Hybrid dynamic logic institutions for event/data-based systems

We propose $\varepsilon^\downarrow(\mathcal{\vec{D}})$-logic as a formal foundation for the specification and development of event-based systems with data states. The framework is presented as an institution in the sense of Goguen and Burstall and the logic itself is parametrised by an underlying institution $\mathcal{\vec{D}}$ whose structures are used to model data states. $\varepsilon^\downarrow(\mathcal{\vec{D}})$-logic is intended to cover a broad range of abstraction levels from abstract requirements specifications up to constructive specifications. It uses modal diamond and box operators over complex actions adopted from dynamic logic. Atomic actions are pairs where e is an event and $\psi$ a state transition predicate capturing the allowed reactions to the event. To write concrete specifications of recursive process structures we integrate (control) state variables and binders of hybrid logic. The semantic interpretation relies on event/data transition systems.
For the presentation of constructive specifications we propose operational event/data specifications allowing for familiar, diagrammatic representations by state transition graphs. We show that $\varepsilon^\downarrow(\mathcal{\vec{D}})$-logic is powerful enough to characterise the semantics of an operational specification by a single $\varepsilon^\downarrow(\mathcal{\vec{D}})$-sentence. Thus the whole (formal) development process for event/data-based systems relies on $\varepsilon^\downarrow(\mathcal{\vec{D}})$-logic and its semantics as a common basis. It is supported by a variety of implementation constructors which can express, among others, event refinement and parallel composition. Due to the genericity of the approach, it is also possible to change a data state institution during system development when needed. All steps of our formal treatment are illustrated by a running example.


Introduction
Event-based systems are an important kind of software systems that are open to the environment to react to certain events. A crucial characteristic of such systems is that their reaction to events will differ over time due to their internal state; in particular, not any event may be meaningful at any time. Hence the control flow of the system is significant and should be modelled by appropriate means. On the other hand components administer data which may change upon the occurrence of an event. Thus also the specification of admissible data changes caused by events plays a major role.
There is quite a lot of literature on modelling and specifying event-based systems. Several approaches, often underpinned by graphical notations, provide formalisms aiming at being constructive enough to suggest particular designs or implementations, like e.g., Event-B [Abr13,FMP17], symbolic transition systems [PR06], and UML behavioural and protocol state machines [OMG17, KMRG15]. On the other hand, there are logical formalisms to express desired properties of event-based systems. Among them are temporal logics integrating state and event-based styles [tBFGM08], and various kinds of modal logics involving data, like first-order dynamic logic [HKT00] or the modal μ-calculus with data and time [GM14]. The gap between logics and constructive specification is usually filled by checking whether the model of a constructive specification satisfies certain logical formulae.
In this paper we are interested in investigating a logic which is capable of expressing properties of event/data-based systems on various abstraction levels in a common formalism. For this purpose we follow ideas of [MBHM18], but there data states, effects of events on them and constructive operational specifications (see below) were not considered. The advantage of an expressive logic is that we can split the transition from system requirements to system implementation into a series of gradual refinement steps which are easier to understand, to verify, and to adjust when certain aspects of the system are to be changed or when a product line of similar products has to be developed.
To that end we propose E↓(D)-logic, a dynamic logic enriched with features of hybrid logic and parametrised by an underlying logic D for data states. The dynamic part uses diamond and box operators, ⟨λ⟩ and [λ] resp., over structured actions λ adopted from dynamic logic [HKT00]. Atomic actions are of the form e ψ with e an event and ψ a state transition predicate specifying the admissible effects of e on the data. Using sequential composition, union, and iteration we obtain complex actions that, in connection with the modal operators, can be used to specify required and forbidden behaviours. In particular, if E is a finite set of events, though data is infinite we are able to capture all states of the system, reachable from initial ones by events of E, and thus to express liveness and safety properties, the latter by sentences of the form [E E E * ] . But E↓(D)-logic is also powerful enough to specify concrete, recursive process structures by integrating state variables x, binders ↓x. and jumps (@F x) from hybrid logic [Bra10] with the subtle difference that our state variables are used to denote control states only and that we relativise jumps by a set F of events.
An axiomatic specification Sp ( , Ax) in E↓(D) is given by an event/data signature (E , δ) with a set E of events and a data signature δ to model data states, and a set of E↓(D)-sentences Ax, called axioms, describing desired system properties. For the semantic interpretation we use event/data transition systems (edts). Their states are reachable configurations (c, d) showing a control state c that records the current state of execution, and a data state d. Transitions between configurations are labelled by events. The semantics of a specification Sp is "loose" in the sense that it consists of all edts satisfying the axioms of the specification. Such structures are called models of Sp. Loose semantics allows us to define a simple refinement notion: Sp 1 refines to Sp 2 if the model class of Sp 2 is included in the model class of Sp 1. We may also say that Sp 2 is an implementation of Sp 1.
Our refinement process starts typically with axiomatic specifications whose axioms involve only the dynamic part of the logic. Hybrid features will successively be added in refinements when specifying more concrete behaviours by introducing variables for control states, variable binders and jumps. Aiming at a concrete design, the use of an axiomatic specification style may, however, become cumbersome since we have to state explicitly also all negative cases, i.e., what the system should not do. For a convenient presentation of constructive specifications we propose operational event/data specifications, which are a kind of symbolic transition systems equipped (again) with a model class semantics in terms of edts. We will show that E↓(D)-logic, by use of the hybrid features, is powerful enough to characterise the semantics of an operational specification. Therefore, we do not really move outside E↓(D)-logic when refining axiomatic by operational specifications. Moreover, since several constructive notations in the literature, including (essential parts of) Event-B, symbolic transition systems, and UML protocol state machines, can be expressed as operational specifications, E↓(D)-logic provides a logical umbrella under which event/data-based systems can be developed.
In order to consider more complex kinds of refinements we take up an idea of Sannella and Tarlecki [ST88,ST12] who have proposed the notion of constructor implementation. This is a generic notion applicable to specification formalisms based on signatures and their semantic structures. As both are available in the context of E↓(D)-logic, we complement our approach by introducing a couple of constructors, among them event refinement and parallel composition. For the latter we provide a powerful refinement criterion relying on a relationship between syntactic and semantic parallel composition. We show under which additional assumptions our criterion is even a necessary condition, which sharpens a corresponding result in [HMK19]. The logic and the use of the implementation constructors will be illustrated by a running example. We have also implemented a small, prototypical tool that allows checking E↓(D)-formulae on finite-state edts and the refinement of finite-state operational specifications using constructor implementations, such that the running example can be reproduced. This paper is a significant extension of the conference paper [HMK19]. We provide a formalisation of our specification theory for event/data-based systems as an "institution". The notion of an institution has been proposed by Goguen and Burstall in [GB92] as an abstract concept to capture the essential ingredients that a logical system should provide when being used in formal software development. Since then the ideas of an institution became quite popular and many different logical systems have been presented as institutions; see [ST12] for an overview. Formalising a logical system as an institution has several advantages: It provides a better insight into the used concepts with a clear structure concerning syntax (in terms of signatures and sentences), semantics (in terms of mathematical structures) and the relationship between the two in terms of a satisfaction relation. Having an institution supports
the process of software development by formalising system extensions, reducts and component-wise development by means of signature morphisms. It also allows reusing abstract results that are valid in arbitrary institutions concerning, e.g., structured specifications and refinement. All this does not come for free but with a proof obligation: The logical system at hand must guarantee the "satisfaction condition" which expresses that validity of logical sentences is invariant under change of context or notation. This is an important requirement for modular software design.
We present E↓(D)-logic as a generic institution which is parametrised by an underlying data state institution D. In particular, we show that for E↓(D) the satisfaction condition holds. The proof relies, besides on the satisfaction condition for D, (a) on the data state labelling for configurations of event/data transition systems and (b) on a generalisation of the jump operator (@x) of hybrid logic to a relativised jump operator (@F x) which moves the state of evaluation to all configurations whose control state is denoted by x and which are reachable by an explicitly stated set F of events. This way the scope of the events usable for "jumping" remains under control of the formula and thus is independent of the context in which the formula is used. Both (a) and (b) were not incorporated in [HMK19] and the logic there could not be reused as it is to get an institution.
Due to the genericity of E↓(D)-logic, any concrete data state institution satisfying a few assumptions, most importantly the amalgamation property, can be used to instantiate E↓(D). Of course, this improves significantly the applicability of E↓(D). An important consequence is also that during system development the data state institution can be changed if different, usually more expressive, constructs are needed when moving towards an implementation. As a tool for sound migration of data state institutions we use institution comorphisms. How this works is exemplified by our running example.
Being parametric in the underlying data state institution requires a proper institutional treatment of pairs of data states representing pre- and post-states of transitions. For this purpose, we introduce the novel concept of a 2-data state institution 2 D over D which, by itself, is a new research result that should be applicable to institutionalise other kinds of pre/post-condition style specification formats. The formalisation of 2 D uses pushouts and amalgamations. The latter allow combining two data states, a pre- and a post-state, over which state transition predicates can be interpreted. These predicates are formalised as sentences of the corresponding pushout signature. The base signature of such pushouts models "rigid" symbols, i.e., symbols whose interpretation remains unchanged when moving from one data state to another.
Related to the genericity of E↓(D)-logic are approaches which deal with "temporalisation" [FG92], "modalisation" [FF02,DS07] and "hybridisation" [MMDB11,DM16]. In these papers the idea is to extend an arbitrary base logic or institution with temporal, modal, or hybrid features and thus to be able to work out the characteristic features of the respective logical extensions and to study preservation of certain properties. The motivation of our work is not to find yet another hybridisation process but to provide support for system development. As a consequence, we consider (a) only models reachable from initial states, (b) operational specifications, and (c) implementation constructors useful in a refinement methodology. In this context, an important point for us is to be able to express safety and liveness properties by navigation through all reachable states and to be able to express concrete process structures as well by using operational specifications, which can be equivalently expressed in our logic by binders and (relativised) jumps. A relevant point is also that our 2-data state institutions allow relating logically pre- and post-states of transitions on the basis of pushout constructions and amalgamated unions. Therefore neither quantification of hybrid logical formulae is needed as in [MMDB11] nor a particular "rigidification" of symbols as in [DM16].
Outline. The remainder of this paper is structured as follows: In Sect. 2 we recall the notion of an institution and some related concepts. Then, in Sect. 3, we consider institutions for data states and their transitions. The constituents of the generic E↓(D)-logic institution are introduced in Sect. 4. A significant part of this section concerns the proof of the satisfaction condition. In Sect. 5 we consider axiomatic as well as operational specifications of event/data-based systems and demonstrate the expressiveness of E↓(D)-logic. Refinement of both types of specifications using several implementation constructors is considered in Sect. 6. Section 7 provides some concluding remarks.
Readers who are more interested in the stepwise (hierarchical) formalisation of institutions for data states (D), data state transitions (2 D), and the hybrid dynamic logic E↓(D) built on top of these can concentrate on Sections 2 to 4; readers who want to focus on the usage of E↓(D) as a methodology for the stepwise development of event/data-based systems can put their attention to Sections 4 to 6 with some occasional references to Sections 2 and 3.

Institutions
The concept of an institution has been introduced in [GB92]. It formalises some basic ingredients that a logical system should provide when it is used as a specification framework in program development. The notion relies on a clear separation between syntax (signatures, sentences) and semantics (models) such that models and sentences are related by a satisfaction relation. Differing from the original terminology, models will be called structures to avoid ambiguity when we talk about models of a specification later on. For the categorical terminology used in the sequel of this paper we refer the reader to the book by Mac Lane [Mac98] (where, however, functional order of morphism composition g • f is used instead of the diagrammatic order f ; g often employed here).
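As an added reminder of the definition this section builds on (the standard formulation of [GB92] and [ST12] written in the paper's own $\mathbf{S}$, $\mathrm{Str}$, $\mathrm{Sen}$ naming; it is not text recovered from the page): an institution $(\mathbf{S}, \mathrm{Str}, \mathrm{Sen}, \models)$ consists of a category $\mathbf{S}$ of signatures, a structures functor $\mathrm{Str} : \mathbf{S}^{op} \to \mathbf{CAT}$, a sentence functor $\mathrm{Sen} : \mathbf{S} \to \mathbf{Set}$, and for each signature $\Sigma$ a satisfaction relation $\models_\Sigma \subseteq |\mathrm{Str}(\Sigma)| \times \mathrm{Sen}(\Sigma)$, such that for every signature morphism $\sigma : \Sigma \to \Sigma'$, every $M' \in |\mathrm{Str}(\Sigma')|$ and every $\varphi \in \mathrm{Sen}(\Sigma)$ the satisfaction condition holds:

$$M' \models_{\Sigma'} \mathrm{Sen}(\sigma)(\varphi) \iff \mathrm{Str}(\sigma)(M') \models_{\Sigma} \varphi .$$

Here $\mathrm{Str}(\sigma)(M')$ is the reduct of $M'$ along $\sigma$, written $M'|_\sigma$ below. This equivalence is exactly the proof obligation mentioned in the introduction: translating a sentence into a larger context and then evaluating it must agree with evaluating the untranslated sentence on the reduced structure.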
The propositional sentences functor Sen Prop : S Prop → Set maps each signature P ∈ |S Prop | to the set Sen Prop (P ) defined by the grammar for p ∈ P ; and each morphism π : P → P to the sentence translation Sen Prop (σ ) : Sen Prop (P ) → Sen Prop (P ) replacing each propositional variable p by σ (p). Finally, for each signature P ∈ |S Prop |, each structure μ ∈ |Str Prop (P )|, and each sentence ρ ∈ Sen Prop (P ) the propositional satisfaction relation μ | Prop P ρ is defined inductively as usual: and similarly for the other connectives, such that the satisfaction condition is fulfilled.
A many-sorted signature (S , F ) consists of sets of sorts S and function symbols F ; the latter have argument sorts and a result sort, a function symbol without arguments is a constant. A many-sorted signature morphism σ (σ S , σ F ) : → maps the sorts and function symbols of to their counterparts in such that the sorting of function symbols is transferred. Many-sorted signatures and signature morphisms form the category of signatures S F O . A -algebra A for a many-sorted signature (S , F ) consists of non-empty carrier sets s A for each sort s and functions f A : s A 1 × . . .× s A n → s A for each f ∈ F with argument sorts s 1 , . . ., s n and result sort s; a -algebra homomorphism h : A 1 → A 2 is given by an S -indexed family of functions (h s : -algebras and -algebra homomorphisms form the category Str F O ( ). For a many-sorted signature morphism σ (σ S , σ to the category Str F O ( ) and σ : → to the functor −|σ . For constructing terms and formulae over a many-sorted signature (S , F ) an S -indexed family of variables X is assumed. The S ( )-indexed family of terms T ( , X ) is inductively given by x ∈ T ( , X ) s for x ∈ X s and f (t 1 , . . ., t n ) ∈ T ( , X ) s for f ∈ F with argument sorts s 1 , . . ., s n and result sort s and t i ∈ T ( , X ) s i . The set of formulae F ( , X ) is given by the grammar where in ∀ x : s .ϕ the variable x is bound by the quantifier. Term and formulae translation along a many-sorted signature morphism σ : → preserve the term and formulae structure as well as unbound, free variables. The sentence functor Sen F O : S F O → Set maps to the sentences over , i.e., the formulae over that show no free variables, and σ : → to the formula translation along σ . For a -algebra A and a valuation β where β{x : s → a}(x ) a and β{x : s → a}(y) β(y) for y x . Let us now recall some useful properties of institutions.

Amalgamation Property
The amalgamation property will be used later to construct the union of two data states (intuitively pre- and post-states) over which state transition predicates, formalised as sentences over a pushout signature, can be interpreted.

Institution comorphisms
During system development it is sometimes useful to switch from one institution to another. To do this, institution comorphisms [GR02] are an appropriate tool. They allow one to express a kind of embedding of a "poorer" source into a "richer" target logic [MDT09]. → Str I , and a natural transformation ν Sen : Sen I .→ ν S ; Sen I , such that for all ∈| S I |, M ∈|Str I (ν S ( ))|, and ϕ ∈ Sen I ( ) the following satisfaction condition holds:
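For reference, the standard comorphism definition from [GR02] in the paper's notation (added here; not text recovered from the page): an institution comorphism $\nu = (\nu^{\mathbf{S}}, \nu^{\mathrm{Str}}, \nu^{\mathrm{Sen}}) : I \to I'$ consists of a functor $\nu^{\mathbf{S}} : \mathbf{S}_I \to \mathbf{S}_{I'}$, a natural transformation $\nu^{\mathrm{Str}} : (\nu^{\mathbf{S}})^{op} ; \mathrm{Str}_{I'} \to \mathrm{Str}_I$, and a natural transformation $\nu^{\mathrm{Sen}} : \mathrm{Sen}_I \to \nu^{\mathbf{S}} ; \mathrm{Sen}_{I'}$, such that for all $\Sigma \in |\mathbf{S}_I|$, $M' \in |\mathrm{Str}_{I'}(\nu^{\mathbf{S}}(\Sigma))|$ and $\varphi \in \mathrm{Sen}_I(\Sigma)$:

$$M' \models^{I'}_{\nu^{\mathbf{S}}(\Sigma)} \nu^{\mathrm{Sen}}_{\Sigma}(\varphi) \iff \nu^{\mathrm{Str}}_{\Sigma}(M') \models^{I}_{\Sigma} \varphi .$$

Note the directions: sentences are translated forward into the richer target logic $I'$, while structures of $I'$ are mapped back into $I$; the condition states that evaluating a translated sentence in the target agrees with evaluating the original sentence on the mapped-back structure, which is what makes a switch of institution during development sound.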

Institutions for data states and transitions
Data institutions are used to model data states as well as data state changes which are typical in event/data-based systems. We are interested in a generic approach which can be instantiated by concrete data institutions needed in particular application domains.
General assumption. Throughout this paper we assume given an arbitrary institution D (S D , Str D , Sen D , | D ) which is closed under boolean connectives and satisfies the amalgamation property.
We proceed in two steps: First, in Sect. 3.1, we show how to construct "data state institutions" on the basis of D to model single data states (in terms of structures) and to specify properties of them (in terms of sentences). To formalise transitions from one data state to another (and their properties) we introduce so-called "2-data state institutions" in Sect. 3.2. Structures of a 2-data state institution are pairs of structures of a data state institution modelling pre- and post-states of transitions.

Data state institutions
In principle, an institution D with the assumed properties could already serve as a formal framework for data states. In general, however, it is useful not to take all signatures of D but to select only particular ones. For instance, one may be interested in admitting only signatures which are extensions of some (base) signature having a unique interpretation. To treat this intuitively simple idea in a formal way we need some additional technicalities.
First, the category of signatures of a data state institution over D, which we call D, should be a subcategory of the arrow category (S D ) → . This means that signatures in D are signature morphisms δ : 0 → in D and signature morphisms (σ 0 , σ ) : (δ : 0 → ) → (δ : 0 → ) in D are pairs of signature morphisms σ 0 : 0 → 0 and σ : → in D such that σ 0 ; δ δ; σ . In order to facilitate compositions, we also require that this subcategory of (S D ) → is closed under pushouts.
Moreover, the form of signatures in a data state institution D has a semantic counterpart concerning the structures functor Str D . We require that for each D-signature δ : 0 → the (base) signature 0 has a unique interpretation in all structures of Str D (δ). The sentences and satisfaction relations of D are those inherited from D. Definition 2 A data state institution D (S D , Str D , Sen D , | [ D] ) over D consists of the following parts: -A category S D of D-signatures which is a subcategory of the arrow category (S D ) → and which is closed under pushouts, i.e., if -The functor Sen D : S D → Set, giving for each signature δ : 0 → ∈ |S D1 | the set Sen D ( ) of -sentences in D, i.e., Sen D (δ) Sen D ( ), and for each D-signature morphism (σ 0 , σ ) : -For each signature δ Moreover, D inherits closure under boolean connectives from D.
Example 5 (a) The propositional logic institution Prop of Ex. 1(a) is readily usable as a data state institution as no specific base propositional signature has to be selected that would need a fixed interpretation. Technically, we can turn Prop into the data state institution Prop ∅ as follows: For the category of signatures we choose S Prop ∅ as the subcategory of (S Prop ) → consisting of all propositional signature morphisms δ P : ∅ → P for P ∈ |S Prop | as objects and all (∅, π) : δ P → δ P with π : P → P in S Prop as morphisms. In fact, S Prop ∅ is isomorphic to S Prop and also closed under pushouts. For the structures functor we set Str Prop ∅ (δ P ) Str Prop (P ) and Str Prop ∅ ((∅, π) :

Comorphisms between data state institutions
To get an institution comorphism between data state institutions it is sufficient to provide a comorphism between their underlying base institutions if this comorphism satisfies some specific conditions: Let D be a data state institution over D, D a data state institution over D , and let ν : D → D be an institution comorphism such that

2-Data state institutions
We introduce 2-data state institutions as a formal framework to model data state transitions. The basic idea is that structures of a 2-data state institution are pairs (M 1 , M 2 ) of structures of an underlying data state institution representing pre- and post-states of a transition. The data state institution and the 2-data state institution both rely on the base institution D. Properties of pre-/post-state pairs can be specified by sentences of a 2-data state institution which are built according to a pushout construction in the underlying institution D. ). For each signature morphism (σ 0 , σ ) : (δ : is the unique signature morphism in S D such that the following diagram commutes: Note that such a signature morphism exists due to the pushout property of + δ Then, for any ψ ∈ Sen 2 D (δ), i.e., ψ ∈ Sen D ( + δ 0 ), the 2 D-satisfaction relation is given by Considering M 1 and M 2 as pre- and post-states respectively, we see that the base signature 0 in δ : 0 → determines that part of data states whose interpretation, given by M δ , has to be kept invariant while interpretations of the remaining part are flexible.
To show that 2 D is indeed an institution we must prove the satisfaction condition.
Theorem 1 (Satisfaction condition of 2 D) Let (σ 0 , σ ) : Proof. Using the satisfaction condition for D, we get Example 7 (a) For obtaining the propositional 2-data state institution 2Prop ∅ from the data state institution Prop ∅ of Ex. 5(a) we choose the specific pushout signature P + δ P ∅ P in S Prop for a signature morphism δ P : ∅ → P in S Prop ∅ to contain all propositional variables from P together with primed copies p′ of them (assuming that P does not already contain primed propositional variables). δ P -sentences in 2Prop ∅ , also called state transition predicates, are then (P + δ P ∅ P )-sentences in Prop, like, e.g., p ↔ p′ or p ∨ q → q′. The amalgamated union μ 1 × δ P μ 2 for a 2Prop ∅ -structure (μ 1 , μ 2 ) consisting of two functions μ i : P → B interprets all propositional variables p ∈ P using μ 1 and all primed propositional variables p′ by μ 2 for the non-primed propositional variables p. A for ι : b → A the F O -signature that contains all symbols of A together with primed copies a′ : s of all attributes a : s in A; possible state transition predicates here then are a < a′ or a′ a + 1. The amalgamated union interprets all symbols a : s in the signature A like A 1 does and all primed attributes a′ : s by the values of the non-primed attributes a : s in A 2 . Note that A 1 and A 2 have the same interpretation for all symbols in the base signature b which therefore cannot be changed in data state transitions.

Comorphisms between 2-data state institutions
We show that under certain conditions institution comorphisms between 2-data state institutions can be obtained from comorphisms between their underlying base institutions. Let ν : D → D be an institution comorphism that can be lifted to an institution comorphism ν : D → D such that ν S preserves the specific choices of pushouts in S D and S D made for the construction of 2 D and 2 D . Define ( ν 2 ) S ν S , ( ν 2 ) Str ν Str × ν Str , and ( ν 2 ) Sen δ: 0 → ν Sen + δ 0 . Then ( ν 2 ) Str and ( ν 2 ) Sen are natural transformations and for all (δ : 0

Particular sentences of 2-data state institutions
We finish this section by considering some particular sentences of 2-data state institutions. First, the set of sentences of the 2-institution 2 D contains translations of the sentences of D that refer either to the first or to the second component of a 2 D-structure (M 1 , M 2 ). Such sentence translations are satisfied by (M 1 , M 2 ) if, and only if, their untranslated versions are satisfied by the respective component.
Expanding the satisfaction relation for 2 D and using the satisfaction condition in D we have Hence, validity of the sentence Sen F O (ι 1 )(ϕ) ↔ Sen F O (ι 2 )(ϕ) in a 2Attr b ,A b -structure (A 1 , A 2 ) expresses that the sentence ϕ holds in A 1 if, and only if, it holds in A 2 .
Sentences over a signature δ : 0 → in the 2 D-institution take into account two D-structures M 1 and M 2 at the same time. Semantically it is already ensured that the common part Str D (δ)(M 1 ) Str D (δ)(M 2 ) remains unchanged. It will, however, be useful to be able to express that certain additional parts of M 1 and M 2 are identical. In particular, this will be needed when we define the (syntactic) parallel composition of operational specifications in Sect. 5.2. Definition 3 (Invariance sentence) Let δ 0 : 0 → 1 be a D-signature and σ 1 : In general, we cannot expect that Sen 2 D provides invariance sentences. In this case we extend, for each 2 D signature δ : 0 → and for each split δ 0 : 0 → 1 and σ 1 : 1 → with δ δ 0 ; σ 1 the set Sen 2 D (δ) of 2 D-sentences by the special invariance sentence id (δ 0 ,σ 1 ) for which satisfaction is defined as follows: ) . Note that id (id 0 ,δ) simply expresses true.
Using a general, though "intuitively somewhat artificial way of dealing with the translation of sentences" [ST12, p. 184], an institution extending 2 D by such invariance sentences can be obtained directly [ST12, Ex. 4.1.46]. However, if certain additional pushouts are chosen specifically, invariance sentences can be translated along signature morphisms in 2 D as follows: Let (σ 0 , σ ) : (δ : 0 → ) → (δ : 0 → ) be a signature morphism in 2 D, i.e., a pair of signature morphisms σ 0 : 0 → 0 and σ : → in D such that σ 0 ; δ δ; σ . Then the invariance sentence id (δ 0 ,σ 1 ) ∈ Sen 2 D (δ) is translated to the invariance sentence id ( σ0 ,σ 1 ) ∈ Sen 2 D (δ ) according to the following diagram where the left quadrilateral is a pushout diagram and σ 1 is the unique morphism from the pushout signature to : It is in order to obtain a proper mapping id (δ 0 ,σ 1 ) → id ( σ0 ,σ 1 ) that the pushout 0 + σ 0 ,δ 0 0 1 has to be fixed. Then the next lemma shows that the satisfaction condition of 2 D still holds if it is extended by invariance sentences; so it remains an institution.

Generic E ↓ ( D)-logic
We present E↓(D)-logic which forms an event/data institution for any underlying data state institution D. Hence E↓(D)-logic is a generic logic parametrised by D. It is an extension of dynamic logic with binders [MBHM18] taking into account data. Like its data-less predecessor in [MBHM18], E↓(D) is intended to support the whole development process for event/data-based systems from abstract requirements specifications down to concrete designs specifying the (recursive) structure of processes. For the former we use constructs from dynamic logic [HKT00] which allow us to integrate complex actions into modal formulae with diamond and box operators. For the latter we use constructs from hybrid logic [Bra10] which allow us to refer (and thus to jump) to computation states of transition systems by means of state variables.
We assume given an arbitrary data state institution D as considered in Sect. 3.1 and the 2-data state institution 2 D as constructed in Sect. 3.2. We illustrate E↓(D)-logic by specifying properties of an ATM which will be our running example further on. In the examples of this section we use Prop ∅ (see Ex. 5(a)) as data state institution, i.e., we work in E↓(Prop ∅). In further refinement steps later on we will switch to the more expressive data state institution Attr b ,A b .

Signatures of E ↓ ( D)
A crucial ingredient of any event/data-based system are the events which may occur at a certain instant of time and may change the computation state as well as the data state of a system. In E↓(D)-logic signatures consist of an event part, determined by a set of events, and a data part, determined by a signature of D.
Definition 4 An event/data signature (ed signature for short) (E , δ : 0 → ) consists of a set of events E and a data signature δ : 0 → in |S D |. We write E ( ) for E and δ( ) for δ.
Event/data signatures and their morphisms form a category denoted by S E ↓ ( D) .
Example 11 We consider a (rather simplified) ATM application. We start with its exposition in E ↓ ( Prop ∅ ) based on the propositional logic institution Prop and its corresponding data state institution Prop ∅ ; see Ex. 5(a).
A first relevant set of events for our ATM is E 0 {insertCard, enterPIN, ejectCard}. For the data part of the ATM, we use the propositional variable check. Our first ed signature for the ATM system thus is 0 (E 0 , δ P : ∅ → P ) where P {check}.
If we wish to be able to cancel transactions, we extend E 0 with the event cancel and get the larger ed signature 1 (E 1 , δ P : ∅ → P ) with E 1 E 0 ∪ {cancel}. Then σ 0 (η 0 , 1 δ P ) : 0 → 1 with η 0 : E 0 → E 1 the inclusion is an ed signature morphism. (To shorten the presentation we omit further events like withdrawing money, etc.)

Structures of E ↓ ( D)
Any ed signature determines a class of semantic structures, called event/data transition systems, which are transition systems with sets of initial states and events as labels on transitions. Since we are interested here in describing (properties of) reactive systems which start their executions in some initial states, the state space of our semantic models will be restricted to reachable states only. To capture the dynamic and the data aspect of event/data-based systems, the states of our transition systems are pairs γ (c, d ), called configurations, where c is a control state recording the current execution state and the data state d is labelled by a D-structure ω(d ) over δ( ). The usefulness of the data state labelling will be detailed in Ex. 17 in connection with the satisfaction condition of institutions. It is related to the function M in hybridised logics [MMDB11] which maps states to structures of an underlying base institution. A -edts morphism h : M 1 → M 2 is given by a function h : (M 1 ) → (M 2 ) such that c(M 2 )(h(γ 1 )) c(M 2 )(h(γ 1 )) for all γ 1 , γ 1 ∈ (M 1 ) with c(M 1 )(γ 1 ) c(M 1 )(γ 1 ); h(γ 1,0 ) ∈ 0 (M 2 ) for all γ 1,0 ∈ 0 (M 1 ); and (h(γ 1 ), h(γ 1 )) ∈ R(M 2 ) e for all (γ 1 , γ 1 ) ∈ R(M 1 ) e and e ∈ E ( ).
For any ed signature , the class of -edts and their morphisms form a category denoted by . A -edts M is called extensional if ω(M )(γ 1 ) ω(M )(γ 2 ) implies γ 1 γ 2 ; in this case the data states and the data labels can be identified.
Example 12 Continuing Ex. 11, a 1 -edts M 1 in Str E ↓ ( Prop ∅ ) ( 1 ) is shown in Fig. 1a. Its control states are Card, PIN , and Return. The data states are check and ¬check standing for the functions μ check , μ ¬check : {check} → B with μ check (check) tt and μ ¬check (check) f f . The data labelling ω is just the identity such that M 1 is extensional. The control state Card is initial with two initial data states, check and ¬check. There is no configuration with control state PIN and data state check in M 1 since such a configuration is not reachable. There is a non-deterministic choice for enterPIN when the control state is PIN . The first alternative going to configuration (Return, check) models the situation where a correct PIN has been entered. The other alternatives either allow repeating the entry of an incorrect PIN or stop the process if an incorrect PIN has been entered sufficiently often. In the latter case the card is kept.
Thus we have already defined the first part of the (contravariant) structures functor Str E ↓ ( D) : (S E ↓ ( D) ) op → Cat mapping each ed signature to the category of -edts. Its second part is given, for any ed signature morphism σ : → in S E ↓ ( D) , by the reduct functor Str E ↓ ( D) (σ ) : Str E ↓ ( D) ( ) → Str E ↓ ( D) ( ) that sends -edts and their morphisms to their reducts. Special care has to be taken because of the reachability property of event/data transition systems: for any -edts M its reduct along σ must be a -edts with reachable configurations. Therefore we propose an inductive definition for reducts of edts. Of course, the reducts of the data parts of configurations will be the reducts of data states as provided by the data state institution D.
Example 13 Continuing Ex. 12, the reduct M 0 of the 1 -edts M 1 in Fig. 1a along the ed signature morphism σ 0 : 0 → 1 of Ex. 11 is shown in Fig. 1b. It does not contain the configuration (Return, ¬check) any more, as 0 does not show the event cancel and thus (Return, ¬check) becomes unreachable.

Lemma 4 Let
Proof. The well-definedness of h |σ follows directly from the inductive definition of reducts.
For any σ : → in S E ↓ ( D) , the map Str E ↓ ( D) (σ ) : ) that sends -edts and their morphisms to their reducts is a functor. This lifts to the desired functor Str E ↓ ( D) : (S E ↓ ( D) ) op → Cat mapping each ed signature to the category of its structures and each ed signature morphism to its reduct functor.

Sentences of E ↓ ( D)
Actions. Atomic actions over an ed signature are given by expressions of the form e ψ with e ∈ E ( ) an event and ψ ∈ Sen 2 D (δ( )) a state transition predicate formalised as a sentence in the 2-data state institution 2 D; see Sect. 3.2. The intuition is that the occurrence of the event e causes a state transition in accordance with ψ, i.e., the pre- and post-data states satisfy ψ. Thus ψ specifies the possible effects of e. Following the ideas of dynamic logic we also use complex, structured actions formed over atomic actions by union "+" (expressing alternatives), sequential composition ";" and iteration "*".

Definition 7
Let (E , δ : 0 → ) be an ed signature.The set ( ) of -event/data actions ( -ed actions) is given by the grammar where e ∈ E and ψ ∈ Sen 2 D (δ).
We use the following shorthand notations for ed actions, taking into account that 2 D comprises the sentence true. For an event e ∈ E , we also write e for the atomic action e true, and for a finite subset F {e 1 , . . ., e k } ⊆ E , we also write {e 1 , . . ., e k } or simply F to denote the complex action e 1 + . . . + e k . In particular, if E is finite we write E for the composed action obtained by combining with "+" all elements of E . This captures the choice of all possible events with arbitrary effects. Moreover, if E is finite we write −{e 1 , . . ., e k } for the composed action obtained by combining with "+" all elements of E \ {e 1 , . . ., e k } and briefly −e for −{e}.
Example 14 For the ATM signature 0 in Ex. 11, a 0 -ed action enterPIN check expresses that after enterPIN has occurred the propositional variable check is true. The action E * 0 ; insertCard here abbreviates (insertCard true + enterPIN true + ejectCard true) * ; insertCard true and means an arbitrary sequence of event occurrences and data transitions ending in an occurrence of insertCard.
Let σ : → be an ed signature morphism. The event/data action translation (σ ) : ( ) → ( ) along σ is recursively given by (σ )(e ψ) E (σ )(e) Sen 2 D (δ(σ ))(ψ);
Formulae and sentences. The logical formulae of E ↓ ( D) are a combination of features from dynamic logic [HKT00] and hybrid logic [Bra10]. From dynamic logic we use modalities filled with regular expressions of actions. In our context the atomic actions are event/data actions e ψ as introduced above. As usual a diamond formula λ expresses that it is possible to execute λ in the current state such that is satisfied in the subsequent state; the derived box modality [λ] expresses that whenever λ is executed in the current state then it is necessary that holds in any subsequent state. From hybrid logic we use state variables which can be bound to the current control state by the binder operator ↓x . for further reference in the formula , and the jump operator (@ F x ) which moves the state of evaluation for to the state bound by x . The binder operator was first studied by [Gor94]. In contrast to the classical approach we are dealing here with configurations which are pairs of control and data state. We claim that state variables should refer to the current point of control flow of a system and that binders and jumps should provide means to model the control flow. For instance, a sentence like ↓x . inc c c + 1 x should model a looping behaviour where an attribute c is constantly incremented by 1.
Thus x should not be bound to a configuration including a data state. Therefore, variables in E ↓ ( D)-formulae denote just control states and not configurations; i.e., for the hybrid part of our logic, data states are disregarded. This will be reflected in the satisfaction of E ↓ ( D)-formulae below. Another variation concerns the jump operator (@ F x ) which parametrises the jump operator (@x ) of hybrid logic by a set F of events. It has the effect that will be evaluated in all configurations having the control state determined by x and being reachable with events from F . We will illustrate later, in Ex. 18, that this relativisation is useful to get the satisfaction condition of an institution for E ↓ ( D)-logic. E ↓ ( D) retains from hybrid logic the use of binders and jumps, but omits free nominals. Thus sentences, i.e., formulae without free variables, become restricted to express properties of configurations reachable from the initial ones.
In the remainder of this paper we always assume given a countably infinite set X of control state variables.

Definition 8
The set F ( ) of -event/data formulae over an ed signature is defined by the following grammar where ϕ ∈ Sen D (δ( )), x ∈ X , F ⊆ E ( ), λ ∈ ( ). The set of free variables of a formula is defined as usual with ↓x being the unique operator binding variables. A -event/data sentence ( -ed sentence) is a -event/data formula without free variables. The set Sen E ↓ ( D) ( ) consists of all -ed sentences.
We write [λ] for ¬ λ ¬ and we use the usual boolean connectives. Furthermore, we express the (unrelativised) jump operator (@x ) of hybrid logic by (@ E ( ) x ) .
Using additionally the shorthand notations for actions, we can specify safety properties with [E * ] ; deadlock freedom is expressed by [E * ] E true. Liveness properties, like "whenever an event e has happened, an event e can eventually occur", can be expressed by [E * ; e] E * ; e true. We can also express that an event e must never occur when an event e has happened before with [E * ; e; E * ; e ]false. Of course, events e and e standing for e true and e true could be more generally replaced by e ψ and e ψ . These kinds of properties are suited for abstract requirements specifications. They use only the dynamic logic fragment of E ↓ ( D).
Example 15 Continuing Ex. 14, we can express some abstract properties required for an ATM using ed signature 0 of Ex. 11:
(0.1) "Whenever a card has been inserted, a correct PIN can eventually be entered." enterPIN check true
(0.2) "Whenever a correct PIN has been entered, the card can eventually be ejected." ejectCard true
(0.3) "A card cannot be ejected if it was not inserted before." [(−insertCard) * ; ejectCard]false
Note that the complex action −insertCard in (0.3) ranges over all events of 0 except insertCard.
The logic E ↓ ( D) is also suited to directly express process structures and, thus, the implementation of abstract requirements. The binder operator is crucial for this. The ability to give names to visited control states, together with the modal features to express transitions, makes possible a precise description of the whole dynamics of a process structure in a single sentence. This will be significant in Sect. 5.3. Binders allow us to express recursive patterns, namely loop transitions from the current to some already visited control state. Actually, these kinds of properties cannot be specified in the absence of a feature to refer to specific control states in a model, as in standard modal logic. For example, the sentence ↓x 0 . e x 0 ∧ f ↓x 1 .( e x 0 ∧ f x 1 ) specifies process structures with two states represented by x 0 and x 1 . Event e loops in x 0 , event f moves to x 1 and loops in x 1 while e moves back to x 0 . To model that this is the only allowed behaviour one could expand the sentence within the scope of x 0 and x 1 by
Clearly, structures like this can also involve specific data properties which will be illustrated later in our development.
To get the sentence functor of an institution it remains to define sentence translation. Let σ : → be an ed signature morphism. The event/data formulae translation F (σ ) : F ( ) → F ( ) along σ is recursively given by
The event/data sentence translation
Mapping each signature ∈ |S E ↓ ( D) | into the set of event/data sentences Sen E ↓ ( D) ( ) and each ed signature morphism σ : → in S E ↓ ( D) into the event/data sentence translation Sen E ↓ ( D) (σ ) defines a functor Sen E ↓ ( D) : S E ↓ ( D) → Set.

Satisfaction relation of E ↓ ( D)
To define the satisfaction relation for E ↓ ( D)-logic we must first, as usual in dynamic logic, provide an interpretation of the actions ( ) over a -edts M as the family of relations (R(M
Let be an ed signature, F ⊆ E ( ), and M a -edts. A configuration γ ∈ (M ) is F -reachable in M if there are γ 0 ∈ 0 (M ), n ≥ 0, e 1 , . . ., e n ∈ F , and (γ i , γ i+1 ) ∈ R(M ) e i+1 for all 0 ≤ i < n with γ n γ . The set of F -reachable configurations of M is denoted by F (M ).
Definition 9 Given an ed signature and a -edts M , the satisfaction of an event/data formula ∈ F ( ) is inductively defined w.r.t. valuations v : X → C (M ) mapping control state variables to control states, and configurations γ ∈ (M ):
for all γ 0 ∈ 0 (M ) and an arbitrary valuation v (which is anyway irrelevant since sentences do not contain free variables).
Example 16 Continuing Ex. 15, let us check that the statements (0.1) to (0.3) are satisfied in the 0 -edts M 0 depicted in Fig. 1b: For (0.1), whenever an insertCard has happened, configuration (PIN , ¬check) is entered. Then it is (immediately) possible to perform enterPIN with the effect that check holds. For (0.2), whenever an enterPIN has happened such that check holds, configuration (Return, check) is reached. Then ejectCard is (immediately) possible. Finally, (0.3) is obviously satisfied by M 0 , since its first event is insertCard.

Satisfaction condition for E ↓ ( D)
The idea of the satisfaction condition is to ensure that satisfaction is invariant under change of notation. Formally, a change of notation is expressed by a signature morphism σ : → . In the context of E ↓ ( D)-logic the satisfaction condition requires that for any -edts M and for any -sentence the reduct of M along σ satisfies if, and only if, M satisfies the sentence translation of w.r.t. σ . For the proof we use the following lemmas. The first lemma will be used to prove the satisfaction condition for sentences involving the diamond modality. It is crucial here that the 2-data institution 2 D satisfies the satisfaction condition for state transition predicates, i.e., sentences in 2 D.
The next lemma is needed to get the satisfaction condition for sentences involving the relativised jump operator.
Proof. Let γ ∈ (M ). By induction, it holds that γ ∈ E (σ )(F ) (M ) if, and only if, there are γ 0 , . . ., γ n ∈ (M ) and e 1 , . . ., e n ∈ F with n ≥ 0,
Finally, the next lemma is formulated for formulae, possibly involving free variables, in order to be able to perform induction on the structure of formulae. The satisfaction condition for sentences stated in the subsequent corollary is a direct consequence.
Lemma 7 Let σ : → be an ed signature morphism and M a -edts. For all ∈ F ( ), all γ ∈ (M |σ ) ⊆ (M ), and all v :
Proof. We apply induction on the structure of -event/data formulae. We only consider the cases ϕ, x , ↓x . , (@ F x ) , and λ ; negation and disjunction are straightforward.
Case ϕ:
Corollary 1 (Satisfaction condition for E ↓ ( D)) For any ed signature morphism σ :
Proof. By unfolding the definitions we obtain for all γ 0 ∈ 0 (M |σ ) 0 (M ) and some valuation v :
As an immediate consequence we obtain: ) is an institution for each data state institution D.
Example 17 This example illustrates the usefulness of the data state labelling ω in the definition of ed structures to get the satisfaction condition. We work in the institution E ↓ ( Prop ∅ ). Let E E {e} and P {p}, P {p, q}. Thus we have two ed signatures (E , δ P : ∅ → P ) and (E , δ P : ∅ → P ), and an ed signature morphism σ from to whose event part is the identity and whose data part is the inclusion. The following -edts M has two configurations being pairs (c, p ∧ q) and (c, p ∧ ¬q) with the same control state c. The data state p ∧ q represents the function μ p∧q with μ p∧q (p) μ p∧q (q) tt and p ∧ ¬q represents the function μ p∧¬q with μ p∧¬q (p) tt and μ p∧¬q (q) f f . The data state labelling ω(M ) is the identity.
The reduct of M along σ is the following -edts M |σ : c p ∧ q c p ∧ ¬q e
M |σ has the same configurations as M but the data state labelling ω(M |σ ) restricts both data states p ∧ q and p ∧ ¬q to p, pictorially represented by shadowing q and ¬q respectively. Intuitively this means that q is hidden but the data states of the configurations are still different; only their labellings coincide (i.e. M |σ is not extensional). This has the effect that both edts satisfy the -sentence e true ∧ [e; e]false, i.e.,
Without using a data state labelling, M |σ would just have a single configuration (c, p) where the event e is either enabled, leading to a loop, or not. In each case M |σ would not satisfy the above sentence but M does. Hence, the satisfaction condition would be violated.
Example 18 This example illustrates why the relativisation of the jump operator is needed to get the satisfaction condition. We work again in the institution E ↓ ( Prop ∅ ). Let E {e} and E {e, e } be two sets of events and P P {p}. Thus we have two ed signatures (E , δ P : ∅ → P ) and (E , δ P : ∅ → P ) and an ed signature morphism σ from to whose event part is the inclusion and whose data part is the identity. Consider the following extensional -edts M with just one control state c and with configurations (c, p) and (c, ¬p):
The σ -reduct of M has no e -transition; it is just c p e
Suppose we used the unrelativised jump operator (@x ) in ↓x .(@x )p, referring to all configurations whose control state is bound by x and not only to those reachable by E {e}. In M this would include the configuration (c, ¬p) which is not reachable in M |σ . Thus we have
Thus the satisfaction condition would be violated. Using the relativised jump operator (@ E x ) we have, however,
Example 19 Continuing Ex. 16, consider again the 1 -edts M 1 shown in Fig. 1a and its σ 0 -reduct M 0 shown in Fig. 1b. As shown in Ex. 16, M 0 satisfies the sentences (0.1) to (0.3). Hence, by the satisfaction condition for E ↓ ( Prop ∅ ), M 1 satisfies the sentences (0.1) to (0.3) as well (after applying the trivial sentence translation by inclusion). Conversely, one could also show first that M 1 satisfies the sentences (0.1) to (0.3) and deduce, by using the satisfaction condition, that M 0 satisfies (0.1) to (0.3).
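The ATM edts of Ex. 12, its σ 0 -reduct of Ex. 13, the checks of Ex. 16 and the satisfaction-condition argument of Ex. 19 can be mechanised for the dynamic-logic fragment (no binders or jumps). The following Python is an added example, not code from the paper; it assumes a reconstruction of the transitions of Fig. 1a from the prose of Ex. 12, and it assumes the liveness shape [E*; e]⟨E*; e'⟩true of Sect. 4.3 for (0.1) and (0.2), whose exact form is not legible in this text.

```python
# Added worked example, not the paper's code: a model checker for the dynamic-logic
# fragment of E↓(D) over edts, run on the ATM of Ex. 12/13 with Prop_∅ data states
# over P = {check}. Assumptions: the transitions of Fig. 1a are reconstructed from
# the prose of Ex. 12, and (0.1)/(0.2) follow the liveness pattern of Sect. 4.3.
CHECK, NOCHECK = frozenset({"check"}), frozenset()  # data states μ_check, μ_¬check

class EDTS:
    """Edts: configurations (control state, data state), reachable ones only."""
    def __init__(self, events, initial, trans):
        self.events, self.initial = frozenset(events), frozenset(initial)
        self.trans = frozenset(t for t in trans if t[1] in self.events)
        seen, frontier = set(initial), set(initial)
        while frontier:  # reachability closure from the initial configurations
            frontier = {t for s, _e, t in self.trans if s in frontier} - seen
            seen |= frontier
        self.confs = frozenset(seen)

    def reduct(self, events):  # reduct along an event-restriction morphism (Ex. 13)
        return EDTS(events, self.initial, self.trans)  # hidden events vanish, reachability recomputed

    def step(self, e, psi):  # R(M)_{e psi}: e-steps whose (pre, post) data states satisfy psi
        return {(s, t) for s, ev, t in self.trans if ev == e
                and s in self.confs and t in self.confs and psi(s[1], t[1])}

# ed actions: ("atom", e, psi) | ("plus", a, b) | ("seq", a, b) | ("star", a)
def atom(e, psi=lambda pre, post: True):  # e alone abbreviates "e true"
    return ("atom", e, psi)
def plus(*acts):
    return acts[0] if len(acts) == 1 else ("plus", acts[0], plus(*acts[1:]))
def seq(a, b):
    return ("seq", a, b)
def star(a):
    return ("star", a)
def all_events(events):  # shorthand E: the choice e1 + ... + ek of all events
    return plus(*[atom(e) for e in sorted(events)])
def minus(events, *excluded):  # shorthand -{e1, ..., ek}
    return all_events(set(events) - set(excluded))
def compose(r1, r2):
    return {(a, c) for a, b in r1 for b2, c in r2 if b == b2}

def rel(M, act):
    """Interpretation of an ed action as a relation on the configurations of M."""
    if act[0] == "atom":
        return M.step(act[1], act[2])
    if act[0] == "plus":
        return rel(M, act[1]) | rel(M, act[2])
    if act[0] == "seq":
        return compose(rel(M, act[1]), rel(M, act[2]))
    r, one = {(g, g) for g in M.confs}, rel(M, act[1])  # star: reflexive-transitive closure
    while not compose(r, one) <= r:
        r |= compose(r, one)
    return r

# formulae: ("true",) | ("not", f) | ("dia", act, f);  [act]f := not <act> not f
TRUE, FALSE = ("true",), ("not", ("true",))
def dia(act, f=TRUE):
    return ("dia", act, f)
def box(act, f):
    return ("not", ("dia", act, ("not", f)))

def sat(M, g, f):
    """Satisfaction of a variable-free formula at configuration g of M."""
    if f[0] == "true":
        return True
    if f[0] == "not":
        return not sat(M, g, f[1])
    return any(sat(M, t, f[2]) for s, t in rel(M, f[1]) if s == g)  # diamond

def models(M, sentence):  # a sentence holds in M iff it holds in all initial configurations
    return all(sat(M, g0, sentence) for g0 in M.initial)

# Σ1-edts M1 of Fig. 1a (reconstructed): control states Card, PIN, Return
E0 = {"insertCard", "enterPIN", "ejectCard"}
E1 = E0 | {"cancel"}
M1 = EDTS(E1, {("Card", CHECK), ("Card", NOCHECK)}, {
    (("Card", CHECK), "insertCard", ("PIN", NOCHECK)),
    (("Card", NOCHECK), "insertCard", ("PIN", NOCHECK)),
    (("PIN", NOCHECK), "enterPIN", ("Return", CHECK)),  # correct PIN
    (("PIN", NOCHECK), "enterPIN", ("PIN", NOCHECK)),   # wrong PIN, try again
    (("PIN", NOCHECK), "enterPIN", ("Card", NOCHECK)),  # too many wrong PINs: card kept
    (("PIN", NOCHECK), "cancel", ("Return", NOCHECK)),
    (("Return", CHECK), "ejectCard", ("Card", CHECK)),
    (("Return", NOCHECK), "ejectCard", ("Card", NOCHECK)),
})
M0 = M1.reduct(E0)  # σ0-reduct, Fig. 1b: (Return, ¬check) is no longer reachable

def check(pre, post):  # transition predicate "check": check holds in the post-state
    return "check" in post
ANY0 = star(all_events(E0))  # the shorthand E0*
AX0 = {  # the Σ0-sentences (0.1)-(0.3) of Ex. 15
    "0.1": box(seq(ANY0, atom("insertCard")), dia(seq(ANY0, atom("enterPIN", check)))),
    "0.2": box(seq(ANY0, atom("enterPIN", check)), dia(seq(ANY0, atom("ejectCard")))),
    "0.3": box(seq(star(minus(E0, "insertCard")), atom("ejectCard")), FALSE),
}

def satisfaction_condition(M, events, sentence):
    # Ex. 19: along an inclusion σ the sentence translation is the identity on the
    # formula, so the satisfaction condition reads  M|σ ⊨ φ  iff  M ⊨ φ
    return models(M.reduct(events), sentence) == models(M, sentence)
```

Checking the Σ 1 -sentence box(seq(ANY0, atom("insertCard")), dia(atom("cancel"))) gives True on M1 and False on M0, which is no violation of the satisfaction condition because cancel is not in Σ 0 and the sentence is therefore not a translated Σ 0 -sentence.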

Institution comorphisms for E ↓ ( D)
Let : D → D be an institution comorphism. We know that it can be lifted to an institution comorphism ν : D → D on data state institutions which in turn can be lifted to an institution comorphism ν 2 : 2 D → 2 D on 2-data state institutions. We can then provide a final lifting into an institution comorphism ν ↓ : E ↓ ( D) → E ↓ ( D ) on event/data institutions as follows:
- For event/data signatures, ν S is applied to the data signature: Define ( ν ↓ ) S (E , δ) (E , ν S (δ)) and ( ν ↓ ) S (η, ϑ) (η, ν S (ϑ)).
- For event/data structures, ν Str is applied to the data labels of configurations: ) for all γ ∈ , and ( ν ↓ ) Str (h) h.
- For event/data sentences, ν Sen is lifted to event/data actions via ν : ( ) → (( ν ↓ ) S ( )) with ν (e ψ) e ( ν 2 ) Sen δ( ) (ψ) etc., and to event/data formulae via ν
) which changes the underlying data state institution of our event/data logic by moving from propositional logic data states to attribute-based data states.

Specifications of event/data-based systems
For specifying event/data-based systems in E ↓ ( D) we consider two specification styles: An axiomatic specification uses sentences as axioms to express requirements. This textual style is complemented by operational specifications with a graphical representation. Operational specifications also offer a (syntactic) parallel composition operator. We show that finitary operational specifications can be axiomatised such that we do not leave E ↓ ( D)-logic.

Axiomatic specifications of event/data-based systems
Sentences of any E ↓ ( D)-logic can be used to specify properties of event/data-based systems and thus to write system specifications in an axiomatic way.
Definition 10 An axiomatic specification Sp ( , Ax) in E ↓ ( D) consists of a signature ∈ |S E ↓ ( D) | and a set of axioms Ax ⊆ Sen E ↓ ( D) ( ). We write (Sp) for and Ax(Sp) for Ax.
The semantics of Sp is given by the pair ( (Sp), Mod where
Example 21 We continue with the ATM example considered from Ex. 11 onward. Now we provide a first axiomatic specification that will be gradually extended and refined later on in Sect. 6. Our first specification is Sp 0 ( 0 , Ax 0 ), where 0 (E 0 , δ P ) and Ax 0 requires the properties (0.1-0.3) described in Ex. 15. The 0 -edts M 0 shown in Fig. 1b is a model of Sp 0 ; it satisfies the required axioms as demonstrated in Ex. 16.

Operational specifications
Operational specifications are introduced as a means to specify in a constructive style the properties of event/data-based systems. They are not appropriate for writing abstract requirements, for which axiomatic specifications should be used. Though E ↓ ( D)-logic is able to specify concrete process structures as well, cf. Sect. 4.3, operational specifications provide a convenient representation of desired behaviours while undesired behaviours are automatically excluded and need not be explicitly formalised as in the declarative, axiomatic specification style. Operational specifications allow a graphic representation close to well-known formalisms in the literature, like UML protocol state machines, cf. [OMG17, KMRG15]. Nevertheless, as will be shown in Sect. 5.3, finite operational specifications can be characterised by a sentence in E ↓ ( D)-logic. Therefore, E ↓ ( D)-logic is still the common basis of our development approach.
Transitions in an operational specification are tuples (c, ϕ, e, ψ, c ) with c a source control state, ϕ a precondition, e an event, ψ a state transition predicate specifying the possible effects of the event e, and c a target control state. In the semantic models an event must be enabled whenever the respective source data state satisfies the precondition (condition (1) in Def. 11). Thus isolating preconditions has a semantic consequence that is not expressible by transition predicates only. The effect of the event must respect ψ; no other transitions are allowed, i.e., any semantic transition must be justified by a syntactic one (condition (2) in Def. 11).

Example 22
We construct an operational specification ATM for the ATM example using Attr b ,A b as data state institution; see Ex. 5(c). ATM will reappear in Sect. 6 in a refinement chain for the implementation of Sp 0 . The ed signature of ATM is AT M (E 1 , ι : b → A ) where E 1 {insertCard, enterPIN, ejectCard, cancel}, b is the base signature of Attr b ,A b , and A is the attribute signature induced by the set of attributes A {check : Bool, trials : Int}. The integer-valued attribute trials is used to count the number of the attempts to enter a correct PIN (with the same card). Specification ATM is graphically presented in Fig. 2. The initial control state is Card and the initial state predicate is true. If no precondition is explicitly indicated, it is true.
Operational specifications can be composed by a syntactic parallel composition operator which synchronises shared events. Two ed signatures 1 and 2 are composable if δ( 1 ) : 0 → 1 and δ( 2 ) : 0 → 2 (for the same 0 ); their parallel composition is given by 1 ⊗ 2 with E ( 1 ⊗ 2 ) E ( 1 ) ∪ E ( 2 ) and δ( 1 ⊗ 2 ) :
Let us abbreviate 1 +
For a similar construction for transition predicates ψ i ∈ Sen 2 D (δ( i )) we note that by the uniqueness of pushouts in D up to isomorphism, there are uniquely determined D-signature morphisms 2 δ( i
With these morphisms a transition predicate
Moreover, let id ( i ) denote the invariance sentence id (δ( i ), δ( i )) ∈ Sen 2 D (δ( 1 ⊗ 2 )) for 1 ≤ i ≤ 2 which requires that composite states do not change on the i part.
Note that joint moves with e cannot become inconsistent due to composability of ed signatures. An example for parallel composition of operational specifications is shown in Fig. 4.

Expressiveness of E ↓ ( D)-logic
We show that the semantics of an operational specification O with finitely many control states can be characterised
It is fin(c) where this algorithm mainly deviates from [MBHM18]: In order to ensure that no other transitions from c exist than those specified in O, fin(c) produces the requirement that at state c, for every event e and for every subset P of the transitions outgoing from c, whenever an e-transition can be done with the combined effect of P but not adhering to any of the effects of the currently not selected transitions, the e-transition must have one of the states as its target that are target states of P . The rather complicated formulation is due to possibly overlapping preconditions where for a single event e the preconditions of two different transitions may be satisfied simultaneously. For a state c, where all outgoing transitions for the same event have (semantically) disjoint preconditions, the E ↓ ( D)-formula returned by fin(c) is equivalent to
In both cases the actions involve a conjunction of a state predicate ϕ and a transition predicate ψ that indeed can be combined faithfully using Prop. 1.

Example 23
We show the first few steps of representing the operational specification ATM of Fig. 2
As there is only a single outgoing transition from Card, the special case of disjoint preconditions applies for the finalisation call, and is the result of fin(Card).

Constructor implementations and refinement in E ↓ ( D)
The semantics of a specification is loose and usually allows several different models for its realisation. A refinement step is therefore understood as a restriction of the model class of an abstract specification. Following the terminology of Sannella and Tarlecki [ST88, ST12], we will call a specification which refines another one an implementation. Formally, a specification Sp is a simple implementation of a specification Sp over the same signature, in symbols Sp Sp , whenever (Sp) (Sp ) and Mod(Sp) ⊇ Mod(Sp ). This implementation notion is, however, too simple for many practical applications. It requires the same signature for specification and implementation and does not support the process of constructing an implementation. Therefore, Sannella and Tarlecki have proposed the notion of constructor implementation which is a generic notion applicable to specification formalisms which are based on institutions. We will reuse the ideas in the context of E ↓ ( D)-logic, of course staying generic w.r.t. the underlying data institution.

Constructor implementations
We apply the notion of a constructor implementation [ST88, ST12] to E ↓ ( D)-logic and extend it to take into account a change of institutions. For signatures 1 , . . ., n , ∈ |S E ↓ ( D) |, a constructor κ from ( 1 , . . ., n ) to is a (total) function κ
Given a constructor κ from ( 1 , . . ., n ) to and a set of constructors κ i from ( 1 i , . . ., k i i ) to i , 1 ≤ i ≤ n, the constructor (κ 1 , . . ., κ n ); κ from ( 1 1 , . . ., k 1 1 , . . ., 1 n , . . ., k n n ) to is obtained by the usual composition of functions. The following definitions apply to both axiomatic and operational specifications since the semantics of both is given in terms of ed signatures and model classes of edts. In particular, the implementation notion allows us to implement axiomatic specifications by operational specifications.
Definition 13 Given specifications Sp, Sp 1 , . . ., Sp n and a constructor κ from ( (Sp 1 ), . . ., (Sp n )) to (Sp), the tuple Sp 1 , . . ., Sp n is a constructor implementation via κ of Sp, in symbols Sp κ Sp 1 , . . ., Sp n , if for all
It may sound strange to call the case n > 1 a decomposition since κ composes structures. But indeed the idea is to split the implementation of a specification into parts (the decomposition) and then to justify that the implementation is correct by showing that those parts composed by the n-ary constructor κ satisfy the requirements of the original specification. In the sequel all constructors apart from parallel composition will have arity n 1. The notion of simple implementation is also captured by the above definition if we choose the identity constructor.
Using an institutional approach in system development has also the advantage that one can work in heterogeneous logical environments where several institutions may be used depending on different kinds of properties, views, and aspects to be expressed by the formalism. This can even be supported by tools, like the heterogeneous tool set HeTS [MML07]. A particularly relevant case is the change of institution when moving from a higher abstraction level to a more concrete one. The need for such a change may be motivated by the need of richer expressiveness when moving towards an implementation. For that purpose we will use institution comorphisms; cf. Sect. 2. The next definition incorporates institution comorphisms in the definition of constructor implementation. It is a particular application of the notion of a generalised constructor in [ST12].
Definition 14 Let ν ↓ : E ↓ ( D) → E ↓ ( D ) be a lifted comorphism between event/data institutions; see Sect. 4.6. Given a specification Sp over E ↓ ( D), specifications Sp 1 , . . ., Sp n over E ↓ ( D ) and a constructor κ from ( (Sp 1 ), . . ., (Sp n )) to ( ν ↓ ) S ( (Sp)), the tuple Sp 1 , . . ., Sp n is a constructor implementation via κ and ν ↓ of Sp, in symbols Sp
We now introduce a set of constructors in the context of E ↓ ( D)-signatures and edts. The constructors will be illustrated by a refinement chain of implementation constructions starting with the abstract ATM specification Sp 0 in Ex. 21. The first three specifications are developed in E ↓ ( Prop ∅ ). Then we change the data state institution and continue with E ↓ ( Attr b ,A b ). From ATM onwards we use operational specifications:

Reduct constructors and institution change
Reduct constructors allow us to move from one signature to another one via a signature morphism σ . The refinement is correct if the σ -reducts of the models of the more concrete specification are models of the abstract specification. Depending on the form of σ a variety of implementation constructions can be expressed. If σ is bijective we obtain a one-to-one renaming; if σ is just injective the target signature is larger and the reduct, going in the converse direction, hides the added details when constructing abstract models from concrete ones. This kind of semantic construction going in the converse direction led to the name "constructor implementation".
Definition 15 Let σ : → be an ed signature morphism. The reduct constructor κ σ from to maps any
The following characterisation of implementation correctness for reduct constructors is a direct consequence of the satisfaction condition of E ↓ ( D). It shows that for implementing an axiomatic specification Sp via a reduct constructor it is sufficient to check that the (syntactically translated) axioms of Sp hold in the concrete specification.
Example 24 Consider the specification Sp 0 from Ex. 21. We provide a refinement of this specification by adding the possibility to cancel an ATM transaction. For this purpose we use a specification Sp 1 ( 1 , Ax 1 ) with the ed signature 1 (E 1 , δ P ) containing the cancel event; cf. Ex. 11. The axioms of Sp 1 are the following sentences, which are similar to the axioms of Sp 0 but take into account cancel.
(1.1) "Whenever a card has been inserted, a correct PIN can be entered and also the transaction can be cancelled." [E_1^* ; insertCard]( enterPIN check true ∧ cancel true)

(1.2) "Whenever either a correct PIN has been entered or the transaction has been cancelled, the card can be ejected." [E_1^* ; (enterPIN check ) + cancel] ejectCard true

(1.3) "A card cannot be ejected if it was not inserted before." [(−insertCard) * ; ejectCard]false
The 1 -edts M 1 shown in Fig. 1a is a model of Sp 1 . To formally justify that specification Sp 1 is a correct implementation of Sp 0 we use the reduct constructor κ σ 0 associated to the ed signature (inclusion) morphism σ 0 : 0 → 1 described in Ex. 11. In fact, κ σ 0 is an event restriction constructor. To check that Sp 0 κ σ 0 Sp 1 is a constructor implementation it is sufficient, by Thm. 3, to show that for all M 1 ∈ Mod E ↓ ( Prop ∅ ) (Sp 1 ) it holds that M 1 satisfies the axioms (0.1-0.3) of Sp 0 . Axiom (0.1) is an obvious consequence of axiom (1.1) of Sp 1 since the latter strengthens (0.1). Similarly, axioms (1.2) and (1.3) of Sp 1 strengthen (0.2) and (0.3) respectively. Note that in the axioms of Sp 1 , E_1 ranges over all events of 1 and hence includes cancel. The complex action −insertCard in (1.3) ranges over all events of 1 except insertCard.

Example 25
In a second refinement step we provide a simple implementation Sp 1 Sp 2 such that the specification Sp 2 ( 1 , Ax 2 ) has the same signature as Sp 1 . The axioms of Sp 2 are the sentences (2.1-2.4) below, which already have a constructive flavour. Axioms (2.1) to (2.3) specify that only the desired behaviour should happen. Axioms (2.3) and (2.4) use binders and state variables from hybrid logic to specify a loop. Axiom (2.4) deals, additionally to the previous specifications, with the situation when an incorrect PIN has been entered too often.
(2.1) "At the beginning and whenever the control state of the beginning is reached, a card can be inserted with the effect that check is false, and nothing else is possible." "Whenever the control state of the beginning is reached" is expressed by the jump operator @x 0 .

(2.2) "Whenever a card has been inserted, a correct and an incorrect PIN can be entered and also the transaction can be cancelled; but nothing else." [E_1^* ; insertCard]( enterPIN check true ∧ enterPIN ¬check true ∧ cancel true ∧ [−{enterPIN, cancel}]false)

(2.3) "Whenever either a correct PIN has been entered or the transaction has been cancelled, the card can be ejected and the ATM starts at the control state from the beginning. Nothing else is possible then."

(2.4) "Whenever an incorrect PIN has been entered three times in a row the ATM goes back to the initial control state." Hence the current card is not ejected; it is kept.
x 0

It can easily be checked that all models of Sp 2 must satisfy the axioms (1.1-1.3) of Sp 1 , i.e., Sp 1 Sp 2 holds: Axiom (1.1) is obviously a consequence of the stronger axiom (2.2). Similarly, (1.2) is a consequence of the stronger axiom (2.3). Axiom (1.3) is a consequence of (2.1) which requires that the first event is always insertCard. Note that the 1 -edts M 1 shown in Fig. 1a is not a model of Sp 2 since it does not satisfy (2.4). A model M 2 of Sp 2 is shown in Fig. 3. Since Sp 1 Sp 2 , M 2 is also a model of Sp 1 and, since Sp 0 κ σ 0 Sp 1 holds, the σ 0 -reduct of M 2 is a model of Sp 0 . This reduct removes from M 2 all cancel transitions, the configuration (Return, ¬check), and its outgoing ejectCard transition.
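As an added illustration of Examples 24 and 25 (example code, not from the paper), the interpreter below evaluates box and diamond formulae over complex actions (sequence, choice, star, event complement) on a small event/data transition system, then checks the axioms (1.1)-(1.3) of Sp 1 on a constructed model and the reduct along the event inclusion σ 0 that hides cancel. The model, the reading of the reduct as "drop hidden-event transitions, then prune unreachable configurations" taken from the description of M 2 above, and the axioms of Sp 0 (assumed to be (1.x) with the cancel parts dropped) are assumptions of the example; data states are sets of true propositions, so the transition predicate of an atomic action e // ψ is a callable on the (pre, post) data states.

```python
# Actions: ('ev',e,psi) ('any',) ('not',S) ('seq',a,b) ('alt',a,b) ('star',a)
# Formulae: ('true',) ('not',f) ('and',f,g) ('box',a,f) ('dia',a,f)
class EDTS:
    """Event/data transition system: configurations are (control state, data state)."""
    def __init__(self, events, initial, trans):
        self.events, self.initial, self.trans = set(events), set(initial), set(trans)
    def step(self, confs, e, psi=None):
        # one e-transition whose (pre, post) data states satisfy the predicate psi
        return {g2 for (g1, ev, g2) in self.trans
                if g1 in confs and ev == e and (psi is None or psi(g1[1], g2[1]))}

def reach(M, confs, act):
    """Configurations reachable from confs by the complex action act."""
    k = act[0]
    if k == 'ev': return M.step(confs, act[1], act[2])
    if k in ('any', 'not'):                      # E, resp. -S: all events (except S)
        evs = M.events - (act[1] if k == 'not' else set())
        return set().union(*(M.step(confs, e) for e in evs))
    if k == 'seq': return reach(M, reach(M, confs, act[1]), act[2])
    if k == 'alt': return reach(M, confs, act[1]) | reach(M, confs, act[2])
    seen, frontier = set(confs), set(confs)      # 'star': reflexive-transitive closure
    while frontier:
        frontier = reach(M, frontier, act[1]) - seen
        seen |= frontier
    return seen

def sat(M, g, phi):
    k = phi[0]
    if k == 'true': return True
    if k == 'not': return not sat(M, g, phi[1])
    if k == 'and': return sat(M, g, phi[1]) and sat(M, g, phi[2])
    succ = reach(M, {g}, phi[1])                 # 'box' / 'dia' over a complex action
    return all(sat(M, s, phi[2]) for s in succ) if k == 'box' else any(sat(M, s, phi[2]) for s in succ)

def models(M, phi):
    return all(sat(M, g, phi) for g in M.initial)

def reduct(M, events0):
    # assumed reading of the sigma_0-reduct: hide dropped events, prune unreachable configurations
    keep = {t for t in M.trans if t[1] in events0}
    seen, frontier = set(M.initial), set(M.initial)
    while frontier:
        frontier = {g2 for (g1, _, g2) in keep if g1 in frontier} - seen
        seen |= frontier
    return EDTS(events0, M.initial, {t for t in keep if t[0] in seen})

# Constructed model in the spirit of Fig. 1a; data state = frozenset of true propositions.
IDLE, CARD, OK, RET = ('Idle', frozenset()), ('Card', frozenset()), ('PINok', frozenset({'check'})), ('Return', frozenset())
E1 = {'insertCard', 'enterPIN', 'ejectCard', 'cancel'}
M1 = EDTS(E1, {IDLE}, {(IDLE, 'insertCard', CARD), (CARD, 'enterPIN', OK), (CARD, 'cancel', RET),
                       (OK, 'ejectCard', IDLE), (RET, 'ejectCard', IDLE)})
check = lambda pre, post: 'check' in post        # transition predicate of enterPIN // check
ev = lambda e, psi=None: ('ev', e, psi)
TRUE, FALSE, ANY_STAR = ('true',), ('not', ('true',)), ('star', ('any',))
AX = {  # axioms (1.1)-(1.3) of Sp_1 as on the page
    '1.1': ('box', ('seq', ANY_STAR, ev('insertCard')),
            ('and', ('dia', ev('enterPIN', check), TRUE), ('dia', ev('cancel'), TRUE))),
    '1.2': ('box', ('seq', ANY_STAR, ('alt', ev('enterPIN', check), ev('cancel'))), ('dia', ev('ejectCard'), TRUE)),
    '1.3': ('box', ('seq', ('star', ('not', {'insertCard'})), ev('ejectCard')), FALSE),
    # assumed axioms (0.1), (0.2) of Sp_0: the cancel parts dropped, so that (1.x) strengthens (0.x); (0.3) = (1.3)
    '0.1': ('box', ('seq', ANY_STAR, ev('insertCard')), ('dia', ev('enterPIN', check), TRUE)),
    '0.2': ('box', ('seq', ANY_STAR, ev('enterPIN', check)), ('dia', ev('ejectCard'), TRUE)),
}

def check_refinement():
    """Sp_0 -> Sp_1 via the event-restriction reduct: (Sp_1 holds in M1, Sp_0 holds in M1|sigma_0)."""
    M0 = reduct(M1, E1 - {'cancel'})
    return (all(models(M1, AX[a]) for a in ('1.1', '1.2', '1.3')),
            all(models(M0, AX[a]) for a in ('0.1', '0.2', '1.3')))
```

Note that 'any' ranges over the events of the model's own signature, so in the reduct E ranges over 0 only, exactly as the remark on E_1 above requires for 1 .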
During the development process it may turn out that the data state institution at hand is not expressive enough to model more concrete solutions. In such cases a change of institution is necessary. Then one can continue with constructors in the new institution as considered in Def. 14. If the constructor is a reduct constructor, the next theorem, generalising Thm. 3, is helpful to prove implementation correctness with institution change. It is a direct consequence of the satisfaction conditions of event/data institutions and institution comorphisms.

a specification into parts (the decomposition) and then to justify that the implementation is correct by showing that the parallel, synchronous product of the parts satisfies the requirements of the original specification.
An obvious question is how the semantic parallel composition constructor is related to the syntactic parallel composition of operational specifications. The following proposition shows that semantic parallel composition is included in the semantics of syntactic parallel composition.
Proposition 2 Let O 1 , O 2 be operational specifications with composable signatures. Then where

Example 28
We finish the refinement chain for the ATM specifications by applying a decomposition into two parallel components. The operational specification ATM of Fig. 2 (and Ex. 26) describes the interface behaviour of an ATM interacting with a user. For a concrete realisation, however, an ATM will also interact internally with other components, like, e.g., a clearing company which supports the ATM in verifying PINs. Our last refinement step hence realises the specification ATM by two parallel components, represented by the operational specification ATM in Fig. 4a and the operational specification CC of a clearing company in Fig. 4b. Models of both specifications communicate (via shared events) when a model of ATM sends a verification request verifyPIN to a model of CC. The clearing company model can answer with correctPIN or wrongPIN and then the ATM model continues following its specification. For the implementation construction we use the parallel composition constructor

outputs as in I/O-automata [Lyn03]. Then also communication compatibility, see [dAH01] for interface automata without and [MCM09] with data, as well as [MCM09,BHW11] for interface theories with data, would become relevant when applying the parallel composition constructor. E ↓ ( D)-logic is not equipped with a proof system for deriving consequences of specifications, which is a work package of its own. This would also support the proof of refinement steps, which is currently achieved by purely semantic reasoning. A proof system for E ↓ ( D)-logic must cover dynamic and hybrid logic parts at the same time, like the proof system in [MBHM18], which, however, does not consider data states, and the recent calculus of [BP18], which extends differential dynamic logic but does not handle events and reactions to events. Both proof systems could be appropriate candidates for incorporating the features of E ↓ ( D)-logic. On the other hand, as concerns operational specifications, we have already implemented a tool for the verification of refinements supporting our constructors for implementations; see the reference in Sect. 1. An integration into HeTS would allow for a combination of E ↓ ( D) with other provers and heterogeneous institutions.

Definition 1
An institution (S, Str, Sen, | ) consists of
- a category S whose objects are called signatures and arrows signature morphisms;
- a functor Str : S op → Cat, giving for each signature a category whose objects are called -structures, and whose arrows are called -(structure) morphisms; each arrow σ : → in S (i.e., σ : → in S op ) is mapped to a functor Str(σ ) : Str( ) → Str( ) called reduct functor, whose effect is to cast a structure of as a structure of ; when M Str(σ )(M ) we say that M is the σ -reduct of M ;
- a functor Sen : S → Set, giving for each signature a set whose elements are called sentences over that signature; each arrow σ : → in S is mapped to a sentence translation function Sen(σ ) : Sen( ) → Sen( );
- a family | (| ⊆ |Str( ) | × Sen( )) ∈|S| of satisfaction relations determining, for each signature , satisfaction of -sentences by -structures (where |Str( )| denotes the objects of the category Str( )) such that for each signature morphism σ : → in S, the satisfaction condition M | Sen(σ )(ϕ) ⇐⇒ Str(σ )(M ) | ϕ holds for each M ∈ |Str( )| and ϕ ∈ Sen( ); graphically,

Finally, the satisfaction relation A | F O ϕ for a -algebra A ∈ |Str F O ( )| and a sentence ϕ ∈ Sen F O ( ) is defined by A, β | F O ϕ for an arbitrary valuation β (as ϕ shows no free variables).

Finally
can be checked by structural induction over ρ.
is given by the satisfaction relation | in D, i.e., for each M ∈ |Str D (δ)|⊆ |Str D ( )| and ϕ ∈ Sen D (δ) Sen D ( ): M | D δ ϕ if, and only if, M | D ϕ.

Remark 1. A data institution D over D is indeed an institution. The satisfaction condition follows from condition * taking into account that the satisfaction relation in D is inherited from D and that D is an institution. More precisely, let (σ 0 , σ ) : (δ : 0 → ) → (δ : 0 → ) be a signature morphism in S D and M ∈ |Str D (δ )|, ϕ ∈ Sen D (δ). Then

Remark 2.
A data institution D over D is uniquely defined once a subcategory S D of the arrow category (S D ) → and a functor Str D : (S D ) op → Cat satisfying the above conditions are selected. According to condition * there is only one way to define the reduct functor Str D (σ 0 , σ ) for signature morphisms (σ 0 , σ ) : (δ : 0 → ) → (δ : 0 → ) in S D . In fact Str D (σ 0 , σ ) works like the reduct functor Str D (σ ) in D. In concrete examples the critical part is to check that for every M ∈ |Str D (δ ) | indeed Str D (σ )(M ) ∈ |Str D (δ) | holds and that for every morphism μ :

which directly satisfies (*).

(b) A first data state institution Attr F O b ,A b over the institution F O of many-sorted first-order logic with equality, see Ex. 1(b), considers sorted attributes over a base signature b and a fixed algebra A b . We fix a many-sorted base signature b ∈ |S F O | providing sorts and function symbols for primitive data types like booleans, integers, etc., and we fix a (standard) interpretation given by a b -algebra A b ∈ |Str F O ( b )|. In particular, we assume that b contains a sort Bool and constants tt : Bool, ff : Bool such that A b interprets Bool by B with tt A b tt and ff A b f f . An attribute over b is a constant function symbol, denoted by a : s, whose sort s belongs to the sorts of b . Any set A of attributes over b defines an attribute signature A which is a many-sorted signature with subsignature b such that A and b have the same sorts and the function symbols of A extend the function symbols of b by the attributes A.
For the signature category S Attr F O b ,A b of Attr F O b ,A b we take as objects all the inclusion signature morphisms ι : b → A in F O where A is an attribute signature over b . These inclusion signature morphisms are also closed under pushouts which correspond to disjoint unions. As signature morphisms (σ 0 , σ ) : (ι : b → A ) → (ι : b → A ) in Attr F O b ,A b we take σ 0 1 b and all signature morphisms σ : A → A in F O such that the restriction of σ to b is the identity on b . Hence there is a one-to-one correspondence between the signature morphisms in S Attr F O b ,A b and the set of sort-preserving mappings from A to A . Obviously, 1 b ; ι ι; σ holds and the category S Attr F O b ,A b of signatures in Attr F O b ,A b is a subcategory of the arrow category (S F O ) → . For the structures functor Str Attr F O b ,A b we take for each ι : b → A ∈ |S Attr F O b ,A b | the category whose objects are all A -algebras A ∈ |Str F O ( A )| such that A|ι A b and whose morphisms h : A 1 → A 2 are all A -algebra homomorphisms such that h|ι 1 A b . Hence there is a one-to-one correspondence between the class of Attr F O b ,A b -structures with signature ι : b → A and the class of all valuations mapping attributes (a : s) ∈ A to values of sort s in the algebra A b . For each signature morphism (1 b , σ ) : (ι : b

well-defined: By the functorial property of the reduct functor in F O and since 1 b ; ι ι; σ , we obtain that (A |σ )|ι (A |ι )|1 b A |ι A b , i.e., A |σ ∈|Str Attr F O b ,A b (ι)|; it follows similarly that h |σ is a morphism in Str Attr F O b ,A b (ι). For each ι : b → A the sentences in Sen Attr F O b ,A b (ι) are the first-order A -sentences in F O and the satisfaction relation in Attr F O b ,A b is the first-order satisfaction relation.

(c) A second data state institution Attr b ,A b over F O is defined just as Attr F O b ,A b but omits quantification in the sentences, i.e., S Attr b ,A b S Attr F O b ,A b and, for each (ι : b → A ) in S Attr b ,A b , the sentences in Sen Attr b ,A b (ι) are the quantifier-free A -sentences in F O . The satisfaction relation in Attr b ,A b is the first-order satisfaction relation but restricted to quantifier-free sentences. Other variants of attribute-based institutions are also possible, like, for instance, allowing only finite sets of attributes in the signatures.

Example 6
Thus the institution comorphism ν : D → D can be lifted to the institution comorphism ν : D → D . The institution comorphism ν : Prop → F O of Ex. 4 maps a Prop-signature P to P ({Bool}, {tt : Bool} ∪ {p : Bool | p ∈ P }) such that b → P as b (see Ex. 5(b)) shows at least the additional function symbol ff . Thus the first condition on signatures for lifting an institution comorphism to a comorphism between data state institutions is violated. However, we may consider a subtly changed institution comorphism ν b : Prop → F O that maps P to b,P b ∪ ({Bool}, {p : Bool | p ∈ P }) but otherwise is defined as the comorphism in Ex. 4. Then an institution comorphism ν b : Prop ∅ → Attr b ,A b from the data state institution Prop ∅ to the data state institution Attr b ,A b (see Ex. 5(c)) can be obtained by lifting ν b to the extended data signatures since (ν b ) S (∅) b and (ν b ) Str P (A ) is an object and (ν b ) Str P (h ) a morphism in Str Prop ∅ (δ P : ∅ → P ) Str Prop (P ).
The satisfaction relation in a 2-data state institution relies on the construction of an amalgamation of M 1 and M 2 in D. The existence of such pushouts and amalgamations is guaranteed since D satisfies the amalgamation property. Let D (S D , Str D , Sen D , | D ) be a data state institution over D. The 2-data state institution 2 D (S 2 D , Str 2 D , Sen 2 D , | 2 D ) over D consists of the following parts:
- The category S 2 D of 2 D-signatures is the category S D .
- The structures functor Str 2 D : (S 2 D ) op → Cat maps each δ ∈ |S 2 D | |S D | to the cartesian product of categories Str D (δ) × Str D (δ) and each signature morphism (σ 0 , σ ) : δ → δ in S 2 D S D to the cartesian product of functors Str D (σ 0 , σ ) × Str D (σ 0 , σ ) : Str D (δ ) × Str D (δ ) → Str D (δ) × Str D (δ). Hence, for each δ : 0 → , structures in |Str 2 D (δ)| are pairs of structures M 1 , M 2 ∈ |Str D (δ)|, and reducts of 2 D-structures (M 1 , M 2 ) are computed pairwise.
- The sentence functor Sen 2 D : S 2 D → Set is defined as follows: For each signature δ : 0 → ∈ |S 2 D | |S D |, we assume given a specifically chosen pushout of δ with itself in S D , denoted by ( + δ 0 , ( δi : → + δ Sen 2 D (δ) of 2 D-sentences is Sen D (2δ) Sen D ( + δ 0 0 .
- The satisfaction relations in 2 D are defined as follows: For each 2 D-signature δ : 0 → ∈ |S 2 D | |S D | together with the pushout diagram above, and for any (M 1 , M 2 ) ∈ |Str 2 D (δ) | |Str D (δ) | ×|Str D (δ) | the amalgamation property for D yields the amalgamation M 1 × δ M 2 ∈ |Str D ( + δ 0 ) | as illustrated in the subsequent diagram, since Str D (δ)(M 1 ) M δ Str D (δ)(M 2 ) as required for structures in |Str D (δ)|:

(b) Similarly to 2Prop ∅ , the construction of a 2-data state institution 2 Attr b ,A b of equational attributes from Attr b ,A b defined in Ex. 5(c) can choose as the pushout signature A + ι b

Thus the institution comorphism ν : D → D obtained from ν : D → D can be further lifted to the institution comorphism ν 2 : 2 D → 2 D .

Example 8 The institution comorphism ν b of Ex. 6 obtained as a lifting from the institution comorphism ν b can be further lifted to an institution comorphism ν 2 b : 2Prop ∅ → 2 Attr b ,A b since, using the notation of Ex. 6, ν b maps P + δ P ∅ P to b,P + ι P b + b,P with ι P : b → b,P .
and only if, Str D (σ 1 )(M 1 ) Str D (σ 1 )(M 2 ).

Example 10 Let ι : b → A be a signature in 2 Attr b ,A b and A f ⊆ A be a finite subset of attributes. Then the sentence a∈A f a a in 2 Attr b ,A b is an invariance sentence w.r.t. (ι 0 : b
e., reflexive-transitive closure of relations. The satisfaction of state formulae ϕ relies on the satisfaction relation of the underlying data state institution D. Similarly, satisfaction of diamond formulae λ relies, for λ e ψ, on the satisfaction relation of the 2-data institution 2 D (via the relations R(M ) e ψ ). To define satisfaction of formulae involving the jump operator we use the following (generalised) reachability notion:

and γ γ n . Now, γ ∈ 0 (M |σ ) if, and only if, γ ∈ 0 (M ); and, if γ ∈ (M |σ ), γ ∈ (M ), and e ∈ E ( ), then (γ , γ ) ∈ R(M |σ ) e if, and only if (γ , γ ) ∈ R(M ) E (σ )(e) . Thus by induction, γ ∈ F (M |σ ) if, and only

etc., which then defines ( ν ↓ ) Sen as ν F on sentences. The satisfaction condition is routinely checked by structural induction on E ↓ ( D)-formulae.

Example 20 We can lift the institution comorphisms ν b : Prop ∅ → Attr b ,A b and ν 2 b : 2Prop ∅ → 2 Attr b ,A b for data state institutions in Ex. 6 and Ex. 8 to an institution comorphism ν ↓ b

Fig. 4. Operational specifications ATM , CC and their parallel composition κ ⊗ from ( ( AT M ), (CC)) to ( AT M ) ⊗ (CC) which synchronises the models of ATM and CC on shared events. The signature of CC consists of the events shown on the transitions in Fig. 4b. Moreover, there is one integer-valued attribute count counting the number of verification tasks performed. The signature of ATM extends (ATM ) by the events verifyPIN, correctPIN and wrongPIN. The ed signature (ATM ) ⊗ (CC) is therefore ( Ê , ι : b → Â) with Ê {insertCard, enterPIN, ejectCard, cancel, verifyPIN, correctPIN, wrongPIN}

Example 1 We sketch propositional logic and many-sorted first-order logic with equality as institutions Prop and F O , respectively (for detailed expositions see, e.g., [ST12]). (a) Propositional logic Prop (S Prop , Str Prop , Sen Prop , | Prop ). The category of propositional signatures S Prop has sets P of propositional variables as objects and functions π : P → P as morphisms. The propositional structures functor Str Prop : (S Prop ) op → Cat maps each signature P ∈ |S Prop | to the category Str Prop (P ) with functions μ : P → B { f f , tt} as objects and h : μ 1 → μ 2 a (unique) morphism from μ 1 : P → B to μ 2 : P → B if {p | μ 1 (p) tt} ⊆ {p | μ 2 (p) tt}; and each signature morphism π : P → P to the reduct functor Str Prop (π ) : Str Prop (P ) → Str Prop (P ) defined by Str Prop (π )(μ ) π ; μ for each μ ∈ |Str Prop (P ) | such that indeed Str Prop

Institutions Prop and F O from Ex. 1 are closed under boolean connectives by definition.