Hybrid Process Algebra

Transcription

1 Hybrid Process Agebra P.J.L. Cuijpers M.A. Reniers Eindhoven University of Technoogy (TU/e) Den Doech MB Eindhoven, The Netherands Abstract We deveop an agebraic theory, caed hybrid process agebra (HyPA), for the description and anaysis of hybrid systems. HyPA is an extension of the process agebra ACP, with the disrupt operator from LOTOS and with fow causes and re-initiaization causes for the description of continuous behavior and discontinuities. The semantics of HyPA is defined by means of deduction rues that associate a hybrid transition system with each process term. A arge set of axioms is presented for a notion of bisimiarity. HyPA may be regarded as an agebraic approach to hybrid automata, athough the specific semantics of re-initiaization causes makes HyPA a itte more expressive. Key words: hybrid systems, process agebra, fows, discrete events, hybrid interaction, discontinuities 1 Introduction 1.1 Hybrid Systems The theory of hybrid systems, studies the combination of continuous/physica and discrete/computationa behavior. When computationa software is combined with mechanica and eectrica components, or is interacting with, for exampe, chemica processes, a hybrid system arises in which the interaction between the continuous behavior of the components, and the discrete behavior of the software is important. Emai addresses: P.J.L.Cuijpers@tue.n (P.J.L. Cuijpers), M.A.Reniers@tue.n (M.A. Reniers). Preprint submitted to Esevier Science 16 February 2004

2 In current practice, often the discrete part of a hybrid system is described and anayzed using methods from computer science, whie the continuous part is handed by contro science. The design of the compete system is usuay such that interaction between the discrete and continuous part is suppressed to a minimum. Because of this suppressed interaction, anaysis is possibe to some extent, but it imits the design options. In the fied of hybrid systems theory, researchers attempt to extend the possibiities for interaction. The goa of this paper, is to deveop an agebraic theory, caed hybrid process agebra (HyPA), to support these attempts. Our hopes are that hybrid process agebra can serve as a mathematica basis for improvement of the design strategies of hybrid systems, and the possibiities to anayse them. Systems Theory Syntax Hybrid Theory Syntax Computer Science Syntax Systems Theory Semantics Hybrid Theory Semantics Computer Science Semantics Fig. 1. Deveoping Hybrid Theory In figure 1, a graphica representation is given of the genera aim of our efforts. The figure shows our desire, that a hybrid theory is, in a sense, a conservative extension of computer science and systems theory. More precisey, a mode from systems theory or computer science, shoud be expressibe, and preferaby ook the same, in the hybrid theory, and theorems from systems theory and computer science shoud be transferabe to the hybrid theory (when restricted to modes from the origina fied of course). What the figure does not show, is that this conservativity is not the ony goa. In that case, a simpe union of the theories woud be sufficient. We aso desire a certain interaction between the theories, refecting the interaction between software and physics described before. This goa is harder to formaize, but in the remainder of this introduction we hope to give some feeing for it, using exampes of deficiencies 2

3 (in our view) in existing hybrid formaisms, and indicating how we intend to improve on those. 1.2 Agebraic Reasoning In systems theory, agebraic reasoning is acknowedged by most peope, as one of the most powerfu toos avaiabe for anayzing physica behavior. This behavior is usuay described by differentia equations and incusions, which mode the rate of change of the vaue of certain continuous variabes, and agebraic equations or inequaities modeing constraints. When certain abstractions are made on physica systems [1], aso discontinuous behavior is sometimes reevant, which is often described using difference equations to mode changes and agebraic inequaities to mode constraints. In this paper, we use a sight generaization of these modeing formaisms, in the form of fow causes for continuous behavior, and re-initiaization causes for discontinuous behavior. This generaization was inspired by the work of [2]. In computer science, the usefuness of agebra is sti a topic of much debate, but nevertheess there are interesting exampes of appications of process agebra (see for exampe [3] for a ist of references to protoco verifications, [4,5] for a start in the description and anaysis of other industria size probems, ike the design of a controer for a coating system and a turntabe system, and [6] for the description and anaysis of raiway interocking specifications). In process agebra, the discrete actions that a system may perform are often considered atomic eements of the agebraic description anguage. These atomic actions can be combined using compositiona operators describing choice between behaviors, sequentia execution of behaviors, and concurrent execution of behaviors. In this paper, we attempt to combine the compositiona view on systems that process agebra gives us, with the continuous and discontinuous physica behaviors described by systems theory. To this end, we take the process agebra ACP [7] and extend it with a new atom, describing continuous behavior through the use of fow causes, and with a new famiy of unary operators, describing discontinuous behavior through re-initiaization causes, as mentioned before. Aso, we import the disrupt operator from LOTOS [8], since it turns out to mode the sequentia composition of fow causes we. The choice for ACP is rather arbitrary, and we expect that the methods described in this paper can be easiy extended to other process agebras. So far, the ony agebraic approaches that we know of regarding hybrid systems, are described in [9 11] (hybrid χ), [12,13] (hybrid versions of ACP), [14] (hybrid CSP) and [15] (φ-cacuus). In the remainder of this introduction, we 3

4 expain the deficiencies that these methods have, in our opinion, in describing hybrid interaction. We shoud note, that within other hybrid formaisms ike hybrid automata [16,17], hybrid Petri nets [18 22] and hybrid action systems [23], the use of agebraic reasoning on differentia equations for anaysis purposes, is not uncommon. It is the process agebraic reasoning that is underexposed. For a transation of hybrid automata into the process agebras CSP, timed µcrl, and hybrid χ, see [24], [25,26], and [10], respectivey. In the hybrid theory that has been deveoped by system theorists (see for exampe [2,27 31]) agebraic reasoning is possibe, but none of these theories support reasoning about non-determinism. A of these theories have a trace semantics, and cannot distinguish between processes that ony differ in their non-deterministic choices. Since we woud ike a conservative extension of process agebra, we woud aso ike to be abe to distinguish systems up to the notion of bisimiarity, and therefore, we consider the system theoretic formaisms as non-conservative with respect to computer science. We shoud note here, that first investigations into what the notion of bisimiarity means for continuous systems, can be found in [32,33]. In section 3, we prove formay that HyPA is a conservative extension of the process agebra ACP, and by construction of the semantics, it is immediatey cear that it is a conservative extension of differentia incusions and difference equations. 1.3 Fows and re-initiaizations Before we discuss our views on hybrid interaction and on discontinuities, which are crucia to some of the choices made in the deveopment of HyPA, we have to expain the concepts of fow and re-initiaization, and iustrate the way they are described traditionay, and in this paper. As mentioned before, continuous physica behavior is often modeed through differentia equations and agebraic inequaities, whie discontinuous physica behavior is modeed in a simiar way through difference equations and agebraic inequaities. As an exampe of a differentia equation, take ẋ = f(x,u), in which x and u are variabes ranging over the rea numbers, and f is a rea-vaued function. This equation modes that the vaue of x changes continuousy through time (indicated by the dot in ẋ) with a rate defined by f(x,u), i.e. by a function of the current vaue of x and u. Aternativey, if there is a choice of rates of change, one may write ẋ F(x,u), in which F is a set-vaued function over the reas. Aso, an inequaity x f(x,y) may denote that x is constrained in its vaue (not its rate of change) for some reason. As an exampe of a difference equation, x + = f(x,u ) denotes that the vaue 4

5 of x is reassigned to f(x,u ), based on the previous vaues of x and u. This notation is for exampe used in [2]. More generay, differentia equations and agebraic inequaities form predicates on the fow of variabes, where a fow is simpy a function of time to vauations of variabes. Difference equations are predicates about the reinitiaization (or discontinuity) of variabes. In systems theory, severa different formaisms are used for the description of continuous and discontinuous behavior, and often the modeing or anaysis question determines which formaism is to be used. For exampe, integra equations are sometimes easier to use than differentia equations, and sometimes even the notion of soution for a differentia equation can vary (athough not within one mode). The consequence for our hybrid approach, is that we have to parameterize our theory in such a way that instantiations of these different formaisms can be chosen at wi, by the modeer. Fow predicates, and their notion of soution, parameterize the modeing of continuous, never terminating, physica behavior, by describing how mode variabes V m are aowed to change through time. A fow predicate describes a set of fows, where a fow is a (partia) function of time T (some totay ordered set with a east eement denoted 0) with a cosed-interva domain starting from 0, to the vauations of mode variabes V m. Both the mode variabes V m (incuding the domains they range over) and an appropriate notion of time T are probem-specific and shoud be given by the modeer. The domain V(x) of a mode variabe x V m is specified by the modeer at the first introduction of the variabes. In this paper, the specification of domains is eft out since, most of the time, it is obvious from the context. Fow predicates are a core part of the fow causes of HyPA, that are formay defined in section 2.1. Formay, we write V = x V m V(x) for the union of a variabe domains, and Va = V m V for the set of variabe vauations. The set of a fows with a cosed-interva domain starting in 0 is F = {f T Va dom(f) = [0,t] for some t T }. The fows that are described by a fow predicate, are caed soutions of that predicate. We consider the set of fow predicates P f, the sets V m of mode variabes and T of time points, and the notion of soution = f F P f, that defines which fows are considered soutions of a fow predicate, parameters of the theory. This means they can be instantiated by the modeer, depending on the specific modeing or anaysis probem. The theory we present in this paper, is argey independent of that choice, except that we assume the existence of a fow predicate fase P f that satisfies no fow from the set F. Re-initiaization predicates describe a set of re-initiaizations, which are pairs of vauations representing the vaues of the mode variabes prior to and immediatey after the re-initiaization. Such re-initiaizations are caed soutions 5

6 of the re-initiaization predicate. The set of a re-initiaizations Va Va is denoted R. As before, the set of re-initiaization predicates P r and the notion of soution = r R P r, that defines which re-initiaizations are considered soutions of a re-initiaization predicate, are considered parameters of the theory. We assume the existence of re-initiaization predicates true,fase P r that satisfy any re-initiaization, and no re-initiaization from the set R, respectivey. Re-initiaization predicates are a core part of the re-initiaization causes of HyPA, defined in section 2.1. Hybrid process agebra, intends to reason about predicates on fows, and about predicates on re-initiaizations, in genera. However, since the use of differentia and agebraic equations is common, we make use of this particuar kind of predicates in the exampes that we give. In this artice, a fow predicate is specified as a differentia or agebraic equation on the variabes V m and their derived 1 versions V m = {ẋ x V m } (with ẋ aso taking vaue in V(x)). Typica fow predicates are, for exampe ẋ = f(x,y), and x f(x,y). For the description of re-initiaization predicates in our exampes, we make use of the sets of variabes V m = {x x V m } and V + m = {x + x V m }, modeing the current and future vaue of a mode variabe, respectivey. Typica reinitiaization predicates are assignments, for exampe x + = f(x,y ) which, in imperative programming, is usuay denoted as x := f(x,y). But, aso booean predicates can be modeed using ony the current vaue of variabes, for exampe x y, which ony aows discontinuities if x is smaer than y to start with. If necessary, this can be combined with equations x = x + and y = y +, enforcing that the vaues of x and y actuay do not change. In section 2.1, re-initiaization causes are introduced formay in such a way that this enforcement can be done more efficienty. In the remaining parts of this section, the above notations wi be used to iustrate our reasons for certain choices in the deveopment of HyPA. 1.4 Hybrid Interaction Many of the hybrid formaisms that we mentioned in section 1.2, have some probem in the definition of parae composition. Surprisingy, in most cases, this probem comes to ight in a purey continuous case study. Let us consider the foowing exampe, depicted in figure 2, of a continuous pant P described by the differentia equation ẋ = f(x, u), and a continuous controer 1 We assume derivation is defined for a mode variabes, but if we want to use a variabe x for which this is not the case (for exampe a computationa data structure), then no forma probems arise as ong as we do not use the derived variabe ẋ in our predicates. In such cases, the vaue of x is assumed constant throughout the fow. 6

7 C described by u = g(x). The composition of pant and controer is denoted P C. P ẋ = f(x,u) u x C u = g(x) Fig. 2. Continuous contro system The hybrid automata of Henzinger [16], as we as the hybrid process agebras of Vereijken [12] and of Jifeng [14], assume that the continuous behavior of two composed systems is independent. Using these formaisms, the system P C woud not mode any interaction between P and C at a, since the ony interaction between systems can be through computationa actions. The variabe x of P woud simpy be regarded different from the variabe x of C. Hence, in our opinion, these formaisms cannot be considered to be a conservative extension of systems theory. At east, they do not support the way in which we woud ike to think about parae composition of systems. In the semantics of the too HyTech [34,35], shared continuous variabes do not pose a probem, because a hybrid trace semantics is used for Henzinger s hybrid automata, rather than a timed transition system semantics. This formaism is not suitabe for us, however, since it is not agebraic, and ony supports a restricted cass of differentia equations. More surprisingy, it turns out that the parae composition of the above processes is not defined for the hybrid I/O automaton mode of Lynch, Segaa and Vaandrager [17] either, at east not without a few amendments. In the formaism of [17], it is necessary to identify variabes as either state variabes of a system, or as externa variabes of the system. These two sets of variabes are supposed to be disjoint. The intuition behind this partition is that the state variabes mode the memory of the system, whie the externa variabes mode the communication with other systems. Therefore, in a parae composition, it is required that two hybrid I/O automata are compatibe, meaning that the state variabes of the one automaton do not intersect with any of the variabes of the other automaton. Now, ooking at the pant P of figure 2, we see that we need to choose x to be a state variabe, otherwise information on x is ost between transitions, but it aso needs to be an externa variabe, since we need to communicate its vaue with the controer C. This contradicts the requirement on hybrid I/O automata that the set of state variabes and the set of externa variabes are disjoint. The probem is not as big as it may 7

8 seem, since by adding an externa variabe y, and the equation y = x, to the description of P, and changing the description of C to u = g(y), we can decare x to be a state variabe, and find that the systems have become compatibe. So, athough the system in figure 2 cannot be modeed as P C directy in this hybrid I/O automaton mode, we can mode the modification depicted in figure 3 instead. u P ẋ = f(x,u) y = x y C u = g(y) Fig. 3. Compatibe continuous contro system In [36] it was aready noted that the partitioning of the variabes of a system into state variabes and externa variabes is not aways uniquey determined by the equations that describe the system. Even in our simpe contro exampe, it is possibe to use the equations x = y and u = g(x), and decare x externa and y a state variabe. Often, there is no cear physica ground to choose a specific partition. This is one reason why we woud ike to avoid the partitioning of the set of variabes of a system, in our semantics. Another reason, is that in basic textbooks on contro theory (for exampe [37]), one usuay starts out with deveoping controers for pants of which the state variabes are aso output variabes. It therefore seems, that the intuition behind compatibiity, that state variabes do not pay a roe in communication with other systems, does not coincide with the system-theoretic intuition. This is confirmed by the theory discussed in [36], where state variabes may aso be output variabes of a system, whie externa variabes may be inputs or outputs. In this paper, we show that partitioning the mode variabes as done for hybrid automata, is in fact not necessary, if a sighty different semantica view is taken. HyPA is deveoped in cose cooperation with the peope working on the forma semantics of the anguage hybrid χ, which is focussed on the simuation of hybrid systems. Their operationa semantics [11] uses a semantica structure simiar to, and based on, the one we have deveoped for HyPA (discussed in section 2.2). Aso the hybrid process agebra of Bergstra and Middeburg [13] uses a hybrid transition system semantics. In section 4, we discuss the reation between HyPA, hybrid χ and the process agebra of [13] in more detai. Admittedy, these three anguages are very simiar, which cas for a more thorough comparison in the near future. 8

9 In φ-cacuus [15], the semantics assumes continuous behavior to be a property of the environment, rather than of the process itsef. There, (urgent) environmenta actions aow the process to change the rues for continuous behavior in an intereaving manner, which eads to the repacement of one differentia equation by another. Again, there is no continuous interaction between P and C. When we write P C in φ-cacuus, the semantics is such that ony the continuous behavior of the pant or of the controer is executed. This, ceary, contradicts with our intuition on the parae composition. In hybrid action systems, the parae composition of P and C eads to the desired resut, ignoring some syntactic differences. However, the parae composition of two differentia equations ẋ = 1 ẋ = 2 resuts in a process that acts ike the differentia incusion ẋ {1, 2}. This, again, contradicts with our intuition. We woud expect contradicting equations to resut in deadock. Nevertheess, both the intereaving approaches from φ-cacuus and hybrid action systems, might turn out to be usefu in situations where our intuition is fawed, and the theories might be considered compementary to HyPA. In concusion, we might state that we aim for an agebraic formaism, in which the parae composition has a simiar intuition as in [17], but without having to require compatibiity of the composed systems. To do this, we have worked out the notion of hybrid transition system, as a semantica framework, in [38]. This framework, formay defined in section 2.2, unifies the discrete behavior of computer science and the continuous behavior of system theory in a simiar way as the hybrid automata of [17] do, whie avoiding the expicit use of state variabes and externa variabes. From a system theoretic point of view, hybrid transition systems are an extension of Sontag machines [39]. Returning to figure 1, one might say that the chosen semantics of the origina fieds are transition systems for computer science, and Sontag machines for system theory. Hybrid transition systems, are our conservative extension of those. On the framework of hybrid transition systems, it turns out to be rather easy to define an operationa semantics for actions, as we as for predicates describing fows and re-initiaizations. Aso a kinds of compositions known from process agebra can be defined easiy using the method for giving an operationa semantics introduced in [40]. As far as we know, HyPA and hybrid χ and the process agebra of [13] are the ony process agebras for hybrid systems so far, that use an operationa semantics in which compete physica fows are taken into account rather than ony the time-behavior of a system. 1.5 Discontinuities Regarding discontinuous behaviors, the semantics for fow predicates in HyPA, differs a itte from the usua interpretation taken in, for exampe, Henzinger s 9

10 hybrid automata. The standard approach there (and in most other hybrid formaisms), is to assume ony continuous behavior of a variabes, uness they are specificay atered by assignment transitions. For some hybrid descriptions of physica behavior, however, it is convenient that certain variabes can aso behave discontinuousy. Take, for exampe, the eectrica circuit depicted in figure 4, in which a switch steers the votage over a resistor-capacity combination. R2 v e R1 C Fig. 4. An eectrica circuit with a switch For such a system, it is desirabe to mode the votage over, and the current through the resistors (v R1, v R2, i R1 and i R2 ) as discontinuous functions of time. A possibe hybrid automaton mode for this circuit, is depicted in figure 5. Note, that there are arbitrary jumps modeed on the transitions, for the discontinuous variabes (i.e. not for v C!). This is necessary, because, without deeper anaysis of the differentia equations, we do not know what kind of discontinuities may occur. In order to avoid discontinuous behavior that vioates the physica properties of the circuit, we may indicate in the hybrid automaton mode, that the agebraic equations used to describe the eectrica circuit are invariants. As an exampe of an undesired discontinuity, one shoud note that, when the switch coses, the current through the second resistor (i R2 ) is determined competey by the source votage v e and the votage over the capacitor v C. The invariants make sure that no other assignments can be made to i R2. Now, in the case of higher index differentia equations, the approach of using invariants to avoid undesired discontinuities breaks down. As an exampe, et us consider a system described by the foowing equations, in which z is a variabe that may behave discontinuousy: ẋ = z, ẏ = z, x = y. As before, an assignment to z that vioates these equations is undesirabe. But the approach that is usuay taken in hybrid automata theory, to take a agebraic equations to be invariants, does not work here. The choice of z is independent from the choice of x and y. Ceary, the system ony can perform continuous behavior, if the vaue of z is reset immediatey to zero. This, 10

11 jmp: v R1,v R2,i R1,i R2,i C : R act: cose fow: v C = C i C inv: i R1 = i R2 v R1 = i R1 R1 v R2 = i R2 R2 v R1 = v R2 + v C i R2 = i C fow: v C = C i C inv: v R1 = v e v R1 = i R1 R1 v R2 = i R2 R2 v R1 = v R2 + v C i R2 = i C jmp: v R1,v R2,i R1,i R2,i C : R act: open Fig. 5. A hybrid automaton modeing the eectrica circuit however, is insight obtained through anaysis of the equations, and shoud therefore not be used when modeing a system. As far as we know, there is no soution in hybrid automaton theory for this probem. This is why we take a different approach regarding discontinuous behavior in HyPA. In HyPA, we recognize that differentiated variabes can sometimes be discontinuous, and therefore, when modeing a differentia equation or other fow predicate, we can indicate expicity whether a variabe is aowed to perform jumps before engaging in a fow. A fow predicate combined with such an indication is caed a fow cause. The notation V P f, that is formay introduced in the next section, shows a (fow) predicate P f, defining which fows are aowed by the cause, whie the set V denotes which variabes are not aowed to jump before engaging in a fow. If z is not aowed to jump initiay (i.e. z V ), we find deadock for the higher index differentia equations of the previous exampe when initiay z 0. If it is aowed to jump (z V ), ony those discontinuities can occur for which a soution exists. Using this way of modeing, the eectrica circuit of figure 4 coud, using HyPA notation, be 11

12 modeed as the process X in the foowing equation: X v C = C i C i R1 = i R2 v R1 = i R1 R1 v c v R2 = i R2 R2 v R1 = v R2 + v C i R2 = i C v C = C i C v R1 = v e v R1 = i R1 R1 v c v R2 = i R2 R2 v R1 = v R2 + v C i R2 = i C X. Notice, that this is not a direct transation of the hybrid automaton. In HyPA, we do not need to give expicit names to the open and cose actions, athough we coud if that were desired from a modeing perspective. Furthermore, it is not necessary to make a distinction between invariants and other fow predicates. In the eectrica circuit, the ony variabe that is not aowed to jump is the votage over the capacitor. An exampe in HyPA notation for the higher index system foows shorty. Assignments in HyPA are modeed, not as a kind of atomic actions (as with hybrid automata), but as re-initiaizations of processes. These re-initiaizations can be used as we to mode conditiona execution of a process. The notation [V P r ] x, formay introduced in the next section, denotes that a process x is executed, but with the vauation of the variabes changed according to the re-initiaization predicate P r. The set V contains, contrary to the notation of fow causes, those variabes that are aowed to change during a re-initiaization. For exampe, an assignment of the vaue 1 to x, using an action a, under the condition that x is arger than 3 to begin with, is modeed as: [x x 3 x + = 1] a. Note, that other variabes are not aowed to change vaue whie this action is executed. Some pecuiar aspects of using reinitiaization are discussed in section 2.2, and sometimes ead to unexpected axioms in section 3. In the case of our higher index probem, it is possibe using axiomatic reasoning, in combination with reasoning on the soutions of differentia equations, to obtain the equivaence [ ] ẋ = z z z + 0 z ẏ = z x = y δ, refecting that an assignment of a vaue other than 0 to z eads to deadock, 12

13 if z is not aowed to jump, and ẋ = z [ ] z z + 0 ẏ = z x = y ẋ = z ẏ = z, x = y refecting that such an assignment is immediatey undone if z is aowed to jump. Pease note, that this can ony be derived if one has a way of cacuating with fow-causes and re-initiaization causes, which is outside the scope of this paper. 1.6 Drawbacks At first sight, there seem to be two major drawbacks to our method. The first drawback, is that we need a kind of bisimiarity that takes into account the vauation of a variabes, in order for it to be a congruence for parae composition. However, this does not render the whoe theory useess, because the same method of requiring compatibiity of processes that was used in [17] in order to define parae composition, can be used in HyPA to guarantee congruence of parae composition under a weaker notion of equivaence (ike the one used in [17]), and furthermore, we give an axiomatization for our notion of equivaence that aows eimination of the parae composition from cosed process terms, so that weaker notions of equivaence can be used for anaysis of processes after appying this eimination. The second drawback, is that some of the axioms become rather confusing due to the discontinuities that may be possibe in some of the variabes of a differentia equation. This can be heped, as we show in section 3, by simpy requiring a variabes to be continuous, as in hybrid automata. So, in concusion, the theory is not more difficut or cumbersome, if we mode processes under the usua restrictions. In fact, as we indicate in section 4.1, we expect that HyPA is a conservative extension of hybrid automata, athough we do not give a forma proof of this caim. Furthermore, we have new constructs to our disposition that are not avaiabe, yet, in other hybrid formaisms, at the cost of having to use more difficut axioms. Lasty, we have to note that the hybrid process agebra we present is not concerned with any form of abstraction so far, because experience with norma process agebra shows that abstraction is a difficut topic to study agebraicay, and we expect it to be convenient, that the basic theory is worked out first [41]. On the other hand, hybrid χ does contain an operator that aows for the hiding of mode variabes (athough there is no axiomatization for it yet), and aso the hybrid process agebra of Bergstra and Middeburg [13] has a form of 13

14 abstraction from mode variabes. Since the semantics of these anguages are comparabe to that of HyPA, we expect that it is possibe to deveop a simiar abstraction operator for our anguage, and hopefuy to find a way to reason about it agebraicay. 1.7 Structure of this paper In section 2.1, the syntax of HyPA is presented, describing how the process agebra ACP [7] is extended with a constant for termination, the so-caed disrupt operator, known from LOTOS [8], and variants of the two types of causes from [2], representing continuous and discontinuous behavior. In section 2.2, a hybrid transition system semantics is defined in the stye of [40], in which continuous behavior is synchronizing, and discrete behavior is intereaving. Section 3 is devoted to an axiomatization of HyPA, for a notion of bisimiarity [42]. In this section, aso the forma reation with ACP is discussed, and a set of basic terms is given into which cosed HyPA terms can be rewritten. In section 4, we give an informa comparison of HyPA with other hybrid formaisms. We concude by giving our own views on the work presented, and by making suggestions for future research. 2 Hybrid Process Agebra 2.1 Syntax In this section, the syntax of HyPA is introduced, which is an extension of the process agebra ACP [7,43], with the disrupt operator from LOTOS [8] and with variants of the fow causes and re-initiaization causes from the event-fow formaism introduced in [2]. The signature of HyPA consists of the foowing constant and function symbos: (1) deadock δ, (2) empty process ɛ, (3) discrete actions a A, (4) fow causes c C, (5) a famiy of process re-initiaization operators (d ) d D, (6) aternative composition, (7) sequentia composition, (8) disrupt and eft-disrupt, (9) parae composition, eft-parae composition, and forcedsynchronization, 14

15 (10) a famiy of encapsuation operators ( H ( )) H A. The atomic process terms δ (caed deadock) and ɛ (caed empty process) are used to mode a deadocking process and a (successfuy) terminating process, respectivey. The atomic discrete actions are used to mode discrete, computationa behavior. The set A of discrete actions is considered a parameter of the theory and can be instantiated at wi by the user of our hybrid process agebra. An atomic fow cause, is a pair V P f of a set of mode variabes V Vm, signifying which variabes are not aowed to jump at the beginning of a fow, and a fow predicate P f P f modeing continuous, never terminating, physica behavior. The set of a fow causes is denoted C. We usuay eave out the brackets for V, and even omit it (and the deimiter) if it is empty. Furthermore, the set C is cosed under conjunction ( ) of fow causes, and using the assumption that there is a fow predicate fase, which is never satisfied, there is aso a fow cause fase, which is the system theoretic equivaent of deadock δ. In section 3, this equivaence is captured in the axiom fase δ. A process re-initiaization d p modes the behavior of p where the mode variabes are submitted to a discontinuous change as specified by the reinitiaization cause d. A re-initiaization cause is a pair [V P r ] of a set of mode variabes V V m and a re-initiaization predicate P r. The set V modes which variabes are aowed to change. Note that this is precisey opposite to fow causes, where V denotes those variabes that do not change. The set of a re-initiaization causes is denoted D. The set D is cosed under conjunction ( ), disjunction ( ), and concatenation ( ) of re-initiaization causes. Aso, there is a satisfiabiity operator (d? ) on causes d D, which does not re-initiaize the vaues of a mode variabe, but ony executes the re-initiaized process, if d can be satisfied in some way. And finay, there is a re-initiaization cause (c jmp ) derived from a fow cause c C, which executes the same discontinuities that are aowed initiay by the fow cause. These ast two operators turn out to be especiay usefu when cacuating with process terms. Using the assumption that there are re-initiaization predicates fase and true, we find the process re-initiaization [fase] p, executing no behavior since there is no re-initiaization satisfying fase, the process re-initiaization [true] p, executing exacty the behavior of p, since none of the variabes is aowed to change, and the process re-initiaization [V m true] p, executing p after an arbitrary re-initiaization. The aternative composition p q modes a (non-deterministic) choice between the processes p and q. The sequentia composition p q modes a sequentia execution of processes p and q. The process q is executed after (successfu) termination of the process p. We use the notations and for aternative and sequentia composition, rather than the usua + and, to avoid confusion 15

16 with the notation used frequenty in the description of fow and re-initiaization predicates for addition and mutipication. We reaize that this might distract peope in the fied of process agebra, yet chose to adapt the process agebraic notation rather than the notation adopted from system theory, simpy because the atter has been in use for a onger time aready. Overoading the operators is aso an option, since it is aways cear from the context whether for exampe addition or choice is intended. When studying HyPA as a new process agebra, as is done in this paper, overoading is probaby to be preferred indeed, as it hardy hampers the search for process agebraic properties. However, when studying hybrid modes in HyPA, and performing anaysis using axioms from both process agebra and system theory in the same proofs, the overoading becomes more of a burden. Furthermore, when presenting these modes to other hybrid researchers who are often not famiiar with process agebra at a, this effect is even stronger. The disrupt p q modes a kind of sequentia composition where the process q may take over execution from process p at any moment, without waiting for its termination. This composition is invauabe when modeing two fow causes executing one after the other, since the behavior of fow causes is ongoing, and never terminates. The disrupt is originay introduced in the anguage LOTOS [8], where it is used to mode for exampe exception handing. Aso, it is used, for exampe in [44], for the description of mode switches. The eftdisrupt is mainy needed for cacuation and axiomatization purposes, rather than for modeing purposes. For exampe, it occurs often when we attempt to eiminate the parae composition from a process term through axiomatic reasoning, as described in section 3. The eft-disrupt p q first executes a part of the process p and then behaves as a norma disrupt. The parae composition p q modes concurrent execution of p and q. The intuition behind this concurrent execution is that discrete actions are executed in an intereaving manner, with the possibiity of synchronization (as in ACP, where synchronization is caed communication), whie fow causes are forced to synchronize, and can ony synchronize if they accept the same soutions. The synchronization of actions takes pace using a (partia, commutative, and associative) communication function γ A A A. For exampe, if the actions a and a synchronize, the resuting action is a = aγa. Actions cannot synchronize with fow causes, and in a parae composition between those, the action executes first. This communication function is considered a parameter of the theory. As with the eft-disrupt, the operators eft-parae composition and forcedcommunication are mainy introduced for cacuation purposes. The eft-parae composition p q modes that either p performs a discrete action first, and then behaves as a norma parae composition with q, or p cannot perform such an action, and the process deadocks. The forced-synchronization p q modes 16

17 how the first behavior (either a discrete action or a part of a fow) of p and q is synchronized, after which they behave as in a norma parae composition. If synchronization is not possibe, then the forced-synchronization deadocks. Encapsuation H (p) modes that certain discrete actions (from the set H A) are bocked during the execution of the process p. This operator is often used in combination with the parae composition to mode that synchronization between discrete actions is enforced. From the signature of HyPA, terms can be constructed using variabes from a given set of process variabes V p (with V p V m = ), as usua. In this paper, the set of a such terms is denoted T (V p ) and these are referred to as terms or open terms. Terms in which no process variabes occur are caed cosed terms. The set of a cosed terms is denoted T. Finay, a the processes shoud be interpreted in the ight of a set E of recursive definitions, caed recursive specification, of the form X p, where X is a process variabe and p is a term. We denote the set of a process variabes that occur in the eft-hand side of a recursive definition from E by V r (V r V p ) and ca these variabes recursion variabes. We ony aow recursive definitions X p where the term p ony contains recursion variabes. Outside the recursive specification, recursion variabes are treated as constants of the theory. Recursion is a powerfu way to mode repetition in a process. We use X p for recursion rather than X = p in order to avoid confusion with equaity as used in many syntaxes for describing fow and re-initiaization predicates. The set T (V r ) denotes the set of a terms in which ony recursion variabes are used. Such eements are referred to as process terms. The binding order of the operators of HyPA is as foows:,,, d,,,,, where aternative composition binds weakest, and sequentia composition binds strongest. With encapsuation ( H ( )), brackets are aways used. As an exampe, a term d a b c c shoud be read as (d (a b)) (c c ). 2.2 Forma Semantics In this section, we give a forma semantics to the syntax defined in the previous section, by constructing a kind of abeed transition system, for each process term and each possibe vauation of the mode variabes. In this transition system we consider two different kinds of transitions: one associated with computationa behavior (i.e. discrete actions), and the other associated with physica behavior (i.e. fow causes). This is why we ca those transition systems hybrid. 17

18 Definition 1 (Hybrid Transition System) A hybrid transition system is a tupe X,A, Σ,,,, consisting of a state space X, a set of action abes A, a set of fow abes Σ, and transition reations X A X and X Σ X. Lasty, there is a termination predicate X. For the semantica hybrid transition systems that are associated with HyPA terms, the state space is formed by pairs of process terms and vauations of the mode variabes, i.e. X = T (V r ) Va. The set of action abes is formed by pairs of actions and vauations, i.e. A = A Va, and the set of fow abes is formed by the set of fows, i.e. Σ = F. Reca that the eements f F have a cosed-interva domain, possiby a singeton, starting in 0. a We use the notation x x for a transition (x,a,x ) with x,x X σ and a A. Simiary, we use x x for a transition (x,σ,x ) with σ Σ, and for arbitrary transitions, we use x x instead of (x,,x ) and A Σ. Finay, termination is denoted x instead of x. Hybrid transition systems [38] can be used to mode computationa behavior through the use of action transitions, which take no time to execute, and to mode physica behavior through the use of fow transitions, which represent the behavior of mode variabes during the passage of time. Note, that there is no variabe in V m that is expicity associated with time. Hence, if one woud ike to refer to time in a fow cause, one woud have to incude the mode of a cock, using for exampe a fow cause ike t ṫ = 1. Before we turn to the actua definition of the semantics of HyPA in terms of hybrid transition systems, a notion of soution for fow causes and reinitiaization causes is needed for the definition of the semantics of these atoms of the agebra. These notions are obtained by ifting the notion of soution of fow predicates and re-initiaization predicates, whie taking into account the infuence of the variabe set V. A fow cause [V P f ] changes the vauation of the mode variabes according to the possibe soutions of its fow predicate P f. In contrast to the fow predicates of [16], an initia jump in the vaue of a variabe x, is aowed in HyPA when x V. Furthermore, discontinuous and non-differentiabe fows of x may be aowed, if such soutions exists for the type of fow predicate that is used. The concept of soution of a fow cause, is ifted from the notion of soutions of its fow predicate as foows. Definition 2 (Soution of a fow cause) A pair (ν,σ) Va F, is defined to be a soution of a fow cause c C, denoted (ν,σ) = c, as foows: (ν,σ) = V P f if σ =f P f, and for a x V we find ν(x) = σ(0)(x); 18

19 (ν,σ) = c c if (ν,σ) = c and (ν,σ) = c. Ceary, the fow cause fase has no soutions, as the fow predicate fase has no soutions. A re-initiaization cause [V P r ] changes the vauation of the mode variabes according to the possibe soutions of its re-initiaization predicate P r. The set V indicates the variabes that are aowed to change their vaue. Whenever x V, the variabe x is fixed. Note that this is precisey opposite to the use of V in fow causes. We define the soutions of a re-initiaization cause in terms of the soutions of a re-initiaization predicate as foows. Definition 3 (Soution of a re-initiaization cause) A re-initiaization (ν,ν ) R is defined to be a soution of a re-initiaization cause d D, denoted (ν,ν ) = d, as foows: (ν,ν ) = [V P r ] if (ν,ν ) = r P r and for a x V we find ν(x) = ν (x); (ν,ν ) = d d if (ν,ν ) = d or (ν,ν ) = d ; (ν,ν ) = d d if (ν,ν ) = d and (ν,ν ) = d ; (ν,ν ) = d d if there exists υ Va with (ν,υ) = d and (υ,ν ) = d ; (ν,ν ) = d? if ν = ν, and there exists υ Va with (ν,υ) = d ; (ν,ν ) = c jmp if there exists σ Σ such that (ν,σ) = c and σ(0) = ν. If we have two re-initiaization causes d,d D, the cause d d accepts exacty those soutions that are a concatenation of the re-initiaizations of d and d. The cause d? does not change the vaue of any of the variabes, and ony has a soution for those vauations for which d has a soution. The cause c jmp imitates the re-initiaizations performed initiay by a fow cause c. Obviousy, the re-initiaization cause [fase] has no soutions, whie [V m true] has every possibe re-initiaization as a soution. Note, that [true] exacty aows a reinitiaizations that do not change any of the variabe vauations. The semantics of the HyPA constants and function symbos is given in the tabes 1 5, using deduction rues in the stye of [40]. In these tabes p,p,q,q denote process terms, a,a,a denote actions, c denotes a fow cause, d denotes a re-initiaization cause, H denotes a set of actions, X denotes a recursion variabe, ν,ν,ν denote vauations, σ denotes a fow, t denotes a point in time, and denotes an arbitrary transition abe. In tabe 1, the semantics of the atomic processes, the fow causes, and the process re-initiaizations is given. Rue (1) captures our intuition that ɛ is a process that ony terminates. Anaogousy, the fact that there is no rue for δ, expresses that this is indeed a deadocking process. Rue (2) expresses that discrete actions dispay their own name, and the vauation of the mode variabes on the transition abe, but do not change this vauation. Changes in the vauation can ony be caused by fow causes and re-initiaization causes, 19

20 Tabe 1 Operationa semantics of HyPA ɛ,ν (1) a,ν a,ν ɛ,ν (2) (ν,σ) = c, dom(σ) = [0,t] c,ν σ (3) c,σ(t) (ν,ν ) = d, p,ν (4) d p,ν (ν,ν ) = d, p,ν p,ν (5) d p,ν p,ν as defined by rues (3) to (5). Tabe 2 Operationa semantics of HyPA, aternative and sequentia composition p,ν (6) p q,ν q p,ν p,ν p q,ν q p,ν p,ν p,ν p,ν (7) p,ν, q,ν p q,ν (8) p,ν p q,ν p,ν p q,ν (9) p,ν, q,ν q,ν (10) p q,ν q,ν The semantics of the other operators is defined in tabes 2, 3, 4, and 5. Rues (6) to (10), for aternative and sequentia composition, are very simiar to that of ACP. However, it is worth noting that we have chosen to mode fow transitions as having the same non-deterministic interpretation as action transitions. This in contrast to many timed process agebras [45], where the passage of time (by itsef) does not trigger a branching in the transition system. The reason for this way of modeing, is our intuition that continuous behavior (i.e. the passing of time) infuences the vauation of the mode variabes, and can therefore introduce choices in the system behavior, just ike discrete actions do. If, in the future, we deveop operators to abstract from the variabes that trigger those choices, we do not want the choices themseves to disappear, through some time-determinism mechanism. The argument for introducing time-determinism, that time is an externa phenomenon that does not infuence the state of a system, does in our opinion not hod for hybrid systems. Aso, the hybrid automata of Henzinger [16], and most other hybrid automata approaches that we know of, are time-non-deterministic, supposedy for the same reasons. 20

21 Interestingy, in [13] a time-deterministic approach to hybrid systems is chosen (ceary, they disagree with the above arguments), whie in hybrid χ [11] operators are introduced for both. Modes in the anguage hybrid χ, therefore, might show the difference between the approaches. As far as we can te, the time-deterministic operator is used most often when, for exampe, a controer makes a choice after some deay, indeed without specifying the dynamics during this deay. This is modeed as a time-deterministic choice between deaying actions. When modeing physica modes of a system, the non-deterministic choice operator is used. The physica behavior of a system can ony be in one mode, even if a particuar evoution is permitted in both modes. In other words, time-determinism pays a roe on a higher eve of abstraction than that which we aim for in HyPA. Tabe 3 Operationa semantics of HyPA, disrupt p,ν (11) p q,ν p q,ν p,ν p q,ν p q,ν p,ν p q,ν p q,ν (12) q,ν p q,ν (13) q,ν q,ν p q,ν q,ν (14) Rues (11) to (14) define the semantics of the disrupt operator and the eftdisrupt operator. If we compare these rues to the rues for sequentia composition, we see that the main difference, is the way in which termination is handed. Firsty, in a composition p q, the process q may start execution without p terminating. Secondy, if the process p terminates, the process p q may aso terminate regardess of the behavior of q. Rues (15) to (19) define the semantics of the parae composition, and in these rues the difference between action transitions and fow transitions is most prominent. For actions, the interpretation of the parae composition is the same as in ACP [7,43]. Discrete actions that are paced in parae are intereaved, but can aso synchronize using a (partia, commutative, and associative) communication function γ A A A. If a discrete action a communicates with an action a (this is the case if aγa is defined), the resut is an action a = aγa. If fow causes are paced in parae, they aways synchronize their behavior such that, intuitivey, the fows that are possibe in a parae composition are a soution of both causes. 21

22 Tabe 4 Operationa semantics of HyPA, parae composition p,ν, q,ν (15) p q,ν p q,ν p,ν σ p,ν, q,ν σ q,ν (16) p q,ν σ p q,ν p q,ν σ p q,ν p,ν σ p,ν, q,ν (17) p q,ν σ p,ν q p,ν σ p,ν p q,ν σ p,ν p,ν a,ν p,ν p q,ν a,ν p q,ν q p,ν a,ν q p,ν p q,ν a,ν p q,ν (18) q p,ν σ p,ν p,ν a,ν p,ν, q,ν a,ν q,ν, a = a γ a p q,ν a,ν p q,ν p q,ν a,ν p q,ν (19) Encapsuation, as defined by rues (20) to (22), ony infuences action transitions. This is not surprising, since, as mentioned before, the H ( ) operator is originay intended to mode enforced synchronization in a parae composition. Parae composition, in genera, may ead to intereaving actions and synchronized actions. The encapsuation operator is then used to bock the intereaving actions. Fow transitions are aready synchronized in the parae composition, so there is no need for encapsuation of those. Rues (23) and (24) mode recursion in the same way as it was done in [7,43]. For a recursive definition X p, a transition for the variabe X is possibe, if it can be deduced from the semantica rues for the process term p. 2.3 Bisimiarity In this section, we discuss the equivaence notion of bisimiarity [42], which is first defined on hybrid transition systems, and then ifted to process terms. Definition 4 (Bisimiarity on hybrid transition systems) Given, a hybrid transition system X,A, Σ,,,, a reation R X X is a bisimuation reation if 22