Hybrid Process Algebra


P.J.L. Cuijpers, M.A. Reniers

Eindhoven University of Technology (TU/e), Den Dolech MB Eindhoven, The Netherlands

Abstract

We develop an algebraic theory, called hybrid process algebra (HyPA), for the description and analysis of hybrid systems. HyPA is an extension of the process algebra ACP, with the disrupt operator from LOTOS and with flow clauses and re-initialization clauses for the description of continuous behavior and discontinuities. The semantics of HyPA is defined by means of deduction rules that associate a hybrid transition system with each process term. A large set of axioms is presented for a notion of bisimilarity. HyPA may be regarded as an algebraic approach to hybrid automata, although the specific semantics of re-initialization clauses makes HyPA a little more expressive.

Key words: hybrid systems, process algebra, flows, discrete events, hybrid interaction, discontinuities

Email addresses: [email protected] (P.J.L. Cuijpers), [email protected] (M.A. Reniers).

Preprint submitted to Elsevier Science 16 February 2004

1 Introduction

1.1 Hybrid Systems

The theory of hybrid systems, studies the combination of continuous/physical and discrete/computational behavior. When computational software is combined with mechanical and electrical components, or is interacting with, for example, chemical processes, a hybrid system arises in which the interaction between the continuous behavior of the components, and the discrete behavior of the software is important.

In current practice, often the discrete part of a hybrid system is described and analyzed using methods from computer science, while the continuous part is handled by control science. The design of the complete system is usually such that interaction between the discrete and continuous part is suppressed to a minimum. Because of this suppressed interaction, analysis is possible to some extent, but it limits the design options. In the field of hybrid systems theory, researchers attempt to extend the possibilities for interaction. The goal of this paper, is to develop an algebraic theory, called hybrid process algebra (HyPA), to support these attempts. Our hopes are that hybrid process algebra can serve as a mathematical basis for improvement of the design strategies of hybrid systems, and the possibilities to analyse them.

[Fig. 1. Developing Hybrid Theory. Panel labels: Systems Theory Syntax, Hybrid Theory Syntax, Computer Science Syntax, Systems Theory Semantics, Hybrid Theory Semantics, Computer Science Semantics.]

In figure 1, a graphical representation is given of the general aim of our efforts. The figure shows our desire, that a hybrid theory is, in a sense, a conservative extension of computer science and systems theory. More precisely, a model from systems theory or computer science, should be expressible, and preferably look the same, in the hybrid theory, and theorems from systems theory and computer science should be transferable to the hybrid theory (when restricted to models from the original field of course). What the figure does not show, is that this conservativity is not the only goal. In that case, a simple union of the theories would be sufficient. We also desire a certain interaction between the theories, reflecting the interaction between software and physics described before. This goal is harder to formalize, but in the remainder of this introduction we hope to give some feeling for it, using examples of deficiencies (in our view) in existing hybrid formalisms, and indicating how we intend to improve on those.

1.2 Algebraic Reasoning

In systems theory, algebraic reasoning is acknowledged by most people, as one of the most powerful tools available for analyzing physical behavior. This behavior is usually described by differential equations and inclusions, which model the rate of change of the value of certain continuous variables, and algebraic equations or inequalities modeling constraints. When certain abstractions are made on physical systems [1], also discontinuous behavior is sometimes relevant, which is often described using difference equations to model changes and algebraic inequalities to model constraints. In this paper, we use a slight generalization of these modeling formalisms, in the form of flow clauses for continuous behavior, and re-initialization clauses for discontinuous behavior. This generalization was inspired by the work of [2].

In computer science, the usefulness of algebra is still a topic of much debate, but nevertheless there are interesting examples of applications of process algebra (see for example [3] for a list of references to protocol verifications, [4,5] for a start in the description and analysis of other industrial size problems, like the design of a controller for a coating system and a turntable system, and [6] for the description and analysis of railway interlocking specifications). In process algebra, the discrete actions that a system may perform are often considered atomic elements of the algebraic description language. These atomic actions can be combined using compositional operators describing choice between behaviors, sequential execution of behaviors, and concurrent execution of behaviors. In this paper, we attempt to combine the compositional view on systems that process algebra gives us, with the continuous and discontinuous physical behaviors described by systems theory.
To this end, we take the process algebra ACP [7] and extend it with a new atom, describing continuous behavior through the use of flow clauses, and with a new family of unary operators, describing discontinuous behavior through re-initialization clauses, as mentioned before. Also, we import the disrupt operator from LOTOS [8], since it turns out to model the sequential composition of flow clauses well. The choice for ACP is rather arbitrary, and we expect that the methods described in this paper can be easily extended to other process algebras.

So far, the only algebraic approaches that we know of regarding hybrid systems, are described in [9–11] (hybrid χ), [12,13] (hybrid versions of ACP), [14] (hybrid CSP) and [15] (φ-calculus). In the remainder of this introduction, we explain the deficiencies that these methods have, in our opinion, in describing hybrid interaction. We should note, that within other hybrid formalisms like hybrid automata [16,17], hybrid Petri nets [18–22] and hybrid action systems [23], the use of algebraic reasoning on differential equations for analysis purposes, is not uncommon. It is the process algebraic reasoning that is underexposed. For a translation of hybrid automata into the process algebras CSP, timed µCRL, and hybrid χ, see [24], [25,26], and [10], respectively.

In the hybrid theory that has been developed by system theorists (see for example [2,27–31]) algebraic reasoning is possible, but none of these theories support reasoning about non-determinism. All of these theories have a trace semantics, and cannot distinguish between processes that only differ in their non-deterministic choices. Since we would like a conservative extension of process algebra, we would also like to be able to distinguish systems up to the notion of bisimilarity, and therefore, we consider the system theoretic formalisms as non-conservative with respect to computer science. We should note here, that first investigations into what the notion of bisimilarity means for continuous systems, can be found in [32,33]. In section 3, we prove formally that HyPA is a conservative extension of the process algebra ACP, and by construction of the semantics, it is immediately clear that it is a conservative extension of differential inclusions and difference equations.

1.3 Flows and re-initializations

Before we discuss our views on hybrid interaction and on discontinuities, which are crucial to some of the choices made in the development of HyPA, we have to explain the concepts of flow and re-initialization, and illustrate the way they are described traditionally, and in this paper.
As mentioned before, continuous physical behavior is often modeled through differential equations and algebraic inequalities, while discontinuous physical behavior is modeled in a similar way through difference equations and algebraic inequalities. As an example of a differential equation, take ẋ = f(x,u), in which x and u are variables ranging over the real numbers, and f is a real-valued function. This equation models that the value of x changes continuously through time (indicated by the dot in ẋ) with a rate defined by f(x,u), i.e. by a function of the current value of x and u. Alternatively, if there is a choice of rates of change, one may write ẋ F(x,u), in which F is a set-valued function over the reals. Also, an inequality x f(x,y) may denote that x is constrained in its value (not its rate of change) for some reason. As an example of a difference equation, x⁺ = f(x,u ) denotes that the value of x is reassigned to f(x,u ), based on the previous values of x and u. This notation is for example used in [2].

More generally, differential equations and algebraic inequalities form predicates on the flow of variables, where a flow is simply a function of time to valuations of variables. Difference equations are predicates about the re-initialization (or discontinuity) of variables. In systems theory, several different formalisms are used for the description of continuous and discontinuous behavior, and often the modeling or analysis question determines which formalism is to be used. For example, integral equations are sometimes easier to use than differential equations, and sometimes even the notion of solution for a differential equation can vary (although not within one model). The consequence for our hybrid approach, is that we have to parameterize our theory in such a way that instantiations of these different formalisms can be chosen at will, by the modeler.

Flow predicates, and their notion of solution, parameterize the modeling of continuous, never terminating, physical behavior, by describing how model variables V_m are allowed to change through time. A flow predicate describes a set of flows, where a flow is a (partial) function of time T (some totally ordered set with a least element denoted 0) with a closed-interval domain starting from 0, to the valuations of model variables V_m. Both the model variables V_m (including the domains they range over) and an appropriate notion of time T are problem-specific and should be given by the modeler. The domain V(x) of a model variable x V_m is specified by the modeler at the first introduction of the variables. In this paper, the specification of domains is left out since, most of the time, it is obvious from the context. Flow predicates are a core part of the flow clauses of HyPA, that are formally defined in section 2.1.

Formally, we write V = x V_m V(x) for the union of all variable domains, and Val = V_m V for the set of variable valuations.
The set of all flows with a closed-interval domain starting in 0 is F = {f T Val dom(f) = [0,t] for some t T}. The flows that are described by a flow predicate, are called solutions of that predicate. We consider the set of flow predicates P_f, the sets V_m of model variables and T of time points, and the notion of solution = f F P_f, that defines which flows are considered solutions of a flow predicate, parameters of the theory. This means they can be instantiated by the modeler, depending on the specific modeling or analysis problem. The theory we present in this paper, is largely independent of that choice, except that we assume the existence of a flow predicate false P_f that satisfies no flow from the set F.

Re-initialization predicates describe a set of re-initializations, which are pairs of valuations representing the values of the model variables prior to and immediately after the re-initialization. Such re-initializations are called solutions of the re-initialization predicate. The set of all re-initializations Val Val is denoted R. As before, the set of re-initialization predicates P_r and the notion of solution = r R P_r, that defines which re-initializations are considered solutions of a re-initialization predicate, are considered parameters of the theory. We assume the existence of re-initialization predicates true, false P_r that satisfy any re-initialization, and no re-initialization from the set R, respectively. Re-initialization predicates are a core part of the re-initialization clauses of HyPA, defined in section 2.1.

Hybrid process algebra, intends to reason about predicates on flows, and about predicates on re-initializations, in general. However, since the use of differential and algebraic equations is common, we make use of this particular kind of predicates in the examples that we give. In this article, a flow predicate is specified as a differential or algebraic equation on the variables V_m and their derived¹ versions V m = {ẋ x V_m} (with ẋ also taking value in V(x)). Typical flow predicates are, for example ẋ = f(x,y), and x f(x,y).

For the description of re-initialization predicates in our examples, we make use of the sets of variables V m = {x x V_m} and V⁺_m = {x⁺ x V_m}, modeling the current and future value of a model variable, respectively. Typical re-initialization predicates are assignments, for example x⁺ = f(x,y ) which, in imperative programming, is usually denoted as x := f(x,y). But, also boolean predicates can be modeled using only the current value of variables, for example x y, which only allows discontinuities if x is smaller than y to start with. If necessary, this can be combined with equations x = x⁺ and y = y⁺, enforcing that the values of x and y actually do not change. In section 2.1, re-initialization clauses are introduced formally in such a way that this enforcement can be done more efficiently.
In the remaining parts of this section, the above notations will be used to illustrate our reasons for certain choices in the development of HyPA.

¹ We assume derivation is defined for all model variables, but if we want to use a variable x for which this is not the case (for example a computational data structure), then no formal problems arise as long as we do not use the derived variable ẋ in our predicates. In such cases, the value of x is assumed constant throughout the flow.

1.4 Hybrid Interaction

Many of the hybrid formalisms that we mentioned in section 1.2, have some problem in the definition of parallel composition. Surprisingly, in most cases, this problem comes to light in a purely continuous case study. Let us consider the following example, depicted in figure 2, of a continuous plant P described by the differential equation ẋ = f(x, u), and a continuous controller C described by u = g(x). The composition of plant and controller is denoted P C.

[Fig. 2. Continuous control system. Blocks: P with ẋ = f(x,u), and C with u = g(x); signals u and x.]

The hybrid automata of Henzinger [16], as well as the hybrid process algebras of Vereijken [12] and of Jifeng [14], assume that the continuous behavior of two composed systems is independent. Using these formalisms, the system P C would not model any interaction between P and C at all, since the only interaction between systems can be through computational actions. The variable x of P would simply be regarded different from the variable x of C. Hence, in our opinion, these formalisms cannot be considered to be a conservative extension of systems theory. At least, they do not support the way in which we would like to think about parallel composition of systems.

In the semantics of the tool HyTech [34,35], shared continuous variables do not pose a problem, because a hybrid trace semantics is used for Henzinger's hybrid automata, rather than a timed transition system semantics. This formalism is not suitable for us, however, since it is not algebraic, and only supports a restricted class of differential equations.

More surprisingly, it turns out that the parallel composition of the above processes is not defined for the hybrid I/O automaton model of Lynch, Segala and Vaandrager [17] either, at least not without a few amendments. In the formalism of [17], it is necessary to identify variables as either state variables of a system, or as external variables of the system. These two sets of variables are supposed to be disjoint. The intuition behind this partition is that the state variables model the memory of the system, while the external variables model the communication with other systems. Therefore, in a parallel composition, it is required that two hybrid I/O automata are compatible, meaning that the state variables of the one automaton do not intersect with any of the variables of the other automaton.
Now, looking at the plant P of figure 2, we see that we need to choose x to be a state variable, otherwise information on x is lost between transitions, but it also needs to be an external variable, since we need to communicate its value with the controller C. This contradicts the requirement on hybrid I/O automata that the set of state variables and the set of external variables are disjoint. The problem is not as big as it may seem, since by adding an external variable y, and the equation y = x, to the description of P, and changing the description of C to u = g(y), we can declare x to be a state variable, and find that the systems have become compatible. So, although the system in figure 2 cannot be modeled as P C directly in this hybrid I/O automaton model, we can model the modification depicted in figure 3 instead.

[Fig. 3. Compatible continuous control system. Blocks: P with ẋ = f(x,u), y = x, and C with u = g(y); signals u and y.]

In [36] it was already noted that the partitioning of the variables of a system into state variables and external variables is not always uniquely determined by the equations that describe the system. Even in our simple control example, it is possible to use the equations x = y and u = g(x), and declare x external and y a state variable. Often, there is no clear physical ground to choose a specific partition. This is one reason why we would like to avoid the partitioning of the set of variables of a system, in our semantics. Another reason, is that in basic textbooks on control theory (for example [37]), one usually starts out with developing controllers for plants of which the state variables are also output variables. It therefore seems, that the intuition behind compatibility, that state variables do not play a role in communication with other systems, does not coincide with the system-theoretic intuition. This is confirmed by the theory discussed in [36], where state variables may also be output variables of a system, while external variables may be inputs or outputs. In this paper, we show that partitioning the model variables as done for hybrid automata, is in fact not necessary, if a slightly different semantical view is taken.

HyPA is developed in close cooperation with the people working on the formal semantics of the language hybrid χ, which is focussed on the simulation of hybrid systems. Their operational semantics [11] uses a semantical structure similar to, and based on, the one we have developed for HyPA (discussed in section 2.2).
Also the hybrid process algebra of Bergstra and Middelburg [13] uses a hybrid transition system semantics. In section 4, we discuss the relation between HyPA, hybrid χ and the process algebra of [13] in more detail. Admittedly, these three languages are very similar, which calls for a more thorough comparison in the near future.

In φ-calculus [15], the semantics assumes continuous behavior to be a property of the environment, rather than of the process itself. There, (urgent) environmental actions allow the process to change the rules for continuous behavior in an interleaving manner, which leads to the replacement of one differential equation by another. Again, there is no continuous interaction between P and C. When we write P C in φ-calculus, the semantics is such that only the continuous behavior of the plant or of the controller is executed. This, clearly, contradicts with our intuition on the parallel composition.

In hybrid action systems, the parallel composition of P and C leads to the desired result, ignoring some syntactic differences. However, the parallel composition of two differential equations ẋ = 1 ẋ = 2 results in a process that acts like the differential inclusion ẋ {1, 2}. This, again, contradicts with our intuition. We would expect contradicting equations to result in deadlock. Nevertheless, both the interleaving approaches from φ-calculus and hybrid action systems, might turn out to be useful in situations where our intuition is flawed, and the theories might be considered complementary to HyPA.

In conclusion, we might state that we aim for an algebraic formalism, in which the parallel composition has a similar intuition as in [17], but without having to require compatibility of the composed systems. To do this, we have worked out the notion of hybrid transition system, as a semantical framework, in [38]. This framework, formally defined in section 2.2, unifies the discrete behavior of computer science and the continuous behavior of system theory in a similar way as the hybrid automata of [17] do, while avoiding the explicit use of state variables and external variables. From a system theoretic point of view, hybrid transition systems are an extension of Sontag machines [39].
Returning to figure 1, one might say that the chosen semantics of the original fields are transition systems for computer science, and Sontag machines for system theory. Hybrid transition systems, are our conservative extension of those.

On the framework of hybrid transition systems, it turns out to be rather easy to define an operational semantics for actions, as well as for predicates describing flows and re-initializations. Also all kinds of compositions known from process algebra can be defined easily using the method for giving an operational semantics introduced in [40]. As far as we know, HyPA and hybrid χ and the process algebra of [13] are the only process algebras for hybrid systems so far, that use an operational semantics in which complete physical flows are taken into account rather than only the time-behavior of a system.

1.5 Discontinuities

Regarding discontinuous behaviors, the semantics for flow predicates in HyPA, differs a little from the usual interpretation taken in, for example, Henzinger's hybrid automata. The standard approach there (and in most other hybrid formalisms), is to assume only continuous behavior of all variables, unless they are specifically altered by assignment transitions. For some hybrid descriptions of physical behavior, however, it is convenient that certain variables can also behave discontinuously. Take, for example, the electrical circuit depicted in figure 4, in which a switch steers the voltage over a resistor-capacity combination.

[Fig. 4. An electrical circuit with a switch. Labels: v_e, R1, R2, C.]

For such a system, it is desirable to model the voltage over, and the current through the resistors (v_R1, v_R2, i_R1 and i_R2) as discontinuous functions of time. A possible hybrid automaton model for this circuit, is depicted in figure 5. Note, that there are arbitrary jumps modeled on the transitions, for the discontinuous variables (i.e. not for v_C!). This is necessary, because, without deeper analysis of the differential equations, we do not know what kind of discontinuities may occur. In order to avoid discontinuous behavior that violates the physical properties of the circuit, we may indicate in the hybrid automaton model, that the algebraic equations used to describe the electrical circuit are invariants. As an example of an undesired discontinuity, one should note that, when the switch closes, the current through the second resistor (i_R2) is determined completely by the source voltage v_e and the voltage over the capacitor v_C. The invariants make sure that no other assignments can be made to i_R2.

Now, in the case of higher index differential equations, the approach of using invariants to avoid undesired discontinuities breaks down. As an example, let us consider a system described by the following equations, in which z is a variable that may behave discontinuously: ẋ = z, ẏ = z, x = y. As before, an assignment to z that violates these equations is undesirable.
But the approach that is usually taken in hybrid automata theory, to take all algebraic equations to be invariants, does not work here. The choice of z is independent from the choice of x and y. Clearly, the system only can perform continuous behavior, if the value of z is reset immediately to zero. This, however, is insight obtained through analysis of the equations, and should therefore not be used when modeling a system. As far as we know, there is no solution in hybrid automaton theory for this problem. This is why we take a different approach regarding discontinuous behavior in HyPA.

[Fig. 5. A hybrid automaton modeling the electrical circuit. Labels as transcribed:
  jmp: v_R1, v_R2, i_R1, i_R2, i_C : R; act: close
  flow: v_C = C i_C; inv: i_R1 = i_R2, v_R1 = i_R1 R1, v_R2 = i_R2 R2, v_R1 = v_R2 + v_C, i_R2 = i_C
  flow: v_C = C i_C; inv: v_R1 = v_e, v_R1 = i_R1 R1, v_R2 = i_R2 R2, v_R1 = v_R2 + v_C, i_R2 = i_C
  jmp: v_R1, v_R2, i_R1, i_R2, i_C : R; act: open]

In HyPA, we recognize that differentiated variables can sometimes be discontinuous, and therefore, when modeling a differential equation or other flow predicate, we can indicate explicitly whether a variable is allowed to perform jumps before engaging in a flow. A flow predicate combined with such an indication is called a flow clause. The notation V P_f, that is formally introduced in the next section, shows a (flow) predicate P_f, defining which flows are allowed by the clause, while the set V denotes which variables are not allowed to jump before engaging in a flow. If z is not allowed to jump initially (i.e. z V), we find deadlock for the higher index differential equations of the previous example when initially z 0. If it is allowed to jump (z V), only those discontinuities can occur for which a solution exists. Using this way of modeling, the electrical circuit of figure 4 could, using HyPA notation, be modeled as the process X in the following equation:

  X   v_C   v_C = C i_C, i_R1 = i_R2, v_R1 = i_R1 R1, v_R2 = i_R2 R2, v_R1 = v_R2 + v_C, i_R2 = i_C
      v_C   v_C = C i_C, v_R1 = v_e, v_R1 = i_R1 R1, v_R2 = i_R2 R2, v_R1 = v_R2 + v_C, i_R2 = i_C
      X.

Notice, that this is not a direct translation of the hybrid automaton. In HyPA, we do not need to give explicit names to the open and close actions, although we could if that were desired from a modeling perspective. Furthermore, it is not necessary to make a distinction between invariants and other flow predicates. In the electrical circuit, the only variable that is not allowed to jump is the voltage over the capacitor. An example in HyPA notation for the higher index system follows shortly.

Assignments in HyPA are modeled, not as a kind of atomic actions (as with hybrid automata), but as re-initializations of processes. These re-initializations can be used as well to model conditional execution of a process. The notation [V P_r] x, formally introduced in the next section, denotes that a process x is executed, but with the valuation of the variables changed according to the re-initialization predicate P_r. The set V contains, contrary to the notation of flow clauses, those variables that are allowed to change during a re-initialization. For example, an assignment of the value 1 to x, using an action a, under the condition that x is larger than 3 to begin with, is modeled as: [x x 3 x⁺ = 1] a. Note, that other variables are not allowed to change value while this action is executed. Some peculiar aspects of using re-initialization are discussed in section 2.2, and sometimes lead to unexpected axioms in section 3.

In the case of our higher index problem, it is possible using axiomatic reasoning, in combination with reasoning on the solutions of differential equations, to obtain the equivalence

  [z z⁺ 0]   z   ẋ = z, ẏ = z, x = y   δ,

reflecting that an assignment of a value other than 0 to z leads to deadlock, if z is not allowed to jump, and

  [z z⁺ 0]   ẋ = z, ẏ = z, x = y   ẋ = z, ẏ = z, x = y

reflecting that such an assignment is immediately undone if z is allowed to jump. Please note, that this can only be derived if one has a way of calculating with flow-clauses and re-initialization clauses, which is outside the scope of this paper.

1.6 Drawbacks

At first sight, there seem to be two major drawbacks to our method. The first drawback, is that we need a kind of bisimilarity that takes into account the valuation of all variables, in order for it to be a congruence for parallel composition. However, this does not render the whole theory useless, because the same method of requiring compatibility of processes that was used in [17] in order to define parallel composition, can be used in HyPA to guarantee congruence of parallel composition under a weaker notion of equivalence (like the one used in [17]), and furthermore, we give an axiomatization for our notion of equivalence that allows elimination of the parallel composition from closed process terms, so that weaker notions of equivalence can be used for analysis of processes after applying this elimination.

The second drawback, is that some of the axioms become rather confusing due to the discontinuities that may be possible in some of the variables of a differential equation. This can be helped, as we show in section 3, by simply requiring all variables to be continuous, as in hybrid automata. So, in conclusion, the theory is not more difficult or cumbersome, if we model processes under the usual restrictions. In fact, as we indicate in section 4.1, we expect that HyPA is a conservative extension of hybrid automata, although we do not give a formal proof of this claim. Furthermore, we have new constructs to our disposition that are not available, yet, in other hybrid formalisms, at the cost of having to use more difficult axioms.
Lastly, we have to note that the hybrid process algebra we present is not concerned with any form of abstraction so far, because experience with normal process algebra shows that abstraction is a difficult topic to study algebraically, and we expect it to be convenient, that the basic theory is worked out first [41]. On the other hand, hybrid χ does contain an operator that allows for the hiding of model variables (although there is no axiomatization for it yet), and also the hybrid process algebra of Bergstra and Middelburg [13] has a form of abstraction from model variables. Since the semantics of these languages are comparable to that of HyPA, we expect that it is possible to develop a similar abstraction operator for our language, and hopefully to find a way to reason about it algebraically.

1.7 Structure of this paper

In section 2.1, the syntax of HyPA is presented, describing how the process algebra ACP [7] is extended with a constant for termination, the so-called disrupt operator, known from LOTOS [8], and variants of the two types of clauses from [2], representing continuous and discontinuous behavior. In section 2.2, a hybrid transition system semantics is defined in the style of [40], in which continuous behavior is synchronizing, and discrete behavior is interleaving. Section 3 is devoted to an axiomatization of HyPA, for a notion of bisimilarity [42]. In this section, also the formal relation with ACP is discussed, and a set of basic terms is given into which closed HyPA terms can be rewritten. In section 4, we give an informal comparison of HyPA with other hybrid formalisms. We conclude by giving our own views on the work presented, and by making suggestions for future research.

2 Hybrid Process Algebra

2.1 Syntax

In this section, the syntax of HyPA is introduced, which is an extension of the process algebra ACP [7,43], with the disrupt operator from LOTOS [8] and with variants of the flow clauses and re-initialization clauses from the event-flow formalism introduced in [2]. The signature of HyPA consists of the following constant and function symbols:

(1) deadlock δ,
(2) empty process ɛ,
(3) discrete actions a A,
(4) flow clauses c C,
(5) a family of process re-initialization operators (d ) d D,
(6) alternative composition,
(7) sequential composition,
(8) disrupt and left-disrupt,
(9) parallel composition, left-parallel composition, and forced-synchronization,
(10) a family of encapsulation operators ( H ( )) H A.

The atomic process terms δ (called deadlock) and ɛ (called empty process) are used to model a deadlocking process and a (successfully) terminating process, respectively.

The atomic discrete actions are used to model discrete, computational behavior. The set A of discrete actions is considered a parameter of the theory and can be instantiated at will by the user of our hybrid process algebra.

An atomic flow clause, is a pair V P_f of a set of model variables V V_m, signifying which variables are not allowed to jump at the beginning of a flow, and a flow predicate P_f P_f modeling continuous, never terminating, physical behavior. The set of all flow clauses is denoted C. We usually leave out the brackets for V, and even omit it (and the delimiter) if it is empty. Furthermore, the set C is closed under conjunction ( ) of flow clauses, and using the assumption that there is a flow predicate false, which is never satisfied, there is also a flow clause false, which is the system theoretic equivalent of deadlock δ. In section 3, this equivalence is captured in the axiom false δ.

A process re-initialization d p models the behavior of p where the model variables are submitted to a discontinuous change as specified by the re-initialization clause d. A re-initialization clause is a pair [V P_r] of a set of model variables V V_m and a re-initialization predicate P_r. The set V models which variables are allowed to change. Note that this is precisely opposite to flow clauses, where V denotes those variables that do not change. The set of all re-initialization clauses is denoted D. The set D is closed under conjunction ( ), disjunction ( ), and concatenation ( ) of re-initialization clauses. Also, there is a satisfiability operator (d?) on clauses d D, which does not re-initialize the values of a model variable, but only executes the re-initialized process, if d can be satisfied in some way.
And finay, there is a re-initiaization cause (c jmp ) derived from a fow cause c C, which executes the same discontinuities that are aowed initiay by the fow cause. These ast two operators turn out to be especiay usefu when cacuating with process terms. Using the assumption that there are re-initiaization predicates fase and true, we find the process re-initiaization [fase] p, executing no behavior since there is no re-initiaization satisfying fase, the process re-initiaization [true] p, executing exacty the behavior of p, since none of the variabes is aowed to change, and the process re-initiaization [V m true] p, executing p after an arbitrary re-initiaization. The aternative composition p q modes a (non-deterministic) choice between the processes p and q. The sequentia composition p q modes a sequentia execution of processes p and q. The process q is executed after (successfu) termination of the process p. We use the notations and for aternative and sequentia composition, rather than the usua + and, to avoid confusion 15

16 with the notation used frequenty in the description of fow and re-initiaization predicates for addition and mutipication. We reaize that this might distract peope in the fied of process agebra, yet chose to adapt the process agebraic notation rather than the notation adopted from system theory, simpy because the atter has been in use for a onger time aready. Overoading the operators is aso an option, since it is aways cear from the context whether for exampe addition or choice is intended. When studying HyPA as a new process agebra, as is done in this paper, overoading is probaby to be preferred indeed, as it hardy hampers the search for process agebraic properties. However, when studying hybrid modes in HyPA, and performing anaysis using axioms from both process agebra and system theory in the same proofs, the overoading becomes more of a burden. Furthermore, when presenting these modes to other hybrid researchers who are often not famiiar with process agebra at a, this effect is even stronger. The disrupt p q modes a kind of sequentia composition where the process q may take over execution from process p at any moment, without waiting for its termination. This composition is invauabe when modeing two fow causes executing one after the other, since the behavior of fow causes is ongoing, and never terminates. The disrupt is originay introduced in the anguage LOTOS [8], where it is used to mode for exampe exception handing. Aso, it is used, for exampe in [44], for the description of mode switches. The eftdisrupt is mainy needed for cacuation and axiomatization purposes, rather than for modeing purposes. For exampe, it occurs often when we attempt to eiminate the parae composition from a process term through axiomatic reasoning, as described in section 3. The eft-disrupt p q first executes a part of the process p and then behaves as a norma disrupt. The parae composition p q modes concurrent execution of p and q. 
The intuition behind this concurrent execution is that discrete actions are executed in an intereaving manner, with the possibiity of synchronization (as in ACP, where synchronization is caed communication), whie fow causes are forced to synchronize, and can ony synchronize if they accept the same soutions. The synchronization of actions takes pace using a (partia, commutative, and associative) communication function γ A A A. For exampe, if the actions a and a synchronize, the resuting action is a = aγa. Actions cannot synchronize with fow causes, and in a parae composition between those, the action executes first. This communication function is considered a parameter of the theory. As with the eft-disrupt, the operators eft-parae composition and forcedcommunication are mainy introduced for cacuation purposes. The eft-parae composition p q modes that either p performs a discrete action first, and then behaves as a norma parae composition with q, or p cannot perform such an action, and the process deadocks. The forced-synchronization p q modes 16

17 how the first behavior (either a discrete action or a part of a fow) of p and q is synchronized, after which they behave as in a norma parae composition. If synchronization is not possibe, then the forced-synchronization deadocks. Encapsuation H (p) modes that certain discrete actions (from the set H A) are bocked during the execution of the process p. This operator is often used in combination with the parae composition to mode that synchronization between discrete actions is enforced. From the signature of HyPA, terms can be constructed using variabes from a given set of process variabes V p (with V p V m = ), as usua. In this paper, the set of a such terms is denoted T (V p ) and these are referred to as terms or open terms. Terms in which no process variabes occur are caed cosed terms. The set of a cosed terms is denoted T. Finay, a the processes shoud be interpreted in the ight of a set E of recursive definitions, caed recursive specification, of the form X p, where X is a process variabe and p is a term. We denote the set of a process variabes that occur in the eft-hand side of a recursive definition from E by V r (V r V p ) and ca these variabes recursion variabes. We ony aow recursive definitions X p where the term p ony contains recursion variabes. Outside the recursive specification, recursion variabes are treated as constants of the theory. Recursion is a powerfu way to mode repetition in a process. We use X p for recursion rather than X = p in order to avoid confusion with equaity as used in many syntaxes for describing fow and re-initiaization predicates. The set T (V r ) denotes the set of a terms in which ony recursion variabes are used. Such eements are referred to as process terms. The binding order of the operators of HyPA is as foows:,,, d,,,,, where aternative composition binds weakest, and sequentia composition binds strongest. With encapsuation ( H ( )), brackets are aways used. 
As an exampe, a term d a b c c shoud be read as (d (a b)) (c c ). 2.2 Forma Semantics In this section, we give a forma semantics to the syntax defined in the previous section, by constructing a kind of abeed transition system, for each process term and each possibe vauation of the mode variabes. In this transition system we consider two different kinds of transitions: one associated with computationa behavior (i.e. discrete actions), and the other associated with physica behavior (i.e. fow causes). This is why we ca those transition systems hybrid. 17

Definition 1 (Hybrid Transition System) A hybrid transition system is a tuple X,A, Σ,,,, consisting of a state space X, a set of action labels A, a set of flow labels Σ, and transition relations X A X and X Σ X. Lastly, there is a termination predicate X.

For the semantical hybrid transition systems that are associated with HyPA terms, the state space is formed by pairs of process terms and valuations of the model variables, i.e. X = T (V r ) Val. The set of action labels is formed by pairs of actions and valuations, i.e. A = A Val, and the set of flow labels is formed by the set of flows, i.e. Σ = F. Recall that the elements f F have a closed-interval domain, possibly a singleton, starting in 0.

a We use the notation x x for a transition (x,a,x ) with x,x X σ and a A. Similarly, we use x x for a transition (x,σ,x ) with σ Σ, and for arbitrary transitions, we use x x instead of (x,,x ) and A Σ. Finally, termination is denoted x instead of x.

Hybrid transition systems [38] can be used to model computational behavior through the use of action transitions, which take no time to execute, and to model physical behavior through the use of flow transitions, which represent the behavior of model variables during the passage of time. Note, that there is no variable in V m that is explicitly associated with time. Hence, if one would like to refer to time in a flow clause, one would have to include the model of a clock, using for example a flow clause like t ṫ = 1.

Before we turn to the actual definition of the semantics of HyPA in terms of hybrid transition systems, a notion of solution for flow clauses and re-initialization clauses is needed for the definition of the semantics of these atoms of the algebra. These notions are obtained by lifting the notion of solution of flow predicates and re-initialization predicates, while taking into account the influence of the variable set V.

A flow clause [V P f ] changes the valuation of the model variables according to the possible solutions of its flow predicate P f. In contrast to the flow predicates of [16], an initial jump in the value of a variable x, is allowed in HyPA when x V. Furthermore, discontinuous and non-differentiable flows of x may be allowed, if such solutions exists for the type of flow predicate that is used. The concept of solution of a flow clause, is lifted from the notion of solutions of its flow predicate as follows.

Definition 2 (Solution of a flow clause) A pair (ν,σ) Val F, is defined to be a solution of a flow clause c C, denoted (ν,σ) = c, as follows:
(ν,σ) = V P f if σ =f P f, and for all x V we find ν(x) = σ(0)(x);
(ν,σ) = c c if (ν,σ) = c and (ν,σ) = c.

Clearly, the flow clause false has no solutions, as the flow predicate false has no solutions.

A re-initialization clause [V P r ] changes the valuation of the model variables according to the possible solutions of its re-initialization predicate P r. The set V indicates the variables that are allowed to change their value. Whenever x V, the variable x is fixed. Note that this is precisely opposite to the use of V in flow clauses. We define the solutions of a re-initialization clause in terms of the solutions of a re-initialization predicate as follows.

Definition 3 (Solution of a re-initialization clause) A re-initialization (ν,ν ) R is defined to be a solution of a re-initialization clause d D, denoted (ν,ν ) = d, as follows:
(ν,ν ) = [V P r ] if (ν,ν ) = r P r and for all x V we find ν(x) = ν (x);
(ν,ν ) = d d if (ν,ν ) = d or (ν,ν ) = d ;
(ν,ν ) = d d if (ν,ν ) = d and (ν,ν ) = d ;
(ν,ν ) = d d if there exists υ Val with (ν,υ) = d and (υ,ν ) = d ;
(ν,ν ) = d? if ν = ν, and there exists υ Val with (ν,υ) = d ;
(ν,ν ) = c jmp if there exists σ Σ such that (ν,σ) = c and σ(0) = ν.

If we have two re-initialization clauses d,d D, the clause d d accepts exactly those solutions that are a concatenation of the re-initializations of d and d. The clause d? does not change the value of any of the variables, and only has a solution for those valuations for which d has a solution. The clause c jmp imitates the re-initializations performed initially by a flow clause c. Obviously, the re-initialization clause [false] has no solutions, while [V m true] has every possible re-initialization as a solution. Note, that [true] exactly allows all re-initializations that do not change any of the variable valuations.

The semantics of the HyPA constants and function symbols is given in the tables 1-5, using deduction rules in the style of [40]. In these tables p,p,q,q denote process terms, a,a,a denote actions, c denotes a flow clause, d denotes a re-initialization clause, H denotes a set of actions, X denotes a recursion variable, ν,ν,ν denote valuations, σ denotes a flow, t denotes a point in time, and denotes an arbitrary transition label.

In table 1, the semantics of the atomic processes, the flow clauses, and the process re-initializations is given. Rule (1) captures our intuition that ɛ is a process that only terminates. Analogously, the fact that there is no rule for δ, expresses that this is indeed a deadlocking process. Rule (2) expresses that discrete actions display their own name, and the valuation of the model variables on the transition label, but do not change this valuation. Changes in the valuation can only be caused by flow clauses and re-initialization clauses, as defined by rules (3) to (5).

Table 1 Operational semantics of HyPA
ɛ,ν (1) a,ν a,ν ɛ,ν (2) (ν,σ) = c, dom(σ) = [0,t] c,ν σ (3) c,σ(t) (ν,ν ) = d, p,ν (4) d p,ν (ν,ν ) = d, p,ν p,ν (5) d p,ν p,ν

Table 2 Operational semantics of HyPA, alternative and sequential composition
p,ν (6) p q,ν q p,ν p,ν p q,ν q p,ν p,ν p,ν p,ν (7) p,ν, q,ν p q,ν (8) p,ν p q,ν p,ν p q,ν (9) p,ν, q,ν q,ν (10) p q,ν q,ν

The semantics of the other operators is defined in tables 2, 3, 4, and 5. Rules (6) to (10), for alternative and sequential composition, are very similar to that of ACP. However, it is worth noting that we have chosen to model flow transitions as having the same non-deterministic interpretation as action transitions. This in contrast to many timed process algebras [45], where the passage of time (by itself) does not trigger a branching in the transition system. The reason for this way of modeling, is our intuition that continuous behavior (i.e. the passing of time) influences the valuation of the model variables, and can therefore introduce choices in the system behavior, just like discrete actions do. If, in the future, we develop operators to abstract from the variables that trigger those choices, we do not want the choices themselves to disappear, through some time-determinism mechanism. The argument for introducing time-determinism, that time is an external phenomenon that does not influence the state of a system, does in our opinion not hold for hybrid systems. Also, the hybrid automata of Henzinger [16], and most other hybrid automata approaches that we know of, are time-non-deterministic, supposedly for the same reasons.

Interestingly, in [13] a time-deterministic approach to hybrid systems is chosen (clearly, they disagree with the above arguments), while in hybrid χ [11] operators are introduced for both. Models in the language hybrid χ, therefore, might show the difference between the approaches. As far as we can tell, the time-deterministic operator is used most often when, for example, a controller makes a choice after some delay, indeed without specifying the dynamics during this delay. This is modeled as a time-deterministic choice between delaying actions. When modeling physical modes of a system, the non-deterministic choice operator is used. The physical behavior of a system can only be in one mode, even if a particular evolution is permitted in both modes. In other words, time-determinism plays a role on a higher level of abstraction than that which we aim for in HyPA.

Table 3 Operational semantics of HyPA, disrupt
p,ν (11) p q,ν p q,ν p,ν p q,ν p q,ν p,ν p q,ν p q,ν (12) q,ν p q,ν (13) q,ν q,ν p q,ν q,ν (14)

Rules (11) to (14) define the semantics of the disrupt operator and the left-disrupt operator. If we compare these rules to the rules for sequential composition, we see that the main difference, is the way in which termination is handled. Firstly, in a composition p q, the process q may start execution without p terminating. Secondly, if the process p terminates, the process p q may also terminate regardless of the behavior of q.

Rules (15) to (19) define the semantics of the parallel composition, and in these rules the difference between action transitions and flow transitions is most prominent. For actions, the interpretation of the parallel composition is the same as in ACP [7,43]. Discrete actions that are placed in parallel are interleaved, but can also synchronize using a (partial, commutative, and associative) communication function γ A A A. If a discrete action a communicates with an action a (this is the case if aγa is defined), the result is an action a = aγa. If flow clauses are placed in parallel, they always synchronize their behavior such that, intuitively, the flows that are possible in a parallel composition are a solution of both clauses.

Table 4 Operational semantics of HyPA, parallel composition
p,ν, q,ν (15) p q,ν p q,ν p,ν σ p,ν, q,ν σ q,ν (16) p q,ν σ p q,ν p q,ν σ p q,ν p,ν σ p,ν, q,ν (17) p q,ν σ p,ν q p,ν σ p,ν p q,ν σ p,ν p,ν a,ν p,ν p q,ν a,ν p q,ν q p,ν a,ν q p,ν p q,ν a,ν p q,ν (18) q p,ν σ p,ν p,ν a,ν p,ν, q,ν a,ν q,ν, a = a γ a p q,ν a,ν p q,ν p q,ν a,ν p q,ν (19)

Encapsulation, as defined by rules (20) to (22), only influences action transitions. This is not surprising, since, as mentioned before, the H ( ) operator is originally intended to model enforced synchronization in a parallel composition. Parallel composition, in general, may lead to interleaving actions and synchronized actions. The encapsulation operator is then used to block the interleaving actions. Flow transitions are already synchronized in the parallel composition, so there is no need for encapsulation of those.

Rules (23) and (24) model recursion in the same way as it was done in [7,43]. For a recursive definition X p, a transition for the variable X is possible, if it can be deduced from the semantical rules for the process term p.

Table 5 Operational semantics of HyPA, encapsulation and recursion
p,ν a,ν p,ν, a H H (p),ν a,ν H (p ),ν (20) p,ν σ p,ν H (p),ν σ H (p ),ν (21) p,ν H (p),ν (22) p,ν X,ν (23) X p E p,ν p,ν X,ν p,ν (24) X p E

2.3 Bisimilarity

In this section, we discuss the equivalence notion of bisimilarity [42], which is first defined on hybrid transition systems, and then lifted to process terms.

Definition 4 (Bisimilarity on hybrid transition systems) Given, a hybrid transition system X,A, Σ,,,, a relation R X X is a bisimulation relation if
for all x,y X such that x R y, we find x implies y ;
for all x,y X such that x R y, we find y implies x ;
for all x,x,y X such that x R y and A Σ, we find x implies there exists y such that y y and x R y ;
for all x,y,y X such that x R y and A Σ, we find y implies there exists x such that x x and x R y. x y
Two states x,y X are bisimilar, notation x y, if there exists a bisimulation relation that relates x and y.

In lifting this notion of equivalence on hybrid transition systems to process terms (and hence abstracting from valuations) we have to be careful. It is assumed that the model variables that are shared by the process terms to be related represent the same entity. Therefore, both process terms are only compared with respect to the same (arbitrary) initial valuation of the model variables. In order for the equivalence to be robust with respect to interference caused by processes executed in parallel, for all states that are reached by performing transitions, it is required that the contained process terms are related for all valuations that can be obtained through interference. This is what we call robustness of a relation. An interference can be modeled as a function ι : Val Val. Observe that we apply the same interference function to both variable valuations.

Definition 5 (Robust) A relation R (T (V r ) Val) (T (V r ) Val) is robust if for all p,ν, p,ν X such that p,ν R p,ν, and for all interferences ι Val Val, we find p,ι(ν) R p,ι(ν ).

Definition 6 (Robust bisimilarity) Two process terms p,q T (V r ) are robustly bisimilar, denoted p q, if there exists a robust bisimulation relation R (T (V r ) Val) (T (V r ) Val) such that p,ν R q,ν for all valuations ν Val.

If two process terms are robustly bisimilar, then they describe equivalent transition systems, hence they describe the same process. In appendix B, we show that the notion of robust bisimilarity given here coincides with the notion of bisimilarity (also called stateless bisimilarity) used in [46]. We adapted the definition, because it separates the idea of interference from the notion of bisimilarity. In the next section, we discuss an axiomatization of robust bisimilarity for HyPA. First, however, we give two examples of modeling in HyPA, in order to strengthen the intuition on its syntax and semantics.

2.4 Example: Steam Boiler

This section is intended to illustrate the use of HyPA for modeling hybrid systems. The process below, is a model of the celebrated benchmark problem of the steam boiler [47]. For reasons of brevity, the problem is simplified considerably. It is not our intention to give a comparison with other models of the steam boiler here. We only want to give a feeling for the syntax and semantics of the language. The text below, explains shortly what the given model consists of.

Fig. 6. The steam boiler

The boiler process, as depicted in figure 6 consists of a water level w, an in-flow of water v and a steam production s. This steam production is determined by the Heater process, which limits it between the constants s min and s max. The in-flow is determined by a Valve process, which can be opened or closed using the actions ro and rc respectively. If the valve is open, the in-flow to the boiler is v in. If it is closed, the in-flow is 0. Furthermore, there is a Controller, that every T seconds interferes with the valve, by telling it to open or close using the actions so and sc. The goal of this controller, is to keep the water level between the constants w min and w max. To do this safely, it takes a margin of w safe into account. The total system is the parallel composition of the Water process, the Heater, the two modes of the Valve, and the Controller, over which communication is enforced through the definitions op = ro γ so, c = rc γ sc, and H = {so,sc,ro,rc}:

Water w ẇ = v s,
Heater s min s s max,
ValveOpen v = v in rc ValveClose,
ValveClose v = 0 ro ValveOpen,
[ ] ] Controller t t + = 0 t ṫ = 1 [t t T = T ] [w w max w safe sc Controller ] [w min + w safe w w max w safe Controller, ] [w w min + w safe so Controller
Boiler H (Water Heater (ValveOpen ValveClosed) Controller).

In the next section, we discuss an axiomatization of HyPA that allows us to rewrite the Boiler process into a form in which all parallel compositions are eliminated.

2.5 Example: Impact Control

In this section, we give another modeling example. This time, of a system in which the discontinuities are also governed by physical laws. Figure 7 shows a part of a component mounter, that places a component, modeled as a simple mass M c driven by a force f c, onto a printed circuit board (PCB), modeled as a mass M p, in connection with a spring-damper system K p,r p to reflect the flexibility of the board. From a hybrid point of view, mainly the moment of impact is interesting, because it can be modeled using laws of conservation of momentum.

Regarding the movement of the masses, two distinct phases can be recognized. In the one phase, where the component and the PCB do not touch, the movement of the component is determined by the force f c, while the movement of the PCB is determined by the internal force f p of the spring-damper system. In the other phase, where the component touches the PCB, the total of the forces is divided over the total of the masses. Note, that in one mode the velocities are not allowed to jump, while in the other mode they are. There seems to be a relation between this phenomenon and the loss of state described in [1], due to dependencies between masses or other energy storing elements.

Fig. 7. Schematic Model of the Impact Process

Also note, that we use a left-disrupt rather than a disrupt operator, in order to make the definition guarded. This is explained in section 3. We find the following model for the movement of the masses:

h c h p f c M p f p M c f c = M c v c h c = h p h M c,v c h c f p = M p v p f c + f p = M c v c + M p v p M. h p,v p h p ḣ c = v c ḣ c = v c ḣ p = v p ḣ p = v p

Of course, the force on the PCB is determined by the spring-damper system. This is modeled by the following process:

SD h p f p = K p h p R p v p.

The model of movement, however, needs to be restricted, since during the collision very wild jumps in the velocities are possible. We need to pose laws for the conservation of momentum, and the conservation (or rather the decrease) of energy in the system. The following process models that the change in total momentum p depends on the total force on the masses, while this total momentum is not allowed to jump. The total momentum is the derivative of the total energy e in the system, and the total energy may only decrease during jumps:

[ ] ṗ = f c + f p E e e + e p ė = p E. p = M c v c + M p v p

The total model of the component mounter then becomes M SD E. One of the problems we are faced with at the moment, is to find a suitable controller for this process, steering the force f c in such a way that the total play of forces and the change in velocity at impact, never become such that the component cracks. In other words, to find a process C such that M SD E C has some desired safety properties. This is a topic for future research.

3 Algebraic Reasoning in HyPA

The strength of the field of process algebra, lies in its ability to use equational reasoning for the analysis of transition systems, or, more precisely, for the analysis of equivalence classes of transition systems, called processes. In this section, we show that this equational reasoning is also possible in HyPA. In the previous section, a notion of bisimilarity was defined on process terms, reflecting equivalence of the underlying hybrid transition systems. We study properties of this equivalence, and capture those properties in a set of derivation rules and a set of axioms on the algebra of process terms. Together with a principle for guarded recursion, this forms a proof system in which every derived equality on process terms represents equality of the underlying hybrid transition systems. In other words, process terms that are derivably equal, describe transition systems in the same equivalence class, and hence describe the same process.

This section is split up in four parts. In the first part, we give a formal axiomatization of robust bisimilarity, and we treat the intuition behind the axioms, and the insights they provide us with. In the second part, we prove soundness of this axiomatization. In the third part, we discuss a specification principle that is used for reasoning about recursion, and in the fourth part, we show a few useful properties of our axiomatization, like a conservativity theorem with respect to the process algebra ACP and a rewrite system for rewriting closed terms into a normal form.

3.1 Axiomatization

In this subsection, we give the axiomatization of robust bisimilarity in HyPA. In table 6, we give a set of derivation rules, and throughout this subsection we give a set of axioms that, to a large extent, capture the notion of robust bisimilarity. We write HyPA E p q, if we can derive equivalence of p and q using those axioms and recursive definitions from a set E.

Definition 7 (Derivation) Let E be a set of recursive definitions over a set of recursion variables V r. We write HyPA E p q to indicate that equivalence of (open) terms p and q can be derived from our axiom system and the recursive definitions from E. We define that equivalence can be derived according to the rules given in table 6. In this table, p,p i,q,q i,r denote terms, d,d denote re-initialization clauses, and c,c,c denote flow clauses. In cases where there can be no confusion as to the set of recursive definitions that is intended, we write instead of E.

Table 6 Derivation rules of HyPA
HyPA E p p (1) HyPA E p q HyPA E q p (2) HyPA E p q, HyPA E q r (3) HyPA E p r HyPA E p q, S : V p T (V p ), dom(s) V r = (4) HyPA E S(p) S(q) O an n-ary HyPA operator, 1 i n HyPA E p i q i (5) HyPA E O(p 1,...,p n ) O(q 1,...,q n ) ν,ν (ν,ν ) = d iff (ν,ν ) = d HyPA E d x d x (6) ν,σ (ν,σ) = c iff (ν,σ) = c HyPA E c c (7) p q is an axiom or a recursive definition (8) HyPA E p q ν,σ (ν,σ) = c implies (ν,σ) = c ν,ν,σ (ν,ν ) = d and (ν,σ) = c imply (ν,σ) = c HyPA E d c d c (9) c ν,σ (ν,σ) = c iff (ν,σ) = c or (ν,σ) = c HyPA E c (c c (10) ) c

In the remainder of this subsection, the axioms of HyPA, and the insight they provide regarding the operators of the language, are presented. Also, the intuitions behind derivation rules (9) and (10), are discussed. In each of the axioms, x,y,z denote arbitrary terms. The letters a,a denote actions, while c,c denote flow clauses and d,d denote re-initialization clauses. Unlike what is usual for ACP, one may not choose δ when a is written in an axiom.

The first five axioms, known as the axioms of basic process algebra [7], model properties of choice and sequential composition. Alternative composition is idempotent, because a choice between equals is not really considered a choice. Furthermore, it is associative and commutative. Sequential composition is only associative. Sequential composition right-distributes over alternative composition, but does not left-distribute since that would lead to a change in the moment of choice.

x y y x (x y) z x (y z) x x x (x y) z x z y z (x y) z x (y z)

Alternative composition and sequential composition have deadlock and the empty process, respectively, as a unit element, while deadlock is a left-zero element for sequential composition.

x δ x ɛ x x δ x δ x ɛ x

In fact, any flow-clause is a left-zero element of sequential composition, since flow-clauses do not terminate. This is a generalization of the previous axiom, recalling a previous remark that false is the system theoretic equivalent of deadlock. For many of the operators, the role of deadlock can be derived from the axioms on flow clauses. Often, however, we give the axiom for deadlock separately, for sake of clarity of the presentation.

c x c false δ

The disrupt operator, can only be axiomatized using the left-disrupt (see [44]).

x y x y y

For the left-disrupt, we find the following axioms, that reflect a kind of associativity, and right-distribution over the alternative composition. Deadlock is a left-zero, but a right-unit element of the left-disrupt. Also, there are two axioms formalizing the relation between sequential composition and left-disrupt. The last of these axioms reflects that, if the left argument of the left-disrupt does not terminate, then sequential composition distributes over left-disrupt.

Derivation rules (9) and (10), which also deal with the left-disrupt, are discussed at the end of this section.

(x y) z x (y z) (x y) z x z y z δ x δ x δ x a x y a (x y) ɛ x ɛ (x δ y) z x δ y z

The axiomatization of parallel composition relies on the axiomatization of the left-parallel composition and the forced-synchronization operator.

x y x y y x x y

Regarding the left-parallel composition and the forced-synchronization, we find the following axioms that describe associativity and commutativity properties. The axioms also describe how all independent behavior of parallel composition is executed by the left-parallel composition, while synchronization amongst actions, amongst flow-clauses and between termination and flow-clauses is executed by the forced-synchronization operator. Note, that this corresponds to the choice made in [48], and is subtly different from the way parallel composition is treated in [7]. For the forced-synchronization operator, we find termination if both the left and the right process terminate. Termination cannot synchronize with actions, and therefore leads to deadlock. Actions a and a may synchronize by producing an action aγa if this action is defined, and otherwise the forced-synchronization results in deadlock. Termination may occur before flow behavior executes, actions and flows cannot synchronize, and flows always must synchronize.

ɛ x δ x ɛ x a x y a (x y) (x y) z x z y z c x y δ (x y) z x (y z) δ x δ (x y) z x (y z) ɛ ɛ ɛ x y y x δ x δ (x y) z x z y z ɛ c x c x (x y) z x (y z) ɛ a x δ

a x b y (aγb) (x y) if (aγb) defined a x b y (aγb) (x y) if (aγb) undefined a x c y δ x c y c x c y (c c y c x ) x c y y c x

Notice, that the axioms on left-disrupt, left-parallel composition and forced-synchronization may be used to prove additional equalities, such as (x y) z x (y z), x y y x, and (x y) z x (y z).

As usual, encapsulation of actions distributes over all operators, except over parallel composition, left-parallel composition and forced-synchronization.

H (c) c H (ɛ) ɛ H (δ) δ H (a) a if a H H (x y) H (x) H (y) H (x y) H (x) H (y) H (x y) H (x) H (y) H (a) δ if a H

Finally, we should pay attention to the re-initialization operator. There are re-initialization clauses [true], serving as a unit element, and [false], serving as an equivalent for deadlock. Deadlock itself is a zero-element. Furthermore, subsequent re-initializations can be concatenated using the operation, and a flow-clause c has an implicit re-initialization c jmp, modeling spontaneous re-initializations following from initial value problems as described in, for example, [1]. The re-initialization operator distributes over most other operators from HyPA, except over the parallel composition and the forced-synchronization.

With respect to termination, re-initialization has peculiar behavior. Because a re-initialization d is executed at the beginning of the first transition of a process, while termination does not perform a transition, the actual re-initialization never takes place. Nevertheless, before the termination takes place, it is evaluated whether the re-initialization has a possible solution, which is reflected in the use of the satisfiability operator d? in some of the axioms. This peculiar behavior for termination, is visible in one of the distribution axioms for sequential composition.
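The clause forms of Definition 3 can be evaluated directly when the set of valuations is finite. The following Python sketch is an added example, not code from the paper; the two variables x and y, the value domain 0..3 and all function names are assumptions made here, and the clause c jmp is left out because it needs a model of flows.

```python
from itertools import product

# Constructed finite model: two model variables over a small integer domain,
# so that the set Val of all valuations can be enumerated.
VARS = ("x", "y")
DOMAIN = range(4)
VAL = list(product(DOMAIN, repeat=len(VARS)))  # a valuation is a tuple ordered like VARS


def named(nu):
    """View a valuation tuple as a dict from variable name to value."""
    return dict(zip(VARS, nu))


def reinit(V, pred):
    """Solutions of [V | P_r]: pred(nu, nu') holds and every variable
    outside V keeps its value (V lists the variables allowed to change)."""
    fixed = [i for i, name in enumerate(VARS) if name not in V]
    return {
        (nu, nu2)
        for nu in VAL
        for nu2 in VAL
        if all(nu[i] == nu2[i] for i in fixed) and pred(named(nu), named(nu2))
    }


def disj(d1, d2):
    """Disjunction: a solution of either clause."""
    return d1 | d2


def conj(d1, d2):
    """Conjunction: a solution of both clauses."""
    return d1 & d2


def concat(d1, d2):
    """Concatenation: d1 reaches an intermediate valuation from which d2 continues."""
    return {(nu, nu2) for (nu, mid) in d1 for (start, nu2) in d2 if mid == start}


def sat(d):
    """Satisfiability d?: leaves nu unchanged, defined only where d has a solution."""
    return {(nu, nu) for (nu, _) in d}


def satisfiable_at(d):
    """Valuations from which clause d has at least one solution."""
    return {nu for (nu, _) in d}


FALSE = reinit(set(), lambda n, m: False)               # [false]
TRUE = reinit(set(), lambda n, m: True)                 # [true]
ANY = reinit(set(VARS), lambda n, m: True)              # [V_m | true]
# [x | x+ = x + 1]; it has no solution at x = 3 only because the
# constructed domain stops at 3.
INC = reinit({"x"}, lambda n, m: m["x"] == n["x"] + 1)
LOWER = reinit({"x"}, lambda n, m: m["x"] < n["x"])     # [x | x+ < x]

if __name__ == "__main__":
    print("[false] has", len(FALSE), "solutions")
    print("[true] is the identity on Val:", TRUE == {(nu, nu) for nu in VAL})
    print("[V_m | true] has", len(ANY), "solutions out of", len(VAL) ** 2)
    # An assignment to x conjoined with [true] (no variable may change) is unsatisfiable.
    print("[x | x+ = x+1] and [true] equals [false]:", conj(INC, TRUE) == FALSE)
    # [true] is a unit for concatenation.
    print("[true] concatenated with d is d:", concat(TRUE, INC) == INC)
    # d? only tests: x cannot be lowered when it is already 0.
    print("valuations where [x | x+ < x]? applies:", sorted(satisfiable_at(sat(LOWER))))
```

Representing a clause as its set of solution pairs makes conjunction an intersection and concatenation a relational composition, which is why a conjunction of an assignment with [true] collapses to [false].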

[true] x x [false] x δ d δ δ d (x y) d x d y (d a) x d a x (d c) x d c d d x (d d ) x (d ɛ) x d? x d x d x (d d ) x (d x) y d x y c jmp c c (d x) y d x y H (d x) d H (x)

Using reasoning on re-initialization clauses, we find that ([true] [true]) x [true] x. A trivial consequence of this is, for example, the equality x x x, which was stated before as an axiom from basic process algebra, but can also be derived from the axioms on re-initialization and alternative composition. Again, using reasoning on re-initialization clauses, we find that [true] x [true]? x, and we may derive another axiom from basic process algebra: ɛ x x. As mentioned before, re-initialization does not distribute over forced-synchronization. Because of this, many of the axioms given before for forced-synchronization have to be repeated in the light of re-initializations. In some of these axioms, termination plays its peculiar role again.

d ɛ d ɛ (d? d? ) ɛ d ɛ d a x δ d a x d a y (d d ) (aγa ) (x y) d a x d a y δ d ɛ d c x (d? d ) c x d c x d a y δ d c x d c y ((d c jmp ) (d c jmp)) x c y (c c y c x ) x c y y c x if aγa defined if aγa undefined

Termination only takes place if both re-initializations are satisfiable, independent of each other. If synchronizing actions are re-initialized, both re-initializations should be satisfied, i.e. both processes should agree on the change of

valuation. In particular, if aγa = a, and a is re-initialized by an assignment $x^+ = x + 1$, we find

[x x + = x + 1] a a [x x + = x + 1] a [true] a ([x x + = x + 1] [true]) (aγa ) [false] (aγa ) δ.

The action a does not allow any changes in the variables. In the calculation, this is reflected in the fact that [true] does not allow any changes in valuations. A deadlock is the result of this disagreement between the re-initializations of a and a. Re-initialization shows a clear distinction between the way in which termination behaves in parallel to actions and in parallel to flows. Since actions cannot synchronize with termination, we find that termination (with a possible re-initialization) is delayed, i.e. d a d ɛ d a d? ɛ, while termination must take place before a flow is executed, hence d c d ɛ d? d c. The axiom in which flows synchronize after re-initialization is quite complicated due to our decision to make it possible for flow clauses to perform spontaneous re-initializations. When synchronizing, these flow clause re-initializations should be taken into account. If we restrict ourselves to flow clauses in which all variables are continuous, and are not allowed to jump (as is done in hybrid automata for example), i.e. clauses of the form V m P f, we find the equality

d c x d c y (d d ) (c c ) ( x c y y c x x c y y c x ),

which is more in line with the intuition that both re-initialization clauses and flow clauses are synchronized. The proof of equality relies on the observation that, in case of continuity, c jmp = c? jmp (no jumps, hence only satisfiability) and (d 0 d? 1) (d 0 d 1? ) = (d 0 d 0) (d? 1 d 1? ).

Derivation rule (9) in table 6 expresses how a process re-initialization can restrict the choice for the first transition of a flow clause. A useful application of this rule is in recognizing a particular solution of a differential equation given a certain initial condition. For example, consider the flow clause x,t ẋ = x ṫ = 1.
Clearly, $x = e^t$ is a solution of the differential equation ẋ = x, and if initially t = 0 and x = 1, this solution is unique. Using derivation rule (9), we now find the following equivalence:

x t x t x + = 1 x ẋ = x t + = 0 t ṫ = 1 x + = 1 x x = e t t + = 0 t ṫ = 1 x ẋ = x t ṫ = 1.

Note that t and x are both not allowed to jump. Otherwise, the flow clauses in this example might execute undesired re-initializations. Derivation rule (9) also expresses the repetitive character of flow clauses. This is illustrated using

d = [true] and c = c. We then find the equivalence c c c. Derivation rule (10) also expresses this repetitive character. This is illustrated by taking c = c = c; we then find again c c c. Furthermore, derivation rule (10) expresses that if we can divide a flow clause c into two (possibly overlapping) clauses c and c, then the first transition taken by c can be mimicked by either c or c. An application of this rule is that a solution of a flow clause can be split off even if there is no re-initialization. For example, the flow clause $\dot{x} = 3x^{2/3}$ $\dot{t} = 1$ contains a set of differential equations with solutions $x = 0$ and $x = t^3$, if initially x = 0 and t = 0. However, for other initial conditions, other solutions are possible. Using derivation rule (10), we find the following equality, which describes exactly that $x = 0$ and $x = t^3$ are two possible trajectories of this flow clause:

ẋ = 3x 2 3 ṫ = 1 x = 0 ṫ = 1 ẋ = 3x 2 3 ẋ = 3x 2 3 ṫ = 1 ṫ = 1 x = 0 ṫ = 1 x = t 3 ṫ = 1 ẋ = 3x 2 3 ẋ = 3x 2 3 ṫ = 1 ṫ = 1 ẋ = 3x 2 3 ṫ = 1 x = 0 ṫ = 1 ẋ = 3x 2 3 ṫ = 1 x = t 3 ṫ = 1 ẋ = 3x 2 3 ẋ = 3x 2 3 ṫ = 1 ṫ = 1 ẋ = 3x 2 3 ṫ = 1 ẋ = 3x 2 3 ẋ = 3x 2 3 ṫ = 1 ṫ = 1 x = 0 ṫ = 1 ẋ = 3x 2 3 ṫ = 1 x = t 3 ṫ = 1 ẋ = 3x 2 3 ṫ = 1 ẋ = 3x 2 3 ṫ = 1 x = 0 ṫ = 1 x = t 3 ẋ = 3x 2 3 ṫ = 1 ṫ = 1.

Note that, in contrast to the example for derivation rule (9), we do not need to require that x and t do not jump.
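The agreement check behind the re-initialization calculation earlier in this section, as an added Python example that is not part of the paper: re-initialization clauses are modelled as relations between valuations over a constructed finite domain, assuming that a clause lists the variables allowed to change and that all other variables keep their value. The helper names `clause`, `both`, `satisfiable` and `sync_termination` are hypothetical.

```python
from itertools import product

VARS = ("x",)       # model variables (constructed for this example)
DOMAIN = range(4)   # finite value range, so every relation can be enumerated


def clause(jump, pred):
    """Solutions of a re-initialization clause as a set of (before, after) pairs.

    jump: names of the variables that are allowed to change.
    pred: predicate over the valuation before (b) and after (a, the x+ values).
    Assumption of this model: variables outside 'jump' keep their value.
    """
    solutions = set()
    for before in product(DOMAIN, repeat=len(VARS)):
        for after in product(DOMAIN, repeat=len(VARS)):
            b, a = dict(zip(VARS, before)), dict(zip(VARS, after))
            frozen = all(a[v] == b[v] for v in VARS if v not in jump)
            if frozen and pred(b, a):
                solutions.add((before, after))
    return frozenset(solutions)


def both(d1, d2):
    """Changes of valuation on which two clauses agree (needed to synchronize actions)."""
    return d1 & d2


def satisfiable(d):
    """Valuations from which d has at least one solution (the d? check)."""
    return frozenset(before for before, _ in d)


def sync_termination(d1, d2):
    """Valuations in which two re-initialized terminations may terminate together:
    each clause only has to be satisfiable on its own."""
    return satisfiable(d1) & satisfiable(d2)


TRUE = clause((), lambda b, a: True)     # [true]: no variable may change
FALSE = clause((), lambda b, a: False)   # [false]: no solutions, i.e. deadlock
# x may jump with x+ = x + 1 (the domain is cut off at 3, so x = 3 has no successor)
INC = clause(("x",), lambda b, a: a["x"] == b["x"] + 1)
# x may jump to any larger value
GROW = clause(("x",), lambda b, a: a["x"] > b["x"])

if __name__ == "__main__":
    print("INC and [true] agree on:", sorted(both(INC, TRUE)))
    print("INC and GROW agree on:", sorted(both(INC, GROW)))
    print("joint termination from:", sorted(sync_termination(INC, TRUE)))
```

Synchronizing the two actions needs a change of valuation that satisfies both clauses, which does not exist for `INC` and `TRUE`, while joint termination only asks that each clause is satisfiable by itself.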
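A numerical check of the flow clause from the derivation rule (10) example, added here and not taken from the paper: it verifies that x = 0 and x = t^3 both satisfy ẋ = 3x^(2/3) from x = 0, t = 0, and goes beyond the text by also checking the delayed trajectories max(0, t - a)^3, a non-solution, and a forward-Euler integration of the vector field. The function names, step sizes and tolerances are assumptions of this example.

```python
def rhs(x):
    # Real-valued 3*x^(2/3), written as 3*(x^2)^(1/3) so negative x stays real.
    return 3.0 * (x * x) ** (1.0 / 3.0)


def residual(x_of_t, horizon=2.0, samples=200, h=1e-6):
    """Largest |dx/dt - 3*x^(2/3)| over sample times in [0, horizon].

    dx/dt is estimated with a central difference, so the candidate trajectory
    is checked against the differential equation without trusting a
    hand-written derivative.
    """
    worst = 0.0
    for k in range(samples + 1):
        t = horizon * k / samples
        dxdt = (x_of_t(t + h) - x_of_t(t - h)) / (2.0 * h)
        worst = max(worst, abs(dxdt - rhs(x_of_t(t))))
    return worst


def is_solution(x_of_t, tol=1e-5):
    """True if the trajectory starts in x = 0 and satisfies the flow predicate."""
    return abs(x_of_t(0.0)) < 1e-12 and residual(x_of_t) < tol


def zero(t):
    return 0.0


def cubic(t):
    return t ** 3


def delayed(a):
    # Rest in x = 0 until time a, then follow (t - a)^3.
    return lambda t: max(0.0, t - a) ** 3


def square(t):
    return t ** 2   # starts in x = 0 but does not satisfy the equation


def euler(x0, horizon=2.0, h=1e-3):
    """Forward Euler over the vector field: always yields exactly one trajectory."""
    x = x0
    for _ in range(int(round(horizon / h))):
        x += h * rhs(x)
    return x


if __name__ == "__main__":
    for name, traj in [("x = 0", zero), ("x = t^3", cubic),
                       ("delayed by 0.5", delayed(0.5)), ("x = t^2", square)]:
        print(f"{name:15s} solution: {is_solution(traj)}  residual: {residual(traj):.2e}")
    print("Euler from x = 0    ->", euler(0.0))
    print("Euler from x = 1e-9 ->", euler(1e-9))
```

Integrating the vector field from x = 0 only ever produces the constant trajectory, whereas the flow clause admits every trajectory accepted by `is_solution`.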

3.2 Congruence and soundness

It remains for us to show that robust bisimilarity is a congruence for all the operators of HyPA, and that all the derivations that can be made about process terms indeed lead to sound statements about the robust bisimilarity of these terms. In other words, we need to prove the following theorems.

Theorem 8 (Congruence) Robust bisimilarity is a congruence for all operators of HyPA.

PROOF. In appendix A, we sketch the proof of this theorem, by giving witnessing robust bisimulation relations. The proof for parallel composition is worked out in detail, since it relies on the notion of robustness against interference.

Theorem 9 (Soundness) If, for two process terms p and q, we find HyPA E p q then p q.

PROOF. As mentioned before, robust bisimilarity coincides with the notion of bisimilarity used in [46]. Hence, the result shown in appendix A of that report, that every derivation in HyPA is sound for bisimilarity, transfers to robust bisimilarity. In appendix C of this paper, we give a summary of that proof, adapted for robust bisimilarity. We also give a witness relation for soundness of the axiom (x δ y) z x δ y z, which was not in [46].

3.3 Recursion Principles

When reasoning about recursion, it is often useful to have a principle that claims that a solution of certain recursive specifications exists and is unique. That a solution exists follows directly from the operational semantics of HyPA, but it is not always clear that that particular solution is the only process satisfying the recursive equations. Let us first define what we mean by solution.

Definition 10 (Solution) Let E be a recursive specification. An interpretation S V r T (V r ) of recursion variables as process terms is a solution of E (denoted S = E) if for every recursive definition X p E we have S(X) S(p), where S(p) denotes the process term induced by application of S to the variables of p. In particular, S(X) is called a solution of X p E.

The recursive specification principle RSP, which is quite standard in process algebra [49], states that so-called guarded recursive specifications have at most one solution. For HyPA, guardedness of a recursive specification is defined as follows.

Definition 11 (Guardedness) An open process term p is guarded if all occurrences of process variables in p are in the scope of an action prefix a or a flow prefix c. A recursive specification E is guarded if for each recursive definition X p E, p can be rewritten into a guarded process term using the axiomatization of HyPA.

This leads to the principle given in table 7.

Table 7 Recursive Specification Principle

S = E, S = E, E guarded S(X) S (X) X V r

Theorem 12 The recursive specification principle is sound.

PROOF. This is proven in appendix D.

As an example, the process terms ɛ a d X and c (X Y ) are guarded, while the process terms c X and X a X are not. That unguarded recursive equations do not necessarily have a unique solution can be seen from the fact that the processes c and true are both solutions of the equation Y c Y, and also the equation Z Z a Z has multiple solutions, some of which even execute flow transitions! From RSP, it follows that the recursive specification X 1 ɛ a d X 2, X 2 c (X 1 X 2 ) has unique solutions for $X_1$ and $X_2$. Indeed, the fact that the disrupt operator is unguarded, while it occurs naturally in many models of hybrid systems, implies that some extra care needs to be taken during the modeling stage in order to ensure that calculation remains possible. For example, the Boiler process of section 2.4 may seem unguarded at first sight, but reasoning about the re-initialization clauses will show that the disrupt operator may be replaced by a left-disrupt, which makes the process guarded. In the model of the colliding masses, left-disrupt was used especially to guarantee guardedness of the definitions.
Another possible approach, that is not discussed in this paper, is to consider only the solution that is defined by the operational semantics of HyPA. The

solution of X X, for example, would be deadlock δ, while the solution of Z c Z is c. Also, the left-disrupts in the definitions of the colliding masses could be replaced by disrupts. The solution of the operational semantics is the same for both. Calculation with this view on recursion, however, is often more elaborate.

3.4 Conservativity and Rewriting

One of the things that can be concluded about HyPA, using the given axiomatization, is that it is a conservative extension of the process algebra ACP [7]. This illustrates that HyPA does not violate the general ideas behind this process algebra.

Theorem 13 (Conservativity) HyPA is a conservative extension of ACP (except for notational differences and ), meaning that for every two closed ACP terms p and q, we find that ACP p q if and only if HyPA p q.

PROOF. One direction of the proof, that derivations in ACP can be mimicked in HyPA, is based on the fact that all axioms of ACP can be derived in HyPA. The other direction relies on the construction of a relation that shows that if two closed ACP terms have robustly bisimilar semantics in HyPA, then they have bisimilar semantics in ACP. Completeness of ACP for bisimilarity then leads to the conclusion that derivably equal processes in HyPA also have a derivation showing equality in ACP. The complete proof of this claim can be found in [46].

Furthermore, like in ACP, it is possible to define a set of basic terms into which every closed term can be rewritten. These basic terms clearly show that the parallel compositions can be eliminated from all closed terms.

Definition 14 (Basic terms) A basic term is a closed term of the following form: N ::= d ɛ d a N d c N N N, where a A, c C, and d D.

Theorem 15 (Elimination) Every closed term is derivably equal to a basic term.

PROOF. In appendix E, a strongly normalizing rewrite system is given that achieves this, based (in principle) on reading the axioms as rewrite rules from

left to right, modulo the use of unit elements.

We conjecture that this elimination result can be extended to a linearization result, meaning that we expect to be able to rewrite a broad class of guarded recursive specifications of a HyPA process into a linear form in which we only use recursion over basic terms.

The usefulness of elimination of the parallel composition was already noted in the introduction. It was pointed out there that the notion of robust bisimilarity we use is very strong, because all possible valuations of the variables are taken into account at every point in time. Many weaker notions of equivalence, while still preserving interesting analysis properties, are not sensitive to the valuation of variables. Those equivalences, often, are not congruent for the parallel composition operator. Therefore, algebraic reasoning about those notions in the context of parallel composition becomes difficult. This is a known phenomenon in process theory, and it is caused by the possibility of interference in the value of shared variables (see for example [50]).

Many different solutions have been proposed, also in the field of hybrid systems. For example, in the hybrid automaton theory of [17], the authors propose a restriction (called compatibility of automata) on the systems that may be placed in parallel, to ensure that no interference occurs. This is a perfectly reasonable way of handling the problem, but it has the disadvantage that we have to add extra variables, if we want to model processes that intentionally interfere, like the control system shown in the introduction.

HyPA is, in principle, focussed on being general. We start out by using a very general parallel composition, that is defined for all possible processes, and necessarily end up with an equivalence that is very strong, but is at least a congruence for this composition. Now, the elimination result allows us to eliminate the parallel composition from the process description.
After elimination, we can start to use algebraic reasoning on a weaker notion of equivalence to analyse the specific properties we are interested in. This method may turn out to be less practical than the road followed by [17], because the elimination of parallel compositions can become quite cumbersome. On the other hand, it may also be possible to formulate derivation rules for reasoning about weaker notions of equivalence, that express a kind of conditional congruence under compatibility. In this way, other methods can be imported into HyPA.

As an example of rewriting into basic terms, we can rewrite the steam boiler system of the previous section into the following description, in which parallel

composition and encapsulation are eliminated:

Boiler Open Closed, Open d 0 c o (d 1 c Closed d 2 Open), Closed d 0 c c (d 2 Closed d 3 op Open), with [ ] d 0 t t + = 0, [ ] [ ] d 1 t = T w w max w safe, [ ] [ ] d 2 t = T w min + w safe w w max w safe, [ ] [ ] d 3 t = T w w min + w safe, c o t,w ṫ = 1 t T ẇ = v s s min s s max v = v in, c c t,w ṫ = 1 t T ẇ = v s s min s s max v = 0.

Notice that this rewriting is done here over a recursive definition, hence is an example of linearization of such process descriptions. Looking at the axiomatization, one might expect that $d_0, \ldots, d_3$ would contain clauses of the form $c_{jmp}$, but those (and other distracting terms) are eliminated using calculation on re-initialization clauses. Furthermore, looking at the original recursive definition, one might suspect that it is non-guarded, but again, calculation on the re-initialization clauses shows that the definition can be rewritten into a guarded one. Performing the actual elimination by hand is very cumbersome, and leads to a very long calculation, which we left out for reasons of space. Currently, tools are being developed for (partial) automation of such calculations. Using a preliminary version of one such tool, a mistake in the original calculation on the steam boiler was found already. Hence the difference between the result presented here and in [46].

One result that is missing, so far, is a proof that the given axiomatization is complete for robust bisimilarity of closed terms. I.e. a proof that for closed terms p and q, if p q then also HyPA p q. We do not exclude the possibility yet, modulo completeness of the logical equivalence of flow predicates and re-initialization predicates, but the fact that the number of flows that are a solution of a flow clause, and the number of valuation jumps that are a solution of a re-initialization clause may be infinite, complicates matters seriously.

4 Related Work

In this section, we compare HyPA, in an informal way, to hybrid formalisms that were previously developed.

4.1 Hybrid Automata

One of the most influential of all hybrid formalisms is the hybrid automaton formalism described by Henzinger [16]. These automata consist of nodes in which certain differential equations are active under an invariant, and of guarded transitions between those nodes that model discrete actions. For example, the steam boiler example could be modeled as the hybrid automaton depicted in figure 8. In the formal definitions of [16], a discrete action is associated with each and every transition. Note, however, that in the same paper there are several examples of hybrid automata with transitions without an associated action. We assume that this means that implicitly there is some special action, say τ, that does not have to synchronize with other events in case of parallel composition. The fact that, in HyPA, it is not necessary to add intermediate actions in order to switch between continuous behaviors, is one of the reasons why we believe that a translation of HyPA into hybrid automata is impossible in general. A translation of hybrid automata into HyPA, however, seems to be possible. A (part of a) general hybrid automaton is depicted in figure 9. Such an automaton is easily translated into a hybrid process algebraic term, using the following observations.

The flow predicate $P_f$ in a node of an automaton describes flows in a similar way as in HyPA. Only, in hybrid automata, all flows are continuous. Hence, we take $V = V_m$ and find the clause V m P f. Furthermore, since hybrid automata only allow differentiable solutions of flow predicates, we adopt that notion of solution for our flow predicates as well.

The invariant $P_i$ in a node is a predicate that can be used in a flow clause, but can also be transformed to be used in a re-initialization clause, since only variables from the set $V_m$ are used in it.
The semantics of hybrid automata contain a kind of look-ahead such that after a transition to a certain node, the invariant of that node must hold. Otherwise the transition cannot be taken. Translating this to HyPA means that in re-initializations the predicate $P_i^+$, of the next node, should hold. Recall that we have defined $P^+$ in section 2.2, as a transformation of a predicate P on $V_m$ in which every variable x is replaced by $x^+$.

Fig. 8. Example of a Hybrid Automaton Modeling a Steam Boiler

The transitions of hybrid automata contain actions a. In translation, those actions disrupt the flow clauses. Furthermore, the jump condition $P_j$ on a transition is translated into a re-initialization that acts on these actions. Again, we take $V = V_m$, and assume that it is specified in the jump condition which variables may change, and which remain constant.

In a hybrid automaton the initial states are indicated by the initial conditions. For each node X such an initial condition is given by means of a predicate $I_x$ over the model variables.

Using these observations, the more general automaton in figure 9 is translated

Fig. 9. General Example of a Hybrid Automaton

into

X HA V m P fx P ix [ I + x ] X [ I + y [ ] V m P jy P + a iy y Y, [ ] V m P jz P iz + a z Z ] [ ] Y I z + Z.

Of course, this is not a formal translation. The semantics of hybrid automata as given in [16] is one of timed transition systems, while the hybrid transition systems we use here are subtly different. We conjecture that it is possible to transform the flow transitions of the hybrid transition system into timed transitions, and the action transitions of the hybrid transition system into action transitions of a timed transition system, by abstracting away from all valuations. However, this is left as a subject for future research. The comparison with hybrid automata is merely intended to give an intuition on how the existing hybrid theories fit into our hybrid process algebraic framework.

4.2 Other Process Algebras

With respect to process algebras for hybrid systems, there are four related works that we must consider. One, hybrid CSP, was already introduced in 1994 by Jifeng [14]. The others, φ-calculus [15], hybrid χ [11], and $\mathrm{ACP}^{srt}_{hs}$

[13], are very recently introduced.

Hybrid CSP has a semantics in which each process represents a set of hybrid traces. Such a hybrid trace consists of a function of a continuous closed time domain to valuations, a function of that same domain to sequences (that gives the empty sequence except for on a finite set of time-points), and a few predicates (like termination). A system is then modeled in hybrid CSP, by giving a predicate that defines which traces are in the system. Comparable to the way that HyPA has atomic processes and operators, hybrid CSP has atomic predicates, and predicate operators. Apart from the fact that a trace semantics does not respect branching properties of a system, hybrid CSP also has the drawback that in parallel composition the continuous variables of the composed systems are assumed to be disjoint, and that assignments can only be made to programming variables, and not to continuous variables. We suspect, however, that these problems can be solved by defining new predicate operators, and that the author of [14] did not see the need for them at the time. Interestingly, there are operators defined in [14] whose function is not easily translated into HyPA. The main reason for this is that clocks need to be modeled explicitly in HyPA, while they are often a functional part of the operators of hybrid CSP. Again, we conjecture that HyPA can be extended with operators that mimic those of hybrid CSP, should the need arise.

The φ-calculus has a semantics based on timed transition systems, and given this, has a very interesting way of dealing with parallelism. As we already mentioned in the introduction, φ-calculus regards continuous behavior to be a property of the environment, rather than a property of the φ-calculus program. Execution starts with an empty environment and, while running the program, differential equations (or rather their vector-field equivalents) and invariants are added and replaced, by (in an interleaving manner) executing so-called environmental actions.
The upshot of this is that it is not necessary to require that parallel programs have distinct continuous variables, but still, the semantics of the parallel composition of φ-calculus does not coincide with our intuition that continuous behavior should simply satisfy both processes. Furthermore, because a vector-field is used as a representation of differential equations in the environment, φ-calculus can only handle differential equations with unique solutions (hence, not for example the equation $\dot{x} = 3x^{2/3}$). Also, the notion of equivalence that arises from using bisimilarity in combination with environmental actions, makes that only syntactically equal differential equations are actually considered equal. This is a drawback that might be solved by some kind of abstraction, but it still has an artificial feel to it. Comparing φ-calculus to HyPA, we may conclude that, due to (amongst others) the environmental action approach, not all HyPA processes can be translated into φ-calculus. Conversely, because the environmental actions of φ-calculus have a maximal progress semantics, φ-calculus programs cannot be translated into HyPA. This, however, can be solved by extending HyPA with an urgency

operator, as was done for χ and hybrid χ in [5,11].

As we mentioned already in the introduction, HyPA is developed in close cooperation with the researchers developing hybrid χ. Research on the language hybrid χ, as a modeling and simulation language for process control, started in 1982 [51], and has since been through many stages of development, including an extension with hybrid description constructs. In 2002 [5], a formal operational semantics, based on CSP rather than ACP, was defined for the discrete-time part of the language, and recently, a formal semantics has been given for the hybrid part as well [11]. It is interesting to see that many of the theoretical aspects of HyPA (like the use of hybrid transition systems), have been applied in the formal semantics of hybrid χ, while on the other hand, the future extensions of HyPA are very likely to be inspired by the modeling strengths of hybrid χ, including their abstraction operators and possibly the maximal progress operator. As research progressed, both languages seem to have evolved more and more towards each other, and it is not unthinkable that these paths ultimately converge.

In [13] a combination of the process algebra with continuous relative timing of [45] and the process algebra with propositional flows of [52], led to a (only subtly) different algebra, that is also suited for the description of hybrid systems. The development of this algebra and of HyPA has been largely independent, and it is surprising to see how many similarities exist between the two. Nevertheless, due to different starting points and intuitions, also some differences can be found. The process algebra of Bergstra and Middelburg [13], was intended to be a conservative extension of timed ACP, while HyPA was intended to be an extension of normal ACP.
This gives rise to the most important difference, in our opinion, between the two languages, which is that in [13], a time-deterministic setting was chosen (as it was discussed in section 2.2), while for HyPA time-non-determinism is assumed (which is more in line with the hybrid automaton approach [16]). As a matter of fact, in hybrid χ, two choice operators exist, one for each view on time. Another difference is that in [13], there was the intention to give an algebraic theory of hybrid automata, which leads to the modeling choice that switching between continuous behaviors can only take place through the use of discrete actions, while in HyPA switching can be arbitrary. This is illustrated by the fact that the passing of time during which physical behavior takes place is modeled explicitly in [13], while, for HyPA, time passing is implicit when writing down a flow clause.

4.3 Control Theory Formalisms

The formalisms used in control theory to describe hybrid systems can, from a HyPA point of view, be classified into two kinds. The first kind are formalisms regarding continuous time behavior, while the second kind regards time to evolve discretely. Roughly speaking, continuous time models can be translated into HyPA using flow clauses, while the discrete models can (amongst many other possibilities that we do not show here) be translated into re-initialization clauses, acting on a time-step process. Computational actions and sequential compositions of processes only occasionally play a role in control theory. Mode switching, on the other hand, is a central aspect. In this paragraph, we sketch the general translation of several control theory formalisms into HyPA. We do not intend to be complete, but rather want to give a feel for the relation between HyPA and control theory. Furthermore, one has to keep in mind that control theory usually reasons about trace equivalence of systems, while HyPA is primarily concerned with (robust) bisimilarity.

With respect to the continuous time models, we conjecture that most of them can be translated into either one single flow clause c or, in more complicated cases, into one single recursive term of the form CT (c 0... c n ) CT, where $c_0 \ldots c_n$ denote clauses representing the different continuous modes a system can be in. If a system can be modeled using only three continuous variables, namely the state variable x R, the output variable y R m and the input variable u R n, and using only clauses of the form

ẋ = A i x + B i u + f i c i = x y = C i x + D i u + g i, (x,u) H i

with $A_i$, $B_i$, $C_i$ and $D_i$ matrices of appropriate dimensions, and $H_i$ a convex polyhedron (i.e. constructed from a finite set of inequalities), for every i, then we say that CT is a continuous time piecewise affine system [31].
If a system can be modeled as one single continuous flow clause, using the variables v,w R s in addition to x,y and u, and if this flow clause is of the form

ẋ = Ax + B 1 u + B 2 w y = Cx + D c = x 1 u + D 2 w, v = E 1 x + E 2 u + E 3 w + e 4 0 v w 0

then we say that the system is a continuous time linear complementarity system [30]. Here, $A, B_1, B_2, C, D_1, D_2, E_1, E_2$ and $E_3$ are matrices of appropriate dimensions, $e_4$ is a constant vector and 0 v w 0 denotes that the vectors v and w are orthogonal (i.e. 0 v, 0 w and $v^T w = 0$).

Discrete time models can be translated into the HyPA term DT (d 0... d n ) Timestep DT, with

[ ] Timestep t t + = 0 {t} V ṫ = 1 t T s x j = 0 j J [ ] t = T s ɛ.

Here, the set V = {x j j J} denotes the set of all variables that are used in the re-initialization clauses $d_0 \ldots d_n$, describing the discontinuous changes over time. Timestep denotes the progress of time with one sample time $T_s > 0$, during which the variables $x_j$ are supposed to remain constant. Similar to the continuous case, if (and only if) V = {x,y,u}, and for all re-initializations (with i [0,n]) we find

x + = A i x + B i u + f i y + = C i x + + D i u + + g i d i = x,y,u y = C i x + D i u + g i, (x +,u + ) H i (x,u ) H i

with $A_i$, $B_i$, $C_i$ and $D_i$ matrices of appropriate dimensions, and $H_i$ a convex polyhedron, we say that DT is a discrete time piecewise affine system [31]. Analogously, if (and only if) a system can be written in the form

x + = Ax + B 1 u + B 2 w y + = Cx + + D 1 u + + D 2 w + y = Cx + D 1 u + D 2 w x,y DT = v + = E 1 x + + E 2 u + + E 3 w + + e 4 Timestep DT, u,v,w v = E 1 x + E 2 u + E 3 w + e 4 0 v + w v w 0

we say that it is a discrete time linear complementarity system [30]. A third type of discrete control formalism is discrete time mixed logical dynamical systems [28]. Similarly to linear complementarity systems, these systems can be described using only one re-initialization clause. This time, however, the clause also reasons about variables that take value in the domain {0, 1}. A mixed logical dynamical system may use variables x R, y R m and u R n, and in addition, the variables z R r and w {0, 1} s, and can be written in the form

x + = Ax + B 1 u + B 2 w + B 3 z y + = Cx + + D 1 u + + D 2 w + + D 3 z + x,y DT = y = Cx + D 1 u + D 2 w + D 3 z Timestep DT. u,v,w E 1 x + + E 2 u + + E 3 w + + E 4 z + e 5 E 1 x + E 2 u + E 3 w + E 4 z e 5

In [29], the relation between the discrete control formalisms described above is further worked out, and it turns out that most of them are equivalent under certain, from a physical point of view very reasonable, assumptions.

There is also another natural way of dealing with discrete time models in HyPA, and that is by using a flow-clause parametrization with discrete time rather than continuous time. Simply assume that time consists of the natural numbers only. If there is no interaction to be modeled between the discrete time processes and continuous time processes, then this is a valid approach as well. However, if interaction is necessary, then one must know what happens in between the discrete steps. The approach we have shown above is known in control as the zero-order hold approach. There are many other ways to model the behavior in between re-initializations, but that is a topic outside the scope of this paper.

As we mentioned in the beginning of this paragraph, HyPA is primarily concerned with the notion of robust bisimilarity. However, suppose we would adopt language equivalence, or even some weaker appropriate notion of equivalence.
This would mean that we probably lose congruence of parallel composition, but it would also mean that we might be able to abstract away from a lot of computational behavior and rewrite certain HyPA processes into one of the above forms. Since a lot of control theory is developed for those forms, this might greatly improve the analysis possibilities of HyPA.

5 Conclusions and Future Work

In this paper, the syntax, semantics and axiomatization were presented of a hybrid process algebraic theory called HyPA. This theory is aimed at the description and analysis of hybrid systems. HyPA is a conservative extension of the process algebra ACP [7], with a constant representing termination, a disrupt operator in the style of LOTOS [8], and clauses [2] for the description of continuous and discontinuous behavior of model variables. More precisely, the set of discrete actions (and the communication function) and the predicates used for describing flows and re-initializations (and the corresponding solution notions) are parameters of the theory. The reason for this is that they are often problem-specific. Using the axiomatization of HyPA, closed terms can be rewritten into basic terms, in which all parallel compositions are eliminated.

HyPA turns out to be different from most existing hybrid formalisms, in two major ways. It has a hybrid transition system semantics, for which it is not necessary to distinguish between state variables and external variables in differential equations. This allows for a general definition of parallel composition in the style of ACP, that also allows continuous interaction between all model variables. Furthermore, discontinuities in the variables of differential equations do not need to be explicitly modeled by assignment actions. Alternatively, in HyPA it is explicitly written down when a variable is continuous.

Apparent drawbacks of HyPA are its strong notion of equivalence, and the sometimes complex axiomatization. However, we have sketched how, by assuming the same properties that are common on hybrid automata (compatibility of parallel composed systems, and continuity of all model variables), both the equivalence may be weakened, and the axiomatization becomes simpler. HyPA is very similar to the languages hybrid χ [11] and the hybrid process algebra of [13].
The differences are mainy found in the way time-determinism is treated, and in the way in which the passing of time is modeed impicity or expicity. Future work on HyPA can be divided into five categories, given in arbitrary order. The first category, is a formaization of section 4, comparing HyPA to other (hybrid) formaisms. Ceary, since hybrid χ and the works of [13] are very simiar, a forma comparison is indispensabe. Aso, forma comparisons with hybrid automata, φ-cacuus, and hybrid Petri nets, are important. Transations to and from those formaisms are usefu, in order to be abe to use anaysis techniques from one, in the other formaism. This, of course, is aso the case for various contro formaisms and techniques. The second category, is the appication of HyPA to a number of (arger) case studies. Ony this reveas whether the way of modeing we have chosen is indeed as convenient as expected, and whether practica theorems can be 48

49 formuated to support the anaysis of hybrid systems. The third category encompasses work on showing that the axiomatization of HyPA, moduo cacuation on causes, is compete (or can be made compete) for the notion of robust bisimiarity. Aso, extending the resut for rewriting cosed terms into basic terms, to rewriting of recursive specifications into a inear form, is essentia for the anaysis of systems. The fourth category of future work, is the extension of the theory with abstraction. Aso, extension with system theoretic concepts ike, for exampe, a metric or topoogy on the state-space [53], or other notions of imit behavior [54], may then come into pay. One of the cassica probems in the hybrid systems fied, namey the anaysis of Zeno-behavior, where infinite sequences of actions converge to a certain point, arises from such a metric, and we fee that a truy hybrid semantica mode shoud incude it. It is important to note, that without abstraction, our current notion of equivaence is strong enough to capture Zeno-behavior, simpy because process terms need to be equivaent for a vauations of variabes, incuding Zeno-points. After abstraction of certain variabes, however, Zeno-behavior of those variabes cannot be distinguished anymore, and therefore a new notion of equivaence might be needed. Other types of abstraction, ike abstraction from actions [7,43], woud aso greaty improve the anaytic powers of HyPA. Aso for those, new notions of (robust) bisimiarity, known in cassica process agebra for exampe, branching bisimiarity, or observationa equivaence, are needed. The fifth category, is too support. Cacuations, even on a simpe exampe such as the steam boier, quicky become very cumbersome, tedious and error prone. This is a serious probem when appying the theory to any system of interesting size. 
Using the resut that processes can be rewritten into basic terms using a strongy terminating rewriting system, makes that deveoping a very basic too for partiay automating these cacuations shoud not be difficut. Acknowedgements Finay, we woud ike to thank Pau van den Bosch, Bert van Beek, Jan Friso Groote, Maurice Heemes, Aeksandar Juoski, Ka Lok Man, Kees Middeburg, Mohammad Mousavi, Ramon Schiffeers, Frits Vaandrager and Tim Wiemse, for their comments during severa stages of the deveopment of this paper. We woud ike to thank Peter van den Brand for his quicky but thoroughy deveoped inearization too that made cacuations easier and more reiabe for us. 49

References

[1] P. Mosterman, Hybrid dynamic systems: A hybrid bond graph modeling paradigm and its application in diagnosis, Ph.D. thesis, Vanderbilt University, Nashville, Tennessee (1997).
[2] A. van der Schaft, J. Schumacher, An Introduction to Hybrid Dynamical Systems, Vol. 251 of Lecture Notes in Control and Information Sciences, Springer-Verlag, London,
[3] J. Groote, M. Reniers, Algebraic process verification, in: J. Bergstra, A. Ponse, S. Smolka (Eds.), Handbook of Process Algebra, Elsevier Science B.V., Amsterdam, 2001, Ch. 17, pp
[4] V. Bos, J. Kleijn, Formal specification and analysis of industrial systems, Ph.D. thesis, TU/e, Eindhoven, The Netherlands (2002).
[5] V. Bos, J. J. Kleijn, Redesign of a systems engineering language formalisation of χ, Formal Aspects of Computing 15 (4) (2003)
[6] W. Fokkink, J. Groote, M. Hollenberg, B. van Vlijmen, LARIS 1.0: LAnguage for Railway Interlocking Specifications, CWI, Amsterdam,
[7] J. Baeten, W. Weijland, Process Algebra, Vol. 18 of Cambridge Tracts in Theoretical Computer Science, Cambridge University Press, Cambridge,
[8] E. Brinksma, A tutorial on LOTOS, in: M. Diaz (Ed.), Proc. Protocol Specification, Testing and Verification V, Amsterdam, The Netherlands, 1985, pp
[9] R. Schiffelers, D. van Beek, K. Man, M. Reniers, J. Rooda, A hybrid language for modeling, simulation and verification, in: Proc. IFAC Conference on Analysis and Design of Hybrid Systems (ADHS03), International Federation of Automatic Control (IFAC), Saint-Malo, 2003, pp
[10] D. van Beek, N. Jansen, K. Man, M. Reniers, J. Rooda, R. Schiffelers, Relating Chi to hybrid automata, in: S. Chick, P. Sánchez, D. Ferrin, D. Morrice (Eds.), Proceedings Winter Simulation Conference (WSC03), to appear.
[11] R. Schiffelers, D. van Beek, K. Man, M. Reniers, J. Rooda, Formal semantics of hybrid Chi, in: Formal Modeling and Analysis of Timed Systems, to appear, Lecture Notes in Computer Science, Springer-Verlag,
[12] J. Vereijken, A process algebra for hybrid systems, in: The Second European Workshop on Real-Time and Hybrid Systems, Grenoble, France,
[13] J. Bergstra, C. Middelburg, Process algebra for hybrid systems, Tech. Rep. CSR 03-06, TU/e, Eindhoven, The Netherlands (2003).
[14] H. Jifeng, From CSP to hybrid systems, in: A.W. Roscoe (Ed.), A Classical Mind, Essays in Honour of C.A.R. Hoare, Prentice-Hall International, 1994, pp
[15] W. Rounds, H. Song, The φ-calculus: A language for distributed control of reconfigurable embedded systems, in: F. Wiedijk, O. Maler, A. Pnueli (Eds.), Hybrid Systems: Computation and Control, 6th International Workshop, HSCC 2003, Vol of Lecture Notes in Computer Science, Springer-Verlag, 2003, pp
[16] T. Henzinger, The theory of hybrid automata, in: Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science (LICS 1996), IEEE Computer Society Press, 1996, pp
[17] N. Lynch, R. Segala, F. Vaandrager, Hybrid I/O automata, Information and Computation 185 (1) (2003)
[18] J. LeBail, H. Alla, R. David, Hybrid Petri nets, in: Proc. of the 1st European Control Conference, ECC 91, Grenoble, France, July, 1991, pp
[19] H. Alla, R. David, Continuous and hybrid Petri nets, Journal of Circuits, Systems and Computers 8 (1) (1998)
[20] I. Demongodin, N. Koussoulas, Differential Petri nets: A new model for hybrid systems, in: Proc. Advanced Summer Institute 96, 1996, pp
[21] I. Demongodin, N. Koussoulas, Differential Petri nets: Representing continuous systems in a discrete-event world, IEEE Transactions on Automatic Control 43 (3) (1998)
[22] A. D. Febbraro, A. Giua, G. Menga (Eds.), Special Issue on Hybrid Petri Nets, Vol. 11 of Discrete Event Dynamic Systems,
[23] M. Rönkkö, A. P. Ravn, K. Sere, Hybrid action systems, Theoretical Computer Science 290 (2003)
[24] P. Amthor, A CSP model for hybrid automata, in: Third BCS-FACS Northern Formal Methods Workshop (NFMW98), Ilkley, UK,
[25] T. Willemse, Semantics and verification in process algebras with data and timing, Ph.D. thesis, TU/e, Eindhoven, The Netherlands (2003).
[26] J. Groote, J. van Wamel, Analysis of three hybrid systems in timed µCRL, Science of Computer Programming 39 (2001)
[27] A. van der Schaft, J. Schumacher, Compositionality issues in discrete, continuous, and hybrid systems, Int. J. Robust and Nonlinear Control 11 (2001)
[28] A. Bemporad, M. Morari, Control of systems integrating logic, dynamics, and constraints, Automatica 35 (3) (1999)
[29] W. Heemels, B. D. Schutter, A. Bemporad, On the equivalence of classes of hybrid dynamical models, in: Proc. 40th IEEE Conference on Decision and Control, IEEE, Orlando, Florida, 2001, pp
[30] A. van der Schaft, J. Schumacher, Complementarity modeling of hybrid systems, IEEE Transactions on Automatic Control 43 (1998)
[31] E.D. Sontag, Nonlinear regulation: The piecewise linear approach, IEEE Trans. Autom. Control 26 (1981)
[32] E. Haghverdi, P. Tabuada, G. Pappas, Bisimulation relations for dynamical and control systems, in: R. Blute, P. Selinger (Eds.), Category Theory and Computer Science (CTCS 02), Vol. 69 of Electronic Notes in Theoretical Computer Science, Elsevier,
[33] G. Lafferriere, G. Pappas, S. Sastry, O-minimal hybrid systems, Mathematics of Control, Signals, and Systems 13 (1) (2000)
[34] P.-H. Ho, Automatic analysis of hybrid systems, Ph.D. thesis, Cornell University, Ithaca, New York (1995).
[35] R. Alur, T. Henzinger, P.-H. Ho, Automatic symbolic verification of embedded systems, IEEE Transactions on Software Engineering 22 (3) (1996)
[36] J. Polderman, J. Willems, Introduction to Mathematical Systems Theory: A Behavioural Approach, Vol. 26 of Texts in Applied Mathematics, Springer-Verlag,
[37] R. Dorf, R. Bishop, Modern Control Systems, Series in Electrical and Computer Engineering: Control Engineering, Addison-Wesley,
[38] P. Cuijpers, M. Reniers, W. Heemels, Hybrid transition systems, Tech. Rep. CSR 02-12, TU/e, Eindhoven, The Netherlands (2002).
[39] E. Sontag, Mathematical Control Theory: Deterministic Finite Dimensional Systems, Vol. 6 of Texts in Applied Mathematics, Springer-Verlag,
[40] G. Plotkin, A structural approach to operational semantics, Tech. Rep. DAIMI FN-19, Computer Science Department, Aarhus University (1981).
[41] J. Baeten, C. Verhoef, Concrete process algebra, in: S. Abramsky, D. M. Gabbay, T. Maibaum (Eds.), Semantic Modelling, Vol. 4 of Handbook of Logic in Computer Science, 1995, pp
[42] R. Milner, A calculus of communicating systems, Vol. 92 of Lecture Notes in Computer Science, Springer-Verlag,
[43] W. Fokkink, Introduction to Process Algebra, Texts in Theoretical Computer Science, Springer-Verlag, Berlin,
[44] J. Baeten, J. Bergstra, Mode transfer in process algebra, Tech. Rep. CSR 00-01, TU/e, Eindhoven, The Netherlands (2000).
[45] J. Baeten, C. Middelburg, Process Algebra with Timing, Monographs in Theoretical Computer Science, Springer-Verlag,
[46] P. Cuijpers, M. Reniers, Hybrid process algebra, Tech. Rep. CSR 03-07, TU/e, Eindhoven, The Netherlands (2003).
[47] J.-R. Abrial, Steam-boiler control specification problem, in: Dagstuhl Meeting: Methods for Semantics and Specification,

[48] J. Baeten, T. Basten, M. Reniers, Algebra of communicating processes, course notes 2M920: Process Algebra (2003).
[49] J. Bergstra, J. Klop, Verification of an alternating bit protocol by means of process algebra, in: W. B.. K. Jantke (Ed.), Mathematical Methods of Specification and Synthesis of Software Systems 85, Vol. 215 of Lecture Notes in Computer Science, Springer, 1986, pp
[50] S. Owicki, D. Gries, An axiomatic proof technique for parallel programs I, Acta Informatica 6 (1976)
[51] J. Rooda, Simulation of Logistics Elements (Soe), Enschede, The Netherlands, user Manual (1982).
[52] J. Baeten, J. Bergstra, Process algebra with propositional signals, Theoretical Computer Science 177 (1997)
[53] P. Cuijpers, M. Reniers, Topological (bi-)simulation, Tech. Rep. CSR 02-04, TU/e, Eindhoven, The Netherlands (2002).
[54] M. Ying, Topology in Process Calculus: Approximate Correctness and Infinite Evolution of Concurrent Programs, Springer-Verlag,
[55] R. van Glabbeek, The linear time branching time spectrum I: The semantics of concrete, sequential processes, in: J. Bergstra, A. Ponse, S. Smolka (Eds.), Handbook of Process Algebra, Elsevier Science B.V., Amsterdam, 2001, Ch. 1, pp

A Congruence

In this section, we prove that robust bisimilarity is a congruence for the operators of HyPA. For most of the operators, we only give the witnessing relations. For the parallel composition, we give the full proof. But before we present this proof, we need to pose a lemma that states that transitions that are labeled with a certain valuation end in a state with that same valuation. This turns out to be vital in many of the proofs for congruence.

Lemma 16 (Labeling) A transition labeled with a valuation leads to a state with that same valuation: If x,ν a,ν y,ν then ν = ν ; If x,ν σ y,ν and dom(σ) = [0,t] then ν = σ(t).

PROOF. This is obvious from the semantics of HyPA. It trivially holds for atomic processes, and all semantical rules of the operators of HyPA preserve this connection between labeling and state.

Theorem 17 Robust bisimilarity is a congruence for all the operators of HyPA.

PROOF. We show the proof for parallel composition. For the other operators, we only give the witnessing relations. Congruence means that if p p and q q, then also p q p q. Let R be a relation witnessing p p, and let S be a relation witnessing q q. Then, we construct the following relation: U = {((x y,ν), (x y,ν )) x,x,y,y T (V r ), ν,ν Val, (x,ν)R(x,ν ), (y,ν)S(y,ν )} R S, and prove that it is a robust bisimulation relation, witnessing x y x y. That it is a witness relation is trivial. That it is a robust relation is straightforward from the fact that R and S are robust. That it is a bisimulation relation follows from the cases below. The only interesting case is where (x y,ν)U (x y,ν ) for some x,y,x,y T (V r ) and ν,ν Val. Note that by definition of U we may use the assumption that (x,ν)R(x,ν ) and (y,ν)S(y,ν ). We find the following subcases.
(1) x y, ν, for which we need the assumption
(a) x,ν y,ν. Using the fact that R and S are bisimulation relations, we find x,ν and y,ν and may readily conclude x y,ν.
(2) x y,ν, similar to the previous case.
(3) x y,ν z,µ, for which we need one of the following assumptions.
(a) Σ x,ν z,µ y,ν From the fact that R is a bisimulation relation, we conclude that there exist z and µ such that x,ν z,µ and (z,µ)R(z,µ ). From the fact that S is a bisimulation relation, we know y,ν. Finally, we conclude that x y,ν z,µ and (z,µ)U (z,µ ) using the fact that R U.
(b) Σ y,ν z,µ x,ν Similar to the previous case.
(c) zx,z y Σ z z x z y x,ν z x,µ y,ν z y,µ From the fact that R and S are bisimulation relations, we conclude that there exist z x,z y, µ x and µ y such that x,ν z x,µ x and y,ν z y,µ y, with (z x,µ)R(z x,µ x ) and (z y,µ)S(z y,µ y ). Using lemma 16 we find µ = µ x = µ y and finally conclude that x y,ν z x z y,µ with (z,µ)U (z x z y,µ ).

(d) zx A z z x y x,ν z x,µ From the fact that R is a bisimulation relation, we find that there exist z x and µ, with x,ν z x,µ and (z x,µ)R(z x,µ ). Using lemma 16, we conclude that µ = µ, and we can construct an interference ι Val Val such that ι(ν) = ι(ν ) = µ. Because S is robust, we may conclude (y,ι(ν))S(y,ι(ν )), and we finally find x y,ν z x y,µ with (z,µ)U (z x y,µ ).
(e) zy A z x z y y,ν z y,µ Similar to the previous case.
(f) zx,z y A z z x z y (aγb,ϑ) x,ν a,ϑ z x,µ y,ν b,ϑ z y,µ From the fact that R and S are bisimulation relations, we conclude that there exist z x,z y, µ x and µ y such that x,ν a,ϑ z x,µ x and y,ν b,ϑ z y,µ y, with (z x,µ)R(z x,µ x ) and (z y,µ)S(z y,µ y ). Using lemma 16 we find ϑ = µ x = µ y and finally conclude that x y,ν aγb,µ z x z y,ϑ with (z,µ)U (z x z y,ϑ).
(4) x y,ν z,µ, similar to the previous case.

The following relations witness congruence for the other operators, given that R witnesses p p and S witnesses q q as before:
U = {((x y,ν), (x y,ν )) x,x,y,y T (V r ), ν,ν Val, (x,ν)R(x,ν ), (y,ν)S(y,ν )} R S,
U = {((x y,ν), (x y,ν )) x,x,y,y T (V r ), ν,ν Val, (x,ν)R(x,ν ), (y,ν)S(y,ν )} S,
U = {((x y,ν), (x y,ν )) x,x,y,y T (V r ), ν,ν Val, (x,ν)R(x,ν ), (y,ν)S(y,ν )} S,
U = {((x y,ν), (x y,ν )) x,x,y,y T (V r ), ν,ν Val, (x,ν)R(x,ν ), (y,ν)S(y,ν )} U,
U = {((x y,ν), (x y,ν )) x,x,y,y T (V r ), ν,ν Val, (x,ν)R(x,ν ), (y,ν)S(y,ν )} U,

U = {((x y,ν), (x y,ν )) x,x,y,y T (V r ), ν,ν Val, (x,ν)R(x,ν ), (y,ν)S(y,ν )} U,
U d = {((d x,ν), (d x,ν )) x,x T (V r ), ν,ν Val, (x,ν)R(x,ν )} R,
U H () = {(( H (x),ν), ( H (x ),ν )) x,x T (V r ), ν,ν Val, (x,ν)R(x,ν )}.

B Stateless Bisimilarity

In the proof of theorem 9, we claimed that the notion of robust bisimilarity coincides with the notion of bisimilarity used in [46]. In this appendix, we substantiate that claim. Firstly, the notion of bisimilarity on process terms from [46] is defined as follows:

Definition 18 (Stateless Bisimilarity) A relation R T (V r ) T (V r ) on process terms is a stateless bisimulation relation if for all p,q T (V r ) such that p Rq, and for all valuations ν,ν Val and labels A Σ, we find
p,ν implies q,ν ;
q,ν implies p,ν ;
for every p with p,ν p,ν there exists q s.t. q,ν q,ν and p Rq ;
for every q with q,ν q,ν there exists p s.t. p,ν p,ν and p Rq.
Two process terms x and y are stateless bisimilar, denoted x s y, if there exists a stateless bisimulation relation that relates them.

Now we will show that the two notions coincide.

Theorem 19 For all process terms p,q T (V r ), we find p q iff p s q.

PROOF. We start by showing that s. In order to do this, suppose that two process terms p and q are stateless bisimilar (p s q), and that R is a relation that witnesses this equivalence. Then we define a relation S = {((x,ν), (y,ν)) xRy, ν Val}. It is straightforward to verify that this is a bisimulation relation in the sense of this paper, and furthermore, if

(x,ν)S(y,ν ), then ν = ν and hence ι(ν) = ι(ν ) for every interference ι. Finally, we observe that (x,ν )S(y,ν ) for every ν Val, and particularly for every ι(ν). Hence S is robust, and witnesses p q.

Now, we will show that s. Suppose that we have process terms p and q that are robustly bisimilar (p q), and that S is a robust bisimulation relation that witnesses this. Then, we construct the relation R = {(x,y) ν (x,ν)S(y,ν)}. Clearly, pRq, since we have (p,ν)S(q,ν) for every ν. The case for termination is also straightforward. Finally, suppose that xRy, and there exists a transition x,ν x,ν. Then, by definition of R we know (x,ν)S(y,ν), and because S is a bisimulation relation we find that there is a transition y,ν y,ν. Using lemma 16, from appendix A, we find that ν = ν, and hence that (x,ν )S(y,ν ). Using this, we can construct for every µ an interference ι such that ι(ν ) = µ, and using robustness we conclude that (x,µ)S(y,µ). From this it follows that x Ry, which proves that R is a stateless bisimulation relation, witnessing p s q.

C Soundness

In this section, we summarize the proofs for soundness of the axiomatization and of the derivation rules, as given in [46]. The complete proofs are very long, but rather straightforward, and are given in [46] for a notion of stateless bisimilarity, that has been proven to coincide with robust bisimilarity in appendix B. In this section, we will confine ourselves to give only the witnessing robust bisimulation relations for some of the more difficult derivation rules and axioms. Two of the axioms are worked out in more detail.

Soundness of derivation rules (1), (2) and (3) follows directly from the fact that robust bisimilarity is an equivalence relation. That bisimilarity is an equivalence is a standard result [55], and that robustness does not change this is easy to verify. Derivation rules (4) and (5) are sound, because robust bisimilarity is a congruence for all the operators of HyPA. This is proven in appendix A. Soundness of derivation rules (6) and (7) is straightforward from the operational semantics of re-initialization clauses and flow-clauses, while soundness of derivation rule (8) follows from soundness of all the axioms separately, and from the fact that the semantics of a recursive definition indeed reflect a solution of the recursive equation.

Soundness of derivation rule (9) is witnessed by a relation R such that (d c,ν) R (d c c,ν) (c,ν) R (c c,ν) (x,ν) R (x,ν), for all ν Val,

x T (V r ) and all c,c C that satisfy the assumption that (µ,σ) = c implies (µ,σ) = c and, (µ,µ ) = d and (µ,σ) = c implies (µ,σ) = c. To verify that this is indeed a robust bisimulation relation is straightforward.

Soundness of derivation rule (10) is witnessed by the relation R such that (c,ν) R ((c c ) c,ν) (c,ν) R (c c,ν) (c,ν) R (c c,ν) (x,ν) R (x,ν) for all ν Val, x T (V r ) and all c,c,c C satisfying the assumption that (µ,σ) = c if and only if (µ,σ) = c or (µ,σ) = c. Again, it is straightforward to verify that this is a robust bisimulation relation.

As examples of soundness proofs of the axioms, we have selected a few axioms that we study in more detail. The witnessing relations for all the others, and the proofs that these relations are indeed bisimulation relations, can be found in [46] for the notion of stateless bisimilarity. The translation to robust bisimilarity is straightforward using the results of appendix B.

The first axiom we give a witness relation for regards distribution of disrupt over sequential composition. It is the only axiom that was not mentioned in [46]. The axiom (x δ y) z x δ y z is witnessed by the relation R such that ((x δ y) z,ν) R (x δ y z,ν), ((x δ y) z,ν) R (x δ y z,ν) and (x,ν) R (x,ν) for all x,y,z T (V r ) and ν Val. That this is indeed a robust bisimulation relation is straightforward to verify.

The axiom d ɛ d ɛ (d? d? ) ɛ is witnessed by the relation R such that (d ɛ d ɛ,ν) R ((d? d? ) ɛ,ν), for all ν Val and d,d D. Since this is one of the more difficult axioms, we show the full proof here. Clearly, we only need to verify bisimilarity for the cases of (d ɛ d ɛ,ν) R ((d? d? ) ɛ,ν) for termination. Furthermore, it is obvious from the construction of R that it is a robust relation.
(1) d ɛ d ɛ,ν, for which we need the hypothesis
(a) ν (ν,ν ) = d ν (ν,ν ) = d From which we conclude that (ν,ν) = d? and (ν,ν) = d?, hence (d? d? ) ɛ,ν.
(2) (d? d? ) ɛ,ν, for which we need the hypothesis
(a) ν (ν,ν ) = (d? d? ), which comes down to the hypothesis
(i) ν = ν υ (ν,υ) = d υ (ν,υ ) = d From which we easily conclude d ɛ,ν and d ɛ,ν, hence d ɛ d ɛ,ν.

The axiom d c x d c y ((d c jmp ) (d c jmp)) (c c ) ( x c y y c x x c y y c x ) is witnessed by the relation R such that (d c x d c y,ν) R (N c c M,ν) (c x c y,ν) R (c c M,ν) (x y,ν) R (y x,ν)

(x,ν) R (x,ν), for all ν Val, c,c C, d,d D and x,y T (V r ), in which we use abbreviations M = x c y y c x x c y y c x and N = ((d c jmp ) (d c jmp)). The proof that this is a bisimulation relation is rather complicated, and therefore we give it below. That it is a robust relation follows straightforwardly from the construction.

In the proof below, we make use of the following two lemmas, which are proven in [46]. These lemmas express that the initial jumps that a flow-clause can make are closed under concatenation, and that it is not necessary (yet still possible) to jump if there is a solution that starts from the current valuation. This is vital, since the axiom expresses that any number of re-initializations c jmp may be performed before actually executing a flow transition. Incidentally, these lemmas are also needed for the proof of the axiom c jmp c c, in which they are used in a similar way as in the proof below.

Lemma 20 If (ν,σ ) = c and (σ (0),σ) = c then (ν,σ) = c.

Lemma 21 If (ν,σ) = c then (σ(0),σ) = c.

The validity of these lemmas does not depend on the choice of parameters of HyPA, but follows directly from the operational semantics.

For (x,ν) R (x,ν), the proof that R is a bisimulation relation is trivial. For (x y, ν) R (y x, ν), the proof is also straightforward. For (d c x d c y,ν) R (N c c M,ν), we find the following cases.
(1) d c x d c y,ν, for which we need the hypothesis
(a) d c x,ν d c y,ν, which leads to the hypothesis
(i) ν (ν,ν ) = d c x,ν, for which we need the hypothesis
(A) c,ν, which cannot be satisfied.
(2) N c c M,ν, cannot be satisfied for similar reasons as in the previous case.
(3) d c x d c y,ν p,ν, leading to one of the hypotheses
(a) p A d c x,ν p,ν, which can clearly not be satisfied since flow-clauses cannot execute action transitions.
(b) p,p Σ dom() = [[0,t] p = p p d c x,ν p,ν p,ν d c y,ν, for which we need the hypothesis
(i) ν (ν,ν ) = d c x,ν d c y,ν p,ν ν (ν,ν ) = p,ν, leading to the hypothesis

(A) r p = r x c,ν y c,ν r,ν r p = r r,ν, for which we need the hypothesis (ν,) = c r = c (ν,) = c r = c ν = (t). Using lemma 21 we find that ((0),) = (c c ). Furthermore, we may conclude that (ν,(0)) = N and p = c x c y, to finally find N c c M,ν (c c ) M,ν and (p,ν ) R (c c M,ν ).
(4) N (c c ) M,ν p,ν, leading to the hypothesis
(a) ν (ν,ν ) = N (c c ) M,ν p,ν, for which we need the hypothesis
(i) r p = r M (c c ),ν r,ν ν1,σ 1 (ν,ν 1 ) = d (ν 1,σ 1 ) = c ν2,σ 2 (ν,ν 2 ) = d (ν 2,σ 2 ) = c ν = σ 1 (0) = σ 2 (0), and finally we need the hypothesis
(A) Σ r = (c c ) (ν,) = (c c ) ν = (t). From this we may conclude that p = (c c ) M, but furthermore we can use lemma 20, together with the facts that (ν 1,σ 1 ) = c and (ν,) = c and ν = σ 1 (0) to find (ν 1,) = c and similarly (ν 2,) = c. This leads to the observations that d c x c x,ν and d c y c y,ν, and finally d c x d c y,ν c x c y,ν and (c x c y,ν ) R (p,ν ).

For (c x c y,ν) R (c c M,ν), we find the following cases.
(1) c x c y,ν, for which we need the hypothesis
(a) c x,ν c y,ν, for which we need the hypothesis
(i) x,ν y,ν From which we may conclude x y,ν hence M,ν and (c c ) M,ν.
(2) c c M,ν, for which we need the hypothesis M,ν and hence one of the following hypotheses
(a) x c y,ν, which cannot occur.
(b) y c x,ν, which cannot occur.
(c) x c y,ν, for which we need the hypothesis
(i) x c y,ν. From this we may conclude that c x,ν and hence c x c y,ν.
(d) y c x,ν, is similar to the previous case.
(3) c x c y,ν p,ν, for which we need one of the following hypotheses:
(a) a,a,p,p = (aγa,µ) p = p p c x,ν a,µ p,ν c y,ν a,µ p,ν, which leads to the hypothesis

(i) x,ν a,µ p,ν y,ν a,µ p,ν, from which we conclude x c y,ν aγa,µ p p,ν, and hence (c c ) M,ν p,ν with (p,ν ) R (p,ν ).
(b) p A p = p c y c x p,ν, for which we need the hypothesis
(i) x,ν p,ν from which we conclude that x c y,ν p c y,ν and hence (c c ) M,ν p,ν with (p,ν ) R (p,ν ).
(c) p A p = c x p c y p,ν, which is similar to the previous case.
(d) p,p,t Σ dom() = [[0,t] p = p p c x,ν p,ν c y,ν p,ν, for which we need one of the following hypotheses:
(i) r p = r x c,ν r,ν r p = r y c,ν r,ν, for which we need the hypothesis
(A) r = c r = c (ν,) = c (ν,) = c ν = (t) From this we conclude that p = c x c y and (c c ) M,ν c c M,ν, with (p,ν ) R ((c c ) M,ν ).
(ii) r p = r x c,ν r,ν y,ν p,ν, for which we need the hypothesis
(A) r = c. Now, we conclude that p = c x p, and that y c x,ν p c x,ν. Hence (c c ) M,ν p c x,ν with (p c x,ν ) R (p,ν ).
(iii) x,ν p,ν r p = r y c,ν r,ν, for which we need the hypothesis
(A) r = c. Now, we conclude that p = p c y, and that x c y,ν p,ν. Hence, (c c ) M,ν p,ν with p Rp.
(iv) x,ν p,ν y,ν p,ν From which it follows directly that x c y p,ν Hence, (c c ) M,ν p,ν with (p,ν ) R (p,ν ).
(e) Σ c x,ν p,ν c y,ν, for which we need the hypothesis
(i) y,ν. From this we may conclude y c x p,ν. Hence, (c c ) M,ν p,ν with (p,ν ) R (p,ν ).
(f) Σ c x,ν c y,ν p,ν, for which we need

the hypothesis
(i) x,ν. From this we may conclude x c y p,ν. Hence, (c c ) M,ν p,ν with (p,ν ) R (p,ν ).
(4) c c M,ν p,ν, which needs one of the following hypotheses:
(a) r p = r M (c c ),ν r,ν, for which we need the hypothesis
(i) t Σ dom() = [[0,t] r = (c c ) ν = (t) (ν,) = c (ν,) = c. From this we may readily conclude that p = (c c ) M σ and c x,ν c x,ν. Consequently, we find c x c y,ν c x c y,ν with (c x c y,ν ) R (p,ν ).
(b) M,ν p,ν, which comes down to one of the hypotheses:
(i) x c y,ν p,ν, for this we need the hypothesis
(A) r A p = r c y x,ν r,ν. From which we conclude c x r,ν and finally c x c y,ν p,ν with (p,ν ) R (p,ν ).
(ii) y c x,ν p,ν, for this we need the hypothesis
(A) r A p = r c x y,ν r,ν. From which we conclude c y r,ν and finally c x c y,ν c x r,ν with (p,ν ) R (c x r,ν ).
(iii) x c y,ν p,ν, for which we need one of the hypotheses
(A) a,a,p,p,µ = (aγa,µ) p = p p x,ν a,µ p,ν c y,ν a,µ p,ν, which leads to the hypothesis y,ν a,µ p,ν From which we readily conclude c x c y,ν p,ν with (p,ν ) R (p,ν ).
(B) p,p Σ p = p p x,ν p,ν c y,ν p,ν, which leads to one of the hypotheses r p = r y c y,ν r,ν, then we need the hypothesis r = c From which we conclude that p = p c y and c x c y,ν p,ν with (p,ν ) R (p,ν ). y,ν p,ν From which we readily conclude c x c y,ν p,ν with (p,ν ) R (p,ν ).

(iv) y c x,ν p,ν, for which we need one of the hypotheses
(A) a,a,p,p,µ = (aγa,µ) p = p p y,ν a,µ p,ν c x,ν a,µ p,ν, which leads to the hypothesis x,ν a,µ p,ν From which we readily conclude c x c y,ν p p,ν with (p,ν ) R (p p,ν ).
(B) p,p Σ p = p p y,ν p,ν c x,ν p,ν, which leads to one of the hypotheses r p = r x c x,ν r,ν, then we need the hypothesis r = c From which we conclude that p = p c x and c x c y,ν c x p,ν with (p,ν ) R (c x p,ν ). x,ν p,ν From which we readily conclude c x c y,ν p p,ν with (p,ν ) R (p p,ν ).

D Recursion principles

The recursive specification principle RSP states that a guarded recursive specification has at most one solution. Formally, the rule is stated as follows: S = E, S = E, E guarded S(X) S (X) X V r, where, S = E denotes that the interpretation S V r T (V r ) of recursion variables is a solution of a guarded recursive specification E. The proof of this usually goes via another principle, called the approximation induction principle AIP [49], which makes use of a family of projection operators π n. AIP states that if every finite projection of two processes is bisimilar, then the two processes are bisimilar. For the kind of semantical model we use, AIP is restricted in the sense that one of the compared processes should have bounded non-determinism. This is usually referred to as the restricted approximation induction principle AIP. In this section, we introduce the family of projection operators, and formalize the notion of bounded non-determinism. Then we pose the approximation induction principle, and prove it sound. After that, we show the existence of a bounded solution for guarded recursive specifications, and prove a projection property for guarded process terms. Finally, this allows us to prove soundness of RSP using AIP.
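The approximation idea behind AIP can be tried out on a finite transition system. The following Python sketch is an added example, not code from the paper or from any HyPA tool: it computes, for n = 0, 1, 2, ..., which states have bisimilar depth-n projections, and reports the first depth at which two states are told apart. It assumes a plain labelled transition system in which a state stands for a whole (process term, valuation) pair and flow transitions are left out; `LTS`, `fanout`, `approximants`, `first_distinguishing_depth` and `chain_family` are hypothetical names, and the sample family p_k = a^1 + ... + a^k, q_k = p_k + a^ω is constructed for the illustration.

```python
"""Depth-n approximants of bisimilarity on a finite labelled transition system."""


class LTS:
    """Finite transition system with a termination predicate on states."""

    def __init__(self, transitions, terminating=()):
        self.terminating = frozenset(terminating)
        self.states = set(self.terminating)
        self.succ = {}
        for source, label, target in transitions:
            self.succ.setdefault(source, set()).add((label, target))
            self.states.update((source, target))


def fanout(lts, state):
    """Largest number of distinct successors reached from `state` by one label."""
    per_label = {}
    for label, target in lts.succ.get(state, ()):
        per_label.setdefault(label, set()).add(target)
    return max((len(targets) for targets in per_label.values()), default=0)


def approximants(lts):
    """Yield, for n = 0, 1, 2, ..., a map from state to its depth-n class.

    Two states share a depth-n class exactly when their n-th projections are
    bisimilar. Depth 0 only compares termination. The generator stops once a
    level no longer splits any class; that partition is bisimilarity itself.
    """
    classes = {s: int(s in lts.terminating) for s in lts.states}
    while True:
        yield classes
        ids, refined = {}, {}
        for s in lts.states:
            moves = frozenset((a, classes[t]) for a, t in lts.succ.get(s, ()))
            signature = (s in lts.terminating, moves)
            refined[s] = ids.setdefault(signature, len(ids))
        # Each level refines the previous one, so an unchanged number of
        # classes means the partition itself is unchanged (a fixpoint).
        if len(ids) == len(set(classes.values())):
            return
        classes = refined


def first_distinguishing_depth(lts, s, t):
    """Smallest n whose projections separate s and t, or None if bisimilar."""
    for depth, classes in enumerate(approximants(lts)):
        if classes[s] != classes[t]:
            return depth
    return None


def bisimilar(lts, s, t):
    return first_distinguishing_depth(lts, s, t) is None


def chain_family(k):
    """Constructed sample: p = a^1 + ... + a^k and q = p + a^omega.

    ("c", j) is the state with j a-steps left before termination; "loop"
    performs a forever and never terminates.
    """
    transitions = [(("c", j), "a", ("c", j - 1)) for j in range(1, k)]
    for m in range(1, k + 1):
        transitions.append(("p", "a", ("c", m - 1)))
        transitions.append(("q", "a", ("c", m - 1)))
    transitions += [("q", "a", "loop"), ("loop", "a", "loop")]
    return LTS(transitions, terminating=[("c", 0)])


if __name__ == "__main__":
    for k in range(1, 6):
        lts = chain_family(k)
        print(k, fanout(lts, "p"), first_distinguishing_depth(lts, "p", "q"))
```

In this family the depth needed to separate p_k from q_k grows with the branching k of the root, so if the branching is allowed to grow without bound no finite projection separates the two processes; the bounded non-determinism side condition of the restricted principle rules that situation out.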

Projection has the following operational semantics: p,ν, π n (p),ν p,ν π n+1 (p),ν p,ν π n (p ),ν. Without proof, we claim that robust bisimilarity is a congruence for projection. Bounded non-determinism B(p) is defined as follows.

Definition 22 (Bounded non-determinism) Bounded non-determinism is recursively defined as:
Every state has bounded non-determinism in 0 steps.
A state (p,ν) has bounded non-determinism in n+1 steps, if for every the set R = {(p,ν ) p,ν p,ν } is finite, and all elements (p,ν ) R have bounded non-determinism in n steps themselves.
A state (p,ν) has bounded non-determinism (denoted B(p,ν)) if it has bounded non-determinism for any arbitrary number of steps.
A process p has bounded non-determinism (denoted B(p)) if for every valuation ν Val we find that (p,ν) has bounded non-determinism.

These definitions allow us to state the restricted approximation induction principle AIP : n π n (p) π n (q) B(q) AIP p q

Next, we prove that this principle is sound.

Theorem 23 AIP is sound for the semantics of HyPA.

PROOF. To prove this principle sound, suppose that R is the union of all robust bisimulation relations. In particular, it contains the robust bisimulation relations witnessing π n (p) π n (q). Note that R is an equivalence relation on states. We now construct the following relation S = {((x,ν), (y,µ)) n (π n (x),ν)R(π n (y),µ), B(y,ν)}, and show that this is a robust bisimulation relation witnessing p q. It is obvious that for all ν and all n we have (π n (p),ν)R(π n (q),ν), therefore we know (p,ν)S(q,ν). So, if S is a robust bisimulation relation, then it is a witness. In order to verify that S is a bisimulation relation, assume (x,ν)S(y,µ) and study the following cases:

(1) x,ν. Using the semantics of projection, we find π n (x),ν for all n, and using the definition of S we get (π n (x),ν)R(π n (y),µ). From which we conclude, using the fact that R is a bisimulation relation, that π n (y),µ, and using the semantics of projection we finally find y,µ.
(2) y,µ. Similar to the previous case.
(3) x,ν x,ν. We handle this case along the lines of [7]. Using the semantics of the projection operator, we find: π n+1 (x),ν π n (x ),ν, for any n. Furthermore, using the definition of S, we find for every n that (π n+1 (x),ν)R(π n+1 (y),µ). Now, we create a sequence Q n = {(y,µ ) y,µ y,µ, (π n (x ),ν )R(π n (y ),µ )}, and using the definition of projection and the fact that R is a bisimulation relation, we conclude that this sequence is non-empty for every n. Furthermore, it is decreasing (Q n Q n+1 ) because in general we have π n+1 (x) π n+1 (y) π n (x) π n (y) and R contains all bisimulation relations that witness this. Lastly, every Q n is finite, because y has bounded non-determinism. Therefore, the sequence Q n eventually becomes constant. In other words, there exists (y,µ ) such that for all n we have (y,µ ) Q n. Hence, by definition of Q n, we have for all n that (π n (x ),ν )R(π n (y ),µ ). Now, using the definition of S and the fact that (y,µ ) has bounded non-determinism because it is reachable from (y,µ), we finally conclude that (x,ν )S(y,µ ).
(4) y,µ y,µ. This case is also handled along the lines of [7]. Similarly to the previous case, we create a sequence Q n = {(x,ν ) x,ν x,ν, (π n (x ),ν)R(π n (y ),µ )}, and may conclude that this sequence is decreasing, and non-empty for every n. However, Q n is not necessarily finite. Nevertheless, for every n and every (x n,ν n ) Q n there exists, using the previous case, a (y n,µ n ) such that y,µ y n,µ n and (x n,ν n )S(y n,µ n ). Using bounded non-determinism of y, one of these elements occurs infinitely often. In other words, there is a k such that for every n there is an m n with (y k,µ k ) (y m,µ m ).
Now, because x k Sy k, we may conclude π n (x k )Rπ n (y k ). Because R contains the identity relation, we find π n (y k )Rπ n (y m ). Because R is symmetric, we find π n (y m )Rπ n (x m ) and because Q m Q n we find π n (x m )Rπ n (y ). With transitivity of R we conclude π n (x k )Rπ n (y ) and finally x k Sy, which concludes the case.

In order to verify that S is robust, assume that (x,ν)S(y,µ). By definition of S we find that (π n (x),ν)R(π n (y),µ) for every n. Since R is robust, we may conclude for every interference ι and every n that (π n (x),ι(ν))R(π n (y),ι(µ)), and hence (x,ι(ν))S(y,ι(µ)). Therefore, S is also robust.

Before we can use AIP to prove RSP, we need to study bounded non-determinism and projections of guarded recursive specifications in more detail. We need to show existence of a bounded non-deterministic solution for each guarded recursive specification, and we need an axiomatization for projection with respect to guarded process terms.

Theorem 24 (Bounded non-determinism) Each guarded recursive specification E has a bounded non-deterministic solution.

PROOF. This theorem is a strengthening of the recursive definition principle RDP, that states that every recursive specification has a solution. RDP is easily proven sound, using the fact that the semantics of HyPA actually gives one such solution.

Let E be a guarded recursive specification. For the sake of convenience, assume that if X p E, then p is already rewritten into a guarded process term, and furthermore assume that this term is of the form ( j J dj a j q j d j c j q j d j ɛ ), where J is a finite set and q j and q j are arbitrary process terms of HyPA. In this case, we can show that the solution defined by the semantics of HyPA, if we treat possibly occurring recursion variables as constants, has bounded non-determinism.

Let S V r T (V r ) be the identity. I.e. the solution of E formed by the semantics of HyPA. By definition, every process, hence also every S(X), with X V r, has bounded non-determinism in 0 steps. If we then assume the induction hypothesis that every S(X) has bounded non-determinism in n steps, we only need to prove that bounded non-determinism in n+1 steps follows. By definition of the semantics of HyPA, we know for S(X) = X p, that X,ν p,ν if and only if p,ν p,ν. Using the specific form of p, and the semantics of HyPA, we know that there is only a finite number of these transitions, and that p is either q j or q j, for some j. Furthermore, the semantics of all process operators of HyPA is such that they lead to bounded non-deterministic compositions if the composed processes are bounded non-deterministic. So, even if q j and q j contain recursion variables, they are bounded non-deterministic in n steps, from which we may conclude that p, and hence S(X), is bounded non-deterministic in n + 1 steps. With induction, this concludes the proof, for the case where E is already rewritten as suggested above.

For the case that the definitions in E still need to be rewritten, we may conclude only that there exists a bounded non-deterministic solution. It may not necessarily be the case that the solution defined by the semantics has this property.
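
The two projection rules, Definition 22 and the premise of AIP can be tried out on finite transition systems. The Python below is an added example, not code from the paper: it assumes plain labelled transition systems with a termination predicate (valuations, flow transitions and robustness are left out), and the names unfold, bisimilar, chains_vs_loop and LOOPS are made up for this illustration.

```python
def unfold(trans, term, roots, n):
    """Build the transition system of pi_n(r) for every r in roots.

    States of the result are pairs (state, remaining_steps).
    Rule 1: termination of p gives termination of pi_n(p) for every n.
    Rule 2: a step p -> p' gives a step pi_{n+1}(p) -> pi_n(p').
    """
    ptrans, pterm, todo = {}, set(), [(r, n) for r in roots]
    while todo:
        s, k = todo.pop()
        if (s, k) in ptrans:
            continue
        if s in term:
            pterm.add((s, k))
        succ = [(a, (t, k - 1)) for a, t in trans.get(s, [])] if k > 0 else []
        ptrans[(s, k)] = succ
        todo.extend(t for _, t in succ)
    return ptrans, pterm


def bisimilar(trans, term, s, t):
    """Strong bisimilarity on a finite system, by signature refinement."""
    block = {u: 0 for u in trans}
    while True:
        ids = {}
        new = {}
        for u in trans:
            sig = (u in term, frozenset((a, block[v]) for a, v in trans[u]))
            new[u] = ids.setdefault((block[u], sig), len(ids))
        if len(ids) == len(set(block.values())):  # partition is stable
            return new[s] == new[t]
        block = new


def projections_bisimilar(trans, term, p, q, n):
    ptrans, pterm = unfold(trans, term, [p, q], n)
    return bisimilar(ptrans, pterm, (p, n), (q, n))


def first_distinguishing_depth(trans, term, p, q, max_n):
    """Smallest n <= max_n with pi_n(p) and pi_n(q) not bisimilar, else None."""
    for n in range(max_n + 1):
        if not projections_bisimilar(trans, term, p, q, n):
            return n
    return None


def chains_vs_loop(N):
    """Constructed family: p = a^1 + ... + a^N, q = p + (endless a-loop).

    State (k, i) is chain a^k after i steps; (k, k) terminates.
    """
    trans, term = {"p": [], "q": [], "loop": [("a", "loop")]}, set()
    for k in range(1, N + 1):
        for i in range(1, k):
            trans[(k, i)] = [("a", (k, i + 1))]
        trans[(k, k)] = []
        term.add((k, k))
        trans["p"].append(("a", (k, 1)))
        trans["q"].append(("a", (k, 1)))
    trans["q"].append(("a", "loop"))
    return trans, term


# Constructed pair with bounded branching: X = a.X versus Y = a.Z, Z = a.Y.
LOOPS = {"X": [("a", "X")], "Y": [("a", "Z")], "Z": [("a", "Y")]}

if __name__ == "__main__":
    for N in (3, 6):
        trans, term = chains_vs_loop(N)
        print("N =", N,
              "| a-successors of q:", len(trans["q"]),
              "| projections first differ at n =",
              first_distinguishing_depth(trans, term, "p", "q", 10))
    print("X, Y distinguishable up to depth 25:",
          first_distinguishing_depth(LOOPS, set(), "X", "Y", 25))
    print("X bisimilar to Y:", bisimilar(LOOPS, set(), "X", "Y"))
```

In the chains_vs_loop family the depth needed to tell p from q grows with N together with the number of a-successors of q; letting N grow without bound gives a pair whose projections agree at every depth although the processes differ, which is the situation the side condition B(q) excludes.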

We claim, without proof, that the following axioms are sound for projection:

π n (ɛ) ɛ π 0 (a) δ π 0 (c) δ π n+1 (a x) a π n (x) π n+1 (c x) π 1 (c) π n (c x) π n (x y) π n (x) π n (y) π n (x y) π n (π n (x) y) π n (x y) π n (π n (x) y) π n (x y) π n (π n (x) y) π n (x y) π n (x π n (y))

π n (d x) d π n (x) π n (x y) π n (x π n (y)) π n (x y) π n (x π n (y)) π n (x y) π n (x π n (y)) π n (π m (x)) π min(n,m) (x)

This brings us to the following two theorems.

Theorem 25 (Projection push) Define the interpretation Π n V r T (V r ) of recursion variables, such that Π n (X) = π n (X) for all X V r. Then, for p T (V r ), the following axiom is sound: π n (p) π n (Π n (p)), where Π n (p) denotes the application of Π n to all the variables of p.

PROOF. It is straightforward from the axiomatization of projection, that any subterm p of a process π n (p) may be replaced by π n (p ), and if a subterm p of π n (p) is of the form π n (p ), then it may be replaced by p.

Theorem 26 (Guarded projection push) Define the interpretation Π n V r T (V r ) as before, and let S be an arbitrary interpretation of recursion variables. Then, we find the following axioms for guarded process terms p: π 0 (p) π 0 (S(p)), π n+1 (p) π n+1 (Π n (p)).

PROOF. Without loss of generality, assume that p is of the form j J ( dj a j q j d j c j q j d j ɛ ), with J finite, and q j and q j arbitrary HyPA terms, possibly containing recursion variables. We use the axiomatization of projection to derive.

( ( π 0 (p) π 0 j J dj a j q j d j c j q j d j ɛ )) ( π 0 j J d j ɛ ) ( ( π 0 j J dj a j S(q j ) d j c j S(q j) d j ɛ )) π 0 (S(p)).

More elaborately, we also use the projection push to find:

π n+1 (p) π n+1 ( j J (d j a j q j d j c j q j d j ɛ) ) π n+1 ( j J (d j a j π n (q j ) d j c j π n (q j) d j ɛ) ) ( π n+1 j J (d j a j π n (Π n (q j )) d j c j π n (Π n (q j)) d j ɛ) ) ( π n+1 j J (d j a j Π n (q j ) d j c j Π n (q j) d j ɛ) ) π n+1 (Π n (p)).

This concludes the proof.

Now, using the guarded projection push theorem, the theorem on bounded non-determinism of guarded recursive specifications, and AIP, it is easy to derive soundness of RSP.

Theorem 27 The recursive specification principle is sound.

PROOF. For convenience assume that X p E implies that p is already rewritten into a guarded term. Using the theorem on bounded nondeterminism, we know that there exists a solution S of E that has bounded non-determinism, i.e. B(S(X)) for every X V r. Suppose that S is an arbitrary other solution for E. We will show by induction on n that for every X V r we have π n (S(X)) π n (S (X)). From that we then may conclude S(X) S (X) using AIP. Note, that if we have two arbitrary solutions of E, that we may conclude them equal by showing that both are equal to S.

The base case, where n = 0, is derived using congruence (derivation rule (4)) and the first part of the guarded projection theorem: π 0 (S(X)) π 0 (S(p)) π 0 (p) π 0 (S (p)) π 0 (S (X)).

Using the second part of the guarded projection theorem, and the induction hypothesis that π n (S(X)) π n (S (X)) we find firstly, using congruence again, that S(Π n (p)) S (Π n (p)), and using this we derive: π n+1 (S(X)) π n+1 (S(p)) S(π n+1 (p)) S(π n+1 (Π n (p))) π n+1 (S(Π n (p))) π n+1 (S (Π n (p))) S (π n+1 (Π n (p))) S (π n+1 (p)) π n+1 (S (p)) π n+1 (S (X)).

E Rewriting into basic terms

In this appendix, we prove that every closed HyPA term is derivably equal to a basic term. Thereto, let p be an arbitrary closed HyPA term. For the first step of this proof, assume that all occurrences of δ, ɛ, atomic actions a and flow clauses c are underlined. We use the notation p for the underlined version of p. On this underlined version of p we apply the rewrite system consisting of the following four rewrite rules:

[ ] δ false ɛ, [ ] ɛ true ɛ, [ ] [ ] a true a true ɛ, [ ] [ ] c true c false ɛ.

First, observe that this term rewrite system is strongly normalizing as in each rewrite step the number of underlined symbols decreases. Second, all four rewrite rules are derivable using the axioms of HyPA (neglecting the underlining):

[ ] δ false ɛ, [ ] ɛ true ɛ, [ ] [ ] [ ] a a ɛ true a ɛ true a true ɛ, [ ] [ ] [ ] c c δ true c δ true c false ɛ.

Finally, the normal forms of underlined versions of closed HyPA terms are necessarily of the form

N ::= d ɛ d a N d c N N N d N N N N N N N N N N N N N H (N ).

Observe that basic terms are also of this form. Thus we have achieved that for any closed HyPA term there exists an N term that is derivably equal. In the remainder of this appendix, we show that for any N term there exists a basic term that is derivably equal.

E.1 The rewrite system

Next, we give a rewrite system that is constructed for the task of rewriting N terms into basic terms.

(1) d d x (d d ) x
(2) d (x y) d x d y
(3) (d ɛ) x d? x
(4) (d a x) y d a (x y)
(5) (d c x) y d c x y
(6) (x y) z x z y z
(7) x y x y y
(8) (d ɛ) x d ɛ
(9) (d a x) y d a (x y)
(10) (d c x) y d c (x y)
(11) (x y) z x z y z
(12) H (d ɛ) d ɛ
(13) H (d a x) d a H (x) if a H
[ ] (14) H (d a x) false ɛ if a H
(15) H (d c x) d c H (x)
(16) H (x y) H (x) H (y)
(17) x y x y y x x y
[ ] (18) d ɛ x false ɛ
(19) d a x y d a (x y)
[ ] (20) d c x y false ɛ
(21) (x y) z x z y z
(22) (x y) z x z y z
(23) x (y z) x y x z
(24) d ɛ d ɛ (d? d? ) ɛ
[ ] (25) d ɛ d a x false ɛ
[ ] (26) d a x d ɛ false ɛ
(27) d ɛ d c x (d? d ) c x
(28) d c x d ɛ (d? d) c x
(29) d a x d a y (d d ) (aγa ) (x y) if (aγa ) defined
[ ] (30) d a x d a y false ɛ if (aγa ) undefined
[ ] (31) d a x d c y false ɛ
[ ] (32) d c x d a y false ɛ
(33) d c x d c y ((d c jmp ) (d c jmp )) (c c ) ([ ] [ ] ) x true c false ɛ y ([ ] [ ] ) y true c false ɛ x ([ ] [ ] ) x true c false ɛ y ([ ] [ ] ) y true c false ɛ x

In the following section we show that this rewrite system only allows to rewrite N terms into derivably equal N terms (soundness of the rewrite system, see appendix E.2), that the rewrite system is strongly normalizing (see appendix E.3), and that every normal form of an N term is necessarily a basic term (see appendix E.4).

E.2 Soundness of the rewrite system

In this subsection we show that for each rewrite rule s t of the rewrite system introduced in appendix E.1, we have HyPA s = t. For the rewrite rules (1), (2), (3), (6), (7), (11), (16), (17), (21), (22), (23), (24), (27), and (29), this follows directly from the axioms as for each of these rewrite rules there is an axiom that states that the left-hand and right-hand sides are derivably equal. For the rewrite rules (25), [ (30), ] and (32) this is obtained from the axioms and application of δ false ɛ and/or c [ ] [ ] true c false ɛ. Both these equalities have been proven in first step of the elimination result in this appendix. For the rewrite rules (26), (28), (31), and (33) this follows from the soundness of other rewrite rules and the axiom x y y x. For the other rewrite rules the derivations are shown below:

(4) (d a x) y ((d a) x) y (d a) (x y) d a (x y)
(5) (d c x) y ((d c) x) y ((d c) δ x) y (d c) δ x y (d c) x y d c x y
(8) (d ɛ) x d ɛ x d ɛ
(9) (d a x) y d a x y d a (x y)
(10) (d c x) y d (c x) y d c (x y)
(12) H (d ɛ) d H (ɛ) d ɛ
(13,14) H (d a x) d H (a x) d H (a) H (x) d a H (x) if a H d δ H (x) d δ δ [ ] false ɛ if a H
(15) H (d c x) d H (c x) d c H (x)
(18) d ɛ x d ( ɛ x ) [ ] d δ δ false ɛ
(19) d a x y d ( a x y ) d a (x y)
(20) d c x y d ( c x y ) [ ] d δ δ false ɛ

E.3 The rewrite system is strongly normalizing

That the above rewrite system is strongly normalizing can be demonstrated using semantical labelling in combination with the recursive path ordering technique as (among others) described in [41]. We define the following ranking norm on N terms: ɛ = a = 0; c = 1; d x = H (x) = x + 1; x y = x y = x y = x y = x y = x y = x y = x + y. Now, we label the operators d,,,,,, and with the norm of the term they are the leading symbols of. I.e. we write x x + y y instead of x y. Then, we define the following (well-founded) ordering on labelled operators. (Note that we still treat d x as a unary operator.)

ɛ, a (for a A) and are smaller than all other operators; d n < d n+1 for all n,d,d ; d n < 0 for all n; n < n < n < n+1 for all n; ɛ < H (); n < H () for all n; n < 0 for all n; n < n < n < n+1 for all n.

It is straightforward, but cumbersome, to show for each of the rules that they are strictly decreasing with respect to the recursive path ordering based on <.

E.4 Normal forms are basic terms

Now, we prove that every normal form of an N term is a basic term. Let s be such a normal form. Suppose that s is not a basic term. Then, as the term rewrite system only rewrites N terms into N terms and all basic terms are N terms, s must contain a smallest subterm s which is not a basic term. Then, s is of one of the following forms: d s 1, s 1 s 2, s 1 s 2, s 1 s 2, s 1 s 2, s 1 s 2, s 1 s 2, or H (s 1 ) for some N terms s 1 and s 2. Actually, as s is a smallest subterm of s that is not a basic term, necessarily, s 1 and s 2 are basic terms. By inspection of the rewrite rules it is obvious that in any case a rewrite rule is applicable. Hence, s is not a normal form. This contradiction leads to the conclusion that s is a basic term. Hence, every normal form of an N term is a basic term.


More information

WHITE PAPER UndERsTAndIng THE VAlUE of VIsUAl data discovery A guide To VIsUAlIzATIons

WHITE PAPER UndERsTAndIng THE VAlUE of VIsUAl data discovery A guide To VIsUAlIzATIons Understanding the Vaue of Visua Data Discovery A Guide to Visuaizations WHITE Tabe of Contents Executive Summary... 3 Chapter 1 - Datawatch Visuaizations... 4 Chapter 2 - Snapshot Visuaizations... 5 Bar

More information

3.3 SOFTWARE RISK MANAGEMENT (SRM)

3.3 SOFTWARE RISK MANAGEMENT (SRM) 93 3.3 SOFTWARE RISK MANAGEMENT (SRM) Fig. 3.2 SRM is a process buit in five steps. The steps are: Identify Anayse Pan Track Resove The process is continuous in nature and handed dynamicay throughout ifecyce

More information

What makes a good Chair? A good chair will also: l always aim to draw a balance between hearing everyone s views and getting through the business.

What makes a good Chair? A good chair will also: l always aim to draw a balance between hearing everyone s views and getting through the business. Chairing a meeting An important job of the Chairperson is chairing meetings. Prior House 6 Tibury Pace Brighton BN2 0GY Te. 01273 606160 Fax. 01273 673663 [email protected] www.resourcecentre.org.uk

More information

Comparison of Traditional and Open-Access Appointment Scheduling for Exponentially Distributed Service Time

Comparison of Traditional and Open-Access Appointment Scheduling for Exponentially Distributed Service Time Journa of Heathcare Engineering Vo. 6 No. 3 Page 34 376 34 Comparison of Traditiona and Open-Access Appointment Scheduing for Exponentiay Distributed Service Chongjun Yan, PhD; Jiafu Tang *, PhD; Bowen

More information

UCU Continuing Professional Development

UCU Continuing Professional Development UCU Continuing Professiona Deveopment Cassroom management The background Good cassroom and behaviour management is one of the key eements of successfu teaching and earning, and wi be crucia to your success

More information

Betting Strategies, Market Selection, and the Wisdom of Crowds

Betting Strategies, Market Selection, and the Wisdom of Crowds Betting Strategies, Market Seection, and the Wisdom of Crowds Wiemien Kets Northwestern University [email protected] David M. Pennock Microsoft Research New York City [email protected]

More information

SQL. Ilchul Yoon Assistant Professor State University of New York, Korea. on tables. describing schema. CSE 532 Theory of Database Systems

SQL. Ilchul Yoon Assistant Professor State University of New York, Korea. on tables. describing schema. CSE 532 Theory of Database Systems CSE 532 Theory of Database Systems Lecture 03 SQL Ichu Yoon Assistant Professor State University of New York, Korea Adapted from book authors sides SQL Language for describing database schema & operations

More information

APPENDIX 10.1: SUBSTANTIVE AUDIT PROGRAMME FOR PRODUCTION WAGES: TROSTON PLC

APPENDIX 10.1: SUBSTANTIVE AUDIT PROGRAMME FOR PRODUCTION WAGES: TROSTON PLC Appendix 10.1: substantive audit programme for production wages: Troston pc 389 APPENDIX 10.1: SUBSTANTIVE AUDIT PROGRAMME FOR PRODUCTION WAGES: TROSTON PLC The detaied audit programme production wages

More information

Telephony Trainers with Discovery Software

Telephony Trainers with Discovery Software Teephony Trainers 58 Series Teephony Trainers with Discovery Software 58-001 Teephony Training System 58-002 Digita Switching System 58-003 Digita Teephony Training System 58-004 Digita Trunk Network System

More information

CI/SfB Ro8. (Aq) September 2012. The new advanced toughened glass. Pilkington Pyroclear Fire-resistant Glass

CI/SfB Ro8. (Aq) September 2012. The new advanced toughened glass. Pilkington Pyroclear Fire-resistant Glass CI/SfB Ro8 (Aq) September 2012 The new advanced toughened gass Pikington Pyrocear Fire-resistant Gass Pikington Pyrocear, fire-resistant screens in the façade: a typica containment appication for integrity

More information

Introduction the pressure for efficiency the Estates opportunity

Introduction the pressure for efficiency the Estates opportunity Heathy Savings? A study of the proportion of NHS Trusts with an in-house Buidings Repair and Maintenance workforce, and a discussion of eary experiences of Suppies efficiency initiatives Management Summary

More information

Key Features of Life Insurance

Key Features of Life Insurance Key Features of Life Insurance Life Insurance Key Features The Financia Conduct Authority is a financia services reguator. It requires us, Aviva, to give you this important information to hep you to decide

More information

NCH Software FlexiServer

NCH Software FlexiServer NCH Software FexiServer This user guide has been created for use with FexiServer Version 1.xx NCH Software Technica Support If you have difficuties using FexiServer pease read the appicabe topic before

More information

Vendor Performance Measurement Using Fuzzy Logic Controller

Vendor Performance Measurement Using Fuzzy Logic Controller The Journa of Mathematics and Computer Science Avaiabe onine at http://www.tjmcs.com The Journa of Mathematics and Computer Science Vo.2 No.2 (2011) 311-318 Performance Measurement Using Fuzzy Logic Controer

More information

SABRe B2.1: Design & Development. Supplier Briefing Pack.

SABRe B2.1: Design & Development. Supplier Briefing Pack. SABRe B2.1: Design & Deveopment. Suppier Briefing Pack. 2013 Ros-Royce pc The information in this document is the property of Ros-Royce pc and may not be copied or communicated to a third party, or used

More information

INDUSTRIAL PROCESSING SITES COMPLIANCE WITH THE NEW REGULATORY REFORM (FIRE SAFETY) ORDER 2005

INDUSTRIAL PROCESSING SITES COMPLIANCE WITH THE NEW REGULATORY REFORM (FIRE SAFETY) ORDER 2005 INDUSTRIAL PROCESSING SITES COMPLIANCE WITH THE NEW REGULATORY REFORM (FIRE SAFETY) ORDER 2005 Steven J Manchester BRE Fire and Security E-mai: [email protected] The aim of this paper is to inform

More information

International classification of financial reporting

International classification of financial reporting 3 Internationa cassification of financia reporting Christopher Nobes CONTENTS 3.1 Introduction 3.2 The nature of cassification 3.3 Cassifications by socia scientists 3.4 Cassifications in accounting 3.5

More information

This paper considers an inventory system with an assembly structure. In addition to uncertain customer

This paper considers an inventory system with an assembly structure. In addition to uncertain customer MANAGEMENT SCIENCE Vo. 51, No. 8, August 2005, pp. 1250 1265 issn 0025-1909 eissn 1526-5501 05 5108 1250 informs doi 10.1287/mnsc.1050.0394 2005 INFORMS Inventory Management for an Assemby System wh Product

More information

Betting on the Real Line

Betting on the Real Line Betting on the Rea Line Xi Gao 1, Yiing Chen 1,, and David M. Pennock 2 1 Harvard University, {xagao,yiing}@eecs.harvard.edu 2 Yahoo! Research, [email protected] Abstract. We study the probem of designing

More information

Virtual trunk simulation

Virtual trunk simulation Virtua trunk simuation Samui Aato * Laboratory of Teecommunications Technoogy Hesinki University of Technoogy Sivia Giordano Laboratoire de Reseaux de Communication Ecoe Poytechnique Federae de Lausanne

More information

GREEN: An Active Queue Management Algorithm for a Self Managed Internet

GREEN: An Active Queue Management Algorithm for a Self Managed Internet : An Active Queue Management Agorithm for a Sef Managed Internet Bartek Wydrowski and Moshe Zukerman ARC Specia Research Centre for Utra-Broadband Information Networks, EEE Department, The University of

More information

TMI ING Guide to Financial Supply Chain Optimisation 29. Creating Opportunities for Competitive Advantage. Section Four: Supply Chain Finance

TMI ING Guide to Financial Supply Chain Optimisation 29. Creating Opportunities for Competitive Advantage. Section Four: Supply Chain Finance TMI171 ING info pat :Info pat.qxt 19/12/2008 17:02 Page 29 ING Guide to Financia Suppy Chain Optimisation Creating Opportunities for Competitive Advantage Section Four: Suppy Chain Finance Introduction

More information

Management Accounting

Management Accounting Management Accounting Course Text Professiona, Practica, Proven www.accountingtechniciansireand.ie Tabe of Contents FOREWORD...v SYLLABUS: MANAGEMENT ACCOUNTING...vii PART 1 INTRODUCTION Chapter 1: Introduction

More information

Leakage detection in water pipe networks using a Bayesian probabilistic framework

Leakage detection in water pipe networks using a Bayesian probabilistic framework Probabiistic Engineering Mechanics 18 (2003) 315 327 www.esevier.com/ocate/probengmech Leakage detection in water pipe networks using a Bayesian probabiistic framework Z. Pouakis, D. Vaougeorgis, C. Papadimitriou*

More information

Bite-Size Steps to ITIL Success

Bite-Size Steps to ITIL Success 7 Bite-Size Steps to ITIL Success Pus making a Business Case for ITIL! Do you want to impement ITIL but don t know where to start? 7 Bite-Size Steps to ITIL Success can hep you to decide whether ITIL can

More information

Delhi Business Review X Vol. 4, No. 2, July - December 2003. Mohammad Talha

Delhi Business Review X Vol. 4, No. 2, July - December 2003. Mohammad Talha Dehi Business Review X Vo. 4, No. 2, Juy - December 2003 TREATMENT TMENT OF GOODWILL IN ACCOUNTING Mohammad Taha GOODWILL is usuay ony recorded in an accounting system when a company purchases an unincorporated

More information

Breakeven analysis and short-term decision making

Breakeven analysis and short-term decision making Chapter 20 Breakeven anaysis and short-term decision making REAL WORLD CASE This case study shows a typica situation in which management accounting can be hepfu. Read the case study now but ony attempt

More information

A short guide to making a medical negligence claim

A short guide to making a medical negligence claim A short guide to making a medica negigence caim Introduction Suffering from an incident of medica negigence is traumatic and can have a serious ong-term impact on both the physica and menta heath of affected

More information