Specifying with syntactic theory functors

Article history: Received 9 April 2019 Received in revised form 25 March 2020 Accepted 27 March 2020 Available online 2 April 2020


Introduction
Developing formal specifications for practical problems hits issues that are immaterial to foundational specification theory. One issue is that it might be awkward to specify a simple idea, e.g., writing axioms in first-order-logic expressing that a remote control must have at least 13 distinct buttons. Another issue is that several specifications are conceptually the same, with minor differences in declarations causing them to be duplicated. One might, for instance, want to specify a device similar to an already specified one, but with two more buttons. Or one might want to expand a data type with partial functions and handle partiality with error elements, which forces all existing operations also to deal with the error elements. Or adding an extra argument to a function, but keep the axioms. The list of such examples is endless. However, the current lack of language support to deal with situations like this causes lengthy writing of boilerplate code or repeated adaptation from one context to another.
The theme common to these examples is that they are of transformational nature. Given a specification, one would like to transform it into a different one, e.g., the empty specification to one where there are 13 distinct buttons, a data type specification to one involving an error element. Here, different contexts might ask for the application of essentially the 'same' transformations. Transformations that are conceptually simple, but often prone to errors to get right.
Thus, we propose that specifications involving such patterns should be automatically generated. More concisely, we claim that, like in programming, also in specification there are recurring problems for which there exist 'standard solutions'. On the conceptual side, we call these solutions 'patterns'. On the technical side, we realise such 'patterns' by transformations. Concretely, we suggest the notion of syntactic theory functors (STFs) to support such transformations.
We study and develop syntactic theory functors in the context of Goguen & Burstall's institution theory, and illustrate them with examples developed in the algebraic specification language Casl.

Design patterns and how to formalise them
Design patterns have been a longstanding topic, both in programming and in formal specification. Their purpose is to capture standard solutions for recurring challenges that a programmer or specifier might face. However, while design patterns in programming, cf. [1], are already an established topic which regularly is taught in software engineering courses, how to deal with specification patterns is still an emerging research topic.
In the context of the algebraic specification language Casl [2], Cerioli and Reggio study the interplay between partiality, subsorting and predicates [3]. The purpose of their investigation is to systematically guide the specifier with the help of decision diagrams to the 'best' solution. However, their focus is on guidance rather than on how to formulate patterns.
Also in the context of Casl, "Methodological guidelines" [4] accompany the library of Casl standard datatypes, Part V in [2]. These guidelines are written in controlled language adhering to a strict format, which was inspired by the presentation style of "A Pattern Language" [5]. The purpose of these guidelines was to apply uniform solutions to similar challenges throughout a comprehensive library. Their focus is on identifying specification challenges and arguing why the specific chosen solution is a good one.
In the context of ontology design, various patterns have been described, identified, named, and established. There is an "Association for Ontology Design & Patterns (ODPA)", which focuses on methods and tools arising out of ontology design patterns. 1 ODPA runs the annual workshop on ontology design and patterns (WOP), in 2019 in its 10th edition. Examples of ontology design patterns are the role pattern or the time pattern, cf. [6]. The general objective is to "enable domain ontologists to reuse existing best practices and design decisions and, thus, benefit from the experience of ontology experts" [6]. This overall goal is addressed with different techniques. Krieg-Brückner et al. use institution-independent structuring mechanisms, in particular generic specification, in order to obtain transformations realising the patterns. We considered this approach as well, however, dismissed it as not flexible enough -see Section 2.1.

Requirements on specification transformations
One natural requirement on specification transformations is that they shall be 'flattenable,' i.e., be syntactic sugar only. On the conceptual side this aligns with the observation that the issues to be addressed are immaterial to foundational specification theory. In specification practice, flattenable transformations allow the specifier to expand them like a 'macro,' possibly with tool support. This allows the specifier to check if the generated axioms actually look as expected.
Yet another desirable element of specification transformations is that they shall take, e.g., selected signature elements (such as the sort and a list of constants for defining any number of distinct constants) as their arguments. Such arguments would 'steer' the transformations' use in the concrete application context. For example, we can lift a set of functions on elements to functions on arrays. An n-ary function would lift to a function on n arrays. To specify the effect of lifting, the lifting transformation needs to identify the element type and set of functions to be lifted, as well as the array type, the index type and the indexing function. Thus, we want to describe families of specification transformations rather than single transformations.
In this paper, we propose a framework for creating institution-specific structuring mechanisms, syntactic theory functors (STFs). STFs subsume the standard institution-independent structuring mechanisms, and open up new ways of reusing existing and structuring new specifications. This allows building a rich institution incrementally from a simple institution and appropriate STFs, very much needed when developing ontologies or specification languages for a new domain. Richer institutions yield more versatility to the Distributed Ontology, modelling and specification Language (DOL) [7], which provides structuring and interoperability between any institution-based formalism.

Overview
This paper is organised as follows. First, we present a number of motivating examples exhibiting a number of 'specification patterns'. Then, in Section 3, we provide our suggestion of how to capture 'specification patterns', namely by defining syntactic theory functors (STFs). We establish basic properties of STFs, relate them to the similar concept of theoroidal (co)morphisms, show that established structuring mechanisms are STFs, and, finally, that our examples can be treated with STFs. In Section 4, we establish that STFs can be considered as a new language to structure specifications. We apply STFs to a case study and discuss methodological implications. We then study STFs on a more fundamental level in Section 5.
We establish in what sense the STF examples of this paper reflect and preserve properties. Furthermore, we show that the so-called model consistent STFs give rise to an institution. The following section looks at the pragmatics of using STFs. In Section 7, we review the literature concerning other potential solutions, followed by the final summary section.

Motivating examples
Here we present some examples of recurring challenges, which, for ease of understanding, we formulate in the first order sublanguage of the algebraic specification language Casl [2]. This sublanguage is significant as, e.g., it is supported by automated theorem provers.

Finite set of distinct constants
Specifying that a simple remote control has at least a given set of distinct buttons turns out to be awkward in the first order sublanguage of Casl. The issue being that every button has to be stated as distinct from every other button, giving growth in distinctness axioms proportional to the square of the number of constants.
Writing this standard pattern of axioms is awkward when the number of constants grows, and may easily introduce errors in a conceptually simple specification. We propose that such patterns can be automatically generated by an STF free for a given set of constant declarations. 2 The STF free constructs a specification depending on a given set of constant symbols; i.e., free actually represents a family of constructions, where the indices are sets of qualified symbol names. Such STFs can be combined as the need for constants grows, e.g., starting with a remote control for volume control (distinct buttons for volume up and down), but later extended to a more complex remote control with more buttons for more functionality.

Dismissal of the casl parameterization mechanism
Alternatively to an STF free, one might be tempted to utilize Casl parameterization and instantiation by providing a library that consists of family of specifications as follows: Such parametrised Casl specifications can be instantiated, e.g., in order to specify that for the purpose of volume control the remote shall have two buttons "up" and "dn", which are different from each other: • Casl parameterization fixes the number of symbols in the parameter. There are either two, three, . . . constants that are declared in the formal parameter. These can be reused in any context using a signature morphism, with the induced contravariant model functor transporting models consistently across from the larger context to the component specification.
• There is no language support in Casl to express that the specifications SortWithMinimum2Elements, SortWithMini-mum3Elements, . . . have anything to do with each other: they could stand for completely unrelated concepts.
The first point limits expressivity. As a library can only comprise of finitely many specifications, in specification practice some size is bound to be missing. The second point makes it hard to prove theorems on such a family of specifications as the underlying 'construction principle' of the specification sequence has not been expressed. For instance, we can show that free in n constants implies free in m constants for m ≤ n (assuming the set of m constants is included among the n constants). 3 In Section 5.2, we will prove 'construction principle' theorems for families of STFs.
Overall, we conclude that Casl parametrization fails to be well-suited for expressing 'specification patterns'.

Generatedness
Related to the free STF, we should also consider an STF generated for limiting a type's carrier set to that of the available constants.
Here we need one formula with as many disjunctions as the number of elements we are limiting the carrier to have. Similar to the meta-theory of the free construction, we can show that generated in m constants implies generated in n constants for m ≤ n (assuming the set of m constants is included among the n constants).
Combining the free and generated functors (in either order) for the same set of constants, gives a specification of a type with exactly the given number of elements. If the generated (maximum) number is higher than the free (minimal) number of constants, there are models with varied sets of elements. On the other hand, if the generated number of elements is strictly lower than the free number of elements, the combination is inconsistent and has no models. This shows that an STF, just like the standard institution-independent union operation on specifications, changes the model class in 'arbitrary' ways.

Adding arguments to declarations
Another recurring issue is when we basically want the same function declarations and the same axioms as in another specification, the only difference being that the functions have extra arguments. This augmenting of argument lists with extra parameters controls the 'specialisation' or 'direction' of the functions.
We illustrate this by an example from differential algebra. The Leibniz rule is taken as defining a derivative D on a ring r, here formulated also with a directional parameter dir to define partial derivatives [9]. 3 Akin to the benefits of the meta-theory of Casl 'free types' as opposed to always working on specific instances of the theory.
The augmented specification clearly allows for a richer class of models than the original specification. Only if the D function on the right was forced to yield the same value for all directions, i.e., D(a, x) = D(b, x), would there be an isomorphism between the two model classes. However, for any fixed direction d, there is a projection from DirectionalLeibnizRule into LeibnizRule given by D d : r → r (replacing D on the left) defined by D d (x) = D(d, x) (from the right). This kind of play with notation, moving an argument down as an index on a function or moving an index up as an argument, is common in mathematics. In computing, moving between notation is not that simple, and a mechanism for syntactically modifying specifications in this way is needed. 4 Here an augment STF should be able to generate DirectionalLeibnizRule from LeibnizRule avoiding future maintenance problems.
Note that the corresponding construction will augment a selected subset of functions, cf. Section 3.4 below.

Lifting operators
Functional programmers have demonstrated the convenience of mapping functions across lists, e.g., having a function that doubles integers be mapped across a list to double all element values of that list. In array-oriented programming mapping nary functions across n arrays is a basic operation. Depending on properties of the elemental functions, the mapped functions will inherit similar properties. For arrays we need an index type I and an index function get that gets the element E from an array A.
This specification states that mapping a binary function f across two arrays is applying the elemental function to each corresponding element of the two argument arrays. Furthermore, a partitioning axiom states that equality on arrays is defined component-wise.
Note that the corresponding construction can lift any function, cf. Section 3.4 below, though our motivating example demonstrates it for one binary function only. Given axioms on E, some of these will be valid for the array as well.

Properties can be preserved
Equational formulae on the elemental functions are valid for the mapped functions. For instance, commutativity holds for the lifted operation when it holds for the elements.
The corresponding STF lift can take a specification, e.g., that the elements form a ring, the declaration of an indexing function get : A × I → E, and generate the partitioning axiom, the mapping of all the elemental operations, and all implied equational properties of the mapped functions, i.e., in our case that the arrays also form a ring.

Properties can be destroyed
The integers are an integral domain, i.e., the following property holds: However, when applying lifting to the integers, the lifted variant of this property does not hold. Take the model of BinaryMap where sort E is interpreted by the integers, and the arrays A are integer vectors with two components. Then we obtain through lifted multiplication (0, 1) * (1, 0) = (0, 0) though both of the factors are different from (0, 0).

Partiality
Introducing partiality into total algebraic specifications is an error-prone activity. Mosses [10] presents a few such approaches with a discussion of some of the pitfalls. Here we use the idea of an error algebra in order to show the technicalities involved in changing a simple specification to one that contains error elements.
Let us start with the specification of a commutative ring, From this we can easily prove that a * 0 = 0 by the following sequence 0 = a * 0 + (−(a * 0)) = a * (0 + 0) + (−(a * 0)) = a * 0 + a * 0 + (−(a * 0)) = a * 0. Now we can turn the commutative ring into a field by adding an inverse function and the conditional equation a = 0 ⇒ a * inv(a) = 1. This leaves open of what happens to inv(0). Given a total ring algebra we can turn it into a partial algebra, by keeping the carrier set and all functions from the total algebra, add the inverse as given by the conditional axiom, and just leave inv(0) undefined.
If we want to stay within total algebras, one way to handle inv(0) is to introduce an error element and state that the inverse of inv(0) = error. Wanting to propagate the error element through the other operations, we can add axioms, a + error = error, −error = error, error * a = error, inv(error) = error.
Unfortunately this has the consequence that a = 0 for every element: 0 = error * 0 = error and a = a + 0 = a + error = error.
The problem is that the ring axioms imply that 0 is an absorbing element for multiplication (only) and the new axioms define error as an absorbing element for all operations. Since absorbing elements are unique, this forces 0 = error, which then has the consequence that 0 becomes absorbing and neutral for addition, which is only possible in the trivial ring.
To avoid this we must guard the original axioms with the condition that they only work when the arguments are not the error element, and then add a complete set of error propagation rules, For this special case the axiom list can be simplified since associativity, commutativity, neutrality and distributivity hold also if one or more of the arguments is the error element. The inverse rules for + and * do not hold if a is the error element.
An error STF could add an explicit error element and transform formulae as demonstrated.
Adding an error element is doing a bottom completion of the partial algebra where the expression inv(0) is undefined. Bottom completion defines an adjoint situation between the partial and the total algebra, and does not in general preserve the axioms from the partial algebra to the bottom completed total algebra. Conditionals avoiding error arguments in the axioms are needed.

Syntactic theory functors
The examples in the previous section show that there is a varied need for transporting specifications from the base context to a new context. This breaks the general requirement for institution-independent structuring mechanisms which have to be compatible with the signature morphisms for all signatures.
In this section, we give a definition of STFs in the context of institution theory and prove some elementary properties of STFs. This is followed by a discussion of an alternative approach to reuse. In Subsection 3.3 we prove that the kernel language of syntactic structuring mechanisms, the so-called institution-independent structuring mechanisms, are STFs. We then show that our motivating examples fit into our definition. In the following section, Section 4, we demonstrate that STFs subsume a general class of specification building operations that have been studied in the literature, namely the so-called syntactic structure mechanism.

Definition of STFs and their elementary properties
Here we discuss how to capture construction principles of specifications in an institution-independent way. We are looking for a flexible framework that is capable of capturing the many transformations of specification text that the specifier might want to carry out. We first recall the definition of an institution:  (1) where M is an object of mod( ), and ϕ ∈ for( ).
A formula for a given signature is a tautology if it always holds. A set of formulae is non-trivial if at least one formula is not a tautology.
Objects of our discourse will be theories, more concisely the objects of a discrete theory category. 5 As we shall see in Section 3.3, this is in line with the institution-independent structuring mechanisms.

Definition 2. The discrete theory category Th id for an institution IN ST has theories
, , where is a signature and ⊆ for( ) is a set of formulae for that signature, as objects, and the identity morphisms id : , → , as morphisms.
The discrete signature category Sig id for an institution IN ST has signatures as objects and as morphisms the identity morphisms id : → .
We can decompose a tuple, such as a theory, into its component parts using projection functions _ 1 to access the first component, _ 2 to access the second component, etc. So for a theory T = , , the first projection T 1 = and the second projection T 2 = . 5 A discrete category is a category whose only morphisms are the identity morphisms. Category theory characterizes objects in terms of the relationships, i.e., morphisms, that each object exhibits to other objects in the universe of discourse. In this sense a discrete category is a category where objects fail to have a 'social life' -to use a metaphor coined by the logician Jean-Yves Girard, which was later picked up by the computer scientist José Luiz Fiadeiro in his book "Categories for Software Engineering" [11].
The model functor is trivially extended to the discrete theory category, mod : Th op id → CAT. It is the full subcategory of models for each such that each model satisfies the axioms , with the identity functor on these subcategories, i.e., for each theory , , We will define the STFs to be functors on the discrete theory category. Later we will show how STFs can be used to restore the signature morphisms and the social life of theories.

Example 1.
A discrete theory functor, i.e., a functor T : Th id → Th id , can map any theory to any theory. Take for instance the family of functors T described by when = ∅ for some signature = and some , ∅ when = ∅ and consistent for some signature = , when = ∅ and inconsistent Such 'unregulated' functors have few interesting properties. Therefore, we suggest a restricted version of the discrete theory functor.

Definition 3 (Syntactic theory functor (STF)).
We call a discrete theory functor F : Th id → Th id syntactic if the application of F on objects can be decomposed , and • F for, : for( ) → for(F sig ( )) is a function for every signature ; and the application of F on morphisms is given by Without a social life, the functor F sig is equivalent to a function from signatures to signatures. It captures the effect of F on the signature, i.e., F ( , ) 1 = F sig ( ). The functor F base provides properties related to the signature elements. It is equivalent to a function from signatures to sets of axioms for the target signature. Finally, the function F for , describes the effect of F on individual formulae ϕ ∈ . By abuse of notation we also write F for, for the pointwise application of F for, to a set of formulae . In Section 3.4 we will see that our motivating examples can be formulated using STFs.
The family of functors presented in Example 1 fails to describe STFs for = and = : the value of the resulting signature T ( , ) 1 depends on , i.e., it maps theories over the same signature to theories over different signatures, depending on the formulae.
STFs are well behaved with respect to set operations on collections of axioms. Furthermore, theories and STFs form a category.
Proof. First we note that the function F for is additive for every signature , i.e., F for, ( 1 ∪ 2 ) = F for, ( 1 ) ∪ F for, ( 2 ). Since F for, is defined by its effect on each axiom this is clear. The claim is easily seen to hold by expanding the definition of both sides: We can interpret the identity functor id Th id : Th id → Th id on objects by id Th id ,sig ( ) = , id Th id ,base ( ) = ∅ and id Th id ,for, ( ) = , which taken together gives showing it is a syntactic theory functor.

Proposition 1 (Composition of STFs
Proof. We need to show that this gives the functor G(F ( , )), which follows from the derivation Theorem 2 (Category of theories and STFs). There is a functor category with Th id as its object and STFs as morphisms.
Proof. We know that STFs compose to STFs, and that the identity functor on theories is an STF. Since STFs are theory functors, composition is associative, and the identity theory functor is the identity for STF composition. This gives the claimed functor category. 2

Remarks on the STF definition
Our definition of syntactic theory functors balances between many similar institution and related entailment system morphisms. We therefore look at some aspects of the STF definition which exposes some technical motivations. We use the terminology from [12].
An STF F : Th id → Th id is per definition a signature preserving endofunctor on Th id , i.e., signatures are mapped to signatures without taking into consideration the formulae component of the theory. We can consider the functions F for, : for( ) → for(F sig ( )) for every signature , a natural transformation F for : id Sig id ; for ⇒ F sig ; for. Then the STF F is F for -sensible: it is fully determined by F ( , ∅) and F for .
These properties of STFs admit a more advanced meta-theory. In our current setting with discrete signature and discrete theory categories this does not immediately give much. In the setting of model consistent STFs that allows us to build institutions, see Section 5, many interesting results from [12] should carry over. We do not explore this general setting further here, but we provide some results for the structural properties of specific STFs in Section 5.2.
The STF notion is also similar to the notions of theoroidal (co)morphisms. While these morphisms allow for a more advanced institution, like the one of partial algebras, to be translated into a simpler institution, like the one of total algebras, these results cannot be applied directly to STFs. An STF is allowed to modify the model class in ways not compatible with the requirements for theoroidal maps. Further, STFs allow us to start in the simpler institution, conceptually map to a more complex institution and then do the encoding in the simpler institution. The example in Section 2.5 does this: it takes us from the total algebra of rings, adds a partial function inv, and then encodes this as a total algebra with error elements. Thus STFs have a strong flavour of being theoroidal without satisfying the criteria.
Codescu [13] works with generalised theoroidal comorphisms, which are similar to specification frame comorphisms. These also relate theories and models, but ignore the signature part. The purpose is to allow a minimalistic translation of theories to theories in order to reuse existing tools for one institution when solving problems in another institution. Such tools are better helped if the translation can be adapted to the actual set of formulas being transferred. This achieves the flexibility of translation as exposed in Example 1 above. Codescu's solution is thus deliberately not signature preserving. We believe signature preservation is significant for the purpose of STFs.

The kernel structuring mechanisms are STFs
Here, we consider the kernel language for structuring specifications in an arbitrary institution: presentation, union, renaming and hiding [14]. We present this in order to show that STFs cover the basic structuring mechanisms, but also to motivate why STFs are defined on the discrete theory category. Originally, [14] gives a model-semantics to its institutionindependent structuring operations. However, as STFs concern syntax only, necessarily we have to work with a syntactic characterization. To this end we utilize the classical results concerning normalisation of structuring operations [15].
Presentations are already included in our setting. They are the finite theories: finite signatures with finite sets of finite axioms.
A specification is a syntactic object built from finite theories using structuring operations, i.e., a finite theory is a specification. The notation of a specification usually includes the pragmatic restriction to finite theories. In contrast, our discussion of STFs does not require this restriction. Its results also apply to infinite theories.
The union operator of specifications is a binary operator ∪. Given two specifications Sp 1 and Sp 2 over the same signature for its normal form NF the following holds: Taking theories ( , ) and ( , ) rather than specifications, we can capture the union operation by a family of STFs indexed by theories , , i.e., union , : Since the union operator only works when both argument theories have the same signature, the functor gets a 'bump' when they are equal, and is otherwise the identity functor. This is OK for a functor on the discrete theory category, but will cause problems if the theories are connected with signature morphisms. The 'bump' can be smoothed if the underlying institution, e.g., allows union on signatures, but such a smoother union STF will only work for such institutions and not be an institution-independent solution. Writing = mod for equality of model classes, we can relate union of specifications to our STF.
Renaming applies a signature morphism to a specification. Given a specification Sp and a signature morphism σ : → , for its normal form NF(Sp) = ( , ) the following holds: NF(rename Sp by σ : → ) = ( , for(σ : → )( )). We can capture the renaming operation by a family of STFs indexed by signature morphisms σ : → , i.e., rename σ : → : Here it is quite clear that the 'bump' at will cause problems when interacting with the signature morphisms in a non-discrete theory category. Further note that we get an STF for each signature morphism, somehow 'reconstructing' the structure in the category of signatures we removed. With this rename STF, we obtain: Hiding fails to be a syntactic structuring mechanism in many logics [16], i.e., there are specifications formed with hiding for which there does not exist a specification without hiding which is semantically equivalent, see e.g. [17]. Consequently, we refrain from characterizing hiding as an STF.
Both the union and rename STFs are institution-independent, i.e., can be utilized in any institution-based specification formalism.

STFs for our motivating examples
All of our motivating examples give rise to STFs. They are Casl specific. As Th id and Sig id are discrete categories, it suffices to specify the effect on objects only. We are now working in the Casl institution which allows union of signatures.
Concerning finite sets of distinct constants, cf. Section 2.1, we define for a signature = (S, F ) consisting of a set of sort symbols S and a set of function symbols F and for each formula ϕ over : Here, s is a sort name and c 1 , . . . , c n , n ≥ 0, are constant names. Note that the free functor actually is a family of functors where dir is a sort symbol and D is a set of operations. The idea is that D ⊆ F is a set of existing operations we want to augment with an extra argument. We further define: x is a fresh variable over ϕ, and ϕ is like ϕ but with each term d(t 1 , . . . , t k ) replaced by d (x, t 1 With this STF, we obtain DirectionalLeibnizRule = mod augment dir,{D:r→r} (LeibnizRule).  (a 1 , . . . , a k ) where A is the 'array' sort, to which operations shall be lifted, I is the index sort of A, and E is the sort from which operations should be lifted. An alternative version could also lift equational axioms on E to equational axioms on A by providing the conjunction of the original equation on E with the similarly formulated axiom on A when defining lift A,I,E ,for, S,F (ϕ).
Finally we capture the rule for introducing error elements to a total specification. Here we add an error element for each type S, add new axioms for error propagation for each function declaration in F , and protect all existing axioms against inadvertently applying to error elements. This gives an STF error : Th id → Th id , error sig (S, F ) = S, F ∪ {s error : s | s ∈ S} , where ϕ is the same axiom as ϕ, but where the axiom has a conditional x j = s j,error for every variable x j : s j used in the axiom. 6 Based on the successful representation of all of our motivating examples, we conclude this section with the conjecture that STFs are a concept broad enough to capture design patterns for specifications.

STFs are syntactic structuring operations
Most specification languages provide structuring mechanisms going beyond expressing specifications simply as, often finite, 7 theories T = , . This gives a structured specification language with Struct(Th id ) as the set of all specifications that we can provide.
A structuring language Struct(Th id ) is syntactic over Th id [16] if for every structured specification Sp ∈ Struct(Th id ) there exists a theory T ∈ Th id such that mod(Sp) = mod(T ), i.e., the structuring mechanisms do not offer more expressive power. They rather support the stepwise construction of specifications and help in understanding large specifications by imposing structure on them. Often the relation between a specification Sp and its equivalent theory T can be expressed by a function flatten : Struct(Th id ) → Th id where mod(Sp) = mod(flatten(Sp)). Usually, Struct(Th id ) includes presentations ι : Th id → Struct(Th id ) with semantics mod(ι(T )) = mod(T ).
The set of syntactic structuring mechanisms of a specification language can be extended by STFs:

Proof. (by induction on the terms of the structuring language) Given a theory T , we have by definition mod(ι(T ) = mod(T ).
Consider s(Sp 1 , . . . , Sp k ), k ≥ 1, where s ∈ Struct and Sp i ∈ Struct F , i = 1, . . . , k. Then by I.H., there exist theories T 1 , . . . , T k ∈ Th id with mod(Sp i ) = mod(T i ), i = 1, . . . , k. As s ∈ Struct, we have flatten(s(T 1 , . . . , T k )) ∈ Th id and mod(s(Sp 1 , . . . , Sp k )) = mod(flatten(s(T 1 , . . . , T k ))). Consider F (Sp), where F ∈ F and Sp ∈ Struct F . Then by I.H., there exists a theory T with mod(Sp) = mod(T ). By Definition 4 we have flatten(F (T )) = F (T ) ∈ Th id and mod(F (Sp)) = mod(flatten(F (T ))). 2 A potential critisism to STFs is that they work on discrete signature categories and thus ignore part of the structure given through an institutional setting. Thus, one should note that the moment one works with Struct F (Th id ), where Struct includes the renaming operation, the morphisms are back again: Remark 1. Note that with the renaming STF, on the structuring level we get the signature morphisms back: any signature morphism σ gives rise to an STF rename σ . 6 Note this is a bit simplistic and only works well for axioms in the form of boolean expressions, which includes equational and conditional equational axioms. Axioms with embedded quantifiers need a more advanced treatment. 7 Both, signature and set of formulae are finite.

Case study: remote control
Coming back to our initial example of specifying a remote control, e.g., for a TV, we demonstrate how STFs can ease the development of a specification for such a device.
Abstractly seen, a remote control provides a user interface of several buttons. When a user presses a button, the remote control sends out an (infrared) signal. In remotes for entertainment, this signal is a bit string consisting of three substrings: the first string is an identifier of the company, the second string encodes the type of the device (e.g., TV, DVD, game console, satellite receiver), the third string finally is a code specific to the pressed button. Using a loose specification, this first view on a remote control can be made precise in Casl: Thinking of Boolean strings as the intended carrier set of Signal, in the intended model __++__ stands for string concatenation.
Following the paradigm of step-wise refinement, such abstract view on remote controls in home entertainment can be made more concrete. For easy selection of channels, a remote control shall have at least 10 different buttons for the digits 0 to 9. Furthermore, there should be a button to turn the device on and off. All these buttons should be different. Using our STF free we can specify: Often, a remote control shall control several devices. To this end remote controls work in different modes. Each mode corresponds to a device, i.e., the second string of the signal is mode dependent. Using our augment STF, we can add this mode dependency by turning the constant deviceType into a function: In a next step, we might want to specify that the remote control shall be able to deal at least with TV, DVD, and a SAT (receiver). Here, we can again use our STF free in order to add these as different modes: Finally, one might want to add that there shall be two buttons "up" and "dn" for the purpose of volume control: Note that the STF free specifies a minimal number of elements in the carrier set. Thus, this second application of the STF free to the sort Button is consistent, as it simply increases this minimal number. That the STF doubles certain axioms, such as, e.g., ¬b 0 = b 1 , is unproblematic.
. . . (distinctiveness axioms) . . . end where we leave out the 81 distinctiveness axioms: 78 are needed to express that there are at least 13 distinct buttons, 3 are needed to specify that there are at least 3 different modes. One could argue that these axioms are 'primitive'. However, note they cannot be written any shorter in Casl: Casl's free type construct is semantically different; it would specify that there are exactly 13 different buttons and exactly 3 different modes. Furthermore, as the Casl free construct is not in first order logic, using it in specifications requires specific theorem proving support.
It is important to note that this specification exercise can be re-factored. The order in which we applied the various STFs plays (at least in this example) no role. Thus, one could first build up the infrastructure for modes in two steps, and only then, in a third step, care about the buttons: Without studying this topic further, we mention that this refactoring exercise illustrates that STFs come with algebraic properties such as subsumption or commutativity of STF application.

Methodological analysis of the case study
From a methodological point of view, our case study demonstrates a number of advantages through using STFs: • STFs can concisely express connections between specifications that cannot be expressed otherwise. Without using the augment STF as a specification transformation, it would not be possible to derive the specification RemoteControlWith-Modes from the specification RemoteControlWithElevenDifferentButtons -although this appears to be a 'natural' development step.
• Using a number of STFs in sequence is a way to enrich specifications to capture more and more aspects of a system. • STFs allow for shorter and more concise specification text.
• STFs can keep the specification logic simple, allowing for better theorem proving support.
• The effect of STFs is controllable. Through flattening, the specifier can find out if the application of an STF yields the desired result. This transparency allows for faithful modelling, where specification elements are traced back to a given narrative.

How to make STFs available to specifiers?
The theoretical framework that STFs provide has the potential to greatly support the specifier. This, however, is contingent on proper tool support. Though the formalism is still at an early stage, certain elements of such tools are already clear. They should support: Application of STFs. Tools need to support the application of STFs. This support will essentially be of type-checking nature.
It will ensure that all parameters of an STF are instantiated, e.g., the above free STF requires two parameters, one sort symbol and one set of constant symbols. Furthermore, it will ensure that conditions linking actual parameters of an STF and a specification are fulfilled, e.g., in the above augment STF its second parameter D should be a subset of the operation symbols F of the specification. Flattening. Tools need to be able to flatten STFs and show the result to the specifier. The flattening operation should allow the specifier to select which of the possibly many STF applications to be flattened. Libraries of STFs. Tools need to offer access to different libraries of STFs. These libraries will fall into different categories: some STFs are of general nature, as, e.g., the specification structuring operations or the constructions in Cerioli's and Reggio's study on the interplay between partiality, subsorting and predicates [3]; other STFs will be of domainspecific nature, i.e., they will capture constructions identified by domain engineering. Definition of new STFs STFs gain flexibility through two elements: the shape of their parameters is unrestricted; the functions that they realise are unrestricted. This makes it hard to identify 'standard constructs' that would allow one to build 'all' STFs. However, tools should define an abstract interface for STFs. Such an interface will require the implementation for three component functions. It will also ensure that the component functions only make use of those parts of the specification that should be accessible to them; i.e., only signatures are passed to F sig and F base , while F for depends on both, signature and formulae of a theory.

Building institutions from STFs
When building complex specifications from simpler ones, we are interested in knowing what properties are valid for the new specification and how it relates to the components' properties. For union we know that all properties deducible in each component hold for the combined specification. This holds even if the component specifications contradict each other, in which case the combined specification has no models. Similar results exist for renaming.
In this section we study constructions and property transport between combined and component specifications for STFs. First we look at building syntactic structure from STFs and the property of model consistency. Then we explore how our motivating example STFs transport properties. Finally, we use this insight to create more complex institutions from base institutions with model consistent STFs.

Model consistent STFs
Since STFs are signature preserving we can use that to equip our discrete signature category with morphisms.

Definition 5 (STF induced arcs on signatures).
Let F : Th id → Th id be an STF, let be a signature. Then F defines an arc to another signature, namely F : → F sig ( ). We call an arc F trivial whenever for all ⊆ for(Sig) it holds that F ( , ) = , , non-trivial otherwise.
Note that for an arc F : → it depends on the effect that F has on formulae whether F is trivial or non-trivial. In a trivial arc, F sig ( ) = , F base ( ) = ∅, and F for, ( ) = , for all . An STF F : Th id → Th id is model consistent if, for every F : → F sig ( ), there is a functor μ F : mod( ) ← mod(F sig ( )) such that for all M ∈ mod(F sig ( )) and all ϕ ∈ for( ) the condition holds.
Note the 'asymmetry' in the equivalence (2): there is a single formula on the lhs of the equivalence, while there possibly is a set of formulae on the rhs of the equivalence. Further note that only non-trivial arcs are interesting for deciding model consistency.

Proposition 4 (Trivial arcs generate model consistent functors). Let F : → be a trivial arc for an STF F . Then
Proof. Let ϕ ∈ for( ) be a formula and M ∈ mod(F sig ( )) = mod( ) be a model.
In Definition 6 we have chosen μ F : mod( ) ← mod(F sig ( )) to be a functor, i.e., μ F 'transports' both, objects and morphisms, of the model category. However, model morphisms do not play a role in equivalence (2). Thus, alternatively, one could also work with a discrete model category. There are STFs F that allow the definition of μ F only in discrete model categories -see the discussion of the STF augment in Section 5.2.1 below. The constructions of an STF Path institution and an STF institution in Section 5.3 work also when one replaces the model categories with discrete ones.

Proposition 5. The composition of model consistent STFs is a model consistent STF.
Proof. Let F and G be model consistent STFs with related model functors μ F : mod( ) ← mod(F sig ( )) and μ F sig ( ) G : mod(F sig ( )) ← mod(G sig (F sig ( ))), respectively. Then the model functor μ F • μ G will be model consistent with F ; G. Let N ∈ mod(F sig ( )) and ϕ ∈ for( ), and M ∈ mod(G sig (F sig ( ))) and ψ ∈ for(F sig ( )), then By inserting μ G (M ) for N and F ( , {ϕ}) 2 for ψ we get There is a functor category with Th id as object and model consistent STFs as morphisms. It is a subcategory of the category of theories and STFs.
Proof. The identity functor is a model consistent STF (it has only trivial arcs), and model consistent STFs compose, see Naturally, not all STFs are model consistent. We can make two general observations on having and not having model consistency. The first is a positive result relating model consistency to signature morphisms in the underlying institution. The second is a negative result for model consistency of STFs with non-trivial base axioms.

Proposition 6 (Model consistency and signature morphisms). Let F be a renaming STF for a signature morphism σ : → . Then F is model consistent.
Proof. The renaming STF defines trivial arcs everywhere except at while at it behaves like the signature morphism.
In the former case the identity model functor provides model consistency. In the latter case the reduct functor mod(σ op ) provides model consistency. Thus for every signature the STF F is model consistent. 2 Proposition 6 easily extends to families of STFs defining some subclass of signature morphisms. For instance in Casl this could be STFs defining signature inclusion only, STFs defining name changes only, STFs defining swapping of arguments only, etc. This does not preclude STFs not being related to existing signature morphisms also being model consistent.

Proposition 7 (Model consistency and non-trivial base axioms). Let be a signature for which tautologies exist and let F be an STF
where F base ( ) is non-trivial, i.e., includes a formula which is not a tautology. Then F is not model consistent.
Proof. Let ϕ be a trivial axiom for . By the assumption there exists an M ∈ mod(F sig ( )) such that M / ∈ mod(F base ( )).
Then any functor μ F : mod( ) ← mod(F sig ( )) will have that μ F (M ) |= ϕ while M |= F sig( ) F ( , {ϕ}) 2 . Hence no model functor can make F model consistent. 2 In spite of not being model consistent, STFs may still transport formulae in one or the other direction of (2). Since most of our example STFs add non-trivial base axioms the negative result for such STFs motivates a slightly weaker notion for transporting formulae, which considers only models of the theory (F sig ( ), F base ( )) rather than all models of F sig ( ):

Definition 7 (Formula transportation by STF). The STF F transports formulae when for all signatures
there is a functor such that for each model M ∈ mod(F sig ( ), F base ( )) and for each formula ϕ ∈ for( ) one of holds. Holding with "=⇒", equation (3), is preserving formulae, and holding with "⇐=", equation (4), is reflecting formulae.

Proposition 8. If an STF is model consistent it transports formulae both ways.
Proof. For an STF F and signature we know that F ( , {ϕ}) 2 = F base ( ) ∪ {F for, (ϕ)}. Hence the transport requirements both ways will hold for all M ∈ mod(F sig ( )), specifically for all M ∈ mod(F sig ( ), F base ( )) ⊆ mod(F sig ( )) as required for transport of formulae both ways. 2  free  generated  lift  union  rename  error  augment  augment  model consistent  ----- . 1. Reflection and preservation properties for STFs in the context of Casl. a In addition lifts equational axioms from elements to arrays. b Only for boolean expression axioms. c Only for discrete model categories.
Thus renaming STFs both preserve and reflect formulae. More generally, an STF translates formulae both ways when the formulae mapping component of an STF is compatible with a signature morphism. Proposition 9. Let F be an STF and F : → be a signature morphism in the underlying institution for each F such that F for, = for( F ). Then F both preserves and reflects formulae.
Proof. Since each F is a signature morphism we can define μ F = mod( op F ). This ensures the satisfaction condition (1) for each M ∈ mod(F sig ( )), specifically for those M compatible with the base axioms F base ( ), as required for transporting formulae both ways for the STF F . This tells us that when looking for model consistency of an STF we can first check for formulae transportation properties. If the STF transports formulae both ways, we then can explore if the preservation of formulae can be extended to the whole model class.

Model consistency and formulae transportation for our motivating examples
In this section, we investigate model consistency, reflection and preservation of our STFs within the context of the Casl institution. Fig. 1 summarizes our results. The definition of the STF augment can be found below.
It is interesting to see that the union as an STF is not model consistent, i.e., already 'classical structuring operators' fail to work in an institutional setting. Another interesting observation is that all the results summarized in Fig. 1 concern families of patterns. As STFs are parametrized, it is possible to establish properties on them -this is in contrast to the idea of a library of parametrized Casl specifications, cf. our discussion concerning the "Dismissal of the Casl parameterization mechanism" in Section 2.1.1.
Proof. The error STF enlarges the signature, thus there is an embedding from to error sig ( ) and a related reduct. Let ϕ be a boolean expression axiom with variables x 1 , . . . , x n in signature and M be an algebra in signature error sig ( ).
Case 1: if ϕ fails in the reduct of M , then the formula is preserved. Case 2: Assume the axiom holds in the reduct of M , then the formula x 1 = error ∧ . . . ∧ x n = error ⇒ ϕ will hold in the error algebra, since the new formula is effectively a formula on a subalgebra of the reduct algebra. 2

The STF augment -or why discrete model categories might be useful
The last STF that we discuss is the STF augment. Here, it is hard to come up with a suitable 'reduct' functor μ augment , for each signature , since an extra unbounded parameter is introduced as the direction argument. To illustrate this point, we first discuss a new STF augment .
The STF augment is identical to augment, however, the new STF adds one constant, say a : dir, to the signature: augment dir,a,D ,sig (S, F ) = S ∪ {dir},  Next we prove that the reduct of a morphism fulfills the homomorphism condition on models (by case distinction).
Case 1: Let f : s 1 × · · · × s k → s ∈ F \ D and x i ∈ μ(M (s i )), i = 1 . . . k. Then Case 2: Let f : s 1 × · · · × s n → s ∈ D and x i ∈ μ(M (s i )), i = 1 . . . n. Then Using the same μ as in the previous proof, we have μ( Now we illustrate that it is actually the model morphisms that make it impossible to come up with a 'reduct' μ for the STF augment.

Proposition 14.
The augment STF is reflecting formulae when working with discrete model categories.
Proof. As a 'reduct' functor μ a define for an object M ∈ mod(augment dir,D ,sig (S, F )) that μ a (M )(s) = M (s) for sort symbols s ∈ S and for function systems f : s 1 × · · · × s n → s ∈ F , n ≥ 0, x i ∈ μ a (M )(s i ), i = 1 . . . n and an arbitrary value a ∈ M (dir).
Proof by case distinction.
• There exists no model M with M |= augment dir,D ,sig (ϕ) 2 . Then the premise is false and the implication holds.
• There exists a model M with M |= augment dir,D ,sig (ϕ) 2 . In case that ϕ involves a function symbol f ∈ D, augment dir,D ,sig (ϕ) is of the form ∀d : dir • ϕ , i.e., the formula holds for any direction. Thus, it holds for any specific choice, and in particular for a. 2 The STF augment on the discrete model category fails to preserve formulae for the same reason augment fails to preserve formulae.
The choice of arbitrary values used to define the discrete reduct μ above is completely uncoordinated between models and between homomorphisms on the models. This causes problems when we try to map the homomorphisms.  (1, x), we can establish the homomorphism condition for the reduct of h , as h dir (1) = 1: However, we fail with the homomorphism condition for the reduct of k , as k dir (1) = 2: In case we would work with a discrete model category, there is no problem of choosing values for the direction which are 'consistent' with model homomorphisms -for the simple reason that there are no nontrivial model homomorphisms.

Institution construction from model consistent STFs
Recall the construction of a path category. If we start with a collection of objects and arcs (morphisms without a composition rule), we can create a path category by reusing the objects, and defining every path of such arcs (including the empty path and the singleton path) as a morphism. Path composition is concatenation. It has all the necessary properties: the empty path at each object being the identity morphism and associativity inherited from concatenation. If the collection of arcs is empty, the path constructions yields the discrete category.
Utilizing the idea of a path category, we form an STF path institution IN ST F relatively to a collection F of modelconsistent STFs, with reduct functors μ F for each signature and each STF F ∈ F , over a given institution IN ST : • Its category of signatures is the path category Sig F , where we take the signatures as objects and, for every F ∈ F , the non-trivial F : → F sig ( ) as the arcs. • Its functor for F : Sig F → Set of formulae is given on objects by for F ( ) = for( ). For F ∈ F and any non-trivial F , we define for F ( F )( ) = F ( , ) 2 . This extends to paths in Sig F by function composition in Set.
• Its contravariant functor mod F : Sig op F → CAT of models is given on signatures by mod F ( ) = mod( ) from the underlying institution. As every F ∈ F is model consistent, we can define mod F ( op F : ← F sig ( )) = μ F , extended to paths in Sig F by functor composition in CAT.
• Its satisfaction relation is the one from IN ST .

Theorem 4 (STF path institution). A collection F of model consistent STFs on the discrete theory category associated to an institution
Proof. The constructions above for model consistent STFs ensures the functors have the appropriate sources and targets, and have the needed properties with respect to |= for IN ST F to be an institution. 2 Some collections of STFs F may have morphism composition properties that are not reflected in the STF path signature category Sig F . For instance, consider a signature morphism which has an inverse. Then the two renaming STFs corresponding to the signature morphism and its inverse will compose to the identity functor id Th id on Th id , but as paths the composition of the two renamings will not be id Th id . Since each path is a sequence of non-trivial arcs indexed by the corresponding STFs, we can look at the composition of the underlying STFs in order to identify paths which behave the same on the corresponding theories. The empty path, the identity, on a signature corresponds to the identity STF.
We define an equivalence relation on paths in the STF path institution. Let p, q : → be paths with associated STFs  This allows us to build up an institution IN ST /F step by step, with powerful signature morphisms created from the non-trivial arcs of F . The starting point can be an institution with a discrete signature category, extended with more versatile signature morphisms as they are discovered. Each such addition is by construction connected to a syntactic specification structuring mechanism which can be freely composed with other syntactic specification structuring mechanisms.
Such flexibility is useful when a domain expert starts organising a domain, e.g., as an ontology. An ontology expert may come in at a later stage, suggesting standard or novel syntactic theory functors in collaboration with the domain expert, providing structure (as a series of institutions) and improved reuse capabilities (as collections of STFs) in a consistent and extensible STF framework.

Pragmatics of developing OMSs
Reflecting on the framework we have developed above, we can make the following observations on developing ontologies, models and formal specifications (OMSs). For a specification, modelling or ontology formalism, the institution notion captures its essential aspects: • The (discrete) signature category defines the notation of the formalism. • The formulae functor defines the formulae that can be expressed for each signature.
• The model functor defines the possible semantics of a signature. • The satisfaction relation tells when a semantical model for a signature is compatible with a specific formulae.
The requirements on the institution ensures that whenever there is a mapping between notations of the specification formalism, then the truth of the formulae remains invariant to the change of notation. Coming up with good notions of signature morphisms (notation mappings) that have the required properties is hard due to these requirements.
The STF notion formalises parts of the process of developing large specifications from smaller components. STFs map signatures to signatures, possibly adding base axioms, and allow modifications to formulae by systematically changing them to match the new notation. Some of these STFs are truth invariant (model consistent), and thus provide an apparatus similar to signature morphisms in an institution, others deliberately change the model classes in model inconsistent ways. The latter, like adding error elements to a specification, are not truth-invariant development steps.
Thus specification development along a signature morphism ensures reuse of truth, while other development steps need to be investigated on a case by case basis to identify preserved, reflected or in other ways induced properties. With STFs these insights can be gathered step by step, giving the specification or ontology developer a more powerful toolset as the development process becomes better understood.
Consider the Casl institution [15]. It is a powerful institution in the sense that the Casl rename facility goes far beyond standard practice in most algebraic specification languages. As such the research leading up to this institution is significant. Using the methodology developed in this paper, we could grow this institution piecemeal instead.
The discrete Casl institution would follow from defining the Casl specification language and its semantics. Then the introduction of STFs that allow renaming of type names, similar to simple uses of templates in C++ and generics in Java, can easily be shown to be model consistent. This then gives a Casl institution where truth is invariant of type names. Independently of this, STFs that allow changes to function names can be investigated and shown to be model consistent, giving a different institution for Casl specification reuse. Further, STFs that allow swapping of function argument ordering can be shown to be model consistent, giving a Casl institution where the reordering of function arguments is the signature morphism notion. These STFs can then be combined, giving the standard Casl institution [15] with signature morphisms that allow changing of type and function names as well as function argument reordering.
We can then conceive of going beyond this Casl institution by investigating STFs corresponding to "wrapper functions", commonly needed in programming languages like C++ in order to adapt APIs. Wrapper functions would expand to a new kind of signature morphism which would allow changing the number of arguments to functions. These can also be shown to be model consistent, hence giving a Casl institution with an expressive power far beyond the standard Casl institution. Again, adding this signature morphism to the repertoire of Casl will be compatible with all existing Casl signature morphisms per Theorem 5.
A similar sequence of exploration steps will be valid for other OMS domains, giving a pragmatic approach to growing the underlying institution, with its benefits of truth being invariant of notation, as well as building a useful toolset of STFs for compact specifications in any such formalism.

Related work
There have been a number of different approaches which have tried to address the challenge posed in this paper: how to characterize a class of transformations of specifications which are • expressive enough to be useful in practice, • tame enough to be compatible with semantical frameworks.
Forssell et al. utilize substitution in order to define the effect of actual parameters on formal parameters of templates [18]. As we are also interested in enlarging signatures, cf. the example on lifting as presented in Section 2.4, replacing existing symbols is not general enough.
A number of solutions have been proposed in a language-independent way using institution theory. Castro et al. provide a general specification framework for dynamically reconfigurable systems [19]. In this context, they study how to transform the specification of a component into the specification of a component manager. To this end, they utilize the concept of socalled representation maps [20] as these allow to change the arities of symbols. Similarly, in the context of the specification language Z, the concept of promotion -that can be used to conveniently define large specifications from collections of simpler ones -can be captured as an institution representation [21]. The difference to our work is that representation maps preserve the properties of the original specification, while we are also interested in a framework that allows also to destroy properties, see the examples presented in Section 2.4 and accompanying STFs in Section 3.4.
Diaconescu [22] introduces a notion of a structured institution over an institution through a functor from the signature category of to the signature category of with some additional constraints. Most of the structuring mechanisms relate diagrams in to diagrams in through . A classical example of a structured institution is when is an institution of -theories. The syntactic theory functors allow us to create a similar theory-based institution for any . However, the STF constructed will in general have a discrete signature category, thus it is without any interesting diagrams. Diaconescu's results on normal forms and lifting of entailment systems (proof systems) from to are still valid in the STF context, and can be used to prove properties directly on STF specifications by exploiting the tools for the underlying institution.
See also the discussion of the STFs' relationship to theoroidal and generalised theoroidal maps in Section 3.2.

Summary and future work
In this paper we introduce the notion of a syntactic theory functor (STF) as an institution-independent construction. Institution-independence means STFs are applicable to ontologies, modelling and formal specifications (OMS). STFs add reuse capabilities to an institution, capabilities that can be flattened to basic specifications in the institution. An STF can therefore be understood in terms of the basic specification patterns it supports.
The paper explores this new structuring device both at a formal, institution-independent level, and with concrete examples in the algebraic specification formalism Casl.
At the general, institution-independent level we show that STFs are signature preserving and sensible, and that they in general compose and interoperate in natural ways. STFs subsume the standard set of institution-independent reuse mechanisms. We also provide insights on how formulae of the component specifications are preserved or reflected by the specification constructed using an STF. We further prove that model consistent STFs can be used to grow an institution: building a more advanced institutions stepwise from a simple, even discrete, one. This can be very important when developing, e.g., a new ontology. Then exploring reuse in the form of STFs for the ontology can give the ontology formalism a richer structure and better interoperability with other institutions in the setting of DOL [7]. This can enable using tools originally built for a different institution in the new one.
At the pragmatical level we have given many examples of STFs solving practical specification problems in algebraic specifications. This includes declaring specifications with many distinct constants, lifting specification of functions from elements to arrays, adding extra arguments to functions in specifications, and showing that STFs can be used to deal with partial algebras in a total setting, e.g., by systematically introducing an error element. As discussed in [10] such encodings are error prone and thus should be supported by a tool like STFs to avoid repeating the pitfalls.
In future work we plan to establish a library of concrete STFs together with their properties, e.g., what aspects of a specification they preserve, reflect or if they are model preserving. Especially interesting are STFs for encoding partiality in a total setting. Further, we want to develop a methodology and possibly tool support for specifying with STFs. While our endeavours will focus on algebraic specifications, e.g., Casl, we would hope that -taking, e.g., the interest in design pattern in the ontology community into account -our idea of STFs will be taken up in various other specification contexts.

Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.