Syntax and Formal Semantics of Hybrid Chi

Preliminary Report: Syntax and Formal Semantics of Hybrid Chi R.R.H. Schiffelers1 , D.A. van Beek1 , K.L. Man2 , M.A. Reniers2 , J.E. Rooda1 1 Department of Mechanical Engineering 2 Department of Mathematics and Computer Science Eindhoven University of Technology, P.O.Box 513 5600 MB Eindhoven, The Netherlands {r.r.h.schiffelers,d.a.v.beek,k.l.man,m.a.reniers,j.e.rooda}@tue.nl April 8, 2004 Abstract The hybrid χ (Chi) formalism integrates concepts from the dynamics and control theory with concepts from computer science. It also integrates a high expressivity with an elegant straightforward semantics, which is formally specified using a structured operational semantics. User-friendly modeling extensions are defined by means of a small straightforward syntactic translation. The χ language has a relatively large number of operators for discrete-event modeling, but it also allows specification of general differential algebraic equations, such as higher index systems. Its process instantiation mechanism enables encapsulation, hierarchical composition and reuse of processes. Modular composition is supported by means of parallel composition, and by means of different interaction mechanisms: handshake synchronization and synchronous communication for discrete-event processes, and shared variables for continuous-time processes. The syntax and semantics are illustrated using many different examples.

1 Introduction Hybrid systems related research is based on two, originally different, world views: on the one hand the dynamics and control (DC) world view, and on the other hand the computer science (CS) world view. The DC world view is that of a predominantly continuous-time system, which is modeled by means of differential (algebraic) equations, or by means of a set of trajectories. Hybrid phenomena are modeled by means of discontinuous functions and/or switched equation systems. The evolution of a hybrid system in the continuoustime domain is considered as a set of functions of time (one for each variable), where each function is continuous almost everywhere. Analysis and synthesis of hybrid systems in the DC domain are done, among others, by means of piecewise affine (PWA) systems, mixed logic dynamical (MLD) systems or linear complementarity (LC) systems, see [25] for an overview relating these different classes, and see Section 6.1 for a translation of PWAs to χ (Chi). A different 1

kind of hybrid systems are differential (algebraic) equations with discontinuous right hand sides, the semantics of which is defined using differential inclusions. Such differential equations allow modeling of relays, valves or any kind of on/off switching elements at a high level of abstraction in control systems with so-called sliding modes [23, 42]. The CS world view is that of a predominantly discrete-event system. A wellknown model is a (hybrid) automaton, but modeling of discrete-event systems is also based on, among others, process algebra’s, Petri nets, and data flow languages. For modeling and analysis of hybrid phenomena, discrete-event formalisms are extended in different ways with some form of differential (algebraic) equations. The most influential hybrid system model is that of a hybrid automaton [2]. An essential difference between a hybrid automaton and a DC hybrid system model is that where in a DC hybrid model there are no actions, in a hybrid automaton, discontinuities can take place only by means of (labeled) actions. By means of actions, a hybrid automaton switches from one mode/location to another mode/location, where in each location all variables behave according to an absolutely continuous, and even differentiable, function of time. The DC and CS world views each have their own advantages. The CS world view is obviously better suited to discrete-event modeling. On the other hand, a DC model x˙ = step(t − 1), where t denotes time and step is a discontinuous function such that step(x) is 0 for x < 0 and 1 for x ≥ 0, is much more straightforward than the corresponding hybrid automaton. Such a hybrid automaton requires two locations, one that specifies behavior for t ≤ 1 and one for t ≥ 1, that are connected by an edge with a transition function and action label. Clearly, hybrid systems represent a domain where the DC and CS world views meet, and we believe that a formalism that integrates the DC and CS world views is an valuable contribution to-wards integration of the DC and CS tools, methods, and techniques. The χ language is such a formalism. On the one hand, it can deal with continuous-time systems, including higher index systems, PWA/MLD/LC systems, and hybrid systems based on sets of differential algebraic equations using discontinuous functions (the DC approach). On the other hand, it can deal with discrete-event systems, without continuous variables or differential equations, and with hybrid systems such that in each mode behavior is continuous (the CS approach). The intended use of χ is for modeling, simulation, verification, and real-time control. Its application domain ranges from physical phenomena, such as dry friction, to large and complex manufacturing systems. Although the semantics is formally defined, including a solution concept for general algebraic differential equations, the straightforward and elegant syntax and semantics is also highly suited to non-computer scientists. We aim at verification of model properties by means of translating χ models to the input languages of verification tools, as mentioned in Section 7. The history of the hybrid χ language dates back quite some time. It was originally designed as a modeling and simulation language for specification of discrete-event, continuous-time or combined discrete-event/continuous-time models. The first simulator, however, was suited to discrete-event models only. The simulator was successfully applied to a large number of industrial cases, such as an integrated circuit manufacturing plant, a brewery, and process industry plants [47]. Later, the hybrid language and simulator were developed [46]. For the purpose of verification, the discrete-event part of the language was mapped onto the process algebra χσ by means of a syntactical 2

translation. The semantics of χσ was defined using a structured operational semantics style (SOS), bisimulation relations were derived, and a model checker was built [13]. In this way, verification of discrete-event χ models was made possible [12]. The new hybrid χ language defined in this paper integrates the modeling language and the verification formalism. It integrates, extends and improves the syntax and semantics defined in [40] and [39]. The remainder of this report is organized as follows. Section 2 describes the syntax of the χ language. In Section 3, the semantics of χ is formally specified. Several examples in Section 4 are used to illustrate the use of the language. In Section 5, a notion of equivalence is defined, and it is shown to be a congruence for all χ operators. Furthermore, some useful properties of closed χ process terms are given. Full proofs are presented in the appendices. Section 6 discusses related work, and Section 7 terminates with conclusions and points out directions of future work.

2 Syntax of the Chi language 2.1 Syntax of Chi processes A χ process is a triple h p, σ, Ei, where p denotes a process term, σ denotes a valuation, and E denotes an environment. A valuation is a partial function from variables to values. Syntactically, a valuation is denoted by a set of pairs {x 0 7→ c0 , . . . , x n 7→ cn }, where x i denotes a variable and ci its value. An environment is a triple (S, I, R), where S denotes the set of discrete variables (S ⊆ dom(σ )). The continuous variables in process h p, σ, (S, I, R)i are given by dom(σ ) \ S. Set I denotes the initialized continuous variables, which is a subset of the continuous variables (I ⊆ (dom(σ ) \ S)). The semantics of the different kinds of variables is explained in Section 3.2.2. In the environment, R denotes a partial function from recursion variables to process terms. Syntactically, such a function is denoted by a set of pairs {X 0 7→ p0 , . . . , X m 7→ pm }, where X i denotes a recursion variable and pi the process term defining it. The triple notation h p, σ, Ei is convenient for the definition of the semantics. For modeling purposes, however, the notation is difficult to read. To increase readability of χ processes, an additional notation is defined by means of syntactic sugar. Notation h , , , | i

disc s1 = c1 , . . . , sk = ck init x 1 = c10 , . . . , x n = cn0 00 cont y1 = c100 , . . . , ym = cm X 1 7→ p1 , . . . , X l 7→ pl p

is syntactic sugar for the following χ process: h π(∂(T ( p))) , { s 1 7 → c1 , . . . , sk 7 → ck , x 1 7→ c10 , . . . , x n 7→ cn0 00 , y1 7→ c100 , . . . , ym 7→ cm } , ({s1 , . . . , sk }, {x 1 , . . . , x n }, {X 1 7→ p1, . . . , X l 7→ pl }) i 3

where maximal progress operator π in π(∂( p)) ensures that actions in p have priority over delays, encapsulation operator ∂ ensures synchronous, two-party behavior of communication in p, and translation function T defines additional syntactic sugaring. This is explained in more detail in the following sections. In many cases, such as when modeling for control system design, time is the independent variable for which no behavior should be specified. For this purpose, the modeler can define the name of the independent time variable by means of the keyword time followed by the name of the time variable. Formally, if the time variable is t, its behavior is given by t˙ = 1. This is reflected in the following notation: h , , , , | i

time t = c0 disc s1 = c1 , . . . , sk = ck init x 1 = c10 , . . . , x n = cn0 00 cont y1 = c100 , . . . , ym = cm X 1 7→ p1 , . . . , X l 7→ pl p

which is syntactic sugar for the χ process: h π(∂(T ( p))) || t˙ = 1 , { t 7 → c0 , s1 7 → c1 , . . . , s k 7 → ck , x 1 7→ c10 , . . . , x n 7→ cn0 00 , y1 7→ c100 , . . . , ym 7→ cm } , ({s1 , . . . , sk }, {x 1 , . . . , x n , t}, {X 1 7→ p1 , . . . , X l 7→ pl }) i If there are no variables of a certain type (disc , init , or cont ), the preceding keyword is omitted as in h disc n = 1, cont x, y | p i, where there are no initialized continuous variables and no recursion definitions. If no variables and recursion definitions are declared at all, the separation bar is also omitted as in h pi. The initialization part in variable declarations (= ci in x i = ci ) is optional. If the initialization part of a variable is missing, the value of the variable is undefined. E.g. h disc k, n = 2, m , cont y | p i is syntactic sugar for hπ(∂(T ( p))), {k 7→⊥, n 7→ 2, m 7→⊥, y 7→⊥}, ({k, n, m}, ∅, ∅)i where ⊥ denotes that the value of the variable is undefined.

2.2 Syntax of Chi process terms This section presents a concise, and incomplete, definition of the syntax of χ process terms. The syntax of predicates, expressions etc. are not defined. Process terms P in χ are divided into three categories: The core process terms Pcore , the SOS process 4

terms PSOS , and the modeling process terms PM . The core process terms are used both for modeling purposes and for the definitions of the semantics. The SOS process terms are used for the definition of the (structured operational) semantics only. The modeling process terms are used for modeling purposes to ensure better readability of χ models. The semantics of the modeling process terms is defined in terms of the core process terms and SOS process terms by means of syntactic translation function T , defined in Section 2.3. Pcore ::= u | 1d (P) | PBP PSOS ::=

| la | b→P | P || P

| | |

h ! en P; P π(P)

| |

h ? xn P⊕P

| |

X P [] P

W : i | W : i P | ι I + ,I − (P) | |[ σ, S, C, R ‘|’P ]| | ∂(P) | δ

PM

::= | | | | | |

u 1 , . . . , u n | xn : i | skip | x := e hxn i := hen i | hx 1 := e1 ; . . . ; x n := en i | 1d h ! | h ? | h ∼ | h !! en | h ?? xn | h !! | h ?? | h ≈ ∗ b :→ P | xn : i P | P I P | ∗P | b → P (init xn \ ym ‘|’P) |[ disc L, init L 0 , cont L 00 , chan L C , L R ‘|’P ]| lp (xk , hm , en )

P

::=

Pcore

|

PSOS

|

PM

An informal, concise explanation of this syntax, together with some additional syntactic definitions, is given below. Section 3 gives a more detailed account of their meaning. In principle, the continuous variables change arbitrarily over time. A delay predicate u or u 1 , . . . , u n over variables and dotted variables (e.g. x) ˙ is used to restrict the allowed behavior of the continuous variables in such a way that the value of the predicate remains true. Action labels l a are used to model distinct actions that do not change the valuation. Processes interact by means of shared variables or by means of synchronous pointto-point communication via a channel. Channels are denoted as labels (identifiers). By means of h ! en , where en denotes e1 . . . en , the values of expressions e1 , . . . , en are sent via channel h. By means of h ? xn , where xn denotes x 1 , . . . , x n values for x 1 , . . . , x n are received from channel h. Synchronization of two processes is possible by means of directed synchronization (h ! and h ?), or undirected synchronization (h ∼ ). The acts of sending and receiving (values) have to take place at the same moment in time. The encapsulation operator ∂ is introduced to block internal send and receive actions in order to assure that only their synchronous execution takes place. If communication or synchronization is not immediately possible, h ! en , h ? xn , h !, h ?, and h ∼ can delay. Process terms h !! en , h ?? xn , h !!, h ??, and h ≈ are the respective non-delayable equivalents. Process term X denotes a recursion variable (identifier) that is defined either in a χ process, or in a scope operator process term |[ · · · | P ]|. It is used to model repetition, and mode switches in combination with the disrupt operator B. Action predicate W : i or xn : i denotes instantaneous changes to the variables from set W (or variables x 1 , . . . , x n ), by means of an internal action, such that predicate i over variables and ‘− ’ superscripted variables (e.g. x − ) is satisfied. Since different 5

instantaneous changes may satisfy the predicate, this may result in non-determinism. Process term skip is an abbreviation for an internal action that does not change the values of variables, and assignment x := e is an abbreviation for an internal action that changes the value of variable x to the value of expression e. Multi-assignment hxn i := hen i is an abbreviation for an internal action that changes variables x 1 , . . . , x n to the values of expressions e1 , . . . , en , respectively, and multi-assignment hx 1 := e1 ; . . . ; x n := en i is an abbreviation for a sequence of assignments that is executed as one action. By means of the delay operator 1d ( p), a process term is forced to delay for the amount of time units specified by the value of numerical expression d, and then proceeds as p. The abbreviation 1d denotes a process that first delays for d time units, and then terminates. Strictly speaking, a process term p itself does not delay, but the process h p, σ, Ei, that is obtained by adding a valuation and environment to p, delays. Therefore when we refer to a process term as a ‘process’, we refer to the process term together with a valuation and environment. Process term b :→ p denotes the process term that behaves as process term p in case the boolean expression b evaluates to true and deadlocks otherwise. Process term W : i p denotes the process term that behaves as p starting from a state that is the result of execution of action predicate W : i . Process term b → p behaves as b :→ p for action behavior of p. For delay behavior, b → p can delay according to p as long as the boolean expression b evaluates to true. While b evaluates to false, b → p can perform any delay. The sequential composition of process terms p and q behaves as process term p until p terminates, and then continues to behave as process term q. The closed disrupt operator (I) is used for describing that a process may take over the execution from another process even if that process is not finished yet (this in contrast with sequential composition). The (open) disrupt operator (B) is used mainly for describing mode switches, where the behavior of each mode is specified by means of delay predicates (equations). In χ, two operators can be used for the purpose of describing alternative behaviors; the choice operator (⊕) and the alternative composition operator ([]). The choice operator is mainly used to model choice between different kinds of continuous behavior of a process, where the choice depends on the initial state of the continuous-time or hybrid process. The alternative composition operator allow choice between different actions/events of a process, usually between action predicates (such as assignments), time-events (a delay process term 1d that terminates), state-events (a variable that crosses a threshold) or communication events of a discrete-event controller. In such a case, time-passing should not make a choice. The choice is delayed until the first action is possible. The parallel composition p || q (has as its behavior with respect to action transitions the interleaving of the behaviors of p and q. The time transitions of p and q have to synchronize to obtain the time transition (with the same trajectory ρ and the same time step t) of their parallel composition. The parallel composition allows the synchronization of matching send and receive actions. By means of the maximal progress operator π, execution of actions can be given priority over passage of time. Process term ∗ p represents the infinite repetition of process term p. Guarded ∗ repetition b → p can be interpreted as “while b do p”. 6

Initial value operator ι I + ,I − ( p), where I + and I − denote sets of variables, and its modeling operator equivalent (init xn \ ym | p) are used to enlarge or reduce the set of initialized continuous variables. The trajectory of such a variable starts at the last value of the variable before delaying. If I − is empty, then, in the modeling process term, the set subtraction symbol ‘\’ is omitted as in (init xn | p). In most cases, initialized continuous variables coincide with differential variables. A scope process term |[ σ, S, C, R | p ]| and its modeling analogon |[ disc L, init L 0 , cont L 00 , chan L C , L R ‘|’ P ]| are used to declare a local scope consisting of local discrete variables (set S, or list L), local initialized continuous variables (list L 0 ), local (normal) continuous variables (list L 00 ), local channels (set C, or list L C ), and local recursion definitions (function R, or list L R , for the syntax see Section 2.1). In the SOS process term, σ denotes a valuation of local variables. In the modeling process term L, L 0 , and L 00 denote lists of variables, optionally with initial values, of the form x 1 [= c1 ], . . . , x n [= cn ], where the brackets [ ] enclose optional items. Section 2.3.1 presents more information on the syntax and on the relation between the core and the modeling scope operator process terms. Process instantiation process term l p (xk , hm , en ), where lp denotes a process label (identifier), enables (re)use of a process definition, as discussed in Section 2.3.2. A process definition is specified once, but the associated processes can be instantiated many times, possibly with different parameters: external variables x k , external channels hm , and expressions en . The deadlock process term δ denotes ‘no behavior’: it cannot perform actions nor delays. Starting with the semicolon, the operators are listed in descending order of their ∗ binding strength as follows ; , B, I {, :→ , → , → , ∗}, || , [], and ⊕. The operators inside the braces have equal binding strength. In addition, operators of equal binding strength associate to the right, and parentheses may be used to group expressions. For example, p B q B r B s means p B (q B (r B s)).

2.3 Syntactic sugar The modeling process terms are defined in terms of core process terms or SOS process terms. The only exception is process instantiation, which is defined in terms of syntactic expansion into its associated scope operator process term (see Section 2.3.2), which itself may consist of other modeling process terms. In Table 1, the modeling process terms are defined in terms of core process terms and SOS process terms by means of translation function T ∈ (Pcore ∪ PSOS ∪ PM ) → (Pcore ∪ PSOS ). In this table, e[x− n /xn ] denotes the result of replacing all occurrences of variables x 1 , . . . , x n in e by x 1− , . . . , x n− , respectively. For example, the translation of process term x := 2x + y is defined as {x} : x = 2x − + y, and the translation of hx, yi := hx + y, x − yi is defined as {x, y} : (x = x − + y − ) ∧ (y = x − − y − ). The translation function T leaves the atomic core and SOS process terms unchanged: T ( p) = p for p ∈ {u, l a , h ! en , h ? xn , X, W : i, δ}. It distributes over the other core and SOS process terms. For all binary operators: T ( p β q) = T ( p) β T (q) for β ∈ {; , B, ⊕, [], || }. Furthermore, T (b → p) = b → T ( p), T (W : i p) = W : i T ( p), T (η( p)) = η(T ( p)) for η ∈ {1d , π, ι I + ,I − , ∂}, and T (|[ σ, S, C, R | p ]|) = |[ σ, S, C, R | T ( p) ]|. 7

Process term P u1, . . . , un xn : i xn : i p skip x := e hxn i := hen i

hx 1 := e1 ; . . . ; x n := en i

1d b :→ p pIq ∗p ∗ b → p h! h? h∼ h !! e h ?? x h !! h ?? h≈ (init xn \ ym | p)

Syntactic translation T (P) u1 ∧ · · · ∧ un {xn } : i T ({xn } : i p) ∅ : true {x} : x = e[x − /x] {xn } : (x 1 = e1 [x− n /xn ]) ∧ · · · ∧ (x n = en [x− n /xn ] {x 1 , . . . , x n } : (x 1 = e1 [x 1− , . . . , x n− /x 1 , . . . , x n ]) ∧ (x 2 = e1 [x 2− , . . . , x n− /x 2 , . . . , x n ]) ∧ · · · ∧ (x n = en [x n− /x n ]) T (1d (skip)) T (∅ : true p) T ( p B q ⊕ q) T (|[ ∅, ∅, ∅, {X 7→ p; X} | X ]|) T (|[ ∅, ∅, ∅, {X 7→ b → skip; p; X [] ¬b → skip} | X ]|) h ! true |[ {x 7→⊥}, ∅, ∅, ∅ | h ? x ]| T (h ! [] h ?) π(h ! e) π(h ? x) T (π(h !)) T (π(h ?)) T (π(h ∼ )) T (ι{xn },{ym } ( p))

Table 1: Syntactic translation of the modeling process terms. 2.3.1 Scope operator The scope operator modeling process term is defined as syntactic sugar for the scope operator combined with the initial value operator, both defined in PSOS : T ( |[ disc s1 = c1 , . . . , sk = ck , init x 1 = c10 , . . . , x k 0 = ck0 0 , cont y1 = c100 , . . . , yk 00 = ck0000 , chan h 1 , . . . , h m , X 1 7 → p1 , . . . , X n 7 → pn |p ]| )= |[ {s1 7→ ck , . . . , sk 7→ ck , x 1 7→ c10 , . . . , x k 0 7→ ck0 0 , y1 7→ c100 , . . . , yk 00 7→ ck0000 } , {s1 , . . . , sk }, {h 1 , . . . , h m }, {X 1 7→ T ( p1 ), . . . , X n 7→ T ( pn )} | ι{x1 ,...,xk0 },∅ (T ( p)) ]| In a similar way as defined for χ processes, the keyword preceding variables of a certain type is omitted when there are no variables of that type, and the keyword chan 8

is omitted when there are no local channel declarations. Also, the initialization part of a variable may be omitted, indicating that the variable is undefined. E.g. T (|[ disc s | p ]|) = |[ {s 7→⊥}, {s}, ∅, ∅ | ι∅,∅ ( p) ]|. 2.3.2 Process instantiation Chi specifications in which process instantiations l p (xk , hm , en ) are used have the following structure: pd1 .. . pd j h disc · · · , init · · · , cont · · · | p i, where for each process instantiation l p (xk , hm , en ) occurring in p, a matching process definition pdi of the form lp (ext x0k , chan h0m , val vn ) = |[ disc zd , init zi , cont zc , chan h00m0 , X 7→ p | pbody ]| must be present among the j process definitions pd 1 . . . pd j . Here lp denotes a process label, xk denotes the ‘actual external’ variables x 1 , . . . , x k , hm denotes the ‘actual external’ channels h 1 , . . . , h m , en denotes the expressions e1 , . . . , en , x0k denotes the ‘formal external’ variables x 10 , . . . , x k0 , h0m denotes the ‘formal external’ channels h 01 , . . . , h 0m , vn denotes the ‘value parameters’ v1 , . . . , vn , h00m0 denotes the local channels h 001 , . . . , h 00m 0 , and X 7→ p denotes the recursion definitions X 1 7→ p1 , . . . , X r 7→ pr . In a similar way, zd , zi , and zc denote comma separated lists, of arbitrary length, of local variables. In χ specifications, h disc · · · , init · · · , cont · · · | p i is referred to as the ‘main process’. The order of the process definitions and the main process is not important; e.g. the main process can also come before the process definitions, instead of after them. We use the term ‘main process’ instead of the formal term ‘process’, as used in Section 2.1, to distinguish the main process from the process instantiations. We informally refer to a process instantiation l p (xk , hm , en ) as a ‘process’. Such a ‘process’ in fact refers to a process hl p (xk , hm , en ), σ, Ei that is obtained by adding a valuation and an environment to the process instantiation process term. A process definition is specified once. Processes that refer to a process definition can be instantiated many times by means of process instantiation process terms, possibly with different arguments. In this way, process reuse is supported. In process term pbody, apart from the local variables zd , zi , zc and local channels h00m0 , also the formal external variables x0k , formal external channels h0m , and value parameters vn may be used. We assume that the formal external variables x0k , the value parameters vn , the local variables zd , zi , zc , and the recursion variables X are all different and do not begin with an underscore. In the same way, the formal external channels h0m must be different from the local channels declared in h00m0 . Furthermore, all variables and channels used in pbody must be declared: 9

V( pbody) ⊆ {x0k } ∪ {vn } ∪ {zd } ∪ {zi } ∪ {zc } ∪ {X} C( pbody) ⊆ {h0m } ∪ {h00m0 } Functions V ∈ P → P(V ) ∪ P(XS) and C ∈ P → P(C), where P denotes the powerset function, V denotes the set of variables, XS denotes the set of recursion variables, and C denotes the set of channel labels (see Section 3), operate on process terms; V( p) and C( p) extract the variables and channels from p, respectively. Formally, the syntactic translation of process instantiation lp (xk , hm , en ) with corresponding process definition lp (ext x0k , chan h0m , val vn ) = |[ disc zd , init zi , cont zc , chan h00m0 , X 7→ p | pbody ]| is defined as T ( lp (xk , hm , en ) )= T ( |[ disc Rα (zd ), Rα (v), init Rα (zi ), cont Rα (zc ), chan Rβ (h00m0 ) , (Rα,β (X 7→ p))[xk , hm /x0k , h0m ] | Rα (vn ) : Rα (vn ) = en (Rα,β ( pbody))[xk , hm /x0k , h0m ] ]| ) Here, Rα (vn ) denotes Rα (v1 ), . . . , Rα (vn ), and Rα (zd ), Rα (zi ), Rα (zc ), Rβ (h00m0 ) likewise denote the distribution of renaming functions Rα , Rβ over the individual items of the respective variable / channel lists zd , zi , zc , h00m0 . Furthermore, (Rα,β (X 7→ p))[xk , hm /x0k , h0m ] denotes Rα (X 1 ) 7→ (Rα,β ( p1 ))[xk , hm /x0k , h0m ], . . . , Rα (X r ) 7→ (Rα,β ( pr ))[xk , hm /x0k , h0m ]. The translation declares the value parameters vn as local discrete variables, with initial values en . By convention, however, process term pbody normally does not change the values of these variables. Set α ∈ P(V ) denotes {xk } ∪ V(en )) \ {x0k }, where V(en ) denotes V(e1 ) ∪ · · · ∪ V(en ). Set β ∈ P(C) denotes {hm } \ {h0m }, and p[xk , hm /x0k , h0m ] denotes the process term obtained by substitution of all occurrences of the formal external variables x 0k and formal external channels h0m in process term p by the actual external variables xk and the actual external channels hm , respectively. Renaming function R ∈ (V × C × χ) → χ operates on syntactic entities in χ. The two abbreviations Rα , Rβ denote Rα,∅ , and R∅,β , respectively. The renaming function renames the value parameters vn , local variables zd , zi , zc , local channels h00m0 , and local recursion variables Xr that conflict with (have the same name as) one of the external variables xk or channels hm by prefixing the local variables or channels by as many underscores as needed to create a variable or channel different from the external variables or channels, respectively. Since local variables and channels are not visible outside of the scope operator, this renaming does not change the meaning of the scope operator process term. The only actual external variables and channels that can conflict with local variables and channels are {xk } \ {x0k }, and {hm } \ {h0m }, respectively. Set {x0k } is subtracted from {xk }, because an actual external variable that has the same name as one of the formal external variables {x0k } cannot conflict with any of the local variables. Set subtraction removes these actual external variables. 10

The actual renaming by Rα (eχ ), where eχ is a χ expression, list of variables, predicate, or recursion variable is done by renaming all variables in e χ that also occur in set α by prefixing them with the minimum number of underscores (possibly zero) required to obtain variables different from those occurring in α. Renaming of channels is defined in a similar way: Rβ (h) = h 0 , where h 0 denotes channel label h prefixed by the minimum number (possibly zero) of underscores such that h 0 6∈ β. The renaming function R is further defined as follows for the core and SOS process terms: Rα,β (u)

=

Rα (u)

Rα,β (la ) Rα,β (h ! e)

= =

Rβ (la ) Rβ (h) ! Rα (e)

Rα,β (h ? x) Rα,β (1d ( p))

= =

Rβ (h) ? Rα (x) 1Rα (d) (Rα,β ( p)

Rα,β (X) Rα,β (b → p)

= =

Rα (X) Rα (b) → Rα,β ( p)

Rα,β (W : i ) Rα,β (W : i p)

= =

Rα (W ) : Rα (i ) Rα (W ) : Rα (i ) Rα,β ( p)

Rα,β (ι I + ,I − ( p))

=

ιRα (I + ),Rα (I − ) (Rα,β ( p))

Renaming distributes over the other core and SOS process terms: Rα,β ( p β q) = Rα,β ( p) β Rα,β (q) for all binary operators β ∈ {; , B, ⊕, [], || }, and Rα,β (π( p)) = π(Rα,β ( p)), Rα,β (∂( p)) = ∂(Rα,β ( p)), Rα,β (δ) = δ. The SOS scope operator process term is renamed as follows: Rα,β ( |[ σ, S, C, X 7→ p | pbody ]| ) = |[ Rα (σ ), Rα (S), Rβ (C), (Rα,β (X 7→ p))[xk , hm /x0k , h0m ] | Rα,β ( pbody) ]| The process instantiation process term is renamed by renaming the arguments. Rα,β ( lp (xk , hm , en ) )= lp (Rα (xk ), Rα (hm ), Rα (en )) The remaining modeling process terms are renamed in a similar way as the corresponding SOS process terms. E.g. Rα,β (h !) = Rβ (h) !, Rα,β (∗( p)) = ∗Rα,β ( p), ∗ ∗ Rα,β (b → p) = Rα (b) → Rα,β ( p). The translation function is illustrated using the following example. Given process definition P(ext x) = |[ disc y = 2 | y := x + 1 ]|, process term P(y) || P(x) is translated as follows: T (P(y) || P(x)) = T (P(y)) || T (P(x)) = T (|[ disc R{y}\{x},∅ (y = 2) | (R{y}\{x},∅ (y := x + 1))[y/x] ]|) || T (|[ disc R{x}\{x},∅ (y = 2) | (R{x}\{x},∅ (y := x + 1))[x/x] ]|) = T (|[ disc y = 2 | ( y := x + 1)[y/x] ]|) || T (|[ disc y = 2 | (y := x + 1)[x/x] ]|) =

11

T (|[ disc y = 2 | y := y + 1 ]|) || T (|[ disc y = 2 | y := x + 1 ]|) = |[ { y 7→ 2}, { y}, ∅, ∅ | ι∅,∅ ({ y} : y = y + 1) ]| || |[ {y 7→ 2}, {y}, ∅, ∅ | ι∅,∅ ({y} : y = x + 1) ]|. The following χ specification P(ext x) = |[ disc y = 2 | y := x + 1 ]| h disc x = 0, y = 1 | P(y) || P(x) i is syntactic sugar for h π( ∂( |[ { y 7→ 2}, { y}, ∅, ∅ | ι∅,∅ ({ y} : y = y + 1) ]| || |[ {y 7→ 2}, {y}, ∅, ∅ | ι∅,∅ ({y} : y = x + 1) ]| ) ) , {x 7→ 0, y 7→ 1}, ({x, y}, ∅, ∅) i, as defined in Section 2.1. For additional examples of the translation function we refer to Sections 4.2 and 4.7.

2.4 Data types The χ language is statically strongly typed. Besides the classification of variables as discrete or continuous, all variables have a type. The type of a variable defines the allowed values of the variable and the allowed operations on the variable. The atomic types are nat (natural numbers, including zero), int (integers), real (real-valued numbers), bool (booleans), string (strings), and enum (enumerations). Type constructors operate on existing types to create structured types. The χ language defines type constructors to create sets, lists, array tuples, record tuples, dictionaries, functions, and distributions (for stochastic models). Channels also have a type that indicates the type of data that is communicated via the channel. Pure synchronization channels, that do not communicate data, are of the predefined type void. The χ type system is strictly enforced in the χ tools. However, since the type system is not formalized, it is omitted from the specifications in this paper.

3 Semantics of the Chi Language In this section, the structured operational semantics (SOS) of χ is presented. It associates a hybrid transition system [18] with a χ process. The semantics is defined only for a subset of the syntactically allowed χ processes. E.g. the semantics of the χ process hx ≥ 1 → p, σ, Ei is defined only for variables x that have a defined value. These additional semantical restrictions on χ processes, if present, are specified together with the SOS rules for each process term in Sections 3.2 and 3.3.

3.1 General Description of the SOS The main purpose of such an SOS is to define the behavior of χ processes at a certain chosen level of abstraction. The meaning of a χ process depends on the values of the variables and on the environment. A set V of variables, a set V˙ ⊆ {x˙ | x ∈ V } 12

of dotted variables, a set V − = {x − | x ∈ V } of ‘− ’ superscripted variables, a set A of action labels, and a set C of channel labels are assumed. The values of the variables at a specific moment in time are captured by means of a valuation, i.e., a partial function from the variables to the union of the set of values 3 (containing at least the booleans B, and the reals R) and a “value” ⊥ (indicating undefinedness). The set of all valuations is denoted 6: 6 = V 7→ (3 ∪ {⊥}). The set T is used to represent points in time; usually T = R≥0 . The set of environments ES is defined as ES = P(V ) × P(V ) × RS, where P denotes the powerset function and RS = XS 7→ P denotes the set of all partial functions of recursion variables XS to process terms P. We assume V ∩ XS = ∅. The SOS is chosen to represent the following: 1. discrete behavior by means of action transitions: (a)

→ − ⊆ (P × 6 × ES) × (A τ × 6) × (P × 6 × ES), where A τ denotes the set of actions, and is defined as A τ = {α(h, c) | α ∈ {isa, ira, ca}, h ∈ C, c ∈ 3} ∪ {la , τ }. Here, isa, ira, and ca denote action labels for internal send action, internal receive action, and communication action respectively, h ∈ C denotes a channel, c ∈ 3 denotes a value, l a ∈ A denotes an action label, and a,σ 0

τ is the internal action. The intuition of an action transition h p, σ, Ei −−→ h p0 , σ 00 , E 0 i is that the process h p, σ, Ei executes the discrete action a ∈ Aτ with valuation σ 0 and thereby transforms into the process h p 0 , σ 00 , E 0 i, where σ 00 and E 0 denote the accompanying valuation and environment of the process term p 0 , respectively, after the discrete action a is executed. (b)

→ − hX, , i ⊆ (P × 6 × ES) × (A τ × 6) × (6 × ES). The intuition a,σ 0

of a (termination) transition h p, σ, Ei −−→ hX, σ 00 , E 0 i is that the process h p, σ, Ei executes the discrete action a with valuation σ 0 and thereby transforms into the terminated process hX, σ 00 , E 0 i. 7−→ ⊆ (P × 6 × ES) ×

2. continuous behavior by means of time transitions:

t,ρ

(T × (T 7→ 6)) × (P × 6 × ES). The intuition of a time transition h p, σ, Ei 7−→ h p0 , σ 0 , E 0 i is that the variables in dom(σ ) behave (continuously) according to the trajectories in ρ until (and including) time t and then result in the process h p0 , σ 0 , E 0 i. a,σ 0

In this paper, for all action transitions h p, σ, Ei −−→ h p0 , σ 00 , E 0 i, valuation σ 0 equals valuation σ 00 , and dom(σ ) = dom(σ 0 ) = dom(σ 00 ). For all time transitions t,ρ

h p, σ, Ei 7−→ h p, σ 0 , E 0 i, the resulting valuation σ 0 equals the value of the trajectory ρ(t) at the end time point of the transition, dom(σ ) = dom(σ 0 ), and dom(ρ) = [0, t]. Furthermore, for all transitions, environment E equals environment E 0 . The relations and predicates mentioned above are defined through so-called deduction rules. A deduction rule is of the form Hξ , where H is a number of hypotheses separated by commas and ξ is the result of the rule. The result of a deduction rule can be derived if all of its hypotheses are derived. In case the set of hypotheses is empty, the deduction rule is called an axiom. The notation HR , where R is a number of results separated by commas, is a shorthand for a set of deduction rules of the form Hξ ; one for each ξ ∈ R. In order to increase the readability of the χ deduction rules, some additional abbreviations are used. Notation a1 ,σ10

am ,σm0

E h p1 , σ1 i −−−→ hq1 , σ100 i, . . . , h pm , σm i −−−→ hqm , σm00 i 13

is an abbreviation for a1 ,σ10

am ,σm0

h p1 , σ1 , Ei −−−→ hq1 , σ100 , Ei, . . . , h pm , σm , Ei −−−→ hqm , σm00 , Ei Notation * q1 1 + * qm 1 + 0 a ,σ m m . . .. , σ100 , . . . , h pm , σm i −−−→ .. , σm00 , C E 0 h p1 , σ1 i −−−→ q1 n qm n * s1 + b,σ 0 . 00 .. , σ E hr, σ i −−→ sn a1 ,σ10

where q j i , si ∈ P ∪ {X}, pi , r ∈ P, and C denotes an optional hypothesis that must be satisfied in the deduction rule, is an abbreviation for the following rules (one for each i ): a1 ,σ10

am ,σm0

E 0 h p1 , σ1 i −−−→ hq1 i , σ100 i, . . . , h pm , σm i −−−→ hqm i , σm00 i, C b,σ 0

E hr, σ i −−→ hsi , σ 00 i a,σ 0

Furthermore, notation h p, σ, Ei 9 denotes @a,σ 0 , p0 ,σ 00 ,E 0 h p, σ, Ei −−→ h p0 , σ 00 , E 0 i. Based on [32], the following definitions of operators ∪, , and ↓ applied on functions are used. If f is a function, dom( f ) and range( f ) denote the domain and range of f , respectively. If S is a set, f S denotes the restriction of f to S, that is, the function g with dom(g) = dom( f ) ∩ S, such that g(c) = f (c) for each c ∈ dom(g). If f and g are functions with dom( f ) ∩ dom(g) = ∅, then f ∪ g denotes the unique function h with dom(h) = dom( f ) ∪ dom(g) satisfying the condition: for each c ∈ dom(h), if c ∈ dom( f ) then h(c) = f (c), and h(c) = g(c) otherwise. If f is a function whose range is a set of functions and S is a set, then f ↓ S denotes the function g with dom(g) = dom( f ) such that g(c) = f (c) S for each c ∈ dom(g). If f is a function whose range is a set of functions, all of which have a particular element d in their domain, then f ↓ d denotes the function g with dom(g) = dom( f ) such that g(c) = f (c)(d) for each c ∈ dom(g). Function µ ∈ 6 × 6 → 6 merges two valuations. If σ , σ 0 ∈ 6, µ(σ, σ 0 ) = (σ dom(σ ) \ dom(σ 0 )) ∪ σ 0 denotes the combined valuation of σ and σ 0 , such that σ 0 overrides σ .

3.2 Deduction rules for atomic process terms The semantics of the atomic process terms is defined only for χ processes h p, σ, (S, I, R)i for which S, I ⊆ dom(σ ). We further require σ¯ (e), σ¯ (e n ), c ∈ 3 in the rules below, where σ¯ (e) denotes the value of expression e for valuation σ . 3.2.1 Action predicate Action predicate process term W : i denotes instantaneous changes to the variables from set W , by means of an internal action τ , such that predicate i over variables from V and V − is satisfied. Variables occurring with a ‘− ’ superscript in i remain unchanged, since the values of these variable are evaluated in σ − , where dom(σ − ) = 14

{x − | x ∈ dom(σ )} and σ − (x − ) = σ (x). Variables not in W also remain unchanged, since these variables are evaluated in σ . For variables occurring with a ‘ − ’ superscript in i , and variables occurring in i but not in W , it is assumed that their values in σ are in 3. The instantaneous changes σ W are merged with the old valuation σ in µ(σ, σ W ), where σW ∈ 6 denotes a valuation with dom(σ W ) = W . σ − ∪ µ(σ, σW ) |= i

1

τ,µ(σ,σW )

E hW : i, σ i −−−−−−→ hX, µ(σ, σ W )i 3.2.2 Delay predicate The main purpose of delay predicate process term u is to restrict the trajectories ρ of time transitions in such a way that at each point of time t 0 ∈ [0, t], ρ(t 0 ) satisfies predicate u, as defined by solution function below. Note that the solution function enforces t > 0. ρ ∈ (σ, S, I, u, t) t,ρ

2

(S, I, R) hu, σ i 7−→ hu, ρ(t)i The values of the discrete and the initialized continuous variables must be defined in σ : ∀x ∈ (S ∪ I ) : σ (x) ∈ 3. Furthermore, the variables occurring with a dot in u must exist in the domain of σ . I.e. D(u) ⊆ dom(σ ), where function D is defined below the solution function . Function ∈ 6 × P(V ) × P(V ) × U × T → P(T 7→ 6), where U denotes the set of all predicates over V and V˙ , returns a set of trajectories from time to a valuation for the variables, given a valuation representing the current values of the variables, a set of discrete variables, a set of initialized continuous variables, a delay predicate and a time point that denotes the duration of the trajectory. Formally, function is defined as: (σ, S, I, u, d) = { ρ 0 ↓ dom(σ ) | ρ 0 ∈ T 7→ ((V ∪ V˙ ) 7→ 3) , dom(ρ 0 ) = [0, d], d > 0 ˙ , ∀σ 0 ∈ range(ρ 0 ) dom(σ 0 ) = dom(σ ) ∪ D(u) 0 , ∀t ∈ [0, d] ρ (t) |= u ˙ , ∀x ∈ dom(σ ) ∪ D(u) ρ 0 ↓ x is a bounded function that is continuous almost everywhere. , ∀t ∈ [0, d], x ∈ S (ρ 0 ↓ x)(t) = σ (x) 0 , ∀x ∈ I (ρ  ↓ 0x)(0) = σ (x) 0 Rt ˙  (ρ ↓ x)(t) = (ρ ↓ x)(0) + 0 (ρ 0 ↓ x)(s)ds , ∀t ∈ [0, d], x ∈ D(u) ρ 0 ↓ x is differentiable in t H⇒  d (ρ 0 ↓ x))(t) (ρ 0 ↓ x)(t) ˙ = ( dt } Function D ∈ U → P(V ) extracts the differential variables from a predicate, function D˙ ∈ U → P(V˙ ), extracts the dotted variables from a predicate. E.g. D(x = y˙ ) = {y}, ˙ = y˙ ) = { y˙ }. and D(x Trajectory ρ 0 satisfies the predicate u for all time points of its domain (∀t∈[0,d] ρ 0 (t) |= u). The behavior ρ 0 ↓ x of a variables is restricted to a bounded function (not set-valued) that is continuous almost everywhere (except for a set of measure 15

zero). The behavior of discrete variables x ∈ S is further restricted to constant functions (∀t∈[0,d] (ρ 0 ↓ x)(t) = σ (x)). The initial value of the trajectory for each of the initialized continuous variables ∈ I equals the value in valuation σ ((ρ 0 ↓ x)(0) = σ (x)). Initialized continuous variables usually are differential variables, as in, for example, h init x = 0, cont y | x˙ = y, y = 1 i. Algebraic variable y need not be initialized, since its value is completely determined by predicate y = 1. If predicate y = 1 is changed to y = x, it would be possible to initialize y, as in h init y = 0, cont x | x˙ = y, y = x i. Such initializations of algebraic variables are common in, among others, chemical systems. Section 4.6 presents an example. The relation between the trajectory of a differential variable x ∈ D(u) and the ˙ trajectory of its ‘derivative’ x˙ ∈ D(u) R t is given by the Caratheodory solution concept 0 0 ˙ This allows a non-smooth (but [23] (ρ ↓ x)(t) = (ρ ↓ x)(0) + 0 (ρ 0 ↓ x)(s)ds. continuous) trajectory for a differential variable in the case that the trajectory of its ‘derivative’ is non-smooth or even discontinuous, as in, for example, h cont y | y˙ = step(t − 1) i, where step(x) equals 0 for x ≤ 0 and 1 for x > 0. The disadvantage of the Caratheodory solution concept is that it introduces spurious solutions in higher index systems, as in, for example, h cont y, z | y = 1, z = y˙ i. Here, the trajectory for z should be 0. The Caratheodory solution concept, however, allows trajectories for z that are 0 almost everywhere, except for discontinuity points where any other value is allowed. To prevent such spurious discontinuities in the case that the trajectory for a differential variable x is smooth, and thus ρ 0 ↓ x is differentiable in t, the trajectory for its derivative ρ 0 ↓ x˙ should indeed be the derivative function of the trajectory of the d (ρ 0 ↓ x)(t). differential variable ρ 0 ↓ x: (ρ 0 ↓ x)(t) ˙ = dt t,ρ

In several SOS rules describing delay behavior, E htrue, σ i 7−→ hq, σ 0 i is used as a hypothesis. The true predicate does not restrict trajectory ρ other than by means of the default restrictions: the trajectories of all variables are bounded and continuous almost everywhere, t > 0, the discrete variables remain constant, and the starting point of the trajectory of each initialized continuous variable (variables in set I ) is initialized to its value in σ . 3.2.3 Action label Action labels l a from the set A are used to model distinct actions that do not change the valuation. la ,σ

3

E hla , σ i −−→ hX, σ i 3.2.4 Send and receive Send and receive process terms are intended to be used in parallel composition (see Rule 26). The values of expressions e1 , . . . , en which are sent via channel h are evaluated in valuation σ , see Rule 4 where en denotes e1 , . . . , en , and σ¯ (en ) denotes σ¯ (e1 ), . . . , σ¯ (en ). The receive process term h ? x 1 , . . . , x n can receive any values c1 , . . . , cn , see Rule 5, where xn denotes x 1 , . . . , x n , cn denotes c1 , . . . , cn , and σxc denotes the valuation with dom(σ xc ) = {x 1 , . . . , x n } and σxc (x 1 ) = c1 , . . . , σxc (x n ) = cn . The delay behavior of the send and receive process term equals the delay behavior of the delay predicate true. 16

4

isa(h,σ¯ (en )),σ

5

ira(h,cn ),µ(σ,σx c )

E hh ! en , σ i −−−−−−−−→ hX, σ i

E hh ? xn , σ i −−−−−−−−−−→ hX, µ(σ, σ xc )i t,ρ

t,ρ

E htrue, σ i 7−→ hq, σ 0 i

E htrue, σ i 7−→ hq, σ 0 i

6

t,ρ

7

t,ρ

E hh ! en , σ i 7−→ hh ! en , σ 0 i

E hh ? xn , σ i 7−→ hh ? xn , σ 0 i

3.3 Deduction rules for operators 3.3.1 Recursion variable Recursion process term X simply behaves as the process term given by R(X). Here R(X) is the process term that is defined for recursion variable X in function R. It is assumed that X ∈ dom(R). The syntactic sugar for repetition and guarded repetition is defined in terms of recursion, see Section 2.3. Recursion variables are explicitly used to model different modes in switched equation systems. Therefore, recursion variables are also referred to as mode variables, and recursion definitions are also referred to as mode definitions. a,σ 0

(S, I, R) hR(X), σ i −−→ h a,σ 0

(S, I, R) hX, σ i −−→ h

X , σ 00 i p0

X , σ 00 i p0

t,ρ

8

(S, I, R) hR(X), σ i 7−→ h p0 , σ 0 i t,ρ

9

(S, I, R) hX, σ i 7−→ h p0 , σ 0 i

3.3.2 Delay operator Here d ∈ E n denotes a real-valued numerical expression. a,σ 0

E h p, σ i −−→ h

X , σ 00 i, σ¯ (d) = 0 p0 a,σ 0

E h1d ( p), σ i −−→ h

X , σ 00 i p0

t,ρ

10

E h p, σ i 7−→ h p0 , σ 0 i, σ¯ (d) = 0 t,ρ

11

E h1d ( p), σ i 7−→ h p0 , σ 0 i

t,ρ

E htrue, σ i 7−→ hq, σ 0 i, t ≤ σ¯ (d) t,ρ

12

E h1d ( p), σ i 7−→ h1σ¯ (d)−t ( p), σ 0 i 3.3.3 Reinitialization operator Process term W : i p behaves as p starting from the valuation that is the result of execution of action predicate W : i , see Section 3.2.1. Valuation σ W has domain W . a,σ 0

E h p, µ(σ, σW )i −−→ h

X , σ 00 i, σ − ∪ µ(σ, σW ) |= i p0 a,σ 0

E hW : i p, σ i −−→ h

X , σ 00 i p0

13

t,ρ

E h p, µ(σ, σW )i 7−→ h p0 , σ 0 i, σ − ∪ µ(σ, σW ) |= i t,ρ

E hW : i p, σ i 7−→ h p0 , σ 0 i 17

14

3.3.4 Guard operator We assume σ¯ (b) to be defined in Rule 15. The guarded process term b → p can do whatever actions p can do under the condition that the guard evaluates to true in the current state (i.e. σ |= b). The guarded process term can delay according to p, under the condition that for all intermediate valuations during the delay the guard holds (∀t 0 ∈[0,t] ρ(t 0 ) |= b). The guarded process term can delay according to the delay predicate true, under the condition that for the intermediate valuations up to, but not including, the last valuation during the delay the guard does not hold (∀ t 0 ∈[0,t) ρ(t 0 ) |= ¬b). At the end point t of the delay, there is no restriction on the valuation ρ(t). This ensures that, for example, the process h init x = 0 | x˙ = 1 || x ≥ 1 → skip i behaves as expected: it can first do a time transition of 1, such that the value of x becomes 1, and second it can do a τ action to the terminated process. If the condition in Rule 17 were ∀t 0 ∈[0,t] ρ(t 0 ) |= ¬b, then a time transition of 1 would not be possible. This is because ρ(t 0 ) |= ¬(x ≥ 1) should then also hold for the last time point of the time transition. Therefore, the value of x during the delay would have to satisfy σ¯ (x) < 1 at all points during the delay, including the last point. a,σ 0

X , σ 00 i, σ |= b p0

E h p, σ i −−→ h

X E hb → p, σ i −−→ h 0 , σ 00 i p a,σ 0

15

t,ρ

E h p, σ i 7−→ h p0 , σ 0 i, ∀t 0 ∈[0,t] ρ(t 0 ) |= b t,ρ

16

E hb → p, σ i 7−→ hb → p0 , σ 0 i t,ρ

E htrue, σ i 7−→ hq, σ 0 i, ∀t 0 ∈[0,t) ρ(t 0 ) |= ¬b t,ρ

17

E hb → p, σ i 7−→ hb → p, σ 0 i 3.3.5 Sequential composition operator The sequential composition of process terms p and q behaves as process term p until p terminates, and then continues to behave as process term q. a,σ 0

E h p, σ i −−→ h

X , σ 00 i p0

q E h p; q, σ i −−→ h 0 , σ 00 i p ;q a,σ 0

t,ρ

18

E h p, σ i 7−→ h p0 , σ 0 i t,ρ

19

E h p; q, σ i 7−→ h p0 ; q, σ 0 i

3.3.6 Choice operator Applying the choice operator to process terms p and q models a non-deterministic choice between p and q, both for action transitions and time transitions. a,σ 0

E h p, σ i −−→ h a,σ 0

E h p ⊕ q, σ i −−→ h

X , σ 00 i p0

a,σ 0 X X , σ 00 i, hq ⊕ p, σ i −−→ h 0 , σ 00 i p0 p

18

20

t,ρ

E h p, σ i 7−→ h p0 , σ 0 i t,ρ

21

t,ρ

E h p ⊕ q, σ i 7−→ h p0 , σ 0 i, hq ⊕ p, σ i 7−→ h p0 , σ 0 i 3.3.7 Alternative composition operator Applying the alternative composition operator to process terms p and q models a nondeterministic choice between p and q for action transitions (see Rule 22). The passage of time by itself cannot result in making a choice between two alternatives that can perform that time transition with the same trajectory ρ and the same time step t. This is captured in Rule 23. The χ process terms can terminate only by means of an internal action. In this way, alternative composition makes a choice after termination of the first statement. Consider for example the χ process h(h !; p []110; q) || r i, where p, q, r denote some process terms ∈ P. The alternative composition specifies a send process term with a time-out of 10 time units. Depending on r , either the send succeeds first, followed by p, or the time-out succeeds first, followed by q, regardless of q. This is different from, for example, the χσ process algebra [13]. There, h ! [] 110; 11 does not make a choice after expiration of 110. a,σ 0

E h p, σ i −−→ h a,σ 0

E h p [] q, σ i −−→ h

X , σ 00 i p0

a,σ 0 X X , σ 00 i, hq [] p, σ i −−→ h 0 , σ 00 i p p0

t,ρ

22

t,ρ

E h p, σ i 7−→ h p0 , σ 0 i, hq, σ i 7−→ hq 0 , σ 0 i t,ρ

23

E h p [] q, σ i 7−→ h p0 [] q 0 , σ 0 i 3.3.8 Disrupt operator The disrupt operator process term p B q, must first perform an action or time transition according to p. If p terminates, the disrupt terminates. If p goes to p 0 , the disrupt goes to p0 B q ⊕ q, which also allows behavior according to q. The disrupt operator makes it easy to specify guarded recursion in the case of switched equation systems, see for example Section 4.1 - 4.3. a,σ 0

E h p, σ i −−→ h a,σ 0

E h p B q, σ i −−→ h

X , σ 00 i p0

t,ρ

X , σ 00 i p0 B q ⊕ q

24

E h p, σ i 7−→ h p0 , σ 0 i t,ρ

E h p B q, σ i 7−→ h p0 B q ⊕ q, σ 0 i

3.3.9 Parallel composition operator The parallel composition of process terms p and q has as its behavior with respect to action transitions the interleaving of the behaviors of p and q (see Rule 27). The time transitions of the parallel composition of two process terms have to synchronize to obtain the time transition (with the same trajectory ρ and the same time step t) of their parallel composition as defined by Rule 28. The parallel composition allows the 19

25

synchronization of matching send and receive actions. A send action isa(h, c n ) and a receive action ira(h 0 , c0n ) match iff h = h 0 and cn = c0n ; i.e. the channels used for sending and receiving are same, and also the values sent and the values received are identical, where cn denotes c1 , . . . , cn as defined in Section 3.2.4. The result of the synchronization is a communication action that is represented by ca(h, c n ) as defined by Rule 26. + * X + * X 0 ira(h,c ),σ p0 X n 00 y y ,σ E h p, σ i −−−−−−−→ , σ , hq, σ i −−−−−−→ q0 X 0 0 q p isa(h,cn ),σ x

ca(h,cn ),σ 0

E h p || q, σ i −−−−−−→

*

X + * X + 0 0 ca(h,c ),σ p0 p n , σ 00 , hq || p, σ i −−−−−−→ , σ 00 q0 q0 p0 || q 0 q 0 || p0 a,σ 0

E h p, σ i −−→ h a,σ 0

E h p || q, σ i −−→ h

X , σ 00 i p0

a,σ 0 q q , σ 00 i , σ 00 i, hq || p, σ i −−→ h 0 q || p0 p || q

t,ρ

27

t,ρ

E h p, σ i 7−→ h p0 , σ 0 i, hq, σ i 7−→ hq 0 , σ 0 i t,ρ

28

E h p || q, σ i 7−→ h p0 || q 0 , σ 0 i 3.3.10 Initial value operator Initial value process term ι I + ,I − ( p) behaves as p in an environment where the set I + is added to the set of initialized continuous variables I , and the set I − is subtracted from this set. It is assumed that I + ∩ I − = ∅. a,σ 0

(S, (I ∪ I + ) \ I − , R) h p, σ i −−→ h a,σ 0

(S, I, R) hι I + ,I − ( p), σ i −−→ h

X , σ 00 i p0

X , σ 00 i ι I + ,I − ( p0 )

29

t,ρ

(S, (I ∪ I + ) \ I − , R) h p, σ i 7−→ h p0 , σ 0 i t,ρ

30

(S, I, R) hι I + ,I − ( p), σ i 7−→ hι I + ,I − ( p0 ), σ 0 i 3.3.11 Scope operator By means of the scope operator, local variables (optionally with an initial value), local channels and local recursion definitions can be introduced in a χ process. The application of the scope operator to a process term p with a ‘global’ valuation σ and a ‘global’ environment E behaves as p after the addition of the local variables (in fact the valuation σ0 for the local variables) to the global valuation (µ(σ, σ0 )), the addition of local discrete variables to the set of global discrete variables (S ∪ S0 ), and the addition of 20

26

local recursion definitions to the global recursion definitions (µR (R, R0 )). Function µR ∈ RS × RS → RS merges two recursion definition functions. If R, R 0 ∈ RS are two recursion definition functions, µR (R, R 0 ) = (R dom(R) \ dom(R 0 )) ∪ R 0 denotes the combined recursion definition function for R and R 0 , such that R 0 overrides R. Discrete variables introduced by means of a scope operator must be local. Therefore, S0 ⊆ dom(σ0 ) must hold. The scope operator is the only operator that affects the set of discrete variables S. In this way, it is ensured that variables in any χ process h p, σ, Ei cannot change from being discrete to being continuous, or the other way round. Continuous variables, on the other hand, can change to initialized continuous variables, and vice versa, using the initial value operator. The scope operator also defines action abstraction and data abstraction. By means of action abstraction, communication actions on local channels are made invisible outside of the scope operator. By means of data abstraction, changes to local variables are made invisible outside of the scope operator. Action abstraction is done by substituting communication actions ca(h, c) via a local channel (h ∈ C 0 , see Rule 31) by internal (τ ) actions. The internal send and receive actions (isa(h, c) and ira(h, c), see Rules 4 and 5) on a local channel h are blocked, since Rule 31 only specifies behavior for communication actions ca(h, c). Therefore, internal send and receive actions cannot be visible outside of the scope operator, and need not be abstracted to internal τ -actions. Function ch ∈ A τ → C ∪ {⊥ } extracts the channel label from an action. It is defined as ch(α(h, c)) = h, ch(l a ) = ⊥ and ch(τ ) = ⊥. Data abstraction is done by removing changes to local variables from the valuations/trajectories on the transition arrow, and from the valuation of the resulting process, and in case of variables that already exists globally, by restoring their old values for action transitions. For time transitions, globally existing variables that are redefined by local variables are allowed to change ‘freely’, that is they delay according to the delay predicate true. For action transitions, this is done by means of the data abstraction function abs ∈ V × 6 × 6 → 6 that is defined as abs0W (σ, σ 0 ) = (σ 0 dom(σ ) \ W ) ∪ (σ W ) where W denotes a set of variables, and σ , σ 0 denote valuations. In Rules 31 and 32 abs0dom(σ0 ) (σ, σ 00 ) denotes the valuation that is obtained by taking the union of 1) σ 00 restricted to those global variables that are not redefined by local variables (the variables in dom(σ ) \ dom(σ0 )) and 2) σ restricted to those global variables that are redefined by local variables (variables from dom(σ ) ∩ dom(σ0 )). For time transitions as specified by Rule 33, data abstraction is done in a similar way. The resulting transition trajectory label (ρ ↓ dom(σ ) \ dom(σ 0 )) ∪ ρtrue denotes the trajectory that is obtained by taking the union of 1) trajectory ρ for those global variables that are not redefined by local variables (the variables in dom(σ ) \ dom(σ 0 )) and 2) trajectory ρtrue , which is the result of an arbitrary time transition (according to the delay predicate true) for those global variables that are redefined by local variables (variables from dom(σ ) ∩ dom(σ0 )). 21

ca(h,c),σ 0

(S ∪ S0 , I, µR (R, R0 )) h p, µ(σ, σ0 )i −−−−−→ h

X , σ 00 i, h ∈ C0 p0

τ,abs0dom(σ ) (σ,σ 0 )

31

0

(S, I, R) h|[ σ0 , S0 , C0 , R0 | p ]|, σ i −−−−−−−−−−→ X h , abs0dom(σ0 ) (σ, σ 00 )i |[ σ 0 dom(σ0 ), S0 , C0 , R0 | p0 ]| a,σ 0

(S ∪ S0 , I, µR (R, R0 )) h p, µ(σ, σ0 )i −−→ h

X , σ 00 i, ch(a) 6∈ C0 p0 a,abs0dom(σ ) (σ,σ 0 )

32

0

(S, I, R) h|[ σ0 , S0 , C0 , R0 | p ]|, σ i −−−−−−−−−−→ X h , abs0dom(σ0 ) (σ, σ 00 )i |[ σ 0 dom(σ0 ), S0 , C0 , R0 | p0 ]| t,ρ

(S ∪ S0 , I, µR (R, R0 )) h p, µ(σ, σ0 )i 7−→ h p0 , σ 0 i, t,ρtrue

(S ∩ dom(σ0 ), I ∩ dom(σ0 ), ∅) htrue, σ dom(σ0 )i 7−→ hq, σtrue i t,(ρ↓dom(σ )\dom(σ0 ))∪ρtrue

33

(S, I, R) h|[ σ0 , S0 , C0 , R0 | p ]|, σ i 7−→ h|[ σ 0 dom(σ0 ), S0 , C0 , R0 | p0 ]|, (σ 0 dom(σ ) \ dom(σ0 )) ∪ σtrue i An example of a χ process using the scope operator to declare a local variable x, that already exists in an outer scope is shown below. The process performs a time transition for 1 time unit. For better readability, syntactic sugar as defined in Section 2 is used. h init x = 0, cont y | |[ init x = 1, z = 0, | x˙ = 2, y = x, z˙ = 4 ]| || x˙ = 1 i 1,ρ

7−→ h init x = 1, cont y = 3 | |[ init x = 3, z = 4 | x˙ = 2, y = x, z˙ = 4 ]| || x˙ = 1 i where dom(ρ) = {x, y} and ∀t ∈ [0, 1] : (ρ ↓ x)(t) = t, (ρ ↓ y)(t) = 2t + 1. Local variable z is invisible outside of the scope operator. 3.3.12 Encapsulation operator The behavior of the encapsulation of a process ∂( p) is the same as the behavior of the process argument p with the restriction that only actions from the set Ax = {ca(h, c) | h ∈ C, c ∈ 3} ∪ {τ } can be executed (see Rule 34). In this way, internal send actions isa(h, c) and internal receive actions ira(h, c) are blocked, and only communication actions ca(h, c) and τ actions are allowed. Encapsulation has no effect on time transitions, as defined by Rule 35. ax ,σ 0

E h p, σ i −−−→ h

X , σ 00 i, ax ∈ Ax p0

X E h∂( p), σ i −−−→ h , σ 00 i ∂( p0 ) ax ,σ 0

t,ρ

34

E h p, σ i 7−→ h p0 , σ 0 i t,ρ

E h∂( p), σ i 7−→ h∂( p0 ), σ 0 i

22

35

3.3.13 Maximal progress operator The maximal progress operator gives action transitions a higher priority than time transitions. Action behavior is not affected by maximal progress, see Rule 36. Time transitions are allowed only if no action transitions can be performed (denoted by the notation 9) for the initial valuation σ , see Rule 37. a,σ 0

X , σ 00 i p0

a,σ 0

X , σ 00 i π( p0 )

E h p, σ i −−→ h E hπ( p), σ i −−→ h

36

t,ρ

E h p, σ i 7−→ h p0 , σ 0 i, h p, σ, Ei 9 t,ρ

37

E hπ( p), σ i 7−→ hπ( p0 ), σ 0 i

4 Examples 4.1 Diode An ideal diode has two operating modes: the diode can either block or conduct the current. In mode block, the diode voltage v ≤ 0, and the current i = 0. In mode conduct, the diode voltage v = 0, and the current i ≥ 0. Figure 1 shows the characteristics of an ideal diode. i conduct block v

Figure 1: Characteristics of an ideal diode. The χ model (process term) of a diode is: |[ block 7→ v ≤ 0, i = 0 B conduct , conduct 7→ i ≥ 0, v = 0 B block | block ⊕ conduct ]| The modes of the diode are each specified by means of a mode definition. The disrupt operator is used to switch between the two modes. Initially, the diode can be in either one of the two modes, depending on its environment; or more specific, depending on, among others, voltage or current sources in its environment. The choice composition block ⊕ conduct delays according to the mode variable that can delay. If v = 0 and i = 0, both modes block and conduct can delay. In this case, a nondeterministic choice between the two modes is made. The diode can also be specified in χ as: (v < 0 ⇒ i = 0), (i > 0 ⇒ v = 0), v ≤ 0, i ≥ 0 , 23

where ⇒ denotes logical implication. The difference between the two specifications is that in the first specification, a delay transition must take place within a mode. In case of a mode switch, the delay transition is ‘divided’ into two separate delay transitions: one delay transition according to the first mode, until the time point where the mode switch occurs, and another delay transition according to the second mode. This limits the length of the delay transitions. The second specification does not limit the length of delay transitions. Here, a ‘mode switch’ can occur within a delay transition.

4.2 Half wave rectifier circuit Figure 2 shows a half wave rectifier circuit. It consists of a diode D, two resistors with resistance R0 and R1 , respectively, a capacitor with capacity C 0 , and a voltage source with voltage v0 . In the χ model, symbols f , π, C 0 , R0 and R1 denote constants. v0

i0

R0

D

v1

v2

i2

i1 C0

R1

vG

Figure 2: Half wave rectifier circuit. The χ model is as follows: h time t = 0, init v2 = 0, cont vG , v0 , v1 , i 0 , i 1 , i 2 | v0 = sin(2π f t) || R(i 0 , v0 , v1 , R0 ) || D(i 0 , v1 , v2 ) || C(i 1 , v2 , vG , C0 ) || R(i 2 , v2 , vG , R1 ) || vG = 0 || i 0 = i 1 + i 2 i The process definitions of a diode D, a resistor R, and a capacitor C follow below. D(ext i, vin , vout ) = |[ block 7→ vout ≥ vin , i = 0 B conduct , conduct 7→ i ≥ 0, vin = vout B block | block ⊕ conduct ]| R(ext i, vin , vout , val R) = |[ vin − vout = i R ]| Note that the same identifier R is used to denote both the value parameter and the process name in the resistor model. Using a different name for the value parameter, e.g. R0 : 24

R(ext i, vin , vout , val R0 ) = |[ vin − vout = i R0 ]| does not change the meaning of the model. The capacitor model is: C(ext i, vin , vout , val C) = |[ cont v | v = vin − vout , C v˙ = i ]| After replacing the process instantiations by their process bodies as defined in Section 2.3.2, the following χ process is obtained: h time t = 0, init v2 = 0, cont vG , v0 , v1 , i 0 , i 1 , i 2 | v0 = sin(2π f t) || |[ disc R | R : R = R0 ( v0 − v1 = i 0 R ) ]| || |[ conduct 7→ i 0 ≥ 0, v1 = v2 B block , block 7→ v2 ≥ v1 , i 0 = 0 B conduct | conduct ⊕ block ]| || |[ disc C , cont v | C : C = C0 ( v = v2 − vG , C v˙ = i 1 ) ]| || |[ disc R | R : R = R1 ( v2 − vG = i 2 R ) ]| || vG = 0 || i 0 = i 1 + i 2 i

4.3 Constrained pendulum Figure 3 shows a constrained pendulum. The equations of motion of this pendulum are given by Equation 1. The angle between the pendulum and the vertical is denoted by θ, ω denotes the angular velocity of the pendulum, and l denotes the distance between the rotation point and the mass. θ˙ = ω ml ω˙ = −mg sin(θ) − dlω

(1)

The mass and maximum length of the pendulum are represented by m and L, respectively. The damping coefficient and the acceleration due to gravity are denoted by d and g. The angle of the constraint is denoted by θp . In order to keep the example as small and clear as possible, it is assumed that θp ≥ 0 and |θ| ≤ π/2. Also, it is assumed that the pendulum always remains in a straight line from the rotation point to the end point. The χ model is: h , , |

init θ = θ0 , cont ω = ω0 , l long 7→ θ ≤ θp , l = L B (ω := LLs ω short) short 7→ θ ≥ θp , l = L s B (ω := LLs ω long) ( init ω | long ⊕ short ) 25

O

O Lp

Lp

θp P

θp

P

L −θ

Ls = L − Lp θ m

m

Figure 3: Constrained Pendulum. || θ˙ = ω , ml ω˙ = −mg sin(θ) − dlω i When θ ≤ θp or θ ≥ θp , the pendulum can delay in mode long or short, respectively. In mode long, first, process term θ ≤ θp , l = L must delay. Process term (ω := LLs ω short) can take over only if actual behavior is possible in mode short starting from the reinitialized state, after execution of the assignment to ω. If no behavior is possible in the new mode, then no mode switch can occur. The reinitialization process term (ω := LLs ω short) atomically executes the assignment and the subsequent delay behavior in mode short. For all initial conditions but one, behavior is possible in exactly one mode. Only for the case that θp = θ0 = ω0 = 0, behavior is possible in mode long as well as in mode short. For these initial conditions, the values of θ and ω do not change while delaying because θ˙ = ω˙ = 0. After each delay with θp = θ0 = ω0 = 0, a mode switch to the other mode is possible, but not necessary. Angular velocity ω is declared to be an initialized continuous variable in modes long and short by means of the init declaration ( init ω | long ⊕ short ). The angular velocity cannot be declared as initialized continuous variable at the top level, in the same way as angle θ. This is due to the discontinuous change of ω in reinitializations ω := LLs ω short and ω := LLs ω long. Consider for example process h init x = 0, y = 0 | x := 1 x˙ = 1 || y˙ = 1 i Process term x := 1 x˙ = 1 first reinitializes x to 1, and then delays according to delay predicate x˙ = 1, starting from valuation {x 7→ 1, y 7→ 0}. Variables x and y are both initialized continuous variables. Therefore, delay trajectory ρ x:=1x=1 must ˙ satisfy (ρx:=1x=1 ↓ x)(t) = t + 1 and (ρ x:=1x=1 ↓ y)(0) = 0. Process term y˙ = 1 ˙ ˙ on the other hand delays from valuation {x 7→ 0, y 7→ 0}. Therefore, delay trajectory ρ y˙ =1 must satisfy (ρ y˙ =1 ↓ x)(0) = 0 and (ρ y˙ =1 ↓ y)(t) = t. The parallel composition 26

requires trajectories ρ x:=1x=1 and ρ y˙ =1 to be the same. This is impossible, since ˙ (ρx:=1x=1 ↓ x)(0) = 1, and (ρ y˙ =1 ↓ x)(0) = 0. Therefore, there is no possible ˙ behavior, and the process deadlocks. If the process is changed into h init y = 0, cont x = 0 | (init x | x := 1 x˙ = 1) || y˙ = 1 i, variable x is no longer an initialized continuous variable for predicate y˙ = 1. Therefore, delay trajectory ρ y˙ =1 need only satisfy (ρ y˙ =1 ↓ y)(t) = t. The complete process can now delay according to (ρ ↓ x)(t) = t + 1 and (ρ ↓ y)(t) = t.

4.4 Dry Friction Phenomenon Figure 4 shows a driving force Fd applied to a body on a flat surface with frictional force Ff . When the body is moving with positive velocity v, the frictional force is given by Ff = µFN , where FN = mg. When the velocity of the body equals zero and −µ0 FN ≤ Fd ≤ µ0 FN , where µ0 > µ, the frictional force neutralizes the applied driving force. FN Ff

Fd

v

Figure 4: Dry Friction. In the χ specification of the dry friction phenomenon, modes neg, stop, and pos are specified by means of mode definitions. Mode stop is maintained for as long as the delay predicate v = 0, −µ0 FN ≤ Fd ≤ µ0 FN can delay. When such a delay is not, or no longer, possible, process term (Fd ≤ −µ0 FN :→ neg ⊕ Fd ≥ µ0 FN :→ pos) after the closed disrupt operator I takes over. Therefore, depending on the value of Fd , either the process term specified for mode variable neg or pos is executed. The mode pos (or neg) is maintained until condition v ≤ 0 ∧ Fd ≤ µ0 FN (or v ≥ 0 ∧ Fd ≥ −µ0 FN ) becomes true. When v ≤ 0 and Fd ≤ µ0 FN , the internal action skip is enabled and immediately executed. Subsequently mode stop is executed again. Initially either mode neg, stop or pos is chosen (neg ⊕ stop ⊕ pos), based on the initial values of v and Fd . Identifier f denotes some function ∈ R → R; m , FN , µ0 , µ (µ0 > µ) are constants. h time t = 0, init x = 0, v = 0, cont Fd = f (0) , stop 7→ v = 0, −µ0 FN ≤ Fd ≤ µ0 FN I ( Fd ≤ −µ0 FN :→ neg ⊕ Fd ≥ µ0 FN :→ pos ) , pos 7→ m v˙ = Fd − µFN , v ≥ 0 [] ( v ≤ 0 ∧ Fd ≤ µ0 FN → skip; stop ) , neg 7→ m v˙ = Fd + µFN , v ≤ 0 [] ( v ≥ 0 ∧ Fd ≥ −µ0 FN → skip; stop ) | Fd = f (t), x˙ = v || (neg ⊕ stop ⊕ pos) i 27

4.5 Railroad gate control Consider a train on a circular track, a gate and a controller. When the train approaches the gate, the controller must lower the gate. The controller has a reaction delay u of at most 5 time units. After the train has passed the gate the controller must raise the gate. The purpose of the model is to determine whether or not the gate is always fully lowered when the train is at a certain distance from the gate. Figures 5, 6, and 7 show automaton models of the train, gate and controller respectively. Together, they form the rail gate control system as defined in [27]. Note that in a vertex, the predicate at the top denotes the flow predicate, and the predicate at the bottom denotes the invariant predicate of the vertex. Furthermore, as usual, event labels of edges which do not have to synchronize with other edges, and init predicates false are omitted in the figures. Far x ≤ 5000 −50 ≤ x˙ ≤ −40 x ≥ 1000

x = −100∧ 1900 ≤ x 0 ≤ 4900

Near

x = 1000∧ x0 = x approach

exit

−50 ≤ x˙ ≤ −30 x ≥0

x = 0 ∧ x0 = x

Past −50 ≤ x˙ ≤ −30 x ≥ −100

Figure 5: Train Automaton. A direct translation of a hybrid automaton to χ is defined in [45]. The χ model below is a shorter and more elegant model than the model which is obtained by the direct translation. The χ model takes into account that there is only one train on the circular track, as defined in [27], which implies that the transitions of the self loops of the controller automaton can never occur. Figure 8 shows the iconic χ model of the railroad gate controller. The dashed lines with arrow heads represent synchronization channels (approach, exit, raise, lower), no data is communicated. The following process is a formal specification of the informal iconic model from Figure 8. The maximum reaction delay (5 time units) of the controller is specified in its process instantiation C. h init x, y = 90 | Train(x, approach, exit) || Gate(y, raise, lower) || C(approach, exit, raise, lower, 5) i The train is modeled by the following process definition: 28

true

Move up

raise y0 = y

Open

y = 90∧ y0 = y

y˙ = 9 y ≤ 90

raise y0 = y

y˙ = 0 y = 90

lower y0 = y raise y0 = y lower y0 = y

lower y0 = y

Move down y˙ = −9 y≥0

raise y0 = y Closed

y = 0∧ y0 = y

lower y0 = y

y˙ = 0 y=0

Figure 6: Gate Automaton. true

Idle lower z0 = z

approach z0 = 0 approach z0 = z

exit z0 = 0

z˙ = 1 true raise z0 = z About to raise

About to lower z˙ = 1 z≤5

approach z0 = 0

z˙ = 1 z≤5 exit z0 = z

exit z0 = z Figure 7: Control Automaton.

Train(ext x , chan approach, exit) = |[ x : x ≤ 5000 ; ∗( (−50 ≤ x˙ ≤ −40 [] x ≥ 1000 → approach !!) ; (−50 ≤ x˙ ≤ −30 [] x ≤ −100 → exit !!; x : x ∈ [1900, 4900]) ) 29

lower Gate

approach

C exit

raise

Train

Figure 8: Iconic χ model of the railroad gate controller. ]| Variable x is initialized to a value ≤ 5000 in action predicate x : x ≤ 5000, where after the infinite loop ∗(· · · ) is executed. The velocity x˙ of the train can be any function of time, the value of which remains between −50 and −40. The process waits until the train has reached position x = 1000 and then synchronizes with the controller (approach !!). The train is now approaching the gate. If the train has reached the exit position, such that x = −100, the process synchronizes with the controller, the position x of the train is reset to a value between 1900 and 4900, and the loop is re-executed. The gate is modeled by the following process definition: Gate(ext y , chan raise, lower) = |[ disc n = 0 | y˙ = n || ∗( n < 0 ∧ y ≤ 0 → n := 0 [] n > 0 ∧ y ≥ 90 → n := 0 [] raise ?; n := 9 [] lower ?; n := −9 ) ]| It consists of a parallel composition of an equation ( y˙ = n), where n denotes a local discrete variable, and an infinite loop. The infinite loop is an alternative composition of four process terms. The first process term waits until the gate is lowered (y = 0) and then stops the gate from lowering (n := 0). The second process term waits until the gate is raised (y = 90). The third and fourth process term wait for synchronization with the controller in order to raise or lower the gate (raise ? and lower ? respectively). The four process terms delay in parallel until y becomes equal to 0 or 90, or one of the synchronizations raise ? or lower ?) succeeds. The controller is modeled by the following process definition: C(chan approach, exit, raise, lower, val u) = |[ disc atr = false, t | ∗( approach ?; atr := false; t : t ∈ [0, u]; 1 t ; lower !! [] exit ?; atr := true; t : t ∈ [0, u] [] atr → 1 t ; atr := false; raise !! ) ]| The main part is an infinite loop of three alternatives. The process waits for one of the following events to occur: an approaching train (approach ?), a leaving train (exit ?), 30

or if atr is true, the end of the reaction delay (1t) that precedes raising of the gate. Value parameter u denotes the maximum reaction delay in the controller. Variable t is initialized to a value between 0 and u in action predicate t : t ∈ [0, u], and 1t terminates after t units of time. Boolean variable atr is true if and only if the hybrid automaton that models the controller is in control mode (vertex) ‘About to raise’. Note that variable z in the hybrid automaton is used to model a clock. In χ, clocks need not be modeled explicitly. Delay process terms 1t are used for that purpose.

4.6 Bottle filling system The bottle filling system from Figure 9 consists of a liquid storage tank, and two identical bottle filling lines. Qu

Q a , ca

VT , n, c, pH

Q F1

Q F2

Figure 9: The bottle filling system.

The bottles are filled with liquid from the storage tank. A control system keeps the volume V in the storage tank between 2 and 10, and the pH level (acidity) of the liquid in the storage tank between 7 and 7.1. The liquid in the storage tank slowly becomes less acid (pH level increases). To correct this, a strong acid is dribbled into the storage tank when the acidity of the liquid becomes too low (pH ≥ 7.1). Figure 10 shows the iconic model of the bottle filling system. The lines ending in a small circle represent shared variables (VT , Q F1 , Q F1 ). The acid and liquid supply processes are not modeled, since we consider the acid always to be available, and we are not interested in the amount of acid that is used. The χ specification of the bottle filling system is as follows: h init VT = 2, cont Q F1 , Q F2 | T(VT , Q F1 , Q F2 ) || F(VT , Q F1 ) || F(VT , Q F2 ) i The storage tank and the two bottle filling lines are connected by means of the variables Q F1 , and Q F2 , respectively. Since a bottle may start filling only if the storage 31

T VT

VT Q F1 Q F2 F

F

Figure 10: Iconic representation of the bottle filling system model.

tank contains at least a volume of 2, the volume VT of the storage tank is available in both bottle filling processes. The molar quantity and molar concentration of the acid in the storage tank are denoted by n and c, respectively. The incoming flows of liquid and acid of the liquid storage tank T are denoted by Q u and Q a , respectively. The outgoing flows to the two bottle filling processes are denoted by Q F1 , and Q F2 , respectively. It is assumed that the liquids are incompressible, and that the volumes of the fluids remain the same when they are mixed. In such a case, the volume V of the mixed liquid equals the sum of its components which leads to the following equation V˙ = Q u + Q a − Q F1 − Q F2 . Next, the mass balance (actually mol balance) for the dissolved substance is derived. Acid comes into the tank by means of the flows Q u and Q a . Acid leaves the tank in outgoing flows Q F1 and Q F2 . Because the concentrations are in [mol/m3 ], they can be directly multiplied with the flows (in [m3 /s]), which leads to n˙ = cu Q u + ca Q a − cQ F1 − cQ F2 , where n = cV . The gradual reduction of the acidity of the liquid is modeled by means of a constant K loss, which leads to n˙ = cu Q u + ca Q a − cQ F − K loss V . It is assumed that the acid is completely decomposed. Taking into account that the units of c are in [mol/m3 ] instead of [mol/l], the pH is given by pH = − log c/1000. Initially, the values of V (VT in Figure 9) and pH are known, therefore these two variables are declared as initialized continuous variables. The model of the liquid storage tank illustrates that a differential variable (n) is not necessarily declared as an initialized (continuous) variable. There is still a relation between differential variables and initialized continuous variables, in that the number of initialized continuous variables equals the number of differential variables. For higher index system, even this relation need not hold, see [43]. In the specification below, symbols Q seta , Q setu , ca , cu , and K loss denote constants. The χ specification of the liquid storage tank is given by: 32

T(ext V, Q F1 , Q F2 ) |[ disc α = 0, β = 0 , init pH = 7, cont n, Q a , Q u | V˙ = Q u + Q a − Q F1 − Q F2 , n˙ = cu Q u + ca Q a − cQ F1 − cQ F2 − K loss V , n = cV , pH = − log c/1000 , Q a = α Q seta , Q u = β Q setu || ∗( pH ≥ 7.1 → α := 1; pH ≤ 7 → α := 0 ) || ∗( V ≤ 5 → β := 1; V ≥ 10 → β := 0 ) ]| Initially, the pH of the liquid in the storage tank equals 7. It is assumed that the pH level of the incoming liquid is 7 or more, since the acidity controller can only make the acidity of the storage tank increase, causing the pH to decrease. If the pH value exceeds the maximum value (pH ≥ 7.1), the acid valve is opened (α := 1) so that acid is dribbled into the tank. Dribbling of the acid continues until the pH value comes back at 7, where after the valve is closed (α := 0). In a similar way, the controller tries to keep the level of the storage tank between 5 and 10. A bottle filling line is modeled as follows, where symbols Q setF , and ttr denote constants. F(ext VT , Q F ) = |[ disc α = 0, init V = 0 | V˙ = Q F , Q F = α Q setF || ∗( pH ≤ 7.1 → α := 1 ∗ ; α = 1 → ( V ≥ 1 → α := 0 [] VT ≤ 0.5 → α := 0; VT ≥ 0.7 → α := 1 ) ; 1ttr ; V := 0 ) ]| The valve switching the flow Q F is modeled by means of discrete variable α. When the acidity of the liquid in the storage tank is less than or equal to 7.1, the bottle filling process can be started (α := 1). Filling stops when the volume in the storage tank drops below 0.5 (VT ≤ 0.5 → α := 0). Filling resumes when the volume in the storage tank is at least 0.7. When the bottle is full (V ≥ 1), the valve is closed. The time needed to place a new bottle under the filling nozzle is given by t tr . After that, the bottle volume is reset to 0, which models the arrival of a new bottle, and the filling process is repeated.

4.7 Conveyor system Figure 11 shows a conveyor system that is used for transportation and buffering of boxes. It consists of a line of conveyor belts driven by motors. Each conveyor belt is equipped with a sensor (represented in the figure by a small rectangle), that detects the presence of a box. 33

lc ls

lb x

V

V

Figure 11: The conveyor system.

pci

s0

G p0

sprev

v

p1

V

s1 sprev pi

pci

s

v1 s

p2

sprev

po

Figure 12: Iconic model of the conveyor system.

34

CE

s1

v

V

po

pc2

v

s

s0

pco

C

s

v0 s

pi

pci

pc1

v

s

pc0

pco

C

VE pi

Figure 12 shows the iconic model of a generator G, two conveyor belts V and the associated control processes C. Processes VE and CE are added to obtain a closed system; they do not model actual behavior. The model is a simplified version of the model treated in [44]. The dashed lines with arrow heads represent directed synchronization channels (pc0 , pc1 , pc2 ), the solid lines with arrow heads represent directed communication channels ( p0 , p1 , p2 ), and the lines ending in a small circle represent shared variables (s0 , s1 , v0 , v1 ). The χ specification of the iconic model from Figure 12 is as follows: h disc sG , s0 = false, s1 = false, ls = 2, init v0 = 0, v1 = 0 | G(pc0 , p0 ) || C(v0 , s0 , pc0 , pc1 ) || C(v1 , s1 , pc1 , pc2 ) || CE (pc2 ) || V (sG , s0 , v0 , p0 , p1 , 10, 15, ls ) || V (s0 , s1 , v1 , p1 , p2 , 10, 15, ls ) || VE (s1 , p2 , 10, ls ) i, where ls represents the distance l s as shown in Figure 11. Channels p0 , p1 , p2 are used to communicate box numbers. Channels pc0 , pc1 , pc2 are directed synchronization channels. Variables s0 , s1 , v0 , v1 are shared variables, where s0 and s1 represent the sensors that indicate the presence of a box, and v0 and v1 are actuators that determine the velocity of the respective conveyors. The process definitions are: G(chan pco , po ) = |[ disc box = 1 | ∗( pco !; po ! box; box := box + 1 ) ]| C(ext v, s , chan pci , pco ) = |[ ∗( v := 1; ¬s → pci ?; s → v := 0; pco ! ) ]| V (ext sprev , s, v, chan pi , po , val lb , lc , ls ) = |[ disc box = 0, init x = 0 | box = 0 ⇒ x = −1 || box 6= 0 ⇒ x˙ = v || ∗( pi ? box; x := 0 ; x ≥ lb − ls → sprev := false ; x ≥ lc − ls → s := true ; x ≥ lc → po ! box; box := 0 ) ]| CE (chan pci ) = |[ ∗( pci ? ) ]| VE (ext sprev , chan pi , val lb , ls ) = |[ disc box | ∗( pi ? box; 1(lb − ls ); sprev := false ) ]| 35

After replacing the process instantiations by their process bodies as defined in Section 2.3.2, the following χ process is obtained: h disc sG , s0 = false, s1 = false, ls = 2, init v0 = 0, v1 = 0 | |[ disc box = 1 | ∗( pc0 !; p0 ! box; box := box + 1 ) ]| || |[ ∗( v0 := 1; ¬s0 → pc0 ?; s0 → v0 := 0; pc1 ! )]| || |[ ∗( v1 := 1; ¬s1 → pc1 ?; s1 → v1 := 0; pc2 ! )]| || |[ ∗( pc2 ? ) ]| || |[ disc lb , lc , ls , box = 0, init x = 0 | lb , lc , ls : lb = 10, lc = 15, ls = ls ( box = 0 ⇒ x = −1 || box 6= 0 ⇒ x˙ = v0 || ∗( p0 ? box; x := 0 ; x ≥ lb − ls → sG := false ; x ≥ lc − ls → s0 := true ; x ≥ lc → p1 ! box; box := 0 ) ) ]| || |[ disc box | ∗( pc2 ? box ) ]| || |[ disc lb , lc , ls , box = 0, init x = 0 | lb , lc , ls : lb = 10, lc = 15, ls = ls ( box = 0 ⇒ x = −1 || box 6= 0 ⇒ x˙ = v1 || ∗( p1 ? box; x := 0 ; x ≥ lb − ls → s0 := false ; x ≥ lc − ls → s1 := true ; x ≥ lc → p2 ! box; box := 0 ) ) ]| || |[ disc lb , ls , box | lb , ls : lb = 10, ls = ls ( ∗( p2 ? box; 1(lb − ls ); s1 := false ) ) ]| i In the process body of the first instantiation of control process C, first the conveyor is switched on (v0 := 1), where v0 is the actuator that determines the velocity of the first conveyor belt. The process subsequently waits until the sensor is off (¬s 0 , where ¬ means logical not). Initially, the conveyor is empty and the sensor is off. The process then waits until it can synchronize with the preceding control process by executing pc0 ?. This means that a box may enter the conveyor. Subsequently, the process waits until the box has reached the sensor position (s0 ) so that the sensor is on (value of s0 equals true). Then the conveyor is switched off (s0 → v0 := 0). Subsequently, the control process tries to synchronize with the next control process (pc1 !). After execution of the synchronization (pc1 ! in the first control process, simultaneous with pc1 ? in the second control process), the repetition is re-executed, and the conveyor is switched on again. In the conveyor process V , variable x models the position of the front of the box 36

on the conveyor, and variable box stores the identification number of the box. Identification number 0 means that there is no box on the conveyor. In that case, the value of variable x equals -1 (box = 0 ⇒ x = −1, where ⇒ denotes logical implication). When there is a box on the conveyor, it moves with velocity v (box 6= 0 ⇒ x˙ = v). The physical representation of variables l b , lc , and ls is shown in Figure 11. The value parameters l b , lc , ls in the process definition of V are defined as local discrete variables (lb , lc , ls ) in the translation of the process instantiation, in accordance with the translation rules defined in Section 2.3.2. Value parameter l s is renamed to l s by prefixing it with an underscore, because it conflicts with the global variable l s that is used in the process instantiations (e.g. V ( p0 , p1 , sG , s0 , v0 , 10, 15, ls )). The values of the local discrete variables l b , lc , and ls are defined by action predicate lb , lc , ls : lb = 10, lc = 15, ls = ls . In the infinite repetition of the process body of the first instantiation of the conveyor process, the process starts by waiting until it can receive a box, and initializes the position of the box to 0 ( p0 ? box; x := 0). When x = l b − ls , the back end of the box has just passed the sensor of the previous “conveyor”, which in this case is generator process G. Subsequently, the sensor of the previous conveyor (s prev in the process definition of V , sG in the first conveyor) is switched off. After that, the conveyor process waits until the box has reached the sensor of the conveyor (x ≥ l c − ls ), and the sensor is switched on (s0 := true). Finally, when the box has reached the end of the conveyor (x = l c ), the box is sent to the next conveyor ( p1 ! box), and the loop is re-executed. Simultaneously with execution of p1 ! box by the first conveyor, the second conveyor executes p1 ? box. The box has now crossed the boundary of the two conveyors, and its position is registered by the second conveyor process. The last conveyor process VE is always on, meaning that the belt moves with velocity 1. Therefore, the duration of a box on this conveyor is given by 1(l b − ls ). An alternative specification of conveyor process V follows below. In this model, when a box enters a conveyor ( pi ? box), a new continuous variable x with initial value 0 is created by means of the scope operator |[ init x = 0 | · · · ]|. The position of the box is defined by equation x˙ = v until x ≥ l b − ls . Then, sensor sprev is switched off (sprev := false) , which causes the alternative composition (x˙ = v [] x ≥ l b − ls → sprev := false) to terminate. The difference between this conveyor model and the previous model, is that in the previous model, absence of a box was modeled by means of predicate x = −1, whereas in the model below, absence of the conveyor means that variable x, which models the position of the front of the conveyor, does not exist.

V (ext sprev , s, v, chan pi , po , val lb , lc , ls ) = |[ disc box | ∗( pi ? box ; |[ init x = 0 | (x˙ = v [] x ≥ lb − ls → sprev := false) ; (x˙ = v [] x ≥ lc − ls → s := true) ; (x˙ = v [] x ≥ lc → po ! box) ]| ) ]| 37

4.8 Discrete-event model of a manufacturing line A manufacturing line consists of a generator G, a distributor D, two manufacturing cells C, and an assembling machine MA . Figure 13 shows the iconic model of the manufacturing line. Processes R and E are added to obtain a closed system; they do not model actual behavior. C dc1 G

gd

cm1

D

dr

MA dc2

me

E

cm2 C

R

Figure 13: Iconic model of a manufacturing line. The manufacturing line is modeled as follows, where tgen , tout, ptmin1 , ptmax1 , ptmin2 , ptmax2 , ptmin3 , ptmax3 , ptmin4 , ptmax4 , and pt denote constants. h G(gd, tgen ) || D(gd, dc1 , dc2 , dr, tout ) || R(dr) || C(dc1 , cm1 , ptmin1 , ptmax1 , N1 , ptmin2, ptmax2 ) || C(dc2 , cm2 , ptmin3 , ptmax3 , N2 , ptmin4, ptmax4 ) || MA (cm1 , cm2 , me, pt) || E(me) i G(chan gd, val tgen ) = |[ disc x = false | ∗(1tgen ; gd !! x) ]| D(chan gd, dc1 , dc2 , dr, val tout ) = |[ disc x | ∗(gd ? x ; (dc1 ! x [] dc2 ! x [] 1tout ; dr ! x)) ]| R(chan dr) = |[ disc x | ∗(dr ? x) ]| MA (chan cm1 , cm2 , me, val pt) = |[ disc x, y | ∗((cm1 ? x || cm2 ? y); 1pt; me ! x ∧ y) ]| E(chan me) = |[ disc x | ∗(me ? x) ]| 38

Every tgen time units (assuming tgen ≥ tout , see processes G and D), a product is generated by generator G. A product is modeled by a boolean variable x that is initially false. The boolean indicates whether the product has done the second round in one of the manufacturing cells C. A product enters the manufacturing line via channel gd. The distributor tries to send a product via channel dc 1 or channel dc2 . In case this is not possible within tout time units, the product is rejected and sent to reject process R via channel dr (dc1 ! x [] dc2 ! x [] 1tout ; dr ! x). Process R consumes the rejected products. A manufacturing cell, shown in Figure 14, consists of two machines (Mrw , M) and a N-place FIFO (first-in-first-out) buffer B. in

Mrw

mb

B

bm

M

out

mm

Figure 14: Iconic model of a manufacturing cell. The χ specification of the manufacturing cell is as follows: C(chan in, out, val pt min1, ptmax1 , N, ptmin2 , ptmax2 ) |[ chan mb, bm, mm | Mrw (in, mb, mm, ptmin1, ptmax1 ) || B(mb, bm, N) || M(bm, out, mm, ptmin2 , ptmax2 ) ]| Products enter the cell via channel in. The routing of a product in the manufacturing cell is as follows: Mrw , B, M, Mrw , B, M. Products leave the manufacturing cell via channel out. The process definitions of the buffer and the machines are given by B(chan in, out, val N) = |[ disc x, xs = [ ] | ∗( len(xs) < N → in ? x ; xs := xs ++[x] [] len(xs) > 0 → out ! hd(xs); xs := tl(xs) ) ]| Mrw (chan in, out, mm, val ptmin , ptmax ) = |[ disc x, pt | ∗((in ? x [] mm ? x ; x := true); pt : pt ∈ [ptmin , ptmax ]; 1pt; out ! x) ]| M(chan in, out, mm, val ptmin , ptmax ) = |[ disc x, pt | ∗(in ? x ; pt : pt ∈ [ptmin , ptmax ]; 1pt; (x → out ! x [] ¬x → mm ! x)) ]| The buffer can store up to N products, which are stored in a list xs (len(xs) < N → in ? x ; xs := xs ++[x]), where [x] denotes a list with one element x, and ++ 39

denotes list concatenation. The empty list is denoted by [ ]. If the buffer is not empty, the first product in the buffer can be sent to the machine via channel out (len(xs) > 0 → out ! hd(xs); xs := tl(xs)), where hd(xs) denotes the first element (head) of list xs, and tl(xs) denotes the remainder (tail) of list xs without its first element. Machine M rw receives products from channels in and mm. A product received from mm is assigned the value true, which indicates that this product is processed by machine M rw for the second time (in ? x [] mm ? x ; x := true). The machine has a processing time between ptmin and ptmax time units (pt : pt ∈ [ptmin , ptmax ]; 1pt). Processed products are sent via channel out to the buffer B. Machine M receives products via channel in, and processes them for pt time units. Depending on the value of product variable x, the product is sent either via channel mm to machine Mrw (x equals false) or it leaves the manufacturing cell via channel out (x equals true) (x → out ! x [] ¬x → mm ! x). After processing in one of the two manufacturing cells C, products are sent to machine MA . Machine MA waits to receive one product via channel cm1 , and one product via channel cm2 , in a non-deterministic order (cm1 ? x || cm2 ? y). After processing these two products, the combination of them leaves the manufacturing line via channel out (out ! x ∧ y). Process E consumes the processed products.

5 Validation of the semantics In this section, a notion of equivalence is defined, called stateless bisimulation [35], which is similar to the well-known notion of bisimulation [37, 33]. In Section 5.3, it is shown that this relation is an equivalence and a congruence for all χ operators.

5.1 Well-definedness of the semantics In the term deduction system negative premises are used in Rule 37. As a consequence it is not obvious at first sight whether the term deduction system defines a unique transition system for each closed process term. Well-definedness of the term deduction system can be obtained by providing a stratification [10]. The mapping that associates with every positive formula the number of occurrences of operator π in the left-handside of that formula turns out to be a stratification. Hence, the term deduction system is well-defined.

5.2 Stateless Bisimulation Two closed χ process terms are considered equivalent if they have the same behavior (in the bisimulation sense) in case both are considered from the same initial valuation of model variables and the same environment. Definition 1 (Stateless bisimulation for hybrid systems) A stateless bisimulation on closed process terms is a relation R ⊆ P × P such that ∀( p, q) ∈ R, the following holds: a,σ 0

1. ∀σ, E, a, σ 0 , σ 00 , E 0 : h p, σ, Ei −−→ hX, σ 00 , E 0 i a,σ 0

⇔ hq, σ, Ei −−→ hX, σ 00 , E 0 i, 40

a,σ 0

2. ∀σ, E, a, p0 , σ 0 , σ 00 , E 0 : h p, σ, Ei −−→ h p0 , σ 00 , E 0 i a,σ 0

⇒ ∃q 0 : hq, σ, Ei −−→ hq 0 , σ 00 , E 0 i ∧ ( p0 , q 0 ) ∈ R, a,σ 0

3. ∀σ, E, a, q 0 , σ 0 , σ 00 , E 0 : hq, σ, Ei −−→ hq 0 , σ 00 , E 0 i a,σ 0

⇒ ∃ p0 : h p, σ, Ei −−→ h p0 , σ 00 , E 0 i ∧ ( p0 , q 0 ) ∈ R, t,ρ

4. ∀σ, E, t, ρ, p0 , σ 0 , E 0 : h p, σ, Ei 7−→ h p0 , σ 0 , E 0 i t,ρ

⇒ ∃q 0 : hq, σ, Ei 7−→ hq 0 , σ 0 , E 0 i ∧ ( p0 , q 0 ) ∈ R, t,ρ

5. ∀σ, E, t, ρ, q 0 , σ 0 , E 0 : hq, σ, Ei 7−→ hq 0 , σ 0 , E 0 i t,ρ

⇒ ∃ p0 : h p, σ, Ei 7−→ h p0 , σ 0 , E 0 i ∧ ( p0 , q 0 ) ∈ R. Two closed process terms p and q are stateless bisimilar, denoted by p ↔ q, if there exists a stateless bisimulation relation R such that ( p, q) ∈ R. Before congruence of stateless bisimilarity with respect to the operators of χ is proved in Section 5.3, first some useful properties about the semantics of χ are introduced that can be applied in the remainder of the paper (especially the proofs). Note that in the above definition of stateless bisimilarity it is possible for the valuation of model variables as displayed on an action transition and the valuation of model variables of the state reached by performing the transition to be different. With the current set of deduction rules for the semantics of χ, however, these two valuations are always identical. A similar reasoning applies to the last valuation of a trajectory on a time transition and the valuation in the resulting state. Also note that the environment is never changed in a transition. The following lemma captures these facts. Lemma 1 Let p and p 0 be closed process terms; σ, σ 0 and σ 00 be valuations, E and E 0 be environments, a be an action, ρ be a trajectory, and t be a positive real number. Then a,σ 0

h p, σ, Ei −−→ hX, σ 00 , E 0 i a,σ 0

h p, σ, Ei −−→ h p0 , σ 00 , E 0 i t,ρ

h p, σ, Ei 7−→ h p0 , σ 00 , E 0 i

⇒ σ 0 ≡ σ 00 ∧ E ≡ E 0 , ⇒ σ 0 ≡ σ 00 ∧ E ≡ E 0 , ⇒ ρ(t) ≡ σ 00 ∧ E ≡ E 0 .

where ≡ denotes syntactic equality. Proof. The proof is trivial. Inspection of the result of each χ deduction rule reveals that the indicated syntactic equalities hold necessarily. As a consequence of this lemma, the definition of stateless bisimilarity can be simplified considerably. Yet, with in mind future extensions of the χ language, such as for example variable abstraction, it might well be the case that these properties of the semantics are lost. Since we prefer not to redo all the coming proofs (in such a future), this presentation was chosen. Since in some of the deduction rules negative premises are used, the following lemma is convenient in some of the proofs found in the appendices. It states that two bisimilar process terms not only agree on the transitions they can perform, but also on the transition they cannot perform. 41

Lemma 2 Let p and q be closed process terms such that p ↔ q, σ be a valuation and E be an environment. Then, h p, σ, Ei 9 ⇒ hq, σ, Ei 9 . Proof.

a,σ 0

We assume hq, σ, Ei −−→ hq 0 , σ 00 , E 0 i for some σ, E, a, σ 0 , q 0 , σ 00 , E 0 . a,σ 0

According to Condition 3 of Definition 1, hq, σ, Ei −−→ hq 0 , σ 00 , E 0 i ⇒ ∃ p0 : a,σ 0

h p, σ, Ei −−→ h p0 , σ 00 , E 0 i ∧ ( p0 , q 0 ) ∈ R. This is a contradiction.

5.3 Stateless bisimilarity is a congruence In this section, stateless bisimilarity is proved to be a congruence with respect to all χ operators. As a consequence, algebraic reasoning is facilitated, since it is allowed to replace equals by equals in any context. Theorem 1 (Congruence) Stateless bisimilarity is a congruence with respect to all χ operators. Proof. The deduction rules of the χ language, satisfy the process-tyft format of [35]. Therefore, stateless bisimilarity is a congruence.

6 Related work The χ language is a hybrid process algebra, and is thus related to the other hybrid process algebras: HyPA [17], process algebra for hybrid systems ACPsrt hs [11], the φCalculus [38], the hybrid formalisms based on CSP [30, 15], and the process algebra [48]. The latter three process algebras differ from χ, the other process algebras and most other hybrid formalisms, such as most hybrid automata, in that they [30, 15, 48] do not have shared variables. Shared variables are essential for modular specification of continuous and hybrid systems. The two CSP based formalisms also differ from the other process algebras in that they use a denotational semantics instead of an operational semantics. An operational semantics is generally believed to be more intuitive and easier to understand than a denotational semantics [1]. The φ-Calculus differs from the other process algebras in that continuous behavior is not defined by means of predicates in process terms as in the other process algebras. Instead, continuous behavior is defined by means of an environment. Process terms operate on the environment to update initial values, vector-fields, and algebraic constraints. In this way, the φ-Calculus can deal with dynamically reconfigurable processes. The resulting differential equations are required to be autonomous. This limits the specification of continuous systems, using the φ-Calculus, to that of ordinary differential equations (ODEs). With respect to the integration between the DC and CS world views χ has much in common with HyPA. In fact, several of the concepts present in χ were inspired by HyPA. In particular, the use of delay predicates as atomic process term, the choice 42

operator, the disrupt operator (which in turn was inspired by the LOTOS disabling operator [14]), and the reinitialization operator. There are also several differences between χ and HyPA. Where the HyPA semantics does not specify a solution concepts for delay predicates (algebraic differential equations), the χ semantics rigorously defines a solution concept, that deals with discrete variables, initialized variables, higher index systems and discontinuous trajectories. Of course, since the solution concept of HyPA is a parameter of the semantics, it could use the solution concept defined in χ. Other differences are the higher expressivity of χ with respect to discrete-event behavior, the scope operator and process definition and instantiation. The recently defined process algebra for hybrid systems ACPsrt hs is an extension of a combination of the process algebra with relative timing from [9] and the process algebra with propositional signals from [8]. At the same time, ACPsrt hs has been strongly influenced by hybrid automata: switching between continuous behaviors can take place only by means of actions. In HyPA and χ on the other hand, switching between continuous behaviors does not require actions. Where HyPA is a conservative extension of normal ACP [7], ACPsrt hs is a conservative extension of timed ACP. One of the differences between the two formalisms is that ACPsrt hs ensures time-determinism, HyPA has adopted time-nondeterminism. In ACPsrt hs , passage of time cannot make a choice. This is a result of adopting the alternative composition operator. In HyPA, passage of time can make a choice, which is the result of adopting the choice operator. In χ, both operators are available. The alternative composition operator is essential for modeling discrete-event systems, and the choice operator increases the expressivity for modeling systems consisting of switched equations. Also in hybrid automata there can be both time-determinism and time-nondeterminism. Depending on the initial state, a nondeterministic choice is made for the first location where continuous behavior or discrete behavior may take place. After this first choice, a hybrid automaton behaves in a time-deterministic way. Another difference between χ and HyPA/ACPsrt hs is that the latter two formalisms have derived large sets of axioms to support equational reasoning. In χ, so far, only a limited set of properties has been derived. ACPsrt hs is the only process algebra that ensures consistency of the state with the ‘active predicates’. In ACPsrt hs , the state is a function (valuation) from the normal and dotted variables to their values. The active predicates can be informally defined as those predicates that define the delay behavior of a process term. Informally, using the χ syntax, consistency with the state with the active equations ensures that in x := 1 || y = x, the values of x and y are 1 after assigning 1 to x, independently of the initial value of y. ACPsrt hs also ensures that inconsistent states cannot be reached. Informally, in x := 1 || x = 2, the assignment to x cannot be executed if x is a variable that cannot jump. Such restrictions on jumps or discontinuities of variables are specified using transition propositions (ACPsrt hs uses the term proposition to refer to predicates). Although the concept of ensuring consistency is quite nice, it comes at the cost of considerable complexity of the semantics with more than twice the number of SOS rules than χ. Also, the consistency concept requires the dotted variables to be part of the state, unlike in other formalisms. The semantics achieves consistency for ODEs and for index 1 differential algebraic equations. Consistency of higher index systems is not achieved by the semantics due to the hidden constraints [36, 43] that are present in higher index systems. Other formalisms for hybrid system specification are hybrid Petri nets [19, 22], hybrid I/O automata [32], hybrid automata [2], and formalisms based on hybrid automata 43

such as Charon [3] and Masaccio [26]. There are many differences and similarities between χ and these other formalisms. The main difference, however, between χ and other formalisms is that χ is overall a more expressive formalism. Higher expressivity means either that certain phenomena can be modeled in χ whereas they cannot be modeled in another formalism, or that certain phenomena can be modeled more concisely or more intuitively in χ. The higher expressivity is a result of the following aspects: 1. The integration between the DC and CS world views as explained in Section 1. In this respect χ differs from the other formalisms mentioned above, apart from HyPA. 2. The combination of expressive language primitives, well suited to modeling, with a straightforward semantics, well suited to verification. This was in fact the biggest challenge in the design of χ. After numerous attempts to define the language primitives with associated syntax and semantics, it appeared that either the language was expressive and well suited to modeling, but with complex semantics, unsuited to verification; or the semantics was straightforward and elegant, but at the same time the language was unexpressive and cumbersome for modeling. The reason for this apparent contradiction is that the requirements for language primitives for verification and the requirements for language primitives for modeling are not the same. In the current definition of the χ language, the language is divided into the following three closely related parts: • The core language elements that are suited to both modeling and verification. The semantics of these language elements is defined by means of a structured operational semantics. • The SOS language elements that are suited to verification. The semantics of these language elements is also defined by means of a structured operational semantics. • The modeling language elements that are suited to modeling. The semantics of these language elements is defined by means of a straightforward, small syntactical translation to the core and SOS language elements. One of the concepts that allow concise and intuitive modeling in χ are the so called ‘initialized variables’. In χ, continuous variables can be declared as ‘initialized variables’, either for the whole model or for a certain part of the model, using the initial value operator. The effect of such a declaration for a continuous variable x is comparable to a jump predicate x + = x − (or x 0 = x depending on the syntax used) for every transition where the value of x is not explicitly changed. Such jump predicates occur so frequently in hybrid automata, that they are often • • silently omitted from the edges to avoid clutter. In ACPsrt hs the predicate x = x + − would be used instead of x = x . In HyPA, instead of using jump predicates of the form x + = x − , delay predicates (equations) are prefixed by a set of variables for which discontinuities at the beginning of a time transition are not allowed. 3. The relatively large number of operators dedicated to modeling of discrete-event behavior: This makes it easy to abstract from continuous behavior and specify timed discrete-event models, without any continuous variables and without differential (algebraic) equations. In this respect, χ has much in common with the hybrid formalisms based on CSP [30, 15], and with ACPsrt hs . 44

4. The syntactical and semantical concepts that enable specification of general differential algebraic equation systems, including higher index systems. This enables initialization of algebraic variables, mode switches accompanied by index changes [34], and variables changing dynamically from differential to algebraic. In HyPA, such phenomena could in principle also be specified, using the solution concept defined in χ. Hybrid automata can deal with initialization of algebraic variables using jump predicates on edges, but they cannot deal with higher index systems. This is due to the presence of hidden constraints [36, 43] in higher index systems. The separation of flow conditions and invariants in hybrid automata breaks in the presence of hidden constraints. Consider for example the flow condition y˙ = z with invariant y = 1. A jump to this location would be possible for z having a value of 1. This would however violate the hidden constraint z = 0, which can be obtained after differentiation of equation y = 1. 5. Process instantiation, based on the scope operator: this enables hierarchical composition of processes. It also provides encapsulation and data hiding, and it enables reuse of processes: parameterized processes can be defined once and instantiated many times with the same or different parameters. In this respect, the χ language is related to Charon and Masaccio, which allow components to be defined and instantiated. The χ formalism, being a process algebra, does not only allow parallel composition (as Charon and Masaccio) and sequential composition (as Masaccio), but also provides alternative composition and choice. Local variables, variable abstraction and/or action abstraction are present also in other formalisms. ACPsrt hs provides data abstraction by means of the signal hiding operator. Hybrid I/O automata [32] define both action abstraction and variable abstraction, which are referred to as hiding of external actions and external variables. Hybrid (I/O) automata, however, need to be ‘compatible’ to allow parallel composition. Hybrid I/O automata, for example, require disjointness of the internal variables of the automata in parallel composition. In χ, the concepts of variable abstraction and channel abstraction (comparable with action abstraction in other formalisms) are integrated in the scope operator, which also provides a local scope for variables, channels, and recursion definitions. In this respect, the χ scope operator is a high level modeling primitive unavailable in the other hybrid formalisms. Also, there are no compatibility restrictions on processes for parallel composition. Modular composition of processes is further supported by means of different interaction mechanisms. Processes can interact in three different ways: • By means of shared variables, which is the main interaction mechanism for continuous-time processes consisting of systems of differential algebraic equations. Interaction between processes in Charon and Masaccio also takes place by means of shared variables. Synchronization by means of actions is, however, not supported. • By means of channel based ‘handshake synchronization’. It is comparable to actions in (hybrid) (I/O) automata and actions in ACP-based process algebras. A difference is that actions can be used to express multi-party synchronization. The synchronization mechanism used in χ is CSP [28] based. A channel can be shared by any number of processes, but synchronization always occurs on a point-to-point basis, so between exactly two processes. 45

Another difference is that the interaction mechanism in χ also allows synchronous communication, as explained below, whereas actions are strictly used for synchronization. • By means of synchronous communication, which is the CSP interaction mechanism that combines synchronization with data-transfer, as also used in [30, 15]. The following section discusses translations from piecewise affine systems to χ. For a translation of a hybrid automaton to χ we refer to [45].

6.1 Translations of piecewise affine systems to Chi In this section, two general translation schemes are given. One scheme defines the translation of continuous-time piecewise affine systems to a χ specification. The other scheme defines a translation of discrete-time piecewise affine systems to χ. 6.1.1 Continuous-time PWA Continuous-time piecewise affine systems are described by N systems of affine differential equations x(t) ˙ = Ai x(t) + Bi u(t) + fi x(t) for ∈ i , y(t) = Ci x(t) + Di u(t) + gi u(t) where i (i = 1, . . . , N) is the number of the mode. Each mode i is defined in a region i , which is a convex polyhedron, given by a finite number of linear inequalities, in the input/state space. Here, u(t) ∈ Rm , x(t) ∈ Rn , and y(t) ∈ Rl denote the input, state and output, respectively, at time t. Furthermore, f i , and gi denote constants. In each mode, the trajectories of the state variables x are continuous functions of time. The trajectories of the input/output variables in a mode may be discontinuous functions of time. Continuous-time PWA systems, which are well-posed using the Caratheodory solution concept, can be translated to χ as follows: h time t = 0, init x = x 0 , cont y , R 7→ ( 1 , x˙ = A1 x + B1 u + f 1 , y = C1 x + D1 u + g1 ⊕ .. . ⊕ N , x˙ = A N x + B N u + f N , y = C N y + D N u + g N ) BR | R i The state variables x are modeled by means of initialized continuous variables, with initial value x 0 . The output variables y are modeled by means of (normal) continuous variables. The behavior of u is not specified, as in the original PWA model. In the χ model, u could denote a function of time, or u could be defined as a continuous variable and additional equations specifying the behavior of u could be added. The behavior associated to a mode i is described by means of a delay predicate ( i , x˙ = Ai x + Bi u + f i , y = Ci x + Di u + gi ). The choice composition of the behavior of the modes allows only the behavior of one mode at a time, i.e. only that mode for which the corresponding delay predicate holds. 46

6.1.2 Discrete-time PWA Discrete-time PWA systems are described by x(k + 1) = Ai x(k) + Bi u(k) + fi y(k) = Ci x(k) + Di u(k) + gi

for

x(k) u(k)

∈ i

for i = 1, . . . , N. Here, u(k) ∈ Rm , x(k) ∈ Rn , and y(k) ∈ Rl denote the input, state and output, respectively, at the k’th time-point. Discrete-time PWA systems can be translated to χ as follows: h disc x = x 0 , y, k = 0 | ∗( ( 1 → hx, yi := hA1 x + B1 u.k + f 1 , C1 x + D1 u.k + g1 i [] .. . [] N → hx, yi := hA N x + B N u.k + f N , C N y + D N u.k + g N i ) ; k := k + 1 ) i The state variables x are modeled as discrete variables, and are initialized to x 0 . The output variables y are also modeled by means of discrete variables. We assume u to denote an array of points, such that u.i denotes the value of u at the i ’th time-point. In the repetition ∗( ), the state and output variables are assigned new values according to one of the modes. Subsequently, k is increased by one. The behavior associated to a mode is described by means of a multiple assignment hx, yi := hA i x + Bi u.k + f i , Ci x + Di u.k + gi i. The alternative composition of the behavior of the modes allows the state and output variables to be assigned new values according to the mode for which the corresponding guard (i ) holds.

7 Conclusions and Future Work The χ language combines a high expressivity with a an elegant, straightforward, formal semantics. It is suited to modeling, simulation and verification of timed discreteevent systems without (differential) equations, continuous-time systems consisting of general differential algebraic equations, and combined discrete-event/continuous-time systems. It is especially suited for the specification and analysis of complex systems. Process instantiation enables encapsulation, data hiding, hierarchical composition and reuse of processes. Modular composition is supported by means of the parallel composition and sequential composition operators, and by means of the different interaction mechanisms: handshake synchronization and synchronous communication for discrete-event processes, and shared variables for continuous-time processes. Future work entails among others: • Derivation of properties of the χ operators. • The definition of a translation from χ to hybrid automata and input languages of verification tools to enable verification of model properties. For timed models, without differential equations, such tools could be K RONOS [20], U PPAAL [31], Spin [29], and µCRL [24]. For hybrid models H Y T ECH [5], CheckMate [41], d/dt [6], and the tools [4, 16] are options. 47

• Redesign of the hybrid χ simulator [21]. • Formalization of distributions, that are extensively used to model stochastic behavior in χ discrete-event simulation models, and possibly extension of the χ formalism with stochastic differential equations.

Acknowledgments The authors would like to thank Jos Baeten, Pieter Cuijpers, Albert Hofkamp, Niek Jansen, Erjen Lefeber, Henk Nijmeijer, Sasha Pogromsky, and Frits Vaandrager for helpful comments and stimulating discussions.

References [1] Luca Aceto, Willem Jan Fokkink, and Chris Verhoef. Structural operational semantics. In Handbook of Process Algebra. Elsevier, 1999. [2] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P. H. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems. In Theoretical Computer Science, volume 138, pages 3–34. SpringerVerlag, 1995. [3] R. Alur, T. Dang, J. Esposito, Y. Hur, F. Ivan˜cić, V. Kumar, I. Lee, P. Mishra, G. J. Pappas, and O. Sokolsky. Hierarchical modeling and analysis of embedded systems. In First Workshop on Embedded Software EMSOFT’01, Lecture Notes in Computer Science 2211. Springer Verlag, 2001. [4] R. Alur, T. Dang, and F. Ivan˜cić. Progress on reachability analysis of hybrid systems via predicate abstraction. In Oded Maler and Amir Pnueli, editors, Hybrid Systems : Computation and Control, 6th International Workshop, Lecture Notes in Computer Science 2623, pages 4–19. Springer-Verlag, 2003. [5] R. Alur, T. A. Henzinger, and P. H. Ho. Automatic symbolic verification of embedded systems. IEEE Transactions on Software Engineering, 22:102–119, 1996. [6] E. Asarin, O. Bournez, T. Dang, and O. Maler. Approximate reachability analysis of piecewise-linear dynamical systems. In Nancy A. Lynch and Bruce H. Krogh, editors, Hybrid Systems : Computation and Control, Third International Workshop, Lecture Notes in Computer Science 1790, pages 21–31. Springer-Verlag, 2000. [7] J. Baeten and W. Weijland. Process Algebra, volume 18 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, Cambridge, United Kingdom, 1990. [8] J.C.M. Baeten and J.A. Bergstra. Process algebra with propositional signals. In Theoretical Computer Science, volume 177, pages 381–406. Springer-Verlag, 1997. [9] J.C.M. Baeten and C.A. Middelburg. Process algebra with timing. In EACTS Monographs in Theoretical Computer Science. Springer-Verlag, 2002. 48

[10] J.C.M. Baeten and C. Verhoef. Concrete process algebra. In S. Abramsky, D.M. Gabbay, and T.S.E. Maibaum, editors, Handbook of Logic in Computer Science, volume 4, chapter Semantic Modelling, pages 149–268. Oxford University Press, 1995. [11] J. A. Bergstra and C. A. Middelburg. Process algebra for hybrid systems. Technical Report CS-Report 03-06, Eindhoven University of Technology, Department of Computer Science, The Netherlands, 2003. [12] V. Bos and J. J. T. Kleijn. Automatic verification of a manufacturing system. Robotics and Computer Integrated Manufacturing, 17(3):185–198, 2000. [13] V. Bos and J. J. T. Kleijn. Formal Specification and Analysis of Industrial Systems. PhD thesis, Eindhoven University of Technology, 2002. [14] E. Brinksma. A tutorial on LOTOS. In Michel Diaz, editor, Proc. Protocol Specification, Testing and Verification V, pages 171–194, Amsterdam, 2002. [15] Zhou Chaochen, Wang Ji, and Anders P. Ravn. A formal description of hybrid systems. In Rajeev Alur, Thomas A. Henzinger, and Eduardo D. Sonntag, editors, Hybrid Systems III - Verification and Control, Lecture Notes in Computer Science 1066, pages 511–530. Springer-Verlag, 1996. [16] E. Clarke, A. Fehnker, Z. Han, B.H. Krogh, O. Stursberg, and M. Theobald. Verification of hybrid systems based on counterexample-guided abstraction. In Hubert Garavel and John Hatcliff, editors, Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science 2619, pages 192–207. Springer-Verlag, 2003. [17] P. J. L. Cuijpers and M. A. Reniers. Hybrid process algebra. Technical Report CS-Report 03-07, Eindhoven University of Technology, Department of Computer Science, The Netherlands, 2003. [18] P. J. L. Cuijpers, M. A. Reniers, and W. P. M. H. Heemels. Hybrid transition systems. Technical Report CS-Report 02-12, Eindhoven University of Technology, Department of Computer Science, The Netherlands, 2002. [19] R. David and H. Alla. On hybrid Petri nets. Discrete Event Dynamic Systems: Theory & Applications, 11(1-2):9–40, 2001. [20] C. Daws, A. Olivero, S. Tripakis, and S. Yovine. The tool Kronos. In Rajeev Alur, Thomas A. Henzinger, and Eduardo D. Sonntag, editors, Hybrid Systems III - Verification and Control, Lecture Notes in Computer Science 1066, page 208219. Springer-Verlag, 1996. [21] G. Fábián. A Language and Simulator for Hybrid Systems. PhD thesis, Eindhoven University of Technology, 1999. [22] A. Di Febbraro, A. Giua, and G. Menga, editors. Special Issue on Hybrid Petri Nets, volume 11, no. 1 and 2 of Journal of Discrete Event Dynamic Systems, 2001. [23] A. F. Filippov. Differential Equations with Discontinuous Right Hand Sides. Kluwer Academic Publishers, Dordrecht, 1988. 49

[24] J.F. Groote. The syntax and semantics of timed µCRL. Technical Report SENR9709, CWI, The Netherlands, 1997. [25] W. P. M. H. Heemels, B. De Schutter, and A. Bemporad. Equivalence of hybrid dynamical models. Automatica, 37(7):1085–1091, 2001. [26] T. A. Henzinger. Masaccio: A formal model for embedded components. In First IFIP International Conference on Theoretical Computer Science (TCS), Lecture Notes in Computer Science 1872, pages 549–563. Springer-Verlag, 2000. [27] T. A. Henzinger. The theory of hybrid automata. In M.K. Inan and R.P. Kurshan, editors, Verification of Digital and Hybrid Systems, volume 170 of NATO ASI Series F: Computer and Systems Science. Springer-Verlag, New York, 2000. [28] C. A. R. Hoare. Communicating sequential processes. Communications of the ACM, 21(8):666–677, 1978. [29] Gerard J. Holzmann. The SPIN Model Checker: Primer and Reference Manual. Addison Wesley Professional, Boston, 2003. [30] He Jifeng. From CSP to hybrid systems. In A. W. Roscoe, editor, A Classical Mind, Essays in Honour of C.A.R. Hoare, pages 171–189. Prentice Hall, 1994. [31] Kim G. Larsen, Paul Pettersson, and Wang Yi. U PPAAL in a Nutshell. Int. Journal on Software Tools for Technology Transfer, 1(1–2):134–152, 1997. [32] N. A. Lynch, R. Segala, and F. W. Vaandrager. Hybrid I/O automata. Technical Report MIT-LCS-TR-827d, MIT Laboratory for Computer Science, Cambridge, MA 02139, 2003. To appear in Information and Computation. [33] R. Milner. A Calculus of Communicating Systems, volume 92 of lncs. springer, 1980. [34] Pieter J. Mosterman and John E. Ciolfi. Embedded code generation for efficient reinitialization. In 15th Triennial World Congress of the International Federation of Automatic Control, 2002. CD-ROM. [35] M.A. Reniers en J.F. Groote M.R. Mousavi. Congruence for SOS with data. Technical Report CS-Report 04-05, Eindhoven University of Technology, Department of Computer Science, The Netherlands, 2004. [36] C. C. Pantelides. The consistent initialization of differential-algebraic systems. SIAM J. Sci. Stat. Comput., 9(2):213–231, 1988. [37] D.M.R. Park. Concurrency and automata on infinite sequences. In P. Deussen, editor, Proceedings 5th GI Conference, volume 104 of lncs, pages 167–183. springer, 1981. [38] William C. Rounds and Hosung Song. The φ-calculus - a hybrid extension of the π-calculus to embedded systems. Technical Report CSE 458-02, University of Michigan, USA, 2002. [39] R. R. H. Schiffelers, D. A. van Beek, K. L. Man, M. A. Reniers, and J. E. Rooda. Formal semantics of hybrid Chi. In First International Workshop on Formal Modeling and Analysis of Timed Systems. Springer-Verlag, 2003. To be published. 50

[40] R. R. H. Schiffelers, D. A. van Beek, K. L. Man, M. A. Reniers, and J. E. Rooda. A hybrid language for modeling, simulation and verification. In S. Engell, H. Guéguen, and J. Zaytoon, editors, IFAC Conference on Analysis and Design of Hybrid Systems, pages 235–240, Saint-Malo, Brittany, France, 2003. [41] B. I. Silva, K. Richeson, B. H. Krogh, and A. Chutinan. Modeling and verification of hybrid dynamical system using CheckMate. In S. Engell, S. Kowalewski, and J. Zaytoon, editors, Hybrid Dynamical Systems—Proc. of 4th International Conference on Automation of Mixed Processes, pages 323–328, Dortmund, 2000. [42] V. I. Utkin. Sliding Modes in Control Optimization. Springer-Verlag, Berlin, 1992. [43] D. A. van Beek, V. Bos, and J. E. Rooda. Declaration of unknowns in dae-based hybrid system specification. ACM Transactions on Modeling and Computer Simulation, 13(1):1–23, 2003. [44] D. A. van Beek, S. H. F. Gordijn, and J. E. Rooda. Integrating continuoustime and discrete-event concepts in modelling and simulation of manufacturing machines. Simulation Practice and Theory, 5:653–669, 1997. [45] D. A. van Beek, N. G. Jansen, K. L. Man, M. A. Reniers, J. E. Rooda, and R. R. H. Schiffelers. Relating Chi to hybrid automata. In S. Chick, P. J. Saánchez, D. Ferrin, and D. J. Morrice, editors, Proceedings of the 2003 Winter Simulation Conference, pages 632–640, New Orleans, United States, 2003. [46] D. A. van Beek and J. E. Rooda. Languages and applications in hybrid modelling and simulation: Positioning of Chi. Control Engineering Practice, 8(1):81–91, 2000. [47] D. A. van Beek, A. van den Ham, and J. E. Rooda. Modelling and control of process industry batch production systems. In 15th Triennial World Congress of the International Federation of Automatic Control, Barcelona, 2002. CD-ROM. [48] J.J. Vereijken. A process algebra for hybrid systems. In Bouajjani and Maler, editors, The Second European Workshop on Real-Time and Hybrid Systems, Grenoble, France, 1995.

51

Syntax and Formal Semantics of Hybrid Chi

Syntax and Formal Semantics of Hybrid Chi

Suggest Documents

Formal Semantics of Hybrid Chi - CiteSeerX

Formal Syntax and Semantics of Programming Languages

Formal Syntax and Semantics of Programming Languages

Syntax and Semantics of Timed Chi - Semantic Scholar

Syntax and Semantics

SYNTAX AND SEMANTICS - arXiv

formal semantics, syntax, pragmatics: an essence of programming ...

between semantics and syntax

Russian syntax and semantics

LOIS: Syntax and Semantics - MIMUW

(Syntax)âSemantics

Syntax-Semantics Interface

THE SYNTAX-SEMANTICS INTERFACE

Syntax and Semantics of Fluid Construction Grammar

The Syntax and Semantics of ÂµCRL - CiteSeerX

THE SYNTAX AND SEMANTICS OF UNSELECTED ... - CiteSeerX

The Syntax and Semantics of Locating Adverbials

Formal Tropos: language and semantics

Syntax-Semantics Interface - Google Sites

Syntax-Semantics Interface - Google Sites

Syntax-Semantics Interface - Google Sites

Russian syntax and semantics - Springer Link

Syntax and Semantics in Algebra Introduction - CiteSeerX

Dissociating Syntax and Semantics in Sentence Comprehension

Syntax and Formal Semantics of Hybrid Chi