Proofs for Traffic Safety

Transcription

1 Carl von Oietzky Univerität Oldenburg Fakultät II Informatik, Wirtchaft- und Rechtwienchaften Department für Informatik Proof for Traffic Safety Combining Diagram and Logic Diertation zur Erlangung de Grade eine Doktor der Naturwienchaften vorgelegt von Sven Linker Tag der Diputation: Gutachter: Prof. Dr. Ernt-Rüdiger Olderog Prof. Dr. Michael Reichhardt Hanen

2

3 Abtract Due to the increaing interet in autonomouly driving car, afety iue of uch ytem are of utmot importance. Safety in thi ene i primarily the abence of colliion, which i inherently a patial property. Within computer cience, typical model of car include pecification of their behaviour, where the pace a car need for operating afely i a function of time. Thi complicate proof of afety propertie tremendouly. In thi thei, we preent method to eparate reaoning on pace from the dynamical behaviour of car. To that end, we define an abtract model with an emphai on patial tranformation of the ituation on the road. Baed on thi model, we develop two formalim: We give the definition of a modal logic uited to reaon about afety propertie of arbitrarily many car. Furthermore, we preent a diagrammatic language to eae the pecification of uch propertie. We formally prove that no colliion arie between car obeying a mall et of requirement. i

4

5 Zuammenfaung Durch da teigende Interee an autonomen Fahrzeugen gewinnt deren Sicherheit immer tärker an Bedeutung. Hierbei it Sicherheit gleichbedeutend mit Kolliionfreiheit, eine grundätzlich räumliche Eigenchaft. Fahrzeugmodelle in der Informatik beinhalten Spezifikationen de dynamichen Verhalten, o da der zum icheren Betrieb nötige Raum abhängig von der Zeit it. Die erchwert Sicherheitbeweie enorm. In dieer Arbeit tellen wir Methoden vor, um Schlufolgerungen über den Raum vom Fahrzeugverhalten abzutrennen. Hierzu definieren wir ein abtrakte Modell mit dem Schwerpunkt auf den räumlichen Veränderungen der Straßenituation. Darauf aufbauend entwickeln wir zwei Formalimen: Wir definieren eine Modallogik, mit der Auagen über die Sicherheit von beliebig vielen Fahrzeugen bewieen werden können. Weiterhin tellen wir Diagramme zur einfacheren Spezifikation olcher Eigenchaften vor. Wir beweien die Kolliionfreiheit zwichen Fahrzeugen, die wenige Anforderungen erfüllen. iii

6

7 Acknowledgement I could not have finihed my thei without the help of many different people. Firt and foremot, I thank Ernt-Rüdiger Olderog for upporting me throughout my time at the Univerity of Oldenburg, both during my undergraduate tudie a well a during my time a a Ph.D. tudent. Furthermore, I thank Michael Reichhardt Hanen for being my external examiner and for the helpful feedback he gave during my viit in Lyngby. While I wrote the text of thi document, Manuel Gieeking, Martin Hilcher and Maike Schwammberger were willing to uffer and proofread different chapter. I am epecially indebted to Manuel Gieeking, who checked many of the proof. All of the remaining error are due to myelf. The pleaant atmophere in the working group Correct Sytem Deign wa trongly haped by all of my former and current colleague along the different group working on theoretical computer cience in Oldenburg: Marion Bramkamp, Björn Engelmann, Evgeny Erofeev, Johanne Faber, Han Fleichhack, Nil-Erik Flick, Sibylle Fröchle, Manuel Gieeking, Andrea Göken, Martin Hilcher, Sören Jeerich, Stephanie Kemper, Heinrich Ody, Chritoph Peuer, Jan-David Queel, Hendrik Radke, Uli Schlachter, Maike Schwammberger, Tim Strazny, Mani Swaminathan, Patrick Uven, Ira Wempe and Elke Wilkeit. Thank you very much. The beginning of my Ph.D. tudie wa influenced immenely by my fellow in the graduate chool TrutSoft : Amna Aif, Ahmad El Maamoun, Kinga Ki-Iakab, Henrik Lipkoch, Nil Müllner, Felix Oppermann, Hendrik Radke and Atrid Rakow. Many thank to all of you for the intructive meeting, the great trip to Dagtuhl and the nice dicuion. It wa an honour to meet you. Epecially, I would like to thank Ira Wempe for being a great coordinator of the graduate chool and for litening to all the problem we had. Of coure, there are people who upported me outide of academia. I would like to thank Chritian Brun, Marku Dahlke, Karten Fritzch, Manuel Gieeking, Niel Hapke, Marku Lohmeyer, Andrea Schäfer, Alexander Skobel and Tim Strazny for their contant upport and time, for relaxed dicuion, for great vacation trip, and in general for being friend. Special thank go to my current and former flatmate Holger Brettchneider, Marcu Dreßler, Sebatian Richter and in particular Cathrin Vogel for helping me during the hard time of the lat year, a well a for being part of the fun activitie we had together. Thank you, I owe you very much. v

8

9 Content 1 Introduction Contribution Structure of thi Thei Preliminarie Mathematical Notation Temporal Logic and Interval Logic Labelled Natural Deduction Graph Rewriting Spatial Model of Traffic Abtract Road Bounded Viibility Senor Model Related Work Modal Logic for Freeway Traffic Syntax and Semantic Proof Sytem Undecidability of Spatial MLSL Related Work Viual Logic for Freeway Traffic Concrete Syntax Convenience Formaliing Sanity Abtract Syntax Semantic Decidability of Spatial Traffic Diagram Related Work Combining Text and Diagram Comparion of Expreivity Verification Framework vii

10 Content 6.3 Related Work Cae tudy Controller Specification Safety Proof Refining the Specification Concluion Summary Future Work Bibliography 141 Index 150 Symbol Index Subject Index viii

11 Lit of Figure 1.1 Decompoing Reaoning about Traffic Semantic of the chop modality Example of a Graph Rewriting Rule The graph G Poible Reult of Applying r once to G The Hyperedge Replacement Sytem R Example of a Graph Rewriting Rule with an Application Condition Situation on a Freeway at a Single Point in Time Spatial Traffic Diagram Example of a Topological Sequence Example of a Lane Sequence Example of Ditance Arrow Omiion of Notation for Conjunction Ambiguitie with Sequence Sanity Condition a Diagram (I) Sanity Condition a Diagram (II) Sanity Condition a Diagram (III) Connectedne of Car Alignment of Car Abtract Syntax of Fig Concrete and Abtract Syntax of a Diagram with Duration Arrow Rule Set R LS, R SEP, R CH and R OCC : Lane/Topological Sequence Rule Set R B L, R LA, R T and R I : Structure of Spatial Diagram Hyperedge Replacement Grammar for the Definition of Path Rule R ing CS : Ditance Arrow from Left to Right of a Topological Situation Different Poibilitie for Ditance Arrow Application Condition for Ditance Arrow between Different Lane Rule RCS 1 and R2 CS : Ditance Arrow between Car Rule RCS 3 and R4 CS : Ditance Arrow attached to Left of Target Rule RCS 5 and R6 CS : Ditance Arrow attached to Right of Source ix

12 Lit of Figure 5.21 Rule RCS 7 : Ditance Arrow on the Same Lane from Right to Left Rule RCS 8 : Ditance Arrow on Different Lane from Right to Left Rule Set R S, R B D, R L and R AT : Structure of Traffic Diagram Semantic for Logical Connective Semantic of Sequence Semantic of Layer Semantic of Lane Sequence Semantic of Topological Sequence Semantic of Ditance Arrow Concrete and Abtract Syntax of an Example Diagram Example of a Spatial Diagram Problematic Example for Decidability A Time-Ditance Diagram for Railway A Time-Space Diagram Schema of a Spatial Diagram Example for the Metric Tranformation New Rule R 5 B D : Formula Example of a Combination of EMLSL and Traffic Diagram Proving Safety with EMLSL and Traffic Diagram Poitive Condition for the Creation of Reervation Withdrawal of Reervation Ditance Controller Preerving Free Space in Front of Car x

13 Lit of Table 4.1 Intruction for Counter c 1 of a Two-Counter Machine Diagrammatic Element of Traffic Diagram Terminal Type of the Abtract Syntax xi

14

15 1 Introduction The amount of individual traffic i till on the rie, and will probably continue to do o in the near future. The reduction of accident in pite of the increae of traffic denity i therefore a main goal of much reearch involving the development of car. Advanced driver aitance ytem upport the human driver by upplying different kind of information. They may, e.g., diplay warning whenever the current velocity i higher than allowed. Furthermore, they often provide viual mean to inform the driver whether changing lane i poible in a afe way. However, the human element within traffic i till a ource for unafe ituation, e.g., when driver overetimate the capabilitie of their car, or are exhauted due to a long drive. To further enure afety, the development of automated car capable of driving autonomouly ha been and i till of trong interet. The PATH project [Hu+94] wa one of the pioneering project contructing and analying the behaviour of fully autonomou car. The reult of thi project led to the identification of everal manoeuvre the controller of uch car have to upport. Furthermore, it wa poible to derive contraint enuring afety, i.e., the prevention of colliion. Several afe controller for car have been preented, e.g., by Lygero et al. [LGS98] and Jula et al. [JKI99] within thi project. In all of thee work, the dominant role in both the pecification of the controller, a well a in proving their afety, i played by the car dynamic. Safety in thee approache i alway defined a the avoidance of colliion, which i an inherently patial property. By uing differential equation, the poition and braking ditance of car are only derived element of the model, which tremendouly increae the complexity of proof. Intuitively, afety of traffic i only dependent on the local environment of each car. Conider for example two car C and D. If the ditance between both i very large, e.g., 100 kilometre, the behaviour of one hould not concern the afety of the other. Intead of mimicking uch a property on a yntactic level, it hould be inherent in the model definition itelf to avoid clutter in pecification. We want to pecifically addre the problem of afety on freeway with thee idea in 1

16 1 Introduction Spatial Abtraction Focu of thi thei Interface Dynamic Figure 1.1: Decompoing Reaoning about Traffic mind. To that end, we want to reaon locally with an emphai on the patial propertie of traffic. For that, we want to examine how patial propertie and locality retriction can be incorporated into a model of traffic a firt-cla citizen, and in what way uch a model eae proof of patial afety predicate. That i, we decompoe the reaoning proce into two level a hown in Fig On the upper level, the topology of pace and it evolution over time i the main focu of reaoning. That i, the model hould reflect which part of the freeway are occupied by car and how thee part change while the car drive along their current lane, and when they change lane. On the lower level, the dynamic pecify the concrete trajectorie, how the car perform thee change. Hence there ha to be an exchange of information between both level, a indicated by the arrow in Fig On the one hand, the abtraction ha to get information about the ize of the occupied pace from the dynamic. On the other hand, mode change within the layer of dynamic can be initiated by the upper level. Now aume that we have pecified a protocol for the behaviour of car on the patial abtraction and hown that it prohibit colliion. Then we only have to prove that the dynamic layer repect the contraint for the behaviour implied by the upper level, and that it provide the patial abtraction with the correct information for our protocol to work. For formal reaoning purpoe, the ue of logic and epecially modal logic ha a long tanding tradition within computer cience. Logic provide a good trade-off between being uccinct and precie. Furthermore, uch a logical approach benefit from meta-theoretical reearch, e.g., the development of proof ytem or method to decide atifiability of formula algorithmically. Proof ytem allow the uer to reaon only on formula and to diregard the concrete emantic tructure, a long a the main propertie of the emantic are captured within axiom and proof rule. They may alo be implemented within interactive or automated theorem prover, thu providing the uer with the guarantee to create a correct proof. Tool checking atifiability may be ued for example to decide whether a formal yntactic proof hould be attempted. For thi, the deired property i negated and then checked for atifiability. If the algorithm decide that the negated property can be atified, all attempt to formally prove the validity of the property are futile. Due to thee advantage, many approache to prove afety (or other intereting propertie) of oftware and hardware device make extenive ue of logical method and formula in general. 2

17 1.1 Contribution However, within engineering practice, formula and mathematical decription lack thi acceptance. There, viual language play a more prominent role. For example, for oftware engineering, the Unified Modelling Language (UML) [RJB04; UML12] i well-etablihed. It incorporate, e.g., Meage Sequence Chart (MSC) [ITU96], which are ued to define the communication between everal independent object, and timing diagram [UML12], which are able to expre timing relation between event occurring in chip-deign. Similarly, depiction of electronic circuit are ued widely to communicate about pecification and implementation of computing device. But mot of thee diagrammatic language lack a precie emantic. For example, within MSC, it i not alway clear whether a diagram tate a poible or a neceary coure of event. Still, everal diagrammatic language have been provided with a formal emantic. While general mathematical propertie may be captured by formal Euler- and Venn- Diagram [Shi95; AB96], only few diagram extenively ued in computer cience were formalied in thi way. MSC have been enhanced by a mathematical emantic in the definition of Life Sequence Chart [DH01], which alo extend MSC with method to ditinguih univeral and exitential equence. Schlör examined timing diagram formally [Sch01]. In the context of real-time ytem, Kleuker preented a viual pecification language called Contraint Diagram [Kle00]. 1.1 Contribution With thee conideration at hand, the contribution of thi work are the following. We define a model of freeway traffic that clearly ditinguihe pace from the dynamical behaviour of car. Thi model alo emphaie the local environment of a ingle car, and by that i a uitable model for the remainder of thi thei. An explicit formaliation of the enor provided by the car on the freeway complete the model. Uing thi model a the emantic, we preent the extended multi-lane patial logic (EMLSL) to reaon locally about patial propertie of freeway traffic. While the logic cannot expre concrete propertie of the dynamic, it i able to ditinguih different dicrete change in the pace on the road. Within the logic, both qualitative apect, i.e., the topological ituation on the freeway, a well a quantitative apect, e.g., the length of free pace ahead of a car or the number of lane between two different car, can be referred to. A a firt tep toward tool aitance, we preent a formal proof ytem in the tyle of natural deduction and derive everal ueful rule within thi ytem. To further eae the ue of our approach, we define a formal diagrammatic language called Traffic Diagram, which ue the abtract model of traffic a a emantic. Similar to the logic, the diagram incorporate method to reaon about the exitence of tranition and to meaure ditance between car. For a clearly defined yntax, we do not only define the viual element ued within the diagram, but give a formal yntactic definition in term of hypergraph. Thi formal yntax may be ued to take advantage of already exiting method and tool upport for diagram paring. We compare the expreivene of Traffic Diagram and EMLSL. A it will turn out, the diagram are not a expreive a the logic. To that end, we preent a tranlation 3

18 1 Introduction of diagram into equivalent formula. Furthermore, we dicu how the diagram and formula may be ued in conjunction to exploit their repective advantage. Finally, we apply all of thee formalim to pecify a mall et of requirement retricting the poible behaviour of car. In addition, we define a afety predicate, which i expreing the abence of colliion. We then formally prove the afety predicate to be invariant along all poible tranition equence of the abtract model of traffic with the help of the deductive ytem for the logic. 1.2 Structure of thi Thei After thi introduction, we preent definition and convention that we will ue throughout thi thei in Chap. 2. Chapter 3 i devoted to the development of the abtract model of traffic that we ue a a emantic. In Chap. 4, we define the logic EMLSL and prove it undecidability. Furthermore, thi chapter contain the proof ytem together with everal derived rule. Chapter 5 contain the definition needed for the viual language of Traffic Diagram. We preent both the concrete and abtract yntax a well a a formal emantic. In addition, the chapter include formaliation of certain propertie the abtract model poee and a ketch for a decidable ubet of diagram. The combination of EMLSL and Traffic Diagram i explored in Chap. 6, in which we alo compare the expreivene of both approache. Chapter 7 preent the application of the proof ytem and the diagram to a cae tudy, defining the required contraint for afe behaviour within freeway traffic. Finally, Chap. 8 conclude the thei. 4

19 2 Preliminarie Content 2.1 Mathematical Notation Temporal Logic and Interval Logic Labelled Natural Deduction Graph Rewriting In thi chapter, we preent mot of the work thi thei i baed upon. We firt give the baic notation ued throughout the following work in Sect In Sect. 2.2 and Sect. 2.3 we recall the preliminarie for the firt part of the thei, i.e., the concept and definition of different interval logic and labelled natural deduction, repectively. Following that, we preent graph rewriting in Sect. 2.4, which play a crucial role for the yntax of the diagram in thi thei. 2.1 Mathematical Notation In thi ection, we introduce general mathematical notation. While the notation itelf follow mathematical tandard, we include it for reference purpoe. Set For a et S, the poweret of S, i.e., the et of all ubet of S, i denoted by P(S). We ue the uual notation, and \ for the union, interection and difference of et. To denote the dijoint union, we ue the ymbol. The Carteian product of the et S and T, i.e., the et of all ordered tuple (, t) with element taken from the et S and T, i denoted by S T. We ue the tandard notation for the different et of number, i.e., N for the poitive 5

20 2 Preliminarie integer and R for the real number. The poitive real are denoted by R + = {x R x 0}. In thi thei, we will make extenive ue of interval over both the poitive integer and the real number. We denote cloed border of interval with bracket and open border with parenthei. Furthermore, we alo allow for infinity a a right border. For example, a typical interval we will ue i the interval of all poitive real [0, ) (= R + ). We denote the et of all real-valued interval, i.e., interval over the real with I. Sometime, we want to ue variable a the border of an interval. We will ue the notation I Var to refer to the et of all variable interval, i.e., where the border are either variable or real number. Oberve that I I Var. Let i I with the border a and b, i.e., i = [a, b], i = (a, b], i = [a, b) or i = (a, b). We call the et i \ {a, b} the interior of i, denoted by I(i). Relation and Function If S and T are et, R S T i a relation between S and T. The domain of R i the et of all element of S which are related to an element of T. Similarly, the range of R i the et of all element of T which are related to element of S. If both the domain and range of R are ubet of the ame et S, i.e., R S S, then we call R a relation on S. We denote the reflexive and tranitive cloure of a relation R on a et S by R. A function i a relation f S T, which i functional and total, i.e., (, t 1 ) f and (, t 2 ) f implie t 1 = t 2 (Functionality), for all S there i a t T uch that (, t) f (Totality). We denote the function f itelf by f : S T and it element (, t) f by f() = t. If a relation f i only functional, but not total, we call f a partial function. If f : S T i a (partial or total) function, the image of S S i given by f(s ) = {t T S f() = t}. Injectivity of a function mean, that each element of the range i related to exactly one element of the function domain, i.e., ( 1, t) f and ( 2, t) f implie 1 = 2 (Injectivity). If f i injective, we denote the preimage of an element t of T by f 1 (t) =, where f() = t. To denote the function modification, we ue notation taken from the Z pecification language [Smi00]. That i, for the function f, we ue f {x y} to denote the function which coincide with f except for f(x) = y. For two function f : S T and g : T U, the function g f : S U i the compoition of g and f, given by (g f)(x) = g(f(x)) a long a both f(x) and g(f(x)) are defined. A equence i a function f with either the natural number or a finite ubet of them a it domain. We will often denote a equence f with the domain {0,..., n} by c 0,..., c n, 6

21 2.2 Temporal Logic and Interval Logic where f(i) = c i for all i {0,..., n}. The element c i are the value of the equence. If S i a et, we ue the notation S for the et of all finite equence with value in S. It will be clear from the context whether we ue thi notation for equence or the reflexive tranitive cloure of a relation. If we want to apply the function g to all element of the equence c 0,..., c n, we alo write g( c 0,..., c n ) for the equence g(c 0 ),..., g(c n ). 2.2 Temporal Logic and Interval Logic Reaoning about temporal change by mean of logical formula ha a long hitory. The firt approach to ue a temporal logic, i.e., a modal logic to formalie propertie of time i due to Prior [Pri57]. He introduced the modalitie G and F with the intended meaning of it will alway be the cae and it will be the cae, repectively, a well a H and P, which tand for it ha alway been the cae and it wa the cae, repectively. Prior analyed the modalitie with repect to a totally ordered linear time cale, i.e., for two time point x and y, either x wa later than y, or y wa later than x, or both tood for the ame time point. Such model are model of linear time. For the pecification and verification of computational ytem, linear temporal logic (LTL), a preented by Pnueli [Pnu77], i a typical formalim inpired by Prior work. In computer cience, logic with emantic of branching time are alo of trong importance, with the mot famou example being computational tree logic (CTL), introduced by Emeron and Clarke [EC82]. Intead of interpreting time a a linearly ordered domain, they conider a tree of tate, each of which may poe an arbitrary number of children. CTL then provide operator to reaon about path originating at the current node, and about the occurrence of tate on thee path. A different approach to decribe temporal propertie i due to both Mozkowki [Mo85] and Halpern and Shoham [HS91]. Halpern and Shoham introduced a modal logic, ubequently called HS, where the modalitie correpond to Allen interval relation [All83]. The main application of HS and it extenion lie in the field of artificial intelligence, where the different relation decribe the knowledge about time (or other domain) an agent may poe. Mozkowki introduced interval temporal logic (ITL) to pecify and verify hardware pecification. The model of both of thee approache are baed on (uually finite) interval. In the following, we will concentrate on ITL. Within ITL, interval can be divided into their ubinterval, to decribe, e.g., the beginning or the end of the interval. For thi purpoe, Mozkowki introduced the chop modality. An interval [a, b] atifie a formula ϕ ψ, if and only if there i a point c uch that a c b, where [a, c] atifie ϕ and [c, b] atifie ψ. A depiction of thi interpretation i given in Fig The yntax of ITL i baically firt-order logic with ϕ ψ a ϕ c ψ b Figure 2.1: Semantic of the chop modality 7

22 2 Preliminarie the addition of the chop-modality: ϕ ::= θ 1 = θ 2 ϕ 1 ϕ 2 x ϕ 1 ϕ 1 ϕ 2, where θ 1 and θ 2 are term over a given ignature. ITL ditinguihe between rigid and flexible term. The value of the former are given globally by a valuation of the variable, while the emantic of the latter may change with repect to the interval under conideration. A typical example of a flexible variable would be the length of an interval. We will not go further into the detail of the emantic of ITL. Both ITL itelf a well a extenion like the Duration Calculu [ZHR91] or Neighbourhood Logic [BRZ99] have been proven valuable for the pecification and verification of real-time ytem. 2.3 Labelled Natural Deduction In hi PhD thei, Gentzen [Gen35] developed the calculu of natural deduction to preent an alternative to axiom-baed proof ytem. Natural deduction i baed on a et of proof rule and (temporary) aumption, to give a tighter connection between the way mathematician naturally prove theorem and the formal proof ytem. To that end, the ytem comprie an introduction and an elimination rule for each operator (with the poible exception of the falum propoition ). A derivation within natural deduction conit of a tree, where the root i the theorem to prove and the leave are the aumption ued within the proof. The branche from the root to the aumption are determined by the tructure of the proof rule. Each rule may poe application condition, which retrict the form of the aumption in the branche above the application of thi rule. Thee condition can enure, e.g., frehne of variable or term for rule concerning the quantor in firt-order logic. A main feature of natural deduction i that rule may eliminate aumption from the derivation. The underlying idea of thi method i that the information of the eliminated aumption i already compried within the concluion of the rule. For example, if we can derive the truth of a formula ψ from the aumption that the formula ϕ hold, then ϕ ψ reflect exactly thi information. Hence, we can eliminate ϕ from the et of aumption and diregard it in the ret of the derivation. Thi mechanim i a formal counterpart to the informal mathematical trategy to ue temporary aumption within a proof. For example, within cae ditinction we temporarily aume the truth of each cae and derive our deired concluion independently. Within natural deduction, we would ue the elimination rule for the dijunction operator for uch a purpoe. A proof in natural deduction i a derivation, where all aumption have been eliminated. In derivation, we will mark eliminated aumption by encloing them in quare bracket. To identify the application of the rule which wa the reaon why thi particular aumption wa eliminated, we add a unique index to both the aumption and the application of the rule within the tree. While thi approach i well-uited for claical logic and intuitionitic logic, other nonclaical logic impoe problem. For example, to define rule covering general modalitie, application condition for the rule have to contrain the et of all aumption, not only the et of aumption involved in the formula to prove [Pra06]. 8

23 2.3 Labelled Natural Deduction A way to preerve the underlying tructure of natural deduction i to augment the formula in the proof with information about the emantic. Thi lead to ytem of labelled natural deduction (LND) [Sim94; BMV98; Vig00]. In labelled natural deduction, one of the baic entitie are labelled formula w : ϕ, where ϕ i a formula of the logic and w i a name of a world. Intuitively, the labelled formula w : ϕ mean that the formula ϕ hold at world w. The reachability relation between the world R i defined by relational formula of the form wrv, where w and v are name for world. The formula wrv expree that v i reachable from w. By adding uitable rule concerning relational formula, different type of reachability relation may be defined. For example, the addition of the following rule define, that R i both reflexive and tranitive, and hence i the underlying reachability relation of all S4-frame. wrw wrv vru wru For an operator, we denote the elimination rule of by E. Similarly, we ue the notation I for the introduction rule of. The rule concerning claical propoitional and firt-order logic operator are imilar to tandard natural deduction rule. In the preentation of the rule, we will denote the yntactical ubtitution of x by a term t in the formula φ by φ[x t]. Following the notation of Bain et al.[bmv98], we ue the name E for reductio ad aburdum. Note that thi rule i the only one concerning falum. [w : ϕ] [w : ϕ] w : ϕ ψ w : ψ w : ϕ E. w : ψ w : ϕ ψ I. v : E w : ϕ w : ϕ ψ E w : ϕ w : ϕ ψ E w : ψ w : ϕ w : ψ I w : ϕ ψ w : x ϕ w : ϕ[x t] E w : ϕ[x t] w : x ϕ I The application condition for I i that t may not occur in any aumption w : ϕ[x t] depend on. The rule E allow for a contradiction to be propagated along the reachable world. That i, we take to be a global contradiction [Vig00]. A main advantage of the labelling approach i that the behaviour and intention of the modalitie can be captured by rule which only ue the typical mechanim of natural deduction, i.e., application condition and elimination of aumption. Furthermore, the introduction and elimination rule for a box modality can be defined without any further knowledge about the propertie of the reachability relation R: [wrv] E w : ϕ v : ϕ wrv. v : ϕ I w : ϕ 9

24 2 Preliminarie The application condition of the introduction rule I i that v i different from w and may not occur free in any aumption v : ϕ depend on, except for wrv. The box elimination rule tate that whenever ϕ hold on w, and v i reachable from w, then ϕ hold on v. The introduction rule tate that if we can deduce the truth of ϕ on v, where the only aumption on v i that it i reachable from w, then we know that ϕ hold on all world reachable from w. Hence ϕ hold on w. Thi i exactly the intended emantic of a box-like modality. We will often ue the rule for the derived operator, i.e.,,,, and diamond-like modalitie. To pare the reader the earch of thee rule in the literature, we include the rule for thee operator. [w : ϕ] w : ϕ w : ϕ E w :. w : I w : ϕ [w : ϕ] [w : ψ] w : ϕ ψ. v : χ v : χ. v : χ E w : ϕ w : ϕ ψ I w : ψ w : ϕ ψ I [w : ϕ] [w : ψ].. w : ψ w : ϕ I w : ϕ ψ w : ϕ w : ϕ ψ E w : ψ w : ψ w : ϕ ψ E w : ϕ [w : ϕ] w : ϕ[x t] w : x ϕ I w : x ϕ v : χ. v : χ E [v : ϕ] [wrv] v : ϕ wrv I w : ϕ w : ϕ u: χ. u: χ E The application condition for E i that x appear free neither in any aumption v : χ depend on (except for w : ϕ) nor in v : χ itelf. Similarly, in the rule E, v ha to be different from both u and w and may not appear in any aumption u: χ depend on, except for wrv. Uually, the rule for the quantifier have to aert the exitence of the term t ubtituted for the variable x. In thi thei, we will aume contant and infinite domain of quantification, and therefore the exitence of the term i guaranteed, allowing u to omit thee additional aumption. LND ha been tranferred to interval logic by Ramuen [Ra01; Ra02]. In hi work, the reachability relation i ternary and labelled formula are of the form [a, b]: ϕ, where [a, b] i an interval on which ϕ i true. Ramuen ued a generalied interval logic called igned interval logic (SIL), where interval may alo have a negative length, i.e., 10

25 2.4 Graph Rewriting he allow for interval [a, b], where a > b. He defined rule capturing, e.g., the ingle decompoition property of interval [Dut95], and the behaviour of the chop-modalitie, and achieved a ound and complete proof ytem. For a well-defined proof ytem, Ramuen alo needed to expre whether a term or formula i rigid and whether a formula doe not contain a chop-modality, i.e., i chop-free. Since thee propertie are both of yntactic nature, predicate for rigidity and for chop-freene can be traightforwardly defined. Furthermore, Ramuen extended the proof ytem for SIL with uitable axiom and rule to embrace, for example, Duration Calculu or Neighbourhood logic. 2.4 Graph Rewriting In thi ection we preent the baic idea of graph rewriting baed on hypergraph. Even though we preent the formal definition, we will motly focu on the intuitive notion. However, we will give reference to complete formaliation of the approache decribed in thi ection. The firt thing needed for the definition of a graph rewriting ytem i a notion of graph. In thi thei, we will ue typed hypergraph, a generaliation of graph. Definition 2.1 (Typed Hypergraph). Let T be a et of type and O a et of label. A typed hypergraph G = (V, E, τ, θ, l) over T and O conit of a et of vertice V, hyperedge (or edge for hort) E, an attachment function τ : E V, a type function θ : E T and a labelling function l: E O. In contrat to edge in uual graph, a hyperedge e may connect an arbitrary number of vertice, we ay it viit the node via it tentacle. We ue typed hypergraph, i.e., the type θ(e) of an edge e determine the number of vertice e mut be viiting. Hence for all edge e of the ame type, the equence τ(e) i of the ame length. We denote the et of all typed hypergraph by the et G. Even though, the attachment function of a hypergraph return equence, we will introduce a more mnemonic notation to refer to the element of the equence. Since the length of the equence for all edge of one type i equal, we will not peak of the index of a node within the equence, but refer to it by a hort tring, e.g., i or at. Thi will be ued to have a more intuitive way to decribe graph. If we refer to different graph G and H, we will ometime ue the notation V G and V H to denote the et of vertice of the correponding graph, and imilarly for the other element of the graph. For the viualiation of typed hypergraph, we ue mall black circle to denote the vertice and grey rectangle with rounded corner to denote the hyperedge, where the type of the edge i incribed in the rectangle. The tentacle of the edge are given by the labelled connection between the edge and the vertice. Label are preented a rectangle, which are connected with the edge they label by a dahed line. For the definition of graph rewriting ytem, we now have to introduce graph homomorphim. Definition 2.2 (Graph Homomorphim). Let G and H be two typed hypergraph. The two function f V : V G V H and f E : E G E H form a graph homomorphim, if they are 11

26 2 Preliminarie edge preerving and compatible with the attachment function, a well a the typing and labelling function. That i, for all edge e E G uch that τ G (e) = v 0,..., v n we have τ H (f E (e)) = f V (v 0 ),..., f V (v n ), θ H (f E (e)) = θ G (e), l H (f E (e)) = l G (e). The pair f V and f E will imply be abbreviated by f : G H and by abue of notation, we will ue the name f to denote both function. In general, we will only conider injective graph homomorphmim, i.e., both f V and f E have to be injective function. Graph rewriting ytem [Roz97] are a generaliation of formal grammar. Where formal grammar replace occurrence of tring with other tring, graph rewriting ytem allow for the replacement of graph with other, poibly more complex graph. Hence uch rewriting ytem allow for the creation of a language of graph. Even though graph rewriting ytem are often defined in term of category theory, we give a definition within et theory, following the preentation of Baldan et al.[bkk03]. Firt, we have to define what a graph rewriting rule conit of. Definition 2.3 (Rewriting Rule). A graph rewriting rule (or production) p = L, R, α i defined by it left-hand ide (LHS) L and it right-hand ide (RHS) R, a well a the injective function α: V L V R, which we will uually indicate by labelling correponding vertice of L and R by natural number. A rule p i applicable to a graph G, if there exit an injective graph homomorphim m: L G, a match of L in G. Given a match m of L in G, the application of p to G reult in a new graph H, given by V H = V G (V R \ α(v L )) E H = (E G \ m(e L )) E R and with the function m: V R V H given by m(v) = m(α 1 (v)) if v α(v L ) and m(v) = v otherwie, the attachment, type and labelling function are defined a e E G \ m(e L ) τ H (e) = τ G (e), θ H (e) = θ G (e), l H (e) = l G (e) e E R τ H (e) = m(τ R (e)), θ H (e) = θ R (e), l H (e) = l R (e) We denote the application of a rule p to the graph G reulting in H by G p H. Intuitively, the application of a rule p to a graph G conit of replacing an occurrence of a ubgraph F of G that matche the LHS with the RHS, where vertice are identified by the function α. Example 2.1. Conider the rule r hown in Fig The injective function of r i given by the node labelled 1 and 2. The label determine, which node are identified in the LHS and RHS during the application of the rule. So let u conider the graph G hown in Fig We can apply r at three different occurrence of the LHS of r to G. Thi yield the three graph hown in Fig Of coure, r could be applied to thee graph again, until no edge of the type S occur in the reult anymore. 12

27 2.4 Graph Rewriting 1 S t u H v Figure 2.2: Example of a Graph Rewriting Rule a S t d S S t t c e Figure 2.3: The graph G A graph rewriting ytem (or graph tranformation ytem) conit baically of a et of rewriting rule. In addition, it contain the axiom, denoting the graph where all derivation of the ytem have to tart at. Definition 2.4 (Graph Rewriting Sytem). A graph rewriting ytem G = (T, S, P ) conit of a et of type T, an axiom S, i.e., a typed hypergraph over T, and a et of rewriting rule P, where all graph occurring in P are typed hypergraph over T. If H i the reult of an arbitrary equence of application of rule within G to the graph G, we write G G H, or imply G H, if G i clear from the context. We ay that there exit a derivation of H from G. Unfortunately, thi approach i not expreive enough for our purpoe. We need the poibility to contrain the application of rule more than jut through the mere occurrence of a ubgraph. For that, we employ neted condition [HP09] or rather their extenion HR condition [HR10; Rad13]. Intuitively, neted condition allow not only for the tatement whether a certain ubgraph matching the left-hand ide exit, but alo for further condition on the environment of thi match. For example, it i poible to tate that a certain other ubgraph hall not exit, for a rule to be applicable. HR condition extend thi notion by allowing for variable within the condition, which have to be intantiated by graph that are created by a hyperedge replacement ytem. A hyperedge replacement ytem i a graph rewriting ytem, where the LHS of each rule may only refer to one hyperedge at once. For example, the rule r given above i uch a rule. 13

28 2 Preliminarie a H u v S c t d S t a S t v H d u d S t a S t S e v t d H u c e c e c e (a) Replacing the Left Edge (b) Replacing the Middle Edge (c) Replacing the Right Edge Figure 2.4: Poible Reult of Applying r once to G Definition 2.5 (Graph Subtitution). Let X be a et of edge type and R a hyperedge replacement ytem. A graph ubtitution induced by R i a function σ : X G where x R σ(x) for all x X. We denote the application of a ubtitution σ to the graph G, i.e., the imultaneou replacement of all occurrence of edge in the domain of σ within G by G σ. The main yntactic element of HR condition i (h, c), where h: P C i a graph homomorphim and c a graph condition. For a given graph G, thi notation hall decribe the exitence of a ubgraph C σ within G, i.e., a ubgraph decribed by the application of a uitable graph ubtitution σ to C. The ubgraph C σ then ha to further atify the condition c. Thi contruction allow u, e.g., to expre the exitence of a path of arbitrary length within G. With the condition c, additional contraint on the path (or even the environment of the path) can be defined. The other crucial element of the condition i (P C, c), where P and C are graph and c i a graph condition. Thi notation give u the ability to cut certain element from graph ued within the condition and only refer to the element of C ubequently (repectively, the element of C σ for a ubtitution σ). With thi contruction, we can circumvent the injectivity of the underlying graph morphim. The full yntax of HR condition i given by the following definition. Definition 2.6 (HR Graph Condition). Let R be a hyperedge replacement ytem and G be a hypergraph poibly containing hyperedge that can be replaced by R. For a hypergraph P, the et of HR condition over P i given inductively a follow: 1. i a HR condition over P. 2. Let P be a ubgraph of C, where h: P C i the incluion of P in C and let c be a HR condition over C, then (h, c) i a HR condition over P. 3. Let C be a graph and c a HR condition over C, then (P C, c) i a HR condition over P. 14

29 2.4 Graph Rewriting 4. Let c and c be HR condition over P, then both c and c c are HR condition over P. If the domain of the incluion in the econd cae of the definition i obviou from the context, we may omit it. That i, intead of (P C, c), we would write (C, c). We now define the emantic of a HR condition baed on graph homomorphim, to have a clearly defined notion of atifaction. In the following definition, we ue the notation c σ for a condition c and a ubtitution σ, do denote the recurive application of σ to all graph occurring within c. Definition 2.7 (Semantic of HR Condition). Let g : P G be a graph homomorphim. Then the atifaction of c by g, denoted by g = c i defined a follow. 1. g atifie. 2. g atifie (h, c) iff h: P C and there i a ubtitution σ which replace all variable edge of C and a graph homomorphim q : C σ G with q h σ = g 1 uch that q atifie c σ 3. g atifie (P C, c) iff there i a ubtitution σ uch that C σ P and a graph homomorphim f : C σ G atifying c σ uch that g retricted to C σ coincide with f, i.e., g C σ = f. 4. g atifie c iff g doe not atify c. 5. g atifie c c iff g atifie c and g atifie c. If g ha the domain, i.e., g : G and g atifie the HR condition c, we alo ay that G atifie c. We define the abbreviation for the miing Boolean connective and univeral quantification a uual. Furthermore, we will omit any condition of the form, e.g., intead of (C, ), we only write (C). Oberve that the ubtitution σ in the emantic of the condition replace each occurrence of a variable edge by the ame graph. Thi will be unfortunate for our main purpoe, when we want to tate the exitence of everal, tructurally different path defined by the ame hyperedge replacement ytem. However, Radke howed that imultaneou replacement of variable by ubtitution and replacement of variable with different graph (which are till derivable by the replacement ytem) are equally expreive [Rad13] 2. We choe to preent the emantic baed on ubtitution, ince they require le notational overhead, but will ue the condition a if we defined the emantic baed on replacement. 1 h σ i the graph homomorphim which coincide with h for all element of P, but ha C σ a it range. Oberve that all element of C have a unique counterpart within C σ, and hence h σ i uniquely determined. 2 The main idea of the proof that ubtitution i a expreive a replacement i to create a new variable type for each occurrence of a variable within a condition. The replacement rule for thee new type are then defined to be imilar to the original variable type. The other direction i more involved. 15

30 2 Preliminarie If we want to formally add a HR condition a an application condition to a rule r = L, R, α, we ue the following approach. We tart with the condition (L I, c 0 ), where I i the graph induced by the retriction of α to only the node of L, i.e., it conit of a dicrete graph. Then, within the condition c 0, we can contrain poible connection between thee node, e.g., claim the exitence of a path. Thi extra tep i needed, ince we want to reue the element of the left-hand ide within the condition, which i normally prevented by the injectivity of all homomorphim involved. Definition 2.8 (Application of a Rule with a HR condition). Let r = L, R, α be a rewriting rule enhanced with the HR condition c over L. Then r i applicable to the graph G, if there exit a match m: L G and m = c. The application of r to G i then defined a in Definition 2.3. Viually, we ue an abbreviation. If we want to add an application condition (L I, c) to a rule r = L, R, α, we depict c to the left of the LHS of r and eparate c from r with a white triangle. 1 P t 2 1 S t 2 t P 1 S t 2 Figure 2.5: The Hyperedge Replacement Sytem R Example 2.2. A an example, conider the hyperedge replacement ytem R, coniting of the rule hown in Fig It replace the hyperedge P by a path of S edge of an arbitrary length greater than zero. Uing R, we can define a HR condition to retrict the application of the rule r of Fig Conider the modification of r a hown in Fig P t 1 1 S t u H v Figure 2.6: Example of a Graph Rewriting Rule with an Application Condition The application condition tate that the rule may only be applied, whenever there i no path of S edge tarting at the node labelled 2. That i, the econd application of r a hown in Fig. 2.3 would not be poible anymore. Oberve that it prohibit the 16

31 2.4 Graph Rewriting unlabelled node and the node with the label 1 to be identified due to the injectivity of the homomorphim involved. If there are everal rule with the ame left-hand ide, we ue a notation imilar to the extended Backu-Naur form to achieve a compact depiction of uch rule (ee, e.g., the rule defining the hyperedge replacement ytem R in Fig. 2.5). Then, if a rule ha more than one alternative, we ue the following convention to eaily refer to each of thee. Convention 2.1. If there i more than one alternative for a left-hand ide of rule, we will add upercript 1, 2, 3,... to the name of the rule to refer to the firt, econd, third,... alternative of the right-hand ide of the rule. 17

32

33 3 Spatial Model of Traffic Content 3.1 Abtract Road Bounded Viibility Senor Model Related Work In thi chapter we define the model we ue to reaon about traffic ituation. Here we concentrate on a model of freeway traffic [Hil+11], i.e., we do not conider car driving in oppoing direction or interection of treet. A main property we want to maintain in the model i it independence of the dynamic of the car. Such a model will enable u to decompoe reaoning about traffic afety into two part. On the upper level, patial argument allow to how traffic afety propertie, e.g., dijointne of pace needed for emergency braking manoeuvre. Then, on the lower level, controller only need to comply with the patial contraint of the model, and afety for the overall ytem, i.e., the freeway, will follow. Still, to keep the model decriptive, we will give a imple type of dynamic, but will alo give the required (but till very weak) retriction on poible car dynamic. A long a the actual car dynamic adhere to the patial contraint implied by our model, the propertie proven with the technique preented in thi thei will hold, even with more concrete and expreive dynamic. Figure 3.1 how an exemplary ituation on a freeway. For each car, we have both indicated it phyical ize (the mall polygon) a well a it braking ditance, i.e., the ditance it need in cae of an emergency braking to come to a complete tandtill. We will call the um of thee the afety envelope of the car. Note that already thi picture contain an important abtraction: car A ha been depicted a driving on two lane at the ame time. Thi notion hall indicate that A i preently engaged in a lane-change manoeuvre. Hence we already abtracted from the concrete phyical poition of A. The 19

34 3 Spatial Model of Traffic C braking ditance afety envelope phyical ize E A B E A Figure 3.1: Situation on a Freeway at a Single Point in Time dotted intance of car E denote that E ha currently et it turn ignal to indicate it deire to change to the lane to it right. In the next ection, we will formalie ituation imilar to thi figure and decribe the poible behaviour of car. The dahed rectangle hall denote the finite part of pace that the car E perceive at the moment, a implied by the enor implemented in E. The model of traffic i divided into different ection. Firt, we will define how all car may behave on the treet, i.e., we give an abtraction of the freeway and what action car may perform on thi abtraction. Afterward, we will retrict thi model to the part a ingle car may perceive at a point in time. Then, we will make ue of an abtract function Ω E, which define the behaviour of the enor of a car E. Finally, we are able to define how each car perceive different car on the freeway: imply a their phyical ize, or with additional knowledge of their braking ditance. 3.1 Abtract Road We allow for an infinite (but countable) number of car on the treet. Each car i aociated with a unique identifier, which may be thought of, e.g., a it licene plate. The et of uch car identifier i I. We will uually denote element of I with uppercae letter, e.g., C, D I. The road itelf comprie an arbitrary but fixed number N > 1 of lane, which are given by the et L = {1,..., N} N. We will make ue of addition and the total order on natural number, ubequently. For implicity, we aume each lane to be of infinite extenion, o that we do not have to conider tart- or endpoint of the road. Hence we take the extenion of the freeway to be the et of real number R. Throughout thi thei, we choe to ue continuou time, i.e., the time domain T i fixed to be T = R +. A hown in Fig. 3.1, we ditinguih between two patial propertie for each car. Firt, each car reerve a certain amount of pace on the freeway. Thi pace i determined by the actual poition on the freeway and the phyical ize of the car. Furthermore, depending on the model of the car enor, it may include it braking ditance. A typical afety property would include that the reervation of all car are dijoint during the 20

35 3.1 Abtract Road whole obervation. In contrat to reervation, the pace claimed by a car may be thought of a a tet, or a virtual image of the car, to check whether a lane change manoeuvre i poible. Hence a claim model that a car et it turn ignal to indicate an upcoming lane change. In Fig. 3.1, the reervation are drawn olid, while the claim of E i given by a dotted polygon. We will ue thi convention throughout thi thei. Definition 3.1 (Traffic Snaphot). Let L be a fixed, finite et of lane and I a countably infinite et of car identifier. A tructure T S = (re, clm, po, pd, acc), i a traffic naphot, where re, clm, po, pd and acc are function re : I P(L) uch that re(c) i the et of lane the car C reerve, clm : I P(L) uch that clm(c) i the et of lane the car C claim, po : I R uch that po(c) i the poition of the car C along the lane, pd : I R uch that pd(c) i the current peed of the car C, acc : I R uch that acc(c) i the current acceleration of the car C. Thi model of the freeway i till very broad. To make a tighter connection between real freeway and thi abtract notion, we retrict the model in everal way. Firt, we require all car to reerve at leat one, and at mot two lane. A car reerving two lane at once i aumed to be in the proce of changing from one lane to the other. Furthermore, a car may only et it turn ignal, if it i not already engaging a lane-change. Finally, a car may only try to change to a lane adjacent to it current lane. Thee requirement are captured in the following anity condition of traffic naphot. Definition 3.2 (Sanity Condition). A traffic naphot T S i ane, if the following condition hold for all C I. 1. re(c) clm(c) = 2. 1 re(c) clm(c) re(c) + clm(c) 2 5. re(c) = 2 implie n L re(c) = {n, n + 1} 6. clm(c) implie n L re(c) clm(c) = {n, n + 1} We denote the et of all ane traffic naphot by TS. Example 3.1. We formalie Fig. 3.1 a a traffic naphot T S = (re, clm, po, pd, acc). We will only preent the ubet of the function for the car viible in the figure. Auming 21

36 3 Spatial Model of Traffic that the et of lane i L = {1, 2, 3}, where 1 denote the lower lane and 3 the upper one, the function defining the reervation and claim of T S are given by re(a) = {1, 2} re(b) = {1} re(c) = {3} re(e) = {2} clm(a) = clm(b) = clm(c) = clm(e) = {1} For the function po, we choe arbitrary real value which till atify the relative poition of the car in the figure. Similarly, we intantiate the function pd uch that the afety envelope of the car could match the figure. For example, ince the afety envelope of B i larger than the afety envelope of C, B ha to drive with a higher velocity. For implicity, we aume that all car are driving with contant velocity at the moment, i.e., for all car, the function acc return zero. po(a) = 28 po(b) = 3.5 po(c) = 2 po(e) = 14 pd(a) = 8 pd(b) = 14 pd(c) = 4 pd(e) = 11 Thi traffic naphot atifie the anity condition. To allow for change of patial ituation, we have to define tranition between traffic naphot. The poible tranition may be categoried in two different way. Firt, we may ditinguih local tranition from global tranition, the former decribing, e.g., how a ingle car create a claim, or mutate it exiting claim into a reervation. The only global tranition i the paing of time, in which all car change their poition and velocitie according to their dynamic. However, the paing of time doe not capture the whole of the dynamic in our etting, ince we allow for intantaneou change of acceleration, out of implicity. The dynamic tranition conit of thee dicrete change of acceleration and the timepaing tranition. The other type of tranition are eentially change in the patial configuration on the freeway, which we call patial tranition. Definition 3.3 (Tranition). The following tranition decribe the change that may occur at a traffic naphot T S = (re, clm, po, pd, acc). T S c(c,n) T S T S = (re, clm, po, pd, acc) wd c(c) clm(c) = 0 re(c) = 1 re(c) {n + 1, n 1} clm = clm {C {n}} T S T S T S = (re, clm, po, pd, acc) clm = clm {C } T S r(c) T S T S = (re, clm, po, pd, acc) clm = clm {C } re = re {C re(c) clm(c)} 22

37 3.1 Abtract Road wd r(c,n) T S T S T S = (re, clm, po, pd, acc) re = re {C {n}} n re(c) re(c) = 2 T S t T S T S = (re, clm, po, pd, acc) C I: po (C) = po(c) + pd(c) t + 1 2acc(C) t2 C I: pd (C) = pd(c) + acc(c) t T S acc(c,a) T S T S = (re, clm, po, pd, acc ) acc = acc {C a} The patial tranition are the following. The car C may create a claim on the lane n via the tranition c(c, n), if it doe not hold a claim at the moment, and n i adjacent to it current reervation. It may furthermore withdraw it claim by the tranition wd c(c). The creation of a reervation r(c) merge the current claim of C with it reervation and remove the claim. If the car C reerve two lane at once, it may withdraw it reervation to the lane n via wd r(c, n), provided n i an element of it current reervation. Oberve that neither the creation of a reervation nor the withdrawal of a claim have any precondition. Hence thee tranition may occur at any time. The dynamic tranition given above are very pecific, which eem to contradict our aim to abtract from the dynamic of car. However, thee tranition are only given exemplarily, to have a defined behaviour of car within thi thei. The reult in the following chapter are independent of the concrete intantiation of the dynamic, a long a the change of poition and velocitie of car are continuou. Intereting model of car dynamic, e.g. given by reult of control theory in fact are continuou in thi ene [Bya+09]. Uually the dicrete change allowed by the dynamic define the level of abtraction, i.e., the point, at which the dynamic no longer accommodate the phyical reality. Due to thee reaon, we alo combine paing of time and change of acceleration to evolution. Definition 3.4 (Evolution). An evolution of duration t tarting in T S and ending in T S i a tranition equence t T S = T S 0 acc(c 0,a 0 ) 0 T S1... T tn acc(c n,a n) S 2n 1 T S 2n = T S, where t = n i=0 t i, a i R and C i I for all 0 i n. We denote thi evolution by T S t T S. We furthermore need a notion for the occurrence of arbitrary many tranition. For that, we jut collect all behaviour between two different naphot with the concept of abtract tranition. 23

38 3 Spatial Model of Traffic λ Definition 3.5 (Abtract Tranition). Let T = T S 0 λ n T S n be a tranition equence, where λ i i an arbitrary tranition label (for 0 i < n). Then T S 0 = T S n i an abtract tranition. Example 3.2. The following trace how an exemplary tranition equence tarting at the traffic naphot defined in Example 3.1. At firt, all car move along their dynamic for t 1 econd. Then the car C claim lane 2. Afterward, t 2 econd pa. Subequently, C change it claim to a reervation on lane 2 and after driving for t lc econd on both lane (moving over), it then withdraw all reervation but the one for lane 2. Furthermore, T S = T S 7. T S t 1 c(c,2) t T S 2 T S 2 r(c) t 3 T S4 T S lc wd r(c,2) 5 T S6 T S 7 However, there i no traffic naphot T S uch that T S c(a,3) T S, ince the reervation of car A already comprie two lane. The tranition are well-defined in the ene, that a tranition tarting in a ane traffic naphot, will again reult in a ane naphot. That i, the tranition preerve the anity condition of Def Lemma 3.1 (Preervation of Sanity). Let T S be a ane traffic naphot. Then, each tructure T S reachable by a tranition i a ane traffic naphot. Proof. We proceed by a cae ditinction. If the tranition leading from T S to T S i the paing of time, or the change of an acceleration, the anity condition are till atified in T S, ince they only concern the amount and place of claim and reervation. wd c(c) The removal of a claim T S T S et clm (C) =. We ditinguih two cae. If clm(c) =, then T S = T S and hence atifie the condition trivially. Let clm(c). After the tranition, condition 1 hold trivially, condition 2 i not affected, condition 3 hold, a doe condition 4. While condition 5 i not affected, condition 6 hold trivially. Now let T S T c(c,n) S. Then by definition of the tranition, re(c) on T S contain exactly one element, and clm(c) i empty. On T S, clm (C) contain exactly n. Since {n + 1, n 1} re(c), n cannot be an element of re (C). Hence the condition 1 to 6 are atified. wd r(c,n) Conider T S T S. Since re(c) = 2, condition 4 enure that clm(c) =, by which condition 1, 3, 4, 5 and 6 hold in T S. Condition 2 hold, ince we overwrite re(c) with {n}. Finally, let T S T r(c) S. Again we have to conider two cae. Firt, if clm(c) =, then T S = T S, and hence the anity condition hold. If clm(c), we get by condition 3 that clm(c) = {n} for ome n L. By condition 4, re(c) = 1, and by condition 1, we get that after the tranition re(c) = 2, i.e., condition 2 hold. Condition 1 and 6 hold now trivially. Condition 3 hold ince we reet clm (C) = and imilarly for condition 4. Condition 5 hold, ince condition 6 hold on T S. In the ret of thi thei, we will only conider ane traffic naphot. 24

39 3.2 Bounded Viibility 3.2 Bounded Viibility An important aumption for our approach i that afety of a manoeuvre on the freeway hould not be dependent on the behaviour of car in too far ditance. Even though uch car may indirectly influence the patial ituation near a car C, e.g., by performing an emergency braking, C hould be in the poition to enure a afe execution of manoeuvre by obervation of the car in it proximity. Hence we aume that the information available to each actor of a manoeuvre i limited to a finite part of the freeway around it. Thi idea i formalied in the definition of view. Definition 3.6 (View). For a given traffic naphot T S with a et of lane L, a view V i defined a a tructure V = (L, X, E), where L = [l, n] L i an interval of lane that are viible in the view, X = [r, t] R i the extenion that i viible in the view, E I i the identifier of the car under conideration, called owner of the view. A ubview of V i obtained by retricting the lane and extenion we oberve. For thi we ue ub- and upercript notation: V L = (L, X, E) and V X = (L, X, E), where L and X are ubinterval of L and X, repectively. The maximal view of E hould at leat comprie the pace needed for braking in the wort poible cae, i.e., the ditance needed to come to a tandtill for the car with the wort brake at maximal velocity. Thi ditance i ubequently called horizon of the ytem. Furthermore, we aume that in uch a maximal view, every car may perceive all lane of the freeway within the horizon. Definition 3.7 (Standard View). For a traffic naphot T S = (re, clm, po, pd, acc) with L a it et of lane and a car E I we define the tandard view of E to be V (E, T S) = (L, [po(e) h, po(e) + h], E), where the horizon h i choen uch that a car driving at maximum peed can, with lowet maximal deceleration, come to a tandtill within the horizon h. In our approach we want to emphaie local reaoning with repect to the owner of a view. If thi car move along the road, i.e., in term of tranition, whenever time pae, we have to enure that the view owned by thi car alo move with the ame peed. t T S 1, the Formally, if a traffic naphot T S 0 evolve to T S 1 in the time t, i.e. T S 0 extenion X of a view V = (L, X, E) ha to be hifted by the difference of the poition of E in T S 0 and T S 1. For thi purpoe, we introduce the function mv, which, given two naphot T S, T S and a view V, compute the view V correponding to V after moving from T S to T S. 25

40 3 Spatial Model of Traffic Definition 3.8 (Moving a View). Let T S and T S be two traffic naphot with T S = (re, clm, po, pd, acc) and T S = (re, clm, po, pd, acc ). Furthermore, let V = (L, [r, ], E) be a view. Then the reult of moving V from T S to T S i given by mv T T S S (V ) = (L, [r + x, + x], E), where x = po (E) po(e). With the poibility to move a view from one naphot to another, we abue the notion of tranition to connect tuple of traffic naphot and view. That i, if a tranition exit between traffic naphot T S and T S, it alo exit between T S, V and T S, V, where V i either equal to V if the tranition i patial, or the reult of moving V to T S if the tranition i an evolution. For abtract tranition, we alo have to move the view to the new naphot, ince time may have paed between the traffic naphot. Convention 3.1 (Extended Tranition). Let T S be a traffic naphot, V any uitable view for T S and {r(c), wd r(c, n), c(c, n), wd c(c) C I, n L}. Then we may alo write T S, V T S, V for T S T S, T S, V t T S, mv T T S S (V ) for T S t T S, T S, V = T S, mv T T S S (V ) for T S = T S. The model defined o far i clearly capable of capturing qualitative propertie of pace on the freeway. Since we are alo intereted in quantitative propertie, e.g., the ditance between two car, we introduce two meaure on the et of lane and the extenion of the view. For the extenion, thi notion coincide with the length meaurement of Duration Calculu (DC) [ZHR91], while the meaure on the lane i imply it cardinality. Definition 3.9 (Meaure). Let I R = [r, t] be a real-valued interval, i.e. r, t R. The meaure of I R i the norm I R = t r. Similarly, the meaure of a dicrete interval I D i it cardinality I D. The definition of ubview induce a relation between view, which we will formalie ubequently. Since the et of lane and the extenion of a view are alway dicrete and real-valued interval, repectively, we choe to employ relation a induced by other interval baed logic, like Interval Temporal Logic (ITL) [Mo85] or DC [ZHR91]. That i, the view V 1 = (L, [r, ], E) and V 2 = (L, [, t], E) are in horizontal relation with V = (L, [r, t], E), where [r, t]. For vertical relation, we have to be more careful, ince the et of lane i dicrete, in contrat to the extenion of the view. If we would ue a imilar notion of vertical relation, i.e., V 1 = ([l, m], X, E), V 2 = ([m, n], X, E) and V = ([l, n], X, E), two problem would arie. Firt, the lane m would be part of both ubview, which clearly contradict the idea of eparating them. 1 Furthermore, we could never achieve a view without lane. While thi doe not eem to be a problem at firt, it would complicate the definition of a modal logic with traffic naphot and view a emantic (cf. Chap.4). An indication of thi problem we can already decribe here i that the meaure on the horizontal and 1 In the cae of continuou interval, we do not mind that i part of both ubview, ince we are generally only intereted in car with a ize greater than zero. 26

41 3.3 Senor Model vertical dimenion would behave differently. For example, the mallet poible interval in horizontal direction i [, ] for an arbitrary R. Thi interval ha the meaure [, ] = 0. However, the mallet interval in vertical direction would be [m, m] with m N, which ha the meaure [m, m] = 1. To avoid thi aymmetry, we give a lightly more intricate notion of chopping dicrete interval. Definition 3.10 (Chopping Dicrete Interval). Let I be a dicrete interval, i.e., I = [l, n] for ome l, n L or I =. Then I = I 1 I 2 if and only if I 1 I 2 = I, I 1 I 2 =, and either max(i 1 ) + 1 = min(i 2 ) or I 1 = or I 2 =. However, for a ymmetric definition, we will alo ue a correponding notation for continuou interval. Definition 3.11 (Chopping Continuou Interval). Let X = [r, t] and [r, t]. Furthermore, we denote [r, ] by X 1 and [, t] by X 2. Then X = X 1 ɵ X 2. We define the following relation on view to have a conitent decription of reachable view in vertical and horizontal direction. Definition 3.12 (Relation of View). Let V 1, V 2 and V = (L, X, E) be view of a naphot T S. Then V = V 1 V 2 if and only if L = L 1 L 2, V 1 = V L 1 and V 2 = V L 2. Furthermore, V = V 1 ɵ V 2 if and only if X = X 1 ɵ X 2 and V 1 = V X1 and V 2 = V X2. Note that view with different owner may never be related to each other. Example 3.3. Conider again Fig The dahed rectangle indicate the view V = (L, X, E) we want to define. Inpection of Example 3.1 how that L = {1, 2}. For the extenion, we only have to chooe value uch that the relation of the figure are preerved, i.e., both E and A fit fully into the extenion, the afety envelope of B i partially contained in X, while no part of C overlap with it. For example, we can chooe X = [12, 42], if we aume that the afety envelope of C i maller than eight patial unit and the afety envelope of B i larger than 9.5 patial unit. 3.3 Senor Model Subequently we will ue a car dependent enor function Ω E : I TS R + which, given a car identifier and a traffic naphot, provide the length of the correponding car, a perceived by E. The idea behind thi function i to parameterie the capabilitie of different enor within the model. For example, in previou work we preented two type of obtainable knowledge of car [Hil+11]. The implet type i called perfect knowledge and aume that the enor return not only the phyical ize of a car, but in addition the length it need for afe braking in cae of an emergency. Both length together comprie the afety envelope of the car. For a more realitic cenario, it i enible to aume that a car E know it own afety envelope, but only the phyical ize of the other car. Such different aumption may be defined by intantiating the enor function appropriately. Furthermore, the enor function may be thought of a a link between the abtract etting preented here and concrete controller for different car manoeuvre. Controller 27

42 3 Spatial Model of Traffic mut on the one hand return correct value according to the enor function, e.g., while computing afety envelope, and on the other hand may only ue the type of knowledge determined by the function. In thi thei, we will only conider the cae of perfect knowledge of every car, to gain a very ymmetrical etting. A hown in previou work, uing an aymmetrical model of knowledge lead to the need of explicit communication between car [Hil+11]. In the etting of perfect knowledge however, we can ue the implicit communication via reervation and claim in particular, and till prove colliion freedom. The enor function together with a view give rie to the way the pace on the freeway i perceived by the different car. For a given view V = (L, X, E) and a traffic naphot T S = (re, clm, po, pd, acc) we ue the following abbreviation: re V : I P(L) with C re(c) L (3.1) clm V : I P(L) with C clm(c) L (3.2) len V : I P(X) with C [po(c), po(c) + Ω E (C, T S)] X (3.3) The function (3.1) and (3.2) are retriction of their counterpart in T S to the et of lane conidered in thi view. The function (3.3) give u the part of the view occupied by a car C. Oberve that uing thi definition without further retriction, car may have a point-like extenion. To have a more realitic model, we require the value of the enor function to be greater than zero for all car and traffic naphot. Convention 3.2. For all car C I, all view V = (L, X, E) and all traffic naphot T S, we require Ω E (C, T S) > 0. Example 3.4. In thi example we finih the formaliation of Fig. 3.1 by pecifying a poible intantiation of the enor function. Compare the value in thi example to both Example 3.1 and 3.3. Ω E (A, T S) = 11 Ω E (B, T S) = 11.5 Ω E (C, T S) = 7 Ω E (E, T S) = 13 With thi enor definition, the derived function of T S and V are a follow. re V (A) = {1, 2} re V (B) = {1} re V (C) = re V (E) = {2} clm V (A) = clm V (B) = clm V (C) = clm V (E) = {1} len V (A) = [28, 39] len V (B) = [12, 15] len V (C) = len V (E) = [14, 27] Oberve how the pace occupied by B i reduced to fit into the view, and how the reervation of C i inviible for E, ince the view only comprie both lower lane. 3.4 Related Work Different model for traffic on freeway have been propoed throughout the pat. A main difference between thee approache, i whether they explicitly define pace or only model 28

43 3.4 Related Work the connection tructure between car. The former approach wa taken within the PATH project by Hu et al. [Hu+94; LGS98], where different minimal manoeuvre for car partaking in automated traffic have been defined. The behaviour of the car themelve i modelled by differential equation. Combining the manoeuvre in thi approach allow for more ophiticated manoeuvre on the freeway, for example the contruction of o-called platoon of everal car to lower the overall fuel-conumption by exploiting the liptream of the car in front. Platzer defined an extenion of dynamic logic allowing for the ue of differential equation within program [Pla10a]. It ha been ued by Platzer and Queel to model railway [PQ09] and extended to cope with an infinite number of car changing lane on a multi-lane freeway [Pla10b; LPN11]. In contrat to our work, the explicit dynamic of the car and the patial configuration on the road are inherently interwoven. Thi tem from the generality of their approach, where the emantic itelf i a Kripke model, in which the tate are given by firt-order tructure. Hence all aumption and definition of freeway traffic have to be given by formula of their logic. Since we conider a more retricted and pecific emantic, we can omit thee definition. However, there are triking imilaritie to our model of freeway traffic. Car changing lane are modelled a uing two lane at once, for example. Furthermore, they ue contant domain of the emantic firt-order tate, which reemble our aumption of a contant et of car. Banach and Butler preented a formaliation of a cruie controller, which keep the velocity contant a long a poible [BB13] and a controller which trie to keep the car at the center of a lane [BB14]. They tarted with a pecification given in pure Event-B [Abr10] without any hybrid element and gradually refined event and non-determinitic behaviour, to finally achieve a verified hybrid formaliation of thee controller. In contrat to our approach, they explicitly olve the differential equation within their pecification. Damm, Hungar and Olderog preented a method to verify afe behaviour within traffic by uing a proof rule [DHO06]. The condition for afe behaviour are divided into the premie of the proof rule and can be verified independently. In that ene, they plit the goal to be analyed, by providing a protocol the car have to implement. Thi protocol require the car to enter certain correction mode, whenever the car are approaching an unafe ituation. However, they bae their model on hybrid automata with explicit differential equation in the mode. The interaction between controller for different purpoe, namely keeping a given target velocity and taying within one lane, ha been tudied by Damm, Möhlmann and Rakow [DMR14]. They ue hybrid automata for the definition of the controller and hence rely trongly on concrete differential equation for the behaviour. Furthermore, their approach i not directly defined to cope with lane change, even though the protocol can be extended to gradually change the lane intead of tabiliing to the mid of the current lane. None of thee model of car traffic ditinguih between what we call reervation and the communication of the intention to change the lane, i.e., a claim. That i, they treat a lane-change a a manoeuvre of a ingle car, who doe not need to announce it action. In contrat, in our model all car able to perceive a claim can take thi information into 29

44 3 Spatial Model of Traffic account. Toben [Tob08] ha ued the potlight principle [WW07] to verify ditributed ytem with a dynamically changing link tructure. Hi running example i baed on car platoon. The potlight abtraction retrict the et of agent under conideration to a finite number. Only thee ditinguihed car are kept explicitly, while the car outide thi potlight are abtracted to a proce with arbitrary behaviour. Our retriction of the road to a finite view imilarly retrict the et of agent viible to a ingle ditinguihed car. However, we do not directly get that the number of car in the view i finite. Furthermore, car outide of a view are not conidered at all, ince we aume that they are currently not able to communicate with the owner of thi view. The preented model can be extended to take oncoming traffic into account [HLO13]. The main difference i that the et of car ha to be divided into dijoint ubet I and I to refer to the direction a car i driving into. Then, mot of the definition in thi chapter can be ued without change, except for the calculation of the perceived length len V of a car. There the different direction caue for a lightly altered definition. A different extenion i to get rid of the concrete dynamic introduced in Definition 3.3. We could introduce a new function called, e.g., dyn : I (T R) which return for a given car it continuou dynamical behaviour. While time pae, all car would evolve according to the function returned by dyn. Intead of changing the acceleration of a car C, dyn would be updated to reflect the mode change within C. For a more concie preentation, we refrained from giving thi even more abtract definition. However, the reult in thi thei are not affected by thi change. 30

45 4 Modal Logic for Freeway Traffic Content 4.1 Syntax and Semantic Proof Sytem Relational Propertie Rigidity Firt-Order Logic Chopping, Decompoition and Tranition Specifying the Domain Spatial Propertie of Spatial Atom Spatial Atom and Tranition Invariance Derived Rule Undecidability of Spatial MLSL Related Work In thi chapter, we preent the extended multi-lane patial logic (EMLSL) which i explicitly defined to deal with traffic ituation decribed by the model in the previou chapter. That i, the main focu of reaoning lie on the patial apect of traffic, while mot of the dynamic i hidden within the emantic. Thi chapter i baed on previou work [LH13], but contain a more tructured preentation of the proof ytem, a well a a more thorough and complete dicuion. 4.1 Syntax and Semantic We employ three ort of variable. The et of variable ranging over car identifier i denoted by CVar, with typical element c and d. For referring to length and quantitie 31

46 4 Modal Logic for Freeway Traffic of lane, we ue the ort RVar and LVar ranging poitive over real number and natural number, repectively. The et of all variable i denoted by Var. To refer to the car owning the current view, we ue the pecial contant ego. Furthermore, we ue the yntax l for the length of a view, i.e., the length of the extenion of the view and ω for the width, i.e., the number of lane. For implicity, we only allow for addition between correctly orted term. However, it i traightforward to augment the definition with further arithmetic operation. Definition 4.1 (Term of EMLSL). We ue the following definition of term. θ ::= n r ego u l ω θ 1 + θ 2, where n N, r R +, u Var and θ i are both of the ame ort, and not element of CVar {ego}. We denote the et of term with Θ. In addition to the atom denoting a contradiction, = for equality and for the order between element of the dimenion, we ue two patial atom re(c) and cl(c), which hall be true, iff the current view conit of one ingle lane which i completely filled with the reervation of the car denoted by c (or it claim, repectively). To reaon about view with more lane and different topological relation between car, we can chop view either horizontally with the binary modality, or vertically which i denoted by tacking formula on top of each other. Furthermore, we ue unary univeral modalitie for all of the poible patial tranition between traffic naphot and for evolution. The modality for evolution i metric, i.e., it i poible to contrain the length of the evolution by the interval the modality i annotated with. Oberve that the patial modalitie ue a car variable in their ubcript. Thi variable will be evaluated like other variable in the formula. I.e., the modalitie are parameteried by thee variable. The modality G i a univeral modality with repect to abtract tranition, i.e., it can be ued to define invariance propertie. Finally, EMLSL i cloed under all firt-order operator. Definition 4.2 (Syntax of EMLSL). The yntax of formula of the extended multi-lane patial logic EMLSL i given a follow. φ ::= θ 1 = θ 2 θ 1 θ 2 re(c) cl(c) φ 1 φ 2 z φ 1 φ 1 φ 2 φ 2 φ 1 Mφ where M { r(c), c(c), wd c(c), wd r(c), I, G }, I I, c CVar {ego}, z Var, and θ 1, θ 2 Θ are of the ame ort. For the atom θ 1 θ 2, we alo require that θ i are not element of CVar {ego}. We denote the et of all EMLSL formula by Φ. Definition 4.3 (Valuation and Modification). A valuation i a function ν : Var {ego} I R + N. The function ν {x α} i a modification of ν, which coincide with ν except poibly for x. We ilently aume valuation and their modification to repect the ort of variable. For a view V = (L, X, E), we lift ν to a function ν V evaluating term, where variable and ego are interpreted a in ν, and ν V (l) = X and ν V (ω) = L. The function + i interpreted a addition. 32

47 4.1 Syntax and Semantic Definition 4.4 (Semantic). In the following, let θ i be term of the ame ort, I I, c CVar {ego} and z Var. The atifaction of formula with repect to a traffic naphot T S, a view V = (L, X, E) and a valuation ν with ν(ego) = E i defined inductively a follow: T S, V, ν = for all T S, V, ν T S, V, ν = θ 1 = θ 2 ν V (θ 1 ) = ν V (θ 2 ) T S, V, ν = θ 1 θ 2 ν V (θ 1 ) ν V (θ 2 ) T S, V, ν = re(c) L = 1 and X > 0 and re V (ν(c)) = L and X = len V (ν(c)) T S, V, ν = cl(c) L = 1 and X > 0 and clm V (ν(c)) = L and X = len V (ν(c)) T S, V, ν = φ 1 φ 2 T S, V, ν = φ 1 implie T S, V, ν = φ 2 T S, V, ν = z φ α I R + N T S, V, ν {z α} = φ T S, V, ν = φ 1 φ 2 V 1, V 2 V = V 1 ɵ V 2 and T S, V 1, ν = φ 1 and T S, V 2, ν = φ 2 T S, V, ν = φ 2 φ 1 V 1, V 2 V = V 1 V 2 and T S, V 1, ν = φ 1 and T S, V 2, ν = φ 2 T S, V, ν = r(c) φ T S T S r(ν(c)) T S implie T S, V, ν = φ T S, V, ν = c(c) φ T S, n T S c(ν(c),n) T S implie T S, V, ν = φ wd c(ν(c)) T S, V, ν = wd c(c) φ T S T S T S implie T S, V, ν = φ wd r(ν(c),n) T S, V, ν = wd r(c) φ T S, n T S T S implie T S, V, ν = φ T S, V, ν = I φ T S, t t I T S t T S implie T S, mv T S T S (V ), ν = φ T S, V, ν = G φ T S T S = T S implie T S, mv T S T S (V ), ν = φ In addition to the tandard abbreviation of the remaining Boolean operator and the exitential quantifier, we ue. Furthermore, we introduce a et of derived modalitie and abbreviation in the following convention. Convention 4.1 (Abbreviation). An important derived modality of our previou work [Hil+11] i the omewhere modality φ φ. Further, we ue it dual operator everywhere. We abbreviate the modality omewhere along the extenion of the view with the operator l, imilar to the on ome ubinterval 33

48 4 Modal Logic for Freeway Traffic modality of DC. For the metric modality, we allow for two implification, if the interval I i a ingleton et and if the bound are not relevant. We alo introduce the dual operator to the invariance modality. [φ] φ l φ φ l φ l φ τ φ [0, ) φ x φ [x,x] φ F φ G φ Likewie, abbreviation can be defined to expre the modality on ome lane. Furthermore, we define the diamond modalitie for the tranition a uual, i.e., φ φ, where {r(c), c(c), wd r(c), wd c(c), I}. Example 4.1. We firt preent ome example ϕ i for EMLSL formula. ϕ 1 l = x ϕ 2 cl(ego) ϕ 3 re(c) ϕ 4 r(ego) re(ego) re(ego) ϕ 5 c(a) ϕ 6 c(b) cl(b) For evaluating their emantic, we recall the traffic naphot T S, the view V and the enor function defined in Example 3.1 to 3.4, i.e., the formaliation of Fig We only repeat the value of the view and of the derived function re V, clm V and len V. The view i given by V = ({1, 2}, [12, 42], E) and the correponding retriction of T S are a follow: re V (A) = {1, 2}, re V (B) = {1}, re V (C) =, re V (E) = {2}, clm V (A) =, clm V (B) =, clm V (C) =, clm V (E) = {1}, len V (A) = [28, 39], len V (B) = [12, 15], len V (C) =, len V (E) = [14, 27]. Let ν be defined by ν(x) = 30, ν(a) = A, ν(b) = B, ν(c) = C and ν(ego) = E. Then the following relation hold: T S, V, ν = ϕ 1 T S, V, ν = ϕ 2 T S, V, ν = ϕ 3 T S, V, ν = ϕ 4 T S, V, ν = ϕ 5 T S, V, ν = ϕ 6 The firt formula i true, ince the length of V i exactly 30 patial unit. The formula ϕ 2 i true, ince we can find the ubview V 2 = (L 2, X 2, E) with L 2 = {1} and X 2 = [14, 27], 34

49 4.1 Syntax and Semantic for which clm V2 (E) = L 2 and len V2 (E) = X 2. The reaoning why T S, V and ν do not atify ϕ 3 i imilar. For ϕ 4, oberve that there i only one tranition for E mutating it claim to a reervation. After thi tranition, re V (E) = {1, 2} hold. Hence, there i a ubview of V, uch that ϕ 4 i atified after all tranition with the label r(e). The formula ϕ 5 i not atified by the given model, ince there i no tranition, where A may create a new claim (a explained in Example 3.2). Finally, ϕ 6 i atified, becaue when B create a claim, the only lane the claim can be created on i lane 2. Hence, we can find a ubview V 6, which conit of L 6 = {2} and X 6 = [12, 15]. Thi view and the naphot emerging from the tranition atify ϕ 6. Oberve that the preented extenion for the atifaction of ϕ 2 and ϕ 6 are the maximal extenion poible. We could alo have choen a ubinterval of thee extenion with a length greater than zero, and till have a atifying model. In the firt definition of MLSL, we included the atom free to denote free pace on the road, i.e., pace which i neither occupied by a reervation nor by a claim. It wa not poible to derive thi atom from the other, ince we were unable to expre the exitence of exactly one lane and a non-zero extenion in the view. However, in the current preentation, free can be defined within EMLSL. free l > 0 ω = 1 c l (cl(c) re(c)) Furthermore, we can define l < r (l = r ) and ue the upercript φ r to abbreviate the chema φ l = r. For reaon of clarity, we will not alway ue thi abbreviation and write out the formula intead, to emphaie the retriction. A an example, the following formula define the behaviour of a ditance controller, i.e., a long a the car tart in a ituation with free pace in front of it, the formula demand that after an arbitrary time, there i till free pace left. x, y l ω = x re(ego) free ω = y τ l ω = x re(ego) free ω = y We have to relate the lane in both the antecedent and the concluion by the atom ω = x and ω = y repectively. If we imply ued re(ego) free, it would be poible for the reervation to be on different lane, and hence, we would not enure that free pace i in front of each of ego reervation at every point in time. However, the formula doe not contrain how the ituation may change, whenever reervation or claim are created or withdrawn. Oberve that it i crucial to combine acceleration and time tranition into a ingle modality I. Let ego drive on lane m with a velocity of v. If we only allowed for the paing of time without any change of acceleration, thi formula would require all car on m in front of ego to have a velocity v f v, while all car behind ego had to drive with v b v. Hence the evolution allow for more complex behaviour in the underlying model. Like for ITL [Mo85] or DC [ZHR91], we call a term or formula flexible whenever it atifaction i dependent on the current traffic naphot and view. Otherwie the formula 35

50 4 Modal Logic for Freeway Traffic i rigid. However, ince the patial dimenion of EMLSL are not directly interrelated, we alo ditinguih horizontally rigid and vertically rigid formula. The atifaction of the former i independent of the extenion of view, while for the latter, the amount of lane in a view i of no influence. If a formula i only independent of the current traffic naphot, we call it dynamically rigid. Definition 4.5 (Type of Rigidity). Let φ be a formula of EMLSL. We call φ dynamically rigid, if it doe not contain any patial atom, i.e., re(c) or cl(c) a a ubformula. Furthermore, we call φ horizontally rigid, if it i dynamically rigid and in addition doe not contain l a a term. Similarly, φ i vertically rigid, if it i dynamically rigid and doe not contain ω a a term. If φ i both vertically and horizontally rigid, it i imply rigid. Example 4.2. Each equality contraint between variable c = d i a rigid formula. In contrat, l = x i only vertically rigid, and ω = y i only horizontally rigid. Since both of thee formula are dynamically rigid, o i l = x ω = y. The formula re(c) i not rigid in any way. Lemma 4.1. Let φ, φ H and φ V be formula of EMLSL, uch that φ i dynamically rigid, φ H i horizontally rigid and φ V i vertically rigid. Then for all traffic naphot T S, T S, view V, V 1, V 2 and valuation ν, 1. T S, V, ν = φ iff T S, V, ν = φ 2. Let V = V 1 ɵ V 2. Then T S, V, ν = φ H iff T S, V i, ν = φ H (for i {1, 2}). 3. Let V = V 1 V 2. Then T S, V, ν = φ V iff T S, V i, ν = φ V (for i {1, 2}). Proof. By induction on the tructure of EMLSL formula. 4.2 Proof Sytem In thi ection, we define a ytem of labelled natural deduction [Gab96; BMV98; Vig00] for the full logic EMLSL. That i, the rule of the deduction ytem do not operate on formula φ, but on labelled formula w : φ, where w i a term of a labelling algebra and φ i a formula of EMLSL. They may connect the derivation of formula and relation between the term w to allow for a tighter relationhip between both. The labelling algebra i more involved than for tandard modal logic, ince EMLSL i in eence a multi-dimenional logic, where the modalitie are not interdefinable. Obviouly, the patial modalitie cannot be defined by the dynamic modalitie and vice vera. Furthermore, neither can the dynamic modalitie be defined by each other in general. Conider, e.g., the modalitie r(c) and c(c). Both of thee modalitie rely on different tranition between the model, which are only indirectly related. The label of the algebra conit of tuple t, v. Similarly to the emantic, t i the name of a traffic naphot and v the name of a view. The algebra contain three different kind of relation. The relation of the form v = v 1 ɵ v 2 and v = v 1 v 2 define ternary reachability relation between view for the patial modalitie. Relation between 36

51 4.2 Proof Sytem whole label, e.g., t, v t r(c), v decribe the behaviour of tranition. The relation within the labelling algebra for traffic naphot directly correpond to the dynamic modalitie. For example, we have t, v t c(c), v, whenever there exit an n N uch that T S T c(ν(c),n) S, where v and v denote the ame view and t (t ) denote the naphot T S (T S, repectively). Finally, ince we have tranition decribing the paing of time, we need a new type of variable called timing variable t. They may only be ued in formula related to the paing of time, i.e., t, v t t, v, and in inequalitie of the form t 1 t 2. We do not give a deduction ytem for the tranition between naphot, ince the condition needed to hold between them are of a very complex nature, i.e., they are definable only with the power of full firt-order logic with function, identity and arithmetic. Hence we would not achieve a ytem with a nice ditinction between the relational deduction and the deduction of labelled formula [BMV98; Vig00]. Intead, we imply aume the exitence of the relation between naphot whenever needed. That i, we will often have, e.g., the exitence of a tranition in our et of aumption. However, we will give rule to decribe the behaviour of view and naphot under patial tranition. That i, we can enure that the view themelve do not change under uch tranition. Thi i due to the fact that the only poibility for a view to change i during evolution and abtract tranition. Only for them the view i moved according to the difference between the ource and target naphot of the tranition. For view, we have a more ophiticated et of rule. We introduce a new quantifier E, which range over view. We ue it to relate view and define the poibilitie to chop view both horizontally and vertically. Subequently, we aume that we have countably infinite et of name for traffic naphot TS and name for view V. Definition 4.6 (Labelled Formula and Relational Formula). Let t be a name for a traffic naphot, v a name for a view and φ a formula according to Definition 4.2. Then t, v : φ i a labelled formula of EMLSL. Locality formula are of the form ρ ::= v = v 1 ɵ v 2 v = v 1 v 2 Ev ρ where v, v 1, v 2 V. Furthermore, we call t, v t, v dynamic formula, where t, t TS, v, v V and i a relation of the labelling algebra. Finally, formula of the form t 1 t 2, are called timing formula, where t 1 and t 2 are timing term, i.e., either element of T, timing variable or a um of timing term. If we do not need the ditinction between dynamic and locality formula, we imply write relational formula. Oberve that we ue the ame notation for the yntactic contruct of locality formula, a well a the chopping operation a their emantic counterpart. In general, the ditinction hould be clear from the context. To have a meaningful oundne reult of the calculu, we give the relation of the emantic of labelled formula and normal formula. For that, we have to relate the name of view and traffic naphot with their emantic counterpart. That i, we need valuation for both type of name and extend the valuation of variable to timing term. 37

52 4 Modal Logic for Freeway Traffic Definition 4.7 (Snaphot and Locality Valuation). A function σ : TS TS relating name of traffic naphot with traffic naphot themelve i called a naphot valuation. Similarly, a function λ: V V i called a locality valuation. Modification of both naphot and locality valuation are defined imilarly to modification of normal valuation. Furthermore, we extend valuation ν to alo relate timing variable t to element of T. We ilently aume that ν(t) = t if t i a contant element of T and lift the valuation to evaluate timing term. The atifaction of labelled formula and relational formula i defined with repect to a naphot valuation, a locality valuation and a valuation for variable. The firt two type of valuation map the label of formula to a model of EMLSL, uch that the labelled formula can be evaluated by the atifaction relation of EMLSL. For the atifaction of dynamic formula, recall that we lifted the tranition within the model to relate tuple of traffic naphot and view in Convention 3.1. Definition 4.8 (Satifaction of Labelled Formula and Relational Formula). A valuation ν, a naphot valuation σ and a locality valuation λ atify a labelled formula t, v : φ, written σ, λ, ν = t, v : φ if and only if σ(t), λ(v), ν = φ. Furthermore, σ, λ, ν = t 1, v 1 r(c) t 2, v 2 σ(t 1 ), λ(v 1 ) r(ν(c)) σ(t 2 ), λ(v 2 ), wd r(c) wd r(ν(c),n) σ, λ, ν = t 1, v 1 t 2, v 2 n σ(t 1 ), λ(v 1 ) σ(t 2 ), λ(v 2 ), σ, λ, ν = t 1, v 1 c(c) t 2,, v 2 n σ(t 1 ), λ(v 1 ) c(ν(c),n) σ(t 2 ), λ(v 2 ) wd c(c) wd c(ν(c)) σ, λ, ν = t 1, v 1 t 2, v 2 σ(t 1 ), λ(v 1 ) σ(t 2 ), λ(v 2 ) σ, λ, ν = t 1, v 1 t t 2, v 2 σ(t 1 ), λ(v 1 ) ν(t) σ(t 2 ), λ(v 2 ) σ, λ, ν = t 1, v 1 = t 2, v 2 σ(t 1 ), λ(v 1 ) = σ(t 2 ), λ(v 2 ) σ, λ, ν = t 1 t 2 ν(t 1 ) ν(t 2 ) σ, λ, ν = v = v 1 ɵ v 2 λ(v) = λ(v 1 ) ɵ λ(v 2 ) σ, λ, ν = v = v 1 v 2 λ(v) = λ(v 1 ) λ(v 2 ) σ, λ, ν = Ev ρ V σ, λ {v V }, ν = ρ where ρ i a locality formula. We lift the atifaction relation to et of formula. Let Γ and be a et of labelled formula and of relational formula, repectively. Then σ, λ, ν = η σ, λ, ν = η σ, λ, ν = Γ (t, v : φ) Γ σ, λ, ν = t, v : φ σ, λ, ν = (Γ, ) σ, λ, ν = Γ and σ, λ, ν = (Γ, ) = t, v : φ σ, λ, ν = (Γ, ) implie σ, λ, ν = t, v : φ for all σ, λ, ν (Γ, ) = η σ, λ, ν = (Γ, ) implie σ, λ, ν = η where η i a relational formula. for all σ, λ, ν, 38

53 4.2 Proof Sytem Definition 4.9 (Derivation). A derivation of a labelled formula t, v : φ from a et of labelled formula Γ and a et of relational formula i a tree, where the root i t, v : φ, each leaf i an element of Γ or, and each node within the tree i a reult of an application of one of the rule defined ubequently. We denote the exitence of uch a derivation by (Γ, ) t, v : φ. Following Ramuen [Ra01], we define predicate for chop-freene of formula and rigidity of term and formula. To increae the number of deducible theorem, we differentiate between vertical and horizontal chop-freene and rigidity, a well a dynamic rigidity. Thee propertie are epecially important for the correct intantiation of term, i.e., for the elimination of univeral quantifier. Example 4.3. Conider the formula ( ) l = x x l = x l = x, which i a theorem of EMLSL, ince the length of a view i not changed by chopping vertically. If we ue claical univeral quantifier intantiation and ubtitute the vertically flexible term ω for x, then we would get l = ω l = ω l = ω. (4.1) Now let T S be a traffic naphot, V a view and ν a valuation atifying the antecedent of (4.1). Then V can be vertically chopped into V 1 and V 2 uch that it length equal it width on both V 1 and V 2. Now let ν V (l) = c. Then alo ν V1 (ω) = c and ν V2 (ω) = c. Since V conit of both thee ubview, ν V (ω) = 2c. But the concluion of (4.1) tate that V hould atify ω = l = c. Thi i clearly a contradiction. If we require that the term t to be ubtituted for x i vertically rigid, we enure that the value of t i the ame for V 1, V 2 and V. For example, we could ubtitute x by the vertically rigid term l. The example how that have to we examine two thing for a ubtitution of t for x in a formula ϕ to be allowed: On the one hand, it i important whether ϕ contain any chop, both vertical and horizontal. On the other hand, whether the term t i vertically or horizontally flexible determine it uitability for the ubtitution. Then, if ϕ doe not contain a horizontal chop (i.e., it i horizontally chop-free) and t i vertically rigid, then we may ubtitute t for x in ϕ. Similarly, if ϕ i vertically chop-free (i.e., it doe not contain a vertical chop), and t i horizontally rigid, we can ubtitute t for x in ϕ. If ϕ doe not contain any chop, we can ubtitute any term t for x. Likewie, if t i completely rigid, then ϕ may contain chop of any kind. We denote vertical (horizontal) chop-freene by the predicate vcf (hcf) and vertical (horizontal, dynamical) rigidity by vri (hri, dri). If a term or formula θ i completely rigid, we ue the notation ri(θ). The rule for the definition of all thee predicate are traightforward, ince both rigidity and chop-freene are yntactic propertie. All atomic formula are vertically and horizontally chop-free. For being a Boolean operator or the horizontal chop, the following rule give vertical chop-freene. 39

54 4 Modal Logic for Freeway Traffic vcf(φ) vcf(ψ) vcf I vcf(φ ψ) vcf(φ ψ) vcf E vcf(φ) vcf(φ ψ) vcf E vcf(ψ) The rule for quantifier and the horizontal rule are defined imilarly. For term, l i vertically rigid and ω i horizontally rigid. The patial atom re(c) and cl(c) are neither horizontally nor vertically rigid, ince they require the view to poe an extenion greater than zero and exactly one lane. Equality i both vertically and horizontally rigid, a long a both compared term are rigid. Below, we how ome exemplary rule, where i an arbitrary binary operator. hri(φ) hri(ψ) hri I hri(φ ψ) hri(φ ψ) hri E hri(φ) hri(φ ψ) hri E hri(ψ) The final rule of thi ection relate rigidity with horizontal and vertical rigidity. For the introduction of general rigidity, oberve that we do not need to take dynamic rigidity into concern, ince both horizontal a well a vertical rigidity imply dynamic rigidity. hri(φ) vri(φ) rii ri(φ) ri(φ) hri(φ) rie ri(φ) vri(φ) rie Relational Propertie We have different rule for the relation between label. Firt, we tate that each view V i decompoable into two ubview. Thi i true, ince we allow for the empty view, i.e., the view without lane or with a point-like extenion. We ue E to denote exitential quantification over view. To ue the relation between view, we have to be able to intantiate view, i.e., we have to introduce a rule for elimination of exitential quantifier over view. A a ide condition for thi elimination rule, we require that t, v : φ i not dependent on any aumption including v a a label, except for the locality formula ρ. The rule itelf i a traightforward adaptation of the claical rule. Again, we only how the cae for the vertical relation. [ρ] Ev v = v v V 0 v = v 1 v 2 v 2 = v 1 v 2 V Com Ev v = v v 2. Ev ρ t, v : φ EE t, v : φ v = v 1 v 2 v 1 = v 1 V 0 v 2 V Com Ev v = v v Ev v = v 1 v Ev 1, v 2 v = v 1 v 2 V Dec Now we define rule for the interaction between view and traffic naphot along dicrete tranition. The firt et of rule (EV) decribe the equality of view during dicrete tranition. The other et allow for the ubtitution of ubview for view in the label. Thi i a direct conequence of convention 3.1 and the emantic of dynamic and locality formula. 40

55 4.2 Proof Sytem t, v t, v t, v t, v EV t, v t, v t, v t, v EV t, v t, v v = v 1 ɵ v 2 SV t, v 1 t, v 1 t, v t, v v = v 1 ɵ v 2 SV t, v 2 t, v 2 t, v 1 t, v 1 v = v 1 ɵ v 2 SV t, v t, v t, v 2 t, v 2 v = v 1 ɵ v 2 SV t, v t, v A imilar et of rule exit for the vertical relation. In all of thee rule, we require {r(c), c(c), wd r(c), wd c(c) c CVar {ego}}. We alo need a et of rule to ue the invariance of view between dicrete tranition to move formula from one view to another, if thee view are connected by a tranition. Note that we do not require the formula to be rigid of any kind, ince emantically, the view are the ame. t, v t, v t, v : φ IV t, v : φ t, v t, v t, v : φ IV t, v : φ t, v t, v t, v : φ IV t, v : φ t, v t, v t, v : φ IV t, v : φ A very important difference in the rule IV to the rule in the following ection i that the view v and v are related via dicrete tranition. That mean eentially that the extenion, number of lane and the owner of thee view are the ame. Oberve that the naphot in the labelled formula i fixed. The rule relating different type of tranition motly refer to the evolution and the abtract tranition. The labelling for abtract tranition a well a for evolution i both reflexive and tranitive. Furthermore, we may abtract any given tranition to an abtract tranition. t, v 0 t, v t r t 1, v 1 t 1 t2, v 2 t 2, v 2 t 2 t3, v 3 t 1, v 1 t 1+t 2 t3, v 3 t tr t, v = t, v = r t 1, v 1 = t 2, v 2 t 2, v 2 = t 3, v 3 = tr t 1, v 1 = t 3, v 3 t, v t, v t, v = t, v ab In the rule ab, the aterik may be intantiated by any tranition type. Finally, let t, t 1, t 2 and t 3 be either timing variable or contant of T. We then define rule to let be a partial order compatible with addition. We alo require all timing variable and contant of T to be at leat zero. 0 t 0 t t r t 1 t 2 t 2 t 3 tr t 1 t 3 t 1 t 2 t 2 t 1 y t 1 = t 2 t 1 t 2 + t 1 + t 3 t 2 + t 3 41

56 4 Modal Logic for Freeway Traffic Lemma 4.2. The rule concerning the different type of relational formula are ound. Proof. The rule V 0 are ound, ince for each locality valuation λ and name of a view v uch that λ(v) = (L, X, E), we can take the view V 0 = (, X, E) to get λ(v) = V 0 λ(v) and λ(v) = λ(v) V 0. Similar reaoning yield oundne of V Dec. For V Com, aume we have a locality valuation λ, uch that λ(v) = λ(v 1 ) λ(v 2 ) and λ(v 2 ) = λ(v 1 ) λ(v 2 ). Let λ(v) = (L, X, E), λ(v 1) = (L 1, X, E), λ(v 2 ) = (L 2, X, E), λ(v 1 ) = (L 1, X, E) and λ(v 2 ) = (L 2, X, E). Since both L 1 L 2 = and L 1 L 2 =, we alo know (L 1 L 1 ) L 2 =. Furthermore, if the et of lane are not empty, max(l 1 ) + 1 = min(l 2 ) and max(l 1 ) + 1 = min(l 2 ) a well a max(l 1) < max(l 1 ). Hence max(l 1 L 1 ) + 1 = min(l 2 ). That i, for V = (L 1 L 1, X, E), we have λ(v) = V λ(v 2 ). If ome of the et of lane are empty, oundne follow imilarly. Soundne of EE i proved like for the tandard rule for the elimination of the exitential quantifier. For the rule EV, oberve that the during dicrete tranition, the view i not changed. Hence if for a naphot valuation σ, a locality valuation λ and a valuation ν, we have, e.g., σ(t), λ(v) r(ν(c)) σ(t ), λ(v ), then we can deduce λ(v) = λ(v ), i.e., both type of the rule EV are ound. For the rule SV, we jut have to recognie that the exitence of a dicrete tranition i fully independent of the view at hand, i.e., the emantic of the dynamic formula i not affected, when the view change. The proof for the oundne of IV are imilar. Soundne of the rule and axiom concerning the evolution and abtract tranition follow traightforwardly from the emantic definition of thee tranition. Finally, for the rule concerning the partial order on time, the oundne follow ince R + i an additive ordered group Rigidity The intuition of rigidity i formalied in the following rule. Whenever a formula i horizontally rigid, the formula hold on all view horizontally reachable from the current view. The rule for vertically rigidity are imilar. t, v : φ hri(φ) v = v 1 ɵ v 2 RH t, v 1 : φ t, v : φ hri(φ) v = v 1 ɵ v 2 RH t, v 2 : φ t, v 1 : φ hri(φ) v = v 1 ɵ v 2 RH t, v : φ t, v 2 : φ hri(φ) v = v 1 ɵ v 2 RH t, v : φ t, v : φ dri(φ) t, v t, v R D t, v : φ t, v : φ dri(φ) t, v t, v R D t, v : φ Again, the difference of the rule R D to the rule IV i, that in the former the whole label i tranformed, where in the latter, only the view may change. Lemma 4.3. The rule concerning the different type of rigidity are ound. Proof. Immediate by Lemma

57 4.2 Proof Sytem Firt-Order Logic For the firt-order operator, we ue the typical definition of labelled natural deduction rule [BMV98]. The only difference lie in the rule for quantification. We may intantiate an univerally quantified variable with a horizontally (vertically) rigid, if the formula i vertically (horizontally) chop-free. If the formula i completely chop-free, we may intantiate the variable with an arbitrary term. Similarly, rigid term may intantiate x in arbitrary formula. In all cae, a ide condition for the intantiation i that repect the ort of x. t, v : x φ hcf(φ) vri() E t, v : φ[x ] t, v : x φ vcf(φ) hri() E t, v : φ[x ] t, v : x φ hcf(φ) vcf(φ) E t, v : φ[x ] t, v : x φ hri() vri() E t, v : φ[x ] The introduction rule for the univeral quantifier i adapted, uch that the variable to be quantified ha to be completely rigid. [hri(x)] [vri(x)]. t, v : φ I t, v : x φ The application condition i that x may not occur free in any aumption on which t, v : φ depend, except for hri(x) and vri(x). The rule concerning equality are a direct tranlation from Ramuen work [Ra01] t, v : = Refl t, v : = t Sym t, v : t = t, v : = t t, v : t = u t, v : = u Tran t, v : φ[x ] t, v : = t ri() ri(t) Subtri t, v : φ[x t] t, v : φ[x ] t, v : = t vcf(φ) hcf(φ) Subtcf t, v : φ[x t] Lemma 4.4. The rule concerning firt-order quantifier and equality are ound. Proof. The proof for equality, ubtitution and the introduction rule of the univeral quantifier i traightforward. Now conider the cae of the elimination of the univeral quantifier, where φ i horizontally chop-free and i vertically rigid, and let σ be a naphot valuation, λ a locality valuation and ν a valuation uch that σ, λ, ν = t, v : x φ. Then, the emantic of the univeral quantifier yield that σ, λ, ν {x α} = t, v : φ for all α repecting the ort of x. In particular, ince x and are of the ame ort, there i an α uch that ν() = α. Thi valuation i the ame for all ubview of λ(v) ued for the evaluation of φ, ince φ may at mot contain vertical chop and i vertically rigid. Hence σ, λ, ν {x α } = t, v : φ i true and equivalent to σ, λ, ν = t, v : φ[x ]. The other cae of the elimination rule are proved imilarly. 43

58 4 Modal Logic for Freeway Traffic Chopping, Decompoition and Tranition The elimination and introduction rule for the chop modalitie are adopted from Ramuen [Ra01], and reemble the rule for exitential quantification. We only how the cae for the horizontal chop, the rule for vertical chopping are obtained traightforwardly, by replacing horizontal modalitie and relation by the vertical one. [t, v 1 : φ] [t, v 2 : ψ] [v = v 1 ɵ v 2 ] t, v 1 : φ t, v 2 : ψ v = v 1 ɵ v 2 I t, v : φ ψ. t, v : φ ψ t, v : χ t, v : χ E The application condition for the chop elimination rule are, that the name v 1 and v 2 differ from v and v and may not occur free in any aumption on which t, v : χ depend, except for t, v 1 : φ, t, v 2 : ψ and v = v 1 ɵ v 2 (v = v 1 v 2 repectively). The chopping of interval i not ambiguou, i.e., there i a unique view of a certain length at the beginning of a view. Thi i the ingle decompoition property [Dut95] of interval logic and captured in the following rule. When there are two vertical chop of a view, and the upper part are of equal width, we can derive that the ame formula hold on the lower part and vice vera. Even though we only how the vertical et of rule, imilar rule hold for the horizontal chopping of view. The tructure of the rule follow the preentation of Ramuen [Ra01]. t, v 1 : φ t, v 2 : ω = t, v 2 : ω = vri() v = v 1 v 2 v = v 1 v 2 V D t, v 1 : φ t, v 2 : φ t, v 1 : ω = t, v 1 : ω = vri() v = v 1 v 2 v = v 1 v 2 V D t, v 2 : φ The additivity of length and width can be formalied by the following rule. t, v 1 : ω = t, v 2 : ω = t vri() vri(t) v = v 1 v 2 V + I t, v : ω = + t t, v : ω = + t vri() vri(t) t, v : φ [t, v 1 : ω = ] [t, v 2 : ω = t] [v = v 1 v 2 ]. t, v : φ V + E Similar to the elimination of chop, the application condition for V + E (H + E, repectively) i that the name v 1 and v 2 differ from v and v and may not occur free in any aumption, on which t, v : φ depend, except for t, v 1 : ω =, t, v 2 : ω = t and v = v 1 v 2 (t, v 1 : l =, t, v 2 : l = t and v = v 1 ɵ v 2, repectively). 44

59 4.2 Proof Sytem The modalitie decribing the dicrete tranition are defined along the line of Bain et al. [BMV98]. If a tranition from the current naphot i known to be poible, the box modalitie may be eliminated. If we can prove that under the aumption of a tranition {r(d), c(d), wd r(d), wd c(d)}, φ hold on the now reachable naphot, then alo φ i true. The application condition for I i that neither t nor v may occur in any aumption on which t, v : φ depend, except for t, v t, v and that they both differ from t and v. [t, v t, v ] t, v t, v t, v : φ E t, v : φ. t, v : φ t, v : φ I For the dynamic tranition, we need to include aertion about the duration t for which time evolve. That i, we add two more premie, which tate that t tay within the bound of the modality. [t, v t t, v ] [a t] [t b] t, v t t, v t, v : [a,b] φ a t t b t E t, v : φ. t, v : φ t, v : [a,b] φ t I Similar to the rule I, the application condition for t I i that t and v are different from t and v and neither t nor v nor t appear in any aumption, on which t, v : φ depend, except for t, v t t, v, a t, and t b. Furthermore t and v have to be different from t and v. Lemma 4.5. The rule concerning chop, the ingle decompoition property and the additivity of length a well a width of view are ound. Proof. The proof i a traightforward adaptation of the proof in the work of Ramuen [Ra01], Bain et al. [BMV98] and Viganò [Vig00], repectively Specifying the Domain We need further rule to pecify certain propertie of our different domain. For example, l tate that the domain of the extenion i dene, while l0 prohibit negative extenion. t, v : l > 0 t, v : l > 0 l > 0 l t, v : l 0 l0 t, v : ω 0 ω0 t, v : x x t, v : x y t, v : y z t, v : x z t, v : x y t, v : x + z y + z In thee rule, we ilently aume that the term x, y and z are of the ame ort, and epecially are not car variable, i.e., x, y, z CVar {ego}. 45

60 4 Modal Logic for Freeway Traffic Spatial Propertie of Spatial Atom In thi ubection, we preent rule which reflect the connection of reervation and claim to the patial domain. On the one hand, we have rule which are traightforward implication of the intended emantic of the atom, e.g., that the length of a view which atifie re(c) ha to be greater than zero and ha to conit of exactly one lane. On the other hand, we have rule which tate that reervation and claim are dene in the extenion of view. In comparion with Ramuen preentation of Duration Calculu [Ra01], thee rule eem to be very pecific, and one might be tempted to aume that they are already derivable in the given ytem. However, ince we do not have any type of term reembling integration, we are, e.g., not yet able to tate directly that on a view V atifying re(c), each ubview alo ha to atify re(c). So thee rule are needed due to the very pecific and narrow type of atom we permit within EMLSL. t, v : re(c) ExtRe t, v : l > 0 t, v : cl(c) ExtCl t, v : l > 0 t, v : re(c) t, v : ω = 1 LaneRe t, v : cl(c) t, v : ω = 1 LaneCl t, v : re(c) t, v : re(c) re(c) dre t, v : cl(c) t, v : cl(c) cl(c) dcl t, v : re(c) t, v 1 : l > 0 v = v 1 ɵ v 2 cre t, v 1 : re(c) t, v : cl(c) t, v 1 : l > 0 v = v 1 ɵ v 2 ccl t, v 1 : cl(c) t, v : re(c) t, v 2 : l > 0 v = v 1 ɵ v 2 cre t, v 2 : re(c) t, v : cl(c) t, v 2 : l > 0 v = v 1 ɵ v 2 ccl t, v 2 : cl(c) Lemma 4.6. The rule concerning the patial propertie of atom are ound. Proof. Immediate by the emantic of re(c) and cl(c) and the denity of the extenion domain Spatial Atom and Tranition Finally, we have to define how the patial atom behave with repect to occurring tranition. There are two type of rule in general, tability rule and activity rule. Stability rule define which atom tay true after a naphot change according to a certain tranition. The activity rule tate how the reervation and claim of car will change according to the tranition. In all of the rule within thi ection, the aumed tranition will be hown a the middle premi, the patial property to be reaoned about will be the left premi, and the relation between the car d reponible for the tranition and the car c, whoe property i viible in the view, will be hown on the right. If a tranition occur, the truth of all reervation and claim of car not involved in the tranition are unchanged. For the creation of a claim, the following tability rule how that the reervation and claim of other car are unchanged. We have imilar tability rule for the other type of tranition. 46

61 4.2 Proof Sytem t, v : cl(c) t, v c(d) t, v t, v : c d c S t, v : cl(c) t, v : re(c) t, v c(d) t, v t, v : c d c S t, v : re(c) There i an additional tability rule for the creation of reervation. It tate that the already exiting reervation of a car creating a new reervation i not altered. t, v : re(c) t, v r(d) t, v t, v : c = d r S t, v : re(c) The activity rule for c(c) implie two propertie. Firt, a claim may only be created when only one reervation exit. Second, the newly created claim reide on one ide of the exiting reervation. Oberve that we require the view under conideration to comprie both adjacent lane of the reervation. If we dropped thi aumption (i.e., removed the ubformula ω = 1), it would be poible for the newly created claim to reide outide of the view V, and hence the concluion would not be atified. t, v : t, v : (re(c) cl(c)) ω = 1 re(c) (re(c) cl(c)) ω = 1 (re(c) cl(c)) ω = 1 re(c) cl(c) t, v c(d) t, v t, v : c = d cl(c) re(c) (re(c) cl(c)) ω = 1 c A The rule for the creation of reervation in between traffic naphot i the following. It only enure that if we oberved the claim of the car before the tranition, we can perceive it reervation afterward. t, v : cl(c) t, v r(d) t, v t, v : c = d r A t, v : re(c) The following activity rule define the withdrawal of reervation and claim. Oberve that for the withdrawal of a claim, we do not pecify the patial propertie of the traffic naphot and view the tranition originate from. If the claim of a car d wa withdrawn, we can be ure that no claim of d exit at any part of the freeway. t, v : re(c) re(c) t, v : wd r(d) t, v t, v re(c) re(c) re(c) re(c) t, v : c = d wd r A wd c(d) t, v t, v t, v : c = d wd c t, v : cl(c) A We alo have rule for backward reaoning, i.e., if our current naphot i reachable from another, we may draw concluion about the originating naphot. Again, we differentiate between activity and tability rule. The tability rule all follow the ame 47

62 4 Modal Logic for Freeway Traffic chema, where {c, wd c, wd r}. Oberve that thee rule all have the exitence of a reervation at the detination traffic naphot and view a a premi. For checking oundne of thee rule intuitively, conider S. wd r If after the withdrawal of a reervation, we can till perceive a reervation at the given part of the freeway, it had to be there before the withdrawal. Similar reaoning hold for the other backward tability rule. t, v : re(c) t, v : re(c) t, v : re(c) t, v (d) t, v t, v : c = d S t, v : re(c) t, v (d) t, v t, v : c d S t, v : re(c) t, v r(d) t, v t, v : c d r S t, v : re(c) For the backward activity rule for the creation of a reervation, we can only enure that either a claim or a reervation wa perceived before the tranition, ince we can not ditinguih the newly created reervation. t, v : re(c) t, v r(d) t, v t, v : c = d r A t, v : re(c) cl(c) For the backward activity rule for creation of claim however, we can be ure that no claim exited before the tranition occurred. t, v : cl(c) t, v c(d) t, v t, v : c = d c A t, v : cl(c) If we want to reaon backward along the withdrawal of a reervation, we have to enure that the lane next to the perceived reervation after the tranition are contained in the view. Otherwie we could not tate that both reervation were preent within the view before the tranition occurred. t, v : ω = 1 re(c) ω = 1 t, v : wd r(d) t, v t, v re(c) re(c) ω = 1 ω = 1 re(c) re(c) t, v : c = d wd r A Oberve that we cannot define a backward activity rule for the withdrawal of a claim. If we know that after the withdrawal of the claim of c, we cannot perceive a claim of c, we can till not be ure whether the claim wa viible in our view before the tranition wa taken. It could be the cae that no part of c wa ever viible within the view. Lemma 4.7. The rule concerning the change of patial atom along tranition are ound. 48

63 4.2 Proof Sytem Proof. We only how the proof for the activity rule. The proof for the tability rule are traightforward, ince only the reervation and claim of the car taking a tranition may change. Cae 1: Conider an application of wd A. r We aume (Γ 1, 1 ) = t, v : re(c) re(c) wd r(d) and (Γ 2, 2 ) = t, v t, v and (Γ 3, 3 ) = t, v : c = d. Now we have to how, that with Γ 1 Γ 2 Γ 3 = Γ and =, we get (Γ, ) = t, v : re(c) re(c) re(c) re(c). Let σ, λ and ν be uitable valuation uch that σ, λ, ν = (Γ, ), i.e., σ, λ, ν = (Γ 1, 1 ), σ, λ, ν = (Γ 2, 2 ) and σ, λ, ν = (Γ 3, 3 ). Hence σ, λ, ν = t, v : re(c) re(c) wd r(d) σ, λ, ν = t, v t, v, σ, λ, ν = t, v : c = d. Let λ(v) = V 1 V 2, uch that σ(t), V 1, ν = re(c) and σ(t), V 2, ν = re(c) with V i = (L i, X, E). Furthermore, by the emantic of re(c) we get that L i = 1. We know that there i a lane n 0, uch that σ(t), λ(v) wd r(ν(d),n 0) σ(t ), λ(v). Let n 0 L 1. Then by Definition 3.3, and ince ν λ(v) (c) = ν λ(v) (d), we have that re V 2 (ν(c)) = re V 2 (ν(d)) =, which mean σ(t ), V 2, ν = re(c), that i, σ(t ), V 2, ν = re(c). Furthermore, we have n 0 re V 1 (ν(d)), i.e., σ(t ), V 1, ν = re(c). Oberve that λ(v) = λ(v ), i.e., we have λ(v ) = V 1 V 2. By definition of the vertical chop, we get and hence σ(t ), λ(v ), ν = re(c) re(c), σ(t ), λ(v ), ν = re(c) re(c) re(c) re(c). If n 0 L 2, the reaoning i analogou. All in all, we get that σ, λ, ν = t, v : re(c) re(c) re(c) re(c). Cae 2: Conider an application of r A. Then let (Γ 1, 1 ) = t, v : cl(c) and (Γ 2, 2 ) = t, v r(d) t, v and (Γ 3, 3 ) = t, v : c = d. 49

64 4 Modal Logic for Freeway Traffic Now let Γ 1 Γ 2 Γ 3 = Γ and =. Let σ, λ and ν be valuation uch that σ, λ, ν = (Γ, ). That i, σ, λ, ν = t, v : cl(c), σ, λ, ν = t, v r(d) t ), v, σ, λ, ν = t, v : c = d. We aume σ(t) = (re, clm, po, pd, acc) and σ(t ) = (re, clm, po, pd, acc ). Thu, clm λ(v) (ν(c)) = L, where L are the lane of λ(v) = λ(v ). By Definition 3.3 we get that re (ν(d)) = re(ν(d)) clm(ν(d)) and, ince ν λ(v) (c) = ν λ(v) (d), re λ(v) (ν(c)) = clm λ(v) (ν(c)) = L. So σ(t ), λ(v ), ν = re(c) and by that σ, λ, ν = t, v : re(c). wd c wd c(d) Cae 3: Conider an application of A. Let (Γ 1, 1 ) = t, v t, v and (Γ 2, 2 ) = t, v : c = d. Furthermore, we let Γ = Γ 1 Γ 2 and = 1 2. Hence wd c(ν(d)) if σ, λ, ν = (Γ, ), then σ(t), λ(v) σ(t ), λ(v ) i true a well a ν λ(v) (c) = ν λ(v) (d). That i, if σ(t ) = (re, clm, po, pd, acc ), then clm (ν(c)) =. Hence, ince λ(v) = λ(v ), we have σ(t ), λ(v ), ν = cl(c). Thu σ, λ, ν = t, v : cl(c). Cae 4: Conider an application of A. c We aume (Γ 1, 1 ) = t, v : (re(c) cl(c)) ω = 1 re(c) (re(c) cl(c)) ω = 1, (Γ 2, 2 ) = t, v t c(d), v and (Γ 3, 3 ) = t, v : c = d. Furthermore, let Γ = Γ 1 Γ 2 Γ3, = and σ, λ, ν = (Γ, ). That i, for λ(v) = (L, X, E) and σ(t) = (re, clm, po, pd, acc), we know that L contain exactly three element, ay L = {n 1, n 2, n 3 }, where n 2 = n and n 3 = n Then we get re(ν(c)) = {n 2 } and clm(ν(c)) =. Now conider σ(t ) = (re, clm, po, pd, acc ). Since σ, λ, ν = t, v t c(d), v, we have σ(t) c(ν(d),n ) σ(t ) for either n = n 1 or n = n 3 (by Def. 3.3). Furthermore, due to ν λ(v) (c) = ν λ(v) (d) we know that clm (ν(c)) = {n }. Say n = n 1. Then σ(t ), λ(v ) {n1}, ν = cl(c). Note that the extenion of λ(v ) {n1} ha to be greater than zero, ince the ubview λ(v) {n2} already atifie re(c) and λ(v) = λ(v ). Due to re = re, we get σ(t ), λ(v ), ν = (re(c) cl(c)) ω = 1 re(c) cl(c) σ, λ, ν = t, v : (re(c) cl(c)) ω = 1 re(c) cl(c) σ, λ, ν = t, v : (re(c) cl(c)) ω = 1 re(c) cl(c) cl(c) re(c) (re(c) cl(c)) ω = 1. 50

65 4.2 Proof Sytem The cae where n = n 3 i imilar. c Cae 5: Conider an application of A. Then (Γ 1, 1 ) = t, v : cl(c), (Γ 2, 2 ) = t, v t c(d), v and (Γ 3, 3 ) = t, v : c = d. We aume σ, λ, ν = (Γ, ), i.e., σ, λ, ν = (Γ 1, 1 ), σ, λ, ν = (Γ 2, 2 ) and σ, λ, ν = (Γ 3, 3 ). Since c = d i dynamically rigid, we alo have σ, λ, ν = t, v : c = d by Lemma 4.1. So ν λ(v )(c) = ν λ(v )(d). There can only be a tranition creating a new claim for ν λ(v )(c) from σ(t) to σ(t ), if clm(ν λ(v )(c)) = on σ(t). Hence, for each view V, we have σ(t), V, ν = cl(c). That i in particular σ(t), λ(v), ν = cl(c), which yield σ, λ, ν = t, v : cl(c). wd r Cae 6: Conider an application of A and let (Γ 1, 1 ) = t, t : ω = 1 re(c) ω = 1, wd r(d) (Γ 2, 2 ) = t, v t, v and (Γ 3, 3 ) = t, v : c = d. Furthermore, let Γ = Γ 1 Γ 2 Γ 3 and = Now aume σ, λ, ν = (Γ, ), and let σ(t) = (re, clm, po, pd, acc) a well a σ(t ) = (re, clm, po, pd, acc ). We know that the et of lane L of λ(v ) = λ(v) = (L, X, E) contain exactly three element, ay L = {n 1, n 2, n 3 }, where n 2 = n and n 3 = n By the emantic of the tranition (ee Def. 3.3) and EMLSL (ee Def. 4.4), we get re (ν(c)) = {n 2 }. The tranition exit only, when re(ν(c)) = 2 and n 2 re(ν(c)), o there are only two poibilitie (due to the anity condition of Def. 3.1): n 1 re(ν(c)) or n 3 re(ν(c)). Say n 1 re(ν(c)). Then σ(t), λ(v), ν = ω = 1 re(c) re(c) and hence σ, λ, ν = t, v : re(c) re(c) ω = 1 ω = 1 re(c) re(c). The cae for n 3 re(ν(c)) i imilar. r Cae 7: Conider an application of A and let (Γ 1, 1 ) = t, v : re(c), (Γ 2, 2 ) = t, v t r(d), v and (Γ 3, 3 ) = t, v : c = d. Now aume Γ = Γ 1 Γ 2 Γ 3, = and σ, λ, ν = (Γ, ). Furthermore, let σ(t) = (re, clm, po, pd, acc) and σ(t ) = (re, clm, po, pd, acc ). We then know that re λ(v )(c) = {n} where λ(v) = λ(v ) = (L, X, E) with L = {n} and X > 0. By Def. 3.3 and ν λ(v) (c) = ν λ(v) (d) we get that re (ν(c)) = re(ν(c)) clm(ν(c)). If n re(ν(c)), we have σ(t), λ(v), ν = re(c), which implie σ(t), λ(v), ν = re(c) cl(c). Similarly, if n clm(ν(c)), we get σ(t), λ(v), ν = cl(c), which implie σ(t), λ(v), ν = re(c) cl(c). That i, σ, λ, ν = t, v : re(c) cl(c). 51

66 4 Modal Logic for Freeway Traffic Invariance For the introduction of the globally modality G, we employ the rule G I reembling inductive reaoning. If the current naphot T S and view V are a model of the formula φ and we can how that φ i preerved under all poible tranition, then we know that T S and V atify G φ. Hence we get the mot complicated rule of our calculu, G I. [t, v = t 1, v 1 ] [t, v = t 2, v 2 ] [t, v = t 3, v 3 ] [t, v = t 4, v 4 ] [t, v = t 5, v 5 ] r(d) [t 1, v 1 t 1, v 1 ] [t c(d) 2, v 2 t 2, v 2 ] [t wd r(d) 3, v 3 t 3, v 3 ] [t wd c(d) 4, v 4 t 4, v 4 ] [t t 5, v 5 t 5, v 5 ] [t 1, v 1 : φ] [t 2, v 2 : φ] [t 3, v 3 : φ] [t 4, v 4 : φ] [t 5, v 5 : φ]..... t, v : φ t 1, v 1 : φ t 2, v 2 : φ t 3, v 3 : φ t 4, v 4 : φ t 5, v 5 : φ t, v : G φ In the induction rule, the world t i, v i may not occur in any aumption on which t i, v i : φ depend except for the aumption eliminated in thi application. Furthermore, the world t i, v i are all different from each other and from the world t i, v i a well a t, v. Finally, d and t may not occur free in any aumption the premie depend on, except for the aumption eliminated by the application of thi rule. Oberve that we do not impoe any additional aumption on t. We want t to poibly denote any time in the interval [0, ). That i, the only contraint on t i 0 t. But thi timing formula i an axiom of our ytem (cf. Sect ), which i why we can omit it from the definition of thi rule. The rule i inpired by the work of Manna and Pnueli on program verification [MP95]. They defined a proof rule for the invariance of a formula ϕ, where the premie tate that the current tate atifie ϕ, and all tranition preerve ϕ. The elimination rule i much impler and reemble the elimination rule for box modalitie. t, v : G φ t, v = t, v G E t, v : φ Lemma 4.8. The introduction and elimination rule for G are ound. Proof. The oundne of G E i traightforward, hence we concentrate on the introduction rule of the invariance modality. We aume that (Γ, ) = t, v : φ and (Γ i, i ) = t i, v i : φ for 1 i 5. Subequently, we let Γ =Γ (Γ i \ {t i, v i : φ)} and = 1 i 5 ( 1 \ {t, v = t 1, v 1, t 1, v 1 r(d) t 1, v 1}) ( 2 \ {t, v = t 2, v 2, t 2, v 2 c(d) t 2, v 2}) ( 3 \ {t, v = t 3, v 3, t 3, v 3 wd r(d) t 3, v 3}) ( 4 \ {t, v = t 4, v 4, t 4, v 4 wd c(d) t 4, v 4}) ( 5 \ {t, v = t 5, v 5, t 5, v 5 t t 5, v 5}) 52

67 4.2 Proof Sytem We now how that (Γ, ) = t, v : G φ by proving that within the proof context (Γ, ), all naphot and view reachable from t, v atify φ. For that, let σ be a naphot valuation, λ a locality valuation and ν a valuation uch that σ, λ, ν = (Γ, ). We proceed by induction on the length of tranition equence of the form σ(t), λ(v) = T S, V. The induction bae i immediate, ince σ(t), λ(v) = σ(t), λ(v) ha the length zero, and (Γ, ) = t, v : φ by our aumption. A the induction hypothei, we aume that for all tranition equence σ(t), λ(v) = σ(t ), λ(v ) of length n, we have (Γ, ) = t, v : φ. So uppoe we have a tranition equence σ(t), λ(v) = T S, V of length n + 1. That i, there are t, v and a equence σ(t), λ(v) = σ(t ), λ(v ) of length n, uch that one of the following hold: 1. σ(t ), λ(v ) r(c) T S, V 2. σ(t ), λ(v ) c(c,m) T S, V wd r(c,m) 3. σ(t ), λ(v ) T S, V wd c(c) 4. σ(t ), λ(v ) T S, V 5. σ(t ), λ(v ) t T S, V for ome C, m and t repectively. We prove the firt cae, the other one are imilar. Aume σ(t ), λ(v ) r(c) T S, V a well a σ(t ) = T S, λ(v ) = V and ν(c) = C. Then let 1 =( 1 \ {t, v = t 1, v 1, t 1, v 1 r(d) t 1, v 1}) {t, v = t, v, t, v r(c) t, v }. By the induction hypothei, we know that (Γ, ) = t, v : φ. So let Γ 1 = (Γ 1 \ {t 1, v 1 : φ}) {t, v : φ}. Since the application condition enure that neither t 1 nor v 1 i dependent on any other aumption and ince d doe not occur free in any other aumption, we get by our aumption that (Γ 1, V 1 ) = t, v : φ, i.e. σ, λ, ν = t, v : φ. Furthermore, becaue σ, λ and ν were choen arbitrarily, we get (Γ, V ) = t, v : φ. Theorem 4.1. The calculu of labelled natural deduction for EMLSL i ound. Proof. In the preceding ection, we have proven all rule of the calculu to be ound. Since model of EMLSL are baed on the real number, we cannot hope for a complete deduction ytem. 53

68 4 Modal Logic for Freeway Traffic Derived Rule In thi ection we collect ueful derived rule. Thee rule erve different purpoe. On the one hand, they how that everal expected propertie are derivable with the preented proof ytem. On the other hand, we will employ mot of thee rule in our cae tudy in Chap. 7. We firt introduce ome generally ueful horthand. The rule following i an adaptation of previou work [Lin07]. [t, v : l = t] [hri(t)] [vri(t)]. t, v : φ le t, v : φ The rule le ha the application condition that t may neither occur free in any aumption on which t, v : φ depend except for t, v : l = t, hri(t) and vri(t) nor may it occur free in t, v : φ itelf. Lemma 4.9. The rule le i a derived rule of the proof ytem for EMLSL. Proof. We can replace each occurrence of le with the following proof tree: Refl t, v : l = l I t, v : t l = t t, v : φ [t, v : l = t] [hri(t)] [vri(t)]. t, v : φ E The application condition i implied by the application of E. From now on, we will often omit the aertion of rigidity and chop-freene due to brevity, ince they are eaily derivable. The next type of rule concern the removal of empty view. t, v 2 : φ t, v 1 : l = 0 v = v 1 ɵ v 2 0E t, v : φ t, v 2 : φ t, v 1 : ω = 0 v = v 1 v 2 0E t, v : φ t, v 1 : φ t, v 2 : l = 0 v = v 1 ɵ v 2 0E t, v : φ t, v 1 : φ t, v 2 : ω = 0 v = v 1 v 2 0E t, v : φ Lemma The rule 0E are derived rule of the proof ytem for EMLSL. Proof. All proof are tructurally imilar. Hence we only how the cae where v 1 repreent the empty view, and the view i chopped in horizontal direction. We can replace each of thee occurrence of 0E with the following proof tree: Ev v = v ɵ v V 0 Π t, v : l = 0 t, v 1 : l = 0 t, v 2 : φ v = v 1 ɵ v 2 [v = v ɵ v] 3 HD t, v : φ EE3 t, v : φ le4 t, v : φ 54

69 4.2 Proof Sytem where Π i the following proof tree. Π = The proof tree Π = i given a follow. Π > t, v : x + y = x t, v : x + y > x E t, v : E1 t, v : l = 0 le2 t, v : l = 0 [t, v : l = x] 4 [t, v : l = y] 2 [v = v ɵ v] 3 H + I t, v : l = x + y [t, v : l = x] 4 Subtcf t, v : x + y = x And finally Π > i given by: [t, v : l = y] 2 [t, v : l > 0] 1 Subt cf t, v : y > 0 R H t, v : x + y > x [v = v ɵ v] 3 t, v : x + y > x In thi proof we identify (l = 0) with l > 0 and alo implicitly ue the validity of x + y > x (x + y = x) a well a x = x + 0. To give a flavor of how the patial atom and the dicrete tranition interact, we derive a variant of the reervation lemma, which we proved informally in our previou work. Lemma 4.11 (Reervation [Hil+11]). A reervation of a car c oberved directly after c created it, wa either already preent or i due to a previouly exiting claim. I.e., auming t, v t, r(d) v and c = d, the formula r(c) re(c) (re(c) cl(c)) hold. Formally, thi i the following rule. t, v t r(d), v t, v : c = d t, v : r(c) re(c) (re(c) cl(c)) Proof. The exitence of the tranition i of major importance for the elimination of the box modality in the proof uing the backward reaoning rule. We ue two auxiliary derivation, which allow u to infer the exitence of a reervation on the naphot after taking a tranition. Π S : [t, v : re(c)] 1 [t, v t r(d), v ] 2 t, v : c = d t, v : re(c) r S Π A : [t, v : cl(c)] 1 [t, v t r(d), v ] 2 t, v : c = d t, v : re(c) r A Now we preent the derivation to get the right hand ide of the equivalence from the left hand ide, and vice vera. 55

70 4 Modal Logic for Freeway Traffic Π : Π : Π S t, v : re(c) Π A t, v : re(c) [t, v : re(c) cl(c)] 3 E1 t, v : re(c) r(d) I 2 t, v : r(d) re(c) t, v : r(c) re(c) t, v : c = d Subtri [t, v : r(c) re(c)] 3 t, v : c = d Subt ri t, v : r(d) re(c) t, v t r(d), v r(d) E t, v : re(c) t, v t r(d), v t, v : c = d r(d) A t, v : re(c) cl(c) We can ue the rule I to get the deired derivation. Π Π t, v : r(c) re(c) t, v : re(c) cl(c) I3 t, v : r(c) re(c) (re(c) cl(c)) From now on, we will often omit the name of the rule ued in the proof. However, every application of a rule which eliminate ome aumption will be explicitly denoted, both by it name and with an index to refer to the eliminated aumption. A tated in Section 4.1, we ue free to denote free pace on a lane. To how that the abbreviation given i well-behaved, we how the oundne of the following rule. t, v : free t, v : l > 0 Extfree t, v : free t, v : ω = 1 Lanefree t, v : free t, v : free free denefree Lemma The rule concerning the patial propertie of free are ound. Proof. The rule Extfree and Lanefree are a imple application of E. The derivation of denefree i more involved. The root of the proof tree i a derivation of the following hape. t, v : free t, v : l > 0 t, v : l > 0 l > 0 Π 1 t, v 1 : free t, v : free free Π 2 t, v 2 : free [v = v 1 ɵ v 2 ] 1 t, v : free free E1 Now we have to how how to derive t, v i : free from t, v 1 : l > 0, t, v 2 : l > 0 and v = v 1 ɵ v 2 for i = 1 and i = 2. Since both proof tree are tructurally imilar, we only how the tree for i = 1. The main idea i to aume t, v 1 : free, which we identify with t, v 1 : l = 0 (ω = 1) c: (( (re(c) cl(c))) ) and derive a contradiction. Furthermore, we ue the expanded form of l φ, i.e. (( φ) ) and, to enhance the readability of the proof, we merge two application of E into one ternary application. So, Π 1 will eentially be 56

71 4.2 Proof Sytem [t, v 1 : l > 0] 1 [t, v 1 : l = 0] 3 [t, v 1 : free] 2 t, v 1 : t, v 1 : E2 t, v 1 : free where Π ω 1 i given a follow. Π ω 1 t, v 1 : Π 1 t, v 1 : E3 t, v : free t, v : ω = 1 [v = v 1 ɵ v 2 ] 1 t, v 1 : ω = 1 [t, v 1 : (ω = 1)] 3 t, v 1 : The main part lie in the proof tree Π 1, which we till have to plit. [t, v 1 : ( (re(c) cl(c))) ] 4 [t, v 1 : c ( (re(c) cl(c))) ] 3 t, v 1 : E4 t, v 1 : Π 1 t, v 1 : E5 The proof tree Π 1 i an intermediate tep to relate the aumption that a reervation or a claim exit in the ituation on the left view v 1 with the major premi that no reervation or claim exit on the whole of v. [v = v 1 ɵ v 2 ] 1 [v 1 = v L ɵ v R ] 5 Ev v = v L ɵ v Π v 1 t, v : EE6 t, v : t, v 1 : The comparion hinted at in the decription of Π 1 i made explicit in Π v 1. On the left hand ide of the proof tree, we join the part of the view we got in Π 1 to derive, that a reervation or claim of c exit on the whole view v, which contradict the aumption that v atifie free. [t, v L : (re(c) cl(c))] 5 t, v : [v = v L ɵ v ] 6 t, v : ( (re(c) cl(c))) t, v : t, v : free t, v : c (( (re(c) cl(c))) ) t, v : (( (re(c) cl(c))) ) A tated above, the proof tree for the ituation at v 2 i tructurally imilar. Finally, we have created a well-tructured proof tree, where all application condition are atified, and the only open aumption i t, v : free. We can alo derive rule tating the ditributivity of chop over dijunction. t, v : (ϕ ψ) χ t, v : (ϕ χ) (ψ χ) Ditr t, v : (ϕ χ) (ψ χ) Ditr t, v : (ϕ ψ) χ Lemma The rule Ditr are derived rule. Proof. The proof for the left-hand rule i given by the following derivation: 57

72 4 Modal Logic for Freeway Traffic t, v : (ϕ ψ) χ [t, v 1 : (ϕ ψ)] 2 E 1 t, v : ϕ χ ψ χ [t, v 1 : ϕ] 1 [t, v 2 : χ] 2 [v = v 1 ɵ v 2 ] 2 t, v : ϕ χ t, v : ϕ χ ψ χ t, v : ϕ χ ψ χ E2 [t, v 1 : ψ] 1 [t, v 2 : χ] 2 [v = v 1 ɵ v 2 ] 2 t, v : ψ χ t, v : ϕ χ ψ χ The right-hand rule i derived imilarly. The end of the proof tree i given a: t, v : (ϕ χ) (ψ χ) Π ϕ t, v : (ϕ ψ) χ t, v : (ϕ ψ) χ Π ψ t, v : (ϕ ψ) χ E1 The proof tree Π ϕ i a imple application of I and E. [t, v : ϕ χ] 1 [t, v 1 : ϕ] 2 t, v 1 : ϕ ψ [t, v 2 : χ] 2 [v = v 1 ɵ v 2 ] 2 t, v : (ϕ ψ) χ t, v : (ϕ ψ) χ E2 The proof tree Π ψ i tructurally imilar, where t, v 1 : ψ i ubtituted for t, v 1 : ϕ. Even though the omewhere modality i only defined a an abbreviation, we preent explicit elimination and introduction rule. Thee are ueful horthand, ince in mot practical cae thi modality play an important role (ee for example the cae tudy in Chap. 7). [v = v L ɵ v m ] [v m = v m ɵ v R ] [v m = v D v m] [v m = v ub v U ] [t, v ub : ϕ] t, v : ϕ t, v : χ. t, v : χ E v = v L ɵ v m v m = v m ɵ v R v m = v D v m v m = v ub v U t, v ub : ϕ I t, v : ϕ In the rule E, the intermediate view v L, v R, v D, v U,v m, v m, v m, and v ub may not occur in any aumption t, v : χ depend on, except for the aumption eliminated by the application of thi rule. Lemma The omewhere introduction and elimination rule are derived rule. Proof. The derivation are traightforward application of the chop introduction and elimination rule, repectively. 58

73 4.3 Undecidability of Spatial MLSL 4.3 Undecidability of Spatial MLSL In thi ection we give an undecidability reult for the patial fragment of EMLSL, i.e., we do not need the modalitie for the dicrete tate change of the model or the evolution. We will call thi fragment patial MLSL, ubequently. We reduce the halting problem of two-counter machine, which i known to be undecidable [Min67], to atifaction of patial MLSL formula. Intuitively, a two-counter machine execute a branching program which manipulate a (control) tate and increment and decrement two different counter c 1 and c 2. Formally, two counter machine conit of a et of tate Q = {q 0,..., q m }, ditinguihed initial and final tate q 0, q fin Q and a et of intruction I of the form hown in Tab. 4.1 (the intruction for the counter c 2 are analogou). The intruction mutate configuration of the form = (q i, c 1, c 2 ), where q i Q and c 1, c 2 N into new configuration: Table 4.1: Intruction for Counter c 1 of a Two-Counter Machine Intruction (q, c 1, c 2 ) q c+ 1 q j (q j, c 1 + 1, c 2 ) (q, 0, c 2 ) q c 1 q j, q n (q j, 0, c 2 ) (q, c + 1, c 2 ) q c 1 q j, q n (q n, c, c 2 ) A run from the initial configuration of a two-counter machine C = (Q, q 0, q fin, I) i a equence of configuration (q 0, 0, 0) i 0... (q ip p+1, c p+1, c p+1 ), where each i j i an intance of an intruction within I. If q p+1 = q fin, the run i halting. We follow the approach of Zhou et al. [ZHS93] for DC. They encode the configuration in recurring pattern of length 4k (for k R + ), where the firt part contitute the current tate, followed by the content of the firt counter. The third part i filled with a marker to ditinguih the counter, and i finally followed by the content of the econd counter. Each of thee part i exactly of length k. Zhou et al. could ue ditinct obervable for the tate of the machine, counter and eparating delimiter, ince DC allow for the definition of arbitrary many obervable variable. We have to modify thi encoding ince within patial MLSL we are retricted to two predicate for reervation and claim, and the derived predicate for free pace, repectively. Furthermore, due to the contraint on EMLSL model in Def. 3.1, we cannot ue multiple occurrence of reervation of a unique car to tand, e.g., for the value of one counter. Hence we have to exitentially quantify all mention of reervation and claim. We will never reach an upper limit of exiting car, ince we aume I to be countably infinite. The current tate of the machine q i i encoded by the number of lane below the current configuration, the tate of each counter i decribed by a equence of reervation, eparated by free pace in between. A ingle claim identifie the border between the counter. To afely refer to the tart of a configuration, we ue an additional marker 59

74 4 Modal Logic for Freeway Traffic coniting of a claim, an adjacent reervation and again a claim. Each part of the configuration i aumed to have length k. Free pace eparate the reervation within one counter from each other and from the delimiter. Intuitively, a configuration i encoded a follow: i 0 marker free, re cl free, re cl To enhance the readability of our encoding, we ue the abbreviation 5k marker c cl(c) c re(c) c cl(c) to denote the tart of a configuration. Like Zhou et al., we enure that reervation and claim are mutually excluive. mutex c, d [cl(c) re(d)) (re(c) cl(d)]. We do not have to conider free, ince it i already defined a the abence of both reervation and claim. Oberve that we ue the quare bracket to denote the everywhere modality (cf. Sect. 4.1). The initial marking (q 0, 0, 0) i then defined by the following formula. init [ c cl(c)] marker k free k ( c cl(c)) k free k ( c cl(c)) k ω = 0 We have to enure that the configuration occur periodically after every 5k patial unit. Therefore, we ue the following chema Per(D). Oberve that we only require that the lane urrounding the formula D do not contain claim. Thi enure on the one hand that no configuration lie in parallel with the formula D, ince well-defined configuration have to include claim. On the other hand, it allow for the atifiability of the formula, ince we do not forbid the occurrence of reervation. Thee are are needed for the claim within the configuration, due to the fact that each claim ha to be adjacent to a reervation. Per(D) [ c cl(c)] D [ c cl(c)] l = 5k l = 5k [ c cl(c)] D [ c cl(c)] Note that we did not contrain on which lane the periodic behaviour occur. Thi will be defined by the encoding of the operation. 60

75 4.3 Undecidability of Spatial MLSL Now we may define the periodicity of the delimiter and the counter. Here we alo have to lightly deviate from Zhou et al.: we are not able to expre the tatement almot everywhere free or re(c) hold directly. We have to encode it by enuring that on every ubinterval with a length greater than zero, we can find another ubinterval which atifie free or re(c). Thi expree in particular, that no claim may occur, due to the mutual excluion property. periodic Per(( l (l > 0 (free c re(c)) ) ω = 1) k ) Per(( c cl(c)) k ) Per(marker k ) c + 1 We turn to the encoding of the operation q i q j, i.e., the machine goe from q i to q j and increment the firt counter by one (the other operation can be defined in an analogou manner). Similar to Zhou et al., we ue encoding of the form (D 1 D 2 ), meaning whenever the beginning of the view atifie D 1, the next part atifie D 2. The formula following F 1 copie the reervation of counter one of tate q i to the correponding place in counter one in tate q j. F 1 marker k l < k c re(c) (( c re(c) ) l = 5k) ω = i l = 0 ( c re(c) ) ω = j We ue a imilar formula F free to copy the free pace before the reervation. Oberve that we do no copy the lat free part of the counter, ince we intend to add another reervation. Due to pace limitation, we ue the following abbreviation to identify the occurrence of free pace in front of reervation: free re = ((free ) (free c cl(c) ) l = 5k). On the one hand, the formula enure that we find an occurrence of free pace at the beginning of the current interval. On the other hand, it prohibit thi occurrence to be the lat free pace at the end of the counter. F free = marker k l < k free free re ω = i l = 0 (free ) ω = j The formula F 2 and F 3 handle the addition of another reervation to the counter. We have to ditinguih between an empty counter and one already containing reervation. F 2 marker k free k l = 5k ω = i (free c re(c) free) k ω = j 61

76 4 Modal Logic for Freeway Traffic F 3 marker k l < k c re(c) ((free c cl(c) ) l = 6k) ω = i (free c re(c) free c cl(c)) k ω = j In addition, we need formula which copy of content of the econd counter to the new configuration, imilar to F 1. Let I C be the et of the machine intruction and F (i) be the conjunction of the formula encoding operation i and q fin it final tate. Then halt(c) init periodic mutex l F (i) l i I C c cl(c) ω = fin. If and only if halt(c) i atifiable, the machine contain a halting run. Thi hold ince only configuration may contain claim (a defined in the formaliation of periodicity), and whenever the machine reache it final tate, it halt. Hence the halting problem of two counter machine with empty initial configuration reduce to atifiability of patial MLSL formula. Propoition 4.1. Let C be a two-counter machine. Then C ha a halting run if and only if halt(c) i atifiable. Proof. if. Let T S, V, ν = halt(c), where V = (L, X, E). Oberve that all variable occurring in halt(c) are exitentially quantified, and hence we may ignore the value of ν. We divide X into part of length 5k, i.e., we have X = 5k + r, where 0 r < 5k, which mean X = [a, b] = [a + (d 1) 5k, a + d 5k] [a + 5k, b]. d=1 We denote e d=1 [a + (d 1) 5k, a + d 5k] by X e. Let X = [a + (d 1) 5k, a + d 5k] and X = [a + d 5k, a + (d + 1) 5k] for ome 0 < d <. Now aume that at X, lane m contain a configuration, i.e., T S, V {m} X = marker k ( l (l > 0 (free c re(c)) ) ω = 1) k c cl(c) k ( l (l > 0 (free c re(c)) ) ω = 1) k c cl(c) k 62

77 4.3 Undecidability of Spatial MLSL By interpreting periodic on T S, V X X we get that there i a lane m uch that T S, V {m } X = marker k ( l (l > 0 (free c re(c)) ) ω = 1) k c cl(c) k ( l (l > 0 (free c re(c)) ) ω = 1) k c cl(c) k Furthermore, the formula periodic prevent that there exit a lane different from m containing uch a ituation, ince for it to hold, all other lane are forbidden to contain claim at X. Hence we have exactly one configuration on all part [a+(d 1) 5k, a+d 5k]. We can extract a run for C from T S, V from halt(c) by induction on d a follow. Let d = 1. Then init enure that on lane 0, there i a configuration with no reervation between the marker and the firt claim and between the firt and the econd claim. Hence, we have a run tarting and ending with (q 0, 0, 0). A the induction hypothei, we aume that for 1 d <, we can extract a run R = (q 0, 0, 0) (q i, c 1, c 2 ) from T S, V Xd. For d + 1, we know by the argument above, that there exit exactly one configuration on [a + d 5k, a + (d + 1) 5k]. Since C i determinitic, for the configuration on lane i, there i at mot one et of formula applicable. We only how the cae for intruction incrementing counter one. Let F 1, F 2, F 3, F free be the applicable formula, which we will interpret on X d+1 \ X d 1, i.e. the interval X + = [a + (d 1) 5k, a + (d + 1) 5k]. Thi interval i exactly 10k long and tart with marker k on lane i. Then F 1 tate that for each reervation in the repreentation of the firt counter, i.e., where l < k c re(c) hold, we find a reervation on lane j exactly 5k pace unit onward. The outermot negation enure that each poible chop point i conidered, in particular the chop point arbitrarily cloe to the end point of the reervation. F free enure in a imilar way, that for each free pace in front of a reervation in thi repreentation, we have free pace exactly 5k pace unit onward on lane j. Hence, all reervation and the free pace in between i preent on lane j. Now we conider two cae. When there i no reervation between the marker and the firt ingle claim, then F 2 replace thi free pace by a reervation encloed by free pace, i.e., the end configuration of the run wa (q i, 0, c 2 ) and the reulting configuration i (q j, 1, c 2 ). The econd counter wa copied like the firt. If there wa a reervation before the lat free pace, then F 3 replace thi lat free pace imilarly by a reervation encloed by free pace on lane j, i.e., the configuration (q i, c 1, c 2 ) i changed to (q j, c 1 + 1, c 2 ). Hence, in both cae we defined the increment of counter 1 together with a tate change from q i to q j, which i by contruction an intruction of C, hence R (q j, c 1, c 2 ) i a valid run of C. The other cae are analogou. Now if we did extract a run from the atifying model of halt(c), we have two poibilitie. Firt, if r = 0, then the configuration at tep i the lat of R. Then the lat conjunct of halt(c) enure, that a final tate wa reached, hence R i a halting run. Otherwie, if r > 0, then imilarly it i enured that on thi lat part of V, the lane correponding to the final tate ha been reached. Since alo the lat change ha to be initiated by a formula a before, there i an intruction to complete R to a halting run. only if. 63

78 4 Modal Logic for Freeway Traffic Let R = (q 0, 0, 0) (q fin, c 1, c 2 ) be a halting run of C with d + 1 configuration, i.e. q d = q fin. We create a model T S, V with V = (L, X, E) with X = (d + 1) 5k and L = Q + 1 a follow. For a configuration (q i, c 1, c 2 ) at tep d, we define three car C d,0, C d,1, C d,2 with po(c d,e) = d 5k + e k/3 for e {0, 1, 2} re(c d,0) = re(c d,2) = {i + 1} re(c d,1) = {i} clm(c d,0) = clm(c d,2) = {i} clm(c d,1) = Ω E (C d,e, T S) = k/3 for e {0, 1, 2} Thee car atify marker k. For the claim marking the end of counter 1 and 2 repectively, we define C d,4 and C d,6 a follow. po(c d,4) = d 5k + 2k po(c d,6) = d 5k + 4k re(c d,4) = re(c d,6) = {i + 1} clm(c d,4) = clm(c d,6) = {i} Ω E (C d,4, T S) = Ω E (C d,6, T S) = k For the definition of the firt counter, we need the maximum value max of both counter on the whole run. Then we define a equence of car C d,3,x, where 1 x c 1 if c 1 > 0. For each uch car we et ( ) po(c d,3,x) = d k 5k + 3k + (2x + 1) max re(c d,3,x) = {i} clm(c d,3,x) = k Ω E (C d,3,x) = max Otherwie, no uch equence i added. For the econd counter, we define a imilar equence C d,5,x with 1 x c 2 if c 2 > 0. If we create uch et of car for each configuration, the formula halt(c) i atified, if the run i halting. The main theorem of thi ection i a corollary of Prop Theorem 4.2. The atifiability problem of patial MLSL i undecidable. Even though we ued the full power of patial MLSL in the proof, i.e., we ued both l and ω, the proof would be poible without uing the latter. For that, we would not be 64

79 4.4 Related Work able to encode the tate of the configuration in the lane, but by a imilar way to the marker in the formula. For example, the formula ( c cl(c) c re(c) c cl(c)) k would denote the tate q 0, and with another iteration of re(c), it would denote q 1 and o on. If we remove the reference to more than one lane in each of the formula above, the reervation and claim would already imply that only one lane exit, and hence, the ue of ω within the abbreviation free could be omitted. Thi how that patial MLSL i already undecidable even if we only ue l. 4.4 Related Work Within thi chapter, we concentrated on patial reaoning with a labelled tranition ytem of metric pace a emantic. Another variant of logic which are called patial are logic for reaoning about tructural propertie of dicrete ytem, e.g. proce algebra like the π-calculu [MPW92] or the ambient calculu [CG98], or a a more general approach graph. The patial logic for concurrency [CC01] i a very expreive language to decribe procee with dynamically changing tructure. It contain everal patial modalitie to refer to the tructure of procee a well a behavioural modalitie to reaon about the poible meage a proce may end to the environment and firt- and econd-order quantifier. With thi et of operator, fixpoint operator and a validity predicate can be defined within the logic. The equent calculu for thi logic [CC04] ue a et of contraint to tore aumption about poible freh name, which i in a ene imilar to the label and relational formula in our proof ytem. Baldan et al. preented a logic for verification purpoe of graph tranformation ytem [BKK03]. Their approach relie on monadic econd-order quantification and explicit predicate referring to the label of edge and their ource and target. Even though the logic i defined to reaon about arbitrary graph tructure, the et of predicate i imilarly to EMLSL very retricted. Mot related work on patial logic in the ene of thi chapter i focued on purely qualitative patial reaoning [APB07], e.g., the expreible propertie concern topological relation [RCC92]. Shao et al. preented a temporal extenion of uch a qualitative patial logic to pecify propertie of hybrid ytem [Sha+13]. They ue an approach of Finger and Gabbay [FG92] to add topological pace to a linear model of time. However, how the pace evolve over time ha to be explicitly defined within the ytem they deign. Thi contrat our definition, where thee evolution are hidden in the model, and hence not directly acceible by the operator of EMLSL. Logic expreing quantitative patial propertie are rare, an example i Schäfer Shape Calculu (SC) [Sch05], which i a very general extenion of Duration Calculu. On the one hand the focu of EMLSL lie on a retricted field of application, i.e., freeway traffic, and hence EMLSL i more retricted than SC. On the other hand, a direct tranlation into SC or one of it decidable ubet fail, ince in SC quantification i only poible over variable ued in length meaurement. In EMLSL however, quantification over car i allowed, which reemble quantification over patial propertie (e.g., the exitence 65

80 4 Modal Logic for Freeway Traffic of a reervation at a certain point within a view). Thi would have to be modelled by quantification on obervable in SC. Hence, for identifying a ubet of EMLSL where atifaction i decidable, retricting the number of car to be finite eem inevitable. From a more general point of view, EMLSL i a multi-dimenional multi-modal firtorder logic uing three ort of variable. Marx and Venema have further examined different propertie of multi-dimenional modal logic [MV97]. For them, multi-dimenionality tem from the model themelve, i.e., a logic i multi-dimenional, if the model conit of tupel of element taken from more baic et. Our model incorporate many different type of element, and hence are multi-dimenional in their ene. But they only conider homogeneou model, i.e., where all dimenion are imilar, while our dimenion behave very differently. For example, the vertical dimenion i dicrete, while the horizontal dimenion i dene. The temporal dimenion, i.e., the dicrete and continuou tranition, again behave in very different way. Furthermore, EMLSL conit of variou different modal operator, which are not interdefinable. However, the modalitie are trongly interconnected, e.g. the creation of a reervation only ha an effect, if there wa a preceding creation of a claim for the ame car. Due to thi interdependence of the acceibility relation, EMLSL i not imply a fuion [Gab+03] of the correponding uni-modal language. In the definition of EMLSL, we choe to keep the domain of quantification contant on all reachable world. In a previou preentation [Hil+11], the quantifier were evaluated on the et of viible car within a view. However, for the content within thi chapter, contant domain eae the definition of the proof ytem and prohibit certain urpriing pecial cae. For example, equality could not be guaranteed to be a rigid predicate in the cae of varying domain, ince the car under conideration may be viible in one view, but not in it ubview. Such ubtle intricacie are typical for firt-order modal logic with varying domain [FM98]. For car, the exitence predicate of free logic [Ben86] can be emulated, ince exitence in our etting correpond to viibility to the owner of the current view. I.e., we can ue the formula re(c) cl(c) to relativie our quantor. For example intead of c ϕ we would ue c re(c) cl(c) ϕ to mimic varying domain. More pecifically, we can emulate decreaing domain with repect to the patial acceibility relation. Labelled natural deduction for (multi-)modal logic ha been tudied intenely recently. E.g., when the rule for relational formula can be defined with horn claue a antecedent, nice meta-theoretical propertie like normaliation of proof can be etablihed [BMV98; Vig00]. In intuitionitic modal logic, imilar reult are obtained, when the relational theory i defined uing only geometric equent [Sim94]. Unfortunately, even with our retricted et of rule for view relation, thee reult do not carry over to our etting, ince we made ue of exitential quantification on view. In particular, the rule EE merge relational and logical deduction. The et of rule for dynamic tranition i mall and only concern the length of paing time and abtract tranition. Rule tating the poibility of tranition for, e.g., the creation of reervation, need to ue patial atom a premie (in thi cae the exitence of a claim) and relational formula a concluion (the exitence of the tranition). Hence, proof would integrate relational and logical deduction even more. 66

81 4.4 Related Work Raga et al. invetigated the fibring [CSS05] of labelled deductive ytem [Ra+02]. They ditinguih between two different type of fibration. The firt type of ytem i generated by treating all operator a unique, i.e., the operator from the different ytem can not interact directly. In particular, if the ytem ue Boolean operator, thee operator are not immediately equivalent. In the econd type of fibration, operator type common to all ytem may be merged to a ingle et of operator. E.g., uch a combination i needed, if the fibration hould only ue one et of Boolean operator and quantor. We aume that the deduction ytem of Sec. 4.2 i a fibring of the econd type, where the Boolean operator are hared between all deduction ytem involved. A further claification of EMLSL (or a uitable ubet) and it proof ytem within the framework of fibring and multi-dimenional logic would be of interet. If we can find ubet of the deductive ytem which poe uited characteritic, e.g., the finite-model property, we may be able to ue preervation reult [CSS11]. However, already the definition of EMLSL within thi framework i a laboriou challenge. 67

82

83 5 Viual Logic for Freeway Traffic Content 5.1 Concrete Syntax Convenience Formaliing Sanity Abtract Syntax Topological Sequence and Lane Sequence Spatial Diagram Temporal Sequence Semantic Decidability of Spatial Traffic Diagram Related Work During the work on afe lane change controller, we often ued viual depiction of traffic ituation for analyation purpoe. Naturally thi prevalence of diagram led to the quetion whether we could give thee depiction a formal emantic and ue them during proof. In thi chapter we preent a formaliation of our intuitive viualiation. Thi diagrammatic language of Traffic Diagram i looely baed on previou work on a viual language regarding pace and time [Lin10]. The intent of Traffic Diagram i to enable uer to viually reaon about patial and temporal apect of multi-lane traffic. Therefore, thee diagram are interpreted on the abtract road model of EMLSL. The diagram hall denote contraint on the current model. That i, the element hown in the diagram are enured to be preent, while propertie not mentioned within a diagram may have arbitrary value. Hence the diagram retrict the model in a imilar fahion a EMLSL. An example of a purely patial traffic diagram i given in Fig The depicted patial ituation i contained in a dahed rectangle, called a layer. Two adjacent lane are hown, 69

84 5 Viual Logic for Freeway Traffic ego [2, 5] a [2, 5] c Figure 5.1: Spatial Traffic Diagram where two car a and c are driving on the lower lane, and ego i driving on the other. The part of a lane not occupied by any car hown in the diagram are denoting free pace on the road. Contraint on the ditance between the car are hown a ditance arrow, labelled with real-valued interval i I. Thi diagram may, e.g., be part of a very fine grained pecification of a car platooning ytem. It decribe a precondition for ego to join the platoon built by a and c by changing lane. In particular, ego ha to check whether the ditance to the other two car i at leat two and at mot five meter. The idea of the mall ditance between the car i that the ytem may ue the liptream to lower the fuel conumption of the platoon on a global level. Such patial diagram can be connected by duration arrow alo labelled by interval to create patio-temporal equence. A duration arrow contrain the time allowed to pa between the patial layer, i.e., the freeway ituation, it connect. We allow for negation and conjunction a well a exitential quantification on the level of layer and of connected equence of diagram. Within traffic diagram, variable may be ued in two way. Depiction of car may be labelled with variable, while the bound of interval are either variable or real number. The variable allow the uer to connect different ditance and car along everal part of a diagram. 5.1 Concrete Syntax A major difference between diagrammatic and tandard entential logic i the tronger ditinction of diagrammatic yntax into two level [How+02; Dau04b; Dau09], the abtract (or type) and concrete (or token) yntax. The former i typically a formal mathematical contruct, decribing the poible relationhip between it element, while the latter decribe the repreentation of the abtract diagrammatic element. Howe et al. ue a mathematical definition of both yntactic level and relate the yntactic level by uited homomorphim [How+02]. In contrat, Dau argue that the concrete yntax doe not benefit from uch a rigorou treatment [Dau04b; Dau09]. Intead, he emphaie that uch a definition would lead to unneceary technicalitie. Furthermore, it would till not olve the problem of relating the mathematical concrete yntax with the drawing on, e.g., paper. For the preentation of traffic diagram, we follow Dau by defining convention for drawing the yntactic element. We employ a two-orted et of variable Var, coniting of the et of car variable CVar 70

85 5.1 Concrete Syntax and length variable RVar with typical element c, d CVar and x, y RVar, repectively. Similar to EMLSL, we ue a contant ego, to denote the current local car. For temporal purpoe, we ue real-valued interval, i.e., interval, where both bound are concrete real value. The other type of interval are variable interval, where we allow the bound to be either real number or real-valued variable. In both type, i allowed a a right bound of an interval. Recall that we denote the et of real-valued interval by I and the et of variable interval by I Var (cf. Sect 2.1). Furthermore, we denote the et of dicrete action of car by A = {r(c), c(c), wd r(c), wd c(c) c CVar}. The baic element of the concrete yntax of traffic diagram are given in Tab Table 5.1: Diagrammatic Element of Traffic Diagram (α I A and i I Var ) Diagrammatic Element Name Sequence, Full/Partial Layer Unpecified Space, Exact/Wide Lane Separation c c, Reervation, Claim α, Temporal Arrow i D 1 D 2 D x D Ditance Arrow Conjunction Negation Exitential Quantification Thee element are arranged according to the following definition. The patial ituation on ingle lane i captured in topological equence a given below. Thee equence only decribe the qualitative ituation, i.e., which car drive where in relation to other car on the lane. A car i repreented by a reervation or a claim, denoted by olid and dotted irregular pentagon, repectively. Repreentation of car may interect with each other, and their horizontal poition may coincide. In the latter cae, we hift the depiction of the car againt each other in vertical direction to emphaie the preence of more than one car. Car have to be 71

86 5 Viual Logic for Freeway Traffic labelled with variable taken from CVar. Unpecified pace i depicted a a haded part of a lane, while free pace i jut white pace between car and/or unpecified pace. Definition 5.1 (Topological Sequence). A topological equence conit of a horizontally arranged equence of reervation, claim, and unpecified pace, in the following manner. All element have to be of roughly the ame height. Reervation and claim may overlap. If they do, the uer i free to hift ingle reervation and claim vertically, to enhance the viibility of the overlap. All reervation and claim have to be labelled by exactly one variable c CVar or ego. Adjacent reervation or claim have to be labelled differently. Unpecified pace may not overlap with any reervation or claim. There may be blank between the element of the topological equence. Thee blank are free pace. c d ego b Figure 5.2: Example of a Topological Sequence Thi definition implie that a topological equence can be uniquely divided into topological ituation, i.e., a poible overlap of reervation and claim, unpecified pace or free pace. Thi obervation give u the poibility to treat topological ituation one at a time. Example 5.1. Conider the topological equence in Fig It conit of even different topological ituation (from left to right): 1. the reervation of the car named c, 2. the unpecified pace, 3. the claim of the car named d, 4. the free pace between the claim of d and the reervation of ego, 5. the reervation of ego, 6. the overlap of the reervation of ego and the claim of b and 7. the claim of the car named b. Each of thee ituation a well a their order within the equence can be uniquely derived from the depiction in Fig Since topological equence decribe ingle lane, and we want to decribe multi-lane traffic, we have to be able to decribe the patial ituation on adjacent lane at once. We alo want to have the poibility to omit irrelevant lane from the pecification. We therefore introduce lane eparation, which have to be drawn between topological equence. Solid eparation denote that the lane are adjacent, while dahed eparation mean that there may be ome omitted lane between the depicted topological equence. 72

87 5.1 Concrete Syntax Definition 5.2 (Lane Sequence). A lane equence conit of one or more topological equence arranged vertically, which are eparated by wide or exact lane eparation. top. equence top. equence top. equence top. equence Figure 5.3: Example of a Lane Sequence Example 5.2. Conider the abtraction of a lane equence hown in Fig It conit of four topological equence, which we do not define any further, and lane eparation in between. The lowet lane eparation i wide, while both of the upper eparation are exact. Note that the equence doe not have lane eparation a it upper or lower boundary. Up to now, only qualitative apect of pace are decribable with the given definition. Since in the etting of multi-lane traffic quantitative contraint a within two and three meter may be of interet, we introduce method to meaure pace between car (both reervation and claim). Thi i done via ditance arrow. The limitation given in the definition may eem arbitrary at the moment, but they allow for a non-ambiguou definition of abtract type of diagram in Sect Definition 5.3 (Ditance Arrow). An arrow between border of reervation and/or claim i called a ditance arrow. Such an arrow ha to be drawn horizontally. Ditance arrow may connect reervation and/or claim in different topological equence. In thi cae, we require that the arrow i drawn within one of thee equence and the border of the reervation/claim in the other equence i extended by an auxiliary vertical dahed line to meet the arrow. If the ource and target of a ditance arrow lie within the ame topological equence, the ource mut be to the left of the target. Ditance arrow are alway drawn olid and have to be labelled with an interval i I Var. [3,4] f c d [3, x) ego Figure 5.4: Example of Ditance Arrow 73

88 5 Viual Logic for Freeway Traffic Example 5.3. Figure 5.4 how an exemplary lane equence with two ditance arrow. The upper ditance arrow connect the right border of the reervation of the car c with the left border of f reervation. It i labelled with the cloed interval [3, 4]. Note how the border of the reervation of c i extended by the dahed line. The other arrow connect the claim of d with the reervation of ego. Thi arrow i attached to the left border of both it ource and it target. It label contain the variable x a the right border of the half-open interval [3, x). Now we have everything at hand to decribe multi-lane traffic ituation diagrammatically. For atomic ituation, we need a lane equence, poibly with ditance arrow within the equence, and urround it with a dahed or olid rectangle. The former denote that only a part of the current ituation on the road i decribed, while the latter enforce that the perceived part of the road i fully compatible with the diagram at hand. Furthermore, a haded rectangle without a urrounding border denote an arbitrary patial ituation. In addition, we allow for Boolean combination of uch decription and exitential quantification on variable occurring in within topological ituation or within label of ditance arrow. Definition 5.4 (Spatial Diagram). The language of patial diagram i given by the following inductive definition. A haded rectangle i an atomic patial diagram. Let L be a lane equence together with ditance arrow within the equence. Adding a olid (or dahed, repectively) rectangle around L yield an atomic patial diagram, called a full (or partial, repectively) layer. Let S be a patial diagram. Surrounding S with a hook on it left and top ide reult in the patial diagram S, the negation of S. Let S 1 and S 2 be patial diagram. Juxtapoing S 1 and S 2 and adding one dahed vertical line left of S 1 and one right of S 2 yield a patial diagram, the conjunction of S 1 and S 2. Let S be a patial diagram. Adding a olid rectangle around S with the label x for a variable x CVar RVar on top yield a patial diagram. No other diagram i a patial diagram. Finally, to decribe temporal apect of traffic, we lift the given definition to equence of patial diagram. The diagram are connected by arrow defining the poible time elaping or the different patial tranition happening between the patial ituation. A olid arrow annotated with a patial tranition denote that only thi tranition occur between the pecified naphot. If the arrow i labelled with an interval, there ha to be an evolution repecting the given interval between the naphot. Recall that thi mean that no dicrete tranition apart from change in acceleration may happen. For thi reaon, olid temporal arrow will alo be called precie temporal arrow. Dahed arrow, 74

89 5.1 Concrete Syntax however, may not carry a label. They allow for arbitrary tranition (i.e. an abtract tranition) occurring between the naphot, which i why they are called faint temporal arrow. If a olid arrow i annotated with the interval [0, ), the label may be omitted. Again, we allow for logical connective between equence. Thi yield the language of Traffic Diagram. Definition 5.5 (Traffic Diagram). The language of Traffic Diagram i given by the following inductive definition. Each patial diagram urrounded with a dotted rounded rectangle (a equence) i an atomic Traffic Diagram. Let S be a patial diagram and let T be a Traffic Diagram. Aligning S and T uch that S i above T in vertical order and connecting S with T via an unlabelled dahed arrow or a olid arrow labelled with either a real-valued interval or an action and urrounding thi whole equence with a dotted rounded rectangle yield a temporal equence. The arrow connecting S and T i called a temporal arrow. More pecifically, a olid arrow i called a duration arrow if it i labelled with an interval and a dicrete temporal arrow if it i labelled with an action. Let T be a Traffic Diagram. Surrounding T with a hook on it left and top ide reult in the Traffic Diagram T, the negation of T. Let T 1 and T 2 be Traffic Diagram. Juxtapoing T 1 and T 2 and adding a dahed vertical line left of T 1 and right of T 2 yield a Traffic Diagram, the conjunction of T 1 and T 2. Let T be a Traffic Diagram. Adding a olid rectangle around T with the label x for a variable x CVar RVar on top reult in the patial diagram T. No other diagram i a Traffic Diagram. We denote the et of all Traffic Diagram by D The notation for Boolean operator are inpired by the approach of Stapleton and Mathoff [SM07]. However, we choe to add two dahed vertical line to denote conjunction to have a cloer match between the abtract and concrete yntax. To expre negation of an element, we ue a line on top and on it left ide. While Stapleton and Mathoff ue only a line on top of diagram, we ue thi extenion to emphaie the difference between the negation of a ingle layer and a whole equence including the connecting arrow. For an example, ee Fig For exitential quantification, we ue the notation of viual firt-order logic (VFOL) [Sta+05], i.e., the cope of the quantification i denoted by a rectangle and the quantor together with the quantified variable i incribed on top of the cope. 75

90 5 Viual Logic for Freeway Traffic 5.2 Convenience In thi ection, we will remove redundancie and clutter from the formal diagram, while till maintaining a mathematically ditinct emantic. S 1 S 2 S 3 (a) Ambiguou Conjunction S 1 S 2 S 3 (b) Firt Poibility S 1 S 2 S 3 (c) Second Poibility Figure 5.5: Omiion of Notation for Conjunction Typically, conjunction of diagram would be denoted by juxtapoition, like, e.g. in viual firt-order logic [Sta+05]. We decided to include a notation mimicking parenthei to avoid ambiguitie between abtract and concrete yntax, which would be created by omitting a ditinguihed yntax element for conjunction. In particular, conjunction i uually a binary operator, while juxtapoition in general i of arbitrary arity. Conider a diagram D coniting of three juxtapoed equence S i a in Fig. 5.5a. Thi concrete diagram would have two repreentation in term of Traffic Diagram, a hown in Fig. 5.5b and 5.5c. Similar to rule for the omiion of parenthei for entential logic, we aume that uch ambiguitie are reolved by the firt poibility. That i, conjunction i left-aociative. A we will ee in Sect. 5.5, the emantic of the diagram which are now drawn imilarly are in fact the ame. The next implification involve the notion of equence. Within the concrete yntax, the dotted rounded rectangle denoting equence often eem uperfluou. For example, the equence around an atomic Traffic Diagram i not needed to identify thi cae. However, the equence are helpful to etablih the exitence of a unique repreentation for each Traffic Diagram in Sect D 1 D 2 D 1 D 2 (a) Sequence a Topmot Operator (b) Conjunction a Topmot Operator Figure 5.6: Ambiguitie with Sequence Conider the diagram in Fig. 5.6a and Fig. 5.6b. Sequence themelve will not add any retriction to the emantic, and hence both figure expre exactly the ame propertie. We will omit the notation of equence from the concrete depiction of Traffic Diagram in the following ection and chapter. For the ake of well-definedne, however, we aume thee diagram to be defined a in Fig. 5.6a. Finally, we will often denote a point-like interval, i.e., an interval of the form [x, x] by writing imply x. The context of thi notation will alway clarify, whether we mean the variable or uch an interval. 76

91 5.3 Formaliing Sanity 5.3 Formaliing Sanity In thi ection, we formalie the anity condition of the abtract model with uitable Traffic Diagram. We will preent the informal emantic of the diagram, o that the reader may get accutomed to the concrete yntax. Only afterward, in Sect. 5.4 and 5.5, will we tart to formalie both the abtract mathematical yntax, a well a the formal emantic of Traffic Diagram. Thee formaliation how typical form of Traffic Diagram. For example, all of thee diagram tate invariance propertie for all car by negating the aertion of the exitence of a car violating thi property. Furthermore, ome of the diagram can be directly read a implication. Conider, e.g., the tructure of Fig. 5.7e. Diregard the outer negation for the moment. Then, the diagram tate that there i a ituation, where the patial diagram to the left hold, but the negated diagram to it right doe not. That i, if we negate the whole diagram again, we get that there i no uch ituation. Hence, the left patial diagram implie the diagram under the inner negation at all reachable traffic naphot. Thee type of diagram will again arie in Chap. 7, where we ue the combination of EMLSL and Traffic Diagram to define a pecification for a afe lane-change controller. Furthermore, thee diagram tate propertie of the domain a a whole, thereby revealing thee propertie within the yntax of Traffic Diagram. Similar formaliation within EMLSL have been found by Hilcher [Hil14]. The anity condition of Def. 3.2 are given for ingle naphot only. For the axiomatic diagram however, we ue a notion correponding to invariant propertie along all poible tranition equence. That i, the correctne of thee diagram i a direct reult of Lemma 3.1. In thi ene, the diagram are a tronger aertion than the anity condition, ince they already incorporate their invariance along the tranition. However, the anity condition are defined for whole naphot, wherea the diagram may only tate the condition for the current view under conideration. Hence we can not ue thee diagram to replace the anity condition. The diagram depicting the anity condition are given in Fig The firt et of diagram i relatively eay. The fact that the reervation and claim of a ingle car never overlap i hown in Fig. 5.7a. Fig. 5.7b and 5.7c define the maximal number of reervation and claim for a ingle car in a imilar fahion. Note that the relative horizontal poition of the reervation (and claim) are not contrained, ince the topological relation between car on different lane are unpecified. Furthermore, the wide lane eparation allow for an arbitrary number of lane in between the reervation (and claim). Alo note that we allow for the non-exitence of reervation for car. On a firt glance, thi eem to contradict the anity condition 2 and 3, which explicitly require all car to occupy at leat one lane. However, ince we interpret the diagram on a view V, the reervation of car outide of V are not viible. Becaue we interpret the quantifier over all exiting car, whether or not they are viible in the current view, we have to allow for a car to not have any viible reervation. The diagram depicted in Fig. 5.7d denote that no claim may exit, whenever a car already reerve two lane. Note that within the diagram, the layer have to be atified imultaneouly and by the dijointne property of Fig. 5.7a, they may not coincide. 77

92 5 Viual Logic for Freeway Traffic c c c c c c c c c c (a) Dijointne (b) Maximum of Reervation (c) Maximum of Claim Figure 5.7: Sanity Condition a Diagram (I) Hence a atifying model ha either le than three lane, or at mot one of the layer in the diagram can be atified. Together with the previou axiomatic diagram, we get that either one reervation, one claim, or both one claim and exactly one reervation of a ingle car are viible in a view. However, outide of the current view, the car could poe an arbitrary number of claim and reervation. The diagram in Fig. 5.7e and Fig. 5.7f denote that reervation and claim of a ingle car have to be on adjacent lane. Both of thee diagram are eentially implication, where the part under an odd number of negation tate the premie and the evenly diagram give the concluion. In Fig. 5.7e, oberve that the mere exitence of two reervation of the ame car, a indicated by the wide lane eparation and the unpecified pace in front and in the back of the reervation, implie that thee reervation occur on adjacent lane, denoted by the exact lane eparation. The horizontal poition of the reervation are not contrained in any way. The diagram defining the adjacency of claim and reervation i a bit more complicated, ince we have to explicitly define the vertical poibilitie for the claim. On the other hand, the exitence of both the claim and the reervation i impler by uing two eparate partial layer. Note that we can not pecify Fig. 5.7e in a imilar way, ince two partial layer with a ingle reervation may refer to the ame ituation in the traffic naphot. In addition to the formaliation of the anity condition, we alo define two propertie which are only implicitly given by our model. Firt, we have to enure that reervation and claim are connected. That i, for each car, there i at mot one reervation on each lane. In the model, thi i implied by the definition of len V for a view V. For each car C, thi function return either the empty et, or exactly one interval giving the extenion C occupie on the lane it reerve. In the diagram, we can tate the exitence of two reervation or claim of one car, where arbitrary pace lie in between. Now the diagram 78

93 5.3 Formaliing Sanity c c c c (d) Maximum of Simultaneou Reervation and Claim Figure 5.7: Sanity Condition a Diagram (II) c c c c c c c c c c c c (e) Adjacency of Reervation (f) Adjacency of Reervation and Claim Figure 5.7: Sanity Condition a Diagram (III) in Fig. 5.8 expre that whenever we can find uch a ituation with the length x, we can alo find a connected reervation or claim of thi length. Since the quantifier are negated, thi hold in particular for the maximal poible value for x. The lat property of the model i partially formalied in Fig Thee diagram tate, that the tart and end point of reervation on different lane are the ame. That i, the reervation lie directly next to each other and not hifted. Again we ue ditance arrow to relate the reervation on different lane. Thi time, we do not only relate the length, but alo retrict the tart and endpoint of the reervation. Conider Fig. 5.9a. Whenever we find a reervation on the lower lane of length x, we can find a ituation, where the reervation on the upper lane i at leat of thi length. In particular, if x i the maximal length of the lower reervation (which i one of the cae for which the diagram ha to hold), then the upper reervation i of length x (ince the reervation may alo extend into the part denoted by the haded rectangle). In conjunction with Fig. 5.9b, which tate the invere relationhip between the reervation, we get that both 79

94 5 Viual Logic for Freeway Traffic c, x c, x c c x c x c c x c x (a) Connectedne of Reervation (b) Connectedne of Claim Figure 5.8: Connectedne of Car c, x c, x c c 0 0 c x c x c x c x c c 0 0 (a) Alignment of Reervation (b) Alignment of Reervation Figure 5.9: Alignment of Car reervation are of the ame length, and have to tart and end at the ame point. For contraining the alignment of claim, we would have to draw a imilar et of diagram for the cae when the claim reide below the reervation and vice vera. I.e., we need four diagram, which are tructurally imilar to the one preented in Fig We choe to omit thee diagram, ince they are eaily contructable from the given one. 5.4 Abtract Syntax Following the approach of Mina [Min00], we choe to define our abtract yntax in term of graph rewriting ytem, due to the generality of the approach and the relative implicity of the generated graph. In particular, the graph tranformation ytem will create a hypergraph G = (V, E, τ, θ, l) over a et of type T and of label O, which repreent the concrete yntax of a diagram. Recall that τ aign to each edge e E the equence of node v 0... v n (v i V) e viit, where the length of τ(e) i determined by 80

95 5.4 Abtract Syntax θ(e), the type of e. Finally, recall that l denote the labelling function of G. Example 5.4. To familiarie the reader with thi notation and it connection with the viualiation of the graph in thi ection, we preent the formal hypergraph G = (V, E, τ, θ, l) coniting of one of the cae hown in Tab Conider the edge repreenting an occupied topological ituation. We call the vertice of the graph in thi depiction v 1 to v 4, i.e., V = {v 1, v 2, v 3, v 4 }. The et of edge i only the ingleton et E = {e}. The type function aociate the type car with thi edge, i.e., θ(e) = car. Furthermore τ(e) = v 1, v 2, v 3, v 4. For the relation of the attachment function to the graph, we have to chooe the order the mnemonic name occur in the equence. Aume that and t are the firt two element of the equence, followed by l and r. That i, the tentacle viit v 1, the t tentacle v 2, the l tentacle viit v 3 and v 4 i viited by the r tentacle of e. Finally, the labelling of e i given by l(e) = (R, C). Within the graph repreenting the yntax, edge either repreent a diagrammatic element or the way an element i drawn, i.e., dahed or olid. The node erve a the attachment area of thee element, e.g., an edge denoting an arrow i viiting node that are alo viited by it ource and target. Label define the interval arrow are annotated with, the label on lane, a well a which reervation or claim a car repreent. The et of type i ditinguihed into two dijoint et of terminal T T and non-terminal type T NT. In the following, element of the former et will be written in an erif font, while non-terminal type will be capitalied. The minimal requirement for a graph G to be eligible a a repreentation of a diagram, i that G contain only terminal edge. More pecific tructural propertie for G will be given in Def A hown in Tab. 5.2, we employ everal terminal type to refer to the diagrammatic element. On the one hand, we ue equence, layer, true, lane, car, free, totrue, tarrow and arrow to repreent explicit element within the concrete yntax. Depite the fact that duration and ditance arrow are drawn alike, we ditinguih both type on the level of the abtract yntax already by referring to duration arrow with the type tarrow and to ditance arrow with arrow. On the other hand, the type partial and full (faint and precie, wide and exact) define whether a layer (arrow, lane eparation, repectively) i drawn dahed or olid. The Boolean operator are repreented by the type and, while the exitential quantifier i denoted by the type. The different type offer different tentacle. The p tentacle will be ued to refer to the parent of the edge at hand. The tentacle named o (o 1 and o 2, repectively) refer to the operand of the logical operator. Edge type with and t tentacle, denoting the ource and target of the edge, imply an order on the path created by thee edge of thee type. That i, they either repreent a lane equence, a topological equence or an arrow. The i tentacle of the type layer and equence refer to the interior of the concrete element the edge repreent. The tentacle with the name ty are ued to connect the edge repreenting layer or temporal arrow with their diagrammatic type, i.e., whether the layer i full or partial and whether the temporal arrow i precie or faint. The repreentation of ditance arrow need an auxiliary tentacle named c, which repreent the layer which contain the arrow. Thi tentacle i epecially ueful for the definition of the emantic (cf. Sect. 5.5). 81

96 5 Viual Logic for Freeway Traffic Table 5.2: Terminal Type of the Abtract Syntax (α I A, i I Var and R, C Var {ego}) Terminal Type Name tart at Root of the Syntax Graph p o 2 o 1 Conjunction p o Negation x p o Exitential Quantification p equence i Sequence p layer i ty p true at i lane n Layer Unpecified Layer Lane t exact Exact Lane Separation t wide Wide Lane Separation t totrue Unpecified Topological Situation t free Free Topological Situation (R, C) car t l r tarrow t ty full i arrow c i, faint i, t partial α precie i i Occupied Topological Situation Temporal Arrow Ditance Arrow Type for Full/Partial Layer Type for Faint/Precie Temporal Arrow 82

97 5.4 Abtract Syntax Figure 5.10 how the abtract yntax of Fig The graph contain two edge of type lane repreenting both lane of the layer. On each lane, there exit a equence of edge of type free and car, which model the patial ituation. Furthermore, two arrow edge define the patial contraint depicted a ditance arrow in the concrete diagram. tart at p equence i n lane at exact p n i layer lane at ty i partial t ({ego}, ) i t t t free car free [2, 5] i arrow c [2, 5] t arrow r l t t t car free car l c t l ({a}, ) ({c}, ) Figure 5.10: Abtract Syntax of Fig. 5.1 One detail of the abtract yntax i the repreentation of car on the road. Intead of aociating each car on a lane with a car edge, we repreent each part of a lane occupied by a different combination of car on the road by a ingle edge with an appropriate label. Such a label conit of a tuple (R, C) of et of variable. If c i a variable and c R (c C), then the car edge denote that the reervation (claim) of c occupie the correponding pace. Hence, if c and d are element of R, the edge denote that the reervation of c and d coincide at thi poition. Hence only change in the patial configuration of the lane are reflected by the ue of a new edge, either of type car, totrue or free. For an example ee Fig Since ditance arrow may connect two arbitrary car on one layer, we mut enure that there exit a path from the arrow to both node viited by it ource and target tentacle, which ue only edge of the following type: lane, wide, exact, totrue, free and car. In particular, the path may not contain an edge of type layer, ince otherwie the path would lead to repreentation of element outide of the layer containing the arrow (ee Fig. 5.10). Within Sect , we will examine thi requirement in detail. Definition 5.6 (Abtract Syntax of Traffic Diagram). The graph tranformation ytem G = (T NT T T, S, P ) defining the abtract yntax of Traffic Diagram conit of the axiom S, a ingle hyperedge without any tentacle and the rule given in Figure 5.12, 5.13, 5.15, 5.18, 5.19, 5.20, 5.21, 5.22 and In the depiction of the rule, we will omit all tentacle which need not be taken into account for the definition of the rule. For example, we do not how the t tentacle of r r 83

98 5 Viual Logic for Freeway Traffic c p equence o i p true ty i tarrow p c faint o p at tart t ego c p equence i p layer i ty ({ego, c}, ) at n i t lane car i l r partial Figure 5.11: Concrete and Abtract Syntax of a Diagram with Duration Arrow the car edge in Fig The non-terminal type of G will be decribed and preented during the dicuion of the rule they are involved in. To how that the rule of G are enible, we need to define, what it mean for a Traffic Diagram to be repreented by a hypergraph. Then we can how, that the hypergraph created by G are repreentation of Traffic Diagram, and that for each Traffic Diagram D, there i a (up to iomorphim) unique hypergraph created by G, which repreent D. Definition 5.7. A graph G = (V, E, τ, θ, l) repreent a Traffic Diagram D iff we can find an injective mapping h from the viual element of D to G uch that 1. each overlap of a et of reervation R and claim C i mapped to an edge e uch that θ(e) = car and l(e) = (R, C), 2. each occurrence of blank pace within a topological equence i mapped to an edge with θ(e) = free, 3. each occurrence of undefined pace within a topological equence i mapped to an edge with θ(e) = totrue, 4. a ituation within a topological equence i adjacent to the left of a topological ituation if and only if the t tentacle of h() and the tentacle of h( ) viit the ame node, 5. the tentacle of the image h() of the left-mot topological ituation of each topological equence and the i tentacle of a unique edge e with θ(e) = lane viit the ame node, 6. each exact (wide) lane eparation i mapped to an edge e with θ(e) = exact (θ(e) = wide), 7. if a topological equence T 1 i drawn directly beneath a topological equence T 2 and i the lane eparation drawn in between T 1 and T 2, then the tentacle of h() 84

99 5.4 Abtract Syntax viit the ame node a the n tentacle of the lane edge connected to the image of the left-mot topological ituation in T 1 and the t tentacle of h() viit the ame node a the at tentacle of the lane edge connected to the image of the left-mot topological ituation in T 2, 8. each wholly unpecified pace (i.e., a haded rectangle without a urrounding layer) i mapped to an edge e with θ(e) = true, 9. each layer l i mapped to an edge e with θ(e) = layer and if l i full (partial), the ty tentacle of e viit the ame node a the i tentacle of an edge e with θ(e ) = full (θ(e ) = partial, repectively), 10. if T i the lowet lane equence, then the edge e of type lane which i connected to the repreentation of T viit a node v via it at tentacle, which i alo viited by the i tentacle of the edge repreenting the layer T reide in, 11. each patial arrow A labelled with an interval i i mapped to an edge e with θ(e) = arrow and l(e) = i, where a) the tentacle of e viit the ame node a the l of the image of the topological ituation S where A tart, if A tart at the left border of S, b) the tentacle of e viit the ame node a the r of the image of the topological ituation S where A tart, if A tart at the right border of S, and imilarly for the t tentacle of e and the end of A, 12. if A i a faint temporal arrow, then h map A to an edge e with θ(e) = tarrow, whoe ty tentacle viit the ame node a the i tentacle of an edge with type faint. 13. if A i a precie temporal arrow labelled with α, then h map A to an edge e with θ(e) = tarrow, whoe ty tentacle viit the ame node a the i tentacle of an edge e with θ(e ) = precie and l(e) = α. 14. if N i ymbol for negation denoting the negation of D in D, then h map N to an edge e with θ(e) = the o tentacle of e viit the ame node a the p tentacle of the edge repreenting the topmot element in D, 15. if A are two vertical dahed line denoting the conjunction of D 1 and D 2 in D, then h map A to an edge e with θ(e) = and the o i tentacle of e viit the ame node a the p tentacle of the edge repreenting the topmot element in D i (for 1 i 2), 16. if E i a box with the label x on top around D, then h map E to an edge e with θ(e) = and l(e) = x and the o tentacle of e viit the ame node a the p tentacle of the edge repreenting the topmot element in D, 17. if L i patial diagram and D a diagram uch that the temporal arrow A tart at L and end at D, then the tentacle of h(a) viit the ame node a the p tentacle of the edge repreenting the topmot element in L and imilarly for the t tentacle of h(a) and the p tentacle of the edge repreenting the topmot element in D. 85

100 5 Viual Logic for Freeway Traffic 18. the p tentacle of the repreentation of the topmot element of the traffic diagram D viit the ame node a the at tentacle of the unique edge of the type tart. By abue of language, we will alo ay that, e.g., a topological equence T i repreented by a graph G if the condition only concerning topological equence hold for T and G. Recall Convention 2.1 for the naming of graph rewriting rule. According to thi convention, the rule creating the repreentation of a wide lane eparation in Fig will, e.g., be denoted by R 2 SEP Topological Sequence and Lane Sequence 1 LS 1 at lane i n t 1 at SEP CH LS lane i n CH 1 SEP t 2 1 exact t 2 1 wide t 2 1 CH 1 OCC t CH 1 OCC t 1 OCC t 2 (R, C) t car 1 l r 2 1 free t 2 1 totrue t 2 Figure 5.12: Rule Set R LS, R SEP, R CH and R OCC : Lane Sequence and Topological Sequence (R, C CVar {ego}) Similar to the decription of the concrete yntax, we tart with the repreentation of topological and lane equence. The correponding graph rewriting rule are hown in Fig Each lane of a lane equence i repreented by an edge of type lane. The eparation are denoted by wide and exact, depending on whether they are wide or exact eparation. The topological equence are denoted by car, free and totrue edge denoting the patial ituation on each lane. The l and r tentacle of edge of type car repreent the left and right border of car, while the and t tentacle of car, free and totrue edge denote the ource and target of the edge, yielding a equence of car on a lane. Lemma 5.1. Let T be a topological equence and H be a graph of the form H = ({v}, {e}, τ, θ, l) with τ(e) = v and θ(e) = CH and l =. Then there i a graph G uch that H G and G repreent T. Furthermore, G i unique up to iomorphim. Proof. We proceed by induction on the length n of T. If n = 1, we can apply the econd alternative for CH and to get a graph coniting of two node and a connecting OCC edge. Depending on whether T i free pace, an overlap of reervation and claim or undefined pace, we can chooe the uitable rule for OCC to get the right graph G. Oberve that for each of the three poibilitie for T, there i exactly one derivation H G, i.e. G i uniquely defined. Aume that for all topological equence with length n the lemma hold. Now we have to prove the lemma for a topological equence T of length n + 1. So T conit of a 86

101 5.4 Abtract Syntax equence T 1 of length n and an additional equence of length 1. For T 1, we know by the induction hypothee that there exit a unique repreenting graph G 1 with H G 1. Within thi derivation, there i exactly one application of the econd alternative of R CH, i.e. H G 3 R 2 G CH 2 G 1. Now inert an additional application RCH 1 to G 3 and get H G 3 R 1 G CH 3 RCH 2 G 2. All application of rule in G 2 G 1 are till poible tarting with G 2, ince G 2 i a ubgraph of G 2, i.e., H G 3 R 1 G CH 3 RCH 2 G 2 G 1. Then G 1 i iomorphic to a path of length n + 1, where the lat edge i of the type OCC and the firt n edge repreent T 1. Similar to the induction bae, we can apply exactly one of the rule ROCC i (1 i 3) depending on the type of the lat ituation in T to derive graph G repreenting T. Lemma 5.2. Let L be a lane equence and H be a graph H = ({v}, {e}, τ, θ, l) with τ(e) = v and θ(e) = LS and l =. Then there i a graph G uch that H G and G repreent L. Furthermore, G i unique up to iomorphim. Proof. By induction on the length of L and applying Lemma Spatial Diagram 1 B L 1 1 p o LA B L o 2 1 p B L 1 p o o B L 1 x B L 1 LA 1 p layer i ty LS I T 1 p true 1 T 1 i full 1 i partial 1 I 1 I CS 1 Figure 5.13: Rule Set R B L, R LA, R T and R I : Structure of Spatial Diagram (x Var) The et of rule in Fig define the abtract yntax for the qualitative part of patial diagram. The rule for the non-terminal B L decribe the tructure of the edge repreenting firt-order connective between atomic patial diagram. The graph created by thi et of rule are binary tree, where the leave are non-terminal of the type LA. Edge of thi type can either be replaced by an edge of type true to denote a haded rectangle or an edge of type layer to repreent a full or partial layer. All edge created by thee et of rule have a tentacle p, which denote the parent of the repreented element like in a typical yntax graph. The logical connective furthermore employ either one tentacle o or two tentacle o 1 and o 2 for the connection to their operand. The edge of type layer in contrat ue a tentacle called i to decribe the interior of the layer and a tentacle called ty to denote it type, i.e., whether it decribe the whole view or jut a part. The node viited by the ty tentacle are then alo viited by the ingle tentacle of 87

102 5 Viual Logic for Freeway Traffic either an edge of type full or of type partial. The non-terminal I allow for the creation of arbitrary many non-terminal CS, which will be ued for the creation of ditance arrow within one layer. Lemma 5.3. Let S be a patial diagram and H be a graph H = ({v}, {e}, τ, θ, l) with τ(e) = v and θ(e) = B L and l =. Then there i a graph G uch that H G and the unique graph reulting from G by removing all edge of the type CS repreent S, with the omiion of the ditance arrow within S. Proof. By induction on the tructure of patial diagram. Let S be a haded rectangle denoting unpecified pace. Then we can ue the following derivation to get a uitable graph G. H R 1 B L H 1 R 2 LA G. In G the only node i viited by the p tentacle of the only edge of type true. Now let S be a partial layer containing the lane equence L. Then we ue the following derivation H R 1 B L H 1 R 1 LA G 1 R 2 T G 2. By Lemma 5.2, we can derive a graph G L from the edge of type LS uch that G L uniquely repreent the lane equence L. Thi derivation i applicable to G 2, reulting in the graph G. Now the only remaining non-terminal i of the type I, which we remove by applying RI 2 to get the graph G where we can map S to the edge e with θ(e) = layer, whoe ty tentacle viit the ame node a the i tentacle of the partial edge. Hence if we remove all pending edge of the type CS from G (which may have been created, before the application of RI 2 ), we get the unique graph repreenting S with the omiion of the ditance arrow within S. The cae for a full layer i imilar. Now aume that for the patial diagram S 1 and S 2 the lemma hold. Let S be the negation of S 1. Then we ue H R 2 B L H 1. Within H 1 there exit exactly one edge e of the type B L. Call the ubgraph coniting of thi edge and the node it i viiting G H. By the induction hypothei we know that there i a uitable derivation G H G 1 uch that G 1 repreent S 1, if we remove all CS edge from G 1. All the derivation tep can be directly applied to H 1, i.e., we get a derivation H R 2 B L H 1 G, where G 1 i a ubgraph of G. In G, the o tentacle of the edge repreenting the negation viit the ame node a the p tentacle of the repreentation of the topmot operator in S 1. Since G 1 i contained a a ubgraph in G, removing all edge of the type CS from G reult in the unique repreentation of S, with the omiion of all ditance arrow within S. The cae for the conjunction of S 1 and S 2 a well a for the exitential quantification are imilar. 88

103 5.4 Abtract Syntax Ditance Arrow Figure 5.15 to Fig contain the mot complicated rule, which create the hyperedge repreenting ditance arrow, i.e., which replace edge of the type CS. In contrat to the other rule, which replace non-terminal edge in a context-free manner in the ene that only one hyperedge i replaced by an application of a rule without taking the environment of the edge into account, thee production employ application condition. Fig how the grammar for replacing a non-terminal P by a path between the node labelled a 1 and 2. 1 P t 2 1 t P 2 t P 1 t 2 P 1 P 2 t 1 t at lane n i at lane i n t 1 t 2 P P 2 t 1 t 2 P 1 car t 2 1 free t 2 1 totrue t 2 1 exact t 2 1 wide t 2 1 at lane n 2 1 at lane i 2 Figure 5.14: Hyperedge Replacement Grammar for the Definition of Path The edge P may be replaced in two way. Firt, by two edge: the firt of type P connecting 1 and an intermediate node i, and the econd again of type P, connecting i and 2. The econd poibility i by a ingle edge of type P, connecting 1 and 2. The edge typed with P may then be replaced by edge of the following terminal type: car, free, totrue, lane, exact and wide. Furthermore, Fig how the replacement rule for the non-terminal P 2, which i ued for defining a path plitting into two at a lane edge (cf. Fig to Fig. 5.22). Thi grammar alo ue P for the repreentation of the common part of the path. Note that imilarly to the grammar for P, P 2 allow for the creation of a path of arbitrary length ending at the tentacle of P 2. 1 P t 2 1 CS 2 car l r 1 2 c t r arrow l car i Figure 5.15: Rule R ing CS : Ditance Arrow from the Left to the Right Border of a Single Topological Situation (i I Var ) The rule depicted in Fig to Fig define the creation of ditance arrow 89

104 5 Viual Logic for Freeway Traffic a b arrow? l r l r l r t t car car car ({a}, ) ({a, b}, ) ({b}, ) Figure 5.16: Different Poibilitie for Ditance Arrow between the tentacle of car edge. For thi, we have to ditinguih between four cae. Conider for implicity the content of a ingle lane with a ingle ditance arrow like in Fig The ource of the ditance arrow i the right border of the part, where only car a occupie the lane. However, in the abtract yntax, two poibilitie could decribe thi ituation. Both the r node of the leftmot car edge and the l node of the middle car edge refer to the ame border. If we allowed for both poibilitie, uch ituation would not have a unique type. Hence we choe to attach the ource tentacle of arrow edge to l node of car edge whenever poible. A imilar ituation come up for the target tentacle of ditance arrow, which we choe to attach to r node. The rule for thee tandard cae are given in Fig and Fig Figure 5.15 can be read a follow. If there i a non-terminal CS viiting the node labelled 1 and there exit a path from 1 to the repreentation of a topological ituation repreenting an occupied topological ituation, i.e., an edge of type car, then CS can be replaced to repreent a ditance arrow contraining the length of thi ituation. Thi rule i a pecial cae of the rule depicted in Fig Thi pecial cae i needed, ince we ue injective graph condition, i.e., the node labelled 2 and 3 in Fig have to be ditinct. In the rule we furthermore have to ditinguih two cae. The firt cae i that both car edge are part of the ame lane equence. Thi i captured in the upper rule of Fig to Fig and Fig The HR condition enure, that both edge are reachable via a ingle path from the node, the non-terminal CS i viiting. In term of the concrete yntax, thi mean that both topological ituation are part of a ingle topological equence within one layer t t t t PATHS P P 2 P 2 P P P 2 P t 1 t 2 t 1 t 2 t 1 t Figure 5.17: Application Condition for Ditance Arrow between Different Lane The econd cae i that the edge are part of different topological equence within the ame layer. That i, there i a path from the node the CS edge i viiting to the 90

105 5.4 Abtract Syntax node 1 a lane i viiting with it at tentacle, and from thi lane edge, a path to node 2 and another path to node 3. Either the ource of the arrow lie on a lower topological equence than the target or vice vera. Intuitively, the lane edge repreent thi lower topological equence. One of the path defined by the P edge then define the path to the ituation on thi equence, while the other incorporate all lane eparation in addition to all topological ituation to the left of the upper topological ituation. Due to it ize, we preent the correponding HR condition in Fig P P t t car l 1 CS 3 car r c car arrow car l t i r PATHS 2 car l 1 CS 3 car r c car arrow car l t i r Figure 5.18: Rule R 1 CS and R2 CS : Ditance Arrow between Car (i I Var) There are till ituation, where we want to attach the target of a ditance arrow the the l node of car edge however. For example, if the arrow A end at the left border of ituation, whoe left neighbour i blank pace, we are forced to allow for uch an attachment, ince otherwie there would not exit a type for thi ituation. Thi i due to the fact that in the abtract yntax, there i no other car edge attached to the ource node of the edge repreenting the target of A. Thi cae i depicted in Fig Note how the application condition not only enure the exitence of the according path, but alo prohibit another car edge to be attached to the node labelled 3. A imilar ituation arie for the ource of ditance arrow. However, the tandard attachment of car edge in thi cae i the l node. If there i no car edge to the right of the target edge, the arrow may alo connect to the r node. Thi i hown in Fig Finally, we have to conider the cae, where both condition a dicued above apply. That i, the arrow to be repreented tart at the right ide of an overlap of reervation and claim and end at the left ide of uch a ituation, where neither to the right of the ource, nor to the left of the target there are uch topological ituation. The rule for thee cae are depicted in Fig and Fig Lemma 5.4. Let A be a ditance arrow within a patial diagram D, G D the graph, where removing all edge of the type I and CS reult in a graph repreenting D with omiion of the ditance arrow and H be a ubgraph of G D of the form H = ({v}, {e}, τ, θ, l) 91

106 5 Viual Logic for Freeway Traffic 1 car t P P 3 t t 2 3 car 2 car l 1 CS 3 car l c car arrow car l t i l car t PATHS 3 car 2 car l 1 CS 3 car l c car arrow car l t i l Figure 5.19: Rule RCS 3 and R4 CS : Ditance Arrow attached to the Left Side of the Target (i I Var ) with τ(e) = v and θ(e) = CS and l = where v i viited by the i tentacle of the edge repreenting the layer A reide in. Then there i a graph G uch that G D G and G repreent D together with A, with the omiion of all other ditance arrow within D. Furthermore, G i unique up to iomorphim. Proof. We have to conider everal cae, mot of which can be handled imilarly. Aume that h i the injective mapping howing that G D i repreenting D. Firt, let A connect the left and right border of a ingle topological ituation S within the layer L. Let e S be the edge repreenting S. If e S i the leftmot ituation within it topological equence, it tentacle viit the ame node a the i tentacle of a unique edge e LS with θ(e LS ) = lane. Otherwie, we know that it tentacle viit the ame node a the t tentacle of the edge repreenting it left predeceor ituation. So, uing only edge of the type car, free and totrue, we finally reach the unique edge e LS. Now again, if the equence of edge e LS i connected to repreent the lowermot topological equence, then the at tentacle of e LS viit the node which i alo viited by the i tentacle of the repreentation of L. Otherwie there i an edge of type exact or wide whoe t tentacle viit thi node and whoe tentacle viit the node which i connected to the n tentacle of another lane edge repreenting the next topological equence. That i, in a imilar manner to topological equence, we finally reach the unique edge repreenting the lowermot topological equence, which i connected to the node viited by the i tentacle of the repreentation of L. In other word, we can find a path P S leading from thi node to the node viited by the tentacle of e S. Now, if we ubtitute P S for P in the application condition of R Sing CS, the condition i atified. That i, we may replace the non-terminal CS with an edge e with θ(e) = arrow which viit the node viited by the l and r tentacle in the correct way to be a repreentation of A. Furthermore we may chooe the label of e to be the interval labelling A. Hence the lemma hold in thi cae. Now let A connect the left border of a topological ituation S 1 with the right border 92

107 5.4 Abtract Syntax 1 2 car P P t t t 2 3 car 2 car r 1 CS 3 car r c car arrow car r t i r 2 car PATHS t car 2 car r 1 CS 3 car r c car arrow car r t i r Figure 5.20: Rule RCS 5 and R6 CS : Ditance Arrow attached to the Right Side of the Source (i I Var ) of ituation S 2 where S 1 and S 2 lie within the ame topological equence T and S 1 i to the left of S 2. Furthermore aume that there are topological ituation repreented by car edge both to the right of S 1 and to the left of S 2. Now by argument imilar to the firt cae, ince G repreent the qualitative apect of L, we can find a path from the node 3 viited by the tentacle of h(s 2 ) to the node 2 viited by the tentacle of h(s 1 ). Furthermore, we get that there i a path from 2 to the node 1 viited by the i tentacle of h(l). That i, we can replace ubtitute the variable P with thee path and hence get that the rule RCS 1 i applicable. The application of thi rule yield an edge repreenting A. Oberve that none of the rule RCS i for 1 < i 8 are applicable, ince either they require the path to plit at one edge (for i {2, 4, 6, 8}) or they require the abence of at leat one of the car edge repreenting the topological ituation to the right of S 1 and to the left of S 2. Now aume that A connect the left border of a topological ituation S 1 with the right border of ituation S 2 where S 1 lie in the topological equence T 1 and S 2 lie within T 2. Similarly to the previou cae, we aume that there are topological ituation repreented by car edge both to the right of S 1 and to the left of S 2. Without lo of generality, let T 1 be lower than T 2. Since G D repreent D, we have edge e S1 and e S2 repreenting S 1 and S 2 repectively. Furthermore, we find a path P d from e S1 to a node v 1 viited by the i tentacle of a unique edge e T1 with θ(e T1 ) = lane and imilarly a path P u from e S2 to a node v 2 which i viited by the i tentacle of the unique edge e T2 with θ(e T2 ) = lane. Since T 1 i lower than T 2, there i a path P u from v 2 to the node viited by the n tentacle of e T1. Let P u be the concatenation of P u and P u. Again, like in the firt cae, we find a path P from e T1 to the node viited by the i tentacle of h(l). Let both P d be non-empty, i.e. S 1 i not the left-mot topological ituation of T 1 (P u can not be empty ince P u contain at leat one edge). Now conider the application condition PATHS (Fig. 5.17). If we ubtitute P d for the edge of type P connected to the node 2, 93

108 5 Viual Logic for Freeway Traffic 1 2 P P car t t t 2 3 car car t 3 car 2 car r 1 CS 3 car l c car arrow car r t i l Figure 5.21: Rule RCS 7 : Ditance Arrow between Car on the Same Lane attached to the Right Side of the Source and the Left Side of the Target (i I Var ) 2 PATHS car t car car t 3 car 2 car r 1 CS 3 car l c car arrow car r t i l Figure 5.22: Rule RCS 8 : Ditance Arrow between Car on Different Lane attached to the Right Side of the Source and the Left Side of the Target (i I Var ) P u for the other edge connected to node 3 and P for the node of type P 2, the application condition for rule RCS 2 i atified. Hence we can apply thi rule and get a repreentation of A. Similar to the cae above, none of the other rule in the et R CS i applicable. The proof for the ret of the cae are imilar. Oberve that the additional application condition retrict the path created by the HR grammar uch that the rule are only applicable, whenever the repreentation of the ituation right to the ource of A i not an edge of type car or imilarly for the ituation left to the target of A or both. Hence the application condition for all thee rule are mutually excluive, i.e. for all poibilitie for the ource and target of A, there i exactly one type of rule applicable. By that we know that the repreentation of A i uniquely defined Temporal Sequence Finally, the rule creating the repreentation for Traffic Diagram a a whole are given in Fig The rule et R B D i tructurally imilar to the et R B L with the exception of R 1 B D, which create the tart of a temporal equence. The et of rule R L allow for 94

109 5.4 Abtract Syntax S at tart B D 1 B D 1 p equence i 1 p L o B D 1 p o 2 B D 1 p o B D 1 x o B D 1 L 1 B L tarrow ty AT t B D 1 B L 1 AT 1 i i precie 1 i faint Figure 5.23: Rule Set R S, R B D, R L and R AT : Structure of Traffic Diagram (i I A) the creation of the internal part of a temporal equence, i.e. a patial diagram connected by a temporal arrow to a new temporal equence. Similar to the type of layer, the R AT rule define, whether a temporal arrow i precie or faint. The non-terminal S erve to have a clearly defined tart for the derivation of abtract yntax graph for a Traffic Diagram. Lemma 5.5. Let D be a traffic diagram and H be a graph H = ({}, {e}, τ, θ, l) with τ(e) = and θ(e) = S and l =. Then there i a graph G uch that H G and G repreent D. Proof. By tructural induction on traffic diagram. For the induction bae, let D be a patial diagram D urrounded by a rounded dotted rectangle denoting a temporal equence. Then we can ue the following derivation H RS H 1 R 1 B D H 2 R 2 L H 3. The graph H 3 conit of a path tarting at the ingle edge of the type tart and ending at non-terminal edge of the type B L. By Lemma 5.3, we can derive a graph G L from H 3 which repreent the qualitative apect of D. Within thi derivation, there i exactly one application of RI 2, i.e., the rule removing the the ingle edge of the type I. Without lo of generality, we can aume, that it wa the lat rule to be applied., i.e., H 3 G L R 2 I G L. Conider now two cae for G L. Let the number m of CS edge within G L be greater than the number n of ditance arrow within D. Then the rule RI 1 wa applied m time within the derivation. However, all other rule application within H 3 G L are independent of the exitence of thee edge. Hence we can imply omit m n application of RI 1 and till get a repreentation of the qualitative apect of D, but containing exactly n edge of 95

110 5 Viual Logic for Freeway Traffic the type CS. Now let the number of CS edge be maller than n, the number of ditance arrow within D. We can ue the rule RI 1 n-time to create n intance of non-terminal edge of the type CS. By now we have a repreentation of D, where the number of CS edge agree with the number of ditance arrow within D. By abue of notation, we will till call thi concrete repreentation G L. By Lemma 5.4, each of the CS edge can be ued to derive a repreentation of one of the ditance arrow of D,i.e., H RS H 1 R 1 B D H 2 R 2 H L 3 G L n R G I 1 L R 2 G I L n Lem. 5.4 G. The topmot operator in D i the equence, which i repreented in G by the unique edge e of type equence. The p tentacle of e viit the ame node a the edge of type tart. Hence, G repreent D. For the induction hypothei, aume that for the traffic diagram D 1 and D 2, the lemma hold. The cae for the logical operator are imilar to the proof of Lemma 5.3. Hence we proceed with the cae, where D conit of a temporal arrow connecting a patial diagram D S with the traffic diagram D 1. By the induction hypothei there i a derivation H G 1 uch that G 1 repreent D 1. Oberve that the firt applied rule within thi derivation ha to be R S. I.e., H RS H 1 G 1. Now we modify the beginning of the derivation a follow. H RS H 1 R 1 B D H 2. Depending on whether the temporal arrow in D i precie or faint, we apply the rule R 1 AT or R2 AT, repectively. H RS H1 R1 B D H 2 R i AT H 3. Oberve that H 3 contain a ubgraph H S of the form a needed for the application of Lemma 5.3. Similar to the induction bae, we find a derivation H S G S uch that G S repreent D S. The rule ued in thi derivation are all applicable, conider H 3 itelf to get H 4. Similarly, the derivation H 1 G 1 i applicable to H 4, i.e., to the ubgraph attached to the node viited by the t tentacle of the created tarrow edge e. Hence H RS H 1 R 1 B D H 2 R i AT H 3 H 4 G. Then the tentacle of e viit the ame node a the p tentacle of the repreentation of D S, and imilarly the t tentacle of e viit the ame node a the p tentacle of the repreentation of D 1. Since the type of the temporal arrow i repreented by the edge viiting the ame node a the ty arrow a e, we have found a repreentation for the diagram D. The rule to be apply were uniquely defined by the type of the temporal arrow, hence G i alo uniquely defined. 96

111 5.5 Semantic 5.5 Semantic Now having a clearly defined mathematical model to decribe the yntax of traffic diagram, we turn our attention to the definition of their emantic. Similarly to EMLSL, we ue the abtract road model, i.e., traffic naphot and view, introduced in Chap 3 a a bai for the emantic. We have to lightly extend the notion of a valuation given in Chap. 4, Definition 4.3 to alo evaluate the variable ued within interval. Definition 5.8 (Interval Valuation). Let ν be a valuation, i.e., a function ν : Var I R + N repecting the ort of variable. Similar to Definition 4.3, we lift ν to a function ν I evaluating interval, where variable and ego are interpreted a in ν and for an interval i = [a, b], we define ν(i) to be [ν(a), ν(b)] and imilarly if i i (half-) open. We ue the notation ν {v α} for the modification of ν which i identical to ν for all variable different from v, and which map v to α. Oberve that even though the range of ν include N, the definition of traffic diagram doe not include any variable whoe type need them to be evaluated to a natural number. However, thi definition lightly eae the combination of EMLSL formula and Traffic Diagram a defined in Chap. 6. For the definition of the atifaction relation =, oberve that the abtract yntax of a diagram up to the level of layer i eentially a tree. Hence we can travere the abtract yntax, tarting at the ingle edge of type tart, to define = almot in a tandard way. Like for EMLSL, we define the emantic of a whole diagram with repect to a traffic naphot T S, a view V and a valuation ν. To keep track of the poition within the tree, we furthermore have to ue a node of the hypergraph. Thi node will be important for the emantic of ditance arrow. For one of the emantic definition to be applicable to a yntax graph G, we require the exitence of an embedding of the depicted ubgraph into G at the labelled node. We choe to preent the emantic baed on the graphical repreentation of the abtract yntax for purpoe of readability. In thi way, the preentation can be directly compared to the definition of the abtract yntax in the previou ection. In the depiction of the emantic, ome of the cae are not immediately mutually excluive. Conider for example Fig If a yntax graph contain the repreentation of a layer with two lane connected by an exact lane eparation, then both the firt and the econd cae may be applied. In thee cae, we require that the maximal poible occurrence of a graph ha to be choen. We ditinguih two type of variable in the emantic. Firt and mot important, all variable occurring in the yntax of diagram are called explicit variable. Implicit variable refer to auxiliary variable only occurring in the emantic. (See Fig. 5.28). Thee variable are ued to refer to the length of topological ituation. They give u the poibility to connect the qualitative emantic of a diagram, i.e., the order and type of topological ituation with the quantitative emantic, i.e., the contraint on thee length impoed by the ditance arrow. Formally, we ue an injective, partial function mapping all car, free and totrue edge of an abtract yntax graph to implicit variable. 97

112 5 Viual Logic for Freeway Traffic T S, V, ν, at = tart x D iff T S, V, ν, x = D p o T S, V, ν, x = x y D y p o 1 D T S, V, ν, x = 1 x o 2 D 2 z p T S, V, ν, x = x o y D x iff iff iff T S, V, ν, y = D T S, V, ν, y = D 1 and T S, V, ν, z = D 2 there i an α E uch that T S, V, ν {x α}, y = D Figure 5.24: Semantic for Logical Connective Definition 5.9 (Implicit Variable and Implict Length Function). Let G = (V, E, τ, θ, l) be the abtract yntax graph of a Traffic Diagram D and let Var I RVar be an infinite ubet of real-valued variable called implicit variable, which are freh for D. Then the implicit length function χ: E Var I i an injective partial function given by χ(e) = { v e undef. if θ(e) {car, free, totrue} otherwie Within the emantic, all implicit variable are exitentially quantified (ee Fig. 5.26), ince we want the value of thee variable to be independent of the valuation. They hould reflect the patial ituation, and hence the atifaction of a diagram hould not depend on whether an implicit variable i given the right value by the valuation. There are two type of contraint on thee variable. On the one hand, the emantic of the topological ituation will enure that the value of implicit variable reflect the length of the repective ituation. On the other hand the emantic of ditance arrow will require the value of thee variable to repect the interval the arrow are annotated with. Definition 5.10 (Satifaction of Traffic Diagram). The atifaction relation = define the emantic of Traffic Diagram a hown in Figure 5.24, 5.25, 5.26, 5.27, 5.28 and We ay that a traffic naphot T S, a view V = (L, X, E) and a valuation ν with ν(ego) = E atify a Traffic Diagram D, if T S, V, ν, = D, denoted by T S, V, ν = D. The emantic of the firt-order element of Traffic Diagram are given in Fig Mot of thee definition are not urpriing. The only non-tandard apect lie in the emantic of the exitential quantifier. We require the quantified variable to be different than the owner of the current view. Thi i the only poibility to explicitly ditinguih car with Traffic Diagram, ince we do not have a diagrammatic repreentation of equality.. 98

113 5.5 Semantic T S, V, ν, x = T S, V, ν, x = x c equence i y D x L ty tarrow t i y faint D iff iff T S, V, ν, y = D T S T S = T S uch that T S, V, ν, x = L and T S, mv T T S S (V ), ν, y = D T S, V, ν, x = x L ty i tarrow t i y precie D iff T S, t T S t T S where t i and T S, V, ν, x = L and T S, mv T T S S (V ), ν, y = D T S, V, ν, x = x L (c) ty tarrow t i y precie D iff T S T S T (ν(c)) S if {r, wd c} n, T S T S T (ν(c),n), S otherwie T S, V, ν, x = L and T S, V, ν, y = D T S, V, ν, x = x L iff T S, V, ν, x = L Figure 5.25: Semantic of Sequence (where i I and {r, c, wd r, wd c}) Yet, often inequalitie are implicit due to retriction of the poition of reervation and claim a given by the emantic model (cf. Chap. 3). Figure 5.25 how the emantic of equence, i.e., it decribe how the temporal arrow are evaluated. Faint arrow only require the exitence of an abtract tranition to the next traffic naphot, while precie arrow explicitly retrict the type of tranition to be conidered. Similar to the modalitie of EMLSL, we abtract from the concrete lane the tranition refer to. In Fig. 5.26, the atifaction relation i plit up into the relation = S and = M, defining the patial emantic and the metric emantic repectively. The former define the topological tructure of the naphot, i.e., in which order the lane occur, and how the car are arranged on each lane. The relative poition between car on different lane are not retricted in any way. The metric emantic contrain pace according to ditance arrow. For the ditinction between full and partial layer, we ue ubview a in Definition 3.6. Figure 5.27 decribe the emantic of lane equence. Thi reemble the vertical chop 99

114 5 Viual Logic for Freeway Traffic T S, V, ν, x = x c layer ty i y i full L iff for all implicit patial variable ṽ = v 0,..., v n of L, there are α = α 0,..., α n, uch that T S, V, ν {ṽ α}, y = S L and T S, V, ν {ṽ α}, y = M L T S, V, ν, x = x c y layer L ty i partial i iff for all implicit patial variable ṽ = v 0,..., v n of L, there are α = α 0,..., α n and a ubview V of V, uch that T S, V, ν {ṽ α}, y = S L and T S, V, ν {ṽ α}, y = M L T S, V, ν, x = x i true for all T S, V, ν, x Figure 5.26: Semantic of Layer modality of EMLSL. The exitence of a lane edge in a layer enure the exitence of at leat one lane in the view, even if the lane i filled with only one edge totrue and the layer i partial. Thi differ from the omewhere modality ϕ, ince doe not require the view to contain a lane. Hence an partial layer denote a tronger aertion than ϕ. The diagrammatic element correponding to a ingle of MLSL would be the haded rectangle. The difference of wide and exact lane eparation i rather imple. While an exact lane eparation divide a view into exactly two part, one containing a ingle lane and the other one containing the ret, a wide lane eparation may omit everal lane in between. The patial emantic of a ingle topological equence a hown in Fig ubume the horizontal chop of EMLSL a well a it atom. On the one hand, the emantic of all thee edge chop the given view along the horizontal extenion into two interval X 1 and X 2, where free and car edge additionally require X 1 to have a length greater than zero. Then, a free edge aert the abence of any car, while a car edge need all the reervation and claim defined in it label to be preent on the interval. Each of the edge of type free, car and totrue are aociated with their ditinguihed implicit variable holding the length of the correponding interval. Thee variable will be ued again in the emantic of ditance arrow. In the emantic of the car edge, we ue ome abbreviation to enhance readability. For a et of car variable C and a view V = (L, X, E), thee are and R C, V for all c C re V (ν(c)) = L and len V (ν(c)) = X C C, V for all c C clm V (ν(c)) = L and len V (ν(c)) = X. 100

115 5.5 Semantic n T S, V, ν, x = at i S lane S iff L = 1 and T S, V, ν, y = S S x y T S, V, ν, x = S at x lane i n y S exact z T t T S, V, ν, x = S at x lane i n y S wide z T t iff iff L = L 1 L 2 uch that L 1 = 1 and T S, V L 1, ν, y = S S and T S, V L 2, ν, z = S T L = L 1 L m and L m = L m L 2 uch that L 1 = 1 and T S, V L 1, ν, y = S S and T S, V L 2, ν, z = S T Figure 5.27: Semantic of Lane Sequence, where V = (L, X, E) Like the emantic of EMLSL atom, thee formula enure that the interval i filled completely by the reervation (claim) of each variable. Furthermore, the emantic only contrain car referred to in the label. Thi implie that there may be reervation or claim of other car preent within the view. Only the edge repreenting free pace retrict the preence of all car. Note that in contrat to EMLSL, we are not able to define free pace a an abbreviation. We can neither ue negation nor horizontal chop arbitrarily within the diagram and hence the abbreviation given in Sect. 4.1 i not definable a a Traffic Diagram. Thi comparion will be made more clearly in Sect Finally, the metric emantic of ditance arrow of a layer i hown in Fig For thi, we need an order on car within a lane. Therefore, we define a precedence relation on edge. Definition 5.11 (Order on Car). Let c and d be edge of the type car, free or true. Then c i the predeceor of d, denoted by c d, if and only if the tentacle of d viit the ame node a the t tentacle of c. Furthermore, for two edge c and d of thee type, we write c d, if and only if there exit a equence c 0,..., c n uch that c = c 0, c n = d and c i 1 c i for all i {1,..., n}, or c = d. The relation i a partial order on each equence of edge denoting a ingle lane. Thi partial order will be ued to um up the ditance of the left border of a view up to the car the ditance arrow connect. The difference between thee um i then contrained to lie within the interval the arrow i labelled with. Since more than one arrow can be preent inide of a ingle layer, we enumerate thee ditance arrow, a hown in the firt cae of Fig. 5.29, and require the layer to atify each. If an arrow i connected to the left ide of a car, only the ditance from the border of the view to the car without the length of the car itelf i conidered. Otherwie, the length of the car i included in the um. For ditance arrow connecting the left and 101

116 5 Viual Logic for Freeway Traffic T S, V, ν, x = S x iff X = 0 T S, V, ν, x = S x free e t y S iff X = X 1 ɵ X 2 and ν(χ(e)) = X 1 > 0 uch that C I len V (C) I(X 1 ) = re V (C) clm V (C) = and T S, V X2, ν, y = S S T S, V, ν, x = S x totrue e (R, C) t y S iff T S, V, ν, x = S x car t e y S iff X = X 1 ɵ X 2 uch that ν(χ(e)) = X 1 and T S, V X2, ν, y = S S X = X 1 ɵ X 2 uch that ν(χ(e)) = X 1 > 0 and R R, V X1 and C C, V X1 and T S, V X2, ν, y = S S Figure 5.28: Semantic of Topological Sequence, where V = (L, X, E) right border of a ingle car, the emantic i defined imilarly. Example 5.5. We briefly recall the traffic naphot and view defined in Chap. 3 (Example 3.1 to 3.4). The view i given by V = ({1, 2}, [12, 42], E) and the correponding retriction of T S are re V (A) = {1, 2} re V (B) = {1} re V (C) = re V (E) = {2} clm V (A) = clm V (B) = clm V (C) = clm V (E) = {1} len V (A) = [28, 39] len V (B) = [12, 15] len V (C) = len V (E) = [14, 27] Furthermore, let ν be defined by ν(a) = A, ν(b) = B, ν(c) = C and ν(ego) = E. Now we will examine, whether thi model atifie the diagram hown in Fig The diagram itelf carrie no deeper meaning, but till incorporate the main element of Traffic Diagram. Hence it i a uited example to how the calculation of the emantic. The equence and the hyperedge denoting the tart of the diagram can be afely omitted. Then, the firt quetion i, whether T S, V and ν atify the upper layer in the diagram. Therefore, we have to find a uitable ubview V ub of V coniting of one lane Let V ub = ({2}, [16, 20], E). The firt part of the emantic of the edge of the type lane i atified, ince {2} = 1. We then have to check, whether the emantic of the car edge i fulfilled. For that, we chop the extenion of V ub into [16, 20] = [16, 20] ɵ [20, 20]. We have [16, 20] = 4 > 0 and both re V ub (ν(ego)) = re [16,20] V ub (E) = {2} [16,20] (len V ub (ν(ego)) = [16, 20]. [16,20] 102

117 5.5 Semantic i 0 arrow c T S, V, ν, x = e 0 M... t x c e n arrow t i n a 0 b 0 a n b n car car car car iff for all 0 j n, c T S, V, ν, x = M x arrow t e j a j b j car i j car l c T S, V, ν, x = M arrow x t a b e 1 car car e 2 iff ν(χ(e)) ν(χ(e)) ν(l), e b e 2 e { ae 1, if i = l where i =, if i = r T S, V, ν, x = M x for all T S, V, ν, x Figure 5.29: Semantic of Ditance Arrow Since [20, 20] = 0, thi ubview atifie the emantic of the whole topological equence. Now we have to conider the tranition tarting in T S, where ν(a) = A withdraw wd r(a,2) one of it reervation. Conider the tranition T S T S, i.e., in T S, we have re (A) = {2}, while for the ret of I, re coincide with re. Again, we have to find a uitable ubview V ub of V which atifie the topological equence in the lower layer. Let V ub = ({2}, [16, 30], E). Furthermore, we now have to conider the implicit patial variable of the abtract yntax. Let e i be the variable of the i-th edge in the topological equence, i.e. e 1 belong to the left car edge, e 2 to the free edge and e 3 to the right car edge. Similar to the cae above, the emantic of the lane edge i atified. For the topological equence itelf, we conider the following chop of the extenion: [16, 30] = [16, 27] ɵ [27, 30] [27, 30] = [27, 28] ɵ [28, 30] [28, 30] = [28, 30] ɵ [30, 30] Similar to the cae above, V[16,27] ub atifie the emantic of the firt car edge and V ub [28,30] doe the ame for the econd edge of thi type (for that, we let ν(e 1 ) = 3 and ν(e 3 ) = 2. We can choe thee value, ince the variable are exitentially quantified for the evaluation of the layer). Conider now V[27,28] ub and the free edge. If we examine re, clm V[27,28] ub V[27,28] ub and len, we ee that for the car C and B in the traffic naphot, both clm V[27,28] ub V[27,28] ub (A) = [28, 28], which interected and re V ub [27,28] return. For A, we get that len V ub [27,28] with (27, 28) reult in the empty et. Similar reaoning hold for E. Hence, if we let ν(e 2 ) = 1, the emantic of thi edge i fulfilled. 103

118 5 Viual Logic for Freeway Traffic ego ego [1, 5) wd r(a) a equence p at i p ty tarrow t i precie p equence i i p layer ty tart layer i ty wd r(a) i partial at n lane i partial at n l r i t lane car i ({ego}, ) l r t car ({ego}, ) [1, 5) t arrow l r t t free car ({a}, ) Figure 5.30: Concrete and Abtract Syntax of an Example Diagram Now we turn to the ditance arrow. Since the edge viit the ame node a the r tentacle of it ource a well a the l tentacle of it target, we have to check, whether the following hold: ((ν(e 1 ) + ν(e 2 )) ν(e 1 )) [1, 5) Thi i true, ince ν(e 2 ) = 1. Hence, T S, V and ν atify the diagram. 5.6 Decidability of Spatial Traffic Diagram In thi ection, we ketch a deciion procedure for atifiability of atomic patial diagram according to Def For that, we tranlate an atomic patial diagram S into two independent formula F X (S) and F L (S): F X (S) i a formula of linear arithmetic over real number which decribe the poible relation of the car along the extenion of view. F L (S) i a formula of Preburger arithmetic which define the lane the car may occupy, either with their reervation or with their claim. Then, S i atifiable if and only if both F X (S) and F L (S) are atifiable. b ego a ego d [2, 5] Figure 5.31: Example of a Spatial Diagram 104

119 5.6 Decidability of Spatial Traffic Diagram We will not give a formal tranlation of thi procedure, but illutrate the main idea by an example. Conider the patial diagram in Fig To each car c (i.e., each variable and ego) referenced in the diagram, we aociate the following five variable: 1. c l and c r denote the left and right border of the extenion of c, 2. c 1 R and c2 R refer to the lane reerved by c, and 3. c C refer to the lane poibly claimed by c. In addition to thee variable, we introduce four variable decribing the view V itelf. 1. v l and v r decribe the border of the extenion of V. 2. v and v denote the upper and lower lane, repectively. The formula F X (S) will only refer to variable of the form c l and c r for car c and to the correponding variable v l and v r for the border of the view. Similarly, F L (S) will ue the variable of the form c 1 R, c2 R and c C for car a well a the variable v and v for the lowet and uppermot lane in the view. Tranlating the Relation of Poition of Car The firt part of the tranlation of Fig i imply a formaliation of Convention 3.2, i.e., the perceived length of the car and the extenion of the view are non-empty: conv(s) a l < a r b l < b r d l < d r ego l < ego r v l < v r. Then we have to relate the border of the car to the extenion of the view: relative(s) a l > v l a r < v r b l > v l b r < v r d l v l d r < v r ego l > v l ego r < v r. Now recall that the relation between car on different lane are not contrained at all, a long a no ditance arrow connect uch car. Hence we can treat each lane eparately. The lower lane only contain the car d, i.e., no new contraint arie for thi lane. For the lane in the middle, we have to relate the car a and ego. By inpection of the emantic of Traffic Diagram, we ee that the diagram only enure that an overlap between a and e exit. It would till be atified, if a and ego completely overlap (thi i due to the emantic of the car edge, which only require the mentioned car to be preent, but do not prohibit other car to reide at thee part of the lane). Hence we get the following tranlation for the upper lane: topo 2 (S) a l ego l ego r a r, topo 3 (S) b r < ego l. The ditance arrow can be tranlated by referring to the correponding border of the car: So finally, we arrive at the formula F X (S): dit(s) 2 ego r d r ego r d r 5. F X (S) conv(s) relative(s) topo 2 (S) topo 3 (S) dit(s). 105

120 5 Viual Logic for Freeway Traffic Tranlating what Lane are Occupied by Car We tipulate the following convention: The value 0 correpond to the empty et. That i, we will require the lowet lane of the view to have at leat the value 1. With thi convention, the contraint for the lane of the view are a follow: lane(s) v 1 v = v + 2. Thi enure, that the view contain exactly three lane. Now we can encode the propertie that we can derive from the diagram in the formula dicrete(s) a 1 R = v + 1 b C = v d 1 R = v ego 2 R = v ego 2 R = ego 1 R + 1. Note that ome of the variable, like for example a 2 R, are not contrained in any way. Thu, the formula till allow for many poible valuation of thee variable, which do not correpond to a valid model. To contrain the remaining variable, we tranlate the anity condition. For all car c, we ue the following formula: an(c) c 1 R c 2 R c 2 R = c 1 R + 1 c 1 R c 2 R c C = 0 c C 0 ((c C = c 1 R + 1 c 1 R = c C + 1 c 1 R < v c 1 R > v) c 1 R = c 2 R). So the full formula F L (S) i given by F L (S) lane(s) dicrete(s) an(a) an(b) an(d) an(e). Deciding Satifiability of Atomic Spatial Diagram On the one hand, F X (S) i a formula over the real, which hould be checked for atifiability in conjunction with the axiom of an ordered, real cloed field, where i a total order. Furthermore, F X (S) only define linear contraint, for which the atifiability problem i decidable [FR75]. On the other hand, the formula F L (S) i a formula of integer arithmetic without multiplication. Satifiability for thee kind of formula i alo decidable [Coo72]. Hence, to decide the atifiability of an atomic patial diagram S, we contruct the formula F X (S) and F L (S) and check for atifiability of the formula independently. Thi i poible, ince the propertie defined in the formula are not interdependent. S 1 S 2 Figure 5.32: Problematic Example for Decidability However, we cannot extend thi approach directly to Boolean combination of patial diagram. Conider for example the diagram S, coniting of the negation of the two negated atomic patial diagram S 1 and S 2 (cf. Fig. 5.32). If we ue the tranlation naively, we would contruct F X ( F X (S 1 ) F X (S 2 )) and F L ( F L (S 1 ) F L (S 2 )). Then we would check for atifiability of each of thee formula on it own and return 106

121 5.7 Related Work Satifiable, if both are. But the diagram tate in effect, that S 1 or S 2 ha to be true, for the whole diagram to be true. Now aume that F L (S 1 ) i atifiable, but F X (S 1 ) i not and vice vera for S 2, i.e., F L (S 2 ) i not atifiable, but F X (S 2 ) i. Then the diagram i not atifiable, ince neither S 1 nor S 2 i. But our deciion procedure would in effect decide whether (F X (S 1 ) F X (S 2 )) (F L (S 1 ) F L (S 2 )) i atifiable, which i indeed true. Hence thi naive procedure yield wrong reult. For a correct procedure, the connection between the atifiability reult would have to mimic the Boolean tructure between the atomic diagram. We will not explore thi problem more deeply here. 5.7 Related Work Even though diagram have often been ued for informal argumentation during mathematical proof, the formaliation of diagrammatic reaoning ha only been carried out in the recent pat. The main focu often lie on very abtract diagrammatic ytem, like Euler and Venn diagram. Shin defined a ound and complete formal deduction ytem for Venn Diagram [Shi95], which i equally expreive a monadic firt-order logic. The exitential graph of Peirce and their deduction rule have been formalied and proven to be ound, complete and equivalent to propoitional logic by Hammer [Ham96]. Minehima et al. compared a natural deduction tyle proof ytem for Euler diagram with a proof ytem baed on reolution for Venn diagram [MOT10]. Even though thee type of diagram make extenive ue of patial propertie in their preentation, patial reaoning itelf i not the intended application. Mot work on patial propertie and diagram cope with the repreentation of arbitrary relation (like et incluion) in term of patial relation in diagram. One of the few exception i given by Erwig and Schneider, who preented a diagrammatic ytem a a query language for patio-temporal databae [ES99]. Their approach abtract from extent, form and exact location of an object, only topological relation are conidered. The movement of object i indicated by trajectorie in vertical direction. 8 : 00 8 : 10 A B C RE 123 ICE 2 8 : 20 8 : 30 8 : 40 Figure 5.33: A Time-Ditance Diagram for Railway For the definition and evaluation of railway chedule, diagram are often ued to viualie the dependencie between occupied track and the time a train take to leave the 107

122 5 Viual Logic for Freeway Traffic x Figure 5.34: A Time-Space Diagram t track [HP08]. There are different type of diagram, ued for different purpoe. In the following, we will decribe diagram that are ued to decribe dependencie on the track between tation. Conider the example in Fig The horizontal axi i labelled with the name of the tation A, B and C, while the vertical axi decribe the flow of time. Train are denoted by diagonal line going from one tation to another. The lope of the train define whether they go from left to right or the other way round. For example, the train named RE 123 drive from tation A to C, while the train ICE 2 goe from C to A. Both the train top at tation B. Such diagram allow for the examination whether a chedule i poible for the ingle track egment. For example, the line of both train interect on the egment between B and C. That i, both drive on thi egment at the ame time, and hence it ha to be a double track. If thi i not the cae, the chedule ha to be adapted appropriately. In the context of decribing ituation of vehicular traffic, diagram are often ued, but with imprecie or even undefined emantic. E.g., time-pace diagram are ued to analye the conequence of different timing behaviour of traffic light [Koo+08]. The horizontal axi of uch a diagram denote time, while the vertical axi denote pace. Horizontal block of alternating green and red repreent the tate of traffic light over time. Car driving along a treet are denoted by trajectorie. For example, in Fig a ingle car ha to wait at the firt interection at a red light. Afterward it drive uch that it reache the next interection during the green phae. Thee diagram may then, e.g., decribe queuing of everal car due to inappropriate choice for the interval of traffic light. To the bet of our knowledge, the only other approach to viually reaon explicitly about traffic ituation with formal emantic i due to Kemper and Etzien [KE14]. The main application of their language i for the pecification and imulation of advanced driver aitance ytem (ADAS). Within the viual logic, they depict patial ituation to define, what ituation are conidered. The ituation are contrained qualitatively by implying topological relation, i.e., in what order and on which lane. the car drive on the road. For quantitative contraint, they ue arrow annotated with interval. For the emantic, the patial ituation are tranlated to linear contraint over the poition of the car. Hence the main idea of thi part of both the viual language and it emantic i imilar to our approach. However, the diagram differ in the econd part of the viual language, which i baically a reduced live equence chart (ee below) connecting the traffic ituation with meage paed within the ADAS. They ue thi viual logic to 108

123 5.7 Related Work analye whether run of a imulation atify the logical contraint. Due to the lack of logical operator, their approach i not uited to reaon about afety propertie of traffic. Since we abtract from the hybrid dynamic of car in our etting, the ytem under conideration may alo be regarded a a pecial kind of real-time ytem, i.e., ytem which are required to react within certain time interval. Due to the broadne of the UML framework [RJB04], it i not urpriing that a ubet uited for pecifying real-time ytem accompanied with tool upport [Fab+11] ha been developed. While in thi approach the overall tructure and dicrete behaviour may be defined diagrammatically by uing cla diagram, component diagram and tatechart [Har88], the precondition and effect of method execution are defined in Object-Z [Smi00], while the real-time apect themelve are given a Duration Calculu (DC) [ZHR91] formula. For verification purpoe, uch a pecification can be tranlated into a formal pecification language [Hoe06]. In contrat, Kleuker introduced Contraint Diagram (CD) [Kle00] (not to be confued with the Contraint Diagram of Kent [Ken97]), which are deigned to pecify real-time apect of ytem diagrammatically. Their abtract yntax i not contructed within a general formalim but a a mathematical tructure pecific to the peculiaritie of CD. Contraint Diagram are given a emantic in term of Duration Calculu formula and hence can be ued in conjunction with DC by definition. Live equence chart (LSC) [DH01], both an extenion and formaliation of meage equence chart (MSC), are capable of decribing real-time apect of different interacting object. Object may ynchronie and communicate via meage. The emantic of a LSC i a ymbolic tranition ytem induced by the tructure of the diagram. Therefore, a partial order on the meage ent and received by each object and the event (e.g. execution of method) occurring during the exitence of an object i defined. A long a only event occur, i.e., no communication between object take place, the order in which thee event occur i only retricted within one object. Thi reemble the independence of lane in traffic diagram, where the patial relation between car on different lane are only contrained, if ditance arrow imply a certain order. While all of thee approache to real-time ytem are uitable for the pecification of uch ytem, none are initially capable of taking patial apect into account. While LSC and the UML diagram may be augmented with a treatment of pace by introducing uited variable and domain, uch approache will lack in intuition and clarity. Several different approache to define the abtract yntax of diagram have been developed, but all fall into two ditinct categorie, ad-hoc approache, i.e., mathematical tructure which are deigned to fit to a pecific language, and intance of a general framework. Both approache have their own benefit and diadvantage. Ad-hoc definition are well-uited for a diagrammatic language at hand, but are often initially hard to grap and to define. Example for thi type of abtract yntax are Concept Graph with negation a defined by Dau [Dau04a] and the Contraint Diagram of Kleuker [Kle00]. Uing a general framework implie on the one hand the need to undertand the framework firt, before attempting to undertand the abtract yntax. Furthermore, the generality may caue unaethetic part within the yntax, to overcome the quirk of the framework. On the other hand, defining the yntax within a framework eae relating the diagram to other language given in the ame framework. In addition, tool to 109

124 5 Viual Logic for Freeway Traffic analye the framework may alo be ued to examine the abtract yntax. Example of uited framework for the definition of abtract yntax of diagram are hypergraph rewriting ytem [Min00], triple graph grammar [AER98; RS95] or imply the definition of relation of diagrammatic element in term of logical formula [Haa98]. We defined Traffic Diagram in term of the general framework of hypergraph rewriting ytem. The ue of hypergraph enable u to eaily ue extenion of rewriting ytem in the form of HR condition for the more complicated rule. For paring purpoe, a typical ditinction within the yntax of diagram uing a framework of graph rewriting ytem i done between the patial relation graph (SRG) and the abtract relation graph (ARG) [RS95; Min00]. The SRG i a direct abtraction of the concrete yntax, inofar a it edge directly reflect the form of the element, and not their intended ue. Thi part of the yntax i determined by the ARG. That i, the edge in the SRG are denoting, how element are depicted (e.g. a circle), while the edge in the ARG refer to what i meant by the element (e.g. tate of an automaton). In thi preentation, the main focu lie on the definition of the language itelf, and not on general paring, hence we choe to omit a definition for the patial relation graph. If we wanted to make ue of exiting paring approache, the tool DiaGen [MV95] baed on Mina work i the mot promiing candidate to create a parer and editor for Traffic Diagram. It ue hypergraph a the underlying repreentation tructure of the diagram and make ue of hyperedge replacement rule for the creation and analyation of diagram. Unfortunately, even though DiaGen can ue ome application condition for the rewriting rule, it i currently not able to cope with the complex condition we need for our abtract yntax. Another example of a language with an abtract yntax defined by graph rewriting ytem on hypergraph i the graphical ecurity protocol modelling language (GSPML) [McD05; MA08], intended to pecify ecurity protocol. The emantic of GSPML i a labelled tranition ytem. While the graphical yntax of GSPML incorporate incluion of element a a patial apect, thi i only ued to define the cope of parallelim operator. Even though many different production rule are needed for the definition of the yntax, they only rely on embedding context a ide condition. In Traffic Diagram, mot of the patial apect are alo very eaily defined, like incluion in layer, or equence. However, for the definition of the ditance arrow, i.e., the diagrammatic element with a ditinguihed patial interpretation, we need the more complex condition. Thi highlight the difficultie patial interpretation of patial relation impoe not only on the emantic, but alo on the abtract yntactic element and the way they may poibly be related. 110

125 6 Combining Text and Diagram Content 6.1 Comparion of Expreivity Verification Framework Related Work In the previou chapter, we defined the logic EMLSL and the diagrammatic language of Traffic Diagram, which are both evaluated on the ame emantic model. In Sect 6.1, we will dicu the expreive power of Traffic Diagram in comparion with EMLSL. A it turn out, Traffic Diagram can be tranlated to equivalent formula, but there are propertie definable with EMLSL but not with diagram. We will then ketch in Sect. 6.2 how formula and diagram can be ued in combination to allow for the exploitation of the advantage of both. For that, we integrate EMLSL formula into the abtract yntax graph of Traffic Diagram and define, how they are then evaluated emantically. 6.1 Comparion of Expreivity While the language of traffic diagram eem very expreive, it i not a expreive a EMLSL in everal way. Conider for example the formula l = 3 free re(ego), i.e., there i a free extenion behind the reervation of ego with the length 3. Intuitively, an equivalent Traffic Diagram hould be 3 ego 111

126 6 Combining Text and Diagram But thi i not a yntactically correct Traffic Diagram, ince Definition 5.3 require ditance arrow to connect border of reervation or claim, while the arrow in the diagram above tart at the border of the layer. More generally, Traffic Diagram are not able to tate propertie concerning quantitative propertie of the whole view under conideration. They may only relate the length of and pace between reervation and claim. Figure 6.1: Schema of a Spatial Diagram Furthermore, the diagram do not allow for arbitrary chop. Conider the chema of a patial diagram S a given in Fig 6.1 coniting of three topological equence within a full layer. If we compute the emantic of S with repect to a traffic naphot T S, a view V and a valuation ν, we firt have to compute the emantic of the lane equence within S. That i, V will be vertically chopped two time to V 1, V 2 and V 3 which all have to conit of exactly one lane. Only afterward do the V i get horizontally chopped. In general, each atomic patial diagram conit of a equence of lane, each of which i divided horizontally. That i, it i not poible in general to find a correponding Traffic Diagram for a formula ϕ, where the horizontal chop i the topmot operator, e.g., if ϕ i of the form ( ) ( ) φ1 ψ1 ϕ =. φ 2 Another retriction of Traffic Diagram i the lack of a general equality predicate. It i not poible to ditinguih two car C and D, which occupy the ame pace, except if one of them i the car denoted by ego. Then the definition of exitential quantification enure that the bound variable i evaluated to a car different from the owner of the current view. In EMSLS however, we can ditinguih between an arbitrary finite number of car in every formula. ψ 2 Tranlation of Traffic Diagram to EMLSL. Each diagram can be tranformed into an equivalent EMLSL formula. Similar to the definition of the emantic of diagram, we ditinguih between the qualitative and the quantitative apect of layer. For the former, we define the qualitative tranformation function and for the latter the metric tranformation function. Thee tranformation are then combined within the complete tranformation function T : D Φ. We tart with the definition of the metric tranformation. The metric tranlation mimic the emantic of ditance arrow a given in Sect It ue the implicit variable of a diagram by making them explicit. A an example, 112

127 6.1 Comparion of Expreivity e 2 1 e 2 2 e 2 3 d c (4, 8] e 1 1 e 1 2 e 1 3 Figure 6.2: Example for the Metric Tranformation conider the Traffic Diagram in Fig Let A be the ditance arrow in that diagram. The main idea of the tranlation i to um up the length left to the ource of A and left of the target of A, and then ubtract the former from the latter. Recall that we defined an order within topological equence in Sect. 5.5, Def We will denote the edge repreenting the topological equence in the lower lane by e 1 i and imilarly e2 i for the upper lane a indicated in the figure. Furthermore, let χ be the implicit length function, i.e., the mapping of edge to implicit variable. Then we want the repreentation of A to be 4 < (χ(e 2 1) + χ(e 2 2) χ(e 1 1)) (χ(e 2 1) + χ(e 2 2) χ(e 1 1)) 8. That i, we um up the implicit variable of all edge preceding the reervation of c (ince A i connected to the left border of thi ituation) and imilarly, we add up the implicit variable of the edge preceding the reervation of d, but include the topological ituation labelled d (ince A i connected to the right border of it). Thi approach i formalied in the following definition. Definition 6.1 (Metric Tranformation Function). Let L be the repreentation of a lane equence and S be the et of all hyperedge repreenting ditance arrow within L, i.e., d S θ(d) = arrow. Furthermore, let χ be the implicit length function of the abtract yntax graph of L and l it labelling function. For an edge d S, we will refer to the edge viiting the ame node a the tentacle of d a (d). Similarly, we ue t(d) for the edge viiting the ame node a the t tentacle of d. The metric tranformation M : D Φ i defined by L M = i l l χ(e) χ(e) χ(e) χ(e) r i r, d S e a(d) e b t(d) e a(d) e b t(d) where a = if the tentacle incident with the tentacle of the edge d i labelled with l and a = otherwie (and imilar for b ). Furthermore, let i = l(d) and i l (i r ) refer to 113

128 6 Combining Text and Diagram the left (right, repectively) border of i. Then l =< if i i left-open, otherwie l = and imilar for r. We ue the following definition of the qualitative tranformation function to tranlate the qualitative patial apect to uitable EMLSL formula. The lane eparation correpond to vertical chop, either a ingle one to repreent an exact lane eparation, or a double chop with an additional formula to imulate the emantic of wide lane eparation. The content of topological equence are tranlated one after another and connected by horizontal chop. Here, the emantic of the atom, a well a the definition of free enure, that the part where thee topological equence are evaluated are non-empty interval. Additionally, the end of a topological equence contrain the formula to be evaluated on a ingle lane. Definition 6.2 (Qualitative Tranformation Function). Let L and L be lane equence, T a topological equence. Recall that the abtract yntax graph of a topological equence i an ordered equence of edge of the type car, free and true. In the tranlation, the name of the edge under conideration will be denoted by e. Let the function aociating implicit variable with hyperedge be denoted by χ. The qualitative tranformation function QD Φ i given by the following definition. L Q L = Q T Q T L Q L Q = T T Q Q t car T = (( r R re(r)) ( c C cl(c)) l = χ(e) ) T Q (R, C) ( ) Q t free T = (free l = χ(e)) T Q ( ) Q t totrue T = l = χ(e) T Q (T ) Q = l = 0 ω = 1, if T i the empty equence The complete tranformation function i baed on the qualitative and metric tranformation for the tranlation of layer. For the tranlation of implicit variable, we denote the et of implicit variable ued in a layer L by χ(l) and for a et of variable S, we ue the notation S ϕ a an abbreviation for the exitential quantification of all element of S. Definition 6.3 (Tranformation Function). In the following, let D, D 1, D 2 be patial or Traffic Diagram, S a patial diagram and L a lane equence. Furthermore, let χ be the 114

129 6.1 Comparion of Expreivity implicit length function of the abtract yntax. The tranformation function T : D Φ tranlating Traffic Diagram into formula of EMLSL i given by the following definition. ( ) T D = (D T ) ( ) T D 1 D 2 = D T T 1 D 2 T x = x (x ego D T ) D ( ) T L = χ(l) (L Q L M ) ( ) T = ( ) T L = χ(l) ( L Q L M ) S T = S D T ( D T ) S D T = S T F ( D T ) That i, on the Boolean operator the tranlation act imply a a homomorphim. Each precie temporal arrow i tranlated to the diamond-like modality referring to the tranition the arrow i labelled with. Similarly, a faint arrow correpond to the ue of the finally modality F. Oberve that for quantification, we enure that the bound variable ha a different value than ego, a the emantic in Sect. 5.5 require. Before we prove the oundne of the tranlation, we give a hort example. Example 6.1. In the tranlation of the following diagram, we denote the i-th edge in the abtract yntax graph of the j-th topological equence by e j i. c,d [2, 3] c d [1, 2] T 115

130 6 Combining Text and Diagram = c, d c ego d ego d [1, 2] [2, 3] c T = c, d c ego d ego [2,3] d [1, 2] c T = c, d c ego d ego ( ( [2,3] d [1, 2] c Q (1 χ(e 2 1) χ(e 1 1)) (χ(e 2 1) χ(e 1 1) 2) )) = c, d c ego d ego ( ( free l = χ(e 2 1 ) re(c) l = χ(e 2 2 ) l = 0 ω = 1 [2,3] cl(d) l = χ(e 1 1 ) free l = χ(e1 2 )) ) l = 0 ω = 1 (1 χ(e 2 1) χ(e 1 1)) (χ(e 2 1) χ(e 1 1) 2) Now for proving oundne of thi tranlation, we firt have to relate the different valuation for EMLSL and Traffic Diagram to each other. For that, recall that valuation for EMLSL alo evaluate term, while valuation for Traffic Diagram are lifted to interval with variable a bound. But both type of valuation are baed on a valuation which only evaluate variable. Furthermore, full term do not occur in Traffic Diagram and interval do not occur within EMLSL formula. Hence we can extend the variable valuation ν to a valuation for EMLSL a defined in Def. 4.3, a well a a valuation for Traffic Diagram a given in Def

131 6.1 Comparion of Expreivity Propoition 6.1. The tranlation of Traffic Diagram to EMLSL i ound, i.e., for all traffic naphot T S, view V, valuation ν and Traffic Diagram D, T S, V, ν = D if and only if T S, V, ν = D T. Before we can prove thi propoition, we have to how the equivalence of the qualitative propertie of the diagram and the equivalence of the interpretation of ditance arrow. For proving the equivalence of the qualitative propertie, we will employ ome intermediate lemma, imilar to the proof for the uniquene of abtract yntax graph given in Chap. 5. That i, we firt prove the equivalence for a ingle topological equence, and afterward the equivalence for a lane equence. Recall that = S i the conequence relation for the qualitative apect of patial diagram. Lemma 6.1. Let T be a topological equence. Then for all traffic naphot T S, view V and valuation ν, we have T S, V, ν = S T iff T S, V, ν = T Q. Proof. By induction on the length of the topological equence. Let T be a topological equence coniting of one topological ituation and let G = (V, E, τ, θ, l) be it repreentation. I.e., within G, there i exactly one edge e l of the type lane whoe i tentacle viit the ame node a the tentacle of an edge e t of the type totrue, free or car. 1. Let e t be of the type totrue. According to the emantic of lane equence (Fig. 5.27) and topological equence (Fig. 5.28), the emantic of G with repect to a traffic naphot T S, a view V = (L, X, E) and a valuation ν i L = 1 X = X 1 ɵ X 2 ν(χ(e t )) = X 1 X 2 = 0. On the other hand, the tranlation of T i T Q l = χ(e t ) l = 0 ω = 1. A brief calculation of the emantic of T Q yield exactly the ame condition for T S, V and ν. 2. Let e t be of the type free. The qualitative tranformation of T i given a follow: Expanding the abbreviation free yield T Q free l = χ(e t ) l = 0 ω = 1. T Q l > 0 ω = 1 c l (cl(c) re(c)) l = χ(e t ) l = 0 ω = 1, and imilarly, expreing l in term of horizontal chop and removing the redundant conjunct ω = 1 give u T Q l > 0 c ( (cl(c) re(c)) ) l = χ(e t ) l = 0 ω =

132 6 Combining Text and Diagram Oberve that thi formula require a view V = (L, X, E) to be chopped horizontally, i.e., V = V 1 ɵ V 2, uch that the extenion X 2 of V 2 ha the meaure 0 and the extenion X 1 of V 1 both greater than zero and exactly the value of χ(e t ). Now, the emantic of G i L = 1 X = X 1 ɵ X 2 ν(χ(e t )) = X 1 X 1 > 0 X 2 = 0 C I len V (C) I(X 1 ) = re V (C) clm V (C) =. Oberve that for the extenion of V 1 and V 2 a well a the et of lane, thi formula expree imilar retriction a the tranlation. Moreover, it alo require the meaure of X 1 to have the ame value a the value of χ(e t ). Hence we only have to how the equivalence between the univerally quantified conjunct. Let T S be a traffic naphot, V a view and ν a valuation. Note that X 2 = 0 implie X = X 1. I.e., we will reaon about X, to avoid unneceary ubcript. Aume that there i a car C uch that len V (C) I(X) and re V (C) clm V (C). According to Convention 3.2, len V (C) cannot be a ingleton et, i.e., the only poible difference between len V (C) and len V (C) I(X) may be the lack of (one or both) border of the latter. However, within len V (C) I(X) there exit a cloed non-empty interval X C. Now let u conider the ubview V C = (X C, L, E) of V, i.e., it retriction to the extenion X C. Then len VC (C) = X C. Becaue the et of lane i hared between V and V C, we alo know re VC (C) clm VC (C), i.e., at leat one of the et re VC (C) and clm VC (C) i non-empty. From thee two obervation, we get that on the ubview V C of V 1 either T S, V 1, ν {c C} = re(c) or T S, V 1, ν {c C} = cl(c) hold. Hence T S, V 1, ν = c ( (cl(c) re(c)) ). The other direction i imilar. 3. Let e t be of the type car and let l(e t ) = (R, C). The emantic of G i L = 1 X = X 1 ɵ X 2 ν(χ(e t )) = X 1 X 1 > 0 X 2 = 0 c R re(ν(c)) = L len V1 (ν(c)) = X 1 c C clm(ν(c)) = L len V1 (ν(c)) = X 1, where V 1 = (L, X 1, E). The tranlation of T yield (( ) ( ) ) re(r) cl(c) l = χ(e t ) l = 0 ω = 1. r R c C Thi formula enure that V can be chopped into two ubview, where the econd one i of length 0. Since ω = 1 i horizontally rigid, both view have to conit of exactly one lane, i.e. V alo atifie L = 1. Furthermore, the atom re(c) and cl(c) both require the view V 1 to have a non-empty extenion, i.e. X 1 > 0, and the length contraint enure X 1 = ν(χ(e t )). The remaining contraint are alo part of the emantic of the atom. 118

133 6.1 Comparion of Expreivity Now aume that for all equence T with a length maller or equal to n, we have T S, V, ν = S T iff T S, V, ν = T Q. Conider a topological equence T of length n + 1 uch that T S, V, ν = S T. Let e t be the lat edge of T. Removing e t yield a equence T, of length n. The emantic of each of the edge within a topological equence need the view under conideration to be chopped horizontally into two ubview, i.e., we get that there have to be two view V 1 and V 2 uch that V = V 1 ɵ V 2 and T S, V 1, ν = S T and T S, V 2, ν = S e t. By the induction hypothei, we know that T S, V 1, ν = T Q. Thi formula require V 1 to conit of exactly one lane, and hence implie that alo V and V 2 conit of thi lane. Now imilar to the induction bae, we can calculate the value of the tranformation function for e t and compare thi formula to the emantic of e t to get the equivalence. Lemma 6.2. Let L be a lane equence. Then for all traffic naphot T S, view V and valuation ν, we have T S, V, ν = S L iff T S, V, ν = L Q. Proof. By induction on the length of lane equence, i.e., the number of topological ituation within the equence. If L ha the length 1, it conit of only one topological equence T, for which Lemma 6.1 yield the equivalence. Now aume that for all lane equence L of length maller or equal to n, the equivalence hold. Conider L of length n + 1 uch that T S, V, ν = S L with V = (L, X, E). Then L conit of a lane equence L of length n, an additional topological equence L t and an edge e, which connect L t with the lat equence of L and repreent the lane eparation. 1. Let θ(e ) = exact. Then by the emantic of L, there are two et of lane uch that L = L 1 L 2 and T S, V L 1, ν = S L and T S, V L 2, ν = S L t. Since L t i a ingle topological equence, we get by Lemma 6.1 that T S, V L 2, ν = L t Q. The induction hypothei yield T S, V L 1, ν = L Q. So overall we get that there have to exit L 1 and L 2 uch that L = L 1 L 2, T S, V L 1, ν = L Q and T S, V L 2, ν = L t Q. That i, we have that T S, V, ν = S L i equivalent to T S, V, ν = L t Q L Q which i by definition equivalent to T S, V, ν = L Q. 2. Let θ(e ) = wide. Thi cae i imilar to the previou one, with the exception that we have to have et of lane uch that L = L 1 L m, L m = L m L 2 with T S, V L 1, ν = L Q and T S, V L 2, ν = L t Q. Since all view and naphot atify, we then get that T S, V, ν = S L i equivalent to T S, V, ν = L t Q L Q which i by definition equivalent to T S, V, ν = L Q. 119

134 6 Combining Text and Diagram Hence in both cae the lemma hold. Now we can proceed to prove Prop For the qualitative patial apect of Traffic Diagram we ue the preceding lemma. Then, we mainly need to concentrate on the metric tranformation and the tranlation of the temporal arrow. Proof of Prop We proceed by induction on the tructure of Traffic Diagram. In the induction bae we will prove the equivalence of the atifaction of an atomic patial diagram with it tranlation to EMLSL. Firt oberve that the metric emantic of a ingle ditance arrow i imilar to the metric tranformation of jut thi one arrow. The only difference i that in the diagram emantic the ditance i required to be an element of the interval defined by the label, while the metric tranformation explicitly tate the relation between the border of the interval and the reult of the difference. Hence both formaliation are equivalent. Now let S be an atomic patial diagram. Then S conit of either a full or partial layer together with it content, or of a ingle haded rectangle. For the lat cae, the propoition i eaily verified. So we now conider the other cae. 1. Let T S, V, ν = S, where S conit of a full layer. Furthermore let L be the lane equence within S. Then by the emantic of S, we know that for all implicit variable ṽ = v 0,..., v n, of L, there are element α = α 0,..., α n, uch that T S, V, ν {ṽ α} = S L and T S, V, ν {ṽ α} = M L. By the remark at the beginning of the proof concerning the metric tranformation, we have T S, V, ν {ṽ α} = M L iff T S, V, ν {ṽ α} = L M and by Lemma 6.2, we have T S, V, ν {ṽ α} = L Q. So, all in all, we have T S, V, ν {ṽ α} = L Q L M. By the emantic of exitential quantification, thi i equivalent to T S, V, ν = χ(l) (L Q L M ), which i by definition equivalent to T S, V, ν = S T. 2. Thi cae i imilar to the previou one, except that the emantic of S require a ubview of V to atify the metric and qualitative apect of the lane equence L. Oberve that the formula L M i rigid. Hence it i not important, whether we interpret it on V or a ubview of V. That L Q i atified by a ubview V of V mean that we can both vertically and horizontally chop V to get V. That i T S, V, ν = L Q i equivalent to T S, V, ν = L Q. Hence the equivalence hold alo for thi cae. For the induction hypothei, aume that the propoition hold for the Traffic Diagram D 1 and D 2 a well a for the patial diagram S. In the induction tep, the cae for the Boolean operator and quantification are tandard. Let D be the Traffic Diagram coniting of a precie temporal arrow A connecting S and D 1 and aume T S, V, ν = D. Let A be a precie arrow labelled with a real-valued interval i. The emantic of D yield that T S, V, ν = S and that there exit another naphot T S and a duration t T uch that T S t T S with t i and T S, V, ν = D 1, where V = mv T S S (V ). By the induction hypothei, we get that T S, V, ν = S T and T S, V, ν = D T 1. That i, T S, V, ν = S T i (D T 1 ), which i by definition equivalent to T S, V, ν = D T. The cae for the other type of temporal arrow are imilar. 120

135 6.2 Verification Framework 6.2 Verification Framework In thi ection we will decribe how the logic and the diagram defined in Chap. 4 and 5 can be combined to gain a heterogeneou reaoning ytem. Furthermore, we decribe in what way we aume thi combined ytem to be helpful to reaoner about traffic ituation. We bae our heterogeneou reaoning ytem on the concrete and abtract yntax of Traffic Diagram defined in Sect. 5.1 and 5.4. Formula may be written at any place, where an atomic diagram or a temporal equence may be drawn according to Definition 5.5. For the abtract yntax, the et of type Θ get extended by a new terminal type formula, which denote the exitence of a formula at thi poition. Therefore, we require that for each edge e with θ(e) = formula, the labelling function l return the correponding formula ϕ, i.e., l(e) = ϕ. To achieve that thee edge may appear at the correct poition within the abtract yntax graph, we need a new rewriting rule. Recall that the rule R B D given in Fig create the logical tructure of Traffic Diagram, where the rule inerting edge of the type equence define the place, where either an atomic diagram or a temporal equence reide. Hence we introduce a new rule for the replacement of the non-terminal B D a hown in Fig B D 1 p formula ϕ Figure 6.3: New Rule R 5 B D : Formula (ϕ Φ) The atifaction relation for Traffic Diagram a given in Def ha to be extended to cope with edge of thi new type. However, the extenion i traightforward. A traffic naphot T S, a view V and a valuation ν atify the graph coniting of the edge e with θ(e) = formula and l(e) = ϕ iff T S, V, ν = ϕ. In thi way, we can exploit the advantage of formula and diagram alike. While the diagram allow for a very intuitive pecification of the patial relation of car (quantitative a well a qualitative), formula let u expre more involved propertie a well a aertion about identitie of car. For example, while a contraint for the endpoint of reervation of car on different lane i eaily expreible with Traffic Diagram, the length of the whole view can be meaured with the EMLSL formula l = x. Since Traffic Diagram and formula may ue the ame variable, thi meaurement may alo be ued within Traffic Diagram. An example combining an EMLSL formula within a Traffic Diagram i given in Fig The diagrammatic part contrain that one reervation of c lie in front of one reervation of ego, and the EMLSL formula that no reervation of another car overlap with c reervation. In general, the main advantage of thi combination i due to the equality contraint of EMLSL, and the arbitrary poibilitie to chop and net the behavioural modalitie. We now decribe the method how the combination of Traffic Diagram and EMLSL 121

136 6 Combining Text and Diagram c ego c d ( re(c) re(d) c = d) Figure 6.4: Example of a Combination of EMLSL and Traffic Diagram formula can and hould from our point of view be ued. For that, recall that we only gave a proof ytem for EMLSL, and no imilar ytem for Traffic Diagram. Hence, to explicitly and yntactically proof that a ytem poee a certain property, the ytem ha to be given a formula of EMLSL. Our propoed methodology i a follow. Firt, decribe a minimal ytem S and prove that thi ytem fulfil the verification property P. Then, augment thi ytem with uitable Traffic Diagram and formula to further contrain the ytem behaviour, reulting in the ytem S. If P i a afety property, thee additional contrain cannot harm the validity of the proof done in the firt tep. In thi way, the core pecification S can be gradually refined to get the more realitic ytem S, while till retaining the afety of S. S S T S P Figure 6.5: Proving Safety with EMLSL and Traffic Diagram Figure 6.5 viualie thi method. The wiggly line denote formula of EMLSL, while the boxe, hook and vertical arrow repreent Traffic Diagram. Oberve that the diagram in S can be tranlated into equivalent EMLSL formula. Hence by the addition of thee diagram, we get a et S T of EMLSL formula, which i a uperet of the et S ued to derive P. Since provability i monotone with repect to finite et of aumption, we can till find a uitable derivation of P. 6.3 Related Work The ancetor of all heterogeneou logical ytem (i.e., logical ytem which ue more than one language) i the Hyperproof ytem [BE92; BE96], which ue Tarki world a an example for teaching purpoe. It integrate firt-order logic with predicate over the patial relation and propertie of the element within the world with a (poibly incomplete) diagrammatic repreentation of a world. The tudent then ha to draw 122

137 6.3 Related Work concluion from both the logical tatement a well a the graphical repreentation to finally give a concrete world which atifie both pecification. The Openproof ytem [Bar+08] i a generaliation of Hyperproof ince it i not retricted to a particular application but allow for uing arbitrary textual and diagrammatic repreentation of the underlying emantic. Neither of thee approache ue a o-called interlingua, i.e., a language into which both repreentation are tranlated for reaoning purpoe. The ytem preented in thi chapter i imilar, inofar a EMLSL i given in term of textual definition and Traffic Diagram are baed on an abtract yntax of hypergraph. However, a hown in Sect. 6.1, we could tranlate each diagram into EMLSL, which would then erve a an interlingua. Even though we did not define proof rule for Traffic Diagram, thi approach would directly enable the uer to ue the proof ytem of Sect. 4.2 for the verification of heterogeneou pecification. The combination of Traffic Diagram and EMLSL i not trictly a heterogeneou reaoning ytem in the ene of Barwie and Etchemendy [BE96; Shi04], ince it lack not only proof rule for Traffic Diagram but alo tranformation rule, which allow for the tranfer of information from EMLSL to Traffic Diagram and vice vera. However, the imilar emantical model of both language make an analyi in the term of ituation theory, a ued by Barwie and Etchemendy [BE90], worthwhile. In their paper, intead of uing a model of truth, they introduced a model of information in term of ditributive lattice to jutify the heterogeneou proof rule within Hyperproof. Since they explicitly refer to partial information, it would be intereting to compare their approach to the view and different enor implementation of the abtract model (c.f. Chap. 3). A dicued in Sect. 4.4, an implementation of thi proof ytem within the context of Iabelle eem promiing. For further integration of Traffic Diagram into uch an implementation, an examination of Diabelli [UJ12] i worthwhile. Diabelli give the poibility to ue pider diagram within Iabelle [Pau94] by providing an integration with a diagrammatic theorem prover called Speedith [Urb+12]. Urba and Jamnik further generalied the approach of Diabelli [UJ14] to almot arbitrary combination of entential and diagrammatic theorem prover. They ditinguih between mater and lave reaoner. The mater reaoner provide the more meta-theoretical apect, e.g., the concept of a proof, while the lave reaoner only ha to provide inference rule. For our purpoe, uing imple diagrammatic inference rule in combination with a more general implementation of the proof ytem for EMLSL in Iabelle would be probably appropriate. All thee heterogeneou ytem concentrate on the derivation of theorem from a et of aumption. An heterogeneou proof ytem defined explicitly for verification purpoe i the ytem of ribbon proof [WDP13; Bea06]. The goal of thi ytem i to enure program correctne [Hoa69] baed on eparation logic [Rey02]. While the definition of ribbon proof i mainly diagrammatic, the current implementation in Iabelle need textual input to prove intermediate tep. However, even within the definition, excerpt decribing the current heap tructure imilar to the notion in eparation logic are ued, hence ribbon proof are more heterogeneou than purely graphical in our opinion. Similar to Traffic Diagram, they employ a relatively involved graph tructure for yntax, i.e., neted hypgergraph. 123

138

139 7 Cae tudy Content 7.1 Controller Specification Safety Proof Refining the Specification The main motivation for the definition of EMLSL and Traffic Diagram wa the derivation of a afe protocol to perform lane change manoeuvre. In our previou work, we preented a pecification a an extended timed automaton [Hil+11], where guard and invariant could alo contain formula of (E)MLSL. However, the emantic of thee automata and the afety proof were only given informally. Only recently, within her Mater thei, Schwammberger took tep toward a completely formal emantic for thee kind of automata [Sch14]. In thi chapter, we take a denotational approach. That i, we give a pecification for controller a everal EMLSL formula. While the automata mentioned above only pecify the behaviour of a ingle car, we explicitly require all car to behave imilarly. Furthermore, our preentation here i much more abtract. We only contrain ome of the poible tranition, in particular the creation of reervation. All other tranition may occur almot without limitation. The only other contrain we impoe i on the dynamical behaviour. In contrat, a pecification uing automata would explicitly tate which tranition can be taken by a car according to the current tate of the controller. Hence, the controller pecification given in Sect. 7.1 i le retrictive. In Sect. 7.2, we ue the proof ytem preented in Chap. 4 to derive the deired afety predicate. Finally, we ue the diagram given in Chap. 5 to preent a pecification which i cloer to poible implementation. For that we combine the pecification of Sect. 7.1 with a et of diagram and get a heterogeneou pecification in the ene of Chap

140 7 Cae tudy 7.1 Controller Specification We proceed in three tep. Firt, we preent the afety predicate afe(e), i.e., the formula whoe validity the controller hall enure during all poible tranition equence. Intuitively, it tate that there i no car c, whoe reervation overlap anywhere with the reervation of the car e: afe(e) df c c e re(e) re(c). The afety predicate ued in our previou work wa afe(ego), i.e., there we only proved afety with repect to the pecial car ego. However, ince we aumed all car to be alike, we could ue an informal ymmetry argument to derive the afety predicate for all car. In the preent form however, we will be more concrete about the invariant. Firt, we will how that with the appropriate controller, G afe(e) hold, i.e., afe(e) i an invariant along all tranition equence. Since we will not make any additional aumption on e, we can then derive that G afe(e) hold for all car e, i.e., we get e G afe(e). In the pecification of the controller, we need to be aware of patial ituation which may reult in unafe behaviour. In particular, we have to prohibit the car to mutate their claim to reervation if thee claim already overlap with any part of other car. We call thee ituation potential colliion, and the following formula pc(c, d) the potential colliion check: pc(c, d) df c d cl(d) (re(c) cl(c)). The definition of the potential colliion check i the ame a for the informal afety proof [Hil+11]. Oberve that thi definition i a bit more retrictive than needed. We could omit the dijunction with cl(c), and till get a afe controller pecification, due to our ue of interleaving emantic. If the claim of two different car overlap, one car ha to be firt to change it claim to a reervation. Then, the other car could identify the reulting ituation a a potential colliion and react appropriately. However, we till choe to ue thi lightly more retrictive definition, ince it doe not complicate the proof very much, and will alo enure afety if we aume ynchronou creation of reervation. Now we proceed with the pecification of what we call the ditance controller. To that end, recall that τ φ i an abbreviation for [0, ) φ (cf. Convention 4.1). Thi formula enure that afe ituation will be preerved under all poible evolution, i.e., a long a only time pae and acceleration are changed: DC df G c, d c d ( re(c) re(d) τ re(c) re(d) ). Thi definition i a direct formaliation of the very important aumption A2 of the informal proof: Aumption A2. [Hil+11] Every car C i equipped with a ditance controller that keep the afety property invariant under time and acceleration tranition, i.e., for every tranition T S T t S and T S T acc(c,a) S if T S i afe alo T S i afe. 126

141 7.2 Safety Proof The premie of DC tate that the traffic naphot T S i afe. Then, the concluion enure that under all poible evolution, i.e., tranition equence, where only the dynamic of car may change and time may pa in between, the afety property i preerved. The invariance modality at the front of the formula guarantee that the ditance controller keep working during all tranition equence. Note that if patial tranition occur, DC doe not enure afety of the reulting naphot. Finally, the lane change controller retricting the dicrete tranition i given by the following formula LC. We employ the potential colliion check to prohibit the creation of unafe reervation: LC df G d ( c pc(c, d) r(d) ). Thi formula define that whenever the claim of a car denoted by d overlap with the claim or reervation of another car, d i not allowed to mutate it claim into a reervation. For that we ue the ubformula r(d). It tate that after for all tranition creating the reervation of d, the reulting traffic naphot, view and valuation have to atify. Since no model atifie, no uch tranition i poible. Oberve that thi formula neither prohibit any other tranition nor doe it enforce the withdrawal of the claim which i reponible for the potential colliion. 7.2 Safety Proof We want to how that under the right circumtance, the formula e afe(e) i an invariant along all tranition equence. In particular, we want that whenever we tart with a afe ituation and all car ue a controller implementation repecting the pecification hown in Sec 7.1, e G afe(e) i true. Uing the ytem of Labelled Natural Deduction (cf. Sect. 4.2), thi mean we have to prove ({t, v : DC, t, v : LC, t, v : e afe(e)}, ) t, v : e G afe(e). Since e doe not occur free in any element of Γ = {t, v : DC, t, v : LC, t, v : e afe(e)}, we can proceed to prove (Γ, ) t, v : G afe(e) and apply I afterward. To apply the invariance rule, we have to how that afe(e) i derivable under all poible tranition, i.e., we have to prove the exitence of the following five derivation. 127

142 7 Cae tudy (Γ {t 1, v 1 : afe(e)}, {t, v = t 1, v 1, t 1, v 1 r(d) t 1, v 1}) t 1, v 1 : afe(e) (Γ {t 2, v 2 : afe(e)}, {t, v = t 2, v 2, t 2, v 2 c(d) t 2, v 2}) t 2, v 2 : afe(e) (Γ {t 3, v 3 : afe(e)}, {t, v = t 3, v 3, t 3, v 3 wd r(d) t 3, v 3}) t 3, v 3 : afe(e) (Γ {t 4, v 4 : afe(e)}, {t, v = t 4, v 4, t 4, v 4 wd c(d) t 4, v 4}) t 4, v 4 : afe(e) (Γ {t 5, v 5 : afe(e)}, {t, v = t 5, v 5, t 5, v 5 t t 5, v 5}) t 5, v 5 : afe(e) We will now prove thee propoition one after the other. The main idea i alway the ame: For the i-th propoition, we aume that there i an overlap between two reervation on the world t i, v i and how that thi reult in a contradiction with the aumption. Formally, we aume t i, v i : c c e re(e) re(c) and derive t i, v i :. Then we can ue the derived rule I (cf. Sect.2.3) to get t i, v i : afe(e). In all of the following proof, we will ue v i a a horthand for the locality formula v i = v L ɵ v m, v m = v m ɵ v R, v m = v D v m and v m = vi ub v U. Thee are needed to denote the part of v i, where the overlap between car occur. Note that no problem arie by the ue of imilar name v L,... within the different derivation in the following proof, ince all thee aumption will be eliminated before we apply the invariance rule. The following derivation, denoted by Π,j i where {r(d), c(d), wd r(d), wd c(d)}, i ued a an auxiliary proof tree to relate the world of our aumption to the ubview where re(e) re(c) hold. Thi i poible, ince the dicrete tranition do not change the view (cf. Sect ). Within the tree, i {1,..., 4} i the index of the traffic naphot and view, while j denote the rule ued to eliminate the aumption. t i, v i t i, v i t i, v i t i, v i t i, v m t i, v m [v i = v L ɵ v m] j t i, v m t i, v m [v m = v m ɵ v R ] j m t i, v t i, v [v m = v D v m] j m [v t i, v ub t i, vub i i m = v ub v U ] j Lemma 7.1. The afety predicate i preerved if ome car create a reervation, i.e., (Γ {t 1, v 1 : afe(e)}, {t, v = t 1, v 1, t 1, v 1 r(d) t 1, v 1}) t 1, v 1 : afe(e). Proof. We tart with the root of the proof tree. i [t 1, v 1 : c e re(e) re(c) ] 6 Π t 1, v 1 : re(e) re(c) t 1, v 1 : E 5 [t 1, v 1 : c c e re(e) re(c) ] 7 t 1, v 1 : E 6 t 1, v 1 : I 7 t 1, v 1 : c c e re(e) re(c) 128

143 7.2 Safety Proof For the derivation Π, we make a firt cae ditinction between the cae where d = e and d e, i.e., whether the car denoted by e i creating the reervation or not. In principle, both cae are very imilar, which i why we concentrate on the firt cae. That i, we will not pecify the proof tree Π d e. t 1, v ub 1 : d = e d e Π re(e) Π t 1, vub 1 : re(e) cl(e) t 1, v 1 : t 1, v 1 : t 1, v 1 : Π cl(e) t 1, v 1 : E 3 Π d e t 1, v 1 : E 4 The derivation Π i baically an application of the backward activity rule for the creation of a reervation. [t 1, vub 1 : re(e) re(c)] 5 t 1, vub 1 : re(e) Π r(d),5 1 r(d) t 1, v1 ub t 1, vub 1 [t 1, v1 ub : d = e] 4 t 1, vub 1 : re(e) cl(e) The main part of the proof lie in the derivation Π re(e) and Π cl(e). In both cae, we have to derive a contradiction. In the former, we will ue the aumption t 1, v 1 : afe(e), and in the latter the pecification of the lane change controller. We tart with Π re(e). The beginning of thi derivation i another cae ditinction. Thi time we have to ditinguih the cae d = c and d c. The firt cae i a contradiction to the aumption that c e. t 1, v ub 1 : d = c d c Π tran [t 1, v 1 : c e re(e) re(c) ] 6 t 1, v 1 : c = e t 1, v 1 : c e t 1, v 1 : t 1, v 1 : Π d c t 1, v 1 : E 1 In the tree Π tran, we derive c = e by tranitivity, ymmetry and rigidity of equality. [t 1, vub 1 : d = c] 1 t 1, vub 1 : c = d [t 1, vub 1 : d = e] 4 t 1, vub 1 : c = e t 1, v 1 : c = e Now we proceed with the cae that d c, i.e., Π d c. t 1, v 1 : afe(e) Π re(e) r(d) t 1, v 1 t 1, v 1 t 1, v 1 : re(e) re(c) t 1, v 1 : re(e) re(c) t 1, v 1 : c e re(e) re(c) t 1, v 1 : c c e re(e) re(c) t 1, v 1 : t 1, v 1 : [t 1, v 1 : c e re(e) re(c) ] 6 t 1, v 1 : c e t 1, v 1 : c e We can derive the exitence of an overlap by uing the backward tability rule for the creation of a reervation, ince we know that c i not the car creating the reervation. 129

144 7 Cae tudy [ v 1 ] 5 [t 1, v ub 1 : re(e)] 3 [t 1, vub 1 : re(e) re(c)] 5 t 1, vub 1 : re(c) t 1, v 1 : re(e) re(c) t 1, v ub 1 : re(e) re(c) Π r(d),5 1 r(d) t 1, v1 ub t 1, vub 1 [t 1, v1 ub : d c] 1 t 1, v1 ub : re(c) We are now finihed with the cae where a reervation of e wa preent on t 1, v ub 1 and turn our attention to the preence of a claim at thi world, i.e., we create the derivation Π cl(e). In thi part of the derivation, we will finally make ue of our lane change controller pecification. Like for the other cae, we begin with a cae ditinction between d = c and d c. The firt cae i derived imilarly a before, and hence omitted. The idea for the other cae i to derive an overlap between the claim of e and a reervation or claim of c and employ the controller pecification to derive r(e). Then we can employ Subt ri to replace e with d and get the deired contradiction. t 1, v ub 1 : d = c d c Π d=c t 1, v 1 : t 1, v 1 : Π LC t 1, v 1 : r(e) t 1, v 1 : r(d) [t 1, vub 1 : d = e] 4 t 1, v 1 : d = e t 1, v 1 : E 2 t 1, v 1 r(d) t 1, v 1 In the derivation Π LC, we ue the controller pecification and the fact the we could derive that the potential colliion check pc i atified. Π pcc t 1, v 1 : c c e cl(e) (re(c) cl(c)) t 1, v 1 : r(e) t 1, v 1 : LC t, v = t 1, v 1 t 1, v 1 : d ( c pc(c, d) r(d) ) t 1, v 1 : c pc(c, e) r(e) Now we can turn our attention to the derivation of the potential colliion Π pcc. Thi i imilar to the cae, where a reervation of e reide at the ubview v1 ub, i.e., the final goal i to ue the tability rule. But firt, we have to introduce the exitential quantifier, the omewhere modality and replace v 1 by v 1. [t 1, v 1 : c e re(e) re(c) ] 6 t 1, v 1 : c e t 1, v 1 : c e [t 1, v ub 1 : cl(e)] 3 Π c t 1, v ub 1 : re(c) t 1, v ub 1 : re(c) cl(c) [ v 1 ] 5 t 1, v1 ub : cl(e) (re(c) cl(c)) t 1, v 1 : cl(e) (re(c) cl(c)) t r(d) 1, v 1 t 1, v 1 t 1, v 1 : cl(e) (re(c) cl(c)) t 1, v 1 : c e cl(e) (re(c) cl(c)) t 1, v 1 : c c e cl(e) (re(c) cl(c)) Finally, we arrive at the application of the tability rule in the derivation Π c. [t 1, vub 1 : re(e) re(c)] 5 t 1, vub 1 : re(c) Π r(d),5 1 r(d) t 1, v1 ub t 1, vub 1 [t 1, v1 ub : d c] 2 t 1, v1 ub : re(c) 130

145 7.2 Safety Proof Now we contructed a well formed proof tree, where the only open aumption are either r(d) element of Γ or of {t, v = t 1, v 1, t 1, v 1 t 1, v 1, t 1, v 1 : afe(e)}. Lemma 7.2. The afety predicate i preerved if ome car create a claim, i.e., (Γ {t 2, v 2 : afe(e)}, {t, v = t 2, v 2, t 2, v 2 c(d) t 2, v 2}) t 2, v 2 : afe(e). Proof. We begin like in the proof of Lemma 7.1 by preenting the root of the tree, to motivate the upper part of the derivation. [t 2, v 2 : c c e re(e) re(c) ] 5 [t 2, v 2 : c e re(e) re(c) ] 4 t 2, v 2 : re(e) re(c) t 2, v 2 : E 4 Π t 2, v 2 : t 2, v 2 : E 3 t 2, v 2 : I 5 t 2, v 2 : c c e re(e) re(c) Now we have to how how to derive the contradiction on t 2, v 2. Thi i done in the tree Π. Note the ue of the view invariance over dicrete tranition in the rule IV. t 2, v 2 : afe(e) IV t 2, v 2 c(d) t 2, v 2 Π t 2, v 2 : re(e) re(c) t 2, v 2 : re(e) re(c) t 2, v 2 : c e re(e) re(c) t 2, v 2 : c c e re(e) re(c) t 2, v 2 : [t 2, v 2 : c e re(e) re(c) ] 4 t 2, v 2 : c e t 2, v 2 : c e The tree Π combine the reult from the tree Π re(e), Π re(e)= and Π re(c). We will only how the tree concerning the variable e in detail, ince Π re(c) i imilar. t 2, v ub 2 : d e d = e Π re(e) t 2, vub 2 : re(e) t 2, v ub 2 : re(e) Π re(e)= t 2, vub 2 : re(e) E1 Π re(c) t 2, v ub 2 : re(c) t 2, v 2 : re(e) re(c) [ v 2 ] 3 t 2, v 2 : re(e) re(c) The tree Π re(e) and Π re(e)= are imilar, with the exception that t 2, v2 ub : d e ha to be ubtituted with t 2, v2 ub : d = e. The backward tability rule for the creation of claim i till applicable, ince reervation are not changed while creating claim. [t 2, vub 2 : re(e) re(c)] 3 t 2, vub 2 : re(e) Π c(d),3 2 c(d) t 2, v2 ub t 2, vub 2 [t 2, v2 ub : d e] 1 t 2, v2 ub : re(e) The derivation tree Π re (c) i imilar to the tree coniting of Π re(e)=, Π re(e) and the application of a dijunction elimination E 2, where we ubtitute c for e. 131

146 7 Cae tudy Lemma 7.3. The afety predicate i preerved if ome car withdraw one of it reervation, i.e., (Γ {t 3, v 3 : afe(e)}, {t, v = t 3, v 3, t 3, v 3 wd r(d) t 3, v 3}) t 3, v 3 : afe(e). Proof. The proof tree i tructurally imilar to the proof of Lemma 7.2, except that c(d) all indice are changed to 3, all occurrence of t 2, v 2 t 2, v 2 are exchanged with wd r(d) t 3, v 3 t 3, v 3 and all application of c(d) S are ubtituted with application of wd r(d) S. Lemma 7.4. The afety predicate i preerved if ome car withdraw it claim, i.e., (Γ {t 4, v 4 : afe(e)}, {t, v = t 4, v 4, t 4, v 4 wd c(d) t 4, v 4}) t 4, v 4 : afe(e). Proof. Like the proof for Lemma 7.3, the proof tree i tructurally imilar to the proof of Lemma 7.2, with the appropriate change. Lemma 7.5. The afety predicate i preerved if time pae and acceleration change, i.e., (Γ {t 5, v 5 : afe(e)}, {t, v = t 5, v 5, t 5, v 5 t t 5, v 5}) t 5, v 5 : afe(e) Proof. The root of the tree i imilar to all the other derivation, i.e. contradiction on t 5, v 5. we derive a Π t 5, v 5 : re(e) re(c) t 5, v 5 : c e re(e) re(c) t 5, v 5 : c c e re(e) re(c) [t 5, v 5 : c c e re(e) re(c) ] 3 t 5, v 5 : I 3 t 5, v 5 : c c e re(e) re(c) [t 5, v 5 : c e re(e) re(c) ] 2 t 5, v 5 : c e t 5, v 5 : c e t 5, v 5 : t 5, v 5 : E 2 t 5, v 5 : afe(e) To derive the exitence of an overlap on t 5, v 5 in the tree Π, we ue the definition of τ. [t 5, v 5 : c e re(e) re(c) ] 2 t 5, v 5 : re(e) re(c) t t 5, v 5 t 5, v 5 t 5, v 5 : τ re(e) re(c) t 5, v 5 : τ re(e) re(c) t 5, v 5 : t 5, v 5 : re(e) re(c) In the following derivation Π DC, we ue the abbreviation and DC d for DC [e d]. Π DC t 5, v 5 : τ re(e) re(c) E 1 DC c e ( re(e) re(c) τ re(e) re(c) ) 132

147 7.3 Refining the Specification t, v : DC t, v = t 5, v 5 t 5, v 5 : c, d DC d t 5, v 5 : d DC d t 5, v 5 : DC [t 5, v 5 : c e re(e) re(c) ] 2 t 5, v 5 : c e t 5, v 5 : c e t 5, v 5 : re(e) re(c) τ re(e) re(c) [t 5, v 5 : re(e) re(c) ] 1 t 5, v 5 : τ re(e) re(c) Now we have contructed a well-formed derivation of the deired form. We are now in the poition to apply the invariance rule to get the deired reult, i.e., the afety predicate i an invariant under all tranition allowed by our controller DC and LC. Theorem 7.1. The afety predicate i an invariant for all car uing the controller pecification given in Sect. 7.1, i.e., Proof. We can derive ({t, v : DC, t, v : LC, t, v : e afe(e)}, ) t, v : e G afe(e). (Γ, ) t, v : afe(e) with a ingle application of E. Then we can employ Lemma 7.1 to Lemma 7.5, to get the derivation needed for the application of G I, i.e., (Γ, ) t, v : G afe(e). Oberve that all application condition of G I are atified, ince each world t i, v i only occur in the derivation of t i, v i : afe(e) and d (the car referred to in the dynamic formula) doe not occur free in any element of Γ. A tated before, ince e doe not occur free in any element of Γ, we can ue I to derive (Γ, ) t, v : e G afe(e). 7.3 Refining the Specification Now that we defined which rule a afe controller mut adhere to, we give everal example for a more refined controller pecification. However, the formula LC and DC will till be at the heart of each of thee pecification. Our modelling language i the combination of traffic diagram and EMLSL a preented in Chap. 6. Still, we will allow for many non-determinitic choice of an actual controller implementation. In the following, we aume that the controller pecification i a conjunction of both LC and DC a well a the diagram preented below. Firt, we define everal poible poitive condition for the creation of reervation. Note that the controller pecification of Sect. 7.1 only retrict uch tranition, but by no mean enure that any reervation will ever be created. 133

148 7 Cae tudy c ego [5, ) c r(ego) c ego c r(ego) (a) Reerving with Car Ahead (b) Reerving without Car Ahead Figure 7.1: Poitive Condition for the Creation of Reervation The diagram in Fig. 7.1a decribe that the car ego may create a reervation, whenever the next car i at leat 5 meter ahead. However, thi condition will not enure the creation of any reervation, when no car c i preent. Hence we alo introduce the diagram in Fig. 7.1b, which explicitly tate the abence of a car ahead of ego a a precondition. For reading thee diagram, recall that a diagram of the form A B i baically the implication A B. Furthermore, by definition we know that F φ G φ, i.e., F φ G φ. So, uing thi equivalence and thinking of the faint temporal arrow a an invariance rather than an exitence tatement, the ubdiagram after the arrow can be thought of a an implication, where the left diagram implie the right one. Oberve that we do not need to tate that there exit no potential colliion for ego. For if a potential colliion exited a well a a ituation atifying e.g. Fig. 7.1a, the formula LC implie that the creation of a reervation reult in a contradiction, i.e., the tranition would till not be allowed. Figure 7.2 define a livene property for the withdrawal of reervation. The overall tructure i imilar to the previou figure. However, the concluion tate only that there will finally be a tranition withdrawing one of the reervation. It doe not enure that a actual lane change happened and it doe not require the withdrawal to happen within a pecified time frame. For an upper bound for the withdrawal of a reervation, we would need a metric extenion of the invariance modality. That i, the modality F [a,b] ϕ would enure that there i an abtract tranition, in which time between a and b pae and the reulting naphot atifie ϕ. With the exiting temporal modality i or the precie temporal arrow, we require that no dicrete tranition apart from change of acceleration occur. Hence we would needlely (and unjutifiably) retrict the behaviour of all car on the freeway. 134

149 7.3 Refining the Specification ego ego wd r(ego) Figure 7.2: Withdrawal of Reervation To pecify that an actual lane change occurred, we would have to refer to the original lane of the car. In Fig. 7.2 however, we cannot ditinguih anymore between the lane the car tarted the lane change on and the target lane. We could try to overcome thi problem by adding a layer denoting, e.g., that the upper lane contained the claim of ego in between the unpecified pace at the beginning of the equence and the implication. However, the faint temporal arrow are not expreive enough to tate that the decribed withdrawal i the firt withdrawal of ego after the lane change. Still, the diagram decribe a minimal livene property every controller hould atify. We can alo refine the behaviour of the ditance controller for pecific ituation. The traffic diagram in Fig. 7.3a and 7.3b decribe behaviour of a ditance controller which add more retriction on DC. In particular, the diagram enure that whenever there i free pace in front of the car ego, thi free pace i preerved during time tranition. That i, imilar to DC, the pecification of Fig. 7.3 do not retrict ituation where overlap occur due to the creation of claim or reervation. The pecification ha to be plit into two diagram concerning ituation outide and during a lane change manoeuvre, ince we cannot ditinguih the lane during uch a manoeuvre. If we jut ued Fig. 7.3a and dropped the condition that the car i not uing two lane at once, the pecification would till be atified if the free pace on one lane wa conumed, a long a the free pace on the other lane i preerved. Uing both diagram enure the preervation of pace in both cae. Even though the diagram eem to define a tronger controller at firt ight, the property they enure i weaker than DC. For example, if the reervation of a car c i directly adjacent to the reervation of ego, the diagram do not guarantee anything, while DC till implie that the reervation will not overlap after an arbitrary time. The diagram given above only concretie the controller implemented in the car ego. For more concrete controller implementation for the ret of car, we would have to repeat all thee diagram, replacing all occurrence of ego with a new variable d and 135

150 7 Cae tudy ego ego ego ego ego ego ego ego (a) Free Space Outide of a Lane Change (b) Free Space During a Lane Change Figure 7.3: Ditance Controller Preerving Free Space in Front of Car quantifying d exitentially for the equence under the outermot negation. To avoid thi duplication, we could change the emantic of the quantifier and remove the need for the car to be different from ego. Such a change would decreae the expreive power of pure traffic diagram, ince ego could not be ditinguihed from other car any more. However, in the combination with EMLSL, we could imply adjoin the inequality c ego for each quantification of a variable c. 136

151 8 Concluion Content 8.1 Summary Future Work In thi final chapter, we firt ummarie the content of the thei in Sect Afterward, in Sect. 8.2, we give everal poibilitie how the reult of thi work may be extended. 8.1 Summary We preented an abtract model of freeway traffic, where pace and it occupancy i the main focu. The dynamic of car are motly hidden within the model, and emphai lie on the dicrete change car may perform, in particular etting their turn ignal and changing lane. Furthermore, we defined how the model are reduced to a finite part of the freeway, to give a notion of locality a baic part the model. Intance of thee model erve a the emantic tructure for the extended multi-lane patial logic EMLSL. Thi logic take method from interval logic and typical modal logic, to form a many-dimenional multi-modal logic, which may be ued to reaon about freeway traffic. Satifiability of EMLSL formula wa hown to be undecidable, but neverthele, we defined a proof ytem in the tyle of Natural Deduction, which wa proven to be ound. Several derived rule enhance the uability of the proof ytem. To make the approach of thi thei more feaible to end-uer, we preented the viual language of Traffic Diagram. To give an idea what type of propertie are expreible with Traffic Diagram, we gave exemplary diagram which capture prominent feature of the intended emantic model. The underlying tructure of the depiction of Traffic Diagram wa formalied in term of hypergraph, which reflect both the diagrammatic element, a well a important relation between thee element. We proved that each 137

152 8 Concluion diagram poee a unique hypergraph a it type. Uing thee hypergraph, we defined a emantic baed on the ame model a EMLSL. We ketched a poibility to decide atifiability of a ubcla of Traffic Diagram. Since both EMLSL and Traffic Diagram hare the ame emantic model, they may be ued in combination to exploit the advantage of each language. We formalied uch a combination by incorporating the formula into the hypergraph repreenting the yntax of the diagram. By howing the limit of Traffic Diagram and defining a tranlation into EMLSL, the diagram were hown to be le expreive than the formula. Finally, we ued EMLSL to preent minimal pecification for two controller. The firt one avoid colliion while time pae, while the econd one enure a afe lane-change. Thi pecification wa proven to enure afety for all poible tranition equence uing the proof ytem for EMLSL. We then ue different Traffic Diagram to refine thi pecification, e.g., to guarantee a limited form of livene. 8.2 Future Work In thi ection, we decribe poibilitie to extend the work preented in the thei. Even though mot of thee extenion affect the model itelf, e.g., to incorporate notion of robutne or different topologie, other extenion concern tool upport and the identification of new decidable ubet of the formalim. Different Model of Senor A tated in Chap. 3, we only conidered etting where every car know both the poition and afety envelope of all other car within it view. Obviouly, uch a requirement need perfect enor intalled in the car. If we permit more realitic implementation of enor, i.e., a ituation where each car know it own ditance needed for an emergency braking and only the phyical ize of the other car, our approach doe not enure afety of traffic anymore. Within uch a etting explicit communication i needed for a afe lane-change protocol, a hown in previou work [Hil+11]. Hence to reaon about afety in uch a etting, we need to incorporate mean of decribing communication between everal agent within our logic. Furthermore, we probably need method to relate view of different owner to each other. That i, the current emphai on a ingle, ditinguihed car ha to be more explicit within the logic itelf, with additional yntactic element to witch view within a ingle formula. Robutne Another poibility to increae the realim of our model i to allow for incorrect enor value, within certain bound. That i, intead of the exact atifaction relation defined in Chap. 4, a more robut notion allowing for mall deviance i needed. Thi alo lead to the quetion, into which part of the model uch diturbance hould be introduced. It eem reaonable to at leat allow for error in ditance meaurement, ince thee are dependent on enor reading. Similarly, no car can poibly enure to change it tate at a ingle point in time, which implie that robutne within tranition may alo be conidered. In particular, that the dicrete tranition of Chap. 3 do not take any time ha to be quetioned. 138

153 8.2 Future Work Synchronou Parallelim Even though traffic on freeway can be thought of a an inherently parallel ytem of multiple agent, our model i defined uing an interleaving emantic. That i, no two tranition occur exactly imultaneouly. In particular, in every trace, the order of conecutive dicrete tranition i fixed, while the tranition may tem from different car. However, in a ytem of multiple, autonomou agent, a model of true concurrency i more realitic. Hence the labelled tranition ytem implied by our model could be replaced by either an event tructure or a ditributed tranition ytem [Lod+92], which both allow for the imultaneou occurrence of tranition. Connecting the Abtract Model with Dynamic We preented only a imple definition of the dynamic in Chap. 3. For concrete implementation, our approach ha to be connected with more concrete pecification, e.g., in term of hybrid automata or imply differential equation. A concrete model of the dynamical behaviour of car ha to fulfil everal contraint. It ha to able to return the length needed for a afe emergency braking to the upper level (i.e., it ha to compute the value of the enor function at leat for the current, ditinguihed car), and it ha to enure that each car only drive on the lane it reerved. Furthermore, the dynamical model ha to enure, that the car a well a the value of the enor function only evolve continuouly. Increaing the Domain of Application To analye different cenario, the abtract model ha to be changed everely. Even though, oncoming traffic may be incorporated rather eaily [HLO13], modelling urban traffic cenario, i.e., croing, i more of a challenge. The topology of the model ha to be changed dratically to allow for different treet to cro. However, vatly different topologie may alo be of interet to decribe other traffic cenario, for example airborne traffic, where air plane reerve corridor in three-dimenional pace. Furthermore, lane which follow certain trajectorie may be ueful to reaon about hipping traffic. Decidability A hown in Chap. 4, our main tool of reaoning, the logic EMLSL, i undecidable in general. It i not directly obviou, what retriction on the model or the yntax yield decidable ubet. A promiing approach i to retrict the number of car to be finite, to get a tranlation into a decidable ubet of Schäfer Shape Calculu [Sch07]. Retricting the number and neting of chop i alo enible to ue the dove-tailing approach of Gabbay [Gab98; Gab+03]. The atifiability problem of atomic patial diagram probably i decidable, a ketched in Chap. 5. However, the procedure till ha to be formally proven correct, and enhanced to cope with a larger ubet of Traffic Diagram. Tool Support Several part of the work in thi thei ugget the implementation of a tool, or rather a framework incorporating different tool. The proof ytem preented in Chap. 4 could be implemented within a general theorem prover. Iabelle [Pau94] eem like a uitable election, ince it i baed on natural deduction, and ince everal labelled deductive ytem for modal- and interval logic have already been implemented within 139

154 8 Concluion Iabelle [BMV98; Ra02; Vig00]. For the diagrammatic ytem of Chap. 5, a graphical editor i of inherent importance, to eae the ue and creation of diagram. With uch an editor, an implementation of the tranlation given in Chap. 6 i enible to gain a direct connection between the implementation of both. Then, technique for heterogeneou reaoning a implemented in, e.g., the Diabelli ytem [UJ12] can probably be adapted to our etting. 140

155 Bibliography [AB96] [Abr10] [AER98] [All83] [APB07] [Bar+08] [BB13] [BB14] [BE90] [BE92] G. Allwein and J. Barwie, ed. Logical Reaoning with Diagram. Oxford Univerity Pre, J.-R. Abrial. Modeling in Event-B: Sytem and Software Engineering. Cambridge Univerity Pre, M. Andrie, G. Engel, and J. Reker. How to Repreent a Viual Specification. In: Viual Language Theory. Ed. by K. Marriott and B. Meyer. Springer, J. F. Allen. Maintaining knowledge about temporal interval. In: Communication of the ACM (1983), pp M. Aiello, I. Pratt-Hartmann, and J. van Benthem, ed. Handbook of Spatial Logic. Springer, D. Barker-Plummer, J. Etchemendy, A. Liu, M. Murray, and N. Swoboda. Openproof-a flexible framework for heterogeneou reaoning. In: Diagrammatic Repreentation and Inference International Conference on the Theory and Application of Diagram DIAGRAMS Ed. by G. Stapleton, J. Howe, and J. Lee. Vol LNAI. Springer, 2008, pp R. Banach and M. Butler. Cruie Control in Hybrid Event-B. In: International Colloquium on Theoretical Apect of Computing ICTAC Ed. by Z. Liu, J. Woodcock, and Huibiao Z. Vol LNCS. Springer, 2013, pp R. Banach and M. Butler. A Hybrid Event-B Study of Lane Centering. In: International Conference on Complex Sytem Deign & Management CSD&M Ed. by M. Aiguier, F. Boulanger, D. Krob, and C. Marchal. Springer, 2014, pp J. Barwie and J. Etchemendy. Information, Infon, and Inference. In: Situation Theory and it application. Ed. by R. Cooper, K. Mukai, and J. Perry. Vol. 1. CSLI Lecture Note Number 22. CSLI: Center for the Study of Language and Information, 1990, pp J. Barwie and J. Etchemendy. Hyperproof: Logical reaoning with diagram. In: Working Note of the AAAI Spring Sympoium on Reaoning with Diagrammatic Repreentation

156 Bibliography [BE96] [Bea06] [Ben86] [BKK03] [BMV98] [BRZ99] [Bya+09] [CC01] [CC04] [CG98] [Coo72] [CSS05] [CSS11] [Dau04a] J. Barwie and J. Etchemendy. Heterogeneou Logic. In: Logical Reaoning with Diagram. Ed. by G. Allwein and J. Barwie. Oxford Univerity Pre, 1996, pp J. M. L. Bean. Ribbon Proof: A Proof Sytem for the Logic of Bunched Implication. PhD thei E. Bencivenga. Free Logic. In: Handbook of Philoophical Logic. Ed. by D. M. Gabbay and F. Guenthner. Vol Springer, 1986, pp P. Baldan, B. König, and B. König. A Logic for Analyzing Abtraction of Graph Tranformation Sytem. In: International Sympoium on Static Analyi SAS Ed. by R. Couot. Vol LNCS. Springer, 2003, pp D. Bain, S. Matthew, and L. Viganò. Natural Deduction for Non-Claical Logic. In: Studia Logica 60 (1 1998), pp R. Barua, S. Roy, and Zhou C. Completene of Neighbourhood Logic. In: Sympoium on Theoretical Apect of Computer Science STACS 99. Ed. by C. Meinel and S. Tion. Vol LNCS. Springer, 1999, pp A. B. Byachkov, C. Cattani, E. M. Noova, and M. P. Yuhkov. The Simplet Model of the Turning Movement of a Car with it Poible Sidelip. In: TECHNISCHE MECHANIK 29.1 (2009), pp L. Caire and L. Cardelli. A patial logic for concurrency (Part I). In: International Sympoium on Theoretical Apect of Computer Software TACS Ed. by N. Kobayahi and B. C. Pierce. Vol LNCS. Springer. 2001, pp L. Caire and L. Cardelli. A patial logic for concurrency (Part II). In: Theoretical Computer Science (2004), pp L. Cardelli and A. D Gordon. Mobile ambient. In: International Conference on Foundation of Software Science and Computation Structure FoSSaCS Ed. by M. Nivat. Vol LNCS. Springer. 1998, pp D. C. Cooper. Theorem proving in arithmetic without multiplication. In: Machine Intelligence (1972), p C. Caleiro, A. Sernada, and C. Sernada. Fibring Logic: Pat, Preent and Future. In: We Will Show Them! Eay in Honour of Dov Gabbay, Volume 1. Ed. by S. Artemov, H. Barringer, A. d Avila Garcez, L. C. Lamb, and J. Wood. Colledge Publication, 2005, pp M. E. Coniglio, A. Sernada, and C. Sernada. Preervation by fibring of the finite model property. In: Journal of Logic and Computation 21.2 (2011), pp F. Dau. The Logic Sytem of Concept Graph with Negation. Vol LNAI. Springer,

157 Bibliography [Dau04b] [Dau09] [DH01] [DHO06] [DMR14] [Dut95] [EC82] [ES99] [Fab+11] [FG92] F. Dau. Type and Token for Logic with Diagram. In: International Conference on Computational Science ICCS Ed. by M. Bubak, G. D. van Albada, P. M. A. Sloot, and J. Dongarra. Vol LNCS. Springer, 2004, pp F. Dau. The Advent of Formal Diagrammatic Reaoning Sytem. In: International Conference on Formal Concept Analyi ICFCA Ed. by S. Ferré and S. Rudolph. Vol LNCS. Springer, 2009, pp W. Damm and D. Harel. LSC: Breathing Life into Meage Sequence Chart. In: Formal Method in Sytem Deign 19 (Jan. 2001), pp W. Damm, H. Hungar, and E.-R. Olderog. Verification of Cooperating Traffic Agent. In: International Journal of Control 79.5 (2006), pp W. Damm, E. Möhlmann, and A. Rakow. Component Baed Deign of Hybrid Sytem: A Cae Study on Concurrency and Coupling. In: International Conference on Hybrid Sytem: Computation and Control HSCC Ed. by M. Fränzle and J. Lygero. ACM, 2014, pp B. Dutertre. Complete Proof Sytem for Firt Order Interval Temporal Logic. In: IEEE Sympoium on Logic in Computer Science LICS Ed. by D. C. Kozen. IEEE Computer Society, 1995, pp E. A. Emeron and E. M. Clarke. Uing branching time temporal logic to yntheize ynchronization keleton. In: Science of Computer Programming 2.3 (1982), pp M. Erwig and M. Schneider. Viual Specification of Spatio-Temporal Development. In: IEEE International Sympoium on Viual Language VL IEEE Computer Society, 1999, pp J. Faber, S. Linker, E.-R. Olderog, and J.-D. Queel. Sypect - Modelling, Specifying, and Verifying Real-Time Sytem with Rich Data. In: International Journal of Software and Informatic (2011), pp M. Finger and D. M Gabbay. Adding a temporal dimenion to a logic ytem. In: Journal of Logic, Language and Information 1.3 (1992), pp [FM98] M. Fitting and R. L. Mendelohn. Firt-Order Modal Logic. Springer, [FR75] [Gab+03] [Gab96] J. Ferrante and C. Rackoff. A deciion procedure for the firt order theory of real addition with order. In: SIAM Journal on Computing 4.1 (1975), pp D. M. Gabbay, A. Kurucz, F. Wolter, and M. Zakharyachev. Manydimenional modal logic: Theory and application. Vol Studie in logic and the foundation of mathematic. Elevier, D. M. Gabbay. Labelled deductive ytem. Vol. 1. Oxford Logic Guide. Oxford Univerity Pre,

158 Bibliography [Gab98] [Gen35] [Haa98] [Ham96] D. M. Gabbay. Fibring logic. Oxford Logic Guide. Oxford Univerity Pre, G. Gentzen. Unteruchungen über da logiche Schließen. I. In: Mathematiche Zeitchrift 39 (1 1935), pp V. Haarlev. A Fully Formalized Theory for Decribing Viual Notation. In: Viual Language Theory. Ed. by K. Marriott and B. Meyer. Springer, E. Hammer. Peircean Graph for Propoitional Logic. In: Logical Reaoning with Diagram. Ed. by G. Allwein and J. Barwie. Oxford Univerity Pre, 1996, pp [Har88] D. Harel. On Viual Formalim. In: Communication of the ACM 31.5 (1988). [Hil+11] M. Hilcher, S. Linker, E.-R. Olderog, and A. P. Ravn. An Abtract Model for Proving Safety of Multi-lane Traffic Manoeuvre. In: Formal Method and Software Engineering International Conference on Formal Engineering Method ICFEM Ed. by Z. Qiu S. Qin. LNCS. Springer, 2011, pp [Hil14] M. Hilcher. Private communication [HLO13] [Hoa69] [Hoe06] [How+02] [HP08] [HP09] [HR10] M. Hilcher, S. Linker, and E.-R. Olderog. Proving Safety of Traffic Manoeuvre on Country Road. In: Theorie of Programming and Formal Method Eay Dedicated to Jifeng He on the Occaion of Hi 70th Birthday. Ed. by Z. Liu, J. Woodcock, and Huibiao Z. Vol LNCS. Springer, 2013, pp C. A. R. Hoare. An Axiomatic Bai for Computer Programming. In: Communication of the ACM (1969), pp J. Hoenicke. Combination of Procee, Data, and Time. PhD thei. Carl von Oietzky Univerität Oldenburg, J. Howe, F. Molina, S.-J. Shin, and J. Taylor. On Diagram Token and Type. In: Diagrammatic Repreentation and Inference International Conference on the Theory and Application of Diagram DIAGRAMS Ed. by M. Hegarty, B. Meyer, and N. H. Narayanan. Vol LNAI. Springer, 2002, pp I. A. Hanen and J. Pachl, ed. Railway Timetable & Traffic Analyi, Modelling, Simulation. Eurailpre, A. Habel and K.-H. Pennemann. Correctne of high-level tranformation ytem relative to neted condition. In: Mathematical Structure in Computer Science 19 (02 Apr. 2009), pp A. Habel and H. Radke. Expreivene of graph condition with variable. In: Electronic Communication of the EASST 30 (2010). 144

159 Bibliography [HS91] [Hu+94] [ITU96] [JKI99] [KE14] [Ken97] [Kle00] [Koo+08] [LGS98] [LH13] [Lin07] [Lin10] J. Y. Halpern and Y. Shoham. A Propoitional Modal Logic of Time Interval. In: Journal of the ACM 38.4 (Oct. 1991), pp A. Hu, F. Ekafi, S. Sach, and P. Varaija. Protocol deign for an automated highway ytem. In: Dicrete Event Dynamic Sytem 2.1 (1994), pp International Telecommunication Union (ITU). Z.120. ITU-TS recommendation Z.120: Meage Sequence Chart (MSC) H. Jula, E. B. Komatopoulo, and P. A. Ioannou. Colliion Avoidance Analyi for Lane Changing and Merging. Tech. rep. UCB-ITS-PRR California Partner for Advanced Tranit and Highway (PATH), Univerity of California at Berkeley, S. Kemper and C. Etzien. A Viual Logic for the Decription of Highway Traffic Scenario. In: International Conference on Complex Sytem Deign & Management CSD&M Ed. by M. Aiguier, F. Boulanger, D. Krob, and C. Marchal. Springer, 2014, pp S. Kent. Contraint diagram: viualizing invariant in object-oriented model. In: ACM SIGPLAN Conference on Object-Oriented Programming, Sytem, Language & Application OOPSLA Ed. by M. E. S. Loomi, T. Bloom, and A. M. Berman. ACM, 1997, pp C. Kleuker. Contraint Diagram. PhD thei. Carl von Oietzky Univerität Oldenburg, P. Koonce, L. Rodegerdt, K. Lee, S. Quayle, S. Beaird, C. Braud, J. Bonneon, P. Tarnoff, and T. Urbanik. Traffic Signal Timing Manual. Tech. rep. U.S. Department of Tranportation, Federal Highway Adminitration, J. Lygero, D. N. Godbole, and S. Satry. Verified hybrid controller for automated vehicle. In: IEEE Tranaction on Automatic Control 43.4 (1998), pp S. Linker and M. Hilcher. Proof theory of a multi-lane patial logic. In: International Colloquium on Theoretical Apect of Computing ICTAC Ed. by Z. Liu, J. Woodcock, and Huibiao Z. Vol LNCS. Springer, 2013, pp S. Linker. Natürliche Schließen für den Shape Calculu. fileadmin/uer_upload/f2inform- cd/linker07.pdf. Minor thei. Carl von Oietzky Univerität Oldenburg, S. Linker. Diagrammatic Specification of Mobile Real-Time Sytem. In: Diagrammatic Repreentation and Inference International Conference on the Theory and Application of Diagram DIAGRAMS Ed. by A. K. Goel, M. Jamnik, and N. H. Narayanan. Vol LNAI. Springer, 2010, pp

160 Bibliography [Lod+92] [LPN11] [MA08] [McD05] [Min00] K. Lodaya, M. Mukund, R. Ramanujam, and P.S. Thiagarajan. Model and logic for true concurrency. In: Sadhana (Academy Proceeding in Engineering Science). Vol Indian Academy of Science. 1992, pp S. M. Loo, A. Platzer, and L. Nitor. Adaptive Cruie Control: Hybrid, Ditributed, and Now Formally Verified. In: International Sympoium on Formal Method FM Ed. by M. Butler and W. Schulte. Vol LNCS. Springer, 2011, pp J. McDermott and G. Allwein. A Formalim for Viual Security Protocol Modeling. In: Journal of Viual Language & Computing 19.2 (2008), pp J. P. McDermott. A Formal Syntax and Semantic for the GSPML Language. Tech. rep. Naval Reearch Laboratory, Information Technology Diviion, M. Mina. Hypergraph a a Uniform Diagram Repreentation Model. In: Selected Paper of the International Workhop on Theory and Application of Graph Tranformation TAGT Ed. by H. Ehrig, G. Engel, H.-J. Kreowki, and G. Rozenberg. Vol LNCS. Springer, 2000, pp [Min67] M. L. Minky. Computation: finite and infinite machine. Prentice-Hall, [Mo85] [MOT10] [MP95] [MPW92] [MV95] B. C. Mozkowki. A Temporal Logic for Multilevel Reaoning about Hardware. In: Computer 18.2 (1985), pp K. Minehima, M. Okada, and R. Takemura. Two Type of Diagrammatic Inference Sytem: Natural Deduction Style and Reolution Style. In: Diagrammatic Repreentation and Inference International Conference on the Theory and Application of Diagram DIAGRAMS Ed. by A.. Goel, M. Jamnik, and N. H. Narayanan. Vol LNCS. Springer, 2010, pp Z. Manna and A. Pnueli. Temporal Verification of Reactive Sytem: Safety. Springer, R. Milner, J. Parrow, and D. Walker. A Calculu of Mobile Procee, I. In: Information and Computation (Sept. 1992), pp M. Mina and G. Viehtaedt. DiaGen: a generator for diagram editor providing direct manipulation and execution of diagram. In: IEEE International Sympoium on Viual Language VL Ed. by V. Haarlev. IEEE Computer Society, 1995, pp [MV97] M. Marx and Y. Venema. Multi-dimenional modal logic. Springer, [Pau94] L. Paulon. Iabelle: A Generic Theorem Prover. Springer, [Pla10a] A. Platzer. Logical Analyi of Hybrid Sytem: Proving Theorem for Complex Dynamic. Springer,

161 Bibliography [Pla10b] [Pnu77] [PQ09] A. Platzer. Quantified Differential Dynamic Logic for Ditributed Hybrid Sytem. In: EACSL Conference on Computer Science Logic CSL Ed. by A. Dawar and H. Veith. Vol LNCS. Springer, 2010, pp A. Pnueli. The Temporal Logic of Program. In: IEEE Sympoium on Foundation of Computer Science SFCS IEEE Computer Society, 1977, pp A. Platzer and J.-D. Queel. European Train Control Sytem: A Cae Study in Formal Verification. In: Formal Method and Software Engineering International Conference on Formal Engineering Method ICFEM Ed. by A. Cavalcanti and K. Breitman. Vol LNCS. Springer, 2009, pp [Pra06] D. Prawitz. Natural Deduction: A Proof-theoretical Study. Dover, [Pri57] A. N. Prior. Time and Modality. Oxford Univerity Pre, [Rad13] [Ra+02] [Ra01] [Ra02] [RCC92] [Rey02] [RJB04] [Roz97] [RS95] [Sch01] H. Radke. HR* Graph Condition Between Counting Monadic Second-Order and Second-Order Graph Formula. In: Electronic Communication of the EASST 61 (2013). J. Raga, A. Sernada, C. Sernada, and L. Viganò. Fibring Labelled Deduction Sytem. In: Journal of Logic and Computation 12.3 (2002), pp T. M. Ramuen. Labelled Natural Deduction for Interval Logic. In: EACSL Conference on Computer Science Logic CSL Ed. by L. Fribourg. Vol LNCS. Springer, 2001, pp T. M. Ramuen. Interval logic. Proof theory and theorem proving. PhD thei. Technical Univerity of Denmark, D. A. Randell, Z. Cui, and A. G. Cohn. A Spatial Logic baed on Region and Connection. In: International Conference on Principle of Knowledge Repreentation and Reaoning KR Ed. by B. Nebel, C. Rich, and W. Swartout. Morgan Kaufmann, 1992, pp J. C. Reynold. Separation Logic: A Logic for Shared Mutable Data Structure. In: IEEE Sympoium on Logic in Computer Science LICS Ed. by G. D. Plotkin. IEEE Computer Society, 2002, pp J. Rumbaugh, I. Jacobon, and G. Booch. The Unified Modeling Language Reference Manual (2nd Edition). Pearon Higher Education, G. Rozenberg, ed. Handbook of graph grammar and computing by graph tranformation: volume I. foundation. World Scientific Publihing, J. Reker and A. Schürr. A graph grammar approach to graphical paring. In: IEEE International Sympoium on Viual Language VL Ed. by V. Haarlev. IEEE Computer Society, 1995, pp R. C. Schlör. Symbolic Timing Diagram: A Viual Formalim for Model Verification. PhD thei. Carl von Oietzky Univerität Oldenburg,

162 Bibliography [Sch05] [Sch07] [Sch14] [Sha+13] [Shi04] [Shi95] [Sim94] [SM07] A. Schäfer. A calculu for hape in time and pace. In: International Colloquium on Theoretical Apect of Computing ICTAC Ed. by Z. Liu and K. Araki. Vol LNCS. Springer, 2005, pp A. Schäfer. Axiomatiation and decidability of multi-dimenional Duration Calculu. In: Information and Computation (2007). Special Iue: TIME 2005, pp M. Schwammberger. Semantik von Controllern für icheren Fahrpurwechel. Mater Thei. Carl von Oietzky Univerität Oldenburg, Z. Shao, J. Liu, Z. Ding, M. Chen, and N. Jiang. Spatio-Temporal Propertie Analyi for Cyber-Phyical Sytem. In: Engineering of Complex Computer Sytem ICECCS IEEE. 2013, pp S.-J. Shin. Heterogeneou Reaoning and it Logic. In: Bulletin of Symbolic Logic 10.1 (2004), pp S.-J. Shin. The logical tatu of diagram. Cambridge: Cambridge Univerity Pre, A. K. Simpon. The Proof Theory and Semantic of Intuitionitic Modal Logic. PhD thei. Univerity of Edinburgh, G. Stapleton and J. Mathoff. Incorporating Negation into Viual Logic: A Cae Study Uing Euler Diagram. In: Viual Language and Computing (2007), pp [Smi00] G. Smith. The Object-Z Specification Language. Springer, [Sta+05] [Tob08] [UJ12] [UJ14] [UML12] G. Stapleton, S. Thompon, A. Fih, J. Howe, and J. Taylor. A New Language for the Viualization of Logic and reaoning. In: International Conference on Ditributed Multimedia Sytem DMS Ed. by P. Cox and T. Smedley. Knowledge Sytem Intitute, 2005, pp T. Toben. Counterexample Guided Spotlight Abtraction Refinement. In: International Conference on Formal Technique for Networked and Ditributed Sytem - FORTE Ed. by K. Suzuki, T. Higahino, K. Yaumoto, and K. El-Fakih. Vol LNCS. Springer, 2008, pp M. Urba and M. Jamnik. Diabelli: A heterogeneou proof ytem. In: International Joint Conference on Automated Reaoning IJCAR Ed. by B. Gramlich, D. Miller, and U. Sattler. Vol LNAI. Springer, 2012, pp M. Urba and M. Jamnik. A Framework for Heterogeneou Reaoning in Formal and Informal Domain. In: Diagrammatic Repreentation and Inference International Conference on the Theory and Application of Diagram DIAGRAMS Ed. by T. Dwyer, H. Purchae, and A. Delaney. Vol LNAI. Springer, 2014, pp Unified Modeling Language (UML): Supertructure verion formal/ url: 148

163 Bibliography [Urb+12] M. Urba, M. Jamnik, G. Stapleton, and J. Flower. Speedith: a diagrammatic reaoner for pider diagram. In: Diagrammatic Repreentation and Inference International Conference on the Theory and Application of Diagram DIAGRAMS Ed. by P. T. Cox, B. Plimmer, and P. Rodger. Vol LNAI. Springer, 2012, pp [Vig00] L. Viganò. Labelled Non-Claical Logic. Kluwer Academic Publiher, [WDP13] [WW07] [ZHR91] [ZHS93] J. Wickeron, M. Dodd, and M. Parkinon. Ribbon proof for eparation logic. In: Programming Language and Sytem European Sympoium on Programming ESOP Ed. by M. Felleien and P. Gardner. Vol LNCS. Springer, 2013, pp B. Wachter and B. Wetphal. The potlight principle. In: International Conference on Verification, Model Checking, and Abtract Interpretation VMCAI Ed. by B. Cook and A. Podelki. Vol LNCS. Springer. 2007, pp Zhou C., C. A. R. Hoare, and A. P. Ravn. A Calculu of Duration. In: Information Proceing Letter 40.5 (1991), pp Zhou C., M. R. Hanen, and P. Setoft. Decidability and undecidability reult for duration calculu. In: Sympoium on Theoretical Apect of Computer Science STACS Ed. by P. Enjalbert, A. Finkel, and K.W. Wagner. Vol LNCS. Springer, 1993, pp

164 Index Symbol Index ɵ, 27, 37, 27, 37 acc, 21, 32 l, 34 τ, 34 clm V, 28 CVar, 31, 7, 32 clm, 21 cl, 32 = M, 99 = (HR condition), 15 = (diagram), 98 = (formula), 33 = (labelled formula), 38 = (relational formula), 38 = S, 99 c C, 105 c i R, 105 c l, 105 c r, 105, 38 v i, 128 p, 12, 13 D, 75 l, 34 DC, 126 dri, 39 E, 11 ego, 32 [ ], 33 (P C, c), 14 (h, c), 14 E, 37 F X, 104 F L, 104 F, 34 Φ, 32 t, v : φ, 37 w : ϕ, 9 φ r, 35 Γ, 38 G, 32 G, 11 halt, 62 hcf, 39 hri, 39 I, 20 init, 60 I, 6 I, 6 I Var, 6 len V, 28 L, 20 L, 25 l, 11 LC, 127 LVar, 32 l, 32 λ, 38 marker, 60 M, 113 mv, 26 mutex, 60 N, 5, 6 O, 11, 101 Per, 60 Π,j i,

165 SYMBOL INDEX P, 5 pc, 126 periodic, 61 po, 21, 39 Q, 114 R +, 6 re V, 28 R, 6 R, 6 re, 21 ρ, 37 re, 32 RVar, 32, 71 ri, 39 [ ], 9 afe, 126 (equence), 6 σ, 38 (modality), 33 pd, 21 t, 23 acc(c,a), 23 t, 23 c(c,n), 22 r(c), 22 wd c(c), 22 wd r(c,n), 23 T S, 21 TS, 21 T, 20 =, 24, 37 Θ, 32 t, 37 TS, 37 τ, 11 θ, 32, 37 T, 115 c(c), 37 r(c), 37 wd c(c), 37 wd r(c), 37 t, 37 θ, 11 T, 11 T T, 81 T NT, 81 V, 25 V L, 25 V X, 25 v, 37 v, 105 v, 105 ν, 32 ν I, 97 ν V, 32 Var, 32, 70 vcf, 39 V, 11 V, 37 vri, 39 v l, 105 v r, 105 ω, 32 X, 25 χ, 98 { }, 6 Ω E,

166 Index Subject Index advanced driver aitance ytem, 108 application (graph rewriting), 12 arithmetic Preburger, 106 real, 106 aumption elimination, 8 atom equality, 32 free, 35 patial, 32 attachment function, 11 axiom (graph rewriting), 13 car action, 71 braking ditance, 19 phyical ize, 19 afety envelope, 19, 27 chop-free, 11 claim, 21, 72 creation, 23 withdrawal, 23 compoition, 6 derivation, 8, 39 derivation (graph rewriting), 13 diagram patial, 74 Traffic Diagram, 75 ditance arrow, 73 ditance controller, 126 domain, 6 edge, 11 EMLSL, 31 expreivity, 111 flexible, 8, 35 formula, 32 dynamic, 37 labelled, 9, 37 locality, 37 relational, 9, 37 timing, 37 function, 6 modification, 6 global contradiction, 9 graph homomorphim, 11 graph rewriting, 13 Traffic Diagram, 83 graph rewriting rule, 12 graph ubtitution, 14 HR condition, 13 heterogeneou reaoning, 121 horizon, 25 hyperedge replacement, 13 hypergraph, 11 image, 6 implicit length, 98 interlingua, 123 interval, 6, 71 chop, 27 variable, 6, 71 labelled natural deduction, 9 EMLSL, 36 labelling algebra, 36 lane change controller, 127 lane eparation, 73 lane equence, 73 layer, 74 full, 74 partial, 74 left-hand ide, 12 logic computational tree logic (CTL), 7 interval temporal logic (ITL), 7 linear temporal logic (LTL), 7 igned interval logic (SIL), 10 temporal, 7 match,

167 SUBJECT INDEX meaure, 26 modality chop, 7, 32 everywhere, 33 invariance, 32 omewhere, 33 modification, 32 natural deduction, 8 neted condition, 13 potential colliion check, 126 precedence, 101 preimage, 6 production, ee graph rewriting rule proof, 8 proof rule, ee rule range, 6 relation, 6 repreentation, 84 reervation, 20, 72 creation, 23 lemma, 55 withdrawal, 23 right-hand ide, 12 rigid, 8, 36 dynamically, 36 horizontally, 36 vertically, 36 rule, 8 activity, 46 backward activity, 47 backward tability, 47 elimination, 9 introduction, 9 invariance/induction, 52 tability, 46 run, 59 afety predicate, 126 ane, ee anity condition anity condition, 21 formaliation, 77 atifaction HR condition, 15 EMLSL, 33 labelled formula, 38 relational formula, 38 Traffic Diagram, 98 emantic HR condition, 15 EMLSL, 33 metric, 99 patial, 99 Traffic Diagram, 98 enor function, 27 equence, 6 ingle decompoition, 11 oundne, 53 pace free, 72 unpecified, 72 ubview, ee view yntax abtract (diagram), 70 concrete (diagram), 70 EMLSL, 32 ubtitution, 9 temporal arrow dicrete, 75 duration, 75 faint, 75 precie, 74 temporal equence, 75 tentacle, 11 term, 32 timing, 37 topological equence, 72 topological ituation, 72 Traffic Diagram, 69 traffic naphot, 21 tranformation, 115 metric, 113 qualitative, 114 tranition, 22 abtract, 24 dynamic,

168 Index evolution, 23 global, 22 local, 22 modality, 32 patial, 22 two-counter machine, 59 type non-terminal, 81 terminal, 81 type function, 11 typed hypergraph, ee hypergraph valuation, 32 interval, 97 locality, 38 naphot, 38 variable, 32, 70 car, 31, 70 implicit, 98 lane, 32 length, 32, 71 timing, 37 traffic naphot, 37 view, 37 vertex, 11 view, 25 extenion, 25 lane, 25 length, 32 moving, 26 owner, 25, 32 tandard, 25 ubview, 25 width, 32 viiting a vertex,

169 Curriculum Vitae Curriculum Vitae 20/02/2015 Defene of the diertation Reearch aitant in the group Correct Sytem Deign lead by Ernt-Rüdiger Olderog at the Carl von Oietzky Univerity Member of the Reearch Training Group TrutSoft at the Carl von Oietzky Univerity of Oldenburg Studie Diplom Informatik at the Carl von Oietzky Univerity of Oldenburg Alternative civilian ervice 2002 Abitur 03/03/1983 Born in Uelzen, Germany 155