
www.elsevier.com/locate/datak

Data & Knowledge Engineering 51 (2004) 277–294

A transition logic for schemata conflicts

Veselka Boeva *, Love Ekenberg

Department of Computer Systems, Technical University of Plovdiv, Str. Tsanko Dyustabanov 25, 4000 Plovdiv, Bulgaria

Department of Computer and System Sciences, Stockholm University and The Royal Institute of Technology, SE-164 40 Stockholm, Sweden

Received 22 September 2003; received in revised form 21 January 2004; accepted 12 May 2004

Available online 11 June 2004

Abstract

Conflict detection and analysis are of high importance, e.g., when integrating conceptual schemata, such as UML-Specifications, or analysing goal-fulfilment of sets of autonomous agents. In general, models for this introduce unnecessarily complicated frameworks with several disadvantages regarding semantics as well as complexity. This paper demonstrates that an important set of static and dynamic conflicts between specifications can be diagnosed using ordinary first-order modal logic. Furthermore, we show how the framework can be extended for handling situations when there are convex sets of probability measures over a state-space. Thus, representing specifications as conceptual schemata and using standard Kripke models of modal logic, augmented with an interval-valued probability measure, we propose instrumental definitions and procedures for conflict detection.

© 2004 Elsevier B.V. All rights reserved.

Keywords: Interval probability; Modal logic; Conflict detection; Schema integration; UML

1. Background

Quality is one of the main concerns in today's systems and software development and use. One important instrument for this purpose is the use of formal methods, where sets of requirements and detailed designs are analysed formally to determine their relationships. Formal methods have mainly been used for technical systems, including safety critical applications. However, the rapid technological development, and the increasing number and complexity of software systems, is gradually blurring the borders: systems become more complex. In this context, detection of conflicts is of great importance for software systems, e.g., for integration of conceptual schemata, verification of design specifications and for analysis of goal fulfilment in multi-agent systems. However, most frameworks, particularly for dynamic conflict detection, introduce non-standard objects and formalisms, leading to severe confusion, both regarding the semantics and the computability.

* Corresponding author. Address: Department of Computer Systems, Technical University of Plovdiv, Str. Tsanko Dyustabanov 25, 4000 Plovdiv, Bulgaria.

E-mail addresses: [email protected] (V. Boeva), [email protected] (L. Ekenberg).

0169-023X/$ - see front matter © 2004 Elsevier B.V. All rights reserved.

doi:10.1016/j.datak.2004.05.004

Conflict detection and schema integration have proliferated in various contexts for a couple of years, mainly in the database integration literature, but these typically deal with simple first-order integration conflicts. Schema integration in this sense has occurred in distributed database management for investigating the issue of combining one or more database systems into an integrated system [5,7,34,39].

More generally, formal aspects on these issues and specification languages have been extensively treated in the literature and the approaches to this can basically be sorted into four basic categories. Formal notations have been developed for particular purposes, such as Z, Z++, Object-Z, etc. [17,32]. Another category consists of semi-formal languages [12]. Another approach is to integrate an informal technique with a formal one, e.g., FuZed [8] or Fusion [11]. The fourth category consists of approaches for using or modifying more standard formal languages like logic or algebra.

For instance, [9,16,36] discuss different varieties of temporal logic and BDI logic for the target language, but also here, unnecessarily complicated machineries are introduced. An object-oriented approach to conceptual schema has been developed in [25,38]. It introduces a semantics centered around modal theories as descriptions of objects. Further, Distefano et al. [15] present a logic called object-based temporal logic, that facilitates the specification of dynamic and static properties of object-based systems. An approach based on modal transition systems [33] and probabilistic specifications [29] has been considered in [31]. However, most of the existing approaches to schema integration have not discussed the problems of conflict identification and are basically concerned with the representation and the conflict resolution, see e.g., [35,41].

Some approaches to more elaborated methods for conflict identification have nevertheless been suggested earlier, e.g., in [2,3,18,19], where various aspects of schema integration were discussed and later applied to integration of multi-agent architecture designs for handling problematic cases of global inconsistency in distributed information systems [6,14,21]. In [21], a formal model for the analysis of conflicts in sets of autonomous agents described in a first-order language and by a transaction mechanism was presented. The approach took static as well as dynamic aspects of interaction into account. Some technical details of such a model were also considered in [18], where an approach using integration assertions [27,28] was chosen to demonstrate how different aspects of integration of the models formulated in first-order logic can be analysed with respect to freeness of conflicts.

However, due to complexity considerations in particular domains, these approaches introduced an unnecessarily complicated framework. This complication can be reduced by the introduction of modal operators and herein, an approach using standard modal logic for expressing properties of specifications or schemata is introduced. A schema is represented as a normal system of modal logic. The advantage here is that many different systems of modal logic can be handled in a uniform way, since all these systems can be given a clear interpretation in terms of common Kripke's semantics of possible worlds. Furthermore, it is demonstrated that a quite weak language is sufficient for the purpose of modelling and analysing some important aspects of schema dynamics.

Based on these ideas, this paper elaborates on how the semantics for a schema can be interpreted in terms of canonical models for a system of modal logic. Two schemata can then be analysed, e.g., for freeness of conflicts by considering the standard models of modal logic that determine them.

Furthermore, an important problem is that the available information often is of imprecise nature. For instance in [20], conflicting telephone services are modelled as an agent system. Such situations involve large amounts of stochastic data with quite large confidence intervals. Thus, the provision of schema semantics, including reasonable measures of imprecise information over the sets of states, is clearly motivated in many contexts. A representational format for conflict detection should therefore allow for probability measures over schema state representation. Therefore, this paper also suggests a framework for the integration of probability distributions with a logic representation and conflict detection of conceptual schemata.

We are using semantics for individual conflicts with respect to first-order logic extended with common modal operators. The concept of freeness of conflicts is then defined in terms of Kripke models augmented with interval-valued probability measures. Using this, schemata can further be analysed for freeness of conflicts, taking in view that constituting formulae may hold with different probability in different states of the models.

To make these results more directly useful also for practitioners, we also demonstrate how static and dynamical properties in the widely used Unified Modelling Language (UML) can mechanically be translated to the proposed format.

The next section describes the representation format in detail. Thereafter, the UML translation to this format is described. Section 4 discusses how static and dynamic conflict detection is performed in the framework, and finally the conflict identification procedures are augmented by a probabilistic extension.

2. Schema representation framed in modal logic

This section provides a brief background to basic modal logic as well as a brief overview of a modal first-order logic framework for conceptual schemata.

2.1. Modal logic

Modal logic can be seen as a generalisation of classical propositional logic. It has been developed for formalizing arguments involving the notions of possibility and necessity. As was demonstrated in [26], modal logic (propositional and predicate) can be seen as a sub-logic of predicate logic (possibly with many sorts and generalized quantifiers).

The language of modal logic consists of a set of atomic formulae, logical connectives, e.g., $\wedge$, $\vee$, $\neg$, $\rightarrow$, $\leftrightarrow$, as well as modal operators of possibility $\Diamond$ and necessity $\Box$. The formulae of the language are of the following form: (i) atomic formulae; (ii) if $p$ and $q$ are formulae, so are $\neg p$, $p \wedge q$, $p \vee q$, $p \rightarrow q$, $p \leftrightarrow q$, $\Box p$, $\Diamond p$. Any system of modal logic contains the axiom

$$\mathrm{Df}\Diamond:\ \Diamond p \leftrightarrow \neg\Box\neg p$$

and the various different systems of modal logic can be obtained by imposing other additional axioms.

The most important fact in this context is that the different systems have a clear interpretation in terms of Kripke's semantics of possible worlds. Thus, the semantic analysis of a system of modal logic is performed using the notion of a model of modal logic, which is usually viewed as a structure of the form $M = \langle W, R, V \rangle$, where $W$ denotes a set of possible worlds (or states), $R$ is a binary relation on $W$ called accessibility relation and $V$ is a multi-valued mapping from the set of atomic formulae into $W$ called value assignment function.

The interpretation of the accessibility relation $R$ in a model of modal logic can vary significantly, but in general it may be thought as expressing the fact that some things may be possible from the standpoint of one world and impossible from the standpoint of another. Thus, $v \in R(w)$ means that world $v$ is an alternative to $w$ or $v$ is possible to world $w$. When imposing various conditions on the accessibility relation, we obtain different classes of models of modal logic that determine different systems of modal logic. For instance, a system containing the axiom [10]

$$T:\ \Box p \rightarrow p$$

corresponds to a class of reflexive models. The latter system is known as the normal system of modal logic, $KT$.$^{1}$

We use $\|p\|^{M}$ to denote the truth set of a formula $p$, i.e. the set of all worlds in which $p$ is true. Hence $V(p) = \|p\|^{M}$ for any atomic formula $p$. We say that a formula $p$ is true (valid) in a model $M = \langle W, R, V \rangle$ if and only if $\|p\|^{M} = W$, i.e. $\models^{M} p$.$^{2}$ The truth set is inductively extended to all non-modal formulae (formulae that do not contain $\Diamond$ and $\Box$) in the standard way. The truth conditions of modal formulae are defined using the accessibility relation $R$. Thus, for any formula $p$ and any world $w \in W$, we have

$$w \in \|\Diamond p\|^{M} \Leftrightarrow (\exists v \in W)(v \in R(w) \wedge v \in \|p\|^{M}),$$
$$w \in \|\Box p\|^{M} \Leftrightarrow (\forall v \in W)(v \in R(w) \Rightarrow v \in \|p\|^{M}).$$

2.2. Schema representation

In the sequel, we give a short overview of an approach to schema representation. It suggests translations of the set of concepts, introduced in [19,21], in terms of standard modal logic.

Definition 1. Let $L$ be a finite first-order language extended with the modal operators of possibility and necessity.

A schema $S$ is a normal system of modal logic $KT$ consisting of a finite set of closed first-order formulae in $L$.

$L(S)$ is the restriction of $L$ to $S$, i.e. $L(S)$ is the set $\{p \mid p \in L$, but $p$ does not contain any predicate symbols that are not components of formulas in $S\}$.

1 A detailed consideration of normal systems of modal logic can be found in [10].

2 $\models^{M} p$ means that $M$ is a model for $p$.

Transitions between different states of a schema are represented in terms of formulae containing modal operators.

Definition 2. Given a schema $S$. $P(z) \rightarrow \Diamond Q(z)$ is a transition between two states of $S$, where $P(z)$ and $Q(z)$ are first-order formulae in $L$, and $z$ is a vector of variables in the alphabet of $L$.$^{3}$

Informally, $P(z) \rightarrow \Diamond Q(z)$ expresses that a transition to a state containing $Q(z)$ is possible from a state such that $P(z)$ belongs to it.

We interpret the description of a schema in terms of a standard model of modal logic. This is based on the fact that a normal system of modal logic is determined by each of its canonical standard models [10]. A model $M$ is a canonical model for a system of modal logic $S$ iff it verifies just those formulae that are the theorems of the system.

Definition 3. The description of a schema $S$ is a standard model of modal logic $M = \langle W, R, V \rangle$, i.e. $M$ is characterized by

1. $W = \{w \mid w$ is an $S$-maximal set of formulae$\}$;$^{4}$
2. $(\forall w \in W)((\Diamond F(x) \in w) \Leftrightarrow ((\exists v \in W)(v \in R(w) \wedge F(x) \in v)))$.
3. For every atomic formula $F(x) \in L(S)$, $V(F(x))$ is the proof set$^{5}$ of the formula $F(x)$.

Thus, $W$ is the set of $S$-maximal sets of formulae, and in $M$ just those atomic formulae are true at a world as are contained by it, i.e. $V^{-1}(w)$ is the set of all atomic formulae that are true in $w$.$^{6}$ Moreover, $R$ is defined so that a world collects all the possibilitations of formulae occurring in its alternatives [10]. Further, because the worlds in a canonical model for a system of modal logic always verify just those formulae they contain, it follows that for any $F(x) \in L(S)$, $\|F(x)\|^{M}$ is the proof set of $F(x)$.

3 The notation $A(x)$ means that $x$ is free in $A(x)$.

4 $w$ is an $S$-maximal set of formulae when it is $S$-consistent and has only $S$-inconsistent proper extensions [10].

5 A proof set of a formula $F(x)$, is the set of $S$-maximal sets of formulae containing $F(x)$.

6 $V^{-1}$ is the inverse of the value assignment function $V$.

Example 1. Let us consider a schema

$$S_1 = \{\neg r(a) \vee r(b),\ r(c) \leftrightarrow r(a),\ r(a) \rightarrow \Diamond r(b),\ \neg r(a) \rightarrow \Diamond(\neg r(b) \wedge \neg r(c))\}.$$

The description of schema $S_1$ is a model $M_1 = \langle W_1, R_1, V_1 \rangle$, where $W_1 = \{w_1, w_2, w_3\}$ and

$$w_1 = \{r(a),\ r(b),\ r(c),\ \neg r(a) \vee r(b),\ r(c) \leftrightarrow r(a),\ r(a) \rightarrow \Diamond r(b),\ \neg r(a) \rightarrow \Diamond(\neg r(b) \wedge \neg r(c)),\ \Diamond r(b),\ \ldots\},$$

$$w_2 = \{\neg r(a),\ \neg r(b),\ \neg r(c),\ \neg r(a) \vee r(b),\ r(c) \leftrightarrow r(a),\ r(a) \rightarrow \Diamond r(b),\ \neg r(a) \rightarrow \Diamond(\neg r(b) \wedge \neg r(c)),\ \Diamond(\neg r(b) \wedge \neg r(c)),\ \ldots\},$$

$$w_3 = \{\neg r(a),\ r(b),\ \neg r(c),\ \neg r(a) \vee r(b),\ r(c) \leftrightarrow r(a),\ r(a) \rightarrow \Diamond r(b),\ \neg r(a) \rightarrow \Diamond(\neg r(b) \wedge \neg r(c)),\ \Diamond(\neg r(b) \wedge \neg r(c)),\ \ldots\}.$$

Then, due to Definition 3, the accessibility relation $R_1$ is given by the pairs $\{(w_1, w_1), (w_1, w_3), (w_2, w_2), (w_3, w_2), (w_3, w_3)\}$, and the value assignment function $V_1$ by

$$V_1(r(a)) = \{w_1\},\quad V_1(r(b)) = \{w_1, w_3\},\quad V_1(r(c)) = \{w_1\},$$
$$V_1(\neg r(a)) = \{w_2, w_3\},\quad V_1(\neg r(b)) = \{w_2\},\quad V_1(\neg r(c)) = \{w_2, w_3\}.$$
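The truth conditions of Section 2.1 applied to the model of Example 1, as an added Python example (not code from the paper): it computes truth sets, confirms that every formula of the schema is valid in the model, and shows the world at which the last transition formula fails once the pair (w3, w2) is dropped from the accessibility relation. The tuple encoding of formulae and the names KripkeModel, check_schema and M1_CUT are assumptions of this example.

```python
# Formulae are nested tuples; these constructors keep Example 1 readable.
def atom(name): return ("atom", name)
def not_(f): return ("not", f)
def and_(f, g): return ("and", f, g)
def or_(f, g): return ("or", f, g)
def imp(f, g): return ("imp", f, g)
def iff(f, g): return ("iff", f, g)
def dia(f): return ("dia", f)   # possibility
def box(f): return ("box", f)   # necessity


class KripkeModel:
    """M = <W, R, V>; R is a set of (w, v) pairs meaning v is in R(w)."""

    def __init__(self, worlds, access, valuation):
        self.worlds = frozenset(worlds)
        self.access = frozenset(access)
        self.valuation = {a: frozenset(ws) for a, ws in valuation.items()}

    def successors(self, w):
        return {v for (u, v) in self.access if u == w}

    def is_reflexive(self):
        # Reflexivity is the frame condition that matches axiom T (system KT).
        return all((w, w) in self.access for w in self.worlds)

    def truth_set(self, f):
        """Return the truth set of f: all worlds in which f is true."""
        op, W = f[0], self.worlds
        if op == "atom":
            return self.valuation.get(f[1], frozenset()) & W
        if op == "not":
            return W - self.truth_set(f[1])
        if op in ("dia", "box"):
            inner = self.truth_set(f[1])
            if op == "dia":   # some alternative world satisfies the argument
                return frozenset(w for w in W if self.successors(w) & inner)
            return frozenset(w for w in W if self.successors(w) <= inner)
        if op not in ("and", "or", "imp", "iff"):
            raise ValueError(f"unknown connective: {op!r}")
        left, right = self.truth_set(f[1]), self.truth_set(f[2])
        if op == "and":
            return left & right
        if op == "or":
            return left | right
        if op == "imp":
            return (W - left) | right
        return frozenset(w for w in W if (w in left) == (w in right))

    def counterexamples(self, f):
        """Worlds where f fails; empty exactly when f is valid in M."""
        return self.worlds - self.truth_set(f)


def check_schema(model, schema):
    """For each schema formula, the sorted list of worlds that falsify it."""
    return [sorted(model.counterexamples(f)) for f in schema]


# Schema S1 and model M1 exactly as given in Example 1.
ra, rb, rc = atom("r(a)"), atom("r(b)"), atom("r(c)")
S1 = [
    or_(not_(ra), rb),
    iff(rc, ra),
    imp(ra, dia(rb)),
    imp(not_(ra), dia(and_(not_(rb), not_(rc)))),
]
W1 = {"w1", "w2", "w3"}
R1 = {("w1", "w1"), ("w1", "w3"), ("w2", "w2"), ("w3", "w2"), ("w3", "w3")}
V1 = {"r(a)": {"w1"}, "r(b)": {"w1", "w3"}, "r(c)": {"w1"}}
M1 = KripkeModel(W1, R1, V1)

# Constructed variant (not in the paper): w3 loses its alternative w2.
M1_CUT = KripkeModel(W1, R1 - {("w3", "w2")}, V1)

if __name__ == "__main__":
    print("M1 reflexive:", M1.is_reflexive())
    print("falsifying worlds in M1:    ", check_schema(M1, S1))
    print("falsifying worlds in M1_CUT:", check_schema(M1_CUT, S1))
```
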

In the next section, we will demonstrate how the modal logic approach recalled above can be straightforwardly applied to the translation of UML language specifications into a logic based formalism.

3. UML dynamics as a modal first-order logic

In [23], some possible transformations between UML specifications and first-order transition logic have been developed. The proposed approach takes into account static as well as dynamic features of UML constructs and the dynamics is modelled by means of the event concept.

Furthermore, in [1], the relationship between logic and various constructs in conceptual modelling is investigated. Within that work UML is chosen as a modelling notation for the purpose of expressing conceptual models. Such a UML schema is referred to as a UML specification. The obtained result maps a fully expressive set of UML in terms of class diagrams, methods, state diagrams and collaboration diagrams into a first-order transition logic.

However, when analysing designs that are created using the UML, there is still room for ambiguities, and lack of correct interpretations. This is especially sensitive when designing dependable systems such as safety critical applications, where designers can encounter problems using UML because such systems require precise formal verification at each phase. This situation has fuelled the motivation to improve upon the existing standard, and several solutions have been proposed in the literature. The notion is that the UML on its own is not yet complete.

In the context herein we therefore extend the first-order logic framework to modal logic by considering how dynamic properties of UML specifications can be expressed by modal first-order formulae. In this way, a subset of static and dynamic concepts modelled in UML can be translated in terms of modal first-order logic for conceptual schemata. Thus, due to considering together static and dynamic features of specifications, namely as a system of modal logic, a basis for further analyses and conflict detection is provided.

First, we briefly recall the translation of the static part of UML in terms of first-order formulae [1,23]. Then, in Section 3.2, we show how dynamic features of UML specifications can be transformed into a modal logic based formalism.


3.1. First-order logic translator

A class diagram is the standard modelling concept for static properties in UML. The components of a class diagram are classes that represent concepts in the world. These can have one or more lexical attributes. Classes can be related to each other, which is represented in UML by associations. Associations can further be specified by cardinality constraints expressing properties such as, e.g., injectivity, surjectivity and totality. Aggregations in UML are a special type of associations that indicate a lifetime dependency among the related parts. Furthermore, various kinds of subset relations can be represented.

According to the approach considered in [23], the static properties of class diagrams can be represented by a set of first-order formulae. Next, [1] demonstrates the implementation of a translation tool for specifications in the UML language into first-order logic. Note that the proposed approach suggests independent translations of different parts of UML (class diagrams, state diagrams and collaboration diagrams) without introducing peculiar formalisms. A scripting language within Rational Rose [37] is used for the actual implementation. Since the implementation language for the script in Rational Rose cannot accommodate the standard first-order logic symbols, the alphabet given in the following definition is used.

Definition 4
1. Variable symbols: x, y.
2. Connectives: Not (~), And (&), Or (#), Implies (=>), If and only if (<=>).
3. Quantifiers:
• Universal (A): (Ax)C(x) means that C holds for all values of x in the domain associated with the variable.
• Existential (E): (Ex)C(x) means that C holds for some value of x in the domain associated with the variable.

Now, let us illustrate the first-order logic approach by the next example.$^{7}$

Example 2. Let us consider the UML class diagram depicted in Fig. 1. Thus, saving_account, account, person and portfolio are classes in UML. The attribute amount represents the current balance. The relation client, from saving_account to person, meaning that a client is a person with an account, is represented by an association. An account must be owned by a person, and a person can have at most one saving account. Furthermore, at maximum two clients can share an account. The class saving_account is a subclass of account. The aggregation from saving_account to portfolio represents that saving_account is a component of the portfolio of the bank. The methods deposit and withdraw, representing possible transactions for an account, will be considered in the framework of modal first-order formulae in the next section.$^{8}$

7 A formal consideration can be found in [23].

8 In [23], methods in UML classes are modelled by event rules. The preconditions and postconditions of the event rules are represented by first-order formulae, see, e.g. [19,21].

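Fig. 1. UML class diagram. [Figure: classes saving_account (attribute amount), account (methods deposit(), withdraw()), person and portfolio; ISA from saving_account to account; association client with cardinalities 0..1 and 1..2; aggregation part_of.]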


The considered UML class diagram is transformed into the following first-order formulae.

% ISA relation
A(x) (saving_account(x) → account(x))

% Association client
A(x)A(y) (client(x, y) → (saving_account(x) & person(y)))

% Attribute amount
A(x)A(y) (amount(x, y) → (saving_account(x) & lex(y)))

% Aggregation part_of
A(x)A(y) (part_of(x, y) → (portfolio(x) & saving_account(y) & agg(x, y)))

% Cardinality 1
A(x)E(y) (saving_account(x) → (client(x, y)))

% Cardinality ..2
A(x)A(y1)A(y2)A(y3) ((client(x, y1) & client(x, y2) & client(x, y3)) → ((y1 = y2) # (y1 = y3) # (y2 = y3)))

% Cardinality ..1
A(y)A(x1)A(x2) ((client(x1, y) & client(x2, y)) → (x1 = x2))


Thus, using the rules given in [23], the class diagram in Fig. 1 is translated to a set of first-order formulae. For instance, the class definitions are predicate symbols of arity one, whereas the associations and attributes are represented by predicate symbols of arity two. Furthermore, as can be seen from the above example, the typing constraints for attributes, aggregations and ISA relationships are given by first-order formulae as well.$^{9}$

3.2. Translating UML dynamics into modal logic

In this section, the static translations considered in [23] are extended with a logic transformation of dynamic concepts in UML. The latter ones are formulated in terms of first-order formulae containing modal operators. In UML, dynamics can be presented by methods in classes, by state diagrams, and by interaction diagrams. We shall discuss herein the translation of methods and state diagrams.

Methods in UML describe operations within specifications. A method is labeled by a signature with a vector of variables. In [23], it is assumed that the semantics of a signature $g(y)$ can be formulated by a pair $\langle \mathit{pre}(x), \mathit{post}(x) \rangle$, where $\mathit{pre}(x)$ is a first-order formula expressing the precondition of the method and $\mathit{post}(x)$ is a first-order formula expressing the postcondition of the method.

Definition 5. Given a set of methods $\mathcal{M}$ in a UML specification, where the string inv does not occur. A schema $S_{\mathcal{M}}$ for $\mathcal{M}$ is constructed as follows:

1. Alphabet
• If $g(y) = \langle \mathit{pre}(x), \mathit{post}(x) \rangle$ is a method in $\mathcal{M}$, then the corresponding predicate symbols with the same arities are in $L(S_{\mathcal{M}})$.
• inv is a predicate symbol of arity one in $L(S_{\mathcal{M}})$.

2. Methods
Let $g(y) = \langle \mathit{pre}(x), \mathit{post}(x) \rangle$ be a method in a class $k$. If $g(y) \in \mathcal{M}$, then $(\mathit{inv}(g(y)) \wedge \mathit{pre}(x)) \rightarrow \Diamond(\mathit{post}(x) \wedge \neg \mathit{inv}(g(y))) \in S_{\mathcal{M}}$.$^{10}$

According to the above definition, a method can be represented by a modal first-order formula expressing the fact that the postcondition of the method is possible from the standpoint of its precondition when the method is invoked. For example, the method deposit declared for the class account, see Fig. 1, can be substituted by the formula: $(\mathit{inv}(\mathit{deposit}(\,)) \wedge \mathit{amount} > 0) \rightarrow \Diamond(a = \mathit{balance} + \mathit{amount} \wedge \mathit{balance}(a) \wedge \neg \mathit{inv}(\mathit{deposit}(\,)))$.

In a UML specification, each class can be associated with state diagrams. Each state diagram consists of a set of nodes, events and conditions for when transitions between these states may occur.

9 lex and agg are predicate symbols of arity one and arity two, respectively. They are used in the typing constraints for attributes and aggregations.

10 $\mathit{inv}(g(b))$ expresses that the method $g(y)$ is invoked with the vector $b$.


Definition 6. A state diagram for a class $k$ is a triple $\langle N, A, G \rangle$, where

1. $N$ is a set of nodes, representing a set of states.
2. $A$ is a set of directed arcs, i.e. pairs over $N$, representing a set of transitions between states in $N$.
3. $G$ is a set of quadruples $\langle a, \mathit{ue}(x, y), \mathit{guard}(x, y), p(x, y) \rangle_k$, specifying the pre- and postconditions of transitions in $A$.

In $G$, $a$ is an arc. $\mathit{ue}(x, y)$ is a UML event, where $x$ is an object (reference) of class $k$ and $y$ is a vector of objects and values. $\mathit{guard}(x, y)$ is an open first order formula. $p(x, y)$ is a set of formulae, where each formula has one of the following forms:

$$\mathit{insert}(a(x, y_i)),\quad \mathit{delete}(a(x, y_i)),\quad \text{or}\quad \mathit{invoke}(\mathit{umlev}(z)).$$

Here, $x$ is an object (reference) of class $C$, $y_i$ is a member of $y$ and $z$ is a vector of objects and values.

When a UML event $\mathit{ue}(x, y)$ occurs, it is captured by the state machine of the object $x$. If the guard $\mathit{guard}(x, y)$ is true, the state machine will make a transition according to the arc $a$. Thereafter, the procedure $p(x, y)$ will be executed, which inserts and deletes a number of links between $x$ and other objects and values. Finally, a number of other UML events will occur, which other state machines will handle.

A state diagram in this sense is readily translated to modal logic. The quadruples in the set $G$ are expressed by first-order formulae containing modal operators.

Definition 7. Given a set $\mathcal{S}$ of state diagrams $\langle N, A, G \rangle_k$ in a UML specification, where the string state does not occur. A schema $S_{\mathcal{S}}$ for $\mathcal{S}$ is constructed as follows:

1. Alphabet
• If $\langle \langle t_i, t_j \rangle, \mathit{ue}(x, y), \mathit{guard}(x, y), p(x, y) \rangle$ is in $G$, then the corresponding predicate symbols and constants with the same arities are in $L(S_{\mathcal{S}})$.
• state is a predicate symbol of arity two in $L(S_{\mathcal{S}})$.

2. Rules for an object in a state
$\{\forall x(\mathit{state}(x, t_i)) \rightarrow \neg \mathit{state}(x, t_j) \mid (t_i, t_j \in N) \wedge (i \neq j)\} \cup \{\forall x \exists t(\mathit{state}(x, t))\} \cup \{\forall x(\mathit{state}(x, t_i) \rightarrow k(x)) \mid t_i \in N\} \subseteq S_{\mathcal{S}}$, where $t_i$ is a state in class $k$.$^{11}$

3. Arcs
If $\langle \langle t_i, t_j \rangle, \mathit{ue}(x, y), \mathit{guard}(x, y), p(x, y) \rangle \in G$, then
$(\mathit{inv}(\mathit{ue}(x, y)) \wedge \mathit{state}(x, t_i) \wedge \mathit{guard}(x, y)) \rightarrow \Diamond(\mathit{state}(x, t_j) \wedge \neg \mathit{inv}(\mathit{ue}(x, y)) \wedge \neg \mathit{inv}(g(y)) \wedge (\bigwedge a(x, y_i) \mid \mathit{insert}(a(x, y_i)) \in p(x, y)) \wedge (\bigwedge \neg a(x, y_i) \mid \mathit{delete}(a(x, y_i)) \in p(x, y)) \wedge (\bigwedge \mathit{inv}(\mathit{umlev}(z)) \mid \mathit{invoke}(\mathit{umlev}(z)) \in p(x, y))) \in S_{\mathcal{S}}$.

11 $\mathit{state}(x, t)$ means that $x$ is in state $t$.

Example 3. In view of the above definition, we obtain the following translations for the state diagram in Fig. 2.

Fig. 2. UML state diagram for the class account. [Figure: states Start, Open, Closed and Frozen; transition labels open, close, deposit(amount), withdraw(amount)[amount<Balance], deposit(amount)[amount>-Balance], withdraw(amount)[amount>Balance].]


% Rules for an object in a state
{A(x)(state(x, Start) xor state(x, Open) xor state(x, Closed) xor state(x, Frozen))}
{A(x)(state(x, Start) # state(x, Open) # state(x, Closed) # state(x, Frozen)) → account(x)}

% Event rules
{inv(open( )) & state(account, Start) → ◇(state(account, Open) & ¬inv(open( ))),
inv(close( )) & state(account, Open) → ◇(state(account, Closed) & ¬inv(close( ))),
inv(withdraw(amount)) & state(account, Open) & (amount > Balance) → ◇(state(account, Frozen) & ¬inv(withdraw(amount))),
inv(deposit(amount)) & state(account, Open) → ◇(state(account, Open) & ¬inv(deposit(amount))),
inv(withdraw(amount)) & state(account, Open) & (amount < Balance) → ◇(state(account, Open) & ¬inv(withdraw(amount))),
inv(deposit(amount)) & state(account, Frozen) & (amount > -Balance) → ◇(state(account, Open) & ¬inv(deposit(amount)))}
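The translation of Definition 7, written out as an added Python example (not the Rational Rose script of [1] and not code from the paper): it turns one state diagram, given as nodes, arcs and quadruples, into the state rules and transition formulae, using the account diagram of Fig. 2 as input. The function names, the dictionary layout of a quadruple, the use of the variable x for the object, and the ASCII stand-ins "~" for negation and "<>" for the possibility operator are assumptions of this example.

```python
from itertools import permutations

# ASCII stand-ins (assumed for this example): "~" negation, "<>" possibility.
NOT, DIA, AND, IMP = "~", "<>", " & ", " => "


def state_rules(cls, nodes):
    """Definition 7, item 2: exclusive states, some state, typing by class."""
    rules = [f"A(x)(state(x,{ti}){IMP}{NOT}state(x,{tj}))"
             for ti, tj in permutations(nodes, 2)]
    rules.append("A(x)E(t)(state(x,t))")
    rules += [f"A(x)(state(x,{ti}){IMP}{cls}(x))" for ti in nodes]
    return rules


def arc_rule(src, dst, event, guard=None, procedure=()):
    """Definition 7, item 3: one quadruple of G as a transition formula.

    As in Example 3, no separate inv(g(y)) conjunct is emitted.
    """
    pre = [f"inv({event})", f"state(x,{src})"]
    if guard:
        pre.append(f"({guard})")
    post = [f"state(x,{dst})", f"{NOT}inv({event})"]
    for action, arg in procedure:
        if action == "insert":        # link holds after the transition
            post.append(arg)
        elif action == "delete":      # link no longer holds
            post.append(NOT + arg)
        elif action == "invoke":      # a further UML event is raised
            post.append(f"inv({arg})")
        else:
            raise ValueError(f"unknown procedure step: {action!r}")
    return f"({AND.join(pre)}){IMP}{DIA}({AND.join(post)})"


def translate(cls, nodes, arcs, quadruples):
    """Build the schema for one state diagram <N, A, G> of class cls."""
    for src, dst in arcs:
        if src not in nodes or dst not in nodes:
            raise ValueError(f"arc ({src},{dst}) leaves the node set N")
    schema = state_rules(cls, nodes)
    for q in quadruples:
        if (q["src"], q["dst"]) not in arcs:
            raise ValueError(f"quadruple uses an arc outside A: {q}")
        schema.append(arc_rule(**q))
    return schema


# The account state diagram, with arcs and guards taken from Example 3.
NODES = ["Start", "Open", "Closed", "Frozen"]
QUADS = [
    dict(src="Start", dst="Open", event="open()"),
    dict(src="Open", dst="Closed", event="close()"),
    dict(src="Open", dst="Frozen", event="withdraw(amount)",
         guard="amount > Balance"),
    dict(src="Open", dst="Open", event="deposit(amount)"),
    dict(src="Open", dst="Open", event="withdraw(amount)",
         guard="amount < Balance"),
    dict(src="Frozen", dst="Open", event="deposit(amount)",
         guard="amount > -Balance"),
]
ARCS = {(q["src"], q["dst"]) for q in QUADS}
ACCOUNT_SCHEMA = translate("account", NODES, ARCS, QUADS)

if __name__ == "__main__":
    for formula in ACCOUNT_SCHEMA:
        print(formula)
```
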

Definition 8. Given a set of class diagrams $C$, a set of methods $M$, and a set of state diagrams $S$ in a UML specification $U$, let $S_C$, $S_M$ and $S_S$ be the corresponding schemata. Then a schema $S$ for $U$ is constructed as follows:

$$S = S_C \cup S_M \cup S_S.$$

Footnote 12 (to the equation above). The static concepts and relations in $U$ are translated according to the approach recalled in Section 3.1. An extended consideration can be found in [24].


Consequently, the set $S$ is a translation of the UML specification into a schema in the sense of Definition 1.

At the beginning of Section 3.1 we referred to [1], which suggests an actual implementation of both the static and the dynamic parts of UML in a common framework, namely first-order logic. A scripting language within Rational Rose is used in that work as a tool to visually create UML constructs. The latter is achieved by using the translation language recalled in Definition 4. Evidently, by extending this language with primitives for the modal operators of possibility and necessity, an implementation of an automatic translation of UML to modal first-order logic can easily be obtained.

4. Conflict detection

Conflict detection is the key issue for software system design and use. For instance, conflict is a major complication in any schema integration process. Schemata are developed by different user groups or designers; therefore, some constructs in the integrated schemata may be incompatible, even though the modelled reality may be equivalent, and they must be modified before integration may take place. The latter is a subject of conflict resolution methods, whereas our interest herein concerns conflict identification problems.

Many different approaches to schema integration have been presented. We referred to some of them in the introduction, for instance [18,19,27,28], which discuss various aspects of the schema integration process in the framework of first-order logic. An approach using integration assertions, i.e. relating equivalent constructs in the schemata, is chosen in these works to analyse different features of this process with respect to freeness of conflicts. The first-order logic framework can be extended to standard modal logic. This approach has several advantages. First, as was shown in Section 2.2, a quite weak language is sufficient for the purpose of modelling and analysing important aspects of schema dynamics. Second, because static and dynamic features of specifications are considered together, namely as a system of modal logic, various procedures for detecting dynamic conflicts can be proposed.

In view of the above, our considerations in this section are based on the modal logic framework for conceptual schemata. We suggest a definition of non-stochastic freeness of conflicts. Basically, this means that a schema is not allowed to restrict another schema when they are integrated, i.e., that all states that were possible to access before the integration are still accessible after the integration. If restrictions are necessary for some reason, they should instead be added explicitly. Such a definition has been demonstrated to be meaningful from a pragmatic as well as from a computational viewpoint. More formally, two schemata are free of conflicts with respect to a set of integration assertions iff for each world in the first model, there exists a world in the second one such that their union is a model for the set of integration assertions.

Definition 9. An integration assertion expressing a schema $S_2$ in a schema $S_1$ is a closed first-order formula $\forall(p(x) \leftrightarrow F(x))$, where $p$ is a predicate symbol in $L(S_2)$ and $F(x)$ (footnote 13) is a formula in $L(S_1)$.

Footnote 13. $F(x)$ does not contain modal operators of possibility and necessity.


Here, an integration assertion specifies what extra constraints are imposed when schemata are integrated (merged) into a combined specification. Thus, the set of integration assertions expresses the correspondence between two schemata. The choice of this set depends on the actual correspondences between the schemata. This set can also be considered as defining a protocol for the schema integration. However, more formally, a set of integration assertions is just another set of formulae like the conceptual schemata. The choice of the set of such assertions is then a design issue, as is the definition of a conceptual schema.

Consider schemata $S_1$ and $S_2$, determined by the standard models of modal logic $M_1 = \langle W_1, R_1, V_1\rangle$ and $M_2 = \langle W_2, R_2, V_2\rangle$, respectively (see Section 2.2). Let $IA$ be a set of integration assertions expressing $S_2$ in $S_1$. Moreover, assume that $L(S_1) \cap L(S_2) = \emptyset$. Further, we regard a model $M = \langle W_1 \times W_2, R, V\rangle$, where $R$ is defined by

$$(\forall (w_1, w_2) \in W_1 \times W_2)\,\big(R((w_1, w_2)) = R_1(w_1) \times R_2(w_2)\big) \qquad (1)$$

and $V$ is given by

$$V(F(x)) = \begin{cases} V_1(F(x)) \times W_2, & \text{if } F(x) \in L(S_1) \\ W_1 \times V_2(F(x)), & \text{if } F(x) \in L(S_2) \end{cases} \qquad (2)$$

for any atomic formula $F(x) \in L(S_1) \cup L(S_2)$. It follows immediately from (1) and (2) that $M$ is a model for the system $S_1 \cup S_2$, i.e. each formula $F(x) \in S_1 \cup S_2$ is valid in $M$.

Now, let us consider the set of all worlds $(w_1, w_2) \in W_1 \times W_2$ that are models for $IA$, i.e. the formula

$$F_{IA} = \bigwedge_{F(x) \in IA} F(x)$$

holds in such worlds. Henceforth, the worlds in the set $\|F_{IA}\|^M$ will be called secure states. The name refers to the fact that each world in $\|F_{IA}\|^M$ is a $S_1 \cup S_2 \cup IA$-consistent set of formulae.

Intuitively, two schemata are in conflict with respect to a set of static integration assertions if one of them together with the integration assertion (IA) restricts the set of worlds (states) for the other one. In the framework presented herein, the concept of freeness of conflicts is given in terms of secure states. Such a definition is shown to be useful for the further extension of the framework with interval probabilities.

Definition 10. The schemata $S_2$ and $S_1$ are free of conflicts w.r.t. $IA$ iff

$$(\forall w_1 \in W_1)\big((\exists w_2 \in W_2)((w_1, w_2) \in \|F_{IA}\|^M)\big).$$

Note that in case of a flat contradiction between the schemata, $\|F_{IA}\|^M = \emptyset$. Moreover, obviously, when the cardinality of $\|F_{IA}\|^M$ is less than the cardinality of $W_1$, then $S_2$ and $S_1$ are in conflict w.r.t. $IA$.

In the next section, we demonstrate how the above framework can easily be extended to handle uncertainty in terms of interval probabilities. The schema semantics is provided with the possibility to include an interval-valued probability measure over the set of states. Using this measure, schemata are then analysed for freeness of conflicts, taking into account the probability of formulae in the different states.


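Example 4. Consider the schema $S_1$ from Example 1 and a schema

$$S_2 = \{p(a) \rightarrow p(b),\; p(c) \vee \neg p(b),\; (p(a) \wedge p(b)) \rightarrow \Diamond\neg p(b)\}.$$

Let $\forall x(p(x) \leftrightarrow r(x))$ be a possible integration assertion for the schemata. The description of schema $S_2$ is a model $M_2 = \langle W_2, R_2, V_2\rangle$, where $W_2 = \{v_1, v_2, v_3, v_4\}$ and

$$\begin{aligned}
v_1 &= \{p(a), p(b), p(c), p(a) \rightarrow p(b), p(c) \vee \neg p(b), (p(a) \wedge p(b)) \rightarrow \Diamond\neg p(b), \Diamond\neg p(b), \ldots\},\\
v_2 &= \{\neg p(a), p(b), p(c), p(a) \rightarrow p(b), p(c) \vee \neg p(b), (p(a) \wedge p(b)) \rightarrow \Diamond\neg p(b), \ldots\},\\
v_3 &= \{\neg p(a), \neg p(b), p(c), p(a) \rightarrow p(b), p(c) \vee \neg p(b), (p(a) \wedge p(b)) \rightarrow \Diamond\neg p(b), \ldots\},\\
v_4 &= \{\neg p(a), \neg p(b), \neg p(c), p(a) \rightarrow p(b), p(c) \vee \neg p(b), (p(a) \wedge p(b)) \rightarrow \Diamond\neg p(b), \ldots\}.
\end{aligned}$$

Then $R_2 = \{(v_1, v_1), (v_2, v_2), (v_3, v_3), (v_4, v_4), (v_1, v_3), (v_1, v_4)\}$ and

$$\begin{aligned}
V_2(p(a)) &= \{v_1\}, & V_2(p(b)) &= \{v_1, v_2\}, & V_2(p(c)) &= \{v_1, v_2, v_3\},\\
V_2(\neg p(a)) &= \{v_2, v_3, v_4\}, & V_2(\neg p(b)) &= \{v_3, v_4\}, & V_2(\neg p(c)) &= \{v_4\}.
\end{aligned}$$

Obviously, $S_1$ and $S_2$ are in conflict w.r.t. the integration assertion, since $\|F_{IA}\|^M = \{(w_1, v_1), (w_2, v_4)\}$ in the model $M = \langle W_1 \times W_2, R, V\rangle$.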

5. Probabilistic extension

Approaches such as the framework above explore the state space without considering possible information about the probability of occurrence of its states. However, as was mentioned in the introduction, in many cases it is meaningful to investigate such issues. For instance, a set of goals can be found compatible and desirable when investigating a multi-agent system from a design perspective. Nevertheless, it might not be reasonable in the sense that the agents do not actually have a reasonable possibility to fulfil the goals. The latter may be the case when the agents are forced to abandon possible paths leading to goals in a particular environment, because the probability of achieving them along a specific path is too low.

In Definition 10, it was not taken into account that some states may be more preferred or more probable (or more desired or more important, etc.) than others, and we will now demonstrate how imprecise information can be handled in the present context.

Some approaches to reasoning about knowledge and explicit probabilities together have been suggested earlier. For instance, in [24,30] it is demonstrated how a first-order language can be extended to allow for formulae of the form $pr(F(x)) \geq a$, where $F(x)$ is a formula and $a$ is a real number in the interval $[0, 1]$, with the intended meaning that "Formula $F(x)$ holds with probability at least $a$." This basic idea can be used to augment schemata in our framework with probability distributions.

Moreover, following [6,13], indeterminate information can be represented using sentences such as "the probability of state $w_i$ is between the numbers $a_i$ and $b_i$", translated to $P(w_i) \in [a_i, b_i]$ (which, of course, can be given a linear representation, such as $P(w_i) \geq a_i$ and $P(w_i) \leq b_i$). To these are added normalisation constraints depending on the structure (footnote 14). Obviously, the conjunction of such constraints for each schema involved determines an interval-valued probability on the set of states, i.e., a non-empty convex set of probabilities verifying the constraints. Thus, there exist intervals $[a_i, b_i]_{w_i \in W}$ such that

$$(\forall w_i \in W)(a_i \leq P(w_i) \leq b_i) \quad \text{and} \quad \sum_{w_i \in W} P(w_i) = 1.$$

Footnote 14. Similarly, qualitative sentences such as $P(w_i) \geq P(w_j)$ can be represented in the same linear systems, but this extension will not be taken into consideration herein.

Needless to say, other representation models could have been used instead and there are several candidates, but the preference for the above is the possibility to represent imprecise as well as qualitative information in a computationally meaningful way (footnote 15). However, we do not discuss various aspects of this in the context herein and refer the reader to, e.g., [22] for a more detailed discussion.

Next, the language $L$ (see Section 2.2) is extended in addition to allow formulae of the form $pr(F(x)) \geq a$, where $F(x)$ is a formula and $a$ is a real number in the interval $[0, 1]$. The intended meaning of a formula such as $pr(F(x)) \geq a$ is "Formula $F(x)$ holds with probability at least $a$", and the semantics of such a formula in a Kripke model, augmented with an interval-valued probability measure on $\mathcal{P}(W)$, is readily defined by

$$\models^{M}_{w} pr(F(x)) \geq a \iff \big(w \in \|F(x)\|^M \wedge P(\|F(x)\|^M \mid R(w)) \geq a\big).$$

That is, the formula $pr(F(x)) \geq a$ is true in a world $w$ if $F(x)$ holds in $w$ and, moreover, the conditional probability of the truth set of $F(x)$ given the set of $w$'s alternatives is at least $a$. Obviously, the probability of formula $F(x)$ at $w$ depends not only on the probability distribution given to $w$ but also on the probabilities of $w$'s alternatives in which $F(x)$ is true. The semantics for formulae of the form $pr(F(x)) \leq b$ is defined analogously. These formulae can also be considered as abbreviations of $\neg pr(F(x)) > b$.

Now, let us return to the standard models of modal logic $M_1$ and $M_2$ that are descriptions of schemata $S_1$ and $S_2$, respectively. Assume that they are extended with interval-valued probabilities $P_1$ and $P_2$ on the sets of states. Then we consider a model $M = \langle W_1 \times W_2, R, V, P\rangle$, where $P$ is defined by the expression (footnote 16)

$$(\forall (w_1, w_2) \in W_1 \times W_2)\,\big(P((w_1, w_2)) = P_1(w_1) P_2(w_2)\big).$$

Obviously, it holds that

$$P(U) = \sum_{(w_1, w_2) \in U} P_1(w_1) P_2(w_2), \quad \text{for any } U \in \mathcal{P}(W_1 \times W_2).$$

Using the above considerations, Definition 10 can be modified to take into account that a formula may hold with different probabilities in different states. Thus, we reconsider the set of secure states $\|F_{IA}\|^M$, taking into account only those states of it in which $F_{IA}$ holds with a probability that is greater than or equal to a certain value $a$ ($a \in [0, 1]$). This value may, e.g., be thought of as a threshold that is defined in advance and depends on the application. If the probability of formula $F_{IA}$ in a state is below this threshold then the state is not taken into consideration.

Footnote 15. The common feature of these approaches is that they do not include the additivity axiom of probability theory and consequently do not require precise probability (and, in some cases, utility) estimates. A survey of theories of imprecise probabilities is provided in, e.g., [42].

Footnote 16. In [4], a modal logic interpretation of Dempster's rule of combination is developed by considering a model $M = \langle W_1 \times W_2, R, V_1 \times V_2, P\rangle$. This model corresponds to the conjunctive case of combination whereas the model considered herein fits the disjunctive case, see e.g., [40].

Definition 11. The schemata $S_2$ and $S_1$ are $a$-free of conflicts w.r.t. $IA$ iff

$$(\forall w_1 \in W_1)\big((\exists w_2 \in W_2)((w_1, w_2) \in \|pr(F_{IA}) \geq a\|^M)\big),$$

where $a \in [0, 1]$.

According to the above definition, two schemata are free of conflicts w.r.t. a set of integration assertions (IA) iff for each world $w_1$ in the first model, there exists a world $w_2$ in the second one such that their union ($w_1 \cup w_2$) is an IA-consistent set of formulae and, in addition, the conditional probability of the set of all such pairs of worlds given the set of $(w_1, w_2)$'s alternatives is above a value $a$ defined in advance. Further, it is clear that this is a straightforward generalisation of Definition 10, since $\|pr(F_{IA}) \geq a\|^M \subseteq \|F_{IA}\|^M$ and, moreover, when $a = 0$ the conditions for freeness of conflicts in Definition 11 coincide with those stated in Definition 10.
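Definitions 10 and 11 can be checked mechanically on finite models. The Python code below is an added example, not code from the paper: it uses the model $M_2$ of Example 4, while the first model (W1, R1) and the point probabilities P1, P2 (degenerate intervals with $a_i = b_i$) are constructed assumptions.

```python
from fractions import Fraction as Fr
from itertools import product

# M2 of Example 4: each world lists the constants x for which p(x) holds.
W2 = {"v1": {"a", "b", "c"}, "v2": {"b", "c"}, "v3": {"c"}, "v4": set()}
R2 = {"v1": {"v1", "v3", "v4"}, "v2": {"v2"}, "v3": {"v3"}, "v4": {"v4"}}

# Constructed M1 (an assumption, not the S1 of Example 1): constants where r(x) holds.
W1 = {"w1": {"a", "b", "c"}, "w2": set(), "w3": {"a"}}
R1 = {"w1": {"w1", "w2"}, "w2": {"w2"}, "w3": {"w3"}}

# Constructed point probabilities (degenerate intervals a_i = b_i), each summing to 1.
P1 = {"w1": Fr(1, 2), "w2": Fr(1, 4), "w3": Fr(1, 4)}
P2 = {w: Fr(1, 4) for w in W2}


def secure_states(W1, W2):
    """||F_IA||^M for IA = forall x (p(x) <-> r(x)): pairs whose valuations agree."""
    return {(w1, w2) for w1, w2 in product(W1, W2) if W1[w1] == W2[w2]}


def uncovered(W1, states):
    """Worlds of W1 with no partner in `states`; an empty list means conflict-free."""
    return sorted(set(W1) - {w1 for w1, _ in states})


def mass(U, P1, P2):
    """Product measure: P(U) = sum of P1(w1) * P2(w2) over (w1, w2) in U."""
    return sum((P1[w1] * P2[w2] for w1, w2 in U), Fr(0))


def pr_states(secure, R1, R2, P1, P2, a):
    """||pr(F_IA) >= a||^M: secure states whose alternatives satisfy F_IA with
    conditional probability at least a."""
    result = set()
    for w1, w2 in secure:
        alts = set(product(R1[w1], R2[w2]))      # R((w1, w2)) = R1(w1) x R2(w2)
        total = mass(alts, P1, P2)
        # Assumption: a zero-mass set of alternatives only meets the threshold a = 0.
        ok = (a == 0) if total == 0 else mass(alts & secure, P1, P2) / total >= a
        if ok:
            result.add((w1, w2))
    return result


def free_of_conflicts(W1, W2):
    """Definition 10: every w1 has a partner w2 among the secure states."""
    return not uncovered(W1, secure_states(W1, W2))


def a_free_of_conflicts(W1, W2, R1, R2, P1, P2, a):
    """Definition 11: every w1 has a partner w2 in ||pr(F_IA) >= a||^M."""
    states = pr_states(secure_states(W1, W2), R1, R2, P1, P2, a)
    return not uncovered(W1, states)


if __name__ == "__main__":
    sec = secure_states(W1, W2)
    print("secure states:", sorted(sec))
    print("worlds of W1 without a partner:", uncovered(W1, sec))
    # Drop w3 and renormalise P1: Definition 10 now holds, Definition 11 may not.
    W1b = {w: W1[w] for w in ("w1", "w2")}
    P1b = {"w1": Fr(2, 3), "w2": Fr(1, 3)}
    for a in (Fr(0), Fr(1, 3), Fr(1, 2)):
        print("a =", a, "->", a_free_of_conflicts(W1b, W2, R1, R2, P1b, P2, a))
```

With the constructed world w3 removed, the two models are free of conflicts under Definition 10 but not $a$-free for $a = 1/2$, because the only secure partner of w1 has conditional probability 1/3 over its alternatives.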

6. Conclusions

Detection of goal conflicts is of great importance, not least when indeterminate information prevails. A problem in this context, as was stressed in the introduction, is that frameworks for dynamic conflict detection, in general, introduce non-standard objects and formalisms, leading to severe confusion, both regarding the semantics and the computability. However, this is unnecessary and the main contribution of this paper is to provide an integrated and computationally meaningful framework for detecting conflicts in specifications, using a representation format in ordinary first-order modal logic. We have also shown how such a framework can easily be extended to incorporate, e.g., an interval-valued probability measure.

References

[1] B. Amon, L. Ekenberg, P. Johannesson, M. Munguanaze, U. Njabili, R.M. Tesha, From first-order logic to automated word generation for Lyee, Knowledge-Based Systems 16 (2003) 413–429.

[2] C. Batini, M. Lenzerini, S.B. Navathe, A comparative analysis of methodologies for database schema integration, ACM Computing Surveys 18 (4) (1986) 323–364.

[3] J. Biskup, B. Convent, A formal view integration method, SIGMOD (1986) 398–407.

[4] V. Boeva, Dempster's rule of combination in modal logic, in: Proceedings of the ISIPTA'01, Shaker Publishing, Maastricht, 2001, pp. 62–67.

[5] M. Boman, J. Bubenko, P. Johannesson, B. Wangler, Conceptual Modelling, Prentice-Hall, Englewood Cliffs, NJ, 1997.

[6] M. Boman, L. Ekenberg, Risk constraints in agent conflicts, in: Proceedings of the LUMIS'2000, IEEE Computer Society Press, Silver Spring, MD, 2000.

[7] M.W. Bright, A.R. Hurson, S.H. Pakzad, Automated resolution of semantic heterogeneity in multidatabases, ACM Transactions of Database Systems 19 (2) (1994) 212–253.

[8] J. Bruel, R.B. France, Transforming UML models to formal specifications, in: Proceedings of International Conference on the Unified Modelling Language (UML): beyond the notation, 1998.


[9] J. Carmo, A. Sernadas, A temporal logic framework for a layered approach to systems specification and verification, in: C. Rolland, F. Bodart, M. Leonard (Eds.), Temporal Aspects of Information Systems, North-Holland, Amsterdam, 1988, pp. 31–46.

[10] B. Chellas, Modal Logic, an Introduction, Cambridge University Press, Cambridge, 1980.

[11] D. Coleman, Object-oriented Development: The Fusion Method, Prentice-Hall, Englewood Cliffs, MA, 1993.

[12] S. Cook, J. Daniels, Let's get formal, Journal of Object-Oriented Programming (JOOP) 22–24 (1994) 64–66.

[13] M. Danielson, L. Ekenberg, A framework for analysing decisions under risk, European Journal of Operation Reasoning 104 (3) (1998) 474–484.

[14] G. Davies, L. Ekenberg, P. Johannesson, Detecting temporal conflicts in integrated agent specifications, in: Mueller, Dieng (Eds.), Computational Conflicts, Springer Verlag, Berlin, 2000, pp. 103–124.

[15] D. Distefano, J. Katoen, A. Rensink, On a temporal logic for object-based systems, in: S.F. Smith, C.L. Talcott (Eds.), Fourth International Conference on Formal Methods for Open Object-based Distributed Systems, Kluwer Academic Publishers, Stanford, CA, USA, 2000, pp. 305–326.

[16] C. Dixon, M. Fisher, M. Wooldridge, Resolution for temporal logics of knowledge, Journal of Logic and Computation 8 (1998) 345–372.

[17] R. Duke, P. King, G.A. Rose, G. Smith, The Object-Z specification language, in: Timothy D. Korson, Vijay K. Vaishnavi, Bertrand Meyer (Eds.), Technology of Object Oriented Languages and Systems: TOOLS 5, Prentice-Hall, Englewood Cliffs, NJ, 1991, pp. 465–483.

[18] L. Ekenberg, P. Johannesson, Conflict freeness as a basis for schema integration, in: Proceedings of the CISMOD'95, Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1995, pp. 1–13.

[19] L. Ekenberg, P. Johannesson, A formal basis for dynamic schema integration, in: Proceedings of the ER'96, Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1996, pp. 211–226.

[20] L. Ekenberg, SDeLphi: Detection of Service Inference using Formal Methods. Report NP-K-LE-005, Issue 2, Telia Research AB, Logikkonsult NP AB, 1996.

[21] L. Ekenberg, The logic of conflicts between decision making agents, Journal of Logic and Computation 10 (4) (2000) 583–602.

[22] L. Ekenberg, Risk constraints in agent based decisions, in: A. Kent, J.G. Williams (Eds.), Encyclopedia of Computer Science and Technology, vol. 43(28), Marcel Dekker, New York, 2000, pp. 263–280.

[23] L. Ekenberg, P. Johannesson, UML as a transition logic, in: Proceedings of the 12th European–Japanese Conference on Information Modelling and Knowledge Bases, 2002.

[24] R. Fagin, J.Y. Halpern, Reasoning about knowledge and probability, Journal of the ACM 41 (2) (1994) 340–367.

[25] J. Fiadeiro, C. Sernadas, T. Maibaum, A. Sernadas, Describing and structuring objects for conceptual schema development, in: P. Loucopoulos, R. Zicari (Eds.), Conceptual Modelling, Databases and CASE: An Integrated View of Information Systems Development, John Wiley, Wiley, 1992, pp. 117–138.

[26] P. Hajek, Metamathematics of Fuzzy Logic, Kluwer Academic Publishers, Netherlands, 1998.

[27] P. Johannesson, A logic based approach to schema integration, in: T. Teorey (Ed.), Proceedings of the 10th International Conference on Entity-Relationship Approach, San Francisco, North-Holland, Amsterdam, 1991.

[28] P. Johannesson, A logical basis for schema integration, in: H. Schek (Ed.), Third International Workshop on Research Issues in Data Engineering: Interoperability in Multidatabase Systems, IEEE Press, Vienna, 1993.

[29] B. Jonsson, K.G. Larsen, Specification and Refinement of Probabilistic Processes, IEEE Computer Society Press, Silver Spring, MD, 1991, pp. 266–277.

[30] J.Y. Halpern, A logical approach to reasoning about uncertainty: a tutorial, in: X. Arrazola, K. Korta, F.J. Pelletier (Eds.), Discourse, Interaction and Communication, Kluwer, 1998.

[31] M. Huth, A unifying framework for model checking labeled Kripke structures, modal transition systems, and interval transition systems, in: FST&TCS'99, Chennai, India, 1999.

[32] K. Lano, Z++ an object-oriented extension to Z, in: J.E. Nichols (Ed.), Z User Workshop, Oxford 1990, Workshops in Computing, Springer-Verlag, Berlin, 1991, pp. 151–172.

[33] K.G. Larsen, Modal specifications, in: J. Sifakis (Ed.), Automatic Verification Methods for Finite State Systems, International Workshop, Grenoble, France, Lecture Notes in Computer Science, no. 407, Springer Verlag, Berlin, 1989, pp. 232–246.


[34] S.E. Madnick, From VLDB to VMLDB (Very MANY Large Data Bases): dealing with Large-Scale Semantic Heterogeneity, VLDB (1995) 11–16.

[35] F. Polat, S. Shekhar, H.A. Guvenir, Distributed conflict resolution among cooperating expert systems, Expert Systems 10 (4) (1993) 227–236.

[36] A.S. Rao, M.P. Georgeff, Decision procedures for BDI logics, Journal of Logic and Computation 8 (1998) 293–342.

[37] Rational Rose web site. Available from <http://www.rational.com>.

[38] C. Sernadas, J.L. Fiadeiro, Towards object-oriented conceptual modelling, Data and Knowledge Engineering 6 (1991) 479–508.

[39] A.P. Sheth, V. Kashyap, So Far (Schematically) yet So Near (Semantically), DS-5, 1992, pp. 283–312.

[40] Ph. Smets, Belief functions: the disjunctive rule of combination and generalized Bayesian theorem, International Journal of Approximate Reasoning 9 (1993) 1–35.

[41] S. Spaccapietra, C. Parent, View integration: a step forward in solving structural conflicts, IEEE Transactions on Knowledge and Data Engineering 6 (2) (1994) 258–274.

[42] P. Walley, Statistical Decision Functions, John Wiley and Sons, New York, 1991.

Veselka Boeva received the M.Sc. degree in mathematics and computer science from the University of Plovdiv, Bulgaria in 1985 and the Ph.D. degree in computer science from the Technical University of Plovdiv, Bulgaria in 2000. Since 1990, she has been working as an Assistant-Professor in computer science at the Department of Computer Systems of the Technical University of Plovdiv. Her research activities are centered around Dempster–Shafer theory and modelling uncertainty with Kripke's semantics. She is currently doing research in decision making, formal methods and aggregation operators.

Love Ekenberg is specialist and consultant in risk and decision analysis and is working with development of products and methodologies within these areas. He has extensive experience from various industrial and public sectors, e.g., risk-cost modelling and analyses from the telecom sector and national insurance policies for flood catastrophes. He has also several years experience of logic verification of complex industrial systems, inter alia at Swedish nuclear power plants. He has worked as project leader, manager and coordinator of national and international IT projects, and has published numerous research papers on formal methods as well as risk and decision analysis. He is a Ph.D. and Full Professor in Computer and Systems Sciences at Stockholm University as well as in Computer Science at Mid Sweden University.