Hybrid Process Algebra

Hybrid Process Algebra DISSERTATION

for the attainment of the degree of doctor at the Technische Universiteit Eindhoven, on the authority of the Rector Magnificus, prof.dr. R.A. van Santen, for a committee appointed by the College voor Promoties, to be defended in public on Thursday 9 December 2004 at 14.00 hours by

Pieter Jan Laurens Cuijpers, born in Helden

This dissertation has been approved by the supervisors: prof. dr. ir. J.F. Groote and prof. dr. ir. P.P.J. van den Bosch

Co-supervisor: dr. ir. M.A. Reniers

CIP-DATA LIBRARY TECHNISCHE UNIVERSITEIT EINDHOVEN Cuijpers, Pieter J.L. Hybrid process algebra / by Pieter Jan Laurens Cuijpers. - Eindhoven : Technische Universiteit Eindhoven, 2004. Thesis. - ISBN 90-386-0972-8 NUR 993 Subject headings: process algebra / dynamical systems / hybrid computers CR Subject Classification: F.4.3, F.3.2, I.6.5

For my father, who gave me an interest in both computer science and physics.

First supervisor:

prof. dr. ir. J.F. Groote

Second supervisor:

prof. dr. ir. P.P.J. van den Bosch

Co-supervisor:

dr. ir. M.A. Reniers

Core committee: prof. dr. I. Lee, prof. dr. ir. C.A. Middelburg

The work in this thesis is supported by the Technology Foundation STW/PROGRESS grant EES.5173.

The work in this thesis has been carried out under the auspices of the research school IPA (Institute for Programming research and Algorithmics). IPA dissertation series 2004-20 ©

Pieter J.L. Cuijpers 2004. All rights are reserved. Reproduction in whole or in part is prohibited without the written consent of the copyright owner. Printing: Eindhoven University Press Cover design: Paul Verspaget Illustration front cover: Hypatia of Athens

Contents

1 Introduction  1
1.1 The research field of hybrid systems  2
1.2 Mathematical modeling  3
1.3 Hybrid systems modeling  5
1.4 Hybrid interaction  6
1.5 Modeling discontinuities  10
1.6 Algebraic reasoning  13
1.7 Structure of this thesis  15

I Hybrid Process Algebra  19

2 Semantic models for hybrid systems  21
2.1 A general model of systems  22
2.2 Hybrid system types  27
2.3 Embedding of classical theories  30
2.3.1 Embedding into hybrid behavioral systems  30
2.3.2 Embedding into hybrid automata  31
2.3.3 Embedding into hybrid transition systems  32
2.3.4 Comparison  39
2.4 Notions from computer science and control science  40
2.4.1 Runs and transfinite runs  40
2.4.2 Equivalence  42
2.4.3 Control notions  48
2.5 Conclusion  54

3 Hybrid process algebra  55
3.1 Syntax and semantics of HyPA  56
3.1.1 Syntax  56
3.1.2 Formal semantics  60
3.2 Steam boiler example  66
3.3 Algebraic reasoning in HyPA  67
3.3.1 Robust bisimilarity of processes  68
3.3.2 Axiomatization  70
3.3.3 Congruence and soundness  77
3.3.4 Recursion principles  78
3.3.5 Conservativity and rewriting  79

4 Related Work  83
4.1 Hybrid automata  84
4.2 Other process algebras  87
4.3 Control theory formalisms  89

II Modeling and Analysis of Hybrid Processes  93

5 Modeling hybrid physical processes  95
5.1 Modeling physical systems  97
5.1.1 Constitutive equations  97
5.1.2 Bond graphs  98
5.1.3 Time-scale abstraction  105
5.2 Constitutive hybrid processes  109
5.2.1 Bond  114
5.2.2 Resistance  114
5.2.3 Inductance and capacitance  114
5.2.4 Sources  115
5.2.5 Junctions  116
5.2.6 Controlled junctions and switches  116
5.2.7 Transformers and gyrators  121
5.3 Examples  121
5.3.1 Collision  121
5.3.2 Impact control at Assembleon  123
5.3.3 An electrical circuit  126
5.3.4 Newton's cradle  132
5.4 Conclusions  138

6 Safety of hybrid processes  141
6.1 Specification of safety  143
6.2 Algebraic safety analysis of linear hybrid processes  147
6.3 Safety of a hybrid variant of Fischer's protocol  149
6.4 Conclusive remarks  154

7 Modeling and control of a component mounter  157
7.1 Preliminaries about process algebraic reasoning in a physical context  158
7.2 The pick-and-place module  163
7.2.1 Adapting the actuator model  164
7.2.2 Switching in a physical context  166
7.3 Control strategy  169
7.4 Safety requirements  171
7.5 Analysis  172
7.5.1 Seek  173
7.5.2 Bounce  178
7.5.3 Inelastic bounce  184
7.5.4 Detect  191
7.6 Conclusion  194

8 Conclusions  197
8.1 A conservative extension  198
8.2 Algebraic reasoning  199
8.3 Modeling of hybrid processes  201
8.4 Analysis of hybrid processes  202

A Definitions and theorems from topology  213

B Robust bisimulation coincides with stateless bisimulation  217

C Soundness of the axiomatization of robust bisimulation  219

D The recursive specification principle for robust bisimulation  227

E Conservativity of HyPA with respect to ACP  233
E.1 ACP ⊢ p ≈ q implies HyPA ⊢ p ≈r q  233
E.2 HyPA ⊢ p ≈r q implies ACP ⊢ p ≈ q  238

F Details of the elimination of parallel composition  247
F.1 The rewrite system  248
F.2 Soundness of the rewrite system  249
F.3 The rewrite system is strongly normalizing  249
F.4 Normal forms are basic terms  250

G Specification of safety: proof  251

H Soundness of axioms for predicate encapsulation  253
H.1 ∂Pm(d ≫ δ) ≈r δ  253
H.2 ∂Pm(d ≫ ǫ) ≈r d ≫ ǫ  253
H.3 ∂Pm(d ≫ a) ≈r (d ∼ [¬Pm]−) ≫ a  253
H.4 ∂Pm(d ≫ c) ≈r d ≫ (c ∧ (¬Pm))  254
H.5 ∂Pm(x ⊕ y) ≈r ∂Pm(x) ⊕ ∂Pm(y)  255
H.6 ∂Pm(x ⊙ y) ≈r ∂Pm(x) ⊙ ∂Pm(y)  255
H.7 ∂Pm(x ⊲ y) ≈r ∂Pm(x) ⊲ ∂Pm(y)  255

I Soundness of axioms for (initially stateless) bisimilarity  257
I.1 d ≫ a ⊙ x ≈ d ≫ a ⊙ d! ≫ x  257
I.2 d ≫ c ⊲ x ≈ d ≫ c ⊲ (d ∼ D(c))! ≫ x  258

J RSP for (initially stateless) bisimilarity  261

K Linearization of Fischer's protocol  265

L Congruence of (initially stateless) bisimilarity  271

Preface "In a side street you often come across the most beautiful things" [Loesje]

Writing a PhD thesis is in many ways like a hiking trip in the outdoors. You need stamina and perseverance, never giving up when the mosquitoes bite you, or when a proof turns into a counter example. You need to stand fast when a bear, or some professor from another university, crosses your path and gives you that look as if he's going to eat you. Remember that he doesn't mean it personally. You need to know that in the end the panorama, or the deep mathematical insight, may be very rewarding, but also that when you get home, you find out you can't really explain it to anybody who hasn't been there. Most of all, however, you need a good base camp, and partners you can rely upon. That is why I would like to thank, first of all, my promotores prof. dr. ir. Jan Friso Groote and prof. dr. ir. Paul van den Bosch, for making this expedition possible, and for occasionally giving advice on how to develop into a good researcher. Especially, I would like to thank my daily supervisor dr. ir. Michel Reniers, whom I'd rather simply call Michel, and who was never far away if the bears or the mosquitoes became too overwhelming. Also, STW-Progress, Philips CFT and Assembleon are thanked for their financial and material support of this project. My project partner Aleksandar Juloski is appreciated for the often polarizing discussions we had.

Secondly, I would like to thank all the researchers that I met on the trail. Especially, of course, my co-authors who inspired me with their ideas, gave me confidence in my own ideas, helped me along with some proofs, and were simply nice people to work with. In order of appearance: Michel Reniers (again), André Engels, Maurice Heemels, Jan Broenink and Pieter Mosterman. Furthermore, there are Erik Gaal and Arno de Vet, who were occasionally involved in discussions around the whole project, and there are the people from (E)ESI, from the GRASP-lab at PENN University, and from OAS and HG6.45, that I shared rooms, ideas, lunches, and dart-games with, especially Mohammad, Stephan, Giovanni, Peter, Ramon, Ka-Lok and Bert.

Thirdly, there is a number of people that listened patiently to all my excited babbling about balls that bounce infinitely often and other things that are really not that interesting when you are at a dinner, at a birthday party, playing go or badminton, or making music. Of course, I do not feel pity for you, because you could have known in advance that's what happens if you ask a question like "what is your research actually about?". Still, you make me feel at home. So, all my friends, team-mates and fellow musicians, represented by my paranymphs Michiel and Harm, thank you very much.

Finally, there is my family to thank. My father, to whom I dedicate this thesis because he inspired me to become a researcher. My mother, who joined forces with my German language teacher Vos to get me to work in a more neat and tidy way. That turned out to be an invaluable achievement after all. My brother Mathijs, my sister Willemijn, my almost-brother-in-law Gerard and my actual-brother-in-law Dick, for simply being family and good company, which includes all the adventures,

the mischief and the quarrels resulting from that. My parents-in-law, Bas and Rita, I want to thank not only for their wonderful daughter, but also for all the times they came, entirely voluntarily, to spend their holidays in Eindhoven, which has brought considerable improvements to our home. The 'Willemientjes' also came in very handy when some typing and thinking still had to be done during the evening hours. My wife Ingrid and my daughter Marieke have become so invaluable that I could fill a thesis on them alone. I love you both very much, and I hope that you will continue to join me on the hiking trips that are yet to come.

Chapter 1

Introduction “In these days of specialization there are too few people who have such a deep understanding of two departments of our knowledge that they do not make fools of themselves in one or the other.” [“The meaning of it all”, Richard P. Feynman]

1.1 The research field of hybrid systems

Engineers use models of systems to make predictions about the performance of their new designs, to locate errors in existing machines, and for many other reasons. Such a model of a system is always an abstraction, a simplification, of reality. The goal that the engineer has with a model determines which details from reality should at least be included. For example, if an engineer wants to verify whether a car engine always starts correctly, the electronics and mechanics of the engine need to be modeled fairly accurately, while the design of the chassis is probably unimportant and can be abstracted from. Furthermore, the type of model one makes determines what kind of details can at most be included. In the case of the car engine, it is important to make a model that contains both the electronics and mechanics. Only drawing an electrical circuit, or a mechanical diagram, is simply insufficient when the interaction between both is important. When the goal of a model requires more detail than any single type of model can cope with, different model types need to be combined. For the combination of electronics and mechanics, this has already led to so-called mechatronics in the past. But in newly designed cars, computer software is also involved in the process of starting the engine. The need for a combination of electronics, mechanics and software in one single model was one of the reasons why the field of hybrid systems came into existence.

Recent developments in industry (and not only the car industry) show a rapid growth in the application of so-called embedded software. This is software used to control parts of a mechanical, electrical, or chemical (for short: physical) device while at the same time providing an interface with the user of the device. As it turns out, embedded software gives great flexibility when designing a new product, or adapting an existing one. However, it also gives rise to a need for new ways of modeling. The control engineers that design the physical device use different modeling and analysis techniques than the software engineers that design the software. In order to be able to make statements about the common end-product, there is a need for a common modeling language that allows for models in which the necessary details of both fields can be included and analyzed. The goal of this thesis is the creation of such a language.

In the remainder of this chapter we make this goal more precise by explaining our views on the concept of mathematical modeling. This gives some insight into the underlying reasons for many of the choices that are made throughout this thesis. We also discuss the consequences of this view in the context of hybrid systems theory, and study what a hybrid modeling formalism should consist of. Subsequently, we study some alleged shortcomings in existing hybrid formalisms, in particular with respect to the modeling of hybrid interactions and the modeling of discontinuities. Lastly, we explain our own interest in algebraic reasoning, and the consequences of this for the work presented in this thesis.

1.2 Mathematical modeling

A mathematical formalism provides us with a structure in which we can describe systems, and in which we can analyze them. Mathematical modeling often makes use of two such formalisms, called syntax and semantics (see figure 1.1).

Figure 1.1 Mathematical Modeling (diagram: a Syntactical Formalism, containing a Syntactical Description that is analyzed using Calculation Rules, and a Semantical Formalism, containing a Semantical Description that is analyzed using Theoretical Notions; the two descriptions are connected by arrows labeled "axiomatization" and "solution")

The semantical formalism (in short: semantics) is intended to support the modeling of a system on a low level of abstraction. The semantical description of a system uses a relatively simple mathematical structure. Motion, on a semantical level, can for example be modeled using functions of time to space, while an algorithm running on a computer can be modeled using a graph-like structure called a transition system. The semantical formalism contributes to the analysis of systems by the intuitive definitions it provides of the theoretical notions we want to analyze. Because of its simplicity as a mathematical structure, the semantical formalism allows us to give a precise, and intuitive, definition of several notions like equivalence, stability, absence of deadlock, controllability, and observability (some of these terms are explained in more detail in chapter 2).

The syntactical formalism (in short: syntax) is intended to facilitate a less cumbersome description of a system. In contrast to the mathematically simple description method that the semantical formalism provides, the syntactical description is focussed on the ease of notation. Writing down, on paper, the complex ways in which planets move using functions of time would be impossible, because there are simply too many (infinitely many) possible evolutions, especially when no initial condition is given. Describing them using, for example, differential equations provides us with a finite representation of the same set of functions. Similarly, writing down a counting algorithm as a transition system leads to problems if the counting can proceed in an unlimited way, since an infinite number of transitions may be needed. Pascal or C++ code is far better suited for such a task. Syntax provides a concise, finite way of handling semantical, and often infinite, mathematical objects. This suggests that the syntactical and semantical formalisms are coupled. A differential equation has solutions in terms of functions of time. A piece of C++ code, although perhaps not formally, represents a transition system. In figure 1.2, the connection between syntax and semantics is depicted for two classical theories, namely differential algebra (for system theory) and process algebra (for computer science).

Figure 1.2 Examples in the Mathematical Modeling Scheme of Classical Theories (diagram: for system theory, the syntax Differential Equations with calculation rules Lyapunov Theorems, and the semantics Behavioural Systems with the theoretical notion Stability; for computer science, the syntax Process Terms with calculation rules Axioms on Bisimulation, and the semantics Transition Systems with the theoretical notion Bisimulation Equivalence)

The contribution of syntax to the analysis of systems is through axioms, theorems and other ways of reasoning, which we refer to in figure 1.1 as calculation rules. Because syntax and semantics are coupled, the notions that are defined in the semantics can be described and analyzed using the syntax. Axioms (for example) usually represent notions of equivalence on the semantics, while the theorems about the stability of systems correspond to the definition of stability in semantical terms. For the analysis of systems it is important that the coupling between syntax and semantics is formal. Programming languages like C++ lack this formal coupling, which makes them very hard to analyze. This is one of the reasons for the development of a formal semantics for languages like UML [David et al., 2002, Gogolla and Parisi-Presicce, 1998, Evans et al., 1998], and χ [Bos and Kleijn, 2002, Arends, 1996, van Beek and Rooda, 2000]. Those languages were originally intended for other purposes, like simulation, and can now be used for analysis as well. Typical syntactical languages that were developed with the intention of analysis from the beginning are process algebras like ACP (Algebra of Communicating Processes) [Baeten and Weijland, 1990, Fokkink, 1998], µCRL (micro Common Representation Language) [Groote and Reniers, 2001, Reniers et al., 2002] and CCS (Calculus of Communicating Systems) [Milner, 1980].

In this thesis, we develop a mathematical formalism for the modeling and analysis of hybrid systems. In the remainder of this chapter, we explain in more detail what the requirements on such a hybrid formalism are. In chapter 2, we concentrate on the semantical part of our formalism. A good semantics helps in finding a good syntax and makes the formalization of intuitions possible. In chapter 3, we develop a syntax for this semantics and show, among other things, that the new hybrid formalism is a conservative extension of control science and computer science. A conservative extension, in short, is a formalism in which models from control science and computer science (and all theorems about those models) are still valid. Finally, in chapter 4 we discuss the relation between our theory and other hybrid formalisms that can be found in the literature.

1.3 Hybrid systems modeling

As was already explained in more detail in section 1.1, the theory of hybrid systems studies the combination of continuous/physical and discrete/computational behavior. When computational software is combined with mechanical and electrical components, or is interacting with, for example, chemical processes, a hybrid system arises in which the interaction between the continuous behavior of the components and the discrete behavior of the software is important. In current practice, the continuous part of a system is often described and analyzed using methods from control science, while the discrete part is handled by computer science. The design of the complete system is usually such that interaction between the continuous and discrete part is suppressed to a minimum. Because of this suppressed interaction, analysis is possible to some extent, but it limits the design options. In the field of hybrid systems theory, researchers attempt to extend the possibilities for interaction. The main goal of this thesis is to develop a mathematical formalism to support these attempts. Our hope is that this hybrid formalism can serve as a mathematical basis for improvement of the design strategies of hybrid systems, and of the possibilities to analyze them. In figure 1.3, a graphical representation is given of the general aim of our efforts.

Figure 1.3 Developing Hybrid Theory (diagram with boxes: Systems Theory Syntax and Computer Science Syntax, both related to Hybrid Theory Syntax; Systems Theory Semantics and Computer Science Semantics, both related to Hybrid Theory Semantics)

The figure shows our desire that a hybrid formalism is, in a sense, a conservative extension of systems theory and computer science. More precisely, all models from systems theory and computer science should be expressible, and preferably look the same, in the hybrid formalism. Also, theorems from systems theory and computer science should be transferable to the hybrid formalism, when restricted to models from the original field. In the remainder of this thesis, system theory and computer science are often also referred to as classical formalisms, as opposed to combinations of those in hybrid formalisms. To have a conservative extension of the classical formalisms is the first goal of our hybrid formalism. The second goal is that there should also be a certain interaction possible between continuous and discrete behavior, reflecting the interaction between software and physics described before. This goal is harder to formalize, but in the next section we hope to give some feeling for it, by pointing out deficiencies (in our opinion) of existing hybrid formalisms. In section 1.5, we point out another deficiency of many hybrid formalisms, regarding the modeling of discontinuous behavior. We hope to improve on both deficiencies with our hybrid formalism. As a third goal, we aim at a formalism in which algebraic reasoning is possible. This is further discussed in section 1.6.

1.4 Hybrid interaction

Many of the existing hybrid formalisms that stem from computer science, like the hybrid automata of Henzinger [Henzinger, 1996] and Lynch et al. [Lynch et al., 2003], as well as the hybrid process algebras of Vereijken [Vereijken, 1995], Jifeng [Jifeng, 1994] and Rounds [Rounds and Song, 2003], are restricted in their definition of interaction between systems. Surprisingly, in most cases, the consequences of these restrictions come to light in a purely continuous case study. Let us consider the following example, depicted in figure 1.4, of a continuous plant P described by the differential equation ẋ = f(x, u), and a continuous controller C described by u = g(x). The interaction between plant and controller is denoted P ∥ C.

Figure 1.4 Continuous control system (diagram: plant P with ẋ = f(x, u) and controller C with u = g(x), connected by the signals x and u)

The hybrid automata of Henzinger [Henzinger, 1996], as well as the hybrid process algebras of Vereijken [Vereijken, 1995] and of Jifeng [Jifeng, 1994], assume that the continuous behavior of two composed systems is independent. Using these formalisms, the system P ∥ C would not model any interaction between P and C at all, since the only interaction between systems can be through computational actions. The variable x of P would simply be regarded as different from the variable x of C. Hence, in our opinion, these formalisms cannot be considered to be a conservative extension of systems theory. At least, they do not support the way in which we would like to think about parallel composition of systems. The semantics of the tool HyTech [Ho, 1995, Alur et al., 1996] is constructed in such a way that shared continuous variables do not pose a problem. However, this formalism is not suitable for our purposes, since it is not algebraic (see section 1.6), and only supports a restricted class of differential equations.

More surprisingly, it turns out that the parallel composition of the above processes is not properly defined for the hybrid I/O automaton model of Lynch, Segala and Vaandrager [Lynch et al., 2003] either, at least not without a few amendments. In the formalism of [Lynch et al., 2003], it is necessary to identify variables as either state variables of a system, or as external variables of the system. These two sets of variables are supposed to be disjoint. The intuition behind this partition is that the state variables model the memory of the system, while the external variables model the communication with other systems. Therefore, in a parallel composition, it is required that two hybrid I/O automata are compatible, meaning that the state variables of the one automaton do not intersect with any of the variables of the other automaton. Now, looking at the plant P of figure 1.4, we see that we need to choose x to be a state variable, otherwise information on x is lost between transitions, but it also needs to be an external variable, since we need to communicate its value with the controller C. This contradicts the requirement on hybrid I/O automata that the set of state variables and the set of external variables are disjoint. The problem is not as big as it may seem, since by adding an external variable y, and the equation y = x, to the description of P, and changing the description of C to u = g(y), we can declare x to be a state variable, and find that the systems have become compatible. So, although the system in figure 1.4 cannot be modeled as P ∥ C directly in this hybrid I/O automaton model, we can model the modification depicted in figure 1.5 instead.

Figure 1.5 Compatible continuous control system (diagram: plant P with ẋ = f(x, u) and y = x, controller C with u = g(y), connected by the signals y and u)
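As an added illustration of the compatibility condition just described (example code written for this edition, not from the thesis or from [Lynch et al., 2003]): the variable interfaces of figures 1.4 and 1.5 are encoded as sets, the disjointness and compatibility requirements are checked, and the closed loop of figure 1.5 is simulated with a constructed plant f(x, u) = u and controller g(y) = −y, so that ẋ = −x. The names HIOA, compatible, simulate_figure_1_5 and simulate_substituted, and the chosen f and g, are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Added example: variable interfaces of hybrid I/O automata and the
# compatibility check described in section 1.4. HIOA, compatible, the two
# simulate functions and the plant/controller below are constructed here.


@dataclass(frozen=True)
class HIOA:
    """Variable interface of a hybrid I/O automaton: its name, the state
    variables (the memory of the automaton) and the external variables
    (used for communication with other automata)."""
    name: str
    state_vars: frozenset
    external_vars: frozenset

    def well_formed(self) -> bool:
        # The model requires the two variable sets to be disjoint.
        return self.state_vars.isdisjoint(self.external_vars)

    @property
    def variables(self) -> frozenset:
        return self.state_vars | self.external_vars


def compatible(a: HIOA, b: HIOA) -> bool:
    """Two automata are compatible when both are well formed and the state
    variables of either one do not intersect any variable of the other."""
    return (a.well_formed() and b.well_formed()
            and a.state_vars.isdisjoint(b.variables)
            and b.state_vars.isdisjoint(a.variables))


# Figure 1.4: the plant must keep x as a state variable (memory) and also
# share it with the controller, so x would have to be external as well.
P_DIRECT = HIOA("P", frozenset({"x"}), frozenset({"x", "u"}))
C_DIRECT = HIOA("C", frozenset(), frozenset({"x", "u"}))

# Figure 1.5: an extra external variable y with y = x lets x stay a pure
# state variable; the controller now reads y instead of x.
P_FIXED = HIOA("P'", frozenset({"x"}), frozenset({"y", "u"}))
C_FIXED = HIOA("C'", frozenset(), frozenset({"y", "u"}))


def simulate_figure_1_5(f, g, x0, dt=1e-3, steps=1000):
    """Forward-Euler run of the closed loop of figure 1.5: the plant holds x
    and publishes y = x; the controller reads only y and publishes u = g(y)."""
    x = x0
    for _ in range(steps):
        y = x          # the plant's external copy of its state
        u = g(y)       # the controller never touches the plant's x directly
        x = x + dt * f(x, u)
    return x


def simulate_substituted(f, g, x0, dt=1e-3, steps=1000):
    """The same loop with the controller substituted into the plant,
    i.e. the single differential equation x' = f(x, g(x))."""
    x = x0
    for _ in range(steps):
        x = x + dt * f(x, g(x))
    return x


# Constructed plant and controller: x' = u with u = -x, so x decays as e^-t.
def plant(x, u):
    return u


def controller(y):
    return -y


def closed_loop_demo():
    """Returns (x via y, x substituted) after one time unit from x0 = 1.0;
    both runs agree with each other and approximate e^-1 (about 0.3679)."""
    return (simulate_figure_1_5(plant, controller, 1.0),
            simulate_substituted(plant, controller, 1.0))


if __name__ == "__main__":
    print("figure 1.4 interface well formed:", P_DIRECT.well_formed())
    print("figure 1.4 compatible:", compatible(P_DIRECT, C_DIRECT))
    print("figure 1.5 compatible:", compatible(P_FIXED, C_FIXED))
    print("x(1) via y, substituted:", closed_loop_demo())
```

The two simulation functions make the same point as the text's intuition on parallel composition: routing the plant's state through the external variable y gives exactly the trajectory one obtains by substituting u = g(x) into the plant equation, so the compatibility workaround of figure 1.5 changes the bookkeeping of variables but not the behaviour of P ∥ C.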

In [Polderman and Willems, 1998] it was already noted that the partitioning of the variables of a system into state variables and external variables is not always uniquely determined by the equations that describe the system. Even in our simple control example, it is possible to use the equations x = y and u = g(x), and declare x external and y a state variable. This is one reason why we would like to avoid the partitioning of the set of variables of a system in our semantics. Another reason is that in basic textbooks on control theory (for example [Dorf and Bishop, 1995]), one usually starts out with developing controllers for plants of which the state variables are also output variables. It therefore seems that the intuition behind compatibility, that state variables do not play a role in communication with other systems, does not coincide with the system-theoretic intuition. This is confirmed by the theory discussed in [Polderman and Willems, 1998], where state variables may also be output variables of a system, while external variables may be inputs or outputs. In this thesis, we show that partitioning the model variables as done for hybrid automata is in fact not necessary if a slightly different semantical view is taken.

The hybrid process algebra we present in this thesis was developed in close cooperation with the people working on the formal semantics of the language hybrid χ, which is focussed on the simulation of hybrid systems. Their operational semantics [Schiffelers et al., 2003a] uses a semantical structure similar to the hybrid transition systems we introduce in chapter 2. Also the hybrid process algebra of Bergstra and Middelburg [Bergstra and Middelburg, 2003] uses a hybrid transition system semantics. In chapter 4, we discuss the relation between our hybrid process algebra, hybrid χ and the process algebra of [Bergstra and Middelburg, 2003] in more detail.

In the φ-calculus [Rounds and Song, 2003], the semantics assumes continuous behavior to be a property of the environment, rather than of the process itself. There, (urgent) environmental actions allow the process to change the rules for continuous behavior, specified by differential equations and invariants, in an interleaving manner. This leads to a consistent update of the differential equations and invariants in the environment. The semantics of the φ-calculus is such that the environment can only execute time transitions if the total set of differential equations that is placed in the environment is autonomous. Since the φ-calculus only takes the differential equations into account for autonomicity, the environment resulting from P ∥ C is not considered autonomous in this language. This, ultimately, leads to a deadlocking situation in the process P ∥ C. In the φ-calculus the processes (ẋ = f(x, u)) ∥ (u = g(x)) and (ẋ = f(x, g(x))) ∥ (u = g(x)) are not equivalent.
These observations contradict with our intuition on the parallel composition. In hybrid action systems [R¨onkk¨o et al., 2003], the parallel composition of P and C leads to the desired result, ignoring some syntactic differences. However, the parallel composition of two differential equations (x˙ = 1) k (x˙ = 2) results in a process that acts like the differential inclusion x˙ ∈ {1, 2}. This, again, contradicts with our intuition. We would expect contradicting equations to result in deadlock. Nevertheless, both the ‘interleaving’ approaches from the φ-calculus and hybrid action systems, might turn out to be useful in situations where our intuition is flawed, and the theories might be considered complementary to the hybrid process algebra introduced in this thesis. In conclusion, we might state that we aim for a formalism, in which the parallel composition has a similar intuition as in [Lynch et al., 2003], but without having to require compatibility of the composed systems. Furthermore, we aim for a process algebraic formalism, which means that we emphasize the compositional structure of systems, as is explained in the next section. As far as we know, the hybrid process algebra developed in this thesis, together with hybrid χ and the


Chapter 1 Introduction

process algebra of [Bergstra and Middelburg, 2003], are the only process algebras for hybrid systems so far, in which interaction is defined according to the above requirement. In the next section, we will discuss another requirement on the theory we are developing, which has to do with the modeling of discontinuous behavior.

1.5 Modeling discontinuities

In this section, we informally discuss our views on the modeling of discontinuous behavior. We point out certain modeling restrictions in existing theories, and indicate how the theory presented in this thesis intends to improve on those restrictions. In order to illustrate our intuitions, we sometimes make use of notation that is formally introduced in chapter 3.

In Henzinger’s hybrid automata [Henzinger, 1996], and most other hybrid formalisms, it is assumed that physical variables perform only continuous behavior, unless they are specifically altered by assignment transitions. For some hybrid descriptions of physical behavior, however, it is convenient that certain variables can also behave discontinuously. Take, for example, the electrical circuit depicted in figure 1.6, in which a switch determines the voltage over a resistor-capacitor combination.

Figure 1.6 An electrical circuit with a switch (the circuit consists of a voltage source ue, resistors R1 and R2, and a capacitor C)

For such a system, it is desirable to model the voltage over, and the current through, the resistors (uR1, uR2, iR1 and iR2) as discontinuous functions of time. A possible hybrid automaton model for this circuit is depicted in figure 1.7. Note that arbitrary jumps are modeled on the transitions for the discontinuous variables (i.e. not for uC!). This is necessary because, without deeper analysis of the differential equations, we do not know what kind of discontinuities may occur. In order to avoid discontinuous behavior that violates the physical properties of the circuit, we may indicate in the hybrid automaton model that the algebraic equations used to describe the electrical circuit are invariants. As an example of an undesired discontinuity, one should note that, when the switch closes, the current through the second resistor (iR2) is determined completely by the source voltage ue and the voltage over the capacitor uC. The invariants make sure that no other assignments can be made to iR2.

Figure 1.7 A hybrid automaton modeling the electrical circuit. The automaton has two locations, connected by transitions labeled act: close and act: open, each with jump condition jmp: uR1, uR2, iR1, iR2, iC :∈ R.

First location: flow: u̇C = (1/C) iC; inv: iR1 = −iR2, uR1 = iR1 R1, uR2 = iR2 R2, uR1 = uR2 + uC, iR2 = iC.

Second location: flow: u̇C = (1/C) iC; inv: uR1 = ue, uR1 = iR1 R1, uR2 = iR2 R2, uR1 = uR2 + uC, iR2 = iC.
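As an added illustration (not code from the thesis), the following Python script executes the hybrid automaton of figure 1.7 numerically: in each location the discontinuous variables are solved from the invariants given uC alone, the flow u̇C = (1/C) iC is integrated with a forward Euler step, and a switch re-solves those variables while uC keeps its value. The component values, the step size, the location names 'first'/'second' (in the order of figure 1.7) and the switching schedule are constructed assumptions.

```python
from dataclasses import dataclass
import math

# Constructed component values for this example (not from the thesis):
# resistances in ohm, capacitance in farad, source voltage in volt.
R1, R2, C, UE = 1000.0, 2000.0, 1e-3, 5.0


@dataclass(frozen=True)
class Valuation:
    """Values of the circuit variables of figure 1.7 at one instant."""
    uC: float
    iC: float
    uR1: float
    uR2: float
    iR1: float
    iR2: float


def solve_invariants(location: str, uC: float, ue: float = UE) -> Valuation:
    """Determine the discontinuous variables from uC alone, using the
    invariants of a location of figure 1.7. 'first' is the location with
    iR1 = -iR2, 'second' the one with uR1 = ue (the names are ours)."""
    if location == "first":
        # iR1 = -iR2, uR1 = iR1 R1 and uR1 = uR2 + uC = iR2 R2 + uC
        iR2 = -uC / (R1 + R2)
        iR1 = -iR2
        uR1 = iR1 * R1
    elif location == "second":
        # uR1 = ue, uR1 = iR1 R1 and uR2 = uR1 - uC = iR2 R2
        uR1 = ue
        iR1 = ue / R1
        iR2 = (ue - uC) / R2
    else:
        raise ValueError(f"unknown location {location!r}")
    return Valuation(uC=uC, iC=iR2, uR1=uR1, uR2=iR2 * R2, iR1=iR1, iR2=iR2)


def invariants_hold(location: str, v: Valuation, ue: float = UE,
                    tol: float = 1e-9) -> bool:
    """Check every invariant of the location on a valuation."""
    shared = (abs(v.uR1 - v.iR1 * R1) < tol
              and abs(v.uR2 - v.iR2 * R2) < tol
              and abs(v.uR1 - (v.uR2 + v.uC)) < tol
              and abs(v.iR2 - v.iC) < tol)
    if location == "first":
        return shared and abs(v.iR1 + v.iR2) < tol
    return shared and abs(v.uR1 - ue) < tol


def flow(location: str, v: Valuation, duration: float,
         dt: float = 1e-3) -> Valuation:
    """Run the location's flow: forward Euler on u'C = (1/C) iC, with the
    algebraic variables re-solved after every step (constructed step size)."""
    uC = v.uC
    for _ in range(int(round(duration / dt))):
        uC += dt * solve_invariants(location, uC).iC / C
    return solve_invariants(location, uC)


def switch(location: str, v: Valuation) -> tuple[str, Valuation]:
    """Take the close/open transition. uC is not in the jump set and keeps
    its value; the other variables jump to whatever the new invariants force."""
    target = "second" if location == "first" else "first"
    return target, solve_invariants(target, v.uC)


def rc_response(ue: float, t: float) -> float:
    """Analytic uC(t) in the second location from uC(0) = 0: the capacitor
    charges through R2 with time constant R2 C."""
    return ue * (1.0 - math.exp(-t / (R2 * C)))


def run(schedule, uC0: float = 0.0):
    """Alternate flow and switch, starting in the first location with the
    capacitor at uC0. Returns (location, valuation) after every step."""
    location, v = "first", solve_invariants("first", uC0)
    trace = [(location, v)]
    for duration in schedule:
        v = flow(location, v, duration)
        trace.append((location, v))
        location, v = switch(location, v)
        trace.append((location, v))
    return trace


if __name__ == "__main__":
    # Constructed schedule: 0.1 s in the first location, switch,
    # 1 s in the second location, switch back.
    for loc, val in run([0.1, 1.0]):
        print(f"{loc:6s} uC={val.uC:.4f}  iR2={val.iR2:.6f}  uR1={val.uR1:.3f}")
```

The printed trace shows iR2 and uR1 jumping at each switch while uC is continuous, and every valuation satisfies the invariants of its location.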

Now, in the case of higher index differential equations, the approach of using invariants to avoid undesired discontinuities breaks down. As an example, let us consider a system described by the following equations, in which z is a variable that may behave discontinuously: ẋ = z, ẏ = −z, x = y. As before, an assignment to z that violates these equations is undesirable. But the approach that is usually taken in hybrid automata theory, to take all algebraic equations to be invariants, does not work here. The choice of z is independent from the choice of x and y. Clearly, the system can only perform continuous behavior if the value of z is reset immediately to zero. This, however, is insight obtained through analysis of the equations, and should therefore not be used when modeling a system. As far as we know, there is no solution in hybrid automaton theory for this problem, which is why we take a different approach regarding discontinuous behavior in the theory presented in this thesis.

We recognize that, due to switching between modes, differentiated variables can sometimes be discontinuous. Therefore, when writing down a differential equation (or more generally, a flow predicate) in our hybrid formalism, we indicate explicitly whether a variable is allowed to perform jumps before engaging in a flow. A flow predicate combined with such an indication is called a flow clause. The notation ( V | Pf ), that is formally introduced in chapter 3, shows a flow predicate Pf, defining which flows are allowed by the clause, while the set V denotes which variables are not allowed to jump before engaging in a flow. If z is not allowed to jump initially (i.e. z ∈ V), we find deadlock for the higher index differential equations of the previous example when initially z ≠ 0. If it is allowed to jump (z ∉ V), only those discontinuities can occur for which a solution exists. Using this way of modeling, the electrical circuit of figure 1.6 could, with abuse of some more notation that is formally introduced in chapter 3, be modeled as the process X in the following recursive definition:

$$
X : \left( \{u_C\} \;\middle|\; \begin{array}{l}
\dot u_C = \tfrac{1}{C}\, i_C \\
i_{R1} = -i_{R2} \\
u_{R1} = i_{R1} R_1 \\
u_{R2} = i_{R2} R_2 \\
u_{R1} = u_{R2} + u_C \\
i_{R2} = i_C
\end{array} \right)
\;\oplus\;
\left( \{u_C\} \;\middle|\; \begin{array}{l}
\dot u_C = \tfrac{1}{C}\, i_C \\
u_{R1} = u_e \\
u_{R1} = i_{R1} R_1 \\
u_{R2} = i_{R2} R_2 \\
u_{R1} = u_{R2} + u_C \\
i_{R2} = i_C
\end{array} \right)
\;\rhd\; X.
$$

Notice that this is not a direct translation of the hybrid automaton. In the theory we are developing, we do not need to give explicit names to the ‘open’ and ‘close’ actions, although we could if that were desired from a modeling perspective. Furthermore, it is not necessary to make a distinction between invariants and other flow predicates.

In this thesis, discontinuities are modeled not as a kind of atomic actions (as with hybrid automata), but as re-initializations of processes. These re-initializations can be used as well to model conditional execution of a process. The notation [ V | Pr ] ≫ x, formally introduced in chapter 3, denotes that a process x is executed, but with the valuation of the variables changed according to the re-initialization predicate Pr. The set V contains, contrary to the notation of flow clauses, those variables that are allowed to change during a re-initialization. For example, an assignment of the value 1 to x, using an action a, under the condition that x is larger than 3 to begin with, is modeled as: [ x | x⁻ > 3 ∧ x⁺ = 1 ] ≫ a. Note that other variables are not allowed to change value while this action is executed. Some peculiar aspects of using re-initialization are discussed in section 3.1.2, and sometimes lead to unexpected axioms in section 3.3.

In the case of our higher index problem, the following equivalences can be derived using our hybrid formalism in combination with reasoning on the solutions of differential equations.

 ¯  ¯ x˙ = z   ¯ −   ¯ ¤    ¯ ∅ ¯ z 6= 0 ≫    {z} ¯ y˙ = −z    ¯ x=y    x˙ = z    ¯ −  £ ¤   y˙ = −z   ∅ ¯ z 6= 0 ≫       x=y

≈r ≈r

δ   x˙ = z        y˙ = −z        x=y

The first of these equivalences reflects that an initial value other than 0 for z will block the whole process if z is not allowed to jump by the flow clause. The second equivalence reflects that the initial value is irrelevant if z is allowed to jump. These equivalences seem to express a certain intuition on which variables form a fixed part of the state of a process, and which variables are free to choose. If we capture more of these basic insights into equivalences, the set of equivalences we obtain can be considered a set of axioms for our formalism. The derivation of more complex insights using the axioms is called algebraic reasoning. This is the topic of the next section.

1.6 Algebraic reasoning

In systems theory, algebraic reasoning is acknowledged by most people as one of the most powerful tools available for analyzing physical behavior. This behavior is usually described by differential equations and inclusions, which model the rate of change of the value of certain continuous variables, and algebraic equations or inequalities modeling constraints. In this thesis, we use a generalization of differential inclusions, in the form of so-called flow clauses, for the modeling of continuous behavior. This generalization is inspired by the work of [van der Schaft and Schumacher, 2000b].

In computer science, the usefulness of algebra is still a topic of much debate, but nevertheless there are interesting examples of applications of process algebra (see for example [Groote and Reniers, 2001] for a list of references to protocol verifications, [Bos and Kleijn, 2002, 2003] for a start in the description and analysis of other industrial size problems, like the design of a controller for a coating system and a turntable system, and [Fokkink et al., 2000] for the description and analysis of railway interlocking specifications). In process algebra, the discrete actions that a system may perform are often considered atomic elements of the algebraic description language. These ‘atomic actions’ can be combined using compositional operators describing choice between behaviors, sequential execution of behaviors, and concurrent execution of behaviors. The way in which processes are combined using operators tells us something about the structure of the resulting process. The added value of process algebra over other approaches from computer science is, in our opinion, that process algebra

allows us to study different structural representations of the same system. This means that we can draw conclusions about the behavior of the whole system, based on analysis of subsystems. Subsystems are smaller, and therefore often easier to analyse. Furthermore, if one of the subsystems is difficult to analyse, the other subsystems can still be studied analytically, while only resorting to less precise methods like, for example, simulation for the difficult part.

If the discrete actions of process algebra interact with the variables that play a role in the flow clauses, this is described using so-called re-initialization clauses. These clauses can be used to precisely specify the discontinuous behavior of model variables. Also the concept of re-initialization clauses is inspired by [van der Schaft and Schumacher, 2000b].

In chapter 3, we combine the compositional view on systems that process algebra gives us with the continuous and discontinuous physical behaviors described by systems theory. To this end, we take the process algebra ACP [Baeten and Weijland, 1990] and extend it with a new atom, describing continuous behavior through the use of flow clauses, and with a new family of unary operators, describing discontinuous behavior through re-initialization clauses, as mentioned before. Also, we import the disrupt operator from the process algebra LOTOS [Brinksma, 1985], since it turns out to model the sequential composition of flow clauses well. The choice for ACP is rather arbitrary, and we expect that the methods described in this thesis can be easily extended to other process algebras.

Other attempts to develop a hybrid process algebra can be found in [Schiffelers et al., 2003b, van Beek et al., 2003, Schiffelers et al., 2003a] (hybrid χ), [Vereijken, 1995, Bergstra and Middelburg, 2003] (hybrid versions of ACP), [Jifeng, 1994] (hybrid CSP) and [Rounds and Song, 2003] (φ-calculus). In chapter 4, we will discuss the differences and similarities between these algebras and the process algebra developed in this thesis.

Finally, we should note that within other hybrid formalisms that stem from computer science, like hybrid automata [Henzinger, 1996, Lynch et al., 2003], hybrid Petri nets [Bail et al., July, 1991, Alla and David, 1998, Demongodin and Koussoulas, June, 1996, 1998, Febbraro et al., 2001] and hybrid action systems [Rönkkö et al., 2003], the use of algebraic reasoning on differential equations for analysis purposes is not uncommon. It is the process algebraic reasoning that is underexposed. For a translation of hybrid automata into the process algebras CSP, timed µCRL, and hybrid χ, see [Amthor, 1998], [Willemse, 2003, Groote and van Wamel, 2001], and [van Beek et al., 2003], respectively.

In the hybrid theory that has been developed by system theorists (see for example [van der Schaft and Schumacher, 2000b, 2001, Bemporad and Morari, 1999, Heemels et al., 2001, van der Schaft and Schumacher, 1998, E.D. Sontag, 1981]) algebraic reasoning is usually possible. However, none of these theories support reasoning about what is called ‘non-determinism’ in process algebraic terms. Non-determinism is the possibility to have different internal behaviors, while the external behavior of a system is the same. Non-deterministic models arise when one abstracts from the precise way in which choices are made. This is explained in more detail in chapter 2. Since we would like to construct a theory in which computer scientists can perform the same abstractions as they did before, we would also like to be able to handle non-determinism. Therefore, we consider the system theoretic formalisms as non-conservative with respect to computer science. Dealing with non-determinism is intimately connected to the equivalence notion of bisimulation. We should note here that first investigations into what the notion of bisimilarity means for continuous systems can be found in [Haghverdi et al., 2003, Lafferriere et al., van der Schaft, 2004].

In section 3.3, we prove formally that the hybrid process algebra that is developed in chapter 3 is a conservative extension of the process algebra ACP, and by construction of the semantics it is immediately clear that it is a conservative extension of differential inclusions. In other words, our hybrid theory encompasses reasoning about process algebra and differential inclusions. But, more importantly, it also allows interaction between them. It is a suitable hybrid theory according to the goals we mentioned in section 1.3.

1.7 Structure of this thesis

Apart from the introduction and the conclusions in chapter 8, this thesis consists of two parts that are rather different in character. In part one, consisting of chapters 2, 3 and 4, the hybrid process algebra HyPA is developed. In chapter 2, different hybrid semantical formalisms are studied, and one is chosen as a semantical basis for HyPA. The work presented in this chapter is a combination of what appeared earlier as [Cuijpers et al., 2001, Cuijpers and Reniers, 2002, Cuijpers et al., 2002, Cuijpers and Reniers, 2003b]. In chapter 3, the syntax of HyPA and its formal semantics are explained. Furthermore, an axiomatization of a notion of bisimulation is given, and it is shown that HyPA forms a conservative extension of the process algebra ACP and of the system theoretic formalism of algebraic differential equations. The work presented in chapter 3 appeared earlier as [Cuijpers and Reniers, 2003a, 2004b]. In chapter 4 we discuss the relation between HyPA and other hybrid formalisms. This discussion also appeared in [Cuijpers and Reniers, 2004b].

Part two of this thesis, consisting of chapters 5, 6 and 7, is focussed on the application of HyPA for the modeling and analysis of hybrid systems. In section 5, a subset of HyPA is used to explain a structured way of modeling physical systems, while abstracting away from short-time phenomena such as impact-mechanics and electrical switching. The work developed in this chapter appeared earlier as [Cuijpers et al., 2004a,b]. In section 6, a method for analyzing safety-properties of HyPA processes is discussed. This method also appeared in [Cuijpers and Reniers, 2004a]. In section 7, a small industrial case study is performed, in which the modeling techniques of chapter 5 and the analysis techniques of chapter 6 are put to use. This work is new, and has not been published before.

In figure 1.8 we have given an overview of the structure of this thesis. It displays the ways in which the chapters and sections depend on each other. Since most readers will not be familiar with both computer science and control science, it is important to know that part one of this thesis is oriented more towards computer scientists, and especially towards researchers from the field of formal methods. Part two is more generally readable. Apart from a few formal details, it can be read without much knowledge from part one. Especially chapters 5 and 7 rely only on an intuitive feeling for the syntax of HyPA, which is explained in section 3.1.1. For chapter 6 and section 7.1 of chapter 7, also a basic feeling for the axiomatization of HyPA, as explained in section 3.3, is needed.


Figure 1.8 Structure of this thesis:
1 : Introduction
Part I Hybrid Process Algebra: 2 : Semantic models for hybrid systems; 3 : Hybrid process algebra; 4 : Related Work
Part II Modeling and Analysis of Hybrid Processes: 5 : Modeling hybrid physical processes; 6 : Safety of hybrid processes; 7 : Modeling and control of a component mounter
8 : Conclusions


Part I Hybrid Process Algebra


Chapter 2 Semantic models for hybrid systems

“Semantics was one of his favourite words, although Jeremy James knew that it was merely the name of a striped cat three doors down.” [“Olifanten zitten niet op autos”, David Henry Wilson]


This chapter starts with the explanation of a general form for defining semantical models of systems. In this form, the semantical formalisms of the classical theories, system theory and process theory, are studied. Further on in the chapter, the general form is used to combine these classical semantical formalisms into hybrid semantical formalisms. Several possible hybrid formalisms are compared, and a well-considered choice is made for the formalism that is to be used in the remainder of this thesis. To strengthen the intuition on the formalism that is ultimately chosen, we discuss briefly how several notions from the different classical theories (like bisimulation equivalence, controllability and stability) are defined in the new, hybrid, context.

2.1 A general model of systems

The semantics of classical theories all give their view of the world through the definition of a certain kind of system. Transition systems are a semantical formalism that has been adopted by most computer scientists (amongst many others see: [Groote and Reniers, 2001, Baeten and Weijland, 1990, Fokkink, 1998]). Behavioral systems [Polderman and Willems, 1998] and Sontag machines [Sontag, 1998, Philips, 2001] are two semantical formalisms in use in control science. Behavioral systems take a functional view on systems, and focus especially on the way in which a system evolves over time. Sontag machines and transition systems, on the other hand, take a more operational view in modeling systems, and describe the way in which interactions cause a system to evolve from one state to another. Both models choose between different possible behaviors, based on interaction with the environment.

In this section, a unified view on systems is proposed, that is more or less in line with the literature available on the different classical semantics under study. Central to this view, is the following informal definition.

A system is a phenomenon of state, interaction and time.

This informal definition leads to a partial formal definition, in which only the concept of mathematical structure is still open. Specific instantiations of this mathematical structure are used to complete the definition for the different semantical models introduced later on.

Definition 1 (System) A system is a tuple < X, Σ, T, φ >, in which X denotes the state space, or memory, of the system, Σ denotes the interaction space (also called signal space, control space, or alphabet), and T denotes the time axis. The type of the system is determined by the structure φ, a mathematical structure on the state and interaction spaces and the time axis of the system. Additionally, X, Σ and T can have some additional structure of their own.


A system’s type is determined by the structure φ on the state space, the interaction space and the time axis. Furthermore, the state space, interaction space and time axis may have a certain structure themselves. The structure φ and these additional structures may all be exploited in the analysis of a system. As an example, T is usually assumed to be a totally ordered set (this is why it is usually referred to as an axis). In fact, in this thesis, we will assume that T is not only totally ordered, but that it is also an Abelian group, i.e. a group on which addition (+), subtraction (−), and a zero element (0) are defined. For example, the real numbers R form an Abelian group. Furthermore, in models from systems and control theory, X and Σ are often manifolds, or at least equipped with a metric or other topology (hence they are referred to as spaces). This is discussed in more detail in section 2.4. For an introduction into the field of topology, see for example [Dugundji, 1966, Eisenberg, 1974].

As mentioned before, the types of systems that are most important for our goal can be found in the literature on classical theories, although in many books on control science in particular, the semantical formalism is not formally defined. We believe that the following systems form good representatives of the semantics used throughout literature.

• A Labeled Transition System, in which φ ⊆ X × Σ × X, is a relation that models how a state x ∈ X can evolve into another state x′ ∈ X due to an interaction σ ∈ Σ. Usually, (x, σ, x′) ∈ φ is denoted $\langle x \rangle \xrightarrow{\sigma} \langle x' \rangle$. Labeled transition systems, in this particular or a similar form, are a common way of modeling systems in computer science. Note that the time axis T does not play a role in these systems, and for convenience we therefore assume T = ∅.

• A Timed Labeled Transition System is a transition system in which timing information does play a role. Many forms of timed labeled transition systems occur in literature, among which are the following three.

  – Absolute-Time Labeled Transition Systems [Baeten and Middelburg, 2002], in which φ ⊆ (X × T) × Σ × (X × T), essentially model the current time as a part of the state of the labeled transition system. Often, it is required that $\langle x, t \rangle \xrightarrow{\sigma} \langle x', t' \rangle$ implies t ≤ t′. This signifies that time increases during transitions.

  – Relative-Time Labeled Transition Systems [D’Argenio, 1999, Fidge and Žic, 1995], in which φ ⊆ X × (Σ × T) × X, model time by specifying the duration of a certain interaction.

  – Mixed-Time Labeled Transition Systems [Baeten and Bergstra, 1991, Baeten and Middelburg, 2002], in which φ ⊆ X × (Σ ∪ T) × X, model time and the interaction as separate ways to go from one state to another. Usually, the time-transitions $\langle x \rangle \xrightarrow{t} \langle x' \rangle$ are considered relative

in these models, i.e. t models a duration rather than a specific point in time. Other combinations are also possible. For example, in [Reniers et al., 2002] a system of the form φ ⊆ X × (Σ × T) × X is used, but a labeling (σ, t) indicates there that the signal σ occurs at the absolute time t. The choice between absolute-time, relative-time and mixed-time labeled transition systems is, usually, only based on convenience for a certain modeling assignment.

• A Behavioral System [Polderman and Willems, 1998, Weiland, 1991], in which φ ⊆ T ↦ (X × Σ), is a set of (partial) functions, modeling the possible evolutions of state and interaction of a system through time. These functions are restricted to those with an interval domain. Behavioral systems form a particularly intuitive semantics to specify the solutions of, for example, differential equations, and are used in control science mainly by those who seek a meta-theoretic approach to control. To model the idea that the state of a system contains all relevant information about the past of the system, a behavioral system is assumed to have the property of state [Polderman and Willems, 1998]. For all evolutions (x, σ), (x′, σ′) ∈ φ (with a little abuse of notation) and times t ∈ T we have that x(t) = x′(t) ⇒ (x ⊖t x′, σ ⊖t σ′) ∈ φ, in which

$$
(f \ominus_t g)(\tau) = \begin{cases} f(\tau) & \tau < t, \\ g(\tau) & \tau \ge t. \end{cases}
$$

• A Sontag Machine [Sontag, 1998], in which φ ∈ (X × (T ↦ Σ)) ↦ X, is a different kind of (functional) transition relation with a labeling consisting of partial functions of time to interaction. The relation reflects, in an operational way, how certain partial signal trajectories let the system evolve from one state to another. The labels of the transitions in Sontag machines are partial functions that have a left-closed right-open interval domain starting in 0, i.e. a domain of the form [0, t) ⊆ T. To reflect certain intuitions on dynamical systems, Sontag machines are usually assumed to have a number of closure properties that we will not discuss in detail here.

Graphical impressions of these systems can be found in figures 2.1, 2.2, 2.3, 2.4, 2.5, and 2.6.
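As an added example (not from the thesis), here is the property of state made executable on a constructed, finite behavioral system in Python: evolutions are sampled on T = {0, 1, 2}, f ⊖_t g is implemented literally, and the property is checked over every pair of evolutions and every t. The toggle transition relation and the hand-written set PHI_BAD are assumptions of this example, not from the page.

```python
from itertools import product

# Sampled time axis and the shape of an evolution (x, σ): a tuple of
# (state, interaction) pairs indexed by T. Constructed for this example.
T = (0, 1, 2)
Evolution = tuple[tuple[int, str], ...]


def splice(f: Evolution, g: Evolution, t: int) -> Evolution:
    """(f ⊖_t g)(τ) = f(τ) for τ < t and g(τ) for τ ≥ t."""
    return tuple(f[tau] if tau < t else g[tau] for tau in T)


def violating_pairs(phi: set[Evolution]) -> list:
    """Witnesses (f, g, t) with x(t) = x'(t) whose splice is not in φ."""
    return [(f, g, t)
            for f, g in product(phi, repeat=2) for t in T
            if f[t][0] == g[t][0] and splice(f, g, t) not in phi]


def has_property_of_state(phi: set[Evolution]) -> bool:
    """For all (x, σ), (x', σ') ∈ φ and t ∈ T:
    x(t) = x'(t) implies (x ⊖_t x', σ ⊖_t σ') ∈ φ."""
    return not violating_pairs(phi)


def generated_by(next_states, states, alphabet) -> set[Evolution]:
    """All evolutions of length |T| that follow a transition relation:
    x(τ+1) ∈ next_states(x(τ), σ(τ)) for each τ; the last interaction is free.
    A set built this way is state-based, so the property of state holds."""
    phi = set()
    for x0 in states:
        frontier = [((x0, s),) for s in alphabet]
        for _ in T[1:]:
            frontier = [ev + ((x1, s),) for ev in frontier
                        for x1 in next_states(*ev[-1]) for s in alphabet]
        phi.update(frontier)
    return phi


def toggle(x: int, s: str) -> set:
    """Constructed transition relation: 'a' keeps the state, 'b' flips it."""
    return {x} if s == "a" else {1 - x}


PHI_TOGGLE = generated_by(toggle, states=(0, 1), alphabet=("a", "b"))

# Hand-written set that is not state-based: both evolutions pass through
# state 0 at t = 1, but neither splice at t = 1 is in the set.
PHI_BAD = {
    ((0, "a"), (0, "a"), (0, "a")),
    ((1, "b"), (0, "b"), (1, "b")),
}

if __name__ == "__main__":
    print("toggle system has property of state:", has_property_of_state(PHI_TOGGLE))
    for f, g, t in violating_pairs(PHI_BAD):
        print("missing splice at t =", t, ":", splice(f, g, t))
```

Adding the two missing splices to PHI_BAD makes it satisfy the property, which is how the property of state forces a behavior to be closed under exchanging futures in equal states.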


Figure 2.1 Example of a Labeled Transition System, a transition relation between states x1, x2, x3, x4, x5 ∈ X, labeled with interactions a, b, c ∈ Σ, in which time does not play a role.

Figure 2.2 Example of an Absolute-Time Labeled Transition System, a transition relation between states x1, x2, x3, x4, x5 ∈ X, at times 1, 2, 3, 5, 6 ∈ T, labeled with interactions a, b, c ∈ Σ.

Figure 2.3 Example of a Relative-Time Labeled Transition System, a transition relation between states x1, x2, x3, x4, x5 ∈ X, labeled with interactions a, b, c ∈ Σ of different durations.


Figure 2.4 Example of a Mixed-Time Labeled Transition System, a transition relation between states x1, x2, x3, x4, x5 ∈ X, labeled with interactions a, b, c ∈ Σ and time transitions 1, 2, 3 of different durations.

Figure 2.5 Example of a Behavioral System, a system consisting of a set of functions from time to interactions and states.

Figure 2.6 Example of a Sontag Machine, a functional transition relation on states x1, x2, x3, x4 ∈ X, labeled with partial functions from time to the interaction space.

Recall that the goal of this chapter is to investigate different possibilities to combine the system types of the classical theories into hybrid system types. In the next section, we will give several possible definitions that are used throughout literature, and study their differences. Ultimately, one of the studied hybrid system types is chosen as the semantical framework for the remainder of this thesis.

2.2 Hybrid system types

We have a number of classical semantical formalisms that we would like to incorporate into one hybrid formalism. In this section, we discuss three different attempts to do so. The first attempt is to combine the definition of Sontag machines with mixed-time labeled transition systems. Observe that the domain of a flow-label of a Sontag machine can be interpreted as a timed transition. In this way we obtain the following definition.

Definition 2 (Hybrid Transition System) A hybrid transition system is a system < X, Σ, T, φ > with Σ = ΣC ∪ ΣD divided in a continuous and discrete part. The type φ of a hybrid transition system is the hybrid transition relation

φ ⊆ X × ((T ↦ ΣC) ∪ ΣD) × X,

where the labels σ ∈ T ↦ ΣC are restricted to those that have a closed interval domain of the form dom(σ) = [0, t].

Note, that the signal space is divided into a continuous and discrete part for clarity of the definition only. It shows which part of the definition originates from computer science, and which part originates from system theory. Furthermore, we use closed intervals for labeling instead of the left-closed right-open intervals that were used in Sontag machines. This proves useful later on, in the proofs of expressivity of hybrid transition systems. Although we suspect that these proofs can still be given when left-closed right-open intervals are used, it would unnecessarily complicate them. Finally, the condition that the transition relation is a function, which was used in Sontag machines, is dropped. This has the advantage that also differential equations with multiple solutions can be modeled. A graphical impression of a hybrid transition system is depicted in figure 2.7.


Figure 2.7 Example of a Hybrid Transition System, with states x1, x2, x3, x4, x5, x6, discrete transitions labeled a1, a2, a3 and continuous transitions labeled with signal trajectories over T into Σ.

From literature, we have two other possible semantics for hybrid systems that merge labeled transition systems with behavioral systems. The first one, hybrid automata (as defined in [Lynch et al., 1999, 2001]), takes the union of the complete structures.

Definition 3 (Hybrid Automaton) A hybrid automaton consists of a tuple < X, Σ, T, φ > with a signal space Σ = ΣC ∪ ΣD divided in a continuous and discrete part, and a structure

φ ⊆ (X × (ΣD × T) × X) ∪ (T ↦ (X × ΣC)),

in which the partial functions from T ↦ (X × ΣC) are assumed to have an (arbitrary) interval domain.

A graphical impression of this is difficult because two different mathematical structures are used in φ. The third possible definition for a hybrid system type is called ‘hybrid behaviors’. They are behavioral systems that extend the time axis to be able to support multiple transitions at a single time instance. In [van der Schaft and Schumacher, 2000b,a], the notion of time enrichment was introduced to this end. Here we use a slightly different definition that has the same power as the time enrichment, based on a Cartesian product of time and ordinal numbers (see for example [Kunen, 1988]). We denote the collection of ordinal numbers as Ω.

Definition 4 (Hybrid Behavioral System) A hybrid behavioral system consists of a tuple < X, Σ, T, φ >, with the signal space Σ = ΣC ∪ ΣD divided into a continuous and a discrete part, and having the extended behavioral structure

φ ⊆ (T × Ω) ↦ (X × (ΣC ∪ ΣD)).


The set (T × Ω) is totally ordered by the relation ⪯ such that (t, n) ⪯ (t′, n′) ⇔ (t < t′) ∨ (t = t′ ∧ n ≤ n′). As before, φ is assumed to have the property of state. Furthermore, the domain of (x, σ) ∈ φ is restricted to a special kind of interval (see also [van der Schaft and Schumacher, 2000b]). For every (x, σ) ∈ φ we have that:

• abstract interval: $\forall_{t,t',t'' \in T}\ \forall_{n,n'' \in \Omega}\ \ t \le t' \le t'' \wedge (t, n), (t'', n'') \in \mathrm{dom}(x) \Rightarrow \exists_{n' \in \Omega}\ (t', n') \in \mathrm{dom}(x)$;

• local closed interval: $\forall_{n,n',n'' \in \Omega}\ \forall_{t \in T}\ \ n \le n' \le n'' \wedge (t, n), (t, n'') \in \mathrm{dom}(x) \Rightarrow (t, n') \in \mathrm{dom}(x)$.

The most important difference between this definition and the definition of (normal) behavioral systems is that the time-elements have a successor. The successor of (t, n) simply is (t, n + 1). This means that one can speak of a sequence of multiple actions that occur at the same time t ∈ T. The special domain restrictions then indicate that the domain of the evolutions is an interval with respect to T, but that those sequences of actions do not have to be of length Ω. A graphical representation of a hybrid behavioral system is depicted in figure 2.8. In this picture, the arrows depict discrete signals, while the arcs depict continuous signal evolutions.

Figure 2.8 Example of a Hybrid Behavioral System, drawn over X × Σ against T, with discrete signals a, b, c depicted as arrows and continuous signal evolutions as arcs.

As it turns out in the next section, hybrid behavioral systems are slightly more expressive than hybrid automata, and in turn hybrid automata are slightly more expressive than hybrid transition systems. Nevertheless, all three formalisms turn out to be expressive enough for our purpose.

2.3 Embedding of classical theories

From section 1.3, we know that, in order to be sure that a proposed hybrid system type is indeed a suitable candidate as semantical framework, we have to translate the classical system types into the hybrid one. In this section, we therefore give a formal embedding of labeled transition systems and behavioral systems into hybrid behavioral systems, hybrid automata and hybrid transition systems. The embedding of Sontag machines is not discussed in detail in this thesis because, as was already pointed out in [Sontag, 1998, Cuijpers et al., 2002], Sontag machines are less expressive than behavioral systems. In principle, an embedding of Sontag machines into behavioral systems may be used to find an embedding of Sontag machines into hybrid behavioral systems, hybrid automata and hybrid transition systems. However, this is left as a topic for future investigation. The embedding of timed labeled transition systems is left out because we do not consider it to be part of the classical theories of control science and computer science. Rather, timed labeled transition systems are considered an early attempt to embed a particular property of control science (namely time) into computer science.

2.3.1 Embedding into hybrid behavioral systems

The embedding of behavioral systems into hybrid behavioral systems is trivial. Since there are no computational interactions, all behavior takes place on ordinal 0.

Definition 5 (Behavioral embedding) Let B = < X, Σ, T, φ > be a behavioral system, then the hybrid behavioral embedding of B is the hybrid behavioral system Hyb(B) = < Xh, Σh, Th, φh > such that Xh = X, Σh = ΣCh = Σ, and (xh, σh) ∈ φh if there exists (x, σ) ∈ φ such that for all t we have xh(t, 0) = x(t), σh(t, 0) = σ(t) and dom(xh, σh) = dom(x, σ) × {0}.

Conversely, we can abstract from a hybrid behavioral system to a behavioral system by only considering what happens at ordinal 0. This is perhaps not the most intuitive abstraction that can be found, but it serves to show that no information is lost in the translations.

Definition 6 (Behavioral abstraction) Let H = < X, Σ, T, φ > be a hybrid behavioral system, then the behavioral abstraction of H is the behavioral system Beh(H) = < Xb, Σb, Tb, φb > such that Xb = X, Σb = Σ, and (xb, σb) ∈ φb if there exists (x, σ) ∈ φ such that for all t we have xb(t) = x(t, 0), σb(t) = σ(t, 0).

Obviously, we find that this is truly an embedding.

Theorem 1 For any behavioral system B we find B = Beh(Hyb(B)).


Proof It is trivial to verify that Xb = Xh = X and Σb = Σh = Σ. Furthermore it is easy to see that (x, σ) ∈ φ if and only if there exists (xb, σb) ∈ φb and (xh, σh) ∈ φh with xb(t) = xh(t, 0) = x(t) and σb(t) = σh(t, 0) = σ(t) for all t. ⊠

For labeled transition systems, we find the following embedding.

Definition 7 (Operational embedding) Let L = < X, Σ, T, φ > be a labeled transition system, then the hybrid behavioral embedding of L is the hybrid behavioral system Hyb(L) = < Xh, Σh, Th, φh > such that Xh = X, Σh = ΣDh = Σ, and (xh, σh) ∈ φh if for all (t, n) ∈ dom(xh) we find t = 0, and if (t, n + 1) ∈ dom(xh) then

< xh(t, n) > --σh(t,n)--> < xh(t, n + 1) >.

Note that there is no timing information in labeled transition systems, which is interpreted here as the behavior that all computational actions occur at t = 0. At first sight, it may seem more logical to allow computational actions at any arbitrary time, but this would result in behavioral signals that are partly undefined. Because our only goal is to show that no information is lost, we have chosen the simpler solution. The abstraction from hybrid behavioral systems to labeled transition systems is defined as follows.

Definition 8 (Operational abstraction) Let H = < X, Σ, T, φ > be a hybrid behavioral system, then the operational abstraction of H is the labeled transition system Op(H) = < Xl, Σl, Tl, φl > such that Xl = X, Σl = Σ, and < xl > --σl-->l < x′l > if there exists (x, σ) ∈ φ such that xl = x(t, n), x′l = x(t, n + 1) and σl = σ(t, n) for some t ∈ T and n ∈ Ω.

Obviously, this is a successful embedding.

Theorem 2 For any labeled transition system L we find L = Op(Hyb(L)).

Proof It is trivial to see that Xl = Xh = X and Σl = Σh = Σ. Furthermore, one may easily verify that < x > --σ--> < x′ > if and only if there exists < xl > --σl-->l < x′l > and (xh, σh) ∈ φh such that xl = xh(0, n) = x, x′l = xh(0, n + 1) = x′ and σl = σh(0, n) = σ for some n. ⊠

2.3.2 Embedding into hybrid automata

The embedding into hybrid automata is completely trivial. Every behavioral system, and every labeled transition system, is in itself a hybrid automaton. On the one hand, this is one of the strengths of the hybrid automaton approach. On the other hand, it is one of its weaknesses, because, by keeping the classical formalisms separated, it becomes harder to obtain insight into the interaction between them.

2.3.3 Embedding into hybrid transition systems

The embedding of labeled transition systems into hybrid transition systems is again trivial. Every labeled transition system is also a hybrid transition system. The embedding of behavioral systems is not trivial at all. In fact, it is only possible for a restricted class of behavioral systems. This is not surprising, since hybrid transition systems are an extension of Sontag machines, which are also limited in expressivity. Indeed, some of the modeling restrictions that are inherent to Sontag machines are circumvented in hybrid transition systems by adopting a transition relation rather than a transition function, but some others remain, as is shown further on. We argue that the restricted class of behavioral systems is still large enough for our modeling purposes, and that the information that is possibly lost in the embedding of behavioral systems in general is not crucial for the theory we are developing. Therefore, at least for the time being, hybrid transition systems are expressive enough for our needs. The embedding of behavioral systems into hybrid transition systems is defined as follows.

Definition 9 (Behavioral embedding) Let B = < X, Σ, T, φ > be a behavioral system. Its hybrid operational embedding Hyb(B) = < Xl, Σl, Tl, φl > is a hybrid transition system such that X = Xl, Σ = Σl, T = Tl and < xl > --σl-->l < x′l > if there exists (x, σ) ∈ φ such that x(t) = xl and x(t′) = x′l and σl = (σ|[t,t′])^{−t}, for some t ≤ t′. We use σ|D to denote the restriction of the function σ to the subdomain D ⊆ dom(σ), and σ^t to denote the shifted function σ such that σ^t(t′ + t) = σ(t′) for all t′ ∈ dom(σ) and undefined elsewhere.

The behavioral abstraction of a hybrid transition system is defined as follows.

Definition 10 (Behavioral abstraction) Let L = < X, Σ, T, φ > be a hybrid transition system. Its behavioral abstraction Beh(L) = < Xb, Σb, Tb, φb > is a behavioral system such that (x, σ) ∈ φb if for all t, t′ ∈ dom(x) with t ≤ t′ we find

< x(t) > --(σ|[t,t′])^{−t}--> < x(t′) >.

In the remainder of this section, we focus on proving that B = Beh(Hyb(B)), when B is taken from a certain class of behavioral systems. Concretely, we show that B = Beh(Hyb(B)) if B is time-invariant and closed under domain restrictions, and furthermore that its external behavior is locally specified, while its state behavior is finitely specified. The meaning of these terms will be explained next.

Time-invariance Taking a closer look at the definitions regarding the embedding, one may observe that the time shift is necessary, because hybrid transition systems take a relative view on the passage of time. This, indeed, is one of the problems of our translation. If the precise time influences the behavior of the system, the embedding fails. In this thesis, we therefore take the viewpoint on behavioral systems that time should be modeled explicitly as a part of the state space in such a case. In other words, we assume that a behavioral system is time-invariant.

Definition 11 (Time-invariance) A behavioral system < X, Σ, T, φ > is time-invariant if (x, σ) ∈ φ implies (x, σ)^t ∈ φ for every t ∈ T.

Note that the notion of time-invariance is not very severe, because the influence of time can always be modeled explicitly using a clock (i.e. a variable x such that ẋ = 1).

Closure under domain restrictions Studying the definitions once more, it becomes clear that also the information on the domain of the evolutions of the behavioral system is lost. In other words, the behavioral system should be closed under restriction of the domain.

Definition 12 (Closure under domain restriction) A behavioral system < X, Σ, T, φ > is closed under restriction of the domain if (x, σ) ∈ φ implies (x, σ)|D ∈ φ for every bounded interval D ⊆ dom(x).

Also this restriction is not severe, since the notion of solution of differential algebraic equations can always be considered closed in this sense.

Local specification It is less obvious that time-invariance and closure under domain restriction are not sufficient to make the embedding of behavioral systems into hybrid transition systems possible. As an example of a system that is time-invariant and closed under domain restrictions, but for which the embedding goes wrong, we study the behavior depicted graphically in figure 2.9.

Figure 2.9 Example of a time-invariant behavioral system that cannot be translated (plot of X against T)


The state-behavior of this system consists of many “unstable” evolutions that “start” in minus infinity and “end” in plus infinity. Stated this way, the 0-function is clearly not part of this behavior, while every interval-restriction of this function is a behavior. Now, if we would translate this behavior into a hybrid transition system, by constructing transitions between two states if they are connected by a partial evolution, this information about the 0-function is lost. Obviously, there are transitions from state 0 to itself, labeled with the 0-function. Therefore, there is no way to decide from the transitions only that the 0-function is not in the behavior of the system.

The system in figure 2.9 lacks the property that it is locally specified. That is, one needs to study an evolution over an infinite period of time to determine whether it is part of the behavior or not. Behavioral systems that are defined using differential algebraic equations usually are locally specified, and for those, only a finite period of time is needed to refute a ‘wrong’ evolution. This is captured in the following definition, which is adapted from [Polderman and Willems, 1998] (we claim, without proof, that for behavioral systems in which only total evolutions occur, the two definitions coincide).

Definition 13 (Local specification) A behavioral system B = < X, Σ, T, φ > is locally specified when (x, σ) ∈ φ if and only if (x, σ)|D ∈ φ|D for every bounded, closed interval D = [t, t′] ⊆ dom(x). Here, φ|D denotes, obviously, the set of all evolutions in φ restricted to D.

Finite specification Sadly, even local specification is not sufficient for the translatability of behavioral systems into hybrid transition systems. We need to strengthen it even further. Instead of being able to refute an evolution on the basis of a finite interval, we require that we can refute it on the basis of a finite number of points. In [Cuijpers et al., 2002], this property was called finite-set refutability. A reformulation of the definition, however, clearly indicates a relation with local specification, which is why we chose to change the name into finite specification.

Definition 14 (Finite specification) A behavioral system B = < X, Σ, T, φ > is finitely specified when (x, σ) ∈ φ if and only if (x, σ)|F ∈ φ|F for every finite subset F ⊆ dom(x).

Not surprisingly, finite specification is strictly stronger than local specification.

Theorem 3 A finitely specified behavioral system that is closed under domain restrictions is locally specified.

Proof Suppose that B = < X, Σ, T, φ > is a finitely specified behavioral system. By definition, (x, σ) ∈ φ implies (x, σ)|D ∈ φ|D, for every bounded interval D. Vice versa, suppose that for every bounded interval D we have (x, σ)|D ∈ φ|D.


Obviously, every finite set F ⊆ dom(x) is a subset of some bounded interval D ⊆ dom(x). So, for every F there exists a bounded interval D ⊇ F with (x, σ)|D ∈ φ|D and consequently (x, σ)|F ∈ φ|F. Using the assumption that B is finitely specified, we obtain (x, σ) ∈ φ, which concludes the proof. ⊠

Finite specification of a behavioral system turns out to be sufficient in order to embed it into a hybrid transition system. However, we can relax the conditions a little bit, by assuming that the whole system is locally specified, while for each external behavior the corresponding state-behavior is finitely specified.

Definition 15 (Finite specification of the state behavior) The state behavior of a behavioral system < X, Σ, T, φ > is finitely specified when (x, σ) ∈ φ if and only if x|F ∈ φ(σ)|F, for every finite set F ⊆ dom(x). Here, we use the notation φ(σ) = {x′ | (x′, σ) ∈ φ}.

Theorem 4 If a behavioral system is finitely specified, then its state behavior is finitely specified.

Proof Let B = < X, Σ, T, φ > be a finitely specified behavioral system. Clearly, (x, σ) ∈ φ implies x|F ∈ φ(σ)|F. Vice versa, suppose that x|F ∈ φ(σ)|F for every finite set F ⊆ dom(x). Then (x, σ)|F ∈ (φ(σ) × {σ})|F = φ|F. Hence, using finite specification, (x, σ) ∈ φ. This concludes the proof. ⊠

Using finite specification of the state behavior, we find necessary and sufficient conditions for the above embedding of behavioral systems into hybrid transition systems.

Theorem 5 (Sufficiency) For any behavioral system B = < X, Σ, T, φ > that is time-invariant, closed under domain restriction, locally specified, and has finitely specified state behavior, we have B = Beh(Hyb(B)).

Proof We will use φ to denote the behavioral structure of B, and φ′ to denote the behavioral structure of Beh(Hyb(B)). It is straightforward to verify that any evolution of B is also in Beh(Hyb(B)), i.e. that φ ⊆ φ′. We therefore focus on the reverse case. Assume that (x, σ) ∈ φ′. Using the definitions of embedding and abstraction, we obtain that for every t, t′ ∈ dom(x) with t ≤ t′, there exists (y, ς) ∈ φ and τ, τ′ such that x(t) = y(τ), x(t′) = y(τ′) and (σ|[t,t′])^{−t} = (ς|[τ,τ′])^{−τ}. Equivalence of the domains of σ and ς tells us that τ′ − τ = t′ − t, and using the assumption that φ is time-invariant and closed under domain restrictions, we find that there must also exist an evolution (y′, ς′) ∈ φ with x(t) = y′(t), x(t′) = y′(t′) and


σ|[t,t′] = ς′. Using the property of state, we may concatenate any finite number of these evolutions, so we find that for every finite set F ⊆ dom(x) there exists an evolution (y′′, ς′′) ∈ φ with x|F = y′′|F and σ|D = ς′′, where D is the smallest bounded, closed interval such that F ⊆ D. In other words, for every finite set F ⊆ dom(x) we find that x|F ∈ φ(σ|D). Using finite specification of the state, this leads to (x, σ)|D ∈ φ. Finally, we may conclude for every bounded closed interval D′ ⊆ dom(x) that (x, σ)|D′ ∈ φ, by appropriate choice of the finite sets F. By local specification of φ, we then obtain (x, σ) ∈ φ, which concludes the proof. ⊠

Lemma 1 Let L = < X, Σ, T, φ > be a hybrid transition system, then Beh(L) is time-invariant.

Proof Let φ′ be the behavioral structure of Beh(L), and assume that (x, σ) ∈ φ′. Then, by definition of abstraction, for any t, t′ ∈ dom(x) with t ≤ t′ we find

< x(t) > --(σ|[t,t′])^{−t}--> < x(t′) >.

Time shifting then gives us the transition

< x^τ(t − τ) > --(σ^τ|[t−τ,t′−τ])^{τ−t}--> < x^τ(t′ − τ) >,

and hence (x, σ)^τ ∈ φ′, for any τ. This concludes the proof. ⊠

Lemma 2 Let L = < X, Σ, T, φ > be a hybrid transition system, then Beh(L) is closed under domain restrictions.

Proof Let φ′ be the behavioral structure of Beh(L), and assume that (x, σ) ∈ φ′. Then, by definition of abstraction, for any t, t′ ∈ dom(x) with t ≤ t′ we find < x(t) > --(σ|[t,t′])^{−t}--> < x(t′) >. From this, it is clear that for any t, t′ ∈ D ⊆ dom(x) the same holds, hence (x, σ)|D ∈ φ′. This concludes the proof. ⊠

Lemma 3 Let L = < X, Σ, T, φ > be a hybrid transition system, then Beh(L) is locally specified.

Proof Let φ′ be the behavioral structure of Beh(L), and assume that for all closed and bounded intervals D we have (x, σ)|D ∈ φ′|D. Then, for every D, there must be (x′, σ′) ∈ φ′ such that (x, σ)|D = (x′, σ′). By definition of abstraction, we find that for any t, t′ ∈ dom(x′) with t ≤ t′ we find

< x′(t) > --(σ′|[t,t′])^{−t}--> < x′(t′) >

and hence, for any such t, t′ ∈ D we have < x(t) > --(σ|[t,t′])^{−t}--> < x(t′) >. But, for D we can take any interval D ⊆ dom(x), from which we conclude that < x(t) > --(σ|[t,t′])^{−t}--> < x(t′) > holds for any t, t′ ∈ dom(x) with t ≤ t′. Finally, we obtain (x, σ) ∈ φ′ by definition of abstraction, which concludes the proof. ⊠



Lemma 4 Let L = < X, Σ, T, φ > be a hybrid transition system, then Beh(L) is finitely specified in its state behavior.

Proof Let φ′ be the behavioral structure of Beh(L), and let σ be an external behavior such that for all finite sets F we have x|F ∈ φ′(σ)|F. Then, for every F, there must be (x′, σ) ∈ φ′ such that x|F = x′|F. Furthermore, from the definition of abstraction it follows that, for every t, t′ ∈ dom(x′) with t ≤ t′, we have

< x′(t) > --(σ|[t,t′])^{−t}--> < x′(t′) >,

and hence for every t, t′ ∈ F we have < x(t) > --(σ|[t,t′])^{−t}--> < x(t′) >. But since we can choose any F ⊆ dom(x), we find < x(t) > --(σ|[t,t′])^{−t}--> < x(t′) > for any t, t′ ∈ dom(x), and obtain (x, σ) ∈ φ′. This concludes the proof. ⊠

Theorem 6 (Necessity) Let B = < X, Σ, T, φ > be a behavioral system, then Beh(Hyb(B)) is time-invariant, closed under domain restriction, locally specified and finitely specified in its state behavior.

Proof Trivial, using lemmas 1, 2, 3 and 4. ⊠
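Definitions 9 and 10, together with the role of time-invariance (Definition 11), can be checked mechanically on a finite, discrete time axis. The following Python is an added example, not code from the thesis: it assumes T = {0, 1, 2}, a three-valued state space and a single constant signal, builds Hyb(B) and Beh(Hyb(B)) by enumeration, and shows that the round trip is exact for a time-invariant system but adds time-shifted evolutions for a system whose state is an absolute clock.

```python
"""Definitions 9 and 10 on a finite, discrete time axis (added example).

Assumptions: T = {0, ..., T_MAX}; X and Σ are small finite sets; an evolution
(x, σ) is a dict mapping every t of an integer interval to the pair (x(t), σ(t));
a behavioral system is a set of such evolutions, frozen as sorted item tuples.
"""
from itertools import product

T_MAX = 2
X_VALS = (0, 1, 2)        # state space X
SIGMA_VALS = (0,)         # signal space Σ: one constant signal keeps enumeration small

def intervals():
    """All non-empty closed integer intervals [t, t'] with 0 <= t <= t' <= T_MAX."""
    return [(t, t2) for t in range(T_MAX + 1) for t2 in range(t, T_MAX + 1)]

def freeze(evolution):
    """Canonical hashable form of an evolution dict {t: (x, sigma)}."""
    return tuple(sorted(evolution.items()))

def hyb(behavior):
    """Hyb(B): the hybrid transition system induced by a behavioral system B.

    A transition (x_l, sigma_l, x'_l) exists iff some evolution (x, sigma) has
    x(t) = x_l, x(t') = x'_l and sigma_l = (sigma|[t,t'])^-t, i.e. the signal on
    [t, t'] shifted so that it starts at 0 (represented as a tuple indexed from 0).
    """
    transitions = set()
    for frozen in behavior:
        ev = dict(frozen)
        times = sorted(ev)
        for i, t in enumerate(times):
            for t2 in times[i:]:
                label = tuple(ev[s][1] for s in range(t, t2 + 1))
                transitions.add((ev[t][0], label, ev[t2][0]))
    return transitions

def beh(transitions):
    """Beh(L): every candidate evolution all of whose pairs t <= t' are backed by a transition."""
    result = set()
    for (t, t2) in intervals():
        length = t2 - t + 1
        for xs in product(X_VALS, repeat=length):
            for sigmas in product(SIGMA_VALS, repeat=length):
                ev = {t + k: (xs[k], sigmas[k]) for k in range(length)}
                if all((ev[a][0], tuple(ev[s][1] for s in range(a, b + 1)), ev[b][0])
                       in transitions
                       for a in ev for b in ev if a <= b):
                    result.add(freeze(ev))
    return result

def constant_system():
    """Constructed B that is time-invariant and restriction-closed: x is constant on any interval."""
    return {freeze({t: (c, 0) for t in range(a, b + 1)})
            for c in X_VALS for (a, b) in intervals()}

def clock_system():
    """Constructed B that is NOT time-invariant: x(t) = t on [0, T_MAX] plus all its restrictions."""
    return {freeze({t: (t, 0) for t in range(a, b + 1)}) for (a, b) in intervals()}

def roundtrip_is_identity(behavior):
    """Theorem 5 check: does Beh(Hyb(B)) == B hold for this B?"""
    return beh(hyb(behavior)) == behavior

def extra_evolutions(behavior):
    """Evolutions in Beh(Hyb(B)) but not in B; empty iff the embedding loses nothing."""
    return beh(hyb(behavior)) - behavior
```

For the clock system the extra evolutions are exactly the time-shifted copies (for instance x(1) = 0, x(2) = 1), which is the information the relative-time labels of Definition 9 cannot retain.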



In order to illustrate the notion of finite specification a little further, observe that the definition says that if a certain function is intersected arbitrarily often by piecewise concatenations of evolutions, then this function is an evolution itself. An example of a behavior that is time-invariant, closed under domain restrictions, locally specified, but not finitely specified, is depicted in figure 2.10. The set of all possible sine waves, when closed under the property of state, still does not contain the 0-function, although it can be intersected arbitrarily often by concatenation of sine waves that cross the axis.

Figure 2.10 Impression of behavioral system that is not finitely specified


Looking at it from a different perspective, we see that every crossing of evolutions can be regarded as a branching of the transition system. This means that if we translate a behavioral system without finite specification of the state behavior into a hybrid transition system, then we lose information about the continuous branching options of that system. We cannot distinguish between a system that has a certain branching at arbitrarily small finite times apart, and a system that branches continuously. All this makes clear that hybrid transition systems are not expressive enough to completely embed behavioral systems.

Whether this lack in expressivity leads to problems for the modeling of hybrid systems is an entirely different matter. Behavioral systems are intended to describe physical phenomena, and physical phenomena can only be studied using a finite number of observations. The difference between continuous branching and arbitrarily fast branching is therefore not observable in physics. Hence, a behavioral system should be considered observably equal to its closure under finite specification. This is in line with the hybrid automata framework of [Lynch et al., 2003], in which a notion of (bisimulation) equivalence is proposed that abstracts from the finite specification of the state evolutions. However, we suspect that this happened unknowingly in [Lynch et al., 2003], since no mention of finite specification, or similar properties, is made in that paper.

We should add that the systems that are studied in control theory usually are deterministic, in the sense that for a given initial state and a given interaction, the trajectory of the state is uniquely defined.

Definition 16 (Determinism) A behavioral system B = < X, Σ, T, φ > is deterministic if for any (x, σ) ∈ φ, (x′, σ) ∈ φ and t ∈ T, with x(t) = x′(t), we find x(t′) = x′(t′) for t′ ≥ t.

Theorem 7 Any locally specified, deterministic behavioral system has finitely specified state behavior.

Proof Let B = < X, Σ, T, φ > be a locally specified, deterministic behavioral system. Furthermore, assume that for every finite set F, we have that x|F ∈ φ(σ)|F. Then, clearly, for every F there exists (x′, σ) ∈ φ with x|F = x′|F. Furthermore, because B is deterministic, we find that x(t) = x′(t) for any t ∈ D where D is a closed bounded interval of which the minimum coincides with the minimum of F. Since we may choose arbitrary F, we can also choose arbitrary D. Hence (x, σ)|D ∈ φ|D for any closed bounded interval D, and using local specification of B, we obtain that (x, σ) ∈ φ. This concludes the proof. ⊠

Lastly, if we divide the set of state variables into a set X of variables and a set Ẋ = {ẋ | x ∈ X} of derived variables, and if we define solutions of predicates on X and Ẋ as was done in [Bergstra and Middelburg, 2004b,a], then the resulting set of flows for a given predicate turns out to be finitely specified, and hence finitely specified in the state behavior. We do not prove this formally here, because we do not want to fix the syntax for describing flow-behavior, but the result easily follows from the observation in proposition 4.1 of [Bergstra and Middelburg, 2004a] that every witness of a time-transition departing from a certain state (and conversely every state-flow underlying a hybrid transition) is also a witness of any time-transition of the same length departing from a bisimilar state. In conclusion, all sets of solutions of differential inclusions and differential equations are finitely specified if we consider the value of the derivatives ẋ part of the state.

2.3.4 Comparison

Hybrid behavioral systems and hybrid automata are clearly both expressive enough to support an embedding of labeled transition systems and behavioral systems. Hybrid behavioral systems seem to be a little more expressive than hybrid automata, because of the density with which discrete interactions may occur through time, but this is outside the scope of this thesis. If we restrict ourselves to behavioral systems that are time-invariant, closed under domain restrictions, locally specified in the external behavior, and finitely specified in the state behavior, then hybrid transition systems are also expressive enough. These restrictions turn out not to be very severe. In particular, they hold for the sets of solutions of algebraic differential equations. So, it may be concluded safely that all three types of hybrid systems are good candidates as semantical framework for the remainder of this thesis.

Choosing a semantical formalism merely becomes a matter of taste. In the field of process algebra, this taste is dominated by the operational view on systems, i.e. the description of state changes as a result of interactions. It is expected, therefore, that an operational view on hybrid systems makes the development of a hybrid process algebra easier. Hybrid behavioral systems focus on the functional view, i.e. the evolution of state and interaction over time. They lack this operational view. Hybrid automata do have an operational view on the discrete interactions, but a functional view on the continuous interaction. Finally, hybrid transition systems fully support the operational view on hybrid behavior, and this is the main reason why they are chosen as a semantics for hybrid systems theory in this thesis.

In the next section, we study a number of notions from computer science and control science in the context of hybrid transition systems. This study serves to show that hybrid transition systems are not only expressive enough for the translation of semantical models from control science and computer science, but that important analysis notions from these fields can be transferred as well.

2.4 Notions from computer science and control science

It was shown that hybrid transition systems are expressive enough to give a natural embedding of labeled transition systems and behavioral systems. However, for these embeddings to be completely convincing, a number of notions regarding behavioral systems and labeled transition systems (such as reachability, deadlock, stability, controllability etc.) should be successfully transferred as well. In this section, such a transfer is given for various notions of equivalence from computer science, and for a number of notions from control. We claim, without further discussion, that other notions can be transferred in a similar manner.

2.4.1 Runs and transfinite runs

Although hybrid transition systems take an operational view on systems, the functional view still plays an important role in their analysis. The notion of run, which is well known from computer science, in fact gives a translation from labeled transition systems to behavioral systems with a natural time axis (T = N). For hybrid transition systems, the notion of run still gives a functional view of system behavior, although it is not directly associated with hybrid behaviors.

Definition 17 (Hybrid Run) Given a hybrid transition system < X, Σ, T, φ >, a hybrid run of this system is a pair (x, σ) of sequences x ∈ N ↦ X and σ ∈ N ↦ ((T ↦ ΣC) ∪ ΣD) such that

• dom(x) and dom(σ) are intervals in N;

• 0 ∈ dom(σ) ⊆ dom(x) ∧ ∀n∈dom(x) n ∈ dom(σ) ⇒ n + 1 ∈ dom(x);

• ∀n∈dom(σ) < x(n) > --σ(n)--> < x(n + 1) >.

The length of a run is the cardinality of dom(σ).

The notion of run as a functional view of a system has one important drawback that manifests itself when runs become infinite in length. As it turns out, there can exist infinite runs for which the total passage of time remains finite. In such a case, using the definitions we have so far, the evolution of the system simply stops at, or before, that time. This is rather strange, since it will never happen in a physical system that time simply stops. A typical occurrence of such behavior is usually referred to as Zeno-behavior after the Eleatic philosopher (488 BC) who first described the problems with infinite runs in his famous example of Achilles and the tortoise. In a running contest between Achilles the half-god and a tortoise, the tortoise gets a little head start. Zeno reasoned that every time Achilles comes at a point where the tortoise was, the tortoise has walked just a little further. Hence, Achilles cannot overtake, and the tortoise wins the race. What Zeno did not realize (or at least did not tell his stunned audience) is that the infinite number of steps he describes only takes a finite amount of time to execute. The steps converge to a point where Achilles has actually caught up with the tortoise, and at that point Achilles can overtake.

Convergence is a notion from the mathematical field of topology (see for example [Dugundji, 1966, Eisenberg, 1974, Berge, 1963]). As mentioned in section 2.1, it is sometimes assumed that there is a topological structure on the state-space. If this is the case, we can formalize the idea of reaching a convergence point in the notion of transfinite run. A very brief summary of definitions and notations from topology is given in appendix A. A transfinite run is a run over ordinal numbers (see for example [Kunen, 1988]) rather than natural numbers. The idea is that for limit ordinals the state-value of the run is one of the limit points of the preceding part of the run (if a sequence x ∈ Ω → X has a limit point y ∈ X (or more precisely, a cluster point), this is denoted by x ⊸ y; see appendix A).

Definition 18 (Transfinite Hybrid Run) Let Ω denote the ordinal numbers and < X, Σ, T, φ > be a hybrid transition system with topologies on X and T, then a pair (x, σ) of transfinite sequences x ∈ Ω ↦ X and σ ∈ Ω ↦ (Σ ∪ (T ↦ Σ)) is a transfinite hybrid run if

• dom(x) and dom(σ) are intervals in Ω;

• 0 ∈ dom(σ) ⊆ dom(x) ∧ ∀n∈dom(x) n ∈ dom(σ) ⇒ n + 1 ∈ dom(x);

• ∀n∈dom(σ) < x(n) > --σ(n)--> < x(n + 1) >;

• ∀n∈dom(x), n a limit ordinal: x|[0..n) ⊸ x(n) ∧ Σ_{i=0}^{n} ↑dom(σ(i)) < ∞.

Here, we use ↑I to denote the maximum of an interval I ⊆ T. Again, we define the length of a run to be the cardinality of dom(σ).

In philosophy, the accumulation of events in general is also referred to as a supertask [Zalta, 2001, Norton, 1999, Salmon, 1970]. Transfinite hybrid runs form a way to deal with such supertasks in the context of hybrid systems. Usually, Zeno-behavior is caused by some abstraction made by the modeler. Whether this abstraction is justified cannot be judged without considering the analysis question that the modeler had in mind when the abstraction was made. Nevertheless, most tools that aid in the analysis of hybrid systems cannot deal with limit points of transfinite runs, and even in many theoretical works on hybrid systems, non-Zenoness is an essential assumption. In this thesis, Zeno-behavior is considered to be a natural consequence of assuming a topology on the state space of a system. In this section, some ideas are presented on how to deal with such a topology in general. However, in the remainder of this thesis, these ideas are not worked out in detail, because there is very little knowledge on the relation between topology and process algebra. Research on this relation is considered to be of the utmost importance for the future development of hybrid systems theory.
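Achilles and the tortoise written out as a hybrid run in the sense of Definition 17, as an added example that is not part of the thesis. It assumes constant speeds and a state consisting of both positions, records each continuous transition σ(n) by its duration ↑dom(σ(n)) only, and checks whether the total passage of time stays finite (the Zeno case) and where the run converges (the limit state of Definition 18).

```python
"""Zeno's Achilles and the tortoise as a hybrid run (added example).

Assumptions: state x(n) = (position of Achilles, position of tortoise) in
metres; both run at constant speed; transition n is the continuous evolution
lasting until Achilles reaches the point where the tortoise was at the start
of that transition. Only the duration of each σ(n) is kept.
"""

def zeno_run(head_start, v_achilles, v_tortoise, steps):
    """Generate the first `steps` transitions of the run (steps >= 2).

    Returns (x, durations): x[n] is the state before transition n and
    durations[n] = ↑dom(σ(n)) is how long transition n lasts.
    """
    x = [(0.0, float(head_start))]
    durations = []
    for _ in range(steps):
        a, t = x[-1]
        d = (t - a) / v_achilles          # time until Achilles reaches the tortoise's old spot
        durations.append(d)
        x.append((a + v_achilles * d, t + v_tortoise * d))
    return x, durations

def total_time_limit(durations):
    """Limit of the cumulative time Σ ↑dom(σ(i)) for this geometric sequence of durations.

    Consecutive durations shrink by r = v_tortoise / v_achilles; the series
    converges to d0 / (1 - r) when r < 1 and diverges (inf) otherwise.
    """
    d0, d1 = durations[0], durations[1]
    r = d1 / d0
    return d0 / (1 - r) if r < 1 else float("inf")

def is_zeno(durations):
    """An infinite run whose total passage of time stays finite is Zeno."""
    return total_time_limit(durations) < float("inf")

def limit_state(x, tol=1e-9):
    """Numerical cluster point x(ω) (Definition 18): the last state, provided the
    sequence has settled to within `tol`; None when it has not converged."""
    (a1, t1), (a2, t2) = x[-2], x[-1]
    if abs(a2 - a1) < tol and abs(t2 - t1) < tol:
        return x[-1]
    return None

def meeting_point(head_start, v_achilles, v_tortoise):
    """Closed-form position where Achilles catches up, i.e. the point the run converges to."""
    t_meet = head_start / (v_achilles - v_tortoise)
    return v_achilles * t_meet
```

With a 10 m head start and speeds 10 m/s and 1 m/s the sixty-step prefix already accumulates 10/9 s and both positions settle at 100/9 m; with a faster tortoise the durations grow and no limit state exists.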

2.4.2 Equivalence

In section 1.2 already, the notion of equivalence was mentioned. Although not formally defined, the notion of bisimulation equivalence was given as an example.

Figure 2.11 Trace Equivalent but not Bisimilar States (two transition systems with initial states marked x and transitions labeled a, b and c)

On a semantical level, the notion of equivalence on a system reflects which things an external observer can see during the evolution of a system. The first intuition we have about this equivalence, for systems in general, is that only the interaction space is observable. This intuition is firm, and all notions of equivalence from literature agree on it. The second intuition is motivated by the introduction of non-determinism in a system. If a system displays non-determinism, then a choice between different evolutions of the state can be made without a visible difference in the signals. See for example figure 2.11. There, the observer cannot conclude from the set of runs of the system that the two states marked x are different. Both systems contain the runs a followed by b and a followed by c. However, an observer can conclude a difference from the fact that, after a has occurred, in one system there is still a choice between b and c, while in the other system this choice has vanished. This difference between observing only complete runs and observing choices as well is only of interest for non-deterministic systems, and therefore it is not surprising that the equivalence notions concerned with it stem from computer science rather than from control. If the outside observer cannot see which choices a system makes, we study so-called trace equivalence between systems. If the outside observer can observe the fact that a choice has been made, we study bisimulation equivalence.

The notion of trace equivalence, formally, compares the interactions that occur in the possible runs of a system.

Definition 19 (Trace Equivalence) Given the hybrid transition systems M = < X1, Σ1, T1, φ1 > and N = < X2, Σ2, T2, φ2 >, using the same interaction space Σ1 = Σ2, the states x0 ∈ X1 and y0 ∈ X2 are trace equivalent, denoted x0 ≃ y0, if for every hybrid run (x, σ) on M with x(0) = x0, there exists a hybrid run (y, σ) on N with y(0) = y0 and vice versa.

The notion of bisimulation equivalence does not compare complete runs, but compares the states after every transition again to differentiate between the choices between transitions. It relies on the notion of bisimulation relation.

Definition 20 (Bisimulation Equivalence) Given the hybrid transition systems M = < X1, Σ1, T1, φ1 > and N = < X2, Σ2, T2, φ2 > with Σ1 = Σ2. A relation R ⊆ X1 × X2 is a bisimulation relation iff

• for every transition < x > --σ--> < x′ > of M and every state y ∈ X2 such that x R y there exists a transition < y > --σ--> < y′ > of N such that x′ R y′;

• and for every transition < y > --σ--> < y′ > of N and every state x ∈ X1 such that x R y there exists a transition < x > --σ--> < x′ > of M such that x′ R y′.

Two states x ∈ X1 and y ∈ X2 are bisimilar, denoted x ↔ y, iff there exists a bisimulation relation R such that x R y. Two systems are bisimilar if every state in one system has a bisimilar state in the other system. It is a known result from computer science [Bergstra et al., 2001] that bisimulation on states is a stronger equivalence than trace equivalence on states.

Theorem 8 ↔ ⊆ ≃.

Proof See e.g. [van Glabbeek, 2001]. ⊠



Clearly, with topologies on the state spaces, extending the notion of trace equivalence is straightforward. Transfinite trace equivalence is concerned with transfinite runs instead of normal runs. It is denoted by ≃∞. The bisimulation case, however, is not that simple. The notion of bisimulation focuses on single transitions and is therefore not able to “see” beyond a countable number of transitions. In [Cuijpers and Reniers, 2002], a notion of topological bisimulation was defined to include the accumulation points of runs. The following definition is a reformulation of this definition.

Definition 21 (Topological Bisimulation) Let M = < X1, Σ1, T1, φ1 > and N = < X2, Σ2, T2, φ2 > be two hybrid transition systems such that Σ1 = Σ2 and such that M and N have topologies on the state spaces X1 and X2. The relation R ⊆ X1 × X2 is a topological bisimulation relation iff it is a bisimulation relation that also relates accumulation points of transfinite hybrid runs, i.e.:

• for every transfinite hybrid run (x, σ) in M and state y0 ∈ X2 such that x(0) R y0, there is a transfinite hybrid run (y, σ) in N with y0 = y(0) and x(n) R y(n) for every n ∈ dom(x);

• for every transfinite hybrid run (y, σ) in N and state x0 ∈ X1 such that x0 R y(0), there is a transfinite hybrid run (x, σ) in M with x0 = x(0) and x(n) R y(n) for every n ∈ dom(y).

A state x ∈ X1 is topologically bisimilar to a state y ∈ X2, denoted x ↔∞ y, if and only if there exists a topological bisimulation relation R ⊆ X1 × X2 such that x R y.

Since we have added structure to the hybrid transition system, it is only logical that the notion of equivalence that we obtain is stronger than the equivalence for the system without the additional structure.

Theorem 9 ↔∞ ⊆ ↔.

Proof This is trivial, because every single transition corresponds to a run of length 1. ⊠

As with normal bisimulation and trace equivalence, topological bisimulation is also stronger than transfinite trace equivalence.

Theorem 10 ↔∞ ⊆ ≃∞.

Proof This is easy to see, since by definition of topological bisimulation, for every transfinite hybrid run in the one system there exists a similarly labeled transfinite hybrid run in the other. ⊠

Topological bisimulation still abstracts away from a lot of information on the topological structure. For example, it compares the behavior of two states, but does not consider the behavior of neighboring states. In control science, it is important that systems are robust for small deviations in measurements and state estimations. In other words, the neighboring states are often also considered reachable, in a sense. In order to support this intuition, we define a stronger notion of equivalence, called continuous bisimulation. This notion relies on the definition of an upper and lower inverse of a relation.

Definition 22 (Inverses and images) Given a relation R ⊆ X × Y, and sets A ⊆ X, B ⊆ Y, we define the following inverses and images.

• relational inverse: y R−1 x iff x R y;
• lower image: Rl(A) = {y | ∃x (x R y ∧ x ∈ A)};
• upper image: Ru(A) = {y | ∀x (x R y ⇒ x ∈ A)};
• lower inverse image: R−l(B) = {x | ∃y (x R y ∧ y ∈ B)};
• upper inverse image: R−u(B) = {x | ∀y (x R y ⇒ y ∈ B)}.

So Rl(A) ⊆ Y collects the states related to some state of A, and Ru(A) ⊆ Y those states related only to states of A; the inverse images do the same in the direction from Y to X. The following theorems on these images turn out to be useful later on.

Theorem 11 We find the following general properties of the different inverses on a relation R ⊆ X × Y. As before, assume A ⊆ X and B ⊆ Y.

• (R−1)u(B) = R−u(B), (R−1)l(B) = R−l(B);
• Rl(R−u(B)) ⊆ B ⊆ Ru(R−l(B));
• Ru(A) = Y ∖ Rl(X ∖ A), i.e. the upper image is the complement of the lower image of the complement.

Proof These are all adaptations of lemmas in chapter II of [Berge, 1963], although we use slightly different notational conventions. ⊠

Definition 23 (Continuous Bisimulation) Let M = < X1, Σ1, T1, φ1 > and N = < X2, Σ2, T2, φ2 > be two hybrid transition systems such that Σ1 = Σ2 and such that M and N have topologies on the state spaces X1 and X2. The relation R ⊆ X1 × X2 is a continuous bisimulation relation iff it is a bisimulation relation but also a bi-continuous relation (see [Berge, 1963]), i.e.

• for every transition < x > −σ→ < x′ > of M and every state y ∈ X2 such that x R y, there exists a transition < y > −σ→ < y′ > of N such that x′ R y′;

• for every transition < y > −σ→ < y′ > of N and every state x ∈ X1 such that x R y, there exists a transition < x > −σ→ < x′ > of M such that x′ R y′;

• for every open set U ⊆ X2 the lower inverse image R−l(U) is open;
• for every open set U ⊆ X1 the lower image Rl(U) is open;
• for every open set U ⊆ X2 the upper inverse image R−u(U) is open (equivalently, for every closed set U ⊆ X2 the lower inverse image R−l(U) is closed, because R−u(U) = X1 ∖ R−l(X2 ∖ U), as mentioned before);
• for every open set U ⊆ X1 the upper image Ru(U) is open;
• for every state x ∈ X1 the lower image Rl({x}) is compact;
• for every state y ∈ X2 the lower inverse image R−l({y}) is compact.

Two states x ∈ X1 and y ∈ X2 are continuously bisimilar, denoted x ↔c y, iff there exists a continuous bisimulation relation R such that x R y.

Interestingly, we need a few assumptions before we may conclude that continuous bisimulation is a stronger notion of equivalence than topological bisimulation. Firstly, we need that the topologies on the state spaces are metric [Berge, 1963, Eisenberg, 1974]. This turns out not to be a severe restriction, because the state spaces that are usually used in hybrid modeling are always products of discrete spaces (which are metric) and Euclidean spaces (which are metric). Secondly, we need that the bisimulation relations are total, i.e. that the sets {y | x R y} and {y | y R x} are non-empty for every x. This is also not a severe restriction, since in the remainder of this thesis we always use auto-bisimulations (i.e. bisimulation relations from a certain transition system to itself), of which we can assume without loss of generality that they include the identity relation.

Theorem 12 Let x0 ∈ X and y0 ∈ X be states of the same hybrid transition system L = < X, Σ, T, φ >, and let the topology on X be defined by a metric d. Then x0 ↔c y0 ⇒ x0 ↔∞ y0.

Proof Let R ⊆ X × X be a continuous auto-bisimulation relation on the state space X. We must prove that x0 R y0 implies that for each transfinite run (x, σ) with x(0) = x0 there exists a transfinite run (y, σ) with y(0) = y0 and x(n) R y(n) for every n ∈ dom(x). Because R is a bisimulation, it is easy to construct, for any finite run (x, σ), a sequence y such that y(0) = y0, (y, σ) is a run, and x(n) R y(n) for n ∈ dom(x).

This construction is also used in the proof of theorem 8. Using transfinite induction, we may also construct such a sequence for transfinite runs, if we can construct it for runs of limit-ordinal length. To this end, assume that we have a run (x, σ) of limit-ordinal length N. Analogously to the construction for finite runs, we can then construct a sequence y such that x(n) R y(n) for all n < N and such that (y, σ)|[0,n] is a run for every n < N. Because (x, σ) is a run, we find that x ⊸ x(N). We may conclude that (y, σ) is a run if we can choose y(N) such that y ⊸ y(N) and x(N) R y(N).

Without loss of generality, we may assume that the identity is part of our bisimulation relation R, i.e. that z R z for all z ∈ X. So {z′ | z′ R z} ≠ ∅ for any z. According to [Berge, 1963], Thm. 1, §6, Chp. VI, we may then conclude that R can be interpreted as a continuous, single-valued function R ∈ X → K, where K ⊆ 2^X is the set of compact subsets of X (note that we require the fact that the topology on X is metric for this). Hence, using [Eisenberg, 1974], Thm. 3.53, we find that the sequence n ↦ R(x(n)) accumulates at R(x(N)), i.e. R(x) ⊸ R(x(N)) (because accumulation is convergence of a subsequence). Using the topology on K as defined in [Berge, 1963], §6, Chp. VI, we find (after some calculation) that

∀ε>0 ∀i ∃j≥i max( sup{ inf{ d(v, w) | v ∈ R(x(j)) } | w ∈ R(x(N)) }, sup{ inf{ d(v, w) | w ∈ R(x(N)) } | v ∈ R(x(j)) } ) ≤ ε,

i.e. the Hausdorff distance between R(x(j)) and R(x(N)) becomes arbitrarily small along a subsequence. Selecting y(j) ∈ R(x(j)), we may conclude that inf{ d(y(j), w) | w ∈ R(x(N)) } ≤ ε. And using the fact that R(x(N)) is compact, we find that the infimum is, in fact, a minimum (see [Berge, 1963], §4, Chp. IV). Selecting this minimum, we can construct a transfinite sequence u ∈ Ω ↦ R(x(N)) such that ∀ε>0 ∀i ∃j≥i d(y(j), u(j)) ≤ ε. Furthermore, because R(x(N)) is a compact set, the sequence u has an accumulation point in R(x(N)). I.e. there exists y′ such that u ⊸ y′, or, by definition of accumulation, ∀ε>0 ∀i ∃j≥i d(u(j), y′) ≤ ε. Lastly, because d is a metric, we find that d(y(j), y′) ≤ d(y(j), u(j)) + d(u(j), y′), and therefore ∀ε>0 ∀i ∃j≥i d(y(j), y′) ≤ ε. We choose y(N) = y′ and find y ⊸ y(N) and x(N) R y(N). This concludes the proof. ⊠

The fact that it is indeed the topological structure that distinguishes bisimulation from topological bisimulation and continuous bisimulation becomes clear if a finite state space is assumed for both systems, with a discrete topology on those state spaces. This gives us the classical situation from computer science. For this particular case, the three notions coincide.

Theorem 13 Let M1 = < X1, Σ1, T1, φ1 > and M2 = < X2, Σ2, T2, φ2 > be hybrid transition systems such that X1 and X2 are finite, equipped with the discrete topology, and with Σ1 = Σ2. For x ∈ X1 and y ∈ X2 we find x ↔ y if and only if x ↔∞ y if and only if x ↔c y.

Proof That continuous bisimulation implies topological bisimulation, and topological bisimulation implies bisimulation, follows directly from theorems 9 and 12 (a discrete topology is metric). Furthermore, in a discrete topology all sets are open, and all finite sets are compact [Dugundji, 1966, Eisenberg, 1974]. Hence every bisimulation relation on finite sets is a continuous bisimulation relation, which concludes the proof. ⊠

Note that we cannot drop the assumption that the state spaces are finite. Both continuous bisimulation and topological bisimulation can observe the difference between a transition system with < x0 > −a→ < x0 > and a transition system with < xi > −a→ < xi+1 > for all i ∈ N. In the first transition system there is a converging sequence, while in the second there is none (see also [Cuijpers and Reniers, 2003b]).

Now we have covered the notions of run and equivalence, which are arguably the most important notions on systems from a computer science point of view. Also, we have seen how an added topological structure on the state space may influence these notions. In the next section, we look at control theory and sketch the way in which standard control notions can be defined on hybrid transition systems. Also, we show how these control notions are preserved by the notions of equivalence that we discussed.

2.4.3 Control notions

The notion of evolution, or run, defines arguably the most important characteristic of any type of system. Equivalence notions turn out to be invaluable if we want to consider hybrid transition systems as an algebraic structure. However, other notions are important from a practical point of view. In this section, we sketch the definitions of a few notions from control theory as an example of how this theory can be incorporated into the hybrid structure. It is not our intention to go into a detailed discussion on how to do analysis for those notions. This is left for future research.

One of the most fundamental notions from control theory is controllability of the state of a system. Controllability means that it is possible to steer the system from one state into another state by applying the right interactions. In its more general definition, the notion depends on the notion of run, and on the kind of equivalence that is used. We only discuss controllability based on finite hybrid runs and bisimulation here. The topological variants, as well as the trace equivalence variants, we leave for future research (see also [Cuijpers et al., 2002]).

The definition of controllability expresses that a system can be steered from one state into another by some interaction. Note that the definition is recursive, which makes it a little more complicated than previous definitions from control science (see for example [Polderman and Willems, 1998, Sontag, 1998]). This is because this definition also has to take the possibility of non-determinism into account: the same sequence of interactions must work for every successor state that the non-determinism may select.

Definition 24 (Controllability) Let < X, Σ, T, φ > be a hybrid transition system. The state y ∈ X can be steered into state y′′ ∈ X by the sequence of interactions σ ∈ N ↦ ((T ↦ ΣC) ∪ ΣD) of length n, if y ↔ y′′ and dom(σ) = ∅, or if recursively:

• there exists y′ such that < y > −σ(0)→ < y′ >, and

• for every y′ with < y > −σ(0)→ < y′ > we find that y′ can be steered into y′′ by σ|[1,n].

A system is controllable if every state can be steered into every other state.

This notion coincides with controllability as defined in definition 5.2.2 of [Polderman and Willems, 1998], which we repeat below, provided we restrict ourselves to time-invariant, locally specified, total, deterministic behavioral systems. Total, in this case, means that for every state there exists a behavior that goes through that state.

Definition 25 (Controllability [Polderman and Willems, 1998]) A time-invariant behavioral system B = < X, Σ, T, φ > is controllable if for every (x, σ) ∈ φ and (x′, σ′) ∈ φ there exist (y, ς) ∈ φ and τ > 0 such that x(t) = y(t) for t ≤ 0 and x′(t − τ) = y(t) for t ≥ τ.

Definition 26 (Totality) A behavioral system B = < X, Σ, T, φ > is total if for every x0 ∈ X there exists an evolution (x, σ) ∈ φ such that x0 = x(0).

Theorem 14 If a total, deterministic behavioral system is controllable according to definition 25, then its hybrid embedding is controllable according to definition 24.

Proof If a behavioral system B = < X, Σ, T, φ > is controllable according to [Polderman and Willems, 1998], then, by definition, for every two trajectories (x, σ), (x′, σ′) ∈ φ there exist a trajectory (y, ς) ∈ φ and a time τ ∈ T such that x(t) = y(t) and σ(t) = ς(t) for t ≤ 0, and x′(t − τ) = y(t) and σ′(t − τ) = ς(t) for t ≥ τ. From this, we conclude that the transition < y(0) > −ς|[0,τ]→ < y(τ) >, i.e. < x(0) > −ς|[0,τ]→ < x′(0) >, exists in the hybrid embedding of B, where ς|[0,τ] is the restriction of ς to [0, τ]. Hence, assuming B is total, we find that for every x, x′ ∈ X there exists σ such that < x > −σ→ < x′ >. Furthermore, we find that < x > −σ→ < x′′ > implies x′ = x′′, because B is deterministic. Hence, the hybrid embedding can be steered from any state into any other state using a single interaction. This concludes the proof. ⊠

Theorem 15 A time-invariant, deterministic behavioral system is controllable according to definition 25, if its hybrid embedding is controllable according to definition 24.

Proof Let B = < X, Σ, T, φ > be a behavioral system, and let L be its hybrid embedding. Furthermore, assume that we have two evolutions (x, σ), (x′, σ′) ∈ φ. By definition of controllability of L, we may assume that x(0) can be steered into a state x′′ with x′′ ↔ x′(τ), for an arbitrary τ > 0, by some sequence of interactions ρ ∈ N ↦ (T ↦ Σ) of length n (we do not need to consider discrete actions, since there are none in the hybrid embedding of a behavior). Furthermore, because B is deterministic, we can strengthen this to x′′ = x′(τ). So, by definition of embedding and time-invariance, there exists a sequence of evolutions (xi, ρ(i)) ∈ φ, each starting in the state where the previous one ends, such that x0(0) = x(0) and xn(↑dom(ρ(n))) = x′(τ). Then, by the state property of the behavioral system, there is also an evolution (y, ς) ∈ φ, with y(0) = x(0) and y(t) = x′(τ) for t = Σ_{i=0}^{n} ↑dom(ρ(i)), resulting from the concatenation of this sequence. Shifting (x′, σ′) using time-invariance, and concatenating this evolution with the other two, gives us (x, σ) ⊖0 (y, ς) ⊖t (x′, σ′)t−τ ∈ φ. This concludes the proof. ⊠

Corollary 1 A time-invariant, total, deterministic behavioral system is controllable if and only if its hybrid embedding is controllable.

Proof Directly from theorems 14 and 15. ⊠

Furthermore, controllability according to definition 24 is preserved under bisimulation. This means that if two hybrid behavioral systems are bisimilar, and one is controllable, then the other is controllable as well. Recall that bisimulation of two systems requires that for every state in the one system there is a bisimilar state in the other system.

Theorem 16 Controllability is preserved under bisimulation.

Proof Let L1 and L2 be two bisimilar hybrid behavioral systems, and let L1 be controllable. We will show that L2 is also controllable. Take any two states x, x′ ∈ X2. By definition of bisimilarity on systems, there must then also be two states y, y′ ∈ X1 with y ↔ x and y′ ↔ x′. Furthermore, by definition of controllability, there exists a sequence σ that steers y into y′. Using induction on the length of σ, it is easy to show that this sequence also steers x into a state bisimilar to x′. Firstly, assume that dom(σ) = ∅; then we easily find x ↔ y ↔ y′ ↔ x′. Furthermore, if dom(σ) ≠ ∅, then, by definition of controllability, there exists y′′ such that < y > −σ(0)→ < y′′ >, and σ|[1,n] steers every such y′′ into y′. By definition of bisimulation, there exists x′′ such that < x > −σ(0)→ < x′′ >, and every such x′′ is bisimilar to some y′′ with < y > −σ(0)→ < y′′ >. With induction, we find that σ|[1,n] steers every such x′′ into a state bisimilar to x′. This concludes the proof. ⊠
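
The definitions above can be checked mechanically once the interaction space is restricted to discrete actions. The following Python program is an added example and not part of the thesis: it computes the largest bisimulation of definition 20 by partition refinement, decides trace equivalence of definition 19 by a joint subset construction, and implements the steering relation of definition 24 with its universal quantification over the successors of a non-deterministic step. On the two systems of figure 2.11 it finds the states marked x trace equivalent but not bisimilar, it confirms theorem 8 on their bisimilar pairs, and on the pair of figure 2.12 (a one-state loop and a two-state toggle) it confirms theorem 16: both are controllable and they are bisimilar. The systems, and the names LTS, largest_bisimulation, trace_equivalent, steer and controllable, are this example's own constructions.

```python
# Added example, not from the thesis: finite transition systems with discrete
# actions only (hybrid transition systems without a continuous interaction part).
# It computes the largest bisimulation (Definition 20) by partition refinement,
# decides trace equivalence (Definition 19) by a joint subset construction, and
# checks controllability (Definition 24). Names (LTS, steer, ...) are this example's own.
from collections import deque


class LTS:
    """Finite transition system built from (source, label, target) triples."""
    def __init__(self, transitions):
        self.post_map, self.states = {}, set()
        for s, a, t in transitions:
            self.post_map.setdefault((s, a), set()).add(t)
            self.states |= {s, t}
        self.labels = sorted({a for (_, a) in self.post_map})

    def post(self, s, a):  # successors of s under a; empty set if a is disabled
        return self.post_map.get((s, a), set())


def largest_bisimulation(m, n):
    """Largest bisimulation between m and n (Definition 20): refine a partition of
    the tagged disjoint union until states sharing a block have, for every
    label, successors in exactly the same blocks."""
    systems = (m, n)
    states = [(0, s) for s in m.states] + [(1, s) for s in n.states]
    labels = sorted(set(m.labels) | set(n.labels))
    block = {q: 0 for q in states}
    while True:
        sig = {(i, s): (block[(i, s)],) + tuple(
                   frozenset(block[(i, t)] for t in systems[i].post(s, a))
                   for a in labels) for (i, s) in states}
        ids = {v: k for k, v in enumerate(set(sig.values()))}
        if len(ids) == len(set(block.values())):  # no block was split: stable
            break
        block = {q: ids[sig[q]] for q in states}
    return {(s, t) for s in m.states for t in n.states if block[(0, s)] == block[(1, t)]}


def systems_bisimilar(m, n):  # every state of either system has a partner in the other
    r = largest_bisimulation(m, n)
    return {s for s, _ in r} == m.states and {t for _, t in r} == n.states


def trace_equivalent(m, x0, n, y0):
    """Definition 19 on finite runs: after every common trace the same labels must
    be enabled. Explores pairs of state sets, so cyclic systems terminate."""
    seen, todo = set(), deque([(frozenset([x0]), frozenset([y0]))])
    while todo:
        A, B = todo.popleft()
        if (A, B) in seen:
            continue
        seen.add((A, B))
        en_a = {a for s in A for a in m.labels if m.post(s, a)}
        en_b = {a for s in B for a in n.labels if n.post(s, a)}
        if en_a != en_b:
            return False
        for a in en_a:
            todo.append((frozenset().union(*(m.post(s, a) for s in A)),
                         frozenset().union(*(n.post(s, a) for s in B))))
    return True


def steer(lts, y, target, bisim):
    """Shortest label sequence steering y into a state bisimilar to target, or None
    (Definition 24). A label applies only if every state of the current set enables
    it, and all successors are kept, because the rest of the sequence must work
    whichever successor the non-determinism picks."""
    goal = {z for z in lts.states if (z, target) in bisim}
    parent, todo = {frozenset([y]): None}, deque([frozenset([y])])
    while todo:
        cur = todo.popleft()
        if cur <= goal:  # base case: every remaining state is bisimilar to target
            seq = []
            while parent[cur] is not None:
                cur, a = parent[cur]
                seq.append(a)
            return seq[::-1]
        for a in lts.labels:
            if all(lts.post(s, a) for s in cur):
                nxt = frozenset().union(*(lts.post(s, a) for s in cur))
                if nxt not in parent:
                    parent[nxt] = (cur, a)
                    todo.append(nxt)
    return None


def controllable(lts):
    """Every state can be steered into every other state (Definition 24)."""
    bisim = largest_bisimulation(lts, lts)
    return all(steer(lts, y, z, bisim) is not None for y in lts.states for z in lts.states)


# Constructed systems. Figure 2.11: left, one a-step then a choice between b
# and c; right, two a-steps from x, one followed by b and one by c.
LEFT = LTS([("x", "a", "p"), ("p", "b", "s1"), ("p", "c", "s2")])
RIGHT = LTS([("x", "a", "q1"), ("q1", "b", "s1"), ("x", "a", "q2"), ("q2", "c", "s2")])
# FORK: the a-step from 0 lands in 1 or 2, which then need different labels, so
# no single sequence steers 0 into 1. LOOP and TOGGLE are the pair of figure 2.12.
FORK = LTS([(0, "a", 1), (0, "a", 2), (1, "b", 0), (2, "c", 0)])
LOOP, TOGGLE = LTS([(0, "a", 0)]), LTS([(0, "a", 1), (1, "a", 0)])
```

The universal quantification is what makes FORK uncontrollable: after the a-step from 0 the set {1, 2} is reached, no label is enabled in both of its states, and so no sequence steers 0 into 1, even though 1 and 2 can each be steered back into 0. Keeping only one successor per step instead of all of them would wrongly report FORK as controllable; that is exactly the difference between definition 24 and the deterministic definition 25.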

Another important notion from control theory is stability of a system. Stability of a system guarantees that the behavior of a system remains within reasonable bounds. In the literature, many different notions of stability have been given. One example from this large pool of possibilities defines a system to be stable around a certain state x if all the state evolutions that start near to x remain near to x. To define this formally, it is necessary to have a topology on the state space of a system. Many alternative notions of stability that can be found in the literature have a similar topological nature.

Definition 27 (Stability) A hybrid transition system with a topology on the state space X is stable around a state xs ∈ X, if for every open set U ⊆ X with xs ∈ U there exists an open set V ⊆ U with xs ∈ V, such that for every (transfinite) hybrid run (x, σ) with x(0) ∈ V we find that x(i) ∈ U for all i ∈ dom(x).

It is straightforward to prove that stability according to this definition implies stability according to definition 7.5.1 in [Polderman and Willems, 1998]. For convenience, we have lifted that notion to arbitrary behaviors and topologies.

Definition 28 (Stability [Polderman and Willems, 1998]) Given a behavioral system B = < X, Σ, T, φ >, we define the point xs ∈ X to be stable if for every open set U ⊆ X with xs ∈ U there exists an open set V ⊆ U with xs ∈ V, such that for every (x, σ) ∈ φ and every t we find that x(t) ∈ V implies x(t′) ∈ U for all t′ ≥ t.

Theorem 17 A behavioral system is stable according to definition 28 if its hybrid embedding is stable according to definition 27.

Proof Let xs be a stable point according to definition 27; we show that it is a stable point according to definition 28. Let U be an open set around xs. For every evolution (x, σ) and every t′ ≥ t, there is a transition < x(t) > −σ′→ < x(t′) > in the hybrid embedding, where σ′ = (σ|[t,t′])−t is the restriction of σ to [t, t′] shifted to start at time 0. These transitions can be interpreted as runs of length one, and, using stability of the hybrid embedding, we obtain that there exists an open set V ⊆ U with xs ∈ V such that x(t) ∈ V implies x(t′) ∈ U, for all t ≤ t′. This concludes the proof. ⊠

Perhaps surprisingly, we have not been able to prove the reverse case. This is due to the fact that transfinite runs always take their possible limit points into account as well, whereas in behavioral systems it is not customary to consider limit points for t ⊸ ∞. The following weakened definition of stability does coincide completely with the definition from [Polderman and Willems, 1998]. It is important to stress that we have not yet found an example that shows the difference between definition 27 and definition 29 either!

Definition 29 (Finite Stability) A hybrid transition system with a topology on the state space X is finitely stable around a state xs ∈ X, if for every open set U ⊆ X with xs ∈ U there exists an open set V ⊆ U with xs ∈ V, such that for every hybrid run (x, σ) of length n ∈ N with x(0) ∈ V we find that x(i) ∈ U for all i ≤ n.

Theorem 18 If a hybrid transition system is stable around a state xs, then it is finitely stable around that state.

Proof Trivial. If the behavior of a system stays within bounds for any finite or transfinite run, then it stays within bounds for any finite run. ⊠

Theorem 19 If a time-invariant behavioral system is stable according to definition 28, then its hybrid embedding is finitely stable.

Proof Let B = < X, Σ, T, φ > be a behavioral system, and L be its hybrid embedding. Furthermore, let xs be a stable point of B according to definition 28; we show that it is also a finitely stable point of L. Let U be an open set around xs. For every hybrid run (x, σ) of L of length n ∈ N, there exist evolutions (xi, σi) ∈ φ such that their concatenation (y, ς) = (x0, σ0) ⊖ . . . ⊖ (xn, σn) is again an evolution (y, ς) ∈ φ, passing through the states x(0), . . . , x(n) of the run. Because B is stable, there exists an open set V with xs ∈ V such that y(0) ∈ V implies y(t) ∈ U for all t ≥ 0. Hence, using time-invariance, if x(0) ∈ V, then x(i) ∈ U for all i ≤ n. This concludes the proof. ⊠

Corollary 2 A time-invariant behavioral system is stable according to definition 28 if and only if its hybrid embedding is finitely stable.

Proof Straightforward from theorems 19, 18 and 17. ⊠

Interestingly, none of the equivalences discussed in section 2.4.2 preserve the notions of stability and finite stability! Even continuous bisimulation, of which one would expect it most, turns out not to be strong enough. As an example of a system that has a stable state, but is equivalent (under all the notions of equivalence mentioned so far) to a system that does not have a stable state, consider the hybrid transition system L1 = < X1, Σ1, T1, φ1 >, with X1 = {0}, the single transition < 0 > −a→1 < 0 >, and the discrete topology on X1, and the system L2 = < X2, Σ2, T2, φ2 >, with X2 = {0, 1}, the transitions < 0 > −a→2 < 1 > and < 1 > −a→2 < 0 >, and the discrete topology on X2. In L1, the state 0 is stable, since every run stays in {0}. In L2, neither state is stable: the only open neighborhood of a state that excludes the other state is the singleton, and every run leaves it after one a-transition. Nevertheless, the relation {(0, 0), (0, 1)} is a bisimulation between L1 and L2, and by theorem 13 therefore also a continuous bisimulation. These systems have also been depicted in figure 2.12.

[Figure 2.12: the one-state system L1 with its a-loop, the two-state system L2 whose a-transitions alternate between its two states, and the continuous bisimulation relation (dashed) between them.]

Figure 2.12 A stable hybrid transition system, an equivalent unstable hybrid transition system, and the continuous bisimulation relation (dashed) between them.

The main reason for this lack of congruence is that the equivalences of section 2.4.2 do not count the number of states that are taken into account. As was mentioned in [Berge, 1963], one cannot reason about the elements of the compared spaces when using continuous relations. For this, one needs continuous functions. In our case, this would mean that we have to revert to isomorphism of the hybrid transition systems. We feel, however, that isomorphism is too strong a notion for reasoning about software systems. Furthermore, it is unreasonable to require from a piece of software that it remains in a certain state for it to be stable. Therefore, we propose a new notion of stability, which allows transitions within a compact set of states, and which is preserved under continuous bisimulation.

Definition 30 (Set-stability) A hybrid transition system < X, Σ, T, φ >, with a topology on the state space X, is stable around a set S ⊆ X, if S is compact, and for every open set U ⊆ X with S ⊆ U there exists an open set V ⊆ U such that S ⊆ V and for every (transfinite) hybrid run (x, σ) with x(0) ∈ V we find that x(i) ∈ U for all i ∈ dom(x). We also say that S is a stable subset of X.

Note that we require compactness of S to ascertain boundedness of stable sets in a metric setting [Eisenberg, 1974]. Alternative definitions, without this requirement, are conceivable. Furthermore, if the stable set is a singleton (i.e. S = {x}), then we obtain the definition of stability around a point. The notion of stability of sets is preserved under continuous bisimulation in the following way, provided that the topologies on the state spaces are Hausdorff [Eisenberg, 1974] (meaning that different states always have non-intersecting neighborhoods).

Theorem 20 Set-stability is preserved under continuous bisimulation if the topologies are Hausdorff. I.e. let L1 = < X1, Σ1, T1, φ1 > and L2 = < X2, Σ2, T2, φ2 > be two hybrid transition systems, and let S be a stable set of L1. Then, if s ∈ S and s ↔c s′, there exists a stable set S′ of L2 with s′ ∈ S′, and for every y ∈ S′ there exists x ∈ S with x ↔c y.

Proof Let R be a continuous bisimulation relation witnessing s ↔c s′. Then we can construct the set S′ = Rl(S), so that clearly s′ ∈ S′, and by definition for
all y ∈ S ′ there exists x ∈ S with xRy, and thus x -c y. Next, we show that this set is a stable set of L2 . Clearly, S ′ is compact, because continuous bisimulation relations map compact sets to compact sets (see [Berge, 1963], chp VI, §1, thm 3). For every open set U around S ′ , we create the set V = R−u (U ). This set is open, due to continuity of R. Furthermore S ⊆ R−u (Rl (S)) = R−u (S ′ ) ⊆ R−u (U ) = V . Because L1 is stable, there must exist an open set V ′ ⊆ V such that S ⊆ V ′ and such that every transfinite run (x, σ) with x(0) ∈ V ′ has the property that x(n) ∈ V for every n ∈ dom(x). We create the set U ′ = Rl (V ′ ). Clearly, this set is open, and furthermore S ′ = Rl (S) ⊆ Rl (V ′ ) = U ′ . Also, we observe that every run (y, σ) with y(0) ∈ U ′ is related to a run (x, σ) with x(0) ∈ V ′ and x(n) ∈ V , for every n ∈ dom(x). Therefore, for every n ∈ dom(y), we find y(n) ∈ Rl (V ) = Rl (R−u (U )) ⊆ U . This concludes the proof. ⊠ We conjecture, without proof, that stability of sets is not preserved under any of the other equivalences mentioned in section 2.4.2, because open sets in general are not preserved.

2.5 Conclusion

In this chapter, we have discussed several possible semantical frameworks for the modeling of hybrid systems. After some considerations, we have chosen hybrid transition systems as a suitable framework for our goals, mainly because of the operational view they provide. Hybrid transition systems have the drawback that not all behavioral systems can be translated into a hybrid transition system without loss of information. However, we have also argued that the behavioral systems that we are most interested in are translatable. To be complete, we have shown how several definitions of notions from computer science and control science can be transferred to the hybrid transition system framework. There turned out to be some problems in transferring the notion of stability, because the equivalences from computer science, even after extension to the topological domain, do not allow us to distinguish separate states. Because, in our opinion, the notion of graph isomorphism is too strong for use in computer science, the problem was solved by proposing a subtly weaker notion of stability within a set of states. In the next chapter, we will discuss the syntactical framework that is used to describe our hybrid transition systems, and the axioms and derivation rules that we use to reason about them. We will not return to topological issues in the remainder of this thesis, because there is little experience in the literature regarding the combination of process algebra and topology. The creation of a non-topological hybrid process algebra is considered difficult enough for the time being.

Chapter 3

Hybrid process algebra

“The only sure criticism that can be made is that a mixture of cultures always results in a blend of the worst of both.” [“Shibumi”, Trevanian]

“The egocentric ideal of a future reserved for those who have managed to attain egoistically the extremity of ‘everyone for himself’ is false and against nature. No element could move and grow except with and by all the others with itself.” [“The Phenomenon of Man”, Pierre Teilhard de Chardin]

In this chapter, the complete hybrid process algebra, called HyPA, is developed. In section 3.1, the reader is introduced to the syntax and semantics of the algebra. In section 3.2, a model of the benchmark steam boiler is discussed as an example of modeling in HyPA. Finally, in section 3.3, we discuss the calculation rules that may be used to reason about equivalence of hybrid processes. Examples of calculation with those rules can be found throughout the remainder of this thesis.

3.1 Syntax and semantics of HyPA

3.1.1 Syntax

In this section, the syntax of HyPA is introduced, which is an extension of the process algebra ACP [Baeten and Weijland, 1990, Fokkink, 1998] with the disrupt operator from LOTOS [Brinksma, 1985] and with variants of the flow clauses and re-initialization clauses from the event-flow formalism introduced in [van der Schaft and Schumacher, 2000b]. The signature of HyPA consists of the following constant and function symbols:

1. deadlock δ,
2. empty process ε,
3. discrete actions a ∈ A,
4. flow clauses c ∈ C,
5. a family of process re-initialization operators (d ≫ ·)d∈D,
6. alternative composition ⊕,
7. sequential composition ⊙,
8. disrupt and left-disrupt (the latter written ⊲),
9. parallel composition ∥, left-parallel composition ⌊⌊, and forced-synchronization |,
10. a family of encapsulation operators (∂H(·))H⊆A.

Deadlock and the empty process The atomic process terms δ (called deadlock) and ε (called empty process) are used to model a process that shows no behavior at all (i.e. that has inadvertently stopped functioning) and a (successfully) terminating process, respectively.


Discrete actions The atomic discrete actions are used to model discrete, computational behavior. The set A of discrete actions is considered a parameter of the theory and can be instantiated at will by the user of our hybrid process algebra.

Flow clauses Flow clauses are used to model continuous physical behavior. Traditionally, in systems theory, several different formalisms are used for the description of continuous behavior, and often the modeling or analysis question determines which formalism is to be used. For example, integral equations are sometimes easier to use than differential equations, and sometimes even the notion of solution for a differential equation can vary (although not within one model). The consequence for our hybrid approach is that we have to parametrize our theory in such a way that instantiations of these different formalisms can be chosen at will by the modeler. Common to all approaches is that continuous behavior is described by some sort of predicate on the flow of values of model variables Vm through time. Formally, we write V = ∪_{x∈Vm} V(x) for the union of all model variable domains, and Val = Vm → V for the set of variable valuations. The set of all flows is F = {f ∈ T ↦ Val | dom(f) = [0, t] for some t ∈ T}. Note that these functions all have a closed-interval domain starting in 0, as was the case in the labeled transition systems defined in chapter 2. The flows that are described by a flow predicate are called solutions of that predicate. We consider the set of flow predicates 𝒫f, the sets Vm of model variables and T of time points, and the notion of solution ⊨f ⊆ F × 𝒫f, which defines which flows are considered solutions of a flow predicate, parameters of our theory. This means they can be instantiated by the modeler, depending on the specific modeling or analysis problem. The theory we present in this chapter is largely independent of that choice, except that we assume the existence of a flow predicate false ∈ 𝒫f that satisfies no flow from the set F.

An atomic flow clause, finally, is a pair ( V | Pf ) of a set of model variables V ⊆ Vm, signifying which variables are not allowed to jump at the beginning of a flow, and a flow predicate Pf ∈ 𝒫f modeling continuous, never terminating, physical behavior. The set of all flow clauses is denoted C. We usually leave out the brackets for V, and even omit it (and the ‘|’ delimiter) if it is empty. Furthermore, the set C is closed under conjunction (∧) of flow clauses, and using the assumption that there is a flow predicate false, which is never satisfied, there is also a flow clause (false), which is the system theoretic equivalent of deadlock δ.

Re-initializations As with continuous physical behavior, there are several formalisms in systems theory that deal with discontinuous physical behavior, and, again, the modeling or analysis question determines which formalism is to be used in a specific situation. In general, one may say that discontinuous behavior is described through predicates about the re-initialization (or discontinuity, or change) of variables. As an example of such a predicate, consider a difference equation x⁺ = f(x⁻, u⁻), which denotes that the value of x is reassigned to f(x⁻, u⁻), based on the previous values of x and u. (This notation is for example used in [van der Schaft and Schumacher, 2000b].) Re-initialization predicates describe a set of re-initializations, which are pairs of valuations representing the values of the model variables prior to and immediately after the re-initialization. Such re-initializations are called solutions of the re-initialization predicate. The set of all re-initializations Val × Val is denoted R. As before, the set of re-initialization predicates 𝒫r and the notion of solution ⊨r ⊆ R × 𝒫r, which defines which re-initializations are considered solutions of a re-initialization predicate, are considered parameters of the theory. We assume the existence of re-initialization predicates true, false ∈ 𝒫r that satisfy any re-initialization, and no re-initialization from the set R, respectively.

A process re-initialization d ≫ p models the behavior of p where the model variables are submitted to a discontinuous change as specified by the re-initialization clause d. A re-initialization clause is a pair [ V | Pr ] of a set of model variables V ⊆ Vm and a re-initialization predicate Pr. The set V models which variables are allowed to change. Note that this is precisely opposite to flow clauses, where V denotes those variables that do not change. The set of all re-initialization clauses is denoted D. The set D is closed under conjunction (∧), disjunction (∨), and concatenation (∼) of re-initialization clauses. Also, there is a satisfiability operator (d?) on clauses d ∈ D, which does not re-initialize the values of a model variable, but only executes the re-initialized process if d can be satisfied in some way. And finally, there is a re-initialization clause (c^jmp) derived from a flow clause c ∈ C, which executes the same discontinuities that are allowed initially by the flow clause. These last two operators turn out to be especially useful when calculating with process terms. Using the assumption that there are re-initialization predicates false and true, we find the process re-initialization [false] ≫ p, executing no behavior since there is no re-initialization satisfying false, the process re-initialization [true] ≫ p, executing exactly the behavior of p, since none of the variables is allowed to change, and the process re-initialization [ Vm | true ] ≫ p, executing p after an arbitrary re-initialization.

Alternative and sequential composition The alternative composition p ⊕ q models a (non-deterministic) choice between the processes p and q. The sequential composition p ⊙ q models a sequential execution of processes p and q. The process q is executed after (successful) termination of the process p.

We use the notations ⊕ and ⊙ for alternative and sequential composition, rather than the usual + and ·, to avoid confusion with the notation used frequently in the description of flow and re-initialization predicates for addition and multiplication. We realize that this might distract people in the field of process algebra, yet chose to adapt the process algebraic notation rather than the notation adopted from system theory, simply because the latter has been in use for a longer time already.


Overloading the operators is also an option, since it is always clear from the context whether for example addition or choice is intended. When studying HyPA as a new process algebra, as is done in this thesis, overloading is probably to be preferred indeed, as it hardly hampers the search for process algebraic properties. However, when studying hybrid models in HyPA, and performing analysis using axioms from both process algebra and system theory in the same proofs, the overloading becomes more of a burden. Furthermore, when presenting these models to other hybrid researchers who are often not familiar with process algebra at all, this effect is even stronger.

Disrupt The disrupt p ▶ q models a kind of sequential composition where the process q may take over execution from process p at any moment, without waiting for its termination. This composition is invaluable when modeling two flow clauses executing one after the other, since the behavior of flow clauses is ongoing, and never terminates. The disrupt is originally introduced in the language LOTOS [Brinksma, 1985], where it is used to model for example exception handling. Also, it is used, for example in [Baeten and Bergstra, 2000], for the description of mode switches. The left-disrupt is mainly needed for calculation and axiomatization purposes, rather than for modeling purposes. For example, it occurs often when we attempt to eliminate the parallel composition from a process term through axiomatic reasoning, as described in section 3.3. The left-disrupt p ⊲ q first executes a part of the process p and then behaves as a normal disrupt.

Parallel composition The parallel composition p ‖ q models concurrent execution of p and q. The intuition behind this concurrent execution is that discrete actions are executed in an interleaving manner, with the possibility of synchronization (as in ACP, where synchronization is called communication), while flow clauses are forced to synchronize, and can only synchronize if they accept the same solutions. The synchronization of actions takes place using a (partial, commutative, and associative) communication function γ ∈ A × A ↦ A. For example, if the actions a and a′ synchronize, the resulting action is a′′ = a γ a′. Actions cannot synchronize with flow clauses, and in a parallel composition between those, the action executes first. This communication function is considered a parameter of the theory. As with the left-disrupt, the operators left-parallel composition and forced-synchronization are mainly introduced for calculation purposes. The left-parallel composition p ⌊‖ q models that either p performs a discrete action first, and then behaves as a normal parallel composition with q, or p cannot perform such an action, and the process deadlocks. The forced-synchronization p | q models how the first behavior (either a discrete action or a part of a flow) of p and q is synchronized, after which they behave as in a normal parallel composition. If synchronization is not possible, then the forced-synchronization deadlocks.


Encapsulation Encapsulation ∂H(p) models that certain discrete actions (from the set H ⊆ A) are blocked during the execution of the process p. This operator is often used in combination with the parallel composition to model that synchronization between discrete actions is enforced.

From the signature of HyPA, terms can be constructed using variables from a given set of process variables Vp (with Vp ∩ Vm = ∅), as usual. In this thesis, the set of all such terms is denoted T(Vp) and these are referred to as terms or open terms. Terms in which no process variables occur are called closed terms. The set of all closed terms is denoted T. Finally, all the processes should be interpreted in the light of a set E of recursive definitions, called recursive specification, of the form X : p, where X is a process variable and p is a term. We denote the set of all process variables that occur in the left-hand side of a recursive definition from E by Vr (Vr ⊆ Vp) and call these variables recursion variables. The set T(Vr) denotes the set of all terms in which only recursion variables are used. Such elements are referred to as process terms. We only allow recursive definitions X : p where the term p is a process term. Outside the recursive specification, recursion variables are treated as constants of the theory. Recursion is a powerful way to model repetition in a process.

The binding order of the operators of HyPA is as follows: ⊙, ▶, ⊲, d ≫, ‖, ⌊‖, |, ⊕, where alternative composition binds weakest, and sequential composition binds strongest. With encapsulation (∂H(_)), brackets are always used. As an example, a term d ≫ a ⊙ b ⊕ c ‖ c′ should be read as (d ≫ (a ⊙ b)) ⊕ (c ‖ c′).

3.1.2 Formal semantics

In this section, we give a formal semantics to the syntax defined in the previous section, by constructing a hybrid labeled transition system for each process term and each possible valuation of the model variables. The hybrid transition systems we use here have a little more structure than the ones introduced in chapter 2. Not only do we consider two different kinds of transitions, one associated with computational behavior (i.e. discrete actions) and the other associated with physical behavior (i.e. flow clauses), but there is also a termination predicate (✓) on states, indicating successful termination of a computation. Such a termination predicate, in one form or another, is not unusual in computer science [Baeten and Weijland, 1990, Aceto and Hennessy, 1992]. Furthermore, we have adapted the notation in this chapter to the notation that is more commonly used in the development of process algebras. The system structure is no longer indicated by φ ⊆ X × (Σ ∪ 𝒜) × X, but by two separate transition relations ⇝ ⊆ X × Σ × X and ↦ ⊆ X × 𝒜 × X.

Definition 31 (Hybrid Transition System, Revisited) A hybrid transition system is a tuple <X, 𝒜, Σ, ↦, ⇝, ✓>, consisting of a state space X, a set of action labels 𝒜, a set of flow labels Σ, and transition relations ↦ ⊆ X × 𝒜 × X and ⇝ ⊆ X × Σ × X. Lastly, there is a termination predicate ✓ ⊆ X.

For the semantical hybrid transition systems that are associated with HyPA terms, the state space is formed by pairs of process terms and valuations of the model variables, i.e. X = T(Vr) × Val. The set of action labels is formed by pairs of actions and valuations, i.e. 𝒜 = A × Val, and the set of flow labels is formed by the set of flows, i.e. Σ = F. Recall that the elements f ∈ F have a closed-interval domain, possibly a singleton, starting in 0.

Let x, x′ ∈ X be two states. We use the notation <x> –a↦ <x′> for a transition (x, a, x′) ∈ ↦ with a ∈ 𝒜. Similarly, we use <x> –σ⇝ <x′> for a transition (x, σ, x′) ∈ ⇝ with σ ∈ Σ. For arbitrary transitions, we use <x> –l→ <x′> instead of (x, l, x′) ∈ ↦ ∪ ⇝, with l ∈ 𝒜 ∪ Σ. Finally, termination is denoted <x> ✓ instead of x ∈ ✓.

Before we turn to the actual definition of the semantics of HyPA in terms of hybrid transition systems, a notion of solution for flow clauses and re-initialization clauses is needed for the definition of the semantics of these atoms of the algebra. These notions are obtained by lifting the notion of solution of flow predicates and re-initialization predicates, while taking into account the influence of the variable set V. A flow clause ( V | Pf ) changes the valuation of the model variables according to the possible solutions of its flow predicate Pf. In contrast to the flow predicates of [Henzinger, 1996], an initial jump in the value of a variable x is allowed in HyPA when x ∉ V. Furthermore, discontinuous and non-differentiable flows of x may be allowed, if such solutions exist for the type of flow predicate that is used. The concept of solution of a flow clause is lifted from the notion of solutions of its flow predicate as follows.

Definition 32 (Solution of a flow clause) A pair (ν, σ) ∈ Val × F is defined to be a solution of a flow clause c ∈ C, denoted (ν, σ) ⊨ c, as follows:
• (ν, σ) ⊨ ( V | Pf ) if σ ⊨f Pf, and for all x ∈ V we find ν(x) = σ(0)(x);
• (ν, σ) ⊨ c ∧ c′ if (ν, σ) ⊨ c and (ν, σ) ⊨ c′.

Clearly, the flow clause (false) has no solutions, as the flow predicate false has no solutions. A re-initialization clause [ V | Pr ] changes the valuation of the model variables according to the possible solutions of its re-initialization predicate Pr. The set V indicates the variables that are allowed to change their value. Whenever x ∉ V, the variable x is fixed. Note that this is precisely opposite to the use of V in flow clauses. We define the solutions of a re-initialization clause in terms of the solutions of a re-initialization predicate as follows.


Definition 33 (Solution of a re-initialization clause) A re-initialization (ν, ν′) ∈ R is defined to be a solution of a re-initialization clause d ∈ D, denoted (ν, ν′) ⊨ d, as follows:
• (ν, ν′) ⊨ [ V | Pr ] if (ν, ν′) ⊨r Pr and for all x ∉ V we find ν(x) = ν′(x);
• (ν, ν′) ⊨ d′ ∨ d′′ if (ν, ν′) ⊨ d′ or (ν, ν′) ⊨ d′′;
• (ν, ν′) ⊨ d′ ∧ d′′ if (ν, ν′) ⊨ d′ and (ν, ν′) ⊨ d′′;
• (ν, ν′) ⊨ d′ ∼ d′′ if there exists υ ∈ Val with (ν, υ) ⊨ d′ and (υ, ν′) ⊨ d′′;
• (ν, ν′) ⊨ d′? if ν = ν′, and there exists υ ∈ Val with (ν, υ) ⊨ d′;
• (ν, ν′) ⊨ c^jmp if there exists σ ∈ Σ such that (ν, σ) ⊨ c and σ(0) = ν′.

If we have two re-initialization clauses d, d′ ∈ D, the clause d ∼ d′ accepts exactly those solutions that are a concatenation of the re-initializations of d and d′. The clause d? does not change the value of any of the variables, it just models the condition under which d has a solution. The clause c^jmp imitates the re-initializations performed initially by a flow clause c. Obviously, the re-initialization clause [false] has no solutions, while [ Vm | true ] has every possible re-initialization as a solution. Note that [true] exactly allows all re-initializations that do not change any of the variable valuations.

The semantics of the HyPA constants and function symbols is given in the tables 3.1–3.5, using deduction rules in the style of [Plotkin, 1981]. In these tables p, p′, q, q′ denote process terms, a, a′, a′′ denote actions, c denotes a flow clause, d denotes a re-initialization clause, H denotes a set of actions, X denotes a recursion variable, ν, ν′, ν′′ denote valuations, σ denotes a flow, t denotes a point in time, and l denotes an arbitrary transition label. In table 3.1, the semantics of the atomic processes, the flow clauses, and the process re-initializations is given.

Table 3.1 Operational semantics of HyPA (premises ⟹ conclusions)

(1) <ε, ν> ✓

(2) <a, ν> –(a,ν)↦ <ε, ν>

(3) (ν, σ) ⊨ c, dom(σ) = [0, t] ⟹ <c, ν> –σ⇝ <c, σ(t)>

(4) (ν, ν′) ⊨ d, <p, ν′> ✓ ⟹ <d ≫ p, ν> ✓

(5) (ν, ν′) ⊨ d, <p, ν′> –l→ <p′, ν′′> ⟹ <d ≫ p, ν> –l→ <p′, ν′′>

Rule (1) captures our intuition that ε is a process that only terminates. Analogously, the fact that there is no rule for δ expresses that this is indeed a deadlocking process. Rule (2) expresses that discrete actions display their own name and the valuation of the model variables on the transition label, but do not change this valuation. Changes in the valuation can only be caused by flow clauses and re-initialization clauses, as defined by rules (3) to (5).

Table 3.2 Operational semantics of HyPA, alternative and sequential composition

(6) <p, ν> ✓ ⟹ <p ⊕ q, ν> ✓, <q ⊕ p, ν> ✓

(7) <p, ν> –l→ <p′, ν′> ⟹ <p ⊕ q, ν> –l→ <p′, ν′>, <q ⊕ p, ν> –l→ <p′, ν′>

(8) <p, ν> ✓, <q, ν> ✓ ⟹ <p ⊙ q, ν> ✓

(9) <p, ν> –l→ <p′, ν′> ⟹ <p ⊙ q, ν> –l→ <p′ ⊙ q, ν′>

(10) <p, ν> ✓, <q, ν> –l→ <q′, ν′> ⟹ <p ⊙ q, ν> –l→ <q′, ν′>

The semantics of the other operators is defined in tables 3.2, 3.3, 3.4, and 3.5. Rules (6) to (10), for alternative and sequential composition, are very similar to those of ACP. However, it is worth noting an important difference with timed versions of ACP.

Intermezzo: time-determinism It is important to note that we have chosen to model flow transitions as having the same non-deterministic interpretation as action transitions. This is in contrast to many timed process algebras [Baeten and Middelburg, 2002], where the passage of time cannot trigger a branching in the transition system. The reason for this way of modeling is our intuition that continuous behavior (i.e. the passing of time) influences the valuation of the model variables, and can therefore introduce choices in the system behavior, just like discrete actions do. That the choice for time non-determinism is indeed convenient is shown in [van de Brand, 2004]. There, an operator is defined, and partly axiomatized, that abstracts from a given set of model variables. If we use this abstraction to hide model variables that trigger choices, the flows of these variables become invisible, but the choices they make can still be distinguished. Admittedly, this can also be done in a time-deterministic setting by introducing τ-transitions for every choice, but we suspect that such a time-deterministic variable-abstraction operator would be very difficult to describe axiomatically.


The argument for introducing time-determinism [Baeten and Middelburg, 2002], that time is an external phenomenon that does not influence the state of a system, does not, in our opinion, hold for hybrid systems. Also, the hybrid automata of Henzinger [Henzinger, 1996], and most other hybrid automata approaches that we know of, are time-non-deterministic, supposedly for the same reasons. Interestingly, in [Bergstra and Middelburg, 2003] a time-deterministic approach to hybrid systems is chosen (clearly, they disagree with the above arguments), while in hybrid χ [Schiffelers et al., 2003a] operators are introduced for both. Models in the language hybrid χ, therefore, might show the difference between the approaches. As far as we can tell, the time-deterministic choice operator is used most often when, for example, a controller makes a choice after some delay, indeed without specifying the dynamics during this delay. This is modeled as a time-deterministic choice between delaying actions. When modeling physical modes of a system, the non-deterministic choice operator is used. The physical behavior of a system can only be in one mode, even if a particular evolution is permitted in both modes. In other words, time-determinism plays a role on a higher level of abstraction than that which we aim for in HyPA.

Table 3.3 Operational semantics of HyPA, disrupt

(11) <p, ν> ✓ ⟹ <p ▶ q, ν> ✓, <p ⊲ q, ν> ✓

(12) <p, ν> –l→ <p′, ν′> ⟹ <p ▶ q, ν> –l→ <p′ ▶ q, ν′>, <p ⊲ q, ν> –l→ <p′ ▶ q, ν′>

(13) <q, ν> ✓ ⟹ <p ▶ q, ν> ✓

(14) <q, ν> –l→ <q′, ν′> ⟹ <p ▶ q, ν> –l→ <q′, ν′>

Rules (11) to (14) define the semantics of the disrupt operator and the left-disrupt operator. If we compare these rules to the rules for sequential composition, we see that the main difference is the way in which termination is handled. Firstly, in a composition p ▶ q, the process q may start execution without p terminating. Secondly, if the process p terminates, the process p ▶ q may also terminate regardless of the behavior of q.

Rules (15) to (19) define the semantics of the parallel composition, and in these rules the difference between action transitions and flow transitions is most prominent. For actions, the interpretation of the parallel composition is the same as in ACP [Baeten and Weijland, 1990, Fokkink, 1998]. Discrete actions that are placed in parallel are interleaved, but can also synchronize using a (partial, commutative, and associative) communication function γ ∈ A × A ↦ A. If a discrete action a communicates with an action a′ (this is the case if a γ a′ is defined), the result is an action a′′ = a γ a′. If flow clauses are placed in parallel, they always synchronize their behavior such that, intuitively, the flows that are possible in a parallel composition are a solution of both clauses.

Table 3.4 Operational semantics of HyPA, parallel composition

(15) <p, ν> ✓, <q, ν> ✓ ⟹ <p ‖ q, ν> ✓, <p | q, ν> ✓

(16) <p, ν> –σ⇝ <p′, ν′>, <q, ν> –σ⇝ <q′, ν′> ⟹ <p ‖ q, ν> –σ⇝ <p′ ‖ q′, ν′>, <p | q, ν> –σ⇝ <p′ ‖ q′, ν′>

(17) <p, ν> –σ⇝ <p′, ν′>, <q, ν> ✓ ⟹ <p ‖ q, ν> –σ⇝ <p′, ν′>, <q ‖ p, ν> –σ⇝ <p′, ν′>, <p | q, ν> –σ⇝ <p′, ν′>, <q | p, ν> –σ⇝ <p′, ν′>

(18) <p, ν> –(a,ν′)↦ <p′, ν′′> ⟹ <p ‖ q, ν> –(a,ν′)↦ <p′ ‖ q, ν′′>, <q ‖ p, ν> –(a,ν′)↦ <q ‖ p′, ν′′>, <p ⌊‖ q, ν> –(a,ν′)↦ <p′ ‖ q, ν′′>

(19) <p, ν> –(a,ν′)↦ <p′, ν′′>, <q, ν> –(a′,ν′)↦ <q′, ν′′>, a′′ = a γ a′ ⟹ <p ‖ q, ν> –(a′′,ν′)↦ <p′ ‖ q′, ν′′>, <p | q, ν> –(a′′,ν′)↦ <p′ ‖ q′, ν′′>

Encapsulation, as defined by rules (20) to (22), only influences action transitions. This is not surprising, since, as mentioned before, the ∂H(_) operator is originally intended to model enforced synchronization in a parallel composition. Parallel composition, in general, may lead to interleaving actions and synchronized actions. The encapsulation operator is then used to block the interleaving actions. Flow transitions are already synchronized in the parallel composition, so there is no need for encapsulation of those. Rules (23) and (24) model recursion in the same way as it was done in [Baeten and Weijland, 1990, Fokkink, 1998]. For a recursive definition X : p, a transition for the variable X is possible if it can be deduced from the semantical rules for the process term p.


Table 3.5 Operational semantics of HyPA, encapsulation and recursion

(20) <p, ν> –(a,ν′)↦ <p′, ν′′>, a ∉ H ⟹ <∂H(p), ν> –(a,ν′)↦ <∂H(p′), ν′′>

(21) <p, ν> –σ⇝ <p′, ν′> ⟹ <∂H(p), ν> –σ⇝ <∂H(p′), ν′>

(22) <p, ν> ✓ ⟹ <∂H(p), ν> ✓

(23) <p, ν> ✓, X : p ∈ E ⟹ <X, ν> ✓

(24) <p, ν> –l→ <p′, ν′>, X : p ∈ E ⟹ <X, ν> –l→ <p′, ν′>

3.2 Steam boiler example

This section is intended to illustrate the use of HyPA for modeling hybrid systems. We do this by discussing a model of the celebrated benchmark problem of the steam boiler [Abrial, 1995]. In part II of this thesis, many other examples are worked out and discussed in more detail. For reasons of brevity, the steam boiler problem is simplified considerably. It is not our intention to give a comparison with other models of the steam boiler here. We only want to give a feeling for the syntax and semantics of the language. The text below briefly explains what the given model consists of.

[Figure 3.1 The steam boiler: the Water process (volume V, between Vmin and Vmax) receives in-flow Qi from the Valve and loses steam Qs to the Heater; the Controller interacts with the Valve through the actions {op, cl}.]

The boiler process, as depicted in figure 3.1, consists of a volume of water V [m³], an in-flow of water Qi [m³/sec] and a steam production Qs [m³/sec]. The relation between volume, in-flow and steam production is described by the differential equation V̇ = Qi − Qs. The steam production is determined by the Heater process, which limits it between the constants Qmin [m³/sec] and Qmax [m³/sec]. We do not have more information on the Heater, and can therefore not describe the behavior of Qs in more detail. The in-flow is determined by a Valve process, which can be opened or closed using the actions ro and rc respectively. If the valve is open, the in-flow to the boiler has value Qin [m³/sec]. If it is closed, the in-flow is 0 [m³/sec]. Furthermore, there is a Controller that interferes with the valve by telling it to open or close using the actions so and sc. The goal of this controller is to keep the volume of water between the constants Vmin [m³] and Vmax [m³]. The controller uses a clock t [sec] to measure the sampling time T [sec] between interactions. Furthermore, it takes a margin of Vsafe [m³] into account, to compensate for errors due to the sampling time. The total system is the parallel composition of the Water process, the Heater, the two modes of the Valve, and the Controller, over which communication is enforced through the definitions op = ro γ so, cl = rc γ sc, and H = {so, sc, ro, rc}:

Water : ( V | V̇ = Qi − Qs ),
Heater : ( Qmin ≤ Qs ≤ Qmax ),
ValveOpen : ( Qi = Qin ) ▶ (rc ⊙ ValveClose ⊕ ro ⊙ ValveOpen),
ValveClose : ( Qi = 0 ) ▶ (ro ⊙ ValveOpen ⊕ rc ⊙ ValveClose),
Controller : [ t | t⁺ = 0 ] ≫ ( t | ṫ = 1 ∧ t ≤ T ) ▶ [ t⁻ = T ] ≫ ( [ V⁻ ≥ Vmax − Vsafe ] ≫ sc ⊙ Controller ⊕ [ Vmin + Vsafe ≤ V⁻ ≤ Vmax − Vsafe ] ≫ Controller ⊕ [ V⁻ ≤ Vmin + Vsafe ] ≫ so ⊙ Controller ),
Boiler : ∂H(Water ‖ Heater ‖ (ValveOpen ⊕ ValveClose) ‖ Controller).

In the next section, we discuss an axiomatization of HyPA that allows us to rewrite the Boiler process into a form in which all parallel compositions are eliminated.

3.3 Algebraic reasoning in HyPA

The strength of the field of process algebra lies in its ability to use equational reasoning for the analysis of transition systems, or, more precisely, for the analysis of equivalence classes of transition systems, called processes. In this section, we show that this equational reasoning is also possible in HyPA. We start out by defining a notion of bisimilarity on process terms, reflecting equivalence of the underlying hybrid transition systems. Then, we study properties of this equivalence, and capture those properties in a set of derivation rules and a set of axioms on the algebra of process terms. Together with a principle for guarded recursion, this forms a proof system in which every derived equality on process terms represents equality of the underlying hybrid transition systems. In other words, process terms that are derivably equal describe transition systems in the same equivalence class, and hence describe the same process.

This section is split up in five parts. In the first part, we define the notion of robust bisimilarity. In the second part, we give a formal axiomatization of this notion, and we treat the intuition behind the axioms, and the insights they provide us with. In the third part, we prove soundness of this axiomatization. In the fourth part, we discuss a specification principle that is used for reasoning about recursion, and in the fifth part, we show a few useful properties of our axiomatization, like a conservativity theorem with respect to the process algebra ACP and a rewrite system for rewriting closed terms into a normal form.

3.3.1 Robust bisimilarity of processes

In this subsection, we revisit the equivalence notion of bisimilarity, known from section 2.4.2, and adapt it to become a suitable equivalence notion on process terms. As was mentioned previously, the hybrid transition systems that are used to give a semantics of HyPA contain an additional termination structure. Therefore, we start out by adapting the notion of bisimilarity on hybrid transition systems as follows.

Definition 34 (Bisimilarity on hybrid transition systems) Given a hybrid transition system <X, 𝒜, Σ, ↦, ⇝, ✓>, a relation R ⊆ X × X is a bisimulation relation if
• for all x, y ∈ X such that x R y, we find <x> ✓ implies <y> ✓;
• for all x, y ∈ X such that x R y, we find <y> ✓ implies <x> ✓;
• for all x, x′, y ∈ X such that x R y and l ∈ 𝒜 ∪ Σ, we find <x> –l→ <x′> implies there exists y′ such that <y> –l→ <y′> and x′ R y′;
• for all x, y, y′ ∈ X such that x R y and l ∈ 𝒜 ∪ Σ, we find <y> –l→ <y′> implies there exists x′ such that <x> –l→ <x′> and x′ R y′.

Two states x, y ∈ X are bisimilar, notation x ↔ y, if there exists a bisimulation relation that relates x and y. In lifting this notion of equivalence on hybrid transition systems to process terms (and hence abstracting from valuations) we have to be careful. It is assumed that the model variables that are shared by the process terms to be related represent the same entity. Therefore, both process terms are only compared with respect to the same (arbitrary) initial valuation of the model variables.


Definition 35 (Bisimilarity) Two process terms p, q ∈ T(Vr) are bisimilar, denoted p ↔ q, if there exists a bisimulation relation R ⊆ (T(Vr) × Val) × (T(Vr) × Val) such that <p, ν> R <q, ν> for all valuations ν ∈ Val.

As it turns out, this notion of equivalence leads to problems in combination with the parallel composition of processes. This is due to a possible sharing of variables between processes. As an example, one might study the following discrete systems:

X : [ x | x⁺ = 1 ] ≫ a1 ⊙ [ x⁻ = 1 ] ≫ a2,
Y : [ x | x⁺ = 1 ] ≫ a1 ⊙ a2.

Using bisimilarity, we find that X ↔ Y: since the value of x is set to 1 by the first action a1, the second re-initialization of X is irrelevant. However, placing these processes in parallel with the process

Z : [ x | x⁺ = 2 ] ≫ a3

clearly shows a difference. One might expect that X ‖ Z ↔ Y ‖ Z, but the sharing of variables leads to the result that the sequence a1 followed by a3 gives a deadlock situation for X ‖ Z, while the action a2 can still occur for Y ‖ Z. The interference of Z shows a difference between X and Y. In order for the equivalence to be robust with respect to interference caused by processes executed in parallel, for all states that are reached by performing transitions, it is required that the contained process terms are related for all valuations that can be obtained through interference. This is what we call robustness of a relation. An interference can be modeled as a function ι : Val → Val. Observe that we apply the same interference function to both variable valuations.

Definition 36 (Robust) A relation R ⊆ (T(Vr) × Val) × (T(Vr) × Val) is robust if for all <p, ν>, <p′, ν′> ∈ X such that <p, ν> R <p′, ν′>, and for all interferences ι ∈ Val → Val, we find <p, ι(ν)> R <p′, ι(ν′)>.

Definition 37 (Robust bisimilarity) Two process terms p, q ∈ T(Vr) are robustly bisimilar, denoted p ↔r q, if there exists a robust bisimulation relation R ⊆ (T(Vr) × Val) × (T(Vr) × Val) such that <p, ν> R <q, ν> for all valuations ν ∈ Val.

In this thesis, robust bisimilarity is selected as the core equivalence between hybrid processes. Admittedly, this equivalence is rather fine-grained. The use of robust bisimilarity is therefore limited to showing equivalence of different structural representations of a process. For example, in section 3.3.5, we show how every closed process term can be represented as a robustly bisimilar basic process term (i.e. a closed term from which
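The interference between X, Y and Z described above, worked out as an added Python example that is not part of the thesis: it implements the discrete fragment of HyPA (terms without flow clauses) following Definition 33 and the deduction rules of tables 3.1, 3.2 and 3.4, assumes a communication function that is undefined on every action and a constructed finite value domain for x, and computes the complete action traces of X, Y, X ‖ Z and Y ‖ Z, where the run a1, a3 of X ‖ Z ends in deadlock.

```python
"""Added example (not from the thesis): the discrete fragment of HyPA, that is
terms without flow clauses, with re-initialization clauses as in Definition 33
and deduction rules (1), (2), (4), (5), (8)-(10), (15) and (18). The communication
function gamma is assumed undefined on all actions, so parallel composition is
pure interleaving; valuations range over a small constructed finite domain so
that the targets of a re-initialization can be enumerated."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Set, Tuple, Union

Val = Dict[str, int]    # valuation nu : Vm -> V (integers suffice here)
DOMAIN = (0, 1, 2)      # constructed finite value domain for every model variable

@dataclass(frozen=True)
class Eps:              # empty process: terminates (rule 1), no transitions
    pass

@dataclass(frozen=True)
class Act:              # discrete action: valuation stays unchanged (rule 2)
    name: str

@dataclass(frozen=True)
class Reinit:           # re-initialization clause [ V | Pr ]
    V: FrozenSet[str]                   # variables that MAY change
    pred: Callable[[Val, Val], bool]    # Pr as a predicate on (nu, nu')

@dataclass(frozen=True)
class Pre:              # process re-initialization d >> p (rules 4, 5)
    d: Reinit
    p: "Term"

@dataclass(frozen=True)
class Seq:              # sequential composition p (.) q (rules 8-10)
    p: "Term"
    q: "Term"

@dataclass(frozen=True)
class Par:              # parallel composition p || q (rules 15, 18)
    p: "Term"
    q: "Term"

Term = Union[Eps, Act, Pre, Seq, Par]
Step = Tuple[str, Term, Val]   # (action name, target term, target valuation)

def solves(d: Reinit, nu: Val, nu2: Val) -> bool:
    """(nu, nu') |= [ V | Pr ]: Pr holds and every x not in V keeps its value."""
    return d.pred(nu, nu2) and all(nu[x] == nu2[x] for x in nu if x not in d.V)

def reinit_targets(d: Reinit, nu: Val) -> List[Val]:
    """All nu' over DOMAIN with (nu, nu') |= d; an empty list means d >> p deadlocks."""
    names = sorted(nu)
    cands = (dict(zip(names, vs)) for vs in product(DOMAIN, repeat=len(names)))
    return [nu2 for nu2 in cands if solves(d, nu, nu2)]

def terminates(t: Term, nu: Val) -> bool:
    """The termination predicate on the state <t, nu>."""
    if isinstance(t, Eps):
        return True
    if isinstance(t, Pre):
        return any(terminates(t.p, nu2) for nu2 in reinit_targets(t.d, nu))
    if isinstance(t, (Seq, Par)):
        return terminates(t.p, nu) and terminates(t.q, nu)
    return False                                  # an action does not terminate

def steps(t: Term, nu: Val) -> List[Step]:
    """All action transitions leaving the state <t, nu>."""
    if isinstance(t, Act):
        return [(t.name, Eps(), nu)]
    if isinstance(t, Pre):                        # rule 5: re-initialize, then step
        return [s for nu2 in reinit_targets(t.d, nu) for s in steps(t.p, nu2)]
    if isinstance(t, Seq):                        # rules 9 and 10
        out = [(a, Seq(p2, t.q), nu2) for a, p2, nu2 in steps(t.p, nu)]
        return out + (steps(t.q, nu) if terminates(t.p, nu) else [])
    if isinstance(t, Par):                        # rule 18, both sides
        return ([(a, Par(p2, t.q), nu2) for a, p2, nu2 in steps(t.p, nu)]
                + [(a, Par(t.p, q2), nu2) for a, q2, nu2 in steps(t.q, nu)])
    return []

def complete_traces(t: Term, nu: Val) -> Set[Tuple[Tuple[str, ...], bool]]:
    """Maximal action sequences from <t, nu>, tagged True when the run ends in
    a terminating state and False when it ends in deadlock."""
    nxt = steps(t, nu)
    out = {((a,) + tr, ok) for a, t2, nu2 in nxt for tr, ok in complete_traces(t2, nu2)}
    if terminates(t, nu):
        out.add(((), True))
    elif not nxt:
        out.add(((), False))
    return out

# The processes X, Y and Z of section 3.3.1, built over the single variable x.
def set_x(v: int) -> Reinit:          # [ x | x+ = v ]
    return Reinit(frozenset({"x"}), lambda nu, nu2: nu2["x"] == v)

def x_was(v: int) -> Reinit:          # [ x- = v ]: a condition, nothing may change
    return Reinit(frozenset(), lambda nu, nu2: nu["x"] == v)

X = Pre(set_x(1), Seq(Act("a1"), Pre(x_was(1), Act("a2"))))
Y = Pre(set_x(1), Seq(Act("a1"), Act("a2")))
Z = Pre(set_x(2), Act("a3"))
NU0: Val = {"x": 0}   # constructed initial valuation
```

Comparing complete_traces(Par(X, Z), NU0) with complete_traces(Par(Y, Z), NU0) shows the deadlocking run (a1, a3) of X ‖ Z and the completed run (a1, a3, a2) of Y ‖ Z, while X and Y alone yield the same traces from every valuation over DOMAIN.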

70

Chapter 3 Hybrid process algebra

for example the parallel compositions and encapsulations have been eliminated). For the analysis of functional properties of a system, we need to drop the robustness requirement, at the cost of loosing congruence for the parallel composition. In chapter 6, we show an example of this, by performing safety analysis of statespace representations of processes (i.e. recursive process definitions in which no parallel composition occurs). In the next subsection, we discuss an axiomatization of robust bisimilarity for HyPA. As a last note, we mention that in appendix B it is shown that the notion of robust bisimilarity given here coincides with the notion of bisimilarity (also called stateless bisimilarity) used in [Cuijpers and Reniers, 2003a] and [Mousavi et al., 2004]. We adapted the definition, because it separates the idea of interference from the notion of bisimilarity.

3.3.2 Axiomatization

In this subsection, we give the axiomatization of robust bisimilarity in HyPA. In table 3.6, we give a set of derivation rules, and throughout this subsection we give a set of axioms that, to a large extent, capture the notion of robust bisimilarity. We write $\mathrm{HyPA} \vdash_E p \approx_r q$ if we can derive equivalence of $p$ and $q$ using those axioms and recursive definitions from a set $E$.

Definition 38 (Derivation) Let $E$ be a set of recursive definitions over a set of recursion variables $V_r$. We write $\mathrm{HyPA} \vdash_E p \approx_r q$ to indicate that equivalence of (open) terms $p$ and $q$ can be derived from our axiom system and the recursive definitions from $E$. In cases where there can be no confusion as to the set of recursive definitions that is intended, we write $\vdash$ instead of $\vdash_E$. We define that equivalence can be derived according to the rules given in table 3.6. In this table, $p, p_i, q, q_i, r$ denote process terms, $d, d'$ denote re-initialization clauses, and $c, c', c''$ denote flow clauses.

Rules (1), (2) and (3) of table 3.6 express that $\approx_r$ is an equivalence. Rules (4) and (5) express that it is a congruence. Rules (6) and (7) express that equivalence of flow predicates and re-initialization predicates transfers to equivalence of flow clauses and re-initialization clauses respectively. Rule (8) expresses that a recursive specification $X : p$ gives rise to an equivalence of $X$ and $p$. In the remainder of this subsection, the axioms of HyPA, and the insight they provide regarding the operators of the language, are presented. Rule (9) expresses that these axioms indeed define equivalences. In each of the axioms, $x, y, z$ denote arbitrary terms. The letters $a, a'$ denote actions, while $c, c'$ denote flow clauses and $d, d'$ denote re-initialization clauses. Unlike what is usual for ACP, one may not choose $\delta$ when $a$ is written in an axiom. At the end of this subsection, the intuitions behind derivation rules (10) and (11) are discussed.

Table 3.6 Derivation rules of HyPA

(1) $\dfrac{}{\mathrm{HyPA} \vdash_E p \approx_r p}$

(2) $\dfrac{\mathrm{HyPA} \vdash_E p \approx_r q}{\mathrm{HyPA} \vdash_E q \approx_r p}$

(3) $\dfrac{\mathrm{HyPA} \vdash_E p \approx_r q,\quad \mathrm{HyPA} \vdash_E q \approx_r r}{\mathrm{HyPA} \vdash_E p \approx_r r}$

(4) $\dfrac{\mathrm{HyPA} \vdash_E p \approx_r q,\quad S : V_p \to T(V_p),\quad \mathrm{dom}(S) \cap V_r = \emptyset}{\mathrm{HyPA} \vdash_E S(p) \approx_r S(q)}$

(5) $\dfrac{O \text{ an } n\text{-ary HyPA operator},\quad \forall_{1 \le i \le n}\ \mathrm{HyPA} \vdash_E p_i \approx_r q_i}{\mathrm{HyPA} \vdash_E O(p_1, \ldots, p_n) \approx_r O(q_1, \ldots, q_n)}$

(6) $\dfrac{\forall_{\nu,\nu'}\ (\nu,\nu') \models d \text{ iff } (\nu,\nu') \models d'}{\mathrm{HyPA} \vdash_E d \gg x \approx_r d' \gg x}$

(7) $\dfrac{\forall_{\nu,\sigma}\ (\nu,\sigma) \models c \text{ iff } (\nu,\sigma) \models c'}{\mathrm{HyPA} \vdash_E c \approx_r c'}$

(8) $\dfrac{X : p \in E}{\mathrm{HyPA} \vdash_E X \approx_r p}$

(9) $\dfrac{p \approx_r q \text{ is an axiom}}{\mathrm{HyPA} \vdash_E p \approx_r q}$

(10) $\dfrac{\forall_{\nu,\sigma}\ (\nu,\sigma) \models c' \text{ implies } (\nu,\sigma) \models c,\qquad \forall_{\nu,\nu',\sigma}\ (\nu,\nu') \models d \text{ and } (\nu',\sigma) \models c \text{ imply } (\nu',\sigma) \models c'}{\mathrm{HyPA} \vdash_E d \gg c \approx_r d \gg c' \rhd c}$

(11) $\dfrac{\forall_{\nu,\sigma}\ (\nu,\sigma) \models c \text{ iff } (\nu,\sigma) \models c' \text{ or } (\nu,\sigma) \models c''}{\mathrm{HyPA} \vdash_E c \approx_r (c' \oplus c'') \rhd c}$

The first five axioms, known as the axioms of basic process algebra [Baeten and Weijland, 1990], model properties of choice and sequential composition.

$$\begin{array}{rcl}
x \oplus y &\approx_r& y \oplus x\\
(x \oplus y) \oplus z &\approx_r& x \oplus (y \oplus z)\\
x \oplus x &\approx_r& x\\
(x \oplus y) \odot z &\approx_r& x \odot z \oplus y \odot z\\
(x \odot y) \odot z &\approx_r& x \odot (y \odot z)
\end{array}$$

Alternative composition is idempotent, because a choice between equals is not really considered a choice. Furthermore, it is associative and commutative. Sequential composition is only associative. Sequential composition right-distributes over alternative composition, but does not left-distribute, since that would lead to a change in the moment of choice. Alternative composition and sequential composition have deadlock and the empty process, respectively, as a unit element, while deadlock is a left-zero element for sequential composition.

$$\begin{array}{rcl}
x \oplus \delta &\approx_r& x\\
\delta \odot x &\approx_r& \delta\\
\epsilon \odot x &\approx_r& x\\
x \odot \epsilon &\approx_r& x
\end{array}$$

In fact, any flow clause is a left-zero element of sequential composition, since flow clauses do not terminate. This is a generalization of the previous axiom, recalling the earlier remark that the flow clause $(\mathit{false})$ is the system theoretic equivalent of deadlock. For many of the operators, the role of deadlock can be derived from the axioms on flow clauses. Often, however, we give the axiom for deadlock separately, for the sake of clarity of the presentation.

$$\begin{array}{rcl}
c \odot x &\approx_r& c\\
(\mathit{false}) &\approx_r& \delta
\end{array}$$

The disrupt operator can only be axiomatized using the left-disrupt (see [Baeten and Bergstra, 2000]).

$$x \blacktriangleright y \approx_r x \rhd y \oplus y$$

For the left-disrupt, we find the following axioms, which reflect right-distribution over the alternative composition and a kind of associativity. Deadlock is a left-zero and a right-unit element of the left-disrupt. Also, there are two axioms formalizing the relation between sequential composition and left-disrupt. The last of these axioms reflects that, if the left argument of the left-disrupt does not terminate, then sequential composition distributes over left-disrupt. Derivation rules (10) and (11), which also deal with the left-disrupt, are discussed at the end of this section.

$$\begin{array}{rcl}
(x \oplus y) \rhd z &\approx_r& x \rhd z \oplus y \rhd z\\
(x \rhd y) \rhd z &\approx_r& x \rhd (y \blacktriangleright z)\\
a \odot x \rhd y &\approx_r& a \odot (x \blacktriangleright y)\\
(x \odot \delta \rhd y) \odot z &\approx_r& x \odot \delta \rhd y \odot z\\
\delta \rhd x &\approx_r& \delta\\
x \rhd \delta &\approx_r& x\\
\epsilon \rhd x &\approx_r& \epsilon
\end{array}$$

The axiomatization of parallel composition relies on the axiomatization of the left-parallel composition (written $\underline{\parallel}$ below) and the forced-synchronization operator (written $\mid$).

$$x \parallel y \approx_r x \mathbin{\underline{\parallel}} y \oplus y \mathbin{\underline{\parallel}} x \oplus x \mid y$$

Regarding the left-parallel composition and the forced-synchronization, we find the following axioms that describe associativity and commutativity properties. The axioms also describe how all independent behavior of parallel composition is executed by the left-parallel composition, while synchronization amongst actions, amongst flow clauses and between termination and flow clauses is executed by the forced-synchronization operator. Note that this corresponds to the choice made in [Baeten et al., 2003], and is subtly different from the way parallel composition is treated in [Baeten and Weijland, 1990]. For the forced-synchronization operator, we find termination if both the left and the right process terminate. Termination cannot synchronize with actions, and therefore leads to deadlock. Actions $a$ and $a'$ may synchronize by producing an action $a\gamma a'$ if this action is defined, and otherwise the forced-synchronization results in deadlock. Termination may occur before flow behavior executes, actions and flows cannot synchronize, and flows always must synchronize.

$$\begin{array}{rcl}
\epsilon \mathbin{\underline{\parallel}} x &\approx_r& \delta\\
a \odot x \mathbin{\underline{\parallel}} y &\approx_r& a \odot (x \parallel y)\\
c \rhd x \mathbin{\underline{\parallel}} y &\approx_r& \delta\\
\delta \mathbin{\underline{\parallel}} x &\approx_r& \delta\\
x \mathbin{\underline{\parallel}} \epsilon &\approx_r& x\\
(x \oplus y) \mathbin{\underline{\parallel}} z &\approx_r& x \mathbin{\underline{\parallel}} z \oplus y \mathbin{\underline{\parallel}} z\\
(x \mathbin{\underline{\parallel}} y) \mathbin{\underline{\parallel}} z &\approx_r& x \mathbin{\underline{\parallel}} (y \parallel z)\\
(x \mid y) \mathbin{\underline{\parallel}} z &\approx_r& x \mid (y \mathbin{\underline{\parallel}} z)
\end{array}$$

$$\begin{array}{rcll}
\epsilon \mid \epsilon &\approx_r& \epsilon\\
\delta \mid x &\approx_r& \delta\\
\epsilon \mid c \rhd x &\approx_r& c \rhd x\\
\epsilon \mid a \odot x &\approx_r& \delta\\
x \mid y &\approx_r& y \mid x\\
(x \oplus y) \mid z &\approx_r& x \mid z \oplus y \mid z\\
(x \mid y) \mid z &\approx_r& x \mid (y \mid z)\\
a \odot x \mid b \odot y &\approx_r& (a\gamma b) \odot (x \parallel y) & \text{if } a\gamma b \text{ defined}\\
a \odot x \mid b \odot y &\approx_r& \delta & \text{if } a\gamma b \text{ undefined}\\
a \odot x \mid c \rhd y &\approx_r& \delta\\
c \rhd x \mid c' \rhd y &\approx_r& (c \wedge c') \rhd \bigl(\, x \mathbin{\underline{\parallel}} (c' \blacktriangleright y) \oplus y \mathbin{\underline{\parallel}} (c \blacktriangleright x) \oplus x \mid (c' \blacktriangleright y) \oplus y \mid (c \blacktriangleright x) \,\bigr)
\end{array}$$

Notice that the axioms on left-disrupt, left-parallel composition and forced-synchronization may be used to prove additional equalities, such as $x \parallel y \approx_r y \parallel x$, $(x \blacktriangleright y) \blacktriangleright z \approx_r x \blacktriangleright (y \blacktriangleright z)$, and $(x \parallel y) \parallel z \approx_r x \parallel (y \parallel z)$.

As usual, encapsulation of actions distributes over all operators, except over parallel composition, left-parallel composition and forced-synchronization.

$$\begin{array}{rcll}
\partial_H(c) &\approx_r& c\\
\partial_H(\epsilon) &\approx_r& \epsilon\\
\partial_H(\delta) &\approx_r& \delta\\
\partial_H(a) &\approx_r& a & \text{if } a \notin H\\
\partial_H(a) &\approx_r& \delta & \text{if } a \in H\\
\partial_H(x \oplus y) &\approx_r& \partial_H(x) \oplus \partial_H(y)\\
\partial_H(x \odot y) &\approx_r& \partial_H(x) \odot \partial_H(y)\\
\partial_H(x \rhd y) &\approx_r& \partial_H(x) \rhd \partial_H(y)
\end{array}$$

Finally, we should pay attention to the re-initialization operator. There are re-initialization clauses $[\mathit{true}]$, serving as a unit element, and $[\mathit{false}]$, which always results in deadlock. Deadlock itself is a zero element. Furthermore, subsequent re-initializations can be concatenated using the $\sim$ operation, and a flow clause $c$ has an implicit re-initialization $c_{jmp}$, modeling spontaneous re-initializations following from initial value problems as described in, for example, [Mosterman, 1997]. The re-initialization operator distributes over most other operators from HyPA, except over the parallel composition and the forced-synchronization. With respect to termination, re-initialization has peculiar behavior. Because a re-initialization $d$ is executed at the beginning of the first transition of a process, while termination does not perform a transition, the actual re-initialization never takes place. Nevertheless, before the termination takes place, it is evaluated whether the re-initialization has a possible solution, which is reflected in the use of the satisfiability operator $d^{?}$ in some of the axioms. This peculiar behavior for termination is visible in one of the distribution axioms for sequential composition.

$$\begin{array}{rcl}
[\mathit{true}] \gg x &\approx_r& x\\
[\mathit{false}] \gg x &\approx_r& \delta\\
d \gg \delta &\approx_r& \delta\\
d \gg d' \gg x &\approx_r& (d \sim d') \gg x\\
d \gg x \oplus d' \gg x &\approx_r& (d \vee d') \gg x\\
c_{jmp} \gg c &\approx_r& c\\
d \gg (x \oplus y) &\approx_r& d \gg x \oplus d \gg y\\
(d \gg a) \odot x &\approx_r& d \gg a \odot x\\
(d \gg c) \odot x &\approx_r& d \gg c\\
(d \gg \epsilon) \odot x &\approx_r& d^{?} \gg x\\
(d \gg x) \rhd y &\approx_r& d \gg x \rhd y\\
(d \gg x) \mathbin{\underline{\parallel}} y &\approx_r& d \gg x \mathbin{\underline{\parallel}} y\\
\partial_H(d \gg x) &\approx_r& d \gg \partial_H(x)
\end{array}$$

Using reasoning on re-initialization clauses, we find that $([\mathit{true}] \vee [\mathit{true}]) \gg x \approx_r [\mathit{true}] \gg x$. A trivial consequence of this is, for example, the equality $x \oplus x \approx_r x$, which was stated before as an axiom from basic process algebra, but can also be derived from the axioms on re-initialization and alternative composition. Again using reasoning on re-initialization clauses, we find that $[\mathit{true}]^{?} \gg x \approx_r [\mathit{true}] \gg x$, and we may derive another axiom from basic process algebra: $\epsilon \odot x \approx_r x$.
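As an added worked derivation, not part of the thesis text, the two equalities just mentioned are carried through step by step with the axioms and derivation rules of this subsection. The third step of each uses the reasoning on re-initialization clauses mentioned above, namely that $[\mathit{true}] \vee [\mathit{true}]$ and $[\mathit{true}]^{?}$ have the same solutions as $[\mathit{true}]$, so that rule (6) applies.

$$\begin{array}{rcll}
x \oplus x &\approx_r& [\mathit{true}] \gg x \oplus [\mathit{true}] \gg x & \text{axiom } [\mathit{true}] \gg x \approx_r x \text{ twice, with rules (2) and (5)}\\
&\approx_r& ([\mathit{true}] \vee [\mathit{true}]) \gg x & \text{axiom } d \gg x \oplus d' \gg x \approx_r (d \vee d') \gg x\\
&\approx_r& [\mathit{true}] \gg x & \text{rule (6)}\\
&\approx_r& x & \text{axiom } [\mathit{true}] \gg x \approx_r x
\end{array}$$

$$\begin{array}{rcll}
\epsilon \odot x &\approx_r& ([\mathit{true}] \gg \epsilon) \odot x & \text{axiom } [\mathit{true}] \gg x \approx_r x \text{ with rules (2) and (5)}\\
&\approx_r& [\mathit{true}]^{?} \gg x & \text{axiom } (d \gg \epsilon) \odot x \approx_r d^{?} \gg x\\
&\approx_r& [\mathit{true}] \gg x & \text{rule (6)}\\
&\approx_r& x & \text{axiom } [\mathit{true}] \gg x \approx_r x
\end{array}$$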

As mentioned before, re-initialization does not distribute over forced-synchronization. Because of this, many of the axioms given before for forced-synchronization have to be repeated in the light of re-initializations. The earlier axioms can all be recovered by filling in $[\mathit{true}]$ for the re-initialization clauses $d$ and $d'$. In some cases this requires calculation on clauses, but this calculation can always be performed independent of the chosen parametrization. In some of these axioms, termination plays its peculiar role again.

$$\begin{array}{rcll}
d \gg \epsilon \mid d' \gg \epsilon &\approx_r& (d^{?} \wedge d'^{?}) \gg \epsilon\\
d \gg \epsilon \mid d' \gg a \odot x &\approx_r& \delta\\
d \gg a \odot x \mid d' \gg a' \odot y &\approx_r& (d \wedge d') \gg (a\gamma a') \odot (x \parallel y) & \text{if } a\gamma a' \text{ defined}\\
d \gg a \odot x \mid d' \gg a' \odot y &\approx_r& \delta & \text{if } a\gamma a' \text{ undefined}\\
d \gg \epsilon \mid d' \gg c \rhd x &\approx_r& (d^{?} \sim d') \gg c \rhd x\\
d \gg c \rhd x \mid d' \gg a \odot y &\approx_r& \delta\\
d \gg c \rhd x \mid d' \gg c' \rhd y &\approx_r& ((d \sim c_{jmp}) \wedge (d' \sim c'_{jmp})) \gg (c \wedge c') \rhd \bigl(\, x \mathbin{\underline{\parallel}} (c' \blacktriangleright y) \oplus y \mathbin{\underline{\parallel}} (c \blacktriangleright x) \oplus x \mid (c' \blacktriangleright y) \oplus y \mid (c \blacktriangleright x) \,\bigr)
\end{array}$$

Termination only takes place if both re-initializations are satisfiable, independent of each other. If synchronizing actions are re-initialized, both re-initializations should be satisfied, i.e. both processes should agree on the change of valuation. In particular, if $a\gamma a' = a''$, and $a$ is re-initialized by an assignment $x^+ = x^- + 1$, we find

$$[\,x \mid x^+ = x^- + 1\,] \gg a \mid a' \approx_r [\,x \mid x^+ = x^- + 1\,] \gg a \mid [\mathit{true}] \gg a' \approx_r ([\,x \mid x^+ = x^- + 1\,] \wedge [\mathit{true}]) \gg (a\gamma a') \approx_r [\mathit{false}] \gg (a\gamma a') \approx_r \delta.$$

The action $a'$ does not allow any changes in the variables. In the calculation, this is reflected in the fact that $[\mathit{true}]$ does not allow any changes in valuations. A deadlock is the result of this disagreement between the re-initializations of $a$ and $a'$.

Re-initialization shows a clear distinction between the way in which termination behaves in parallel to actions and in parallel to flows. Since actions cannot synchronize with termination, we find that termination (with a possible re-initialization) is delayed, i.e. $d \gg a \parallel d' \gg \epsilon \approx_r d \gg a \odot d'^{?} \gg \epsilon$, while termination must take place before a flow is executed, hence $d \gg c \parallel d' \gg \epsilon \approx_r d'^{?} \gg d \gg c$. It is not the case that the parallel composition prefers the execution of actions over termination and flows, but there is a certain order in which parallel processes are executed that makes actions, in a sense, faster than termination and termination faster than flows.

The axiom in which flows synchronize after re-initialization is quite complicated due to our decision to make it possible for flow clauses to perform spontaneous re-initializations. When synchronizing, these flow clause re-initializations should be taken into account. If we restrict ourselves to flow clauses in which all variables are continuous and are not allowed to jump (as is done in hybrid automata, for example), i.e. clauses of the form $(\,V_m \mid P_f\,)$, we find the equality

$$d \gg c \rhd x \mid d' \gg c' \rhd y \approx_r (d \wedge d') \gg (c \wedge c') \rhd \bigl(\, x \mathbin{\underline{\parallel}} (c' \blacktriangleright y) \oplus y \mathbin{\underline{\parallel}} (c \blacktriangleright x) \oplus x \mid (c' \blacktriangleright y) \oplus y \mid (c \blacktriangleright x) \,\bigr),$$

which is more in line with the intuition that both re-initialization clauses and flow clauses are synchronized. The proof of this equality relies on the observation that, in case of continuity, $c_{jmp} = c_{jmp}^{?}$ (no jumps, hence only satisfiability) and $(d_0 \sim d_1^{?}) \wedge (d_0' \sim d_1'^{?}) = (d_0 \wedge d_0') \sim (d_1^{?} \wedge d_1'^{?})$.

Derivation rule (10) in table 3.6 expresses how a process re-initialization can restrict the choice for the first transition of a flow clause. A useful application of this rule is in recognizing a particular solution of a differential equation given a certain initial condition. For example, consider the flow clause $(\,x, t \mid \dot{x} = x \wedge \dot{t} = 1\,)$. Clearly, $x = e^t$ is a solution of the differential equation $\dot{x} = x$, and if initially $t = 0$ and $x = 1$, this solution is unique. Using derivation rule (10), we now find the following equivalence:

$$\begin{array}{rl}
& [\,x, t \mid x^+ = 1 \wedge t^+ = 0\,] \gg (\,x, t \mid \dot{x} = x \wedge \dot{t} = 1\,)\\
\approx_r & [\,x, t \mid x^+ = 1 \wedge t^+ = 0\,] \gg (\,x, t \mid x = e^t \wedge \dot{t} = 1\,) \rhd (\,x, t \mid \dot{x} = x \wedge \dot{t} = 1\,).
\end{array}$$

Note that $t$ and $x$ are both not allowed to jump. Otherwise, the flow clauses in this example might execute undesired re-initializations. Derivation rule (10) also expresses the repetitive character of flow clauses. This is illustrated using $d = [\mathit{true}]$ and $c' = c$. We then find the equivalence $c \approx_r c \rhd c$.

Derivation rule (11) also expresses this repetitive character. This is illustrated by taking $c = c' = c''$: we then find again $c \approx_r c \rhd c$. Furthermore, derivation rule (11) expresses that if we can divide a flow clause $c$ into two (possibly overlapping) clauses $c'$ and $c''$, then the first transition taken by $c$ can be mimicked by either $c'$ or $c''$. An application of this rule is that a solution of a flow clause can be split off even if there is no re-initialization. For example, the flow clause $(\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)$ contains a set of differential equations with solutions $x = 0$ and $x = t^3$, if initially $x = 0$ and $t = 0$. However, for other initial conditions, other solutions are possible. Using derivation rule (11), we find the following equality, which describes exactly that $x = 0$ and $x = t^3$ are two possible trajectories of this flow clause:

$$\begin{array}{cl}
& (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\\[4pt]
\approx_r & \bigl(\,(\,x = 0 \wedge \dot{t} = 1\,) \oplus (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\,\bigr) \rhd (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\\[4pt]
\approx_r & \bigl(\,(\,x = 0 \wedge \dot{t} = 1\,) \oplus (\,x = t^3 \wedge \dot{t} = 1\,) \oplus (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\,\bigr) \rhd (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\\[4pt]
\approx_r & (\,x = 0 \wedge \dot{t} = 1\,) \rhd (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\\
\oplus & (\,x = t^3 \wedge \dot{t} = 1\,) \rhd (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\\
\oplus & (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,) \rhd (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\\[4pt]
\approx_r & (\,x = 0 \wedge \dot{t} = 1\,) \rhd (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\\
\oplus & (\,x = t^3 \wedge \dot{t} = 1\,) \rhd (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\\
\oplus & (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,)\\[4pt]
\approx_r & \bigl(\,(\,x = 0 \wedge \dot{t} = 1\,) \oplus (\,x = t^3 \wedge \dot{t} = 1\,)\,\bigr) \blacktriangleright (\,\dot{x} = 3x^{2/3} \wedge \dot{t} = 1\,).
\end{array}$$

Note that, in contrast to the example for derivation rule (10), we do not need to require that x and t do not jump.

3.3.3 Congruence and soundness

It remains to show that robust bisimilarity is a congruence for all the operators of HyPA, and that all the derivations that can be made about process terms indeed lead to sound statements about the robust bisimilarity of these terms. In other words, we need to prove the following theorems.

Theorem 21 (Congruence) Robust bisimilarity is a congruence for all operators of HyPA.

Proof In [Cuijpers and Reniers, 2003a, 2004b], the proof of congruence was worked out by constructing witnessing bisimulation relations. However, an easier proof is obtained by verifying that the semantics of HyPA is in the SFSL-format introduced in [Mousavi et al., 2004]. This is straightforward to do. In appendix B, we prove that the notion of robust bisimilarity indeed coincides with the notion of stateless bisimilarity used in [Cuijpers and Reniers, 2003a] and [Mousavi et al., 2004]. ⊠

Theorem 22 (Soundness) If, for two process terms $p$ and $q$, we find $\mathrm{HyPA} \vdash_E p \approx_r q$, then $p \leftrightarrow_r q$.

Proof As mentioned before, robust bisimilarity coincides with the notion of bisimilarity used in [Cuijpers and Reniers, 2003a]. Hence, the result shown in appendix A of that report, that every derivation in HyPA is sound for bisimilarity, transfers to robust bisimilarity. In appendix C of this thesis, we give a summary of that proof, adapted for robust bisimilarity (see also [Cuijpers and Reniers, 2004b]). We also give a witness relation for soundness of the axiom $(x \odot \delta \rhd y) \odot z \approx_r x \odot \delta \rhd y \odot z$, which was not in [Cuijpers and Reniers, 2003a]. ⊠

3.3.4 Recursion principles

When reasoning about recursion, it is often useful to have a principle that claims that a solution of certain recursive specifications exists and is unique. That a solution exists follows directly from the operational semantics of HyPA, but it is not always clear that this particular solution is the only process satisfying the recursive equations. Let us first define what we mean by solution.

Definition 39 (Solution) Let $E$ be a recursive specification. An interpretation $S \in V_r \to T(V_r)$ of recursion variables as process terms is a solution of $E$ (denoted $S \models E$) if for every recursive definition $X : p \in E$ we have $S(X) \leftrightarrow_r S(p)$, where $S(p)$ denotes the process term induced by application of $S$ to the variables of $p$. In particular, $S(X)$ is called a solution of $X : p \in E$.

The recursive specification principle RSP, which is quite standard in process algebra [Bergstra and Klop, 1986], states that so-called guarded recursive specifications have at most one solution. For HyPA, guardedness of a recursive specification is defined as follows.

Definition 40 (Guardedness) An open process term $p$ is guarded if all occurrences of process variables in $p$ are in the scope of an action prefix $a \odot$ or a flow prefix $c \rhd$. A recursive specification $E$ is guarded if for each recursive definition $X : p \in E$, $p$ is derivably equal to a guarded process term, using the axiomatization of HyPA.

This leads to the principle given in table 3.7.

Table 3.7 Recursive Specification Principle

$$\dfrac{S \models E,\quad S' \models E,\quad E \text{ guarded},\quad X \in V_r}{S(X) \approx_r S'(X)}$$

Theorem 23 The recursive specification principle is sound.

Proof This is proven in appendix D. ⊠

As an example, the process terms $\epsilon \oplus a \odot d \gg X$ and $c \rhd (X \oplus Y)$ are guarded, while the process terms $c \blacktriangleright X$ and $X \oplus a \odot X$ are not. That unguarded recursive equations do not necessarily have a unique solution can be seen from the fact that the processes $c$ and $(\mathit{true})$ are both solutions of the equation $Y \approx_r c \blacktriangleright Y$. Also the equation $Z \approx_r Z \oplus a \odot Z$ has multiple solutions, some of which even execute flow transitions! Sadly, we do not have notation in HyPA to specify these unexpected solutions. From RSP, it follows that the set of equations $X_1 \approx_r \epsilon \oplus a \odot d \gg X_2$, $X_2 \approx_r c \rhd (X_1 \oplus X_2)$ has unique solutions for $X_1$ and $X_2$.

Indeed, the fact that the disrupt operator is unguarded, while it occurs naturally in many models of hybrid systems, implies that some extra care needs to be taken during the modeling stage in order to ensure that calculation remains possible. For example, the Boiler process of section 3.2 may seem unguarded at first sight, but reasoning about the re-initialization clauses will show that the disrupt operator may be replaced by a left-disrupt, which makes the process guarded. In the HyPA model of the electrical circuit that was only briefly discussed in section 1.5, a left-disrupt was used especially to guarantee guardedness of the specification. Another possible approach, that is not discussed in this thesis, is to consider only the solution that is defined by the operational semantics of HyPA. The solution of $X : X$, for example, would be deadlock $\delta$, while the solution of $Z : c \blacktriangleright Z$ is $c$. Also, the left-disrupts in the specification of the electrical circuit of section 1.5 could be replaced by disrupts. The solution of the operational semantics is the same for both. Calculation with this view on recursion, however, is often more elaborate.

3.3.5 Conservativity and rewriting

One of the things that can be concluded about HyPA, using the given axiomatization, is that it is a conservative extension of the process algebra ACP [Baeten and Weijland, 1990]. This illustrates that HyPA does not violate the general ideas behind this process algebra.

Theorem 24 (Conservativity) HyPA is a conservative extension of ACP (except for the notational differences $\oplus$ and $\odot$), meaning that for every two closed ACP terms $p$ and $q$, we find that $\mathrm{ACP} \vdash p \approx_r q$ if and only if $\mathrm{HyPA} \vdash p \approx_r q$.

Proof One direction of the proof, that derivations in ACP can be mimicked in HyPA, is based on the fact that all axioms of ACP can be derived in HyPA. The other direction relies on the construction of a relation that shows that if two closed ACP terms have robustly bisimilar semantics in HyPA, then they have bisimilar semantics in ACP. Completeness of ACP for bisimilarity then leads to the conclusion that derivably equal processes in HyPA also have a derivation showing equality in ACP. The complete proof of this claim can be found in appendix E. ⊠

Furthermore, like in ACP, it is possible to define a set of basic terms into which every closed term can be rewritten. This clearly shows that parallel compositions can be eliminated from all closed terms.

Definition 41 (Basic terms) A basic term is a closed term of the following form:

$$N ::= d \gg \epsilon \;\mid\; d \gg a \odot N \;\mid\; d \gg c \rhd N \;\mid\; N \oplus N,$$

where $a \in A$, $c \in C$, and $d \in D$.

Theorem 25 (Elimination) Every closed term is derivably equal to a basic term.

Proof In appendix F, a strongly normalizing rewrite system is given that achieves this, based (in principle) on reading the axioms as rewrite rules from left to right, modulo the use of unit elements. ⊠

We conjecture that this elimination result can be generalized to a linearization result, meaning that we expect to be able to rewrite a restricted class of guarded recursive specifications of a HyPA process into a linear form in which we only use recursion over basic terms. First results in this direction can be found in [van de Brand, 2004].

The usefulness of elimination of the parallel composition was already noted in the introduction. It was pointed out there that the notion of robust bisimilarity we use is very strong, because all possible valuations of the variables are taken into account at every point in time. Many weaker notions of equivalence, while still preserving interesting analysis properties, are not sensitive to the valuation of variables. Those equivalences, often, are not congruent for the parallel composition operator. Therefore, algebraic reasoning about those notions in the context of parallel composition becomes difficult. This is a known phenomenon in process theory, and it is caused by the possibility of interference in the value of shared variables (see for example [Owicki and Gries, 1976]). Many different solutions have been proposed, also in the field of hybrid systems. For example, in the hybrid automaton theory of [Lynch et al., 2003], the authors propose a restriction (called compatibility of automata) on the systems that may be placed in parallel, to ensure that no interference occurs. This is a perfectly reasonable way of handling the problem, but it has the disadvantage that we have to add extra variables if we want to model processes that intentionally interfere, like the control system shown in the introduction.

HyPA is, in principle, focussed on being general. We start out by using a very general parallel composition, that is defined for all possible processes, and necessarily end up with an equivalence that is very strong, but is at least a congruence for this composition. Now, the elimination result allows us to eliminate the parallel composition from the process description. After elimination, we can start to use algebraic reasoning on a weaker notion of equivalence to analyze the specific properties we are interested in. This method may turn out to be less practical than the road followed by [Lynch et al., 2003], because the elimination of parallel compositions can become quite cumbersome. On the other hand, it may also be possible to formulate derivation rules for reasoning about weaker notions of equivalence, that express a kind of conditional congruence ‘under compatibility’. In this way, other methods can be imported into HyPA. Evidence in this direction can be found throughout the second part of this thesis, in particular in chapters 6 and 7.

As an example of rewriting into basic terms, we can rewrite the steam boiler system of section 3.2 into the following description, in which parallel composition and encapsulation are eliminated:

$$\begin{array}{rcl}
\mathit{Boiler} &\approx_r& \mathit{Open} \oplus \mathit{Closed},\\
\mathit{Open} &\approx_r& d_0 \gg c_o \rhd (\, d_1 \gg cl \odot \mathit{Closed} \oplus d_2 \gg \mathit{Open} \oplus d_3 \gg op \odot \mathit{Open} \,),\\
\mathit{Closed} &\approx_r& d_0 \gg c_c \rhd (\, d_1 \gg cl \odot \mathit{Closed} \oplus d_2 \gg \mathit{Closed} \oplus d_3 \gg op \odot \mathit{Open} \,),
\end{array}$$

with

$$\begin{array}{rcl}
d_0 &=& [\, t \mid t^+ = 0 \,],\\
d_1 &=& [\, t^- = T \,] \wedge [\, V^- \ge V_{max} - V_{safe} \,],\\
d_2 &=& [\, t^- = T \,] \wedge [\, V_{min} + V_{safe} \le V^- \le V_{max} - V_{safe} \,],\\
d_3 &=& [\, t^- = T \,] \wedge [\, V^- \le V_{min} + V_{safe} \,],\\
c_o &=& (\, t, V \mid \dot{t} = 1 \wedge t \le T \wedge \dot{V} = Q_i - Q_s \wedge Q_{min} \le Q_s \le Q_{max} \wedge Q_i = Q_{in} \,),\\
c_c &=& (\, t, V \mid \dot{t} = 1 \wedge t \le T \wedge \dot{V} = Q_i - Q_s \wedge Q_{min} \le Q_s \le Q_{max} \wedge Q_i = 0 \,).
\end{array}$$

Notice that this rewriting is done here over a recursive definition, hence it is an example of linearization of such process descriptions. Looking at the axiomatization, one might expect that $d_0, \ldots, d_3$ would contain clauses of the form $c_{jmp}$, but those (and other distracting terms) are eliminated using calculation on re-initialization clauses. Furthermore, looking at the original recursive definition, one might suspect that it is not guarded, but again, calculation on the re-initialization clauses shows that the definition can be rewritten into a guarded one. Performing the actual elimination by hand is very cumbersome, and leads to a very long calculation, which we left out for reasons of space. Currently, tools are being developed for (partial) automation of such calculations. Using a preliminary version of one such tool [van de Brand, 2004], a mistake in the original calculation on the steam boiler has already been found. Hence the difference between the result presented here and the one in [Cuijpers and Reniers, 2003a].

One result that is missing, so far, is a proof that the given axiomatization is complete for robust bisimilarity of closed terms, i.e. a proof that for closed terms $p$ and $q$, if $p \leftrightarrow_r q$ then also $\mathrm{HyPA} \vdash p \approx_r q$. We do not exclude the possibility yet, modulo completeness of the logical equivalence of flow predicates and re-initialization predicates, but the fact that the number of flows that are a solution of a flow clause, and the number of valuation jumps that are a solution of a re-initialization clause, may be infinite complicates matters seriously.

Chapter 4

Related Work

“(But) his divergences from his community must be - and must be seen to be - adaptations of something people already understand. They must not be allowed to indicate a contempt for the majority or their way of life; they must include a recognizable basis of loyalty to the community.” [“Man and Development”, Julius K. Nyerere]

In this chapter, we compare HyPA, in an informal way, to hybrid formalisms that were previously developed.

4.1 Hybrid automata

One of the most influential of all hybrid formalisms is the hybrid automaton formalism described by Henzinger [Henzinger, 1996]. These automata consist of nodes in which certain differential equations are active under an invariant, and of guarded transitions between those nodes that model discrete actions. For example, the steam boiler example could be modeled as the hybrid automaton depicted in figure 4.1.

[Figure 4.1: hybrid automaton of the steam boiler. Both nodes have the flow $\dot{t} = 1$, $\dot{V} = Q_i - Q_s$ and the invariant $t \le T$, $Q_{min} \le Q_s \le Q_{max}$, with $Q_i = Q_{in}$ in one node and $Q_i = 0$ in the other. All transitions carry the jump condition $t = T$ with reset $t := 0$; the transition with action $cl$ is further guarded by $V \ge V_{max} - V_{safe}$, the transition with action $op$ by $V \le V_{min} + V_{safe}$, and the remaining transitions by $V_{min} + V_{safe} \le V \le V_{max} - V_{safe}$.]

Figure 4.1 Example of a Hybrid Automaton Modelling a Steam Boiler

In the formal definitions of [Henzinger, 1996], a discrete action is associated with each and every transition. Note, however, that in the same paper there are several examples of hybrid automata with transitions without an associated action. We assume that this means that implicitly there is some special action, say $\tau$, that does not have to synchronize with other events in case of parallel composition. The fact that, in HyPA, it is not necessary to add intermediate actions in order to switch between continuous behaviors, is one of the reasons why we believe that a translation of HyPA into hybrid automata is impossible in general. A translation of hybrid automata into HyPA, however, seems to be possible. A (part of a) general hybrid automaton is depicted in figure 4.2.

[Figure 4.2: fragment of a general hybrid automaton with nodes $X$, $Y$ and $Z$, each labelled with a flow predicate $P_{flow-x}$ (resp. $P_{flow-y}$, $P_{flow-z}$), an invariant $P_{inv-x}$ (resp. $P_{inv-y}$, $P_{inv-z}$) and an initial condition $P_{init-x}$ (resp. $P_{init-y}$, $P_{init-z}$); a transition from $X$ to $Y$ with jump condition $P_{xy}$ and action $a_y$, and a transition from $X$ to $Z$ with jump condition $P_{xz}$ and action $a_z$.]

Figure 4.2 General Example of a Hybrid Automaton

Such an automaton is easily translated into a hybrid process algebraic term, using the following observations.

• The flow predicate $P_{flow}$ in a node of an automaton describes flows in a similar way as in HyPA. Only, in hybrid automata, all flows are continuous. Hence, we take $V = V_m$ and find the clause $(\,V_m \mid P_{flow}\,)$. Furthermore, since hybrid automata only allow differentiable solutions of flow predicates, we adopt that notion of solution for our flow predicates as well.

• The invariant $P_{inv}$ in a node is a predicate that can be used in a flow clause, but can also be transformed to be used in a re-initialization clause, since only variables from the set $V_m$ are used in it. The semantics of hybrid automata contains a kind of look-ahead such that after a transition to a certain node, the invariant of that node must hold. Otherwise the transition cannot be taken. Translating this to HyPA means that in re-initializations the predicate $P^+_{inv}$ of the next node should hold. As an abbreviation, we use $P^+$ to denote a transformation of a predicate $P$ on $V_m$ in which every variable $x$ is replaced by $x^+$.

• The transitions of hybrid automata contain actions $a$. In translation, those actions disrupt the flow clauses. Furthermore, the jump condition $P_{ij}$ on a transition from $i$ to $j$ is translated into a re-initialization that acts on these actions. Again, we take $V = V_m$, and assume that it is specified in the jump condition which variables may change, and which remain constant.

• In a hybrid automaton the initial states are indicated by the initial conditions. For each node $X$ such an initial condition is given by means of a predicate $P_{init}$ over the model variables.

Using these observations, the more general automaton in figure 4.2 is translated into

:

HA

:

 £ Vm   ¯  Vm ¯ Pflow−x ∧ Pinv−x  ◮  ⊕ £ Vm ¤ £ ¤ £ − £ − Pinit−x ≫ X ⊕ Pinit−y ≫ Y ⊕

or more generally Xi

:

¯ ¤  ¯ Pxy ∧ P + ≫ ay ⊙ Y inv−y , ¯ ¤ ¯ Pxz ∧ P + ≫ a ⊙ Z z inv−z ¤ − Pinit−z ≫ Z.

  M £ ¯ ¯ ¤ +  Vm ¯ Pflow−i ∧ Pinv−i  ◮ Vm ¯ Pij ∧ Pinv−j ≫ aij ⊙ Xj j∈J(i)

HA

:

M£ i∈I

− Pinit−i

¤

≫ Xi

where I is the total set of nodes, and J(i) ∈ I → P(I) is the transition map of the automaton. Of course, this is not a formal translation. The semantics of hybrid automata as given in [Henzinger, 1996] is one of timed transition systems, while the hybrid transition systems we use here are subtly different. We conjecture that it is possible to transform the flow transitions of the hybrid transition system into timed transitions, and the action transitions of the hybrid transition system into action transitions of a timed transition system, by abstracting away from all valuations. However, this is left as a subject for future research. The comparison with hybrid automata is merely intended to give an intuition on how the existing hybrid theories fit into our hybrid process algebraic framework.
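The translation rules above, applied mechanically, as an added example (Python, not the thesis' own code): the `Node`, `Edge` and `HybridAutomaton` classes, the ASCII spellings of the HyPA operators and the two-mode sample automaton are my assumptions, and the flow, invariant and jump predicates are kept as opaque strings so that only the $P^+$ / $P^-$ renaming and the term structure are computed.

```python
"""Added example (not the thesis' own code): apply the hybrid automaton to HyPA
translation sketched above to a small automaton stored as Python data.

Assumptions (mine): predicates are strings over the model variables V_m, the
HyPA operators are spelled in ASCII (">>" re-initialization, "|>" disrupt,
"(+)" alternative composition, "(.)" sequential composition) and the P^+ / P^-
transformations rename every model variable x to x+ / x- by token substitution.
A node without outgoing transitions is translated to its flow clause alone.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    flow: str   # P_flow: predicate on the continuous behaviour in the node
    inv: str    # P_inv: invariant, a predicate over V_m
    init: str   # P_init: initial condition over V_m ("false" if not initial)


@dataclass
class Edge:
    src: str
    dst: str
    action: str  # a_ij
    jump: str    # P_ij over x- / x+; it also states which variables stay constant


@dataclass
class HybridAutomaton:
    variables: list                        # the model variables V_m
    nodes: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)


def rename(pred: str, variables, suffix: str) -> str:
    """P^+ (suffix '+') or P^- (suffix '-'): every model variable x becomes x+ / x-.
    Whole-word matching, so the variable x does not touch names like xdot or max."""
    if not variables:
        return pred
    pattern = r"\b(" + "|".join(re.escape(v) for v in variables) + r")\b"
    return re.sub(pattern, lambda m: m.group(1) + suffix, pred)


def translate_node(ha: HybridAutomaton, name: str) -> str:
    """X_i : (V_m | P_flow-i /\\ P_inv-i) |> (+)_{j in J(i)} [V_m | P_ij /\\ P^+_inv-j] >> a_ij (.) X_j"""
    node = ha.nodes[name]
    vm = "{" + ", ".join(ha.variables) + "}"
    flow = f"({vm} | {node.flow} /\\ {node.inv})"
    branches = []
    for e in ha.edges:
        if e.src != name:
            continue
        inv_next = rename(ha.nodes[e.dst].inv, ha.variables, "+")  # look-ahead on P_inv-j
        branches.append(f"[{vm} | {e.jump} /\\ {inv_next}] >> {e.action} (.) {e.dst}")
    if not branches:
        return f"{name} : {flow}"
    return f"{name} : {flow} |> ({' (+) '.join(branches)})"


def translate(ha: HybridAutomaton) -> dict:
    """The recursive specification {X_i : ..., HA : (+)_{i in I} [P^-_init-i] >> X_i}."""
    spec = {name: translate_node(ha, name) for name in ha.nodes}
    inits = [f"[{rename(n.init, ha.variables, '-')}] >> {n.name}"
             for n in ha.nodes.values() if n.init != "false"]
    spec["HA"] = "HA : " + " (+) ".join(inits)
    return spec


# Constructed sample: the X/Y part of figure 4.2 filled in as a two-mode
# automaton over one model variable x (a cooling / heating switch).
SAMPLE = HybridAutomaton(variables=["x"])
SAMPLE.nodes = {
    "X": Node("X", flow="xdot = -x", inv="x >= 18", init="x = 20"),
    "Y": Node("Y", flow="xdot = 30 - x", inv="x <= 22", init="false"),
}
SAMPLE.edges = [
    Edge("X", "Y", "on", "x- <= 19 /\\ x+ = x-"),
    Edge("Y", "X", "off", "x- >= 21 /\\ x+ = x-"),
]

if __name__ == "__main__":
    for line in translate(SAMPLE).values():
        print(line)
```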

4.2 Other process algebras

With respect to process algebras for hybrid systems, there are four related works that we must consider. One, hybrid CSP, was already introduced in 1994 by Jifeng [Jifeng, 1994]. The others, φ-calculus [Rounds and Song, 2003], hybrid χ [Schiffelers et al., 2003a], and $\mathrm{ACP}^{srt}_{hs}$ [Bergstra and Middelburg, 2003], are very recently introduced.

Hybrid CSP

Hybrid CSP has a semantics in which each process represents a set of hybrid traces. Such a hybrid trace consists of a function of a continuous closed time domain to valuations, a function of that same domain to sequences (that gives the empty sequence except on a finite set of time-points), and a few predicates (like termination). A system is then modeled in hybrid CSP by giving a predicate that defines which traces are in the system. Comparable to the way that HyPA has atomic processes and operators, hybrid CSP has atomic predicates and predicate operators. Apart from the fact that a trace semantics does not respect branching properties of a system, hybrid CSP also has the drawback that in parallel composition the continuous variables of the composed systems are assumed to be disjoint, and that assignments can only be made to programming variables, and not to continuous variables. We suspect, however, that these problems can be solved by defining new predicate operators, and that the author of [Jifeng, 1994] did not see the need for them at the time. Interestingly, there are operators defined in [Jifeng, 1994] whose function is not easily translated into HyPA. The main reason for this is that clocks need to be modeled explicitly in HyPA, while they are often a functional part of the operators of hybrid CSP. Again, we conjecture that HyPA can be extended with operators that mimic those of hybrid CSP, should the need arise.

φ-Calculus

The φ-calculus has a semantics based on timed transition systems, and given this, has a very interesting way of dealing with parallelism. As we already mentioned in the introduction, φ-calculus regards continuous behavior to be a property of the environment, rather than a property of the φ-calculus program. Execution starts with an empty environment and, while running the program, differential equations (or rather their vector-field equivalents) and invariants are added and replaced, by (in an interleaving manner) executing so-called environmental actions. The upshot of this is that it is not necessary to require that parallel programs have distinct continuous variables, but still, the semantics of the parallel composition of φ-calculus does not coincide with our intuition that continuous behavior should simply satisfy both processes. Furthermore, because a vector-field is used as a representation of differential equations in the environment, φ-calculus can only handle differential equations with unique solutions (hence, for example, not the equation $\dot{x} = 3x^{2/3}$). Also, the notion of equivalence that arises


from using bisimilarity in combination with environmental actions, makes that only syntactically equal differential equations are actually considered equal. This is a drawback that might be solved by some kind of abstraction, but it still has an artificial feel to it. Comparing φ-calculus to HyPA, we may conclude that, due to (amongst others) the environmental action approach, not all HyPA processes can be translated into φ-calculus. Conversely, due to the fact that the environmental actions of φ-calculus have a maximal progress semantics, φ-calculus programs cannot be translated into HyPA. This, however, can be solved by extending HyPA with an urgency operator, as was done for χ and hybrid χ in [Bos and Kleijn, 2003, Schiffelers et al., 2003a].

Hybrid χ

As we mentioned already in the introduction, HyPA is developed in close cooperation with the researchers developing hybrid χ. Research on the language hybrid χ, as a modeling and simulation language for process control, started in 1982 [Rooda, 1982], and has since been through many stages of development, including an extension with hybrid description constructs. In 2002 [Bos and Kleijn, 2003], a formal operational semantics, based on CSP rather than ACP, was defined for the discrete-time part of the language, and recently, a formal semantics has been given for the hybrid part as well [Schiffelers et al., 2003a]. It is interesting to see that many of the theoretical aspects of HyPA (like the use of hybrid transition systems) have been applied in the formal semantics of hybrid χ, while on the other hand, the future extensions of HyPA are very likely to be inspired by the modeling strengths of hybrid χ, including their abstraction operators and possibly the maximal progress operator. As research progressed, both languages seem to have evolved more and more towards each other, and it is not unthinkable that these paths ultimately converge.

$\mathrm{ACP}^{srt}_{hs}$

In [Bergstra and Middelburg, 2003] a combination of the process algebra with continuous relative timing of [Baeten and Middelburg, 2002] and the process algebra with propositional signals of [Baeten and Bergstra, 1997] leads to a different algebra that is also suited for the description of hybrid systems. The development of this algebra and of HyPA has been largely independent, and it is surprising to see how many similarities exist between the two. Nevertheless, due to different starting points and intuitions, there are also some important differences. The process algebra of Bergstra and Middelburg [Bergstra and Middelburg, 2003] was intended to be a conservative extension of timed ACP, while HyPA was intended to be an extension of ‘normal’ ACP. This gives rise to the most important difference, in our opinion, between the two languages, which is that in [Bergstra and Middelburg, 2003], a time-deterministic setting was chosen (see also section 3.1.2), while for HyPA time-non-determinism is assumed (which is more in line with the hybrid automaton approach [Henzinger, 1996]). As a matter of fact, in hybrid χ, two choice operators exist, one for each view on time. Another difference is that in [Bergstra and Middelburg, 2003], there was the intention to give an algebraic theory of hybrid automata, which leads to the modeling choice that switching between continuous behaviors can only take place through the use of discrete actions, while in HyPA switching can be arbitrary. This is illustrated by the fact that the passing of time during which physical behavior takes place is modeled explicitly in [Bergstra and Middelburg, 2003], while for HyPA time passing is implicit when writing down a flow clause.

4.3 Control theory formalisms

The formalisms used in control theory to describe hybrid systems can, from a HyPA point of view, be classified into two kinds. The first kind are formalisms regarding continuous time behavior, while the second kind regards time to evolve discretely. Roughly speaking, continuous time models can be translated into HyPA using flow clauses. Discrete time models can be translated in two ways. One is to translate them into re-initialization clauses, acting on a ‘time-step’ process. Another is to translate them using flow clauses, by choosing the time axis $T = \mathbb{N}$. Computational actions and sequential compositions of processes only occasionally play a role in control theory. Mode switching, on the other hand, is a central aspect. In this paragraph, we sketch the general translation of several control theory formalisms into HyPA. We do not intend to be complete, but rather want to give a feel for the relation between HyPA and control theory. Furthermore, one has to keep in mind that control theory usually reasons about trace equivalence of systems, while HyPA is primarily concerned with the stronger notion of (robust) bisimilarity.

With respect to the continuous time models, we conjecture that most of them can be translated into either one single flow clause c or, in more complicated cases, can be represented by a recursive specification of the form

$$CT \;:\; (c_0 \oplus \ldots \oplus c_n) \rhd CT,$$

where $c_0 \ldots c_n$ denote clauses representing the different continuous modes a system can be in. If a system can be modeled using only three continuous variables, namely the state variable $x \in \mathbb{R}^l$, the output variable $y \in \mathbb{R}^m$ and the input variable $u \in \mathbb{R}^n$, and using only clauses of the form

$$c_i \;=\; \left(\, x \;\middle|\; \begin{array}{l} \dot{x} = A_i x + B_i u + f_i \\ y = C_i x + D_i u + g_i \\ (x, u) \in H_i \end{array} \right),$$

with $A_i$, $B_i$, $C_i$ and $D_i$ matrices of appropriate dimensions, $f_i$ and $g_i$ constant vectors, and $H_i$ a convex polyhedron (i.e. constructed from a finite set of inequalities), for every i, then we say that CT is a continuous time piecewise affine system [E.D.Sontag, 1981, Heemels et al., 2001]. If a system can be modeled as one single continuous flow clause, using the variables $v, w \in \mathbb{R}^s$ in addition to x, y and u, and


if this flow clause is of the form

$$c \;=\; \left(\, x \;\middle|\; \begin{array}{l} \dot{x} = A x + B_1 u + B_2 w \\ y = C x + D_1 u + D_2 w \\ v = E_1 x + E_2 u + E_3 w + e_4 \\ 0 \leq v \perp w \geq 0 \end{array} \right),$$

then we say that the system is a continuous time linear complementarity system [van der Schaft and Schumacher, 1998, Heemels et al., 2001]. Here, $A$, $B_1$, $B_2$, $C$, $D_1$, $D_2$, $E_1$, $E_2$ and $E_3$ are matrices of appropriate dimensions, $e_4$ is a constant vector and $0 \leq v \perp w \geq 0$ denotes that the vectors v and w are orthogonal (i.e. $0 \leq v$, $0 \leq w$ and $v^T w = 0$). Discrete time models can be represented by recursive specifications of the form

$$DT \;:\; (d_0 \vee \ldots \vee d_n) \gg Timestep \odot DT,$$

with

$$Timestep \;:\; [\, \{t\} \mid t^+ = 0 \,] \gg \left(\, \{t\} \cup V \;\middle|\; \begin{array}{l} \dot{t} = 1 \\ t \leq T_s \\ \bigwedge_{j \in J} \dot{x}_j = 0 \end{array} \right) \rhd [\, t^- = T_s \,] \gg \epsilon.$$

Here, the set $V = \{x_j \mid j \in J\}$ denotes the set of all variables that are used in the re-initialization clauses $d_0 \ldots d_n$, describing the discontinuous changes over time. Timestep denotes the progress of time with sample time $T_s > 0$, during which the variables $x_j$ are supposed to remain constant. Similar to the continuous case, if (and only if) $V = \{x, y, u\}$, and for all re-initializations (with $i \in [0, n]$) we find

$$d_i \;=\; \left[\, x, y, u \;\middle|\; \begin{array}{l} x^+ = A_i x^- + B_i u^- + f_i \\ y^+ = C_i x^+ + D_i u^+ + g_i \\ y^- = C_i x^- + D_i u^- + g_i \\ (x^+, u^+) \in H_i \\ (x^-, u^-) \in H_i \end{array} \right],$$

then we say that DT is a discrete time piecewise affine system [E.D.Sontag, 1981, Heemels et al., 2001]. Analogously, if a system can be represented by a recursive specification of the form

$$DT \;:\; \left[\, x, y, u, v, w \;\middle|\; \begin{array}{l} x^+ = A x^- + B_1 u^- + B_2 w^- \\ y^+ = C x^+ + D_1 u^+ + D_2 w^+ \\ y^- = C x^- + D_1 u^- + D_2 w^- \\ v^+ = E_1 x^+ + E_2 u^+ + E_3 w^+ + e_4 \\ v^- = E_1 x^- + E_2 u^- + E_3 w^- + e_4 \\ 0 \leq v^+ \perp w^+ \geq 0 \\ 0 \leq v^- \perp w^- \geq 0 \end{array} \right] \gg Timestep \odot DT,$$

we say that it is a discrete time linear complementarity system [van der Schaft and Schumacher, 1998, Heemels et al., 2001].


A third type of discrete control formalism is discrete time mixed logical dynamical systems [Bemporad and Morari, 1999, Heemels et al., 2001]. Similarly to linear complementarity systems, these systems can be described using only one re-initialization clause. This time, however, the clause also contains variables that take value in the domain {0, 1}. A mixed logical dynamical system may use variables $x \in \mathbb{R}^l$, $y \in \mathbb{R}^m$ and $u \in \mathbb{R}^n$, and in addition, the variables $z \in \mathbb{R}^r$ and $w \in \{0, 1\}^s$. It can be represented by a recursive specification of the form

$$DT \;:\; \left[\, x, y, u, v, w \;\middle|\; \begin{array}{l} x^+ = A x^- + B_1 u^- + B_2 w^- + B_3 z^- \\ y^+ = C x^+ + D_1 u^+ + D_2 w^+ + D_3 z^+ \\ y^- = C x^- + D_1 u^- + D_2 w^- + D_3 z^- \\ E_1 x^+ + E_2 u^+ + E_3 w^+ + E_4 z^+ \leq e_5 \\ E_1 x^- + E_2 u^- + E_3 w^- + E_4 z^- \leq e_5 \end{array} \right] \gg Timestep \odot DT.$$

In [Heemels et al., 2001], the relation between the discrete control formalisms described above is further worked out, and it turns out that most of them are equivalent under certain, from a physical point of view very reasonable, assumptions. The approach we have shown above is known in control as the zero-order hold approach. This means that the models are based on the assumption that model variables remain constant between re-initializations. There are many other ways to model the behavior in between re-initializations, but that is a topic outside the scope of this thesis. But, as we mentioned already, there is also another natural way of dealing with discrete time models in HyPA, and that is by using a flow-clause parametrization with discrete time rather than continuous time. Simply assume a parametrization where time consists of the natural numbers only, i.e. that $T = \mathbb{N}$, and where the differential equations are replaced by difference equations. Such models are often used in control science for computational reasons, but they have the defect that they do not model at all what happens in between the discrete steps.

As we mentioned in the beginning of this paragraph, HyPA is primarily concerned with the notion of robust bisimilarity. However, as we will see in chapter 6, this notion is too strong for many kinds of analysis. Suppose we would adopt language equivalence, or even some weaker appropriate notion of equivalence. This would mean that we probably lose congruence of parallel composition, but it would also mean that we might be able to abstract away from a lot of computational behavior and rewrite certain HyPA processes into one of the above forms. Since a lot of control theory is developed for those forms, this might greatly improve the analysis possibilities of HyPA.


Part II

Modeling and Analysis of Hybrid Processes

Chapter 5

Modeling hybrid physical processes

“Just because you can explain it doesn’t mean it’s not still a miracle” [“Small Gods”, Terry Pratchett]

When modeling a physical system, it is common practice to describe the components that constitute the system using so-called constitutive relations on the physical variables that play a role in the system. The intersection of all these relations then forms a model of the system as a whole. The behavior of physical systems is usually assumed to be continuous and, therefore, the constitutive relations are often stated as differential algebraic equations. When part of the continuous behavior occurs very fast, however, as is for example the case when studying impact phenomena, it may be convenient to describe this behavior as being discontinuous. The constitutive relations that are used to describe the system should in that case not only contain algebraic differential equations (for the large time-scale behavior), but also equations that describe the discontinuous behavior (for the behavior during impact).

In this chapter, we describe the constitutive relations of many more-or-less standard components in physical modeling, using HyPA. Ultimately, this leads to a method for constructing hybrid models of physical systems in a structured, component-based way. As a vehicle for our thoughts, we use a graphical language named bond graphs [Paynter, 1961] to formalize our physical models, before engaging in the construction of constitutive relations for them. Bond graphs generalize all domains of physics, such as electronics, hydraulics, and mechanics, in one framework. Recently, they have been extended with elements that are suitable for describing discontinuous behavior [Mosterman, 1997, Mosterman et al., 1998, Breedveld, 1996, Strömberg, 1994]. The work presented in this chapter can therefore also be considered an attempt to give a formal semantics to hybrid bond graphs.

Our expectation is that after we have explained how to derive hybrid constitutive processes using hybrid bond graphs, it will also be easier to derive these processes directly, without using bond graphs as an intermediate step. Nevertheless, the construction of a bond graph sometimes gives additional insight into the workings of a system, and can facilitate analysis in many ways (see for example [Karnopp et al., 1990, van den Bosch and van der Klauw, 1994, Mukherjee and Karmakar, 2000, Breedveld and van Amerongen, 1994]). In general, different model representations have strengths in different kinds of analysis.

In the next section, we give a short discussion on the modeling of physical systems through constitutive relations, using an example from mechanical engineering. Then, we briefly explain the traditional bond graph modeling method and discuss the need for abstraction from small time-scale behavior. In section 5.2, we show how the constitutive relations of the bond graph elements can be extended to include discontinuous behavior. In the last section of this chapter, we give modeling examples that show how hybrid bond graph models can be made of several physical systems, and how these bond graph models can be turned into constitutive hybrid processes describing the systems algebraically.

5.1 Modeling physical systems

5.1.1 Constitutive equations

In dynamic systems theory, a common approach to build a model of a physical system is by decomposing the system into separate components, and capturing the physical properties of those components in so-called constitutive relations on the physical variables that play a role in the system under study. For example, in translational mechanics, traditionally five major variables play a role: energy E, momentum p, force F, displacement x and velocity v. All mechanical behavior can be expressed in terms of interaction between these variables, and the way they change over time. A change in momentum corresponds to a force, leading to the constitutive differential equation $F = \dot{p}$, where $\dot{p}$ denotes the time-derivative of p. A change in displacement corresponds to a velocity $v = \dot{x}$, and a change in energy (i.e. power) is the product of force and velocity $\dot{E} = F \cdot v$. These three relations play a role in every mechanical component, and are (implicitly or explicitly) part of the constitutive relations of every component. Three major mechanical components can be distinguished: masses, springs and dampers. A mass gives rise to a constitutive relation between momentum p and velocity v. A spring gives a constitutive relation between displacement x and force F. A damper gives a constitutive relation between force F and velocity v. Often, these relations are non-linear, but in idealized models we represent masses, springs and dampers using linear algebraic equations, that depend on the factors m, k and b respectively:

$$\text{Mass} : p = m \cdot v, \qquad \text{Spring} : F = k \cdot x, \qquad \text{Damper} : F = b \cdot v.$$

As an example of a non-linear relationship, one might consider damping effects like friction, in which a constant normal force $F_N$ counteracts the direction of movement v,

$$\text{Friction} : F = \operatorname{sign}(v) \cdot F_N,$$

and stiction, in which an initial additional force $F_S$ is necessary to get an object to move.

$$\text{Stiction} : F = \begin{cases} F_S & ;\; v = 0 \\ 0 & ;\; v \neq 0 \end{cases}$$

A connection of mechanical components leads to an exchange of energy between these components, in such a way that the momentum of the components is preserved, or the displacement of the components is preserved, depending on the connection. If we have conservation of momentum, the change in displacement of


all components involved is equal. While if we have conservation of displacement, the change in momentum is equal. For n components, these types of connection are reflected in the following equations. The connection with conservation of momentum is described using

$$\left\{ \begin{array}{l} \dot{E}_1 + \ldots + \dot{E}_n = 0 \\ \dot{p}_1 + \ldots + \dot{p}_n = 0 \\ \dot{x}_1 = \ldots = \dot{x}_n \end{array} \right\}.$$

These equations turn out to hold, if and only if

$$\left\{ \begin{array}{l} F_1 + \ldots + F_n = 0 \\ v_1 = \ldots = v_n \end{array} \right\}.$$

Observe, that the equation for conservation of energy is redundant. Dually, conservation of displacement is described using:

$$\left\{ \begin{array}{l} \dot{E}_1 + \ldots + \dot{E}_n = 0 \\ \dot{x}_1 + \ldots + \dot{x}_n = 0 \\ \dot{p}_1 = \ldots = \dot{p}_n \end{array} \right\},$$

which is equivalent to stating

$$\left\{ \begin{array}{l} v_1 + \ldots + v_n = 0 \\ F_1 = \ldots = F_n \end{array} \right\}.$$

In figure 5.1, a mass-spring-damper system is depicted with a force F acting on the mass. In that same figure, also a set of constitutive equations is given that describe this system mathematically. All forces and directions are defined to be positive in the upward direction. This has to be taken into account when writing down the relations for conservation of momentum and displacement. Note, that the constitutive equations that are shown, give all relations between all five major variables. And, although we already left out the equations for conservation of energy, there is still quite some redundancy in this set of equations. In this chapter, we will mainly concern ourselves with the construction of a set of constitutive relations for hybrid systems, not with the elimination of redundant variables in the resulting model. For other fields in physics, such as thermodynamics, electronics, and fluid dynamics, similar ways of deriving constitutive equations apply. Based on this observation, a unifying approach to dynamic systems modeling, called bond graphs, was developed by the late H.M. Paynter in [Paynter, 1961].

5.1.2 Bond graphs

The main observation behind bond graphs, is that the notions of force and velocity from mechanical systems, have analog notions in many other fields of physics, so

Figure 5.1 Constitutive equations for a mass-spring-damper system (a mass m with a force F acting on it, connected to a spring k and a damper b that are attached to the ground; all forces and velocities positive upward), with the constitutive equations

$$\left\{ \begin{array}{l} F = F_m + F_k + F_b \\ v = v_m = v_k = v_b \\ p_m = m \cdot v_m \\ F_k = k \cdot x_k \\ F_b = b \cdot v_b \\ \dot{p}_m = F_m,\; \dot{x}_m = v_m,\; \dot{E}_m = F_m \cdot v_m \\ \dot{p}_k = F_k,\; \dot{x}_k = v_k,\; \dot{E}_k = F_k \cdot v_k \\ \dot{p}_b = F_b,\; \dot{x}_b = v_b,\; \dot{E}_b = F_b \cdot v_b \end{array} \right\}$$

that we can generalize these notions and the laws that apply to them. In bond graph theory, the generalization of force is called effort (denoted e) and the generalization of velocity is called flow (denoted f). For the generalized momentum, denoted p, we have the constitutive relation $\dot{p} = e$, and for the generalized displacement, denoted q, we have $\dot{q} = f$. In table 5.1 we have summarized the analogies between different fields in physics, and their bond graph generalizations. Energy E is already a domain independent term, but, although this variable is fundamental in the physics behind bond graphs, it does not play an important role in bond graph modeling, because of the redundancy that was already pointed out in the previous section. In continuous models, the energy is completely determined by the other four variables through the so-called power relation $\dot{E} = \dot{p} \cdot \dot{q} = e \cdot f$.

Formally, a bondgraph is a directed graph, with nodes that represent basic physical components of a system (called elements), nodes that represent conservation laws (called junctions), and edges (called bonds) that represent the way in which components exchange energy and the direction in which energy flows. Elements have only one edge (either in-coming or out-going), while junctions have two or more edges associated to them. This models that elements always exchange energy with other elements through one or more junctions. Note, that we sometimes use the word component loosely to indicate a partial bondgraph with unconnected bonds. Such components may be connected by junctions to form a complete bondgraph. The semantics of a bondgraph is formed by assigning algebraic differential equations to each of the nodes and edges of the graph. These algebraic differential equations describe the behavior of the five fundamental variables E, p, q, e and f , for each of the physical components in the system. Elements have equations that model the storage of energy in the physical components they represent. These


Table 5.1 Bond graph variable analogies

                  effort e                            flow f
trans. mech.:     force F [N] = [kg m/sec^2]          velocity v [m/sec]
rot. mech.:       torque τ [N m]                      ang. vel. ω [rad/sec]
electronics:      voltage u [V] = [N m/C]             current i [A] = [C/sec]
hydraulics:       pressure P [N/m^2]                  volume-flow Q [m^3/sec]

                  generalized momentum p              generalized displacement q
trans. mech.:     momentum p [N sec]                  displacement x [m]
rot. mech.:       ang. mom. b [N m sec]               angular Θ [rad]
electronics:      flux link. λ [V sec]                charge q [C]
hydraulics:       press. mom. pp [N sec/m^2]          volume V [m^3]

equations, in principle, contain only the five variables that are associated with the physical component. Sometimes, the functions that are used in these equations depend on other variables as well, but those other variables are not considered to be a part of the element. Junctions have equations that model conservation laws and the way in which energy is exchanged between elements. The equations of junctions contain a set of five variables for each of the bonds connected to them. The bonds identify the variables of the nodes they connect, and in addition have the equations that model the fundamental relation between these variables, i.e. $\dot{p} = e$, $\dot{q} = f$ and $\dot{E} = \dot{p} \cdot \dot{q}$. Next, we will discuss the equations of a number of elements and junctions that are often used.

Bondgraph elements

The elements of a bond graph are described by giving a relation between p, q, e and f that models the way in which energy is stored in the element. Dissipation of energy is considered to be an irretrievable kind of storage. Because E is already determined by $\dot{E} = \dot{p} \cdot \dot{q}$ it does not play a role in the equations of bondgraph elements. We distinguish the following types of elements, based on certain properties of their constitutive relation. Note, that we use the same symbol (in small capital letters) for the function defining the constitutive relation, as for the graphical representation of an element in a bond graph. Also, the functions may depend on other variables of the system than the ones that are explicitly mentioned, as long as the given constraints are met.


• A resistance (bond graph symbol r) is an element with a constitutive relation $e = r(f)$ such that the function r satisfies $x \cdot r(x) \geq 0$ for all x. Consequently, $\dot{E} = e \cdot f \geq 0$, which models that a resistance dissipates energy from the rest of the system. In practice, this usually means that energy is transferred irretrievably to the thermodynamic domain and stored there. In other words, it is turned into heat.
• An inductance (bond graph symbol i) is an element with a constitutive relation $f = i(p)$. This models an element that stores energy in the form of generalized momentum. For intrinsic stability of the element, it is usually assumed that the function i satisfies $\frac{\partial i(p)}{\partial p} > 0$ (see [Breedveld and van Amerongen, 1994]). The intuition behind this is that an effort e leads to an acceleration $\dot{f} = \frac{\partial}{\partial t} i(p) = \frac{\partial i(p)}{\partial p} \dot{p} = \frac{\partial i(p)}{\partial p} e$ in the same direction.
• A capacitance (bond graph symbol c) is an element with a constitutive relation $e = c(q)$. This models an element that stores energy in the form of generalized displacement. For intrinsic stability, it is usually assumed that the function c satisfies $\frac{\partial c(q)}{\partial q} > 0$.
• A flow-source (bond graph symbol $s_f$) is an element with a constitutive relation $f = s_f$, such that the function $s_f$ satisfies $\frac{\partial s_f}{\partial p} = 0$. Recall, that the value of $s_f$ may depend on the value of variables other than p. A flow-source enforces a certain change in generalized displacement, and has an arbitrary effort at its disposition to achieve this.
• An effort-source (bond graph symbol $s_e$) is an element with a constitutive relation $e = s_e$, such that the function $s_e$ satisfies $\frac{\partial s_e}{\partial q} = 0$. It enforces a certain change in generalized momentum, and has an arbitrary flow at its disposition to achieve this.

In table 5.2, we have summarized the analogies between the bond graph elements above (except for the sources), and what they represent in different fields in physics. In this table, we have assumed that the elements are characterized by linear constitutive equations, and have also mentioned the (more or less) standard notations that are used in the different fields to denote variables and parameters. The linear equations are:

$$\text{Resistance} : e = r(f) = R \cdot f, \qquad \text{Inductance} : f = i(p) = \frac{1}{I} \cdot p, \qquad \text{Capacitance} : e = c(q) = \frac{1}{C} \cdot q.$$

In these equations, we have adopted the standard letters that are used in bond graph theory for the parameters of the linear equations. In the remainder of this chapter, we always use generic constitutive relations (denoted by small capital letters) in the development of the theory, and linear constitutive equations (with the parameters as defined above) in the examples, unless otherwise specified.

Table 5.2 Bond graph element analogies

                  inductance I                        capacitance C
trans. mech.:     mass m [kg]                         spring 1/k [m/N]
rot. mech.:       inertia J [kg m^2]                  rot. spring 1/k [rad/(N m)]
electronics:      inductor L [H] = [V sec/A]          capacitor C [F] = [A sec/V]
hydraulics:       fluid-inertia I [kg/m^4]            reservoir C [m^5/N]

                  resistance R
trans. mech.:     damper b [N sec/m]
rot. mech.:       rot. damper c [N m sec]
electronics:      resistor R [Ω] = [V/A]
hydraulics:       resistor R [N sec/m^5]

It is important to note, that not all five variables are involved in the constitutive relations of every element. The constitutive relations of a resistance only deal with e and f, not with p and q. Also, the constitutive relations of an inductance deal with p and f, not with q and e, and vice versa for the capacitance. The variables that do not occur in the definition of a specific element are considered to be auxiliary variables for that element. As it turns out, in some cases, these auxiliary variables do not even have a physical interpretation. In this chapter, we adopt the assumption that if the variables p and q occur as auxiliary variables, then they cannot engage in discontinuous behavior. The consequences of this will become clear in section 5.1.3.

As mentioned before, a bondgraph is a directed graph. Usually, the direction of a bond that connects elements and junctions is depicted by a half arrow. A bond always points in the so-called positive direction of power. In other words, if the flow and effort are both positive, the arrow points towards the element if it stores or dissipates energy (as is the case with inertia, capacitances and resistances), and away from the element if it supplies energy to the system (as is the case with sources of effort and flow). This is depicted in figure 5.2. It is important to verify that the choice of the directions of the bonds coincides with the choice of positive directions in the physical system. For example, to make a bond graph that represents the mechanical system pictured in figure 5.1, we have to take care that the positive direction of velocity (in this case upward) coincides with the positive direction of power in the bond graph. In case of a conflict, it is usually possible

5.1 Modeling physical systems

103

Figure 5.2 Power directions for standard bond graph elements (figure: the elements i, c, r, se and sf, each drawn with its bond in the positive direction of power)

to leave the power directions of figure 5.2 intact, and only change the direction of bonds between junctions.

Junctions

In all junctions, it is important that the connected elements are connected in an energy conserving way. This means that the total energy that is stored in the elements does not change. For a set C of connected elements and junctions (or more precisely, the set C of in-coming and out-going bonds), we obtain the equation:

$$\sum_{c\in C} \dot{E}_c = \sum_{c\in C} e_c \cdot f_c = 0 . \qquad (5.1)$$

Furthermore, if the connection preserves generalized momentum, we obtain

$$\sum_{c\in C} \dot{p}_c = \sum_{c\in C} e_c = 0 , \qquad (5.2)$$

while, if it preserves generalized displacement, we have

$$\sum_{c\in C} \dot{q}_c = \sum_{c\in C} f_c = 0 . \qquad (5.3)$$

This gives us the basic constitutive equations for describing the way in which elements may exchange energy. A connection that is based on conservation of generalized displacement is called a 0-junction. Therefore, in a 0-junction, we have the equations (5.1) and (5.3). Additionally, we have the equation

$$e_c = e_{c'} , \quad \text{for all } c, c' \in C , \qquad (5.4)$$

expressing that effort on all connected components is equal. The 1-junction describes exchange of energy through exchange of generalized momentum. In a 1-junction, we have the equations (5.1) and (5.2), and additionally

$$f_c = f_{c'} , \quad \text{for all } c, c' \in C , \qquad (5.5)$$

expressing that the flow through all connected components is equal. One may observe that preservation of energy (5.1) follows from the combination of the power

104

Chapter 5 Modeling hybrid physical processes

relation $\dot{E} = \dot{p} \cdot \dot{q}$, equation (5.3) and equation (5.4), and also from the combination of the power relation, equation (5.2) and equation (5.5). In the description of physical systems, preservation of energy is therefore usually considered implicit. In section 5.1.3, we will see that in hybrid systems it cannot be considered implicit anymore. When there are elements connected to a junction of which the power directions point outward, they have a negative effect on the exchange of generalized momentum or generalized position. The equations given above are therefore for the case where all bond arrows point inwards, into the junction. Some possible configurations, and the associated constitutive equations, have been depicted in figure 5.3.

Figure 5.3 Constitutive equations for junctions with different power directions (figure: two 1-junctions with bonds 1, 2 and 3; with all bonds pointing into the junction the equations are $e_1 + e_2 + e_3 = 0$ and $f_1 = f_2 = f_3$; with bonds 1 and 3 pointing outward they are $-e_1 + e_2 - e_3 = 0$ and $f_1 = f_2 = f_3$)

To facilitate the creation of a set of constitutive relations for a bond graph model, each bond is usually given a unique number that is used as a subscript for all the variables associated with that bond. As an example, the mechanical system of figure 5.1 is turned into the bond graph of figure 5.4 as follows. Firstly, the position of the mass is defined relative to the position of the ground, while the position of the spring and damper refers to the amount with which they are stretched. The force F is connected to the mass, so their positions are equal. Secondly, we define a change of position in the upward direction to be positive. From figure 5.1, it is then clear that a change in position of the mass leads to an equal change in position of the force, the spring and the damper. This suggests a 1-junction between the bond graph elements representing these components. Thirdly, if we want the power directions of the bond graph elements to point in the directions given in figure 5.2, we need to define the direction of the force F, and the forces generated by the spring and the damper, to be positive in the upward direction. Lastly, because everything is modeled relative to the ground, it is not necessary to model the ground explicitly. We use linear constitutive relations for our components, and write the parameters that play a role in these linear relations near the bond


graph elements, separated by a colon. Writing down the constitutive relations for this model, and renaming the variables appropriately, indeed gives us the set of equations in figure 5.1.

Figure 5.4 Bond graph for a mass-spring-damper system (figure: the elements se:F (force), i:m (mass), c:1/k (spring) and r:b (damper), joined by bonds 1 to 4 at a single 1-junction)
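As an added worked example (not part of the thesis), the constitutive relations of the bond graph in figure 5.4 written out with the rules above; the subscripts F, m, k and b are my own labels for the bonds of the source, mass, spring and damper, and x denotes the displacement of the mass. The source bond points into the junction and the three other bonds point out of it, so by the sign rule of figure 5.3 the source contributes with a plus and the others with a minus sign:

$$\begin{aligned}
&\text{1-junction, (5.5) and (5.2):} && f_F = f_m = f_k = f_b =: v , \qquad e_F - e_m - e_k - e_b = 0 ,\\
&\text{effort source } s_e{:}F \text{:} && e_F = F ,\\
&\text{inductance } i{:}m \text{:} && \dot{p}_m = e_m , \quad f_m = \tfrac{1}{m}\, p_m , \quad\text{so } e_m = m\,\dot{v} ,\\
&\text{capacitance } c{:}1/k \text{:} && \dot{q}_k = f_k , \quad e_k = k\, q_k ,\\
&\text{resistance } r{:}b \text{:} && e_b = b\, f_b ,\\
&\text{hence, with } q_k = x \text{ and } v = \dot{x} \text{:} && F = m\,\ddot{x} + b\,\dot{x} + k\,x .
\end{aligned}$$

Checking (5.1) with the same signs gives $e_F f_F - e_m f_m - e_k f_k - e_b f_b = v\,(F - m\dot{v} - k x - b v) = 0$: the power $F v$ supplied by the source splits into the stored rates $\dot{E}_m = m v \dot{v}$ and $\dot{E}_k = k x \dot{x}$ and the dissipated $b v^2 \ge 0$.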

5.1.3 Time-scale abstraction

In subsections 5.1.1 and 5.1.2 we explained a general way of modeling continuous physical systems using a mass-spring-damper system as an example. In this subsection, we explain the need for time-scale abstraction and hybrid modeling. For that purpose, we study a different system, namely a collision between two bodies as depicted in figure 5.5.

Figure 5.5 Two colliding bodies (figure: masses m1 and m2 moving with velocities v1 and v2)

In classical physics, there is the assumption that energy can only be transported from one point in time and space to another, by a continuous trajectory. This is also called the principle of continuity of power and is attributed to the British physicist Oliver Heaviside [Heaviside, 1893]. A direct consequence of this principle, is that in the situation of figure 5.5, we cannot simply model the two colliding bodies as masses. The reason for this, is that the momentum of a mass determines its kinetic energy, which cannot change discontinuously. The model is inconsistent with respect to continuity of power. Indeed, if we wish to model the collision of bodies in a consistent way, we must model the way in which the energy is transferred more precisely. For example, we might model the bodies as masses


that are momentarily connected via a spring-damper system at impact, as shown in figure 5.6. This reflects the elastic effects and the dissipation of energy that occur during impact.

Figure 5.6 Power continuous model of two colliding bodies (figure: masses m1 and m2 coupled through a spring-damper pair)

However, for many modeling applications, the extension of a model to make it consistent with the principle of continuity of power is impractical. Due to its greater size, such a model may be harder to analyze, and more importantly, not all parameters may be known for the components involved in the extension. In the example of the impact between bodies, the elasticity of the bodies, and the precise damping factors may not be known. In such a situation, it may prove convenient to abstract from the exact behavior, and model it as a discontinuous change. Given the constitutive relations for continuous behavior, we can attempt to derive constitutive relations for discontinuous behavior. In these relations, we use $x^-$ to denote the value of $x$ before the discontinuity, and $x^+$ to denote the value of $x$ afterwards. As a shorthand notation, we use $x'$ for $(x^+ - x^-)$. Preservation of energy, for example, can be expressed as

$$\sum_{c\in C} (E_c^+ - E_c^-) = \sum_{c\in C} E'_c = 0 . \qquad (5.6)$$

In general, discontinuous behavior is a result of a change in the connection structure between components. We are abstracting away from the precise behavior that happens during this change in structure. Note that this behavior may include the dissipation of energy by the environment of the system. Due to a change in structure, some energy in the system may thus be lost. Therefore, if there is a change in connection structure, we use the following equation for the energy of connected components.

$$\sum_{c\in C} E'_c \le 0 . \qquad (5.7)$$

For the derivation of the constitutive relations describing the discontinuous behavior of the components, we base ourselves on the descriptions of the continuous behavior. As it turns out, we can calculate the changes in stored energy, generalized displacement, and generalized momentum, for many of the components. However, if generalized displacement and generalized momentum occur as auxiliary variables, as mentioned in section 5.1.2, it is difficult to calculate changes, without


knowledge of the exact amount of time that is abstracted away from. Therefore, in the derivations below, we have assumed that the change in these variables is negligible. The modeler needs to verify that this assumption is indeed justified, if the auxiliary variables have physical meaning! Further on, we will briefly discuss some examples of what can be done if this is not the case.

• For a resistance, the variables $p$ and $q$ are both auxiliary. Indeed, we cannot conclude from the constitutive relation $e = r(f)$ that $p' = r(q')$. The changes in energy, generalized momentum and generalized position depend on the precise behavior during the discontinuity. We therefore assume that resistances do not take part in the discontinuous behavior, and that $E' = q' = p' = 0$. As a result, the only dissipation during discontinuous behavior is in the changing connection structure. Note that, for example in the mechanical domain, this means that the position $q$ does not change during discontinuous behavior.

• For an inductance we have the continuous relation $\dot{E} = \dot{p} \cdot \dot{q} = \dot{p} \cdot i(p)$. We integrate over the trajectory of $p$ to find $E' = \int_{p^-}^{p^+} i(x)\,dx$ for the change in stored energy as a function of the change in generalized momentum (see for example 5.4.2 in [e.a., 1993], for the substitution rule from differential calculus we used here). Furthermore, generalized displacement $q$ is an auxiliary variable for an inductance. Therefore, we assume that $q' = 0$.

• For a capacitance we find, dual to the inductance, that $E' = \int_{q^-}^{q^+} c(x)\,dx$ and $p' = 0$.

• For a flow-source, we find that $E' = \int_{p^-}^{p^+} s_f\,dp = s_f \cdot (p^+ - p^-) = s_f \cdot p'$. Note that these relations are similar to those of an inductance, apart from the fact that $\frac{\partial s_f}{\partial p} = 0$. As with inductances, we assume that $q' = 0$.

• For an effort-source, we find that $E' = \int_{q^-}^{q^+} s_e\,dq = s_e \cdot q'$. As with capacitances, we assume that $p' = 0$.

Note that, for example, the calculation of the integral $E' = \int_{p^-}^{p^+} i(x)\,dx$ is only valid if $i$ does not depend on other variables than $x$. If it does, we need to assume, at least, that the change in these other variables is negligible during the discontinuous behavior. Something that, again, has to be verified by the modeler. For 0-junctions, we still have conservation of generalized displacement

$$\sum_{c\in C} q'_c = 0 , \qquad (5.8)$$

while all changes in generalized momentum are equal

$$p'_c = p'_{c'} , \quad \text{for all } c, c' \in C . \qquad (5.9)$$


For 1-junctions we have conservation of generalized momentum

$$\sum_{c\in C} p'_c = 0 , \qquad (5.10)$$

while all changes in generalized displacement are equal

$$q'_c = q'_{c'} , \quad \text{for all } c, c' \in C . \qquad (5.11)$$

Note that it is not the case that $E' = p' \cdot q'$. Hence, the energy equation (5.6) can no longer be left implicit when describing junctions. Using the constitutive relations for discontinuous behavior that we found above, we can model the impact of bodies shown in figure 5.5 as a discontinuous behavior of two masses. If we use the linear constitutive differential equation $\dot{q} = f = \frac{1}{m} \cdot p$ for the colliding bodies, with $p$ the momentum, $m$ the mass, $q$ the position of the bodies, and $f$ the velocity, we obtain the discontinuous constitutive relations given below, for the behavior at time of impact.

$$\begin{aligned}
E'_1 + E'_2 &\le 0 \\
p'_1 + p'_2 &= 0 \\
q'_1 = q'_2 &= 0 \\
E'_1 &= \int_{p_1^-}^{p_1^+} \Big(\frac{1}{m_1} \cdot p\Big)\,dp = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m_1} \\
E'_2 &= \int_{p_2^-}^{p_2^+} \Big(\frac{1}{m_2} \cdot p\Big)\,dp = \frac{(p_2^+)^2 - (p_2^-)^2}{2 \cdot m_2}
\end{aligned}$$
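As an added worked example (not from the thesis), the relations above solved for the admissible momentum exchanged at impact; the abbreviations $v_k^- = p_k^-/m_k$ (the velocities before impact) and the reduced mass $\mu$ are mine:

$$\begin{aligned}
&\text{By } p'_1 + p'_2 = 0 \text{ put } \Delta := p'_1 = -p'_2 , \text{ so } p_1^+ = p_1^- + \Delta \text{ and } p_2^+ = p_2^- - \Delta . \text{ Then} \\
&E'_1 + E'_2 = \frac{2 p_1^- \Delta + \Delta^2}{2 m_1} + \frac{-2 p_2^- \Delta + \Delta^2}{2 m_2} = \Delta\,(v_1^- - v_2^-) + \frac{\Delta^2}{2\mu} \le 0 , \qquad \frac{1}{\mu} := \frac{1}{m_1} + \frac{1}{m_2} .\\
&\text{For bodies that approach each other } (v_1^- > v_2^-) \text{ this is a condition on } \Delta \text{ alone:} \qquad -2\mu\,(v_1^- - v_2^-) \;\le\; \Delta \;\le\; 0 .\\
&\Delta = -2\mu\,(v_1^- - v_2^-) : \quad E'_1 + E'_2 = 0 , \quad v_1^+ = v_1^- - \tfrac{2 m_2}{m_1 + m_2}(v_1^- - v_2^-) , \quad v_2^+ = v_2^- + \tfrac{2 m_1}{m_1 + m_2}(v_1^- - v_2^-) \quad \text{(elastic impact)} ;\\
&\Delta = -\mu\,(v_1^- - v_2^-) : \quad v_1^+ = v_2^+ = \tfrac{m_1 v_1^- + m_2 v_2^-}{m_1 + m_2} , \quad E'_1 + E'_2 = -\tfrac{\mu}{2}\,(v_1^- - v_2^-)^2 \quad \text{(maximal dissipation, perfectly inelastic impact)} .
\end{aligned}$$

So the discontinuous relations fix the exchanged momentum only up to this interval: the energy lost in the abstracted-away impact, which (5.7) deliberately leaves open, selects the point in it, and the endpoint $\Delta = 0$ (no interaction at all) is admitted as well.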

As a last remark, we would like to discuss the assumption we made earlier, that certain variables do not change (or only negligibly) during the discontinuous behavior. Especially, to get a feeling of the implications of this assumption, we would like to study three examples of situations in which this assumption does not hold. The first example is that of a model of a discontinuous effort-source (think, for example, of a voltage source that can be switched on). In this model, the relation $s_e$ changes during the discontinuity. Because of this, we cannot use the discontinuous constitutive relations derived above. The partial integral that is used there is incorrect. However, if we add the assumption that the value of $s_e$ stays within the bounds $s_e^-$ and $s_e^+$ during the discontinuous behavior, we may still approximate the discontinuous behavior using the equations $E' \ge \min(s_e^-, s_e^+)\, q'$ and $E' \le \max(s_e^-, s_e^+)\, q'$. This shows that the assumption that the continuous constitutive relation $s_e$ does not change can be omitted if we have other assumptions to guide the construction of the discontinuous constitutive relations. Incidentally, a discontinuous effort-source can also be modeled using the bond graph elements discussed in section 5.2.6. The second example is that of an external force (or effort source), acting on one of the two colliding masses of figure 5.5. In such a case, the law of conservation of

5.2 Constitutive hybrid processes

109

momentum does not hold during the collision. Energy may be transferred from the effort source to the colliding masses. The change in the auxiliary variable p, associated with the effort source, models the way in which the change in momentum of the masses is influenced by the external force. Our assumption that auxiliary variables do not change (p′ = 0), implies in this case that we consider the influence of the external force to be negligible. However, if the force is relatively large, or the masses are relatively small, this assumption may not hold. In that case, simply dropping the requirement that p′ = 0, as we did in the previous example, leads to an arbitrary change in the velocity of the masses. This is clearly not desirable, which brings us to the conclusion that the intended time-scale abstraction cannot be justified. In other words, it is not possible to model the impact as a discontinuous behavior in a physically correct way. The third, and last, example, is that of an extremely low, or high, resistance. If the value of a resistance approaches infinity, it is unlikely that a change in connection structure between components will be fast enough to prevent the dissipation of some energy in this resistance. Also, if the value of a resistance is close to zero, the assumption that there is no change in the value of the auxiliary variable q, is likely to be flawed. If we still want to model the behavior of the system discontinuously, we can replace the equation E ′ = 0 by E ′ ≥ 0 and drop the requirement that p′ = 0, in case of a high resistance. In case of a low resistance, we can drop the requirement that q ′ = 0. Modeling a resistor in this more flexible way, has the same drawback as in the previous example on the high external force in a collision. There may be behaviors introduced in the model, that are not actually possible in the physical system. This needs to be verified by the modeler, to be sure. 
Similar situations arise when a mass or elasticity approaches zero, and hence the associated inductance i or capacitance c approaches infinity. In this chapter, we will not consider the constitutive relations that are needed for those special cases any further. In the next section, we will combine the constitutive relations for continuous and discontinuous behavior into so-called hybrid constitutive processes. We will also describe bond graph elements that can be used for modeling a change in connection structure [Mosterman et al., 1998, Breedveld, 1996, Strömberg, 1994].

5.2 Constitutive hybrid processes

As we saw previously, bond graphs have a semantics in the form of algebraic differential equations for each of the nodes and edges in the graph. For hybrid bond graphs, this semantics cannot be used anymore, because algebraic differential equations cannot be used to describe discontinuities. In this section, we give a hybrid description of every element of the bond graph formalism as a constitutive hybrid process in HyPA. We also give constitutive processes for the hybrid elements


defined in [Mosterman et al., 1998, Breedveld, 1996], that describe a changing connection structure between the elements of a bond graph. Lastly, we also discuss the constitutive processes of two kinds of junction from bond graph theory, that are used to model energy transfer between domains: the transformer and the gyrator.

Definition 42 (Constitutive process) A constitutive process $X$ is a process of the following form:

$$X \;:\; \Big( \bigoplus_{i\in I} d_i \gg c_i \Big) \triangleright X ,$$

which furthermore has the property that $\forall_{i\in I}\; X \approx_r c_i \blacktriangleright X$.

A constitutive process models a repetitive choice on the execution of discontinuities followed by continuous behavior. For most bond graph elements, there is only one possible discontinuous and one possible continuous behavior, which are repeated indefinitely. Only in the case of controlled junctions and switches there are more. The additional constraint on $X$ models that re-initializations can be skipped if there is a solution of one of the flow-clauses from the current valuation of the variables. In fact, it is more straightforward to define a constitutive process as something of the form

$$X \;:\; \Big( \bigoplus_{i\in I} \big( d_i \vee [\,\mathrm{true}\,] \big) \gg c_i \Big) \triangleright X ,$$

which is equivalent to definition 42. However, we feel that the form we have chosen is more intuitive when describing physical phenomena. Note that in [Cuijpers et al., 2004a,b] a disrupt was used in the definition of constitutive process, rather than a left-disrupt, because the disrupt operator has a more straightforward semantics. As we already mentioned in section 3.1.1, the left-disrupt is mainly introduced for calculation purposes. The only reason to use a left-disrupt here is to assure that we have a guarded recursive specification, which allows the use of RSP in our calculations. We conjecture, without proof, that there is no difference between using a disrupt or left-disrupt regarding the semantics of the process $X$. A complete system is modeled as a parallel composition of constitutive processes, i.e.

$$S \;:\; X_0 \parallel \ldots \parallel X_m .$$

Next, we show that parallel composition of constitutive processes can always be rewritten into the form of a constitutive process again.

Theorem 26 If $C$ and $C'$ are constitutive processes, then $C \parallel C'$ can be written as a constitutive process.


Proof Firstly, we will verify that $C \parallel C'$ can be written in the right form, by showing that it is a solution to the recursive specification

$$C'' \;:\; \bigoplus_{i\in I,\,j\in I'} d''_{(i,j)} \gg c''_{(i,j)} \triangleright C'' ,$$

with $d''_{(i,j)} = (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d'_j \sim (c'_j)_{\mathit{jmp}})$ and $c''_{(i,j)} = c_i \wedge c'_j$. Clearly, $C''$ has the form of a constitutive process again. We derive (expanding the parallel composition into its two left-merges, which deadlock because a re-initialized flow-clause cannot perform a discrete step on its own, and its communication merge):

$$\begin{array}{rl}
& C \parallel C' \\[4pt]
\approx_r & \Big( \displaystyle\bigoplus_{i\in I} d_i \gg c_i \triangleright C \Big) \parallel \Big( \displaystyle\bigoplus_{j\in I'} d'_j \gg c'_j \triangleright C' \Big) \\[4pt]
\approx_r & \Big( \displaystyle\bigoplus_{i\in I} d_i \gg c_i \triangleright C \Big) ⫽ \Big( \displaystyle\bigoplus_{j\in I'} d'_j \gg c'_j \triangleright C' \Big) \;\oplus\; \Big( \displaystyle\bigoplus_{j\in I'} d'_j \gg c'_j \triangleright C' \Big) ⫽ \Big( \displaystyle\bigoplus_{i\in I} d_i \gg c_i \triangleright C \Big) \\
& \oplus\; \Big( \displaystyle\bigoplus_{i\in I} d_i \gg c_i \triangleright C \Big) \mid \Big( \displaystyle\bigoplus_{j\in I'} d'_j \gg c'_j \triangleright C' \Big) \\[4pt]
\approx_r & \delta \;\oplus\; \delta \;\oplus\; \displaystyle\bigoplus_{i\in I,\,j\in I'} \big( d_i \gg c_i \triangleright C \;\mid\; d'_j \gg c'_j \triangleright C' \big) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I'} d''_{(i,j)} \gg c''_{(i,j)} \triangleright \big( C \parallel c'_j \blacktriangleright C' \;\oplus\; C' \parallel c_i \blacktriangleright C \;\oplus\; C \mid c'_j \blacktriangleright C' \;\oplus\; C' \mid c_i \blacktriangleright C \big) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I'} d''_{(i,j)} \gg c''_{(i,j)} \triangleright \big( C \parallel C' \;\oplus\; C' \parallel C \;\oplus\; C \mid C' \;\oplus\; C' \mid C \big) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I'} d''_{(i,j)} \gg c''_{(i,j)} \triangleright \big( C \parallel C' \big)
\end{array}$$


Secondly, we will show that $C \parallel C'$ has the desired property, using the following derivation for every $i$ and $j$.

$$\begin{array}{rl}
& C \parallel C' \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I'} \big( d_i \gg c_i \triangleright C \;\mid\; d'_j \gg c'_j \triangleright C' \big) \\[4pt]
\approx_r & C \mid C' \\[4pt]
\approx_r & (c_i \blacktriangleright C) \mid (c'_j \blacktriangleright C') \\[4pt]
\approx_r & (c_i \triangleright C \oplus C) \mid (c'_j \triangleright C' \oplus C') \\[4pt]
\approx_r & \big( (c_i \triangleright C) \mid (c'_j \triangleright C') \big) \oplus (C \mid C') \\[4pt]
\approx_r & c_i \wedge c'_j \triangleright \Big( \big( (c_i \blacktriangleright C) \parallel C' \big) \oplus \big( C \parallel (c'_j \blacktriangleright C') \big) \Big) \oplus (C \parallel C') \\[4pt]
\approx_r & c_i \wedge c'_j \triangleright (C \parallel C') \oplus (C \parallel C') \\[4pt]
\approx_r & c''_{(i,j)} \blacktriangleright (C \parallel C')
\end{array}$$

The first step in this derivation is a result from the first few steps in the previous derivation. The second step results from performing a number of these steps again in reverse order. Together, these two steps express that $C$ and $C'$ can only perform flow-transitions and hence are forced to synchronize. ⊠

Another useful property of constitutive processes is that the parallel composition of a constitutive process with itself does not change the process.

Theorem 27 If $C$ is a constitutive process, then $C \parallel C \approx_r C$.

Proof We prove this by showing that $C \parallel C$ is a solution of the guarded recursive specification that defines $C$.

The first step applies theorem 26 with $C' = C$; the step that introduces $c_i \blacktriangleright (C \parallel C)$ uses the property established there for $C \parallel C$, with $j = i$ so that $c''_{(i,i)} = c_i$.

$$\begin{array}{rl}
& C \parallel C \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d'_j \sim (c'_j)_{\mathit{jmp}}) \big) \gg (c_i \wedge c_j) \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg (c_i \wedge c_j) \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg (c_i \wedge c_j) \triangleright (C \parallel C) \\
\oplus & \displaystyle\bigoplus_{i\in I} \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_i \sim (c_i)_{\mathit{jmp}}) \big) \gg (c_i \wedge c_i) \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg (c_i \wedge c_j) \triangleright (C \parallel C) \\
\oplus & \displaystyle\bigoplus_{i\in I} (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \Big( \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg (c_i \wedge c_j) \;\oplus\; (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \Big) \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \Big( \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg \big( (c_i \wedge c_j) \oplus c_i \big) \;\oplus\; (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \Big) \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg \big( (c_i \wedge c_j) \oplus c_i \big) \triangleright (C \parallel C) \\
\oplus & \displaystyle\bigoplus_{i\in I} (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg \big( (c_i \wedge c_j) \oplus c_i \big) \triangleright \big( c_i \blacktriangleright (C \parallel C) \big) \\
\oplus & \displaystyle\bigoplus_{i\in I} (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg \Big( \big( (c_i \wedge c_j) \oplus c_i \big) \triangleright c_i \Big) \triangleright (C \parallel C) \\
\oplus & \displaystyle\bigoplus_{i\in I} (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg c_i \triangleright (C \parallel C) \\
\oplus & \displaystyle\bigoplus_{i\in I} (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \Big( \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \gg c_i \;\oplus\; (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \Big) \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} \Big( \big( (d_i \sim (c_i)_{\mathit{jmp}}) \wedge (d_j \sim (c_j)_{\mathit{jmp}}) \big) \vee (d_i \sim (c_i)_{\mathit{jmp}}) \Big) \gg c_i \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I,\,j\in I} (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I} (d_i \sim (c_i)_{\mathit{jmp}}) \gg c_i \triangleright (C \parallel C) \\[4pt]
\approx_r & \displaystyle\bigoplus_{i\in I} d_i \gg c_i \triangleright (C \parallel C)
\end{array}$$

⊠ Studying the form of the constitutive process from a physical point of view, we see that it is not possible to execute several discontinuities consecutively without performing continuous behavior in between. This means that a physically feasible state must be reached after every discontinuity, and that no two consecutive discontinuities can occur. In principle, it is possible to allow singleton solutions to flow clauses in the semantics of HyPA. Singleton solutions are flows with the interval [0, 0] as domain. This means that multiple discontinuities can occur without the passage of time in between. However, the definition of the notion of singleton solution is difficult for differential equations, because the derivative operator is not defined on a function with the interval [0, 0] as domain. In the whole second


part of this thesis, we do not consider those solutions. In the analysis of Newton’s cradle in section 5.3.4, it becomes clear why this choice does not influence the behavior of our models severely.

5.2.1 Bond

The main variables that we describe in our constitutive processes are the stored energy E, the generalized momentum p, the effort e, the generalized displacement q, and the flow f of an element. The standard relations between those variables are reflected in the constitutive process for a bond, although often, we leave those relations implicit for brevity of the presentation. Note, that a bond does not restrict the behavior during discontinuities, which is reflected in the re-initialization clause [ Vm | true]. It does restrict the possibilities of jumps during flow behavior, in the variables it controls. This is reflected in the set Vi = {Ei , pi , qi , ei , fi } ⊆ Vm of variables, where the subscript i refers to the labeling of the bond in the bond graph.

$$\mathrm{Bond}_i \;:\; \Big[\, V_m \;\Big|\; \mathrm{true} \,\Big] \gg \Big(\, V_i \;\Big|\; \dot{E}_i = e_i \cdot f_i ,\; \dot{p}_i = e_i ,\; \dot{q}_i = f_i \,\Big) \triangleright \mathrm{Bond}_i$$

5.2.2 Resistance

A resistance models dissipation of energy. As we mentioned in 5.1.3, however, during discontinuous behavior the dissipation of energy through resistors is assumed to be negligible. Hence, the energy of a resistance is not allowed to change discontinuously. Furthermore, also the generalized momentum and displacement are considered to be auxiliary variables, and are not allowed to change. The continuous behavior is described using the constitutive relation $e = r(f)$, for which we assume that $x \cdot r(x) \ge 0$ for every $x$. This ensures that a resistor models dissipation of energy, $\dot{E} \ge 0$.

$$\mathrm{Resistance}_i(r) \;:\; \Big[\, V_m \;\Big|\; E'_i = 0 ,\; p'_i = 0 ,\; q'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; e_i = r(f_i) \,\Big) \triangleright \mathrm{Resistance}_i(r) .$$

5.2.3 Inductance and capacitance

As was already explained in 5.1.3, the generalized position of an inductance is considered an auxiliary variable, and is not allowed to change during discontinuous behavior. The generalized momentum of an inductance always has a physical interpretation, and may therefore change arbitrarily. The change in stored energy is determined by the momentum-integral over the constitutive relation. The continuous behavior of an inductance is described by the equation $f_i = i(p_i)$, where $\frac{\partial i(p_i)}{\partial p_i} > 0$. The modeler should verify that the value of $q_i$ does not change significantly during discontinuous behavior, and that $i(p_i)$ does not change as a result of changes in other variables than $p_i$.

$$\mathrm{Inductance}_i(i) \;:\; \Big[\, V_m \;\Big|\; E'_i = \int_{p_i^-}^{p_i^+} i(x)\,dx ,\; q'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; f_i = i(p_i) \,\Big) \triangleright \mathrm{Inductance}_i(i) .$$

A capacitance is the dual of an inductance, regarding generalized momentum and generalized displacement, and so we reason that its constitutive process must be:

$$\mathrm{Capacitance}_i(c) \;:\; \Big[\, V_m \;\Big|\; E'_i = \int_{q_i^-}^{q_i^+} c(x)\,dx ,\; p'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; e_i = c(q_i) \,\Big) \triangleright \mathrm{Capacitance}_i(c) ,$$

with $\frac{\partial c(q_i)}{\partial q_i} > 0$.

5.2.4 Sources

For a flow source we have the constitutive relation $f = s_f$, while for an effort source we have $e = s_e$. For these relations, we require $\frac{\partial s_f}{\partial p} = 0$ and $\frac{\partial s_e}{\partial q} = 0$. The modeler should verify that the auxiliary variables $q_i$, for a flow source, and $p_i$, for an effort source, do not change significantly during discontinuous behavior, and that $s_f$ and $s_e$ do not change significantly as a result of changes in other variables than $q_i$ and $p_i$. In particular, this means that we cannot model discontinuous sources using the constitutive hybrid process below, since those would require significant changes in $s_f$ and $s_e$ as a result of progress in time. In section 5.1.3, we discussed an alternative constitutive description that is fit for modeling discontinuous sources. Also, the controlled junctions in section 5.2.6 may be used for this.

$$\text{Flow-Source}_i(s_f) \;:\; \Big[\, V_m \;\Big|\; E'_i = s_f \cdot p'_i ,\; q'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; f_i = s_f \,\Big) \triangleright \text{Flow-Source}_i(s_f)$$

$$\text{Effort-Source}_i(s_e) \;:\; \Big[\, V_m \;\Big|\; E'_i = s_e \cdot q'_i ,\; p'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; e_i = s_e \,\Big) \triangleright \text{Effort-Source}_i(s_e) .$$

5.2.5 Junctions

As before, the 0-junction represents conservation of total energy and total generalized displacement at an equal change in generalized momentum. Dually, the 1-junction represents conservation of total energy and total generalized momentum at an equal change in generalized displacement. The discontinuous behavior is such that total generalized momentum and total generalized displacement are still preserved or changing equally, respectively, and that also the total energy in the system is preserved. Later, when we study junctions that display switching behavior, we will find examples of a junction in which energy is dissipated during discontinuous behavior. Bear in mind that the positive direction of power determines the sign of the contribution of variables to the summations, as in the explanation of junctions in section 5.1.2. This is also the case for the summation of energy. To emphasize this, we have used the notation $\pm$ in front of every variable that should be positive when the power direction points inward and negative when outward. To denote the variables that may not jump during continuous behavior, we define $V_C = \bigcup_{c\in C} V_c$.

$$\text{0-junction}_C \;:\; \Big[\, V_m \;\Big|\; \sum_{c\in C} \pm E'_c = 0 ,\; \sum_{c\in C} \pm q'_c = 0 ,\; \forall_{c,c'\in C}\; p'_c = p'_{c'} \,\Big] \gg \Big(\, V_C \;\Big|\; \sum_{c\in C} \pm f_c = 0 ,\; \forall_{c,c'\in C}\; e_c = e_{c'} \,\Big) \triangleright \text{0-junction}_C ,$$

$$\text{1-junction}_C \;:\; \Big[\, V_m \;\Big|\; \sum_{c\in C} \pm E'_c = 0 ,\; \sum_{c\in C} \pm p'_c = 0 ,\; \forall_{c,c'\in C}\; q'_c = q'_{c'} \,\Big] \gg \Big(\, V_C \;\Big|\; \sum_{c\in C} \pm e_c = 0 ,\; \forall_{c,c'\in C}\; f_c = f_{c'} \,\Big) \triangleright \text{1-junction}_C .$$

5.2.6 Controlled junctions and switches

In this section, we discuss several hybrid bond graph elements, as they were proposed earlier in literature. The controlled junctions are based on the work of [Mosterman et al., 1998, Breedveld, 1996]. The switching element was proposed in [Strömberg, 1994]. As we will see further on, we can express the switch in terms of controlled junctions and 0-sources. When active, a controlled junction acts like the junction it is associated with. When inactive, it acts like a collection of 0-effort sources (i.e. effort sources with $s_e = 0$) or a collection of 0-flow sources, depending on the specific type of the controlled junction. The controlled junctions that are denoted by 0/E and 1/E act as an effort source when inactive, while the controlled junctions denoted by 0/F and 1/F act as a flow source. When active, 0/E and 0/F act as a 0-junction while 1/E and 1/F act as a 1-junction. The predicates Act and Inact model when


a controlled junction is active or inactive, respectively. These are predicates over $V_m$ only. We use $\mathrm{Act}^-$ to denote the predicate Act where all variables $x \in V_m$ are replaced by $x^-$, and similarly for $\mathrm{Inact}^-$. As we explained in section 5.1.3, a change in connection structure between components may give rise to a dissipation of energy. Therefore, when switching from Act to Inact, or vice versa, we allow a decrease in the total energy of the system. The discontinuous behavior of the other variables during this decrease is governed by either the equations for the discontinuous behavior of the associated junction or the equations for the 0-effort or flow-source. Since we are switching from one mode to another, both are possible. Note that, due to the sign convention, a decrease in energy in the system is associated with a positive change in total energy in the junction. In the equations below, we use the same notation ($\pm$) as with junctions, to emphasize the dependence of signs on the power direction of the bonds. We obtain the following hybrid constitutive process for the (0/E)-junction.

$$\begin{array}{rl}
(0/E)_C(\mathrm{Act},\mathrm{Inact}) \;:\; & \Big[\, V_m \;\Big|\; \mathrm{Act}^- ,\; \sum_{c\in C} \pm E'_c = 0 ,\; \sum_{c\in C} \pm q'_c = 0 ,\; \forall_{c,c'\in C}\; p'_c = p'_{c'} \,\Big] \gg \Big(\, V_C \;\Big|\; \mathrm{Act} ,\; \sum_{c\in C} \pm f_c = 0 ,\; \forall_{c,c'\in C}\; e_c = e_{c'} \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Inact}^- ,\; \forall_{c\in C}\; E'_c = 0 ,\; \forall_{c\in C}\; p'_c = 0 \,\Big] \gg \Big(\, V_C \;\Big|\; \mathrm{Inact} ,\; \forall_{c\in C}\; e_c = 0 \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Inact}^- ,\; \sum_{c\in C} \pm E'_c \ge 0 ,\; \sum_{c\in C} \pm q'_c = 0 ,\; \forall_{c,c'\in C}\; p'_c = p'_{c'} \,\Big] \gg \Big(\, V_C \;\Big|\; \mathrm{Act} ,\; \sum_{c\in C} \pm f_c = 0 ,\; \forall_{c,c'\in C}\; e_c = e_{c'} \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Act}^- ,\; \sum_{c\in C} \pm E'_c \ge 0 ,\; \sum_{c\in C} \pm q'_c = 0 ,\; \forall_{c,c'\in C}\; p'_c = p'_{c'} \,\Big] \gg \Big(\, V_C \;\Big|\; \mathrm{Inact} ,\; \forall_{c\in C}\; e_c = 0 \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Inact}^- ,\; \sum_{c\in C} \pm E'_c \ge 0 ,\; \forall_{c\in C}\; p'_c = 0 \,\Big] \gg \Big(\, V_C \;\Big|\; \mathrm{Act} ,\; \sum_{c\in C} \pm f_c = 0 ,\; \forall_{c,c'\in C}\; e_c = e_{c'} \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Act}^- ,\; \sum_{c\in C} \pm E'_c \ge 0 ,\; \forall_{c\in C}\; p'_c = 0 \,\Big] \gg \Big(\, V_C \;\Big|\; \mathrm{Inact} ,\; \forall_{c\in C}\; e_c = 0 \,\Big) \\[6pt]
\triangleright & (0/E)_C(\mathrm{Act},\mathrm{Inact})
\end{array}$$

It is straightforward to construct the dual definitions for 1/E, 0/F and 1/F. Some of the re-initialization clauses that are used above may be combined using the equivalence $d \gg x \oplus d' \gg x \approx_r (d \vee d') \gg x$. We presented the constitutive hybrid process in the disjunctive way, to put more emphasis on the structure of the process. A switch acts like a 0-effort source when active, and as a 0-flow source when


inactive. As before, when switching modes, energy may be dissipated while the other variables behave according to the equations of one of the sources. Because the power bond of a switch is always pointing outward, the decrease in energy is associated with the constitutive equation $(E_i^+ - E_i^-) \le 0$. The constitutive hybrid process of a switch has a similar structure as that of a controlled junction.

$$\begin{array}{rl}
\mathrm{Switch}_i(\mathrm{Act},\mathrm{Inact}) \;:\; & \Big[\, V_m \;\Big|\; \mathrm{Act}^- ,\; E'_i = 0 ,\; p'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; \mathrm{Act} ,\; e_i = 0 \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Inact}^- ,\; E'_i = 0 ,\; q'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; \mathrm{Inact} ,\; f_i = 0 \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Inact}^- ,\; E'_i \le 0 ,\; p'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; \mathrm{Act} ,\; e_i = 0 \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Act}^- ,\; E'_i \le 0 ,\; p'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; \mathrm{Inact} ,\; f_i = 0 \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Inact}^- ,\; E'_i \le 0 ,\; q'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; \mathrm{Act} ,\; e_i = 0 \,\Big) \\[6pt]
\oplus & \Big[\, V_m \;\Big|\; \mathrm{Act}^- ,\; E'_i \le 0 ,\; q'_i = 0 \,\Big] \gg \Big(\, V_i \;\Big|\; \mathrm{Inact} ,\; f_i = 0 \,\Big) \\[6pt]
\triangleright & \mathrm{Switch}_i(\mathrm{Act},\mathrm{Inact})
\end{array}$$

Note that a switch can also be represented as a 0-effort source acting on a controlled 1/F-junction. Dually, representing a switch as a 0-flow source acting on a controlled 0/E-junction (with the switching predicates reversed) is of course also possible. We find that the three bond graphs depicted in figure 5.7 are equivalent, if we abstract from the variables associated with bonds 2 and 3.

[Figure 5.7 Three equivalent switches: a Switch:(Act,Inact); a 0-effort source (Se : 0) acting on a controlled (1/F):(Act,Inact) junction; and a 0-flow source (Sf : 0) acting on a controlled (0/E):(Inact,Act) junction. The source bonds are numbered 2 and 3; in each case bond 1 connects to the rest of the system.]

5.2 Constitutive hybrid processes

119

[Figure 5.8 Two non-equivalent switches: left, a Switch:(Act,Inact) on bond 1 attached to a junction carrying bonds 2 and 3; right, a controlled (1/F):(Act,Inact) junction between bonds 2 and 3.]

The two bond graphs depicted in figure 5.8, perhaps surprisingly, are not equivalent. In the left bond graph, there is a situation in which the total energy of bonds 2 and 3 may decrease while the switch acts like a 0-effort source. Still, some energy may go from 2 to 3, or vice versa. By calculation, we obtain the following subprocess:

$$
\big[ V_m \mid \mathit{Act},\ E'_2 + E'_3 = -E'_1 \ge 0,\ q'_1 = q'_2 = q'_3 = 0 \big] \gg \big[ V_{\{1,2,3\}} \mid \mathit{Inact},\ f_2 = f_3 = 0 \big]
$$

In the right bond graph, given that same situation, the energy of each of the bonds has to decrease separately, clearly indicating that the elements are disconnected. We find the subprocess:

$$
\big[ V_m \mid \mathit{Act},\ E'_2 \ge 0,\ E'_3 \ge 0,\ q'_2 = q'_3 = 0 \big] \gg \big[ V_{\{2,3\}} \mid \mathit{Inact},\ f_2 = f_3 = 0 \big]
$$

This example illustrates that controlled junctions make up a better model of the energy flows between connected and disconnected components. This gives us a slight preference for the use of controlled junctions over switching elements. However, the physical consequences of each still have to be investigated in more detail, so no definitive answer can be given yet as to which is better. In the examples we give further on, we will only use controlled junctions to model discontinuities in our systems.

Remark: graph reduction. For standard bond graph theory, there is a set of graph reduction rules that lead to equivalent bond graphs (modulo elimination of the variables associated with connections between junctions) [Mukherjee and Karmakar, 2000]. We conjecture that those rules are still valid for the hybrid case, with the exception that special elements like resistors of value 0, and infinite resistances, inductances and capacitances, need special treatment due to the observations made at the end of section 5.1.3. For the formal derivation of bond graph reduction rules, we need a notion of abstraction from continuous variables in HyPA. Such a notion of abstraction is introduced in [van de Brand, 2004, van de Brand et al., 2004], but the axiomatization is not fully developed yet. It is our hope that, using this notion, new rules for dealing with hybrid elements, like the informal rule of figure 5.7, can eventually be developed. Even without these abstraction rules we can derive, for example, that $\text{1-junction}_C = (1/E)_C(\mathit{true},\mathit{false})$, which illustrates that a controlled junction behaves like an ordinary junction if it is always activated. This derivation, given below, is based on showing that $(1/E)_C(\mathit{true},\mathit{false})$ is a solution of the guarded recursive definition of $\text{1-junction}_C$.

$$
\begin{array}{ll}
(1/E)_C(\mathit{true},\mathit{false}) \approx_r & \Big[ V_m \,\Big|\, \mathit{true}^-,\ \sum_{c \in C} \pm E'_c = 0,\ \sum_{c \in C} \pm p'_c = 0,\ \forall_{c,c' \in C}\ q'_c = q'_{c'} \Big] \gg \Big[ V_C \,\Big|\, \mathit{true},\ \sum_{c \in C} \pm e_c = 0,\ \forall_{c,c' \in C}\ f_c = f_{c'} \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{false}^-,\ \forall_{c \in C}\ E'_c = 0,\ \forall_{c \in C}\ p'_c = 0 \Big] \gg \Big[ V_C \,\Big|\, \mathit{false},\ \forall_{c \in C}\ e_c = 0 \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{false}^-,\ \sum_{c \in C} \pm E'_c \ge 0,\ \sum_{c \in C} \pm p'_c = 0,\ \forall_{c,c' \in C}\ q'_c = q'_{c'} \Big] \gg \Big[ V_C \,\Big|\, \mathit{true},\ \sum_{c \in C} \pm e_c = 0,\ \forall_{c,c' \in C}\ f_c = f_{c'} \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{true}^-,\ \sum_{c \in C} \pm E'_c \ge 0,\ \sum_{c \in C} \pm p'_c = 0,\ \forall_{c,c' \in C}\ q'_c = q'_{c'} \Big] \gg \Big[ V_C \,\Big|\, \mathit{false},\ \forall_{c \in C}\ e_c = 0 \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{false}^-,\ \forall_{c \in C}\ \pm E'_c \ge 0,\ \forall_{c \in C}\ p'_c = 0 \Big] \gg \Big[ V_C \,\Big|\, \mathit{true},\ \sum_{c \in C} \pm e_c = 0,\ \forall_{c,c' \in C}\ f_c = f_{c'} \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{true}^-,\ \forall_{c \in C}\ \pm E'_c \ge 0,\ \forall_{c \in C}\ p'_c = 0 \Big] \gg \Big[ V_C \,\Big|\, \mathit{false},\ \forall_{c \in C}\ e_c = 0 \Big] \\
& \lhd\ (1/E)_C(\mathit{true},\mathit{false}) \\[1ex]
\approx_r & \Big[ V_m \,\Big|\, \sum_{c \in C} \pm E'_c = 0,\ \sum_{c \in C} \pm p'_c = 0,\ \forall_{c,c' \in C}\ q'_c = q'_{c'} \Big] \gg \Big[ V_C \,\Big|\, \sum_{c \in C} \pm e_c = 0,\ \forall_{c,c' \in C}\ f_c = f_{c'} \Big] \lhd (1/E)_C(\mathit{true},\mathit{false}) \\[1ex]
\approx_r & \Big[ V_m \,\Big|\, \sum_{c \in C} \pm E'_c = 0,\ \sum_{c \in C} \pm p'_c = 0,\ \forall_{c,c' \in C}\ q'_c = q'_{c'} \Big] \gg \Big( \Big[ V_C \,\Big|\, \sum_{c \in C} \pm e_c = 0,\ \forall_{c,c' \in C}\ f_c = f_{c'} \Big] \oplus \delta \Big) \lhd (1/E)_C(\mathit{true},\mathit{false})
\end{array}
$$

5.2.7 Transformers and gyrators

Two standard bond graph junctions that have not been discussed so far are the transformer and the gyrator. They are used to model conversion between different physical domains; examples are motors, levers, pumps, etc. Transformers and gyrators always define a certain ratio $m$ between the flow and effort on the one side and on the other side of the element. As before, the modeler should verify that this ratio does not change significantly during discontinuous behavior. The sign contribution of the variables used in transformers and gyrators depends on the positive direction of power. In the case of transformers and gyrators, all variables are negated when the direction of power of a certain bond is outward.

$$
\begin{array}{ll}
\mathit{Transf.}_{\{i,j\}}(m) : & \big[ V_m \mid \pm E'_i \pm E'_j = 0,\ \pm p'_i = m \cdot \pm p'_j,\ \pm q'_j = m \cdot \pm q'_i \big] \gg \big[ V_{\{i,j\}} \mid \pm e_i = m \cdot \pm e_j,\ \pm f_j = m \cdot \pm f_i \big] \lhd \mathit{Transf.}_{\{i,j\}}(m), \\[1ex]
\mathit{Gyrator}_{\{i,j\}}(m) : & \big[ V_m \mid \pm E'_i \pm E'_j = 0,\ \pm p'_i = m \cdot \pm q'_j,\ \pm p'_j = m \cdot \pm q'_i \big] \gg \big[ V_{\{i,j\}} \mid \pm e_i = m \cdot \pm f_j,\ \pm e_j = m \cdot \pm f_i \big] \lhd \mathit{Gyrator}_{\{i,j\}}(m).
\end{array}
$$

5.3 Examples

In this section, we discuss several examples of hybrid modeling and the resulting process algebraic descriptions. We start by revisiting the collision example of section 5.1.3, and subsequently apply the same principle in a model of an impact control unit as it is produced by Assembleon. Next, we study a model of an electrical circuit containing diodes, and show how, in this model, implicit switching takes place. Analysis of the model leads to a new model with fewer modes of operation than one might expect at first sight. Subsequently, we perform a deeper study of the phenomenon of implicit switching, using a model of Newton's cradle. In all models we use linear constitutive equations for all components.

5.3.1 Collision

In this subsection, we revisit the example of a collision between two masses of section 5.1.3. The bond graph that is associated with the problem of collision is depicted in figure 5.9. The controlled 1/E-junction is active, modeling the exchange of momentum between the two masses, when the positions of the masses are equal and either the velocity of the left mass is greater than that of the right mass, or the velocities are equal and the acceleration of the left mass is greater than that of the right mass. The acceleration of an inductance can be expressed as $\dot f = \frac{\partial i}{\partial p} \cdot \dot p$, and for the linear masses we use in this model we find $\dot f = \frac{1}{m} \cdot e$. Ultimately, we obtain $(q_1 = q_2 \wedge f_1 > f_2) \vee (q_1 = q_2 \wedge f_1 = f_2 \wedge \frac{1}{m_1} \cdot e_1 \ge \frac{1}{m_2} \cdot e_2)$ for the $\mathit{Act}$ predicate. For the $\mathit{Inact}$ predicate, modeling the case where the masses do not touch, we have $(q_1 < q_2) \vee (q_1 = q_2 \wedge f_1 < f_2) \vee (q_1 = q_2 \wedge f_1 = f_2 \wedge \frac{1}{m_1} \cdot e_1 \le \frac{1}{m_2} \cdot e_2)$.

[Figure 5.9 Modified bond graph for a collision: i : $m_1$ (mass) on bond 1, a controlled (1/E):(Act, Inact) junction, i : $m_2$ (mass) on bond 2, with the $\mathit{Act}$ and $\mathit{Inact}$ predicates as given above.]

From this bond graph, we construct the following parallel composition of constitutive processes.

$$
\mathit{Collision} : \mathit{Inductance}_1(m_1) \parallel \mathit{Bond}_1 \parallel (1/E)_{\{1,2\}}(\mathit{Act},\mathit{Inact}) \parallel \mathit{Bond}_2 \parallel \mathit{Inductance}_2(m_2)
$$

Elimination of the parallel composition through algebraic reasoning (see chapter 3) gives us the following constitutive process for the whole system. For the sake of brevity, we have left the bond definitions implicit.

$$
\begin{array}{ll}
\mathit{Collision} \approx_r & \Big[ V_m \,\Big|\, \mathit{Act}^-,\ E'_1 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m_1},\ E'_2 = \frac{(p_2^+)^2 - (p_2^-)^2}{2 \cdot m_2},\ E'_1 + E'_2 = 0,\ p'_1 + p'_2 = 0,\ q'_1 = q'_2 = 0 \Big] \gg \Big[ V_{\{1,2\}} \,\Big|\, \mathit{Act},\ p_1 = m_1 \cdot f_1,\ p_2 = m_2 \cdot f_2,\ e_1 + e_2 = 0,\ f_1 = f_2 \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{Inact}^-,\ E'_1 = E'_2 = 0,\ p'_1 = p'_2 = 0,\ q'_1 = q'_2 = 0 \Big] \gg \Big[ V_{\{1,2\}} \,\Big|\, \mathit{Inact},\ p_1 = m_1 \cdot f_1,\ p_2 = m_2 \cdot f_2,\ e_1 = e_2 = 0 \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{Inact}^-,\ E'_1 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m_1},\ E'_2 = \frac{(p_2^+)^2 - (p_2^-)^2}{2 \cdot m_2},\ E'_1 + E'_2 \le 0,\ p'_1 + p'_2 = 0,\ q'_1 = q'_2 = 0 \Big] \gg \Big[ V_{\{1,2\}} \,\Big|\, \mathit{Act},\ p_1 = m_1 \cdot f_1,\ p_2 = m_2 \cdot f_2,\ e_1 + e_2 = 0,\ f_1 = f_2 \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{Act}^-,\ E'_1 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m_1},\ E'_2 = \frac{(p_2^+)^2 - (p_2^-)^2}{2 \cdot m_2},\ E'_1 + E'_2 \le 0,\ p'_1 + p'_2 = 0,\ q'_1 = q'_2 = 0 \Big] \gg \Big[ V_{\{1,2\}} \,\Big|\, \mathit{Inact},\ p_1 = m_1 \cdot f_1,\ p_2 = m_2 \cdot f_2,\ e_1 = e_2 = 0 \Big] \\
& \lhd\ \mathit{Collision}.
\end{array}
$$

In the next subsection, we will use the same principle of modeling collision, in a slightly more advanced model of the impact control module from section 3.2.

5.3.2 Impact control at Assembleon

In this subsection, we discuss an application of the collision model to a component mounter as it is produced by Assembleon and Philips CFT. Figure 5.10 shows a part of that component mounter, called the pick-and-place module. This module uses a sled, modeled as a simple mass ms , driven by a force F , to place components onto a printed circuit board (PCB), modeled as a mass mp . The mass of the PCB is connected with a spring-damper system (k, b) to reflect the flexibility of the board. From a hybrid point of view this model is interesting, because it abstracts from the precise impact mechanics. Instead, it models the impact of masses by using discontinuous versions of the laws of conservation of momentum and conservation of energy.

[Figure 5.10 Schematic model of the impact process: a sled of mass $m_s$ driven by a force $F$, a PCB of mass $m_p$, and a spring $k$ and damper $b$ connecting the PCB to ground.]

The bond graph that is associated with the schematic model of figure 5.10 is given in figure 5.11. It is important to note that this bond graph model is only valid if the influence of the external force, and the influence of the spring-damper system on the impact behavior, are negligible. Otherwise, conservation of momentum during the collision is not guaranteed. The actual validation of that assumption is outside the scope of this thesis.

[Figure 5.11 Bond graph model for the impact module: i : $m_s$ (mass sled) and se : $F$ (steering force) on a 1-junction (bonds 1, 2, 3); a controlled (1/E):(Act,Inact) junction (bonds 3, 4); i : $m_p$ (mass PCB), c : $1/k$ (stiffness PCB) and r : $b$ (friction PCB) on a 1-junction (bonds 4, 5, 6, 7). Switching predicates: $\mathit{Act} : (q_1 = q_5 \wedge f_1 < f_5) \vee (q_1 = q_5 \wedge f_1 = f_5 \wedge \frac{1}{m_s} \cdot (e_1 + e_3) \le \frac{1}{m_p} \cdot (e_5 - e_4))$ and $\mathit{Inact} : (q_1 > q_5) \vee (q_1 = q_5 \wedge f_1 > f_5) \vee (q_1 = q_5 \wedge f_1 = f_5 \wedge \frac{1}{m_s} \cdot (e_1 + e_3) \ge \frac{1}{m_p} \cdot (e_5 - e_4))$.]

Note that the power directions in the bond graph suggest that the velocity of the masses and the positive direction of the force are all defined upward. In other words, the force vector in figure 5.10 is drawn in the negative direction. Furthermore, the switching conditions are slightly different from those in the previous section. We have to take the effort that is transported through the (1/E)-junction into account, because we need to calculate the difference in acceleration as it would have been if the junction were inactive. The resulting condition, admittedly, is rather complex. We feel it might be possible to model the switching conditions in an easier (and more structured) way if we could model the physical intuition that a system always takes the route of least resistance (the entropy principle). We conjecture that in bond graph terms this translates to a preference for the inactive state of a junction, since that state assumes the least structure in a system. In particular, the impact system seems to have a preference for the case where there is no connection between the masses. In (discrete) process algebra, preference can be modeled as a global operator that filters actions based on a partial ordering on those actions. Perhaps it is possible, as a topic of future research, to develop a similar operator for HyPA models that allows us to express a preference for certain values of model variables. Extending the constitutive hybrid processes of this chapter with a variable expressing a generalized entropy based on the connection structure could then solve our problems. Further research in this direction might lead to new insights into the switching behavior of bond graphs, since it would only require one condition, saying when the preferred mode is not accessible, rather than two. After calculations similar to the ones used in the previous subsection, we obtain the following constitutive hybrid process for the impact module as a whole. Note that this process has roughly the same structure as the one we found in the previous section.

$$
\begin{array}{ll}
\mathit{Module} \approx_r & \Big[ V_m \,\Big|\, \mathit{Act}^-,\ E'_1 = -E'_3 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m_s},\ E'_4 = E'_5 = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m_p},\ E'_1 + E'_5 = E'_2 = E'_6 = E'_7 = 0,\ p'_1 = -p'_3,\ p'_4 = p'_5,\ p'_1 + p'_5 = p'_2 = p'_6 = p'_7 = 0,\ q'_1 = q'_2 = q'_3 = q'_4 = 0,\ q'_5 = q'_6 = q'_7 = 0 \Big] \\
& \qquad \gg \Big[ V_{\{1/7\}} \,\Big|\, \mathit{Act},\ p_1 = m_s \cdot f_1,\ p_5 = m_p \cdot f_5,\ q_6 = \frac{1}{k} \cdot e_6,\ e_2 = F,\ e_7 = b \cdot f_7,\ e_2 - e_1 = e_3 = e_4 = e_5 + e_6 + e_7,\ f_1 = f_2 = f_3 = f_4 = f_5 = f_6 = f_7 \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{Inact}^-,\ E'_1 = E'_2 = E'_3 = E'_4 = 0,\ E'_5 = E'_6 = E'_7 = 0,\ p'_1 = p'_2 = p'_3 = p'_4 = 0,\ p'_5 = p'_6 = p'_7 = 0,\ q'_1 = q'_2 = q'_3 = q'_4 = 0,\ q'_5 = q'_6 = q'_7 = 0 \Big] \\
& \qquad \gg \Big[ V_{\{1/7\}} \,\Big|\, \mathit{Inact},\ p_1 = m_s \cdot f_1,\ p_5 = m_p \cdot f_5,\ q_6 = \frac{1}{k} \cdot e_6,\ e_2 = F,\ e_7 = b \cdot f_7,\ e_2 - e_1 = e_3 = 0,\ e_4 = e_5 + e_6 + e_7 = 0,\ f_1 = f_2 = f_3,\ f_4 = f_5 = f_6 = f_7 \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{Inact}^-,\ E'_1 = -E'_3 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m_s},\ E'_4 = E'_5 = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m_p},\ E'_1 + E'_5 \le E'_2 = E'_6 = E'_7 = 0,\ p'_1 = -p'_3,\ p'_4 = p'_5,\ p'_1 + p'_5 = p'_2 = p'_6 = p'_7 = 0,\ q'_1 = q'_2 = q'_3 = q'_4 = 0,\ q'_5 = q'_6 = q'_7 = 0 \Big] \\
& \qquad \gg \Big[ V_{\{1/7\}} \,\Big|\, \mathit{Act},\ p_1 = m_s \cdot f_1,\ p_5 = m_p \cdot f_5,\ q_6 = \frac{1}{k} \cdot e_6,\ e_2 = F,\ e_7 = b \cdot f_7,\ e_2 - e_1 = e_3 = e_4 = e_5 + e_6 + e_7,\ f_1 = f_2 = f_3 = f_4 = f_5 = f_6 = f_7 \Big] \\
& \oplus\ \Big[ V_m \,\Big|\, \mathit{Act}^-,\ E'_1 = -E'_3 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m_s},\ E'_4 = E'_5 = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m_p},\ E'_1 + E'_5 \le E'_2 = E'_6 = E'_7 = 0,\ p'_1 = -p'_3,\ p'_4 = p'_5,\ p'_1 + p'_5 = p'_2 = p'_6 = p'_7 = 0,\ q'_1 = q'_2 = q'_3 = q'_4 = 0,\ q'_5 = q'_6 = q'_7 = 0 \Big] \\
& \qquad \gg \Big[ V_{\{1/7\}} \,\Big|\, \mathit{Inact},\ p_1 = m_s \cdot f_1,\ p_5 = m_p \cdot f_5,\ q_6 = \frac{1}{k} \cdot e_6,\ e_2 = F,\ e_7 = b \cdot f_7,\ e_2 - e_1 = e_3 = 0,\ e_4 = e_5 + e_6 + e_7 = 0,\ f_1 = f_2 = f_3,\ f_4 = f_5 = f_6 = f_7 \Big] \\
& \lhd\ \mathit{Module}.
\end{array}
$$

In chapter 7, we return to this model, and analyse a control strategy for it.

5.3.3 An electrical circuit

In this section, we study the electrical circuit depicted in figure 5.12. The bond graph that is associated with this circuit, is depicted in figure 5.13. It is taken from [Mosterman, 1997], and uses controlled junctions to model the electrical switch and the diode. The state of the diode depends on the flow and effort in the bond, or bonds, connected to it. For the electrical switch, we use the predicate Closed to represent a closed switch, and the predicate Open to represent an open switch.

[Figure 5.12 Electrical circuit with switch and diode: a voltage source $U$, a switch with predicates (Closed,Open), a resistor $R$, a diode, and an inductor $L$.]

After calculation on the parallel composition of the constitutive hybrid processes of the bond graph depicted in figure 5.13, it turns out that there are essentially six possible re-initializations and four possible flow clauses. Furthermore, the switching predicates restrict the combinations of those. We obtain the following constitutive process for the whole circuit.

[Figure 5.13 Bond graph model using controlled junctions: se : $U$ (voltage) on bond 1, a 1-junction, a controlled (1/F):(Closed,Open) junction (switch), r : $R$ (resistor) on bond 2, a controlled (0/E):($e_4 \le 0$, $f_3 \ge f_4$) junction (diode) on bond 3, and i : $L$ (inductor) on bond 4.]

$$
\begin{array}{ll}
\mathit{Circuit} \approx_r & \big(\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_1 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_2 \\
& \oplus\ (d_3 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_3 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_1 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_2 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_3 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_4 \\
& \oplus\ (d_3 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_1 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_2 \\
& \oplus\ (d_2 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_3 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_1 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_2 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_3 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_4\ \big) \lhd \mathit{Circuit}
\end{array}
$$

in which we use the following abbreviations, for which the bond definitions are left implicit:

$$
\begin{array}{lcl}
d_1 & = & \big[ V_m \mid E'_1 = E'_2 = E'_3 = E'_4 = 0,\ p'_1 = p'_2 = p'_3 = p'_4 = 0,\ q'_1 = q'_2 = q'_3 = q'_4 = 0 \big] \\[0.5ex]
d_2 & = & \big[ V_m \mid E'_1 = E'_2 = E'_3 = E'_4 = 0,\ p'_1 = p'_2 = 0,\ p'_3 = p'_4,\ q'_1 = q'_2 = q'_3 = q'_4 = 0,\ (p_4^+)^2 = (p_4^-)^2 \big] \\[0.5ex]
d_3 & = & \big[ V_m \mid E'_1 = E'_2 = 0,\ E'_3 = E'_4 = \frac{(p_4^+)^2 - (p_4^-)^2}{2 \cdot L} \le 0,\ p'_1 = p'_2 = 0,\ p'_3 = p'_4,\ q'_1 = q'_2 = q'_3 = q'_4 = 0 \big] \\[0.5ex]
d_4 & = & \big[ V_m \mid E'_1 = E'_2 = 0,\ E'_4 = \frac{(p_4^+)^2 - (p_4^-)^2}{2 \cdot L} \le E'_3 \le 0,\ p'_1 = p'_2 = 0,\ p'_3 = p'_4,\ q'_1 = q'_2 = q'_3 = q'_4 = 0 \big] \\[0.5ex]
d_5 & = & \big[ V_m \mid E'_1 = E'_2 = E'_3 = 0,\ E'_4 = \frac{(p_4^+)^2 - (p_4^-)^2}{2 \cdot L} \le 0,\ p'_1 = p'_2 = 0,\ p'_3 = p'_4,\ q'_1 = q'_2 = q'_3 = q'_4 = 0 \big] \\[0.5ex]
c_1 & = & \big[ V_{\{1/4\}} \mid e_1 - e_2 = e_3 = e_4,\ f_1 = f_2 = f_3 = f_4,\ e_1 = U,\ e_2 = R \cdot f_2,\ p_4 = \frac{1}{L} \cdot f_4,\ e_4 \le 0 \wedge \mathit{Closed} \big] \\[0.5ex]
c_2 & = & \big[ V_{\{1/4\}} \mid e_2 = e_3 = e_4,\ f_1 = f_2 = f_3 = f_4 = 0,\ e_1 = U,\ p_4 = 0,\ e_4 \le 0 \wedge \mathit{Open} \big] \\[0.5ex]
c_3 & = & \big[ V_{\{1/4\}} \mid e_1 - e_2 = e_3 = e_4 = 0,\ f_1 = f_2 = f_3,\ e_1 = U,\ e_2 = R \cdot f_2,\ p_4 = \frac{1}{L} \cdot f_4,\ f_3 \ge f_4 \wedge \mathit{Closed} \big] \\[0.5ex]
c_4 & = & \big[ V_{\{1/4\}} \mid e_2 = e_3 = e_4 = 0,\ f_1 = f_2 = f_3 = 0,\ e_1 = U,\ p_4 = \frac{1}{L} \cdot f_4,\ f_4 \le 0 \wedge \mathit{Open} \big]
\end{array}
$$

It is arguable whether our constitutive hybrid process for a controlled junction forms a good representation of a diode, because we do not expect a diode to dissipate energy during switching. Adapting the constitutive hybrid process of the diode in such a way that no energy dissipation takes place leads to a new definition of the re-initialization clauses $d_4$ and $d_5$, which makes them coincide with $d_3$ and $d_2$, respectively.

$$
\begin{array}{lcl}
d_3 = d_4 & = & \big[ V_m \mid E'_1 = E'_2 = 0,\ E'_3 = E'_4 = \frac{(p_4^+)^2 - (p_4^-)^2}{2 \cdot L} \le 0,\ p'_1 = p'_2 = 0,\ p'_3 = p'_4,\ q'_1 = q'_2 = q'_3 = q'_4 = 0 \big] \\[0.5ex]
d_2 = d_5 & = & \big[ V_m \mid E'_1 = E'_2 = E'_3 = E'_4 = 0,\ p'_1 = p'_2 = 0,\ p'_3 = p'_4,\ q'_1 = q'_2 = q'_3 = q'_4 = 0,\ (p_4^+)^2 = (p_4^-)^2 \big]
\end{array}
$$

The analysis in the remainder of this subsection is independent of the choice whether or not to model a diode as a dissipating element during discontinuities. Further study of the flow clauses shows a peculiarity in the behavior of $c_2$. Using calculation on derivatives, we obtain $e_4 = \dot p_4 = 0$. As it turns out, the only case where $c_2$ does not deadlock is when both the voltage over the diode and the current through the diode are zero. Interestingly, the set of solutions of $c_2$ is a subset of the set of solutions of $c_4$, indicating that the diode can be interpreted as both conducting and blocking. In other words, if $c_2$ is reached, the process performs a kind of implicit switch to $c_4$. Also, the solutions of re-initialization clause $d_1$ form a subset of the solutions of $d_4$, which in turn are a subset of the solutions of $d_5$. This is used in the following derivation, which shows the character of the implicit switching formally. In the first step, we use the special property of constitutive hybrid processes. In the second step, we use the distribution axiom of the disrupt. In the third step, we split and recombine the re-initialization clauses using the axioms for re-initialization and choice, and the fact that the solutions of $d_1$ are a subset of those of $d_4$, etc. In the fourth step, we use derivation rule (11) and the fact that the solutions of $c_2$ are a subset of those of $c_4$. We also use the distribution of the disrupt again. In the last step, we use the special property of constitutive hybrid processes again, and we recombine the re-initialization clauses as before. The result is a smaller description of the circuit, with one mode less.

$$
\begin{array}{ll}
\mathit{Circuit} \approx_r & \big(\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_1 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_2 \\
& \oplus\ (d_3 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_3 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_1 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_2 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_3 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_4 \\
& \oplus\ (d_3 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_1 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_2 \\
& \oplus\ (d_2 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_3 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_1 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_2 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_3 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_4\ \big) \lhd (c_4 \blacktriangleright \mathit{Circuit}) \\[1ex]
\approx_r & \big(\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_1 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_2 \lhd c_4 \\
& \oplus\ (d_3 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_3 \lhd c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_4 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_1 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_2 \lhd c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_3 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_4 \lhd c_4 \\
& \oplus\ (d_3 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_1 \lhd c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_2 \lhd c_4 \\
& \oplus\ (d_2 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_3 \lhd c_4 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_4 \lhd c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_1 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_2 \lhd c_4 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_3 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_4 \lhd c_4\ \big) \lhd \mathit{Circuit} \\[1ex]
\approx_r & \big(\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_1 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg (c_2 \oplus c_4) \lhd c_4 \\
& \oplus\ (d_3 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_3 \lhd c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_4 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_1 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg (c_2 \oplus c_4) \lhd c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_3 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_4 \lhd c_4 \\
& \oplus\ (d_3 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_1 \lhd c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg (c_2 \oplus c_4) \lhd c_4 \\
& \oplus\ (d_2 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_3 \lhd c_4 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_4 \lhd c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_1 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg (c_2 \oplus c_4) \lhd c_4 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_3 \lhd c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_4 \lhd c_4\ \big) \lhd \mathit{Circuit} \\[1ex]
\approx_r & \big(\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_1 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_3 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_3 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_1 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_3 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_4 \\
& \oplus\ (d_3 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_1 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_2 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_3 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_1 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_4 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_3 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_4\ \big) \lhd (c_4 \blacktriangleright \mathit{Circuit}) \\[1ex]
\approx_r & \big(\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_1 \\
& \oplus\ (d_3 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_3 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_1 \\
& \oplus\ (d_4 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_3 \\
& \oplus\ (d_1 \wedge [ V_m \mid f_3^- \ge f_4^- \wedge \mathit{Open}^- ]) \gg c_4 \\
& \oplus\ (d_3 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_1 \\
& \oplus\ (d_2 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_3 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Closed}^- ]) \gg c_4 \\
& \oplus\ (d_4 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_1 \\
& \oplus\ (d_5 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_3 \\
& \oplus\ (d_1 \wedge [ V_m \mid e_4^- \le 0 \wedge \mathit{Open}^- ]) \gg c_4\ \big) \lhd \mathit{Circuit}
\end{array}
$$

From this description, it becomes clear that opening the switch forces the diode to start conducting. If the current through the inductance is negative, the implicit switch from blocking to conducting leads to an energy loss, such that after the discontinuity the generalized momentum of the inductance and the current through the inductance are zero. This implicit switching was also described, for example, in the work of [Mosterman, 1997]. In the next example, on Newton's cradle, we study another occurrence of implicit switching.

5.3.4 Newton's cradle

Newton's cradle, see figure 5.14, is a famous toy for physicists. It can be used to study conservation of momentum and energy in collisions. A standard way to model Newton's cradle, see for example [van der Schaft and Schumacher, 2000b], is to model the collision between two masses, and then study what happens if multiple masses engage in these simple collisions in an interleaved fashion. As a result, there is a multiplicity of discontinuities when more than two masses collide. When we model it using constitutive hybrid processes, however, it turns out that these discontinuities are all combined and executed as one single discontinuity. In figure 5.15, we have depicted a bond graph model of Newton's cradle for an arbitrary number of balls ($n > 2$). The switching conditions for the controlled junctions depend on the effort and flow of the colliding masses, as was the case for the simple collision of section 5.3.1. We find $\mathit{Act} : (q_{3i} = q_{3i+3} \wedge f_{3i} > f_{3i+3}) \vee (q_{3i} = q_{3i+3} \wedge f_{3i} = f_{3i+3} \wedge \frac{1}{m_i} \cdot e_{3i+1} \ge \frac{1}{m_{i+1}} \cdot e_{3i+2})$ and $\mathit{Inact} : (q_{3i} \le q_{3i+3})$ for the collision between mass $i$ and $i+1$, with $1 < i < n$. Similar conditions apply if $i = 1$ or $i = n$, but the numbering is slightly different for these border cases. The constitutive hybrid process for the case where we have three balls is given below. We have assumed there that all balls have the same mass $m$.

[Figure 5.14 Newton's cradle]

[Figure 5.15 Bond graph model of Newton's cradle: ball $i$ (i : $m_i$) on bond $3i$, with 1-junctions and controlled 1/E-junctions between consecutive balls; bonds are numbered $1$ to $3n-1$.]
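As an added illustration (not code from the thesis or its author), the following Python turns the Act/Inact predicates of figure 5.9 and the re-initialization clauses of the Collision process (section 5.3.1) and of the three-ball cradle (this section) into a numeric admissibility check; it generalizes the text's cases to a chain of n masses joined by controlled (1/E)-junctions and to both the energy-conserving and the dissipating clauses. The names Mass, act, inact, reinit_admissible and cradle_outcomes are hypothetical, and the sample states are constructed.

```python
# Added example, not code from the thesis: the Act/Inact predicates of
# figure 5.9 and the re-initialization clauses of the Collision and Cradle
# processes as a numeric admissibility check over a chain of masses.
# All names (Mass, act, inact, reinit_admissible, cradle_outcomes) are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class Mass:
    """Inductance element: mass m, position q, velocity f (flow), force e (effort)."""
    m: float
    q: float
    f: float
    e: float = 0.0

    @property
    def p(self) -> float:          # generalized momentum p = m * f
        return self.m * self.f

    def energy(self) -> float:     # stored energy p^2 / (2 m)
        return self.p ** 2 / (2 * self.m)


def act(left: Mass, right: Mass) -> bool:
    """Act of figure 5.9: the masses touch and the left one pushes into the right
    one (it is faster, or equally fast and accelerates at least as hard)."""
    if left.q != right.q:
        return False
    return left.f > right.f or (
        left.f == right.f and left.e / left.m >= right.e / right.m)


def inact(left: Mass, right: Mass) -> bool:
    """Inact of figure 5.9: the masses are apart, or they touch and separate."""
    if left.q < right.q:
        return True
    if left.q != right.q:
        return False
    return left.f < right.f or (
        left.f == right.f and left.e / left.m <= right.e / right.m)


def reinit_admissible(before: Sequence[Mass], after: Sequence[Mass],
                      active: Sequence[bool], dissipative: bool,
                      tol: float = 1e-9) -> bool:
    """Check a jump `before -> after` against the re-initialization clause of a
    chain of masses joined by controlled (1/E)-junctions.  active[i] says whether
    the junction between mass i and i+1 is active; masses linked by active
    junctions form a group.  Per group: sum p' = 0 (momentum conserved) and
    sum E' = 0 (energy-conserving clause) or sum E' <= 0 (dissipating clause).
    Positions never jump (q' = 0); an isolated mass keeps its momentum."""
    if len(before) != len(after) or len(active) != len(before) - 1:
        raise ValueError("shape mismatch")
    if any(abs(a.q - b.q) > tol for a, b in zip(after, before)):
        return False                               # q' = 0 violated
    groups: List[List[int]] = [[0]]                # maximal active chains
    for i, on in enumerate(active):
        if on:
            groups[-1].append(i + 1)
        else:
            groups.append([i + 1])
    for g in groups:
        dp = sum(after[i].p - before[i].p for i in g)
        dE = sum(after[i].energy() - before[i].energy() for i in g)
        if abs(dp) > tol:
            return False                           # momentum not conserved
        if dE > tol or (not dissipative and abs(dE) > tol):
            return False                           # energy created, or changed
    return True


def cradle_outcomes(m: float, v: float) -> Dict[str, bool]:
    """Three equal balls in contact, the left one arriving with speed v, the
    whole collision taken as one discontinuity (section 5.3.4).  Returns which
    candidate post-states the combined clause admits."""
    before = [Mass(m, 0.0, v), Mass(m, 0.0, 0.0), Mass(m, 0.0, 0.0)]
    both = [True, True]
    transfer = [Mass(m, 0.0, 0.0), Mass(m, 0.0, 0.0), Mass(m, 0.0, v)]
    shared = [Mass(m, 0.0, v / 3), Mass(m, 0.0, v / 3), Mass(m, 0.0, v / 3)]
    gain = [Mass(m, 0.0, -v), Mass(m, 0.0, 0.0), Mass(m, 0.0, 2 * v)]
    return {
        # classic outcome: momentum and energy both conserved
        "transfer_conserving": reinit_admissible(before, transfer, both, False),
        # all three move on together: momentum kept, energy dissipated
        "shared_conserving": reinit_admissible(before, shared, both, False),
        "shared_dissipative": reinit_admissible(before, shared, both, True),
        # momentum kept but energy increases: never admissible
        "gain_dissipative": reinit_admissible(before, gain, both, True),
        # second junction inactive: ball 3 is isolated and must keep p = 0
        "transfer_second_inactive": reinit_admissible(before, transfer, [True, False], True),
    }
```

The dissipating clause admits a whole family of post-states (every momentum-conserving outcome that does not create energy), which is exactly why the cradle's multi-ball collision needs no sequence of pairwise discontinuities.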

134

Chapter 5 Modeling hybrid physical processes

$$
\begin{array}{ll}
\mathit{Cradle} \approx_r & \big(\ (A_{12} \wedge A_{45} \wedge d_{aa}) \gg c_{aa} \oplus (A_{12} \wedge A_{45} \wedge d_{as}) \gg c_{ai} \\
& \oplus\ (A_{12} \wedge A_{45} \wedge d_{sa}) \gg c_{ia} \oplus (A_{12} \wedge A_{45} \wedge d_{ss}) \gg c_{ii} \\
& \oplus\ (A_{12} \wedge I_{45} \wedge d_{as}) \gg c_{aa} \oplus (A_{12} \wedge I_{45} \wedge d_{ai}) \gg c_{ai} \\
& \oplus\ (A_{12} \wedge I_{45} \wedge d_{ss}) \gg c_{ia} \oplus (A_{12} \wedge I_{45} \wedge d_{si}) \gg c_{ii} \\
& \oplus\ (I_{12} \wedge A_{45} \wedge d_{sa}) \gg c_{aa} \oplus (I_{12} \wedge A_{45} \wedge d_{ss}) \gg c_{ai} \\
& \oplus\ (I_{12} \wedge A_{45} \wedge d_{ia}) \gg c_{ia} \oplus (I_{12} \wedge A_{45} \wedge d_{is}) \gg c_{ii} \\
& \oplus\ (I_{12} \wedge I_{45} \wedge d_{ss}) \gg c_{aa} \oplus (I_{12} \wedge I_{45} \wedge d_{si}) \gg c_{ai} \\
& \oplus\ (I_{12} \wedge I_{45} \wedge d_{is}) \gg c_{ia} \oplus (I_{12} \wedge I_{45} \wedge d_{ii}) \gg c_{ii}\ \big) \lhd \mathit{Cradle}
\end{array}
$$



In this process definition, we used the following definitions for the clauses. Note that, especially in the flow clauses, it was possible to simplify the switching conditions considerably.

$$
\begin{array}{lcl}
A_{12} & = & \big[ V_m \mid (q_1^- = q_3^- \wedge f_1^- > f_3^-) \vee (q_1^- = q_3^- \wedge f_1^- = f_3^- \wedge e_1^- \ge e_2^-) \big] \\
A_{45} & = & \big[ V_m \mid (q_3^- = q_5^- \wedge f_3^- > f_5^-) \vee (q_3^- = q_5^- \wedge f_3^- = f_5^- \wedge e_4^- \ge e_5^-) \big] \\
I_{12} & = & \big[ V_m \mid q_1^- \le q_3^- \big] \\
I_{45} & = & \big[ V_m \mid q_3^- \le q_5^- \big]
\end{array}
$$

$$
\begin{array}{lcl}
d_{aa} & = & \Big[ V_m \,\Big|\, E'_1 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m},\ E'_3 = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m},\ E'_5 = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m},\ E'_1 + E'_3 + E'_5 = 0,\ E'_1 = -E'_2,\ E'_4 = -E'_5,\ p'_1 + p'_3 + p'_5 = 0,\ p'_1 = -p'_2,\ p'_4 = -p'_5,\ q'_1 = q'_2 = q'_3 = q'_4 = q'_5 = 0 \Big] \\[0.5ex]
d_{as} & = & \Big[ V_m \,\Big|\, E'_1 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m},\ E'_3 = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m},\ E'_5 = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m},\ E'_1 + E'_3 + E'_5 \le 0,\ E'_1 = -E'_2,\ E'_1 + E'_3 = E'_4,\ p'_1 + p'_3 + p'_5 = 0,\ p'_1 = -p'_2,\ p'_4 = -p'_5,\ q'_1 = q'_2 = q'_3 = q'_4 = q'_5 = 0 \Big] \\[0.5ex]
d_{sa} & = & \Big[ V_m \,\Big|\, E'_1 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m},\ E'_3 = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m},\ E'_5 = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m},\ E'_1 + E'_3 + E'_5 \le 0,\ E'_2 = E'_3 + E'_5,\ E'_4 = -E'_5,\ p'_1 + p'_3 + p'_5 = 0,\ p'_1 = -p'_2,\ p'_4 = -p'_5,\ q'_1 = q'_2 = q'_3 = q'_4 = q'_5 = 0 \Big] \\[0.5ex]
d_{ss} & = & \Big[ V_m \,\Big|\, E'_1 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m},\ E'_3 = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m},\ E'_5 = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m},\ E'_1 + E'_3 + E'_5 \le 0,\ E'_2 = E'_3 - E'_4 \le -E'_1,\ E'_4 \le -E'_5,\ p'_1 + p'_3 + p'_5 = 0,\ p'_1 = -p'_2,\ p'_4 = -p'_5,\ q'_1 = q'_2 = q'_3 = q'_4 = q'_5 = 0 \Big] \\[0.5ex]
d_{ai} & = & \Big[ V_m \,\Big|\, E'_1 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m},\ E'_3 = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m},\ E'_1 + E'_3 = E'_4 = E'_5 = 0,\ E'_1 = -E'_2,\ p'_1 + p'_3 = p'_4 = p'_5 = 0,\ p'_1 = -p'_2,\ q'_1 = q'_2 = q'_3 = q'_4 = q'_5 = 0 \Big] \\[0.5ex]
d_{si} & = & \Big[ V_m \,\Big|\, E'_1 = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m},\ E'_3 = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m},\ E'_1 + E'_3 \le E'_4 = E'_5 = 0,\ E'_2 = E'_3,\ p'_1 + p'_3 = p'_4 = p'_5 = 0,\ p'_2 = p'_3,\ q'_1 = q'_2 = q'_3 = q'_4 = q'_5 = 0 \Big] \\[0.5ex]
d_{ia} & = & \Big[ V_m \,\Big|\, E'_3 = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m},\ E'_5 = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m},\ E'_1 = E'_2 = E'_3 + E'_5 = 0,\ E'_4 = -E'_5,\ p'_1 = p'_2 = p'_3 + p'_5 = 0,\ p'_4 = -p'_5,\ q'_1 = q'_2 = q'_3 = q'_4 = q'_5 = 0 \Big] \\[0.5ex]
d_{is} & = & \Big[ V_m \,\Big|\, E'_3 = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m},\ E'_5 = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m},\ E'_3 + E'_5 \le E'_1 = E'_2 = 0,\ E'_3 = E'_4,\ p'_3 + p'_5 \le p'_1 = p'_2 = 0,\ p'_3 = p'_4,\ q'_1 = q'_2 = q'_3 = q'_4 = q'_5 = 0 \Big] \\[0.5ex]
d_{ii} & = & \Big[ V_m \,\Big|\, E'_1 = E'_2 = E'_3 = E'_4 = E'_5 = 0,\ p'_1 = p'_2 = p'_3 = p'_4 = p'_5 = 0,\ q'_1 = q'_2 = q'_3 = q'_4 = q'_5 = 0 \Big] \\[0.5ex]
c_{aa} & = & \Big[ V_{\{1/5\}} \,\Big|\, f_1 = \frac{1}{m} \cdot p_1,\ f_3 = \frac{1}{m} \cdot p_3,\ f_5 = \frac{1}{m} \cdot p_5,\ e_1 = e_2 = e_3 = e_4 = e_5 = 0,\ f_1 = f_2 = f_3 = f_4 = f_5,\ q_1 = q_3 = q_5 \Big] \\[0.5ex]
c_{ai} & = & \Big[ V_{\{1/5\}} \,\Big|\, f_1 = \frac{1}{m} \cdot p_1,\ f_3 = \frac{1}{m} \cdot p_3,\ f_5 = \frac{1}{m} \cdot p_5,\ e_1 = e_2 = e_3 = 0,\ e_4 = e_5 = 0,\ f_1 = f_2 = f_3 = f_4,\ q_1 = q_3 \le q_5 \Big] \\[0.5ex]
c_{ia} & = & \Big[ V_{\{1/5\}} \,\Big|\, f_1 = \frac{1}{m} \cdot p_1,\ f_3 = \frac{1}{m} \cdot p_3,\ f_5 = \frac{1}{m} \cdot p_5,\ e_1 = e_2 = e_3 = 0,\ e_4 = e_5 = 0,\ f_2 = f_3 = f_4 = f_5,\ q_1 \le q_3 = q_5 \Big] \\[0.5ex]
c_{ii} & = & \Big[ V_{\{1/5\}} \,\Big|\, f_1 = \frac{1}{m} \cdot p_1,\ f_3 = \frac{1}{m} \cdot p_3,\ f_5 = \frac{1}{m} \cdot p_5,\ e_1 = e_2 = e_3 = 0,\ e_4 = e_5 = 0,\ f_2 = f_3 = f_4,\ q_1 \le q_3 \le q_5 \Big]
\end{array}
$$

 

                  

To simplify the above presentation, we abstract from the variables associated with bonds 2 and 4. As explained before, this cannot be done formally in HyPA yet, because the axiomatization of abstraction has not been fully developed. However, our intuition on the elimination of variables is that the switching conditions for the re-initialization clauses can be simplified, because the flow conditions are such that e1 = e2 = e3 = e4 = e5 = 0, except initially. We find:

\[
\begin{array}{lcl}
A_{12} &=& \left[\, V_m \;\middle|\; q_1^- = q_3^- \wedge f_1^- \ge f_3^- \right] \\
A_{45} &=& \left[\, V_m \;\middle|\; q_3^- = q_5^- \wedge f_3^- \ge f_5^- \right] \\
I_{12} &=& \left[\, V_m \;\middle|\; q_1^- \le q_3^- \right] \\
I_{45} &=& \left[\, V_m \;\middle|\; q_3^- \le q_5^- \right]
\end{array}
\]

Furthermore, for the other clauses we obtain

\[
d_{aa} = \left[\, V_m \;\middle|\; \begin{array}{l}
E_1' = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m} \\
E_3' = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m} \\
E_5' = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m} \\
E_1' + E_3' + E_5' = 0 \\
p_1' + p_3' + p_5' = 0 \\
q_1' = q_3' = q_5' = 0
\end{array} \right]
\qquad
d_{as} = d_{sa} = d_{ss} = \left[\, V_m \;\middle|\; \begin{array}{l}
E_1' = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m} \\
E_3' = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m} \\
E_5' = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m} \\
E_1' + E_3' + E_5' \le 0 \\
p_1' + p_3' + p_5' = 0 \\
q_1' = q_3' = q_5' = 0
\end{array} \right]
\]

\[
d_{ai} = \left[\, V_m \;\middle|\; \begin{array}{l}
E_1' = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m} \\
E_3' = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m} \\
E_1' + E_3' = E_5' = 0 \\
p_1' + p_3' = p_5' = 0 \\
q_1' = q_3' = q_5' = 0
\end{array} \right]
\qquad
d_{si} = \left[\, V_m \;\middle|\; \begin{array}{l}
E_1' = \frac{(p_1^+)^2 - (p_1^-)^2}{2 \cdot m} \\
E_3' = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m} \\
E_1' + E_3' \le E_5' = 0 \\
p_1' + p_3' = p_5' = 0 \\
q_1' = q_3' = q_5' = 0
\end{array} \right]
\]

\[
d_{ia} = \left[\, V_m \;\middle|\; \begin{array}{l}
E_3' = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m} \\
E_5' = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m} \\
E_1' = E_3' + E_5' = 0 \\
p_1' = p_3' + p_5' = 0 \\
q_1' = q_3' = q_5' = 0
\end{array} \right]
\qquad
d_{is} = \left[\, V_m \;\middle|\; \begin{array}{l}
E_3' = \frac{(p_3^+)^2 - (p_3^-)^2}{2 \cdot m} \\
E_5' = \frac{(p_5^+)^2 - (p_5^-)^2}{2 \cdot m} \\
E_3' + E_5' \le E_1' = 0 \\
p_3' + p_5' \le p_1' = 0 \\
q_1' = q_3' = q_5' = 0
\end{array} \right]
\]

\[
d_{ii} = \left[\, V_m \;\middle|\; \begin{array}{l}
E_1' = E_3' = E_5' = 0 \\
p_1' = p_3' = p_5' = 0 \\
q_1' = q_3' = q_5' = 0
\end{array} \right]
\]

\[
c_{aa} = \left(\, V_{1/5} \;\middle|\; \begin{array}{l}
f_1 = \frac{1}{m} \cdot p_1 \\
f_3 = \frac{1}{m} \cdot p_3 \\
f_5 = \frac{1}{m} \cdot p_5 \\
e_1 = e_3 = e_5 = 0 \\
f_1 = f_3 = f_5 \\
q_1 = q_3 = q_5
\end{array} \right)
\qquad
c_{ai} = \left(\, V_{1/5} \;\middle|\; \begin{array}{l}
f_1 = \frac{1}{m} \cdot p_1 \\
f_3 = \frac{1}{m} \cdot p_3 \\
f_5 = \frac{1}{m} \cdot p_5 \\
e_1 = e_3 = e_5 = 0 \\
f_1 = f_3 \\
q_1 = q_3 \le q_5
\end{array} \right)
\]

\[
c_{ia} = \left(\, V_{1/5} \;\middle|\; \begin{array}{l}
f_1 = \frac{1}{m} \cdot p_1 \\
f_3 = \frac{1}{m} \cdot p_3 \\
f_5 = \frac{1}{m} \cdot p_5 \\
e_1 = e_3 = e_5 = 0 \\
f_3 = f_5 \\
q_1 \le q_3 = q_5
\end{array} \right)
\qquad
c_{ii} = \left(\, V_{1/5} \;\middle|\; \begin{array}{l}
f_1 = \frac{1}{m} \cdot p_1 \\
f_3 = \frac{1}{m} \cdot p_3 \\
f_5 = \frac{1}{m} \cdot p_5 \\
e_1 = e_3 = e_5 = 0 \\
q_1 \le q_3 \le q_5
\end{array} \right)
\]


To illustrate the way in which multiple discontinuities are collected into one single discontinuity, we study the case where, initially, all balls have the same position, and the leftmost ball has a velocity in the direction of the others. We discuss the completely elastic, as well as the completely inelastic, collision of the balls. If the balls collide completely elastically, the first ball will transfer its momentum to the second, and the second will transfer it to the third. Internally, there seem to be two discontinuities involved. However, the ultimate solution is that the first ball comes to a standstill, while the third ball flies off with the initial velocity of the first. It is not hard to verify that this is indeed one of the possible solutions of the subprocess (I12 ∧ A45 ∧ dss ) ≫ cai .

If the balls collide completely inelastically, the first ball gives half of its momentum to the second, which then has a higher velocity than the third, and thus shares its momentum with the third. After this, the first ball has a higher velocity than the second, and gives half of its momentum (a quarter of the initial momentum) to the second. This continues ad infinitum, but the sequence of events converges to the situation where all balls have one third of the original velocity. This convergence point, indeed, is one of the possible solutions of the subprocess (I12 ∧ A45 ∧ dsa ) ≫ caa .
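The two cascades just described, as an added illustration that is not part of the thesis: three equal masses at one position, resolved as a sequence of pairwise one-dimensional collisions with a coefficient of restitution k (k = 1 exchanges the velocities of equal masses, k = 0 leaves both with their mean velocity). The function names, the tolerance and the initial velocities are constructed for this example; the code does not use the HyPA clauses above.

```python
"""Cascade of pairwise collisions between three equal masses that start at the
same position (added illustration; uses the standard 1-D restitution formula
for equal masses, not the HyPA clauses of the thesis)."""

def collide_pair(v_left, v_right, restitution):
    """Velocities after a 1-D collision of two equal masses.

    restitution = 1.0 is completely elastic (velocities are exchanged),
    restitution = 0.0 is completely inelastic (both move with the mean velocity).
    Momentum is conserved for every value of the coefficient.
    """
    k = restitution
    new_left = ((1 - k) * v_left + (1 + k) * v_right) / 2
    new_right = ((1 + k) * v_left + (1 - k) * v_right) / 2
    return new_left, new_right

def cascade(velocities, restitution, tol=1e-12, max_steps=10_000):
    """Resolve all collisions that happen 'at the same instant'.

    All balls share one position, so any ball that is faster than its right
    neighbour collides with it immediately. The leftmost such pair is resolved
    first; the loop stops when no pair is still approaching by more than tol,
    or after max_steps internal collisions.
    Returns the final velocities and the number of internal collisions.
    """
    vs = list(velocities)
    steps = 0
    while steps < max_steps:
        approaching = [i for i in range(len(vs) - 1) if vs[i] - vs[i + 1] > tol]
        if not approaching:
            break
        i = approaching[0]
        vs[i], vs[i + 1] = collide_pair(vs[i], vs[i + 1], restitution)
        steps += 1
    return vs, steps

def momentum(vs, m=1.0):
    return sum(m * v for v in vs)

def kinetic_energy(vs, m=1.0):
    return sum(0.5 * m * v * v for v in vs)

if __name__ == "__main__":
    start = [1.0, 0.0, 0.0]        # constructed: only the leftmost ball moves
    elastic, n_el = cascade(start, restitution=1.0)
    inelastic, n_in = cascade(start, restitution=0.0)
    print("elastic  :", elastic, "after", n_el, "internal collisions")
    print("inelastic:", inelastic, "after", n_in, "internal collisions")
    print("kinetic energy before / after inelastic cascade:",
          kinetic_energy(start), kinetic_energy(inelastic))
```

For k = 1 the cascade needs exactly two internal collisions and ends with the first two balls at rest. For k = 0 the internal sequence does not terminate exactly; the loop stops once no two neighbours approach each other by more than tol, at which point every velocity is within tol of one third of the initial velocity, the total momentum is unchanged and two thirds of the kinetic energy has been dissipated.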

5.4 Conclusions

When modeling a physical system, it is common practice to describe the components that constitute the system using so-called constitutive relations on the physical variables that play a role in the system. In this chapter, we have described a method to find a hybrid process algebraic description of these constitutive relations, in case the physical system contains discontinuities as a result of abstraction from small time-scale behavior. This resulted in a structured approach for modeling a certain class of hybrid systems, which gives us more confidence that the models we obtain in a sense conform to reality. As a vehicle towards these so-called constitutive hybrid process descriptions, we assumed a hybrid bond graph model of the physical system under study. For every bond graph element, a constitutive hybrid process was derived, based on the possible behaviors of the continuous constitutive equations for that element. The parallel composition of the processes associated with the separate elements leads to an algebraic description of the system as a whole. An alternative look at our work is that we have developed a process algebraic semantics for hybrid bond graphs. We have shown the construction of constitutive hybrid processes for several examples, in which collision of mechanical objects and the behavior of electrical switches and diodes played an important role. Analysis of these constitutive processes, amongst others, has clarified the consequences of implicit switching and of


the behavior of consecutive discontinuities in a bond graph model. Perhaps the most interesting observation in the construction of constitutive processes for bond graph elements is that a change in connection structure may lead to a dissipation of energy. The exact energy loss is not specified for the controlled junctions and switch elements, which sometimes results in a model with branching behavior. For example, this is the case in our collision model, where the elasticity of impact is undetermined. We argued that this kind of branching is reasonable, since it allows the modeler to reason about processes of which not all parameters are known. If the elasticity of the impact were known, the collision dynamics could have been modeled explicitly, leading to a more detailed model in which switching does occur between collision and free movement of the masses, but no discontinuous behavior takes place. Sometimes more detailed models are even necessary, for example if the influence of external forces on a collision cannot be neglected. In the analysis of hybrid bond graphs, it turned out to be convenient to eliminate variables that are associated with bonds between junctions from a constitutive hybrid process. Also, in some cases, it would be appropriate to eliminate variables associated with certain source elements. In this thesis, we have treated the elimination of variables informally, because, at the moment, we do not have a formal treatment of such eliminations in HyPA. However, work on an elimination operator that is fit for the task is currently being carried out. There already is a formal semantics for it (see [van de Brand, 2004, van de Brand et al., 2004]) based on a similar kind of abstraction that is part of the hybrid χ language [van Beek et al., 2003], and a partial axiomatization. In chapter 7, we treat the elimination of variables in a subtly different way.
We do not actually abstract away from them semantically, but we introduce a way of reasoning in a context which allows us to focus only on the variables we need for our calculation. In section 5.2.6, we mentioned that for standard bond graph theory there is a set of graph reduction rules that lead to equivalent bond graphs modulo elimination of variables associated with connections between junctions [Mukherjee and Karmakar, 2000]. Based on what we already know about a possible elimination operator, we conjecture that those rules are still valid for the hybrid case, with the exception of special elements like resistors of value 0, and infinite resistances, inductances and capacitances. These elements need special treatment due to the observations made at the end of section 5.1.3. Awaiting a formal treatment of abstraction in HyPA, the development of new graph reduction rules for the hybrid case is left as future work. One important aspect of bond graph theory, namely the causality analysis of a bond graph, has not been touched in this chapter. Causality analysis is a useful tool when we want to simulate the behavior of a system. Amongst others, it allows the user to transform the constitutive relations into so-called ordinary differential equations, which are differential equations of the form ẋ = f(x) and y = g(x). The solutions of such equations are easier to approximate computationally than


the solutions of the constitutive equations we discussed in this chapter. The basis of causality theory for bond graphs, lies in the assignment of an input or output status to the effort and flow variables in a graph. In hybrid bond graphs, a suitable distinction between input and output cannot always be made, because it can depend on the current connection structure which status is preferable for a certain variable. In HyPA, it should be possible to treat different connection structures, and the discontinuous behavior when switching between these structures separately. We hope therefore, that the constitutive hybrid process semantics that we have given in this chapter, can be helpful in the development of causality theory for hybrid bond graphs, and will lead to new insights in possible ways to simulate and analyze hybrid systems. For example, one might think of a tool that uses symbolic reasoning to transform a constitutive hybrid process into a hybrid automaton description of which the nodes contain only differential equations of the right form (the structure of which depends on the connection structure) and the transitions contain information about what the changes in status are for the different variables. Whether it is possible to find an algorithm that actually does this, is a topic for future research.

Chapter 6

Safety of hybrid processes

“With a child, a fear is born as well. They say it never goes away. When you stop and think about it, you become afraid, afraid of everything he does.” [“Hie sjtaon ich weer”, Gé Reinders]


Safety, put simply, means that a certain property, which is considered bad, does not hold at any time, during any of the possible executions of a system. The analysis of safety properties of a model of a system is an important way to study correctness of a design or implementation. A famous example is that, when studying a design of a nuclear plant, one might want to verify that certain high temperatures in the plant (causing meltdown) never occur during normal execution of the system. Another example is that when a certain resource is shared by two systems, but has limited capacity, then the systems may not use that resource at the same time. This is often called ‘mutual exclusion’. Safety for actions and safety for predicates are two special kinds of safety properties. We have safety for a certain action if this action cannot be executed from any of the reachable states of a system, while safety for a predicate (or more precisely, a propositional predicate on the model variables) means that this predicate is never satisfied during any of the executions of the system. The high-temperature example and the mutual-exclusion example can both be expressed as safety for an action, or as safety for a predicate, depending on the precise way in which the plant and the protocol are modeled. An important aspect of safety for actions and safety for predicates is that they can be verified relatively easily if a so-called linear process description [Baeten and Weijland, 1990, Groote and Reniers, 2001, Usenko, 2002] is given of a system. In this chapter, we describe a method for the analysis of safety for actions and safety for predicates of hybrid systems, using hybrid process algebra. We restrict ourselves to linear process descriptions, which allows us to reduce the question of safety of a process to a number of questions on the safety of sub-processes.
As a specific example of our safety analysis method, we analyze a variant of the well known Fischer’s protocol for mutual exclusion [Lamport, 1987]. Although, admittedly, not intrinsically hybrid, this protocol does allow us to show some of the strengths of our method. We explicitly carry out the transformation into a linear process description, and show some of the analysis on the sub-processes. In this way, we prove mutual exclusion for certain given initial conditions. The structure of this chapter is as follows. In section 6.1, we formalize the notions of safety for actions and safety for predicates, and explain how these can be stated as a process algebraic specification. Also, some additional axioms that are needed to do calculations on this specification are discussed. In section 6.2, we discuss a method for the analysis of safety properties of linear process descriptions in HyPA, and in section 6.3, this method is used for the analysis of our variant of Fischer’s protocol, under given initial conditions on the parameters of the protocol. In section 6.4, we discuss the results that we have found, and give recommendations for future research.

6.1 Specification of safety

In the introduction to this chapter, we have already recognized two special kinds of safety properties: safety properties in terms of actions, and safety properties in terms of predicates on the model variables. Safety in terms of actions means that certain ‘bad’ actions never happen, while safety in terms of predicates on the model variables means that certain ‘bad’ valuations never occur. In this section, we give a formal definition and a process algebraic specification of safety for actions and safety for predicates. This means that we construct a process algebraic equation in such a way that a hybrid transition system has a certain safety property if and only if the process term associated with this transition system is a solution to that equation. In the next section, we use this specification as a starting point for our analysis. The predicates Pm that describe the aforementioned bad valuations are taken from the set 𝒫m of predicates on model variables (i.e. we do not use ẋ, x⁻ or x⁺ in these predicates). We write ν ⊨m Pm, for a valuation ν ∈ Val, to denote that ν satisfies Pm. We start out by formalizing the notions of safety for actions and safety for predicates on the semantic level, using the following three definitions.

Definition 43 (Reachable set) Given a hybrid transition system, the set R(x) of reachable states from a state x is defined as the smallest set such that:
• x ∈ R(x);
• if x′ ∈ R(x) and $\langle x' \rangle \xrightarrow{\;l\;} \langle x'' \rangle$ for some l, then x′′ ∈ R(x).

Definition 44 (Safety for actions) A state x is safe for the actions in H ⊆ A if for every x′ ∈ R(x) and every transition $\langle x' \rangle \overset{a,\nu}{\mapsto} \langle x'' \rangle$ we find a ∉ H. A process term p is safe for the actions in H if, for every valuation ς ∈ Val, the state ⟨p, ς⟩ is safe for the actions in H.

Definition 45 (Safety for predicates) A state x is safe for a predicate Pm ∈ 𝒫m on the model variables Vm if for every x′ ∈ R(x) we find, firstly, that for every transition $\langle x' \rangle \overset{\sigma}{\rightsquigarrow} \langle x'' \rangle$ we have σ(t) ⊭m Pm for any t ∈ dom(σ), and secondly, that for every transition $\langle x' \rangle \overset{a,\nu}{\mapsto} \langle x'' \rangle$ we have ν ⊭m Pm. A process term p is safe for a predicate Pm if, for every valuation ς ∈ Val, the state ⟨p, ς⟩ is safe for Pm.

Note, especially, that the definitions of safety we have given here only look at what happens in the labels of the transition system. This is in line with our intuition that only the labels of a transition system are visible to the outside world. The semantics of HyPA is chosen in such a way that the valuation in an action label,


and the last valuation of a flow label, coincide with the valuation in the state that is reached. So we may still draw some conclusions about what happens in the states. However, the valuation in the initial state is not taken into account. Algebraically, we can analyze safety for actions using the encapsulation operator: p is safe for H if and only if blocking all actions in H has no effect, in other words, if and only if p and the encapsulation of H over p are equivalent. Note that in the specification below we use the notion of bisimilarity (≈) rather than that of robust bisimilarity (≈r). The difference between these was already explained in section 3.3, but we will come back to it further on.

Theorem 28 (Specification of safety for actions) A process term p is safe for actions in H if and only if p ≈ ∂H(p).

Proof See appendix G. ⊠

Analogously to the encapsulation operator for actions, we define an encapsulation operator ∂Pm() for predicates Pm ∈ 𝒫m on model variables, that will aid us in the algebraic specification of safety for predicates. The operational semantics of this operator is given in table 6.1. Note that the predicate encapsulation operator only blocks the execution of transitions whose labels violate the predicate. It does not block violating valuations in the state, and hence may, for example, allow termination in a state that violates the predicate.

Table 6.1 Semantical rules for predicate encapsulation

\[
\frac{\langle p, \nu \rangle \overset{\sigma}{\rightsquigarrow} \langle p', \nu' \rangle \quad \forall_{t \in dom(\sigma)}\ \sigma(t) \not\models_m P_m}
     {\langle \partial_{P_m}(p), \nu \rangle \overset{\sigma}{\rightsquigarrow} \langle \partial_{P_m}(p'), \nu' \rangle}
\qquad
\frac{\langle p, \nu \rangle \overset{a,\nu'}{\mapsto} \langle p', \nu'' \rangle \quad \nu' \not\models_m P_m}
     {\langle \partial_{P_m}(p), \nu \rangle \overset{a,\nu'}{\mapsto} \langle \partial_{P_m}(p'), \nu'' \rangle}
\qquad
\frac{\langle p, \nu \rangle \checkmark}
     {\langle \partial_{P_m}(p), \nu \rangle \checkmark}
\]

An axiomatization of predicate encapsulation, for robust bisimilarity, is given in table 6.2. We use a, c and d for arbitrary actions, flow clauses and re-initialization clauses, and use x and y as process variables. Pm denotes an arbitrary predicate on model variables. In the axiomatization, we assume that the parametrization of HyPA is expressive enough to allow certain constructs. In particular, we use the following notational conventions.

• Pm⁻ denotes a re-initialization predicate such that (ν, ν′) ⊨r Pm⁻ iff ν ⊨m Pm. For the re-initialization clause [Pm⁻] we therefore obtain (ν, ν′) ⊨d [Pm⁻] iff ν′ = ν ∧ ν ⊨m Pm.

• Pm is also used as a flow predicate such that σ ⊨f Pm iff σ(t) ⊨m Pm for every t ∈ dom(σ). For the flow clause (Pm) we therefore obtain (ν, σ) ⊨c (Pm) iff ν ⊨m Pm ∧ σ(t) ⊨m Pm for every t ∈ dom(σ).

Table 6.2 Axiomatization of predicate encapsulation

\[
\begin{array}{lcl}
\partial_{P_m}(d \gg \delta) &\approx_r& \delta \\
\partial_{P_m}(d \gg \epsilon) &\approx_r& d \gg \epsilon \\
\partial_{P_m}(d \gg a) &\approx_r& \left( d \sim [\neg P_m^-] \right) \gg a \\
\partial_{P_m}(d \gg c) &\approx_r& d \gg \left( c \wedge (\neg P_m) \right) \\
\partial_{P_m}(x \oplus y) &\approx_r& \partial_{P_m}(x) \oplus \partial_{P_m}(y) \\
\partial_{P_m}(x \odot y) &\approx_r& \partial_{P_m}(x) \odot \partial_{P_m}(y) \\
\partial_{P_m}(x \lhd y) &\approx_r& \partial_{P_m}(x) \lhd \partial_{P_m}(y)
\end{array}
\]

Theorem 29 The axiomatization in table 6.2 is sound for robust bisimilarity.

Proof Soundness of the axioms is proven in appendix H. That bisimilarity and robust bisimilarity are congruences for the predicate encapsulation operator, which is important for the actual use of the axiomatization, becomes immediately clear using the formats proposed in [Mousavi et al., 2004]. ⊠

Using predicate encapsulation, we can obtain a similar theorem on safety for predicates as we found on safety for actions.

Theorem 30 (Specification of safety for predicates) A process term p is safe for a predicate Pm ∈ 𝒫m on model variables if and only if p ≈ ∂Pm(p).

Proof Similar to the proof of theorem 28. ⊠

Using the axiomatization, and the insight that p ≈ q if p ≈r q, we find trivially, that the processes δ and ǫ are always safe, because they cannot perform any transitions.


Furthermore, basic compositions (⊕, ⊙, ⊲) of safe processes are again safe. In particular, if the process terms p and q are safe for Pm, we find:

\[
\begin{array}{lcl}
p \oplus q &\approx& \partial_{P_m}(p) \oplus \partial_{P_m}(q) \approx \partial_{P_m}(p \oplus q) \\
p \odot q &\approx& \partial_{P_m}(p) \odot \partial_{P_m}(q) \approx \partial_{P_m}(p \odot q) \\
p \lhd q &\approx& \partial_{P_m}(p) \lhd \partial_{P_m}(q) \approx \partial_{P_m}(p \lhd q)
\end{array}
\]

Naturally, a similar result holds if p and q are safe for H. It has become clear already that the analysis of safety involves the calculation of reachable states of a system. And, because the notion of robust bisimilarity that was used in chapter 3 is far too strong to allow efficient calculations on reachable states, we need to use the weaker notion of (initially stateless) bisimilarity. Next, we will axiomatize bisimilarity by adding axioms to those for robust bisimilarity, but with the remark that these added axioms are never to be used in the context of parallel composition (see section 3.3). We use the following two additional notations:

• d! denotes a re-initialization clause such that (ν′, ν′′) ⊨d d! if and only if there exists ν ∈ Val with (ν, ν′) ⊨d d and ν′ = ν′′. This models a boolean condition reflecting the reachable valuations of d, starting from an arbitrary valuation. As an example, for the re-initialization predicate Pr(x⁻, x⁺) ∈ 𝒫r we have [x | Pr(x⁻, x⁺)]! = [x | ∃y Pr(y, x⁺)].

• D(c) denotes a re-initialization clause such that (ν, ν′) ⊨d D(c) if and only if there exists σ ∈ F with dom(σ) = [0, t] and (ν, σ) ⊨c c and ν′ = σ(t). This models a re-initialization reflecting the possible transitions of c. Recall that consecutive transitions are also reflected, due to the assumption that the solution of flow predicates is closed under concatenation. As an example, for an algebraic differential equation of the form ẋ = f(x, u) we have:

\[
D\left( \left( \begin{array}{c} x \\ u \end{array} \;\middle|\; \dot{x} = f(x, u) \right) \right)
=
\left[ \begin{array}{c} x \\ u \end{array} \;\middle|\; \exists_{t, \xi, \nu}
\begin{array}{l}
dom(\xi) = dom(\nu) = [0, t] \\
\forall_{0 \le t' \le t}\ \xi(t') = x^- + \int_0^{t'} f(\xi(\tau), \nu(\tau))\, d\tau \\
u^- = \nu(0) \wedge u^+ = \nu(t) \\
x^+ = \xi(t)
\end{array} \right] ,
\]

where ξ and ν are both piecewise continuous and piecewise differentiable. The axioms listed in table 6.3 reflect how, after a transition, only the valuations that are actually reachable are of importance to the equivalence of process terms.

Theorem 31 The axioms given in table 6.3 are sound for (initially stateless) bisimilarity.

Proof This is proven in appendix I. ⊠


Table 6.3 Axioms for (initially stateless) bisimilarity

\[
\begin{array}{lcl}
d \gg a \odot x &\approx& d \gg a \odot (d)^{!} \gg x \\
d \gg c \lhd x &\approx& d \gg c \lhd (d \sim D(c))^{!} \gg x
\end{array}
\]

In the next section, we show how to use the axiomatization of bisimilarity for the analysis of safety properties of processes that do not contain parallel compositions or encapsulations. Such processes are called linear hybrid processes, or linear recursive specifications.
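Definitions 43 to 45 and the two specification theorems, as an added example that is not part of the thesis: a small finite hybrid transition system in which flow labels are trajectories sampled at a few points, together with the action and predicate encapsulation operators of this section. The heater system, its states, and every function name below are constructed for this illustration; because the original and the encapsulated system share their state names, equality of their reachable transition relations is taken as the equivalence check (it is sufficient here, but it is not a general bisimulation algorithm).

```python
"""Definitions 43-45 and the encapsulation criteria of Theorems 28 and 30 on a
small finite hybrid transition system (added example; the heater system and all
names below are constructed for illustration and are not from the thesis).

A state is a pair (location, T); an action transition is labelled (a, nu) with
nu the valuation reached; a flow transition is labelled by a trajectory sigma,
represented by the tuple of valuations it passes through."""

from collections import deque

def reachable(transitions, x0):
    """R(x0) of Definition 43: the smallest set containing x0 and closed under transitions."""
    seen, work = {x0}, deque([x0])
    while work:
        x = work.popleft()
        for _kind, _label, x2 in transitions.get(x, ()):
            if x2 not in seen:
                seen.add(x2)
                work.append(x2)
    return seen

def reachable_transitions(transitions, x0):
    """All transitions (x, kind, label, x') whose source x is reachable from x0."""
    return {(x, kind, label, x2)
            for x in reachable(transitions, x0)
            for kind, label, x2 in transitions.get(x, ())}

def safe_for_actions(transitions, x0, H):
    """Definition 44: no reachable action transition carries an action from H."""
    return not any(kind == "act" and label[0] in H
                   for _x, kind, label, _x2 in reachable_transitions(transitions, x0))

def safe_for_predicate(transitions, x0, bad):
    """Definition 45: no reachable flow sample and no reachable action valuation satisfies bad."""
    for _x, kind, label, _x2 in reachable_transitions(transitions, x0):
        if kind == "flow" and any(bad(nu) for nu in label):
            return False
        if kind == "act" and bad(label[1]):
            return False
    return True

def encapsulate_actions(transitions, H):
    """Action encapsulation: every action transition with its action in H is blocked."""
    return {x: [t for t in ts if not (t[0] == "act" and t[1][0] in H)]
            for x, ts in transitions.items()}

def encapsulate_predicate(transitions, bad):
    """Predicate encapsulation (Table 6.1): a flow transition is kept only if no
    sample of its trajectory satisfies bad, an action transition only if its
    valuation does not satisfy bad. Valuations in states are not inspected."""
    def keep(t):
        kind, label, _x2 = t
        return not any(bad(nu) for nu in label) if kind == "flow" else not bad(label[1])
    return {x: [t for t in ts if keep(t)] for x, ts in transitions.items()}

def unchanged_by(transitions, encapsulated, x0):
    """Equality of the reachable transition relations. The two systems share
    their state names, so this suffices for the equivalence the theorems use."""
    return reachable_transitions(transitions, x0) == reachable_transitions(encapsulated, x0)

# Constructed heater: the temperature drops while Off and rises while Heat.
SYSTEM = {
    ("Off", 20):  [("flow", (20, 19, 18), ("Off", 18))],
    ("Off", 18):  [("act", ("on", 18), ("Heat", 18))],
    ("Heat", 18): [("flow", (18, 21, 24), ("Heat", 24))],
    ("Heat", 24): [("act", ("off", 24), ("Off", 24))],
    ("Off", 24):  [("flow", (24, 22, 20), ("Off", 20))],
    # only enabled in a state that is never reached from START
    ("Heat", 30): [("act", ("meltdown", 30), ("Alarm", 30))],
}
START = ("Off", 20)

def check_action_safety(H):
    """(safe by Definition 44, unchanged by action encapsulation); Theorem 28 says they agree."""
    return (safe_for_actions(SYSTEM, START, H),
            unchanged_by(SYSTEM, encapsulate_actions(SYSTEM, H), START))

def check_predicate_safety(bad):
    """(safe by Definition 45, unchanged by predicate encapsulation); Theorem 30 says they agree."""
    return (safe_for_predicate(SYSTEM, START, bad),
            unchanged_by(SYSTEM, encapsulate_predicate(SYSTEM, bad), START))

if __name__ == "__main__":
    print(check_action_safety({"meltdown"}))            # (True, True)
    print(check_action_safety({"off"}))                 # (False, False)
    print(check_predicate_safety(lambda T: T >= 30))    # (True, True)
    print(check_predicate_safety(lambda T: T >= 23))    # (False, False)
```

The `meltdown` action and the predicate T ≥ 30 are only violated in a state the start state never reaches, so both checks report safe and encapsulation changes nothing; blocking `off` or forbidding T ≥ 23 removes a reachable transition, and both halves of each pair flip together, as the theorems predict. Note that the valuation of the initial state itself is never inspected, matching the remark above that only labels count.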

6.2 Algebraic safety analysis of linear hybrid processes

A linear recursive specification is a recursive specification of the form

\[
X_i : \left( \bigoplus_{j \in J(i)} d_j \gg \epsilon \right) \oplus
      \left( \bigoplus_{j \in J'(i)} d_j' \gg a_j \odot X_j \right) \oplus
      \left( \bigoplus_{j \in J''(i)} d_j'' \gg c_j \lhd X_j \right) .
\]

The solution of a linear recursive specification is called a linear hybrid process. Clearly, linear hybrid processes do not contain parallel compositions, and are therefore suitable for the analysis of reachability properties like safety, using the equivalence notion of bisimilarity. For other uses of the linear form, see also [Groote and Sellink, 1996, Groote and Mateescu, 1999]. In principle, the techniques for rewriting closed process terms into basic terms can also be applied to rewrite recursive specifications into linear recursive specifications. Recently, an automatic transformation was provided in [van de Brand, 2004], for a certain class of recursive specifications, based on earlier work of [Usenko, 2002] for the process algebra µCRL. The problem we face in this section is to show safety for actions or safety for predicates for the process X0 in a linear recursive specification. In particular, we study the question whether X0 ≈ ∂Pm(X0), for a predicate Pm on model variables. The question whether X0 ≈ ∂H(X0), for a set of actions H, can be treated in a similar way. We perform the following calculation, using, amongst others, the axioms for (initially stateless) bisimilarity and for predicate encapsulation given in section 6.1.

\[
\begin{array}{lcl}
\partial_{P_m}(X_i)
&\approx_r& \partial_{P_m}\left( \bigoplus_{j \in J(i)} d_j \gg \epsilon \;\oplus\; \bigoplus_{j \in J'(i)} d_j' \gg a_j \odot X_j \;\oplus\; \bigoplus_{j \in J''(i)} d_j'' \gg c_j \lhd X_j \right) \\[1.5ex]
&\approx& \partial_{P_m}\left( \bigoplus_{j \in J(i)} d_j \gg \epsilon \;\oplus\; \bigoplus_{j \in J'(i)} d_j' \gg a_j \odot (d_j')^{!} \gg X_j \;\oplus\; \bigoplus_{j \in J''(i)} d_j'' \gg c_j \lhd \left( d_j'' \sim D(c_j) \right)^{!} \gg X_j \right) \\[1.5ex]
&\approx_r& \bigoplus_{j \in J(i)} \partial_{P_m}(d_j \gg \epsilon) \;\oplus\; \bigoplus_{j \in J'(i)} \partial_{P_m}\left( d_j' \gg a_j \odot (d_j')^{!} \gg X_j \right) \;\oplus\; \bigoplus_{j \in J''(i)} \partial_{P_m}\left( d_j'' \gg c_j \lhd \left( d_j'' \sim D(c_j) \right)^{!} \gg X_j \right) \\[1.5ex]
&\approx_r& \bigoplus_{j \in J(i)} d_j \gg \epsilon \;\oplus\; \bigoplus_{j \in J'(i)} \left( d_j' \sim [\neg P_m^-] \right) \gg a_j \odot \partial_{P_m}\left( (d_j')^{!} \gg X_j \right) \;\oplus\; \bigoplus_{j \in J''(i)} d_j'' \gg \left( c_j \wedge (\neg P_m) \right) \lhd \partial_{P_m}\left( \left( d_j'' \sim D(c_j) \right)^{!} \gg X_j \right)
\end{array}
\]

From this calculation, we may easily deduce the following.

Theorem 32 The question whether Xi is safe for a predicate Pm, i.e. whether Xi ≈ ∂Pm(Xi), reduces to the following questions about sub-processes of Xi:

• d′j ≫ aj ≈ (d′j ∼ [¬Pm⁻]) ≫ aj, for all j ∈ J′(i), and
• (d′j)! ≫ Xj ≈ ∂Pm((d′j)! ≫ Xj), for all j ∈ J′(i), and
• d′′j ≫ cj ≈ d′′j ≫ (cj ∧ (¬Pm)), for all j ∈ J′′(i), and
• (d′′j ∼ D(cj))! ≫ Xj ≈ ∂Pm((d′′j ∼ D(cj))! ≫ Xj), for all j ∈ J′′(i).

Proof Substitution of these equivalences in the calculation above easily gives the desired result Xi ≈ ∂Pm(Xi). ⊠

Apparently, if we study safety of X0, this depends only on the safety of the direct sub-processes of X0, and on the safety of the Xj (with j ∈ J′(0) ∪ J′′(0)) under certain initial conditions. Naturally, in the process of checking safety of Xj, loops may occur in which the process is called again under different initial conditions. Gathering all initial conditions that may occur this way leads to the following recursive definition for the conjoined conditions Ri.

• R0 = [true];
• ∀j∈J′(i) (Ri ∼ d′j)! ⇒ Rj;
• ∀j∈J′′(i) (Ri ∼ d′′j ∼ D(cj))! ⇒ Rj.


If we now assume, for every i, that

• (Ri ∼ d′j) ≫ aj ≈ (Ri ∼ d′j ∼ [¬Pm⁻]) ≫ aj ≈ ∂Pm((Ri ∼ d′j) ≫ aj), for all j ∈ J′(i), and
• (Ri ∼ d′′j) ≫ cj ≈ (Ri ∼ d′′j) ≫ (cj ∧ (¬Pm)) ≈ ∂Pm((Ri ∼ d′′j) ≫ cj), for all j ∈ J′′(i),

then we can derive the following equivalences:

\[
\begin{array}{lcl}
R_i \gg X_i
&\approx& \bigoplus_{j \in J(i)} (R_i \sim d_j) \gg \epsilon \;\oplus\; \bigoplus_{j \in J'(i)} \left( R_i \sim d_j' \sim [\neg P_m^-] \right) \gg a_j \odot R_j \gg X_j \;\oplus\; \bigoplus_{j \in J''(i)} (R_i \sim d_j'') \gg \left( c_j \wedge (\neg P_m) \right) \lhd R_j \gg X_j \\[1.5ex]
\partial_{P_m}(R_i \gg X_i)
&\approx& \bigoplus_{j \in J(i)} (R_i \sim d_j) \gg \epsilon \;\oplus\; \bigoplus_{j \in J'(i)} \left( R_i \sim d_j' \sim [\neg P_m^-] \right) \gg a_j \odot \partial_{P_m}(R_j \gg X_j) \;\oplus\; \bigoplus_{j \in J''(i)} (R_i \sim d_j'') \gg \left( c_j \wedge (\neg P_m) \right) \lhd \partial_{P_m}(R_j \gg X_j)
\end{array}
\]

Obviously, Ri ≫ Xi and ∂Pm(Ri ≫ Xi) are both solutions of the same guarded recursive specification with respect to bisimilarity. Hence, using the recursive specification principle (see appendix J and [Baeten and Weijland, 1990, Cuijpers and Reniers, 2004b]), which states that a solution of a guarded recursive specification is unique modulo (initially stateless) bisimilarity, we may conclude Ri ≫ Xi ≈ ∂Pm(Ri ≫ Xi) and especially X0 ≈r [true] ≫ X0 ≈r R0 ≫ X0 ≈ ∂Pm(R0 ≫ X0) ≈r ∂Pm(X0). Hence, X0 is safe.

We have shown that the question of safety for actions or safety for predicates of a recursion variable X0 in a linear recursive specification depends only on the safety of the closed terms (Ri ∼ d′j) ≫ aj and (Ri ∼ d′′j) ≫ cj with i ∈ I and j ∈ J′(i), or j ∈ J′′(i), respectively. Admittedly, the iteration leading to the initial conditions Ri is possibly infinite. One reason for this is the fact that the set I, from which the indices are chosen, can be infinite. Another reason may be that the set I is finite, but that every iteration in the definition of Ri introduces new possible initial conditions. Luckily, for the example of Fischer’s protocol that we study in the next section, the iteration terminates. Future research should, perhaps, concentrate on finding solutions for the possibly infinite computation. One possible direction, in case I is finite, is to use over-approximations of Ri, as is done in the method of predicate abstraction described in [Alur et al., 2002]. Another possible direction, in case I is infinite, is to use induction techniques to derive Ri algebraically.
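The iteration for the conjoined conditions Ri and the local checks of Theorem 32, as an added example that is not part of the thesis: a linear recursive specification over one bounded integer variable, so that re-initialization clauses become relations on a finite set and the iteration is guaranteed to terminate. The specification, the variable n, the predicate and every name in the code are constructed for this illustration; its only flow clause keeps n constant inside an invariant, so D(c) reduces to the identity on the valuations that satisfy the invariant.

```python
"""The reachable-condition iteration R_i of section 6.2 for a linear recursive
specification over finite data (added example; the specification, the variable
n and all names below are constructed for illustration, not from the thesis).

A valuation is the value of the single variable n, drawn from DOMAIN. A
re-initialization clause d is a function mapping a valuation to the set of
valuations it may re-initialize to (the empty set when d is not enabled), so
the image of a set R under d is the clause (R ~ d)! as a set. The only flow
clause keeps n constant inside an invariant, so D(c) is the identity on the
valuations satisfying that invariant."""

DOMAIN = frozenset(range(6))   # constructed: n takes values 0, ..., 5

def bad(n):
    """The predicate P_m we want the process to be safe for."""
    return n >= 4

def image(clause, valuations):
    """(R ~ d)! as a set: everything d can reach from some member of R."""
    return frozenset(v2 for v in valuations for v2 in clause(v))

def post_image(summand, valuations):
    """Valuations reached through one summand: (R ~ d')! for an action summand,
    (R ~ d'' ~ D(c))! for a (constant) flow summand."""
    kind, d, extra, _j = summand
    reached = image(d, valuations)
    if kind == "flow":                     # extra is the flow invariant
        reached = frozenset(v for v in reached if extra(v))
    return reached

def make_spec(limit):
    """Constructed linear recursive specification (extra = action name or invariant):
        X0 : [n+ = n- + 1 ∧ n- < limit] ≫ a ⊙ X1  ⊕  [n- ≥ 3 ∧ n+ = 0] ≫ reset ⊙ X0
        X1 : [n+ = n-] ≫ (n | n ≤ 3) ⊲ X2
        X2 : [n+ = n-] ≫ b ⊙ X0"""
    return {
        0: [("act", lambda n: {n + 1} if n < limit else set(), "a", 1),
            ("act", lambda n: {0} if n >= 3 else set(), "reset", 0)],
        1: [("flow", lambda n: {n}, lambda n: n <= 3, 2)],
        2: [("act", lambda n: {n}, "b", 0)],
    }

def reachable_conditions(spec):
    """Least solution of the R_i definition: R_0 = [true] (every valuation) and
    the image of R_i through each summand leading to X_j is contained in R_j.
    On a finite domain the iteration terminates."""
    R = {i: frozenset() for i in spec}
    R[0] = DOMAIN
    changed = True
    while changed:
        changed = False
        for i, summands in spec.items():
            for summand in summands:
                reached = post_image(summand, R[i])
                j = summand[3]
                if not reached <= R[j]:
                    R[j] |= reached
                    changed = True
    return R

def unsafe_summands(spec, R):
    """The local checks of Theorem 32 under the initial conditions R_i: a summand
    is safe when nothing it reaches (or, for a flow, flows through) satisfies bad."""
    violations = []
    for i, summands in spec.items():
        for summand in summands:
            if any(bad(v) for v in post_image(summand, R[i])):
                kind, _d, extra, j = summand
                violations.append((i, extra if kind == "act" else "flow", j))
    return violations

def analyse(limit):
    spec = make_spec(limit)
    R = reachable_conditions(spec)
    return R, unsafe_summands(spec, R)

if __name__ == "__main__":
    for limit in (3, 4):
        R, violations = analyse(limit)
        print(f"limit={limit}: R_1={sorted(R[1])}, R_2={sorted(R[2])}, violations={violations}")
```

With `limit = 3` the iteration stabilizes at R1 = R2 = {1, 2, 3} and every summand passes, so X0 is safe for n ≥ 4 from every initial valuation, even though R0 contains the bad valuations 4 and 5 themselves (the initial valuation is not inspected, only what transitions reach). Raising the guard to `limit = 4` lets the `a` summand of X0 reach n = 4, and the check reports exactly that summand.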

6.3 Safety of a hybrid variant of Fischer’s protocol

A classical case study for safety analysis, is Fischer’s time based mutual exclusion protocol [Lamport, 1987]. The protocol, often studied using timed automata


[Larsen et al., 1995, Balarin, 1996, Alur et al., 2002], consists of a number of identical processes (up to their parameters) containing four modes each. The goal of the protocol is to ensure that no two processes enter a certain access mode at the same time. In this section, we will restrict ourselves to the case where there are only two participants. The case in which we have more participants, is expected to be safe under similar conditions, but more research is needed to further that claim. Although the classical protocol is not intrinsically hybrid, the variant we study in this section calls for a hybrid approach. In its original form, the protocol uses timing restrictions on both processes to guarantee safety. Our goal is to study in which way the safety of the protocol is affected, by a difference in speed between the clocks of the two processes. In particular, we study a relative error between the clocks. This introduces a dependency between the clocks, that makes the problem hybrid in nature. The clocks that are used in our variant of the protocol can run with arbitrary speed, assuming that there is a bounded relative error between the speeds with which they run.

[Figure 6.1: hybrid automaton with modes Idle, Request (ẋi ≥ 0, xi ≤ D), Check (ẋi ≥ 0) and Access. Edge labels: Idle → Request: turn⁻ = 0, xi⁺ = 0; Request → Check: xi⁺ = 0, turn⁺ = i; Check → Idle: xi⁻ ≥ d, turn⁻ ≠ i; Check → Access: xi⁻ ≥ d, turn⁻ = i; Access → Idle: turn⁺ = 0.]

Figure 6.1 One process in Fischer’s protocol

In figure 6.1 we have depicted a hybrid automaton modeling one of the participating processes. Below, we give the associated recursive specification in HyPA. In our version of the protocol, we require only that clocks (modeled by the variables $x_i$) are increasing ($\dot{x}_i \ge 0$) and that there is at most a proportional error $e \ge 1$ between the derivatives of the clocks of the two processes. The protocol is parameterized by the constant bounds $d$ and $D$ on the clocks, and by the constant proportional error $e$. The relative error is modeled as a separate constraint $C$, and turns out to be sufficient to guarantee safety of the protocol if the parameters satisfy $d > e \cdot D > 0$:

$$ C : \left(\, \dot{x}_1 \le e\,\dot{x}_2 \;\wedge\; \dot{x}_2 \le e\,\dot{x}_1 \,\right) $$

Note that we find $C \approx \delta$ if $e < 1$; therefore we assume $e \ge 1$ in the remainder of this section. The variable $turn$ is shared by all participating processes, and is used to communicate which process wants to access the resource. The variable $loc_i$ is used in the process algebraic description of the protocol to refer to the name of the associated node of the hybrid automaton. Both $turn$ and $loc_i$ are discrete variables, and we assume that all solutions to flow predicates keep these variables constant. The $\iota$ actions are used in the process algebraic description to represent transitions in the hybrid automaton. These actions are assumed not to synchronize; we model this by leaving $(\iota \,\gamma\, \iota)$ undefined.

$$\begin{aligned}
Idle_i &: \left(\, turn, loc_i \;\middle|\; loc_i = Idle \,\right) \blacktriangleright \left[\, x_i, loc_i \;\middle|\; turn^- = 0 \wedge x_i^+ = 0 \wedge loc_i^+ = Request \,\right] \gg \iota \odot Request_i \\
Request_i &: \left(\, turn, x_i, loc_i \;\middle|\; loc_i = Request \wedge \dot{x}_i \ge 0 \wedge x_i \le D \,\right) \blacktriangleright \left[\, x_i, turn, loc_i \;\middle|\; x_i^+ = 0 \wedge turn^+ = i \wedge loc_i^+ = Check \,\right] \gg \iota \odot Check_i \\
Check_i &: \left(\, turn, x_i, loc_i \;\middle|\; loc_i = Check \wedge \dot{x}_i \ge 0 \,\right) \blacktriangleright \left( \begin{array}{l} \left[\, loc_i \;\middle|\; x_i^- \ge d \wedge turn^- \ne i \wedge loc_i^+ = Idle \,\right] \gg \iota \odot Idle_i \\ \oplus\ \left[\, loc_i \;\middle|\; x_i^- \ge d \wedge turn^- = i \wedge loc_i^+ = Access \,\right] \gg \iota \odot Access_i \end{array} \right) \\
Access_i &: \left(\, turn, loc_i \;\middle|\; loc_i = Access \,\right) \blacktriangleright \left[\, turn, loc_i \;\middle|\; turn^+ = 0 \wedge loc_i^+ = Idle \,\right] \gg \iota \odot Idle_i
\end{aligned}$$

Our verification goal is to show that $loc_1$ and $loc_2$ are never set to Access at the same time during the execution of the protocol. We can show that the protocol is safe if the parameters satisfy $d > e \cdot D > 0$ and we have the following initial condition:

$$ init = \left[\, turn^- = 0 \;\wedge\; loc_1^- = Idle \;\wedge\; loc_2^- = Idle \,\right]. $$

Formally, we have to prove for the process term

$$ S : init \gg (Idle_1 \parallel Idle_2 \parallel C) $$

that it is safe for the predicate $P_m = (loc_1 = loc_2 = Access)$, i.e. that $S \approx \partial_{P_m}(S)$.

Notice that the initial condition is a global condition, i.e. one condition on all initial processes. The reason for this is that we are modeling a number of parallel hybrid automata for which the initial conditions are synchronized. If each process were initialized separately, according to $init_i = [\, turn^- = 0 \wedge loc_i^- = Idle \,]$, it turns out that a deadlock may occur if one of the processes immediately performs the actions leading to the Check mode, because then $turn$ is set to $i$. In that case, one process must delay, while the other cannot, because its initial condition is not satisfied.

Next, we show some of the results of applying the method of safety analysis presented in the previous section to our variant of Fischer's protocol. Obviously, the definition of $S$ is not a linear process definition. However, using the rewriting techniques described in [Cuijpers and Reniers, 2004b, Usenko, 2002], we can rewrite it into the linear recursive specification given in appendix K, for which we have

$$ S \approx_r init \gg X_{i,i}. $$

In the linearization, there are 16 recursion variables involved: one variable for each pair of recursion variables of the original two processes. We use the letter $X$ for the variables in the linearization, and label them using pairs of abbreviated location names ($(i,i)$ for (Idle, Idle), $(i,r)$ for (Idle, Request), etc.). As an example, we find the following definition for the variable $X_{c,r}$, which will turn out to represent a decision in the protocol.

$$ X_{c,r} : \begin{array}{l} \left(\, turn, loc_1, loc_2, x_1, x_2 \;\middle|\; \begin{array}{l} loc_1 = Check \\ loc_2 = Request \\ 0 \le \dot{x}_1 \le e\,\dot{x}_2 \\ 0 \le \dot{x}_2 \le e\,\dot{x}_1 \\ x_2 \le D \end{array} \,\right) \rhd X_{c,r} \\[1ex] \oplus\ \left[\, loc_1 \;\middle|\; x_1^- \ge d \wedge turn^- \ne 1 \wedge loc_1^+ = Idle \,\right] \gg \iota \odot X_{i,r} \\ \oplus\ \left[\, loc_1 \;\middle|\; x_1^- \ge d \wedge turn^- = 1 \wedge loc_1^+ = Access \,\right] \gg \iota \odot X_{a,r} \\ \oplus\ \left[\, x_2, loc_2, turn \;\middle|\; x_2^+ = 0 \wedge turn^+ = 2 \wedge loc_2^+ = Check \,\right] \gg \iota \odot X_{c,c} \end{array} $$

As an example of the calculations involved in the safety analysis of the 16 recursion variables, we show the calculation of the re-initialization clause $d''_{c,r} \sim D(c_{c,r})$.

$$\begin{aligned}
d''_{c,r} \sim D(c_{c,r}) &= \left[\, true \,\right] \sim D\!\left( \left(\, turn, loc_1, loc_2, x_1, x_2 \;\middle|\; \begin{array}{l} loc_1 = Check \\ loc_2 = Request \\ 0 \le \dot{x}_1 \le e\,\dot{x}_2 \\ 0 \le \dot{x}_2 \le e\,\dot{x}_1 \\ x_2 \le D \end{array} \,\right) \right) \\[1ex]
&= \left[\, turn, loc_1, loc_2, x_1, x_2 \;\middle|\; \begin{array}{l} loc_1^- = Check \\ loc_2^- = Request \\ \exists_{t, v_1, v_2} \left( \begin{array}{l} x_1^+ = x_1^- + \int_0^t v_1(\tau)\,d\tau \\ x_2^+ = x_2^- + \int_0^t v_2(\tau)\,d\tau \\ \forall_\tau\ 0 \le v_1(\tau) \le e\,v_2(\tau) \\ \forall_\tau\ 0 \le v_2(\tau) \le e\,v_1(\tau) \\ \forall_{t' \le t}\ x_2^- + \int_0^{t'} v_2(\tau)\,d\tau \le D \end{array} \right) \end{array} \,\right] \\[1ex]
&= \left[\, x_1, x_2 \;\middle|\; \begin{array}{l} loc_1^- = Check \\ loc_2^- = Request \\ 0 \le (x_1^+ - x_1^-) \\ (x_1^+ - x_1^-) \le e\,(x_2^+ - x_2^-) \\ 0 \le (x_2^+ - x_2^-) \\ (x_2^+ - x_2^-) \le e\,(x_1^+ - x_1^-) \\ x_2^+ \le D \end{array} \,\right]
\end{aligned}$$

Calculation of $R_i$ in this way is straightforward for Fischer's protocol. Admittedly, this calculation is performed in a rather ad hoc manner. The calculation of $(R_i \sim D(c_i))^!$, and similar terms, turns out to be hard to automate in practice, and more research is needed to find out for which classes of flow clauses and re-initialization clauses these calculations are at all possible. Some work in this direction is done, for example, in [Alur et al., 2002], showing results on the calculation of $(R_i \sim D(c_i))^!$ for linear differential equations $c_i$ and polyhedral initial conditions $R_i$. For our variant of Fischer's protocol, we ultimately find the following $R_i$, where $i$ is taken over the aforementioned pairs. Those re-initializations that are not mentioned here can be easily obtained using the symmetry of the protocol.

$$\begin{aligned}
R_{i,i} &= \left[\, turn^- = 0 \wedge loc_1^- = Idle \wedge loc_2^- = Idle \,\right] \\
R_{r,i} &= \left[\, turn^- = 0 \wedge loc_1^- = Request \wedge loc_2^- = Idle \wedge x_1^- \ge 0 \,\right] \\
R_{r,r} &= \left[\, turn^- = 0 \wedge loc_1^- = Request \wedge loc_2^- = Request \wedge \left( \left( \begin{array}{l} 0 \le x_1^- \le D \\ x_2^- \le e \cdot x_1^- \le e \cdot D \end{array} \right) \vee \left( \begin{array}{l} 0 \le x_2^- \le D \\ x_1^- \le e \cdot x_2^- \le e \cdot D \end{array} \right) \right) \,\right] \\
R_{c,i} &= \left[\, turn^- = 1 \wedge loc_1^- = Check \wedge loc_2^- = Idle \wedge x_1^- \ge 0 \,\right] \\
R_{c,r} &= \left[\, turn^- = 1 \wedge loc_1^- = Check \wedge loc_2^- = Request \wedge 0 \le x_1^- \le e \cdot x_2^- \le e \cdot D \,\right] \\
R_{c,c} &= \left[\, loc_1^- = Check \wedge loc_2^- = Check \wedge \left( \left( \begin{array}{l} turn^- = 2 \\ 0 \le x_1^- \le e \cdot x_2^- + D \\ 0 \le x_2^- \le e \cdot x_1^- \end{array} \right) \vee \left( \begin{array}{l} turn^- = 1 \\ 0 \le x_1^- \le e \cdot x_2^- \\ 0 \le x_2^- \le e \cdot x_1^- + D \end{array} \right) \right) \,\right] \\
R_{a,c} &= \left[\, turn^- = 1 \wedge loc_1^- = Access \wedge loc_2^- = Check \wedge d \le x_1^- \le e \cdot x_2^- \wedge d \le x_2^- \le e \cdot x_1^- + D \,\right] \\
R_{a,i} &= \left[\, turn^- = 1 \wedge loc_1^- = Access \wedge loc_2^- = Idle \,\right] \\
R_{a,r} &= \left[\, false \,\right] \\
R_{a,a} &= \left[\, false \,\right]
\end{aligned}$$

Note that $R_{a,a} = [\, false \,]$ is crucial to the safety of the protocol. It signifies that the unwanted recursion variable $X_{a,a}$, in which both parties access the resource at the same time, is unreachable. A prerequisite for this turns out to be that $R_{a,r} = [\, false \,]$, because a transition from $X_{a,r}$ to $X_{a,c}$ would set the $turn$ variable to $2$ and allow a transition from $X_{a,c}$ to $X_{a,a}$ after some time. This sequence of transitions would always be enabled unless $R_{a,r} = [\, false \,]$. In turn, we therefore need that the transition from $X_{c,r}$ to $X_{a,r}$ is blocked. In other words, to obtain $R_{a,a} = [\, false \,]$, we indirectly need that

$$\begin{aligned}
R_{c,r} \sim d'_{a,r} &= \left[\, \begin{array}{l} turn^- = 1 \\ loc_1^- = Check \\ loc_2^- = Request \\ 0 \le x_1^- \le e \cdot x_2^- \le e \cdot D \end{array} \,\right] \sim \left[\, loc_1 \;\middle|\; \begin{array}{l} x_1^- \ge d \\ turn^- = 1 \\ loc_1^+ = Access \end{array} \,\right] \\[1ex]
&= \left[\, \begin{array}{l} turn^- = 1 \\ loc_1^- = Check \wedge loc_1^+ = Access \\ loc_2^- = Request \\ d \le x_1^- \le e \cdot x_2^- \le e \cdot D \end{array} \,\right] \\[1ex]
&= \left[\, false \,\right].
\end{aligned}$$

The last step is only valid because of our assumption that $d > e \cdot D$: the chain $d \le x_1^- \le e \cdot x_2^- \le e \cdot D$ would require $d \le e \cdot D$.

Lastly, we have to verify safety for the predicate $P_m = (loc_1 = loc_2 = Access)$ for the processes $(R_i \sim d'_j) \gg a_j$, with $i \in I$ and $j \in J'(i)$, and $(R_i \sim d''_j) \gg c_j$, with $i \in I$ and $j \in J''(i)$. This is straightforward to do, and in fact can be concluded already from the fact that $R_{a,a} = [\, false \,]$. We may finally conclude that this variant of Fischer's protocol is indeed safe if $d > e \cdot D > 0$.
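As an added example (not part of the thesis), the following Python model encodes the two-process automaton of figure 6.1 together with the clock constraint $C$, and replays the schedule that the clause $R_{c,r} \sim d'_{a,r}$ has to exclude: process 1 enters Check with its clock at the fastest admissible rate while process 2 lingers in Request with the slowest. The class, the method names and the parameter values are mine; the guards, invariants and resets are the ones from the specification above. Exact rationals are used so that the boundary case $d = e \cdot D$ is decided exactly.

```python
"""Executable model of the two-process hybrid Fischer protocol (added example).

Encodes the automaton of figure 6.1: modes Idle, Request, Check, Access; the
shared variable turn; clocks x_1, x_2 that only increase and whose rates differ
by at most the factor e (constraint C).  Class and method names are assumptions
of this example, not notation from the thesis.
"""
from fractions import Fraction as Q

IDLE, REQUEST, CHECK, ACCESS = "Idle", "Request", "Check", "Access"


class Fischer2:
    """State of init >> (Idle_1 || Idle_2 || C): locations, clocks, turn."""

    def __init__(self, d, D, e):
        assert e >= 1, "C is deadlocked (C ~ delta) for e < 1"
        self.d, self.D, self.e = Q(d), Q(D), Q(e)
        self.loc = {1: IDLE, 2: IDLE}
        self.x = {1: Q(0), 2: Q(0)}
        self.turn = 0

    def flow(self, dt, rate1, rate2):
        """Let time pass.  The rates must satisfy C; a process in Request must
        respect its invariant x_i <= D (clocks are monotone, so checking the
        end point suffices)."""
        dt, r1, r2 = Q(dt), Q(rate1), Q(rate2)
        assert 0 <= r1 <= self.e * r2 and 0 <= r2 <= self.e * r1, "violates C"
        for i, r in ((1, r1), (2, r2)):
            self.x[i] += r * dt
            if self.loc[i] == REQUEST:
                assert self.x[i] <= self.D, f"process {i} overstayed Request"

    # The iota transitions of figure 6.1; each assert is the edge guard.
    def request(self, i):
        assert self.loc[i] == IDLE and self.turn == 0
        self.loc[i], self.x[i] = REQUEST, Q(0)

    def check(self, i):
        assert self.loc[i] == REQUEST
        self.loc[i], self.x[i], self.turn = CHECK, Q(0), i

    def decide(self, i):
        """Check -> Access if turn == i, Check -> Idle otherwise; needs x_i >= d."""
        assert self.loc[i] == CHECK and self.x[i] >= self.d
        self.loc[i] = ACCESS if self.turn == i else IDLE

    def release(self, i):
        assert self.loc[i] == ACCESS
        self.loc[i], self.turn = IDLE, 0

    def both_in_access(self):
        """The unsafe predicate P_m = (loc_1 = loc_2 = Access)."""
        return self.loc[1] == ACCESS and self.loc[2] == ACCESS


def fast_checker_schedule(d, D, e):
    """Replay the schedule ruled out by R_{c,r} ~ d'_{a,r} when d > e*D.
    Returns True iff both processes end up in Access.  Raises AssertionError
    when the schedule is not a legal run (process 2 would overstay Request)."""
    s = Fischer2(d, D, e)
    s.request(1); s.request(2)   # both see turn = 0 and reset their clocks
    s.check(1)                   # turn := 1, x_1 := 0; process 2 stays in Request
    s.flow(s.d / s.e, e, 1)      # x_1 reaches d while x_2 only reaches d/e
    s.decide(1)                  # turn is still 1: process 1 enters Access
    s.check(2)                   # turn := 2 (legal only if x_2 <= D held so far)
    s.flow(s.d, 1, 1)            # process 2 waits its own d
    s.decide(2)                  # turn == 2: process 2 enters Access as well
    return s.both_in_access()


def schedule_is_executable(d, D, e):
    """True when the schedule above is a legal run of the model, i.e. d <= e*D."""
    try:
        return fast_checker_schedule(d, D, e)
    except AssertionError:
        return False
```

Running `fast_checker_schedule(2, 1, 2)`, i.e. $d = e \cdot D$, returns True: both processes reach Access, which is why the safety condition is strict. With $d = 3$, $D = 1$, $e = 2$ the same schedule is not executable, because process 2 would have to stay in Request past $x_2 = D$; this is the contradiction $d \le x_1^- \le e \cdot x_2^- \le e \cdot D$ from the derivation above, now observed on a concrete run.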

6.4 Conclusive remarks

In this chapter, we have shown how the hybrid process algebra HyPA can be used for the analysis of safety properties of hybrid systems. More precisely, we have shown how the question of safety for actions and safety for predicates on model variables can be broken into (hopefully simpler) questions regarding flow clauses and re-initialization clauses. We have reduced the problem of action and predicate safety of processes to smaller questions that cannot be answered using process algebra, but must be answered using the theories for describing flows and re-initializations. As an example, we have analyzed a variant of Fischer's protocol in which the only restriction on the internal clocks is that they are monotone and that their rates do not differ by more than a given factor. Admittedly, similar analyses of this protocol have been shown before, but not with those specific constraints, which in our opinion give new insights into the way the protocol works. Hybrid process algebra provides us with the opportunity to model dependence between the continuous variables of parallel processes, which is used in the analysis of Fischer's protocol when we restrict the relative error between clocks.

Our recommendations for future research can roughly be divided into three directions. The first direction is research on the process algebra HyPA itself. In particular, the two-phase analysis strategy used in this chapter, in which a process definition is first turned into a linear process definition using one equivalence, and further analysis is then carried out using a weaker equivalence, deserves more attention.

The second direction is with respect to safety properties. The method we have shown in this chapter relies on an iteration that possibly does not terminate, and on the ability to analyze flow clauses and re-initialization clauses. Perhaps the method can be combined with methods like predicate abstraction [Alur et al., 2002], in order to guarantee termination and make automated calculation on clauses possible. Even then, calculation on reachable sets (for our method captured in the formulas $(R_i \sim d'_j)^!$ and $(R_i \sim d''_j \sim D(c_j))^!$) is often difficult. For simple linear differential equations, one needs assumptions on the initial conditions in order to be able to perform calculations automatically (see [Alur et al., 2002]). For more difficult flow clauses, the calculation becomes impossible altogether. In the example we have shown in this chapter, symbolic reasoning solved the problem for us for a large part. However, this is only an option in manual analysis, or when process algebraic tools can be coupled to tools like Mathematica, in which symbolic reasoning is possible. An advantage of symbolic reasoning is that induction on the indices may also be used, to exploit a possible structure in $R_i$.

The third direction is to consider other kinds of analysis problems as well. More complicated safety properties, but also fairness properties of systems (a certain desired property is eventually fulfilled) and analysis problems from the field of control theory, like for example stability, come to mind. Process algebraic specification of these analysis problems would then be the first step. Admittedly, we expect the specification of fairness properties to be more difficult than the specification of safety, because, in general, eventuality of an event is hard to express in process algebra.


Chapter 7 Modeling and control of a component mounter

"Scientific truths need beautiful stories to bind people to them" [The Parrot's Theorem ("De stelling van de papegaai"), Denis Guedj]


In this chapter, we analyse a control strategy for the pick-and-place module of the Assembleon component mounting device described in section 5.3.2. The objective of this control strategy, which was designed by Philips CFT, is to bring a component to a PCB as quickly as possible, and press it onto the PCB with sufficient force to make it stick. This all should be done without damaging the component. The focus of our analysis is to show under which conditions safety of the controller can be guaranteed. In other words, we aim to find conditions under which it is certain that the component is not damaged. In section 7.1, we discuss a number of theorems regarding calculation on processes that are placed in a physical context. These theorems will prove useful in the remainder of the chapter. In section 7.2, we revisit the model of the component mounter, and extend it with an actuator that allows for discontinuous changes in the force that is applied to the sled. In section 7.3, we discuss the control strategy of Philips CFT, and model it as a process to be placed in parallel with the model of the component mounter. We make a distinction between control with perfect impact detection and control with imperfect impact detection. In section 7.4, we discuss the safety criteria that should be met by the controlled system, and formalize them as a process algebraic specification. Finally, in section 7.5 we divide the whole process into a number of subprocesses that are executed sequentially, and we analyse under what conditions those subprocesses satisfy the safety specification. First we analyse the subprocesses that are involved in the control strategy with perfect impact detection, and then we extend the analysis with an additional process modeling the delay that results from imperfect detection. Conclusions and recommendations regarding the pick-and-place module as a whole can be found in section 7.6.

7.1 Preliminaries about process algebraic reasoning in a physical context

In this chapter, we will frequently make use of calculations on processes that are placed in parallel to a constitutive process. In short, we will say that such a process is placed in a physical context. When we model a process in a physical context, we may use a number of distribution laws that do not hold for parallel composition in general. Let $Context$ be a constitutive hybrid process (see definition 42), and $x$ an open HyPA term; then we find:

$$\begin{aligned}
(x \oplus y) \parallel Context &\approx_r (x \parallel Context) \oplus (y \parallel Context) \\
(d \gg a \odot x) \parallel Context &\approx_r d \gg a \odot (x \parallel Context) \\
(d \gg c \rhd x) \parallel Context &\approx_r (d \gg c \parallel Context) \rhd (x \parallel Context)
\end{aligned}$$


The first two of these equivalences are relatively easy to prove, if we realize that $Context \,\lfloor\!\lfloor\, x \approx_r \delta$ for all $x$, because a context cannot perform any actions. The third equivalence is not so straightforward. It is based on the observation that both terms are solutions of $X$ in the following recursive specification (assuming that $x$ does not contain $X$ or $Y$).

$$\begin{aligned}
X &\approx_r \bigoplus_{i \in I} \big( (d \sim c_{jmp}) \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd Y \\
Y &\approx_r \bigoplus_{i \in I} \big( c_{jmp} \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd Y \;\oplus\; (x \parallel Context)
\end{aligned}$$

For the right-hand term this is easy to verify, taking $Y \approx_r (c \parallel Context) \blacktriangleright (x \parallel Context)$. For the left-hand term, we find the following derivation, in which we take $Y \approx_r c \blacktriangleright x \parallel Context$.

$$\begin{aligned}
X &\approx_r (d \gg c \rhd x) \parallel Context \\
&\approx_r \bigoplus_{i \in I} \big( (d \sim c_{jmp}) \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd \left( \begin{array}{l} x \,\lfloor\!\lfloor\, c_i \blacktriangleright Context \;\oplus \\ Context \,\lfloor\!\lfloor\, c \blacktriangleright x \;\oplus \\ x \mid c_i \blacktriangleright Context \;\oplus \\ Context \mid c \blacktriangleright x \end{array} \right) \\
&\approx_r \bigoplus_{i \in I} \big( (d \sim c_{jmp}) \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd \left( \begin{array}{l} x \,\lfloor\!\lfloor\, Context \;\oplus \\ Context \,\lfloor\!\lfloor\, c \blacktriangleright x \;\oplus \\ x \mid Context \;\oplus \\ Context \mid c \blacktriangleright x \end{array} \right) \\
&\approx_r \bigoplus_{i \in I} \big( (d \sim c_{jmp}) \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd \left( \begin{array}{l} c \blacktriangleright x \,\lfloor\!\lfloor\, Context \;\oplus \\ Context \,\lfloor\!\lfloor\, c \blacktriangleright x \;\oplus \\ Context \mid c \blacktriangleright x \end{array} \right) \\
&\approx_r \bigoplus_{i \in I} \big( (d \sim c_{jmp}) \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd (c \blacktriangleright x \parallel Context) \\
&\approx_r \bigoplus_{i \in I} \big( (d \sim c_{jmp}) \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd Y \\[1ex]
Y &\approx_r c \blacktriangleright x \parallel Context \\
&\approx_r (c \rhd x \oplus x) \parallel Context \\
&\approx_r (c \rhd x \parallel Context) \oplus (x \parallel Context) \\
&\approx_r \bigoplus_{i \in I} \big( c_{jmp} \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd \left( \begin{array}{l} x \,\lfloor\!\lfloor\, c_i \blacktriangleright Context \;\oplus \\ Context \,\lfloor\!\lfloor\, c \blacktriangleright x \;\oplus \\ x \mid c_i \blacktriangleright Context \;\oplus \\ Context \mid c \blacktriangleright x \end{array} \right) \oplus (x \parallel Context) \\
&\approx_r \bigoplus_{i \in I} \big( c_{jmp} \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd (c \blacktriangleright x \parallel Context) \oplus (x \parallel Context) \\
&\approx_r \bigoplus_{i \in I} \big( c_{jmp} \wedge (d_i \sim (c_i)_{jmp}) \big) \gg (c \wedge c_i) \rhd Y \oplus (x \parallel Context)
\end{aligned}$$


When studying safety properties, we have the following distribution laws for encapsulation of actions $H$ and predicates $P_m$.

$$\begin{aligned}
\partial_H(x \parallel Context) &\approx_r \partial_H(x) \parallel Context \\
\partial_{P_m}(x \parallel Context) &\approx_r \partial_{P_m}(x \odot Context) \parallel Context
\end{aligned}$$

The first of the two expresses that a context does not contain any actions, and is therefore not influenced by the encapsulation. This law is witnessed by the following robust bisimulation relation, where $\mathcal{I}$ is the identity relation:

$$\begin{aligned}
R = {} & \{ (\langle \partial_H(x \parallel Context), \nu \rangle, \langle \partial_H(x) \parallel Context, \nu \rangle) \mid x \in T(V_r),\ \nu \in Val \} \\
& \cup\ \{ (\langle \partial_H(x \parallel (c_i \blacktriangleright Context)), \nu \rangle, \langle \partial_H(x) \parallel (c_j \blacktriangleright Context), \nu \rangle) \mid x \in T(V_r),\ \nu \in Val,\ i, j \in I \} \\
& \cup\ \mathcal{I}
\end{aligned}$$

The second law expresses the intuition that every transition of the context must synchronize with some transition of $x$. The only exception to this is when $x$ terminates. Indeed, the second law is especially useful if $x$ is non-terminating. In that case we have $x \approx_r x \odot \delta$, and thus $\partial_{P_m}(x \parallel Context) \approx_r \partial_{P_m}(x) \parallel Context$. The second law is witnessed by the following robust bisimulation relation:

$$\begin{aligned}
R = {} & \{ (\langle \partial_{P_m}(x \parallel Context), \nu \rangle, \langle \partial_{P_m}(x \odot Context) \parallel Context, \nu \rangle) \mid x \in T(V_r),\ \nu \in Val \} \\
& \cup\ \{ (\langle \partial_{P_m}(x \parallel (c_i \blacktriangleright Context)), \nu \rangle, \langle \partial_{P_m}(x \odot Context) \parallel (c_i \blacktriangleright Context), \nu \rangle) \mid x \in T(V_r),\ i \in I,\ \nu \in Val \} \\
& \cup\ \{ (\langle \partial_{P_m}(c_i \blacktriangleright Context), \nu \rangle, \langle \partial_{P_m}(c_j \blacktriangleright Context) \parallel (c_k \blacktriangleright Context), \nu \rangle) \mid i, j, k \in I,\ \nu \in Val \} \\
& \cup\ \mathcal{I}.
\end{aligned}$$

So we may add this law to our list of axioms. Indeed, we use the property that $Context \approx_r c_i \blacktriangleright Context$ in the verification of these laws.

When we want to reason about (initially stateless) bisimilarity in a physical context, the following definition and theorems turn out to be useful. They express conditions under which processes do not interfere through interleaving actions, which makes (initially stateless) bisimilarity a congruence for parallel composition.

Definition 46 (Freedom of interference) A state $\langle p, \varsigma \rangle$ is interference free if for every transition $\langle p, \varsigma \rangle \xrightarrow{\,l\,} \langle p', \varsigma' \rangle$ we find that:
• $l = (a, \varsigma'')$ implies $\varsigma = \varsigma' = \varsigma''$, and
• $\langle p', \varsigma' \rangle$ is interference free.


A process $p$ is interference free if $\langle p, \varsigma \rangle$ is interference free for every $\varsigma \in Val$.

Theorem 33 If a process $p$ is described using the following signature

$$ F ::= d \gg \epsilon \;\big|\; [\, P_r \,] \gg a \;\big|\; [\, V \mid P_r \,] \gg (\, V' \mid P_f \,) \;\big|\; F \odot F \;\big|\; F \blacktriangleright F \;\big|\; F \rhd F \;\big|\; F \oplus F \;\big|\; F \parallel F \;\big|\; F \,\lfloor\!\lfloor\, F \;\big|\; F \mid F $$

then it is interference free.

Proof See appendix L. $\square$

Corollary 3 All hybrid constitutive processes are interference free.

Theorem 34 If $p$ is interference free and $p \approx p'$ then $p'$ is interference free.

Proof See appendix L. $\square$

Theorem 35 Let $x$ and $y$ be interference free; then $x \approx x'$ and $y \approx y'$ implies $x \parallel y \approx x' \parallel y'$.

Proof See appendix L. $\square$

When we reason in a physical context, we often encounter equations of the sort

$$ x \parallel Context \;\approx\; y \parallel Context. $$

As an abbreviation of this, we will usually write

$$ Context \vdash x \approx y. $$

Indeed, this gives us a new notion of equivalence, since parallel composition is commutative and associative and $Context \parallel Context \approx_r Context$. Furthermore, this equivalence is a congruence for parallel composition, because a physical context is interference free. The distribution laws we gave earlier are helpful in reasoning about this new notion of equivalence. Note that the combination of contexts leads to a strengthening of our new equivalence. Using the rules given above, it is easy to derive that

$$ Context \vdash x \approx y $$

implies

$$ Context \parallel Context' \vdash x \approx y $$


for all physical contexts $Context$ and $Context'$. Because every physical context is interference free, we can easily derive the following equivalences (see section 6.1) if $x$ is interference free (using the observation that $d^{?!} = d^?$).

$$\begin{aligned}
Context \vdash (d^? \gg a \odot x) &\approx (d^? \gg a \odot d^? \gg x) \\
Context \vdash (d \gg c \rhd x) &\approx (d \gg c \rhd (d \sim D(c))^! \gg x)
\end{aligned}$$

Furthermore, we can use the distribution of contexts over encapsulation to obtain a notion of safety in a particular context. We say that $X$ is safe for $P_m$ in a physical context when

$$ Context \vdash \partial_{P_m}(X) \approx X \odot [\, \neg P_m \,]. $$

Indeed, if $X$ is non-terminating, it suffices to prove

$$ Context \vdash \partial_{P_m}(X) \approx X. $$

As a last remark, we give two new axioms for the analysis of safety properties. They are not directly related to calculations in context, although they may (of course) be used as such. In fact, they are generalizations of the earlier axioms regarding (initially stateless) bisimilarity. The axioms express the intuition that if a process $y$ is preceded by a safe process $x$, then $y$ is started from a safe state.

$$\begin{aligned}
[\, \neg P_m^- \,] \gg \partial_{P_m}(x) \odot y &\approx [\, \neg P_m^- \,] \gg \partial_{P_m}(x) \odot [\, \neg P_m^- \,] \gg y \\
\partial_{P_m}(x) \rhd y &\approx \partial_{P_m}(x) \rhd [\, \neg P_m^- \,] \gg y
\end{aligned}$$

Soundness of the first of these axioms may be verified by studying the witnessing relation

$$\begin{aligned}
S = {} & \{ (\langle [\, \neg P_m^- \,] \gg \partial_{P_m}(x) \odot y, \nu \rangle, \langle [\, \neg P_m^- \,] \gg \partial_{P_m}(x) \odot [\, \neg P_m^- \,] \gg y, \nu \rangle) \mid \nu \in Val,\ x, y \in T(V_r) \} \\
& \cup\ \{ (\langle \partial_{P_m}(x) \odot y, \nu \rangle, \langle \partial_{P_m}(x) \odot [\, \neg P_m^- \,] \gg y, \nu \rangle) \mid \nu \models \neg P_m,\ x, y \in T(V_r) \} \\
& \cup\ \mathcal{I},
\end{aligned}$$

while soundness of the second axiom follows from the witnessing relation

$$\begin{aligned}
S = {} & \{ (\langle \partial_{P_m}(x) \rhd y, \nu \rangle, \langle \partial_{P_m}(x) \rhd [\, \neg P_m^- \,] \gg y, \nu \rangle) \mid \nu \in Val,\ x, y \in T(V_r) \} \\
& \cup\ \{ (\langle \partial_{P_m}(x) \blacktriangleright y, \nu \rangle, \langle \partial_{P_m}(x) \blacktriangleright [\, \neg P_m^- \,] \gg y, \nu \rangle) \mid \nu \models \neg P_m,\ x, y \in T(V_r) \} \\
& \cup\ \mathcal{I}.
\end{aligned}$$


Note that the initial re-initialization is necessary for the axiom on sequential composition, because otherwise it would not hold for $x \approx_r \epsilon$ and other processes that terminate immediately. Incidentally, using that same initial re-initialization we can derive a similar law for the disrupt.

$$ [\, \neg P_m^- \,] \gg \partial_{P_m}(x) \blacktriangleright y \;\approx\; [\, \neg P_m^- \,] \gg \partial_{P_m}(x) \blacktriangleright [\, \neg P_m^- \,] \gg y. $$

7.2 The pick-and-place module

In this section, we discuss our model of the pick-and-place module, and simplify our original description to one that is more useful for the analysis in the remainder of this chapter. In [Mateboer, 1999], a model of the pick-and-place module is used that contains continuous equations for the collision mechanics. Simulations are performed to see how changes in the characteristics of the PCB influence the performance of the controller. One of the conclusions of that report is that, if the characteristics of the collision mechanics are dominant over the characteristics of the PCB (an assumption that is reasonable in practice), then the impact behavior has ended before it is detected. This relatively fast impact behavior is the first reason why we abstract away from the precise impact mechanics in our model, replacing it by discontinuous behavior as described in section 5.3.2. The second reason is that the parameters of the collision may vary wildly as different components and PCBs are used. Abstraction from the precise mechanics means that we are robust against those variations. In this chapter, we use the same bond graph model as in section 5.3.2. However, we change the force actuator (i.e. the effort source) slightly, because the control strategy that we intend to use makes use of an instantaneous change in the applied force. For reference, we have repeated the schematic model description in figure 7.1. This section starts out with a subsection on changing the model of the force actuator. Then follows a subsection in which we go from a representation using parallel processes to a representation using a switching process in a physical context. Representing the physical context separately makes reasoning about the switching behavior easier, because we can abstract away from uninteresting (but necessary) definitions that would otherwise show up separately in every flow and re-initialization clause.


Figure 7.1 Schematic model of the impact process (image not reproduced): a sled of mass $m_s$ driven by the force $F$, and a PCB of mass $m_p$ attached to ground through the damper $b_p$ and the spring $k_p$.

7.2.1 Adapting the actuator model

Adapting the actuator model can be done in roughly two ways, which are also discussed briefly at the end of section 5.1.3. The first is by extending the bond graph model, building in a switch between different continuous actuators. The second is by changing the constitutive hybrid process that models the force actuator. We have chosen the latter option, because it keeps the discrete state space of the model concise, which makes manual analysis of the whole process easier. In the constitutive hybrid process that describes the new actuator, we have assumed that there is no overshoot when the force changes discontinuously from one setpoint to another.

$$ D.Effort\text{-}Source_i(s_{de}) : \left[\, V_m \;\middle|\; \begin{array}{l} \min(s_{de}^-, s_{de}^+) \cdot q' \le E'_i \\ \max(s_{de}^-, s_{de}^+) \cdot q' \ge E'_i \\ p' = 0 \end{array} \,\right] \gg \left(\, V_i \;\middle|\; e_i = s_{de} \,\right) \rhd D.Effort\text{-}Source_i(s_{de}). $$

Note that we use the notational conventions from bond graph theory in this definition of the new actuator model. This is done for compatibility with chapter 5. Throughout the remainder of this chapter, we use the notational conventions of mechanical systems theory (see table 5.1), because the impact control problem originates from that field. In figure 7.2, we have repeated the bond graph model of section 5.3.2. Note that we have replaced the index for bond 1 (associated with the sled) with an $s$ and the index for bond 5 (associated with the PCB) with a $p$. This makes many of the equations more readable.

Figure 7.2 Bond graph model for the impact module (image not reproduced). Elements recovered from the figure: an I element $m_s$ (mass of the sled) on bond $s$; a 1-junction joining bonds $s$, $2$ and $3$; the effort source $s_{de} : F$ (steering force) on bond $2$; the switching element $(1/E) : (Act, Inact)$ between bonds $3$ and $4$; an I element $m_p$ (mass of the PCB) on bond $p$; a 1-junction joining bonds $4$, $p$, $6$ and $7$; a C element with compliance $1/k$ (stiffness of the PCB) on bond $6$; and an R element $b$ (friction of the PCB) on bond $7$. The switch modes are defined by

$$\begin{aligned}
Act &: (x_s = x_p \wedge v_s < v_p) \;\vee\; \left( x_s = x_p \wedge v_s = v_p \wedge \tfrac{1}{m_s} \cdot (F_s + F_3) \le \tfrac{1}{m_p} \cdot (F_p - F_4) \right) \\
Inact &: (x_s > x_p) \;\vee\; (x_s = x_p \wedge v_s > v_p) \;\vee\; \left( x_s = x_p \wedge v_s = v_p \wedge \tfrac{1}{m_s} \cdot (F_s + F_3) \ge \tfrac{1}{m_p} \cdot (F_p - F_4) \right)
\end{aligned}$$

Calculations similar to those in section 5.3.2 lead to the process

$$ Module \approx_r (d_1 \gg c_1 \;\oplus\; d_2 \gg c_2 \;\oplus\; d_3 \gg c_1 \;\oplus\; d_3 \gg c_2) \rhd Module, $$

where

$$\begin{aligned}
d_1 &= \left[\, V_m \;\middle|\; \begin{array}{l} E'_s = -E'_3 = \frac{(p_s^+)^2 - (p_s^-)^2}{2 \cdot m_s} \\ E'_4 = E'_p = \frac{(p_p^+)^2 - (p_p^-)^2}{2 \cdot m_p} \\ E'_s + E'_p = E'_2 = E'_6 = E'_7 = 0 \\ p'_s = -p'_3 \\ p'_4 = p'_p \\ p'_s + p'_p = p'_2 = p'_6 = p'_7 = 0 \\ x'_s = x'_2 = x'_3 = x'_4 = x'_p = x'_6 = x'_7 = 0 \\ Act^- \end{array} \,\right] \\[1ex]
d_2 &= \left[\, V_m \;\middle|\; \begin{array}{l} E'_s = E'_2 = E'_3 = E'_4 = E'_p = E'_6 = E'_7 = 0 \\ p'_s = p'_2 = p'_3 = p'_4 = p'_p = p'_6 = p'_7 = 0 \\ x'_s = x'_2 = x'_3 = x'_4 = x'_p = x'_6 = x'_7 = 0 \\ Inact^- \end{array} \,\right] \\[1ex]
d_3 &= \left[\, V_m \;\middle|\; \begin{array}{l} E'_s = -E'_3 = \frac{(p_s^+)^2 - (p_s^-)^2}{2 \cdot m_s} \\ E'_4 = E'_p = \frac{(p_p^+)^2 - (p_p^-)^2}{2 \cdot m_p} \\ E'_s + E'_p \le E'_2 = E'_6 = E'_7 = 0 \\ p'_s = -p'_3 \\ p'_4 = p'_p \\ p'_s + p'_p = p'_2 = p'_6 = p'_7 = 0 \\ x'_s = x'_2 = x'_3 = x'_4 = x'_p = x'_6 = x'_7 = 0 \\ Inact^- \end{array} \,\right] \\[1ex]
c_1 &= \left(\, V_{ps} \;\middle|\; \begin{array}{l} p_s = m_s \cdot v_s \\ p_p = m_p \cdot v_p \\ x_6 = \frac{1}{k} \cdot F_6 \\ F_2 = F \\ F_7 = b \cdot v_7 \\ F_2 - F_s = F_3 = F_4 = F_p + F_6 + F_7 \\ v_s = v_2 = v_3 = v_4 = v_p = v_6 = v_7 \\ Act \end{array} \,\right) \\[1ex]
c_2 &= \left(\, V_{ps} \;\middle|\; \begin{array}{l} p_s = m_s \cdot v_s \\ p_p = m_p \cdot v_p \\ x_6 = \frac{1}{k} \cdot F_6 \\ F_2 = F \\ F_7 = b \cdot v_7 \\ F_2 - F_s = F_3 = 0 \\ F_4 = F_p + F_6 + F_7 = 0 \\ v_s = v_2 = v_3 \\ v_4 = v_p = v_6 = v_7 \\ Inact \end{array} \,\right)
\end{aligned}$$

and $V_{ps} = V_{\{s, 2, 3, 4, p, 6, 7\}}$.

A quick comparison shows that this model is syntactically equal to the model in section 5.3.2. This means that the change in actuator has had no influence on the model at all. As it turns out, the difference between the actuators is canceled out by the fact that the actuators act on a mass, which does not allow changes in position. Because of this, neither can provide energy during discontinuous changes.

7.2.2 Switching in a physical context

Since Module is a hybrid constitutive process, it can also be considered a physical context in the sense of section 7.1. However, for the calculations in the remainder of this chapter, it turns out to be convenient to represent the Module process as a parallel composition of a Switching process and a Context process in which no switching takes place. We define

$$\begin{aligned}
V_{state} &= \{ E_p, p_p, x_p, E_2, p_2, x_2, E_3, p_3, x_3, E_4, p_4, x_4, E_s, p_s, x_s, E_6, p_6, x_6, E_7, p_7, x_7 \} \\
V_{switch} &= \{ E_s, p_s, x_s, E_p, p_p, x_p \} \subseteq V_{state}
\end{aligned}$$

and find:

$$ Module \approx_r Switching \parallel Context $$

with

$$ Context : \left[\, V_{state} \;\middle|\; \begin{array}{l} E'_s + E'_p \le 0 \\ E'_s = -E'_3 = \frac{(p_s^+)^2 - (p_s^-)^2}{2 \cdot m_s} \\ E'_4 = E'_p = \frac{(p_p^+)^2 - (p_p^-)^2}{2 \cdot m_p} \\ p'_s = -p'_3 \\ p'_4 = p'_p \\ p'_s + p'_p = 0 \end{array} \,\right] \gg \left(\, V_{state} \;\middle|\; \begin{array}{l} p_s = m_s \cdot v_s \\ p_p = m_p \cdot v_p \\ x_6 = \frac{1}{k} \cdot F_6 \\ F_2 = F \\ F_7 = b \cdot v_7 \\ F_2 - F_s = F_3 = F_4 = F_p + F_6 + F_7 \\ v_s = v_2 = v_3 \\ v_4 = v_p = v_6 = v_7 \end{array} \,\right) \rhd Context $$

$$ Switching : \left( \begin{array}{l} \left( \left[\, V_{switch} \;\middle|\; E'_s + E'_p = 0 \wedge Act^- \,\right] \vee [\, true \,] \right) \gg \left(\, V_{switch} \;\middle|\; v_p = v_s \wedge Act \,\right) \\ \oplus\ \left( \left[\, V_{switch} \;\middle|\; p'_s = p'_p = 0 \wedge Inact^- \,\right] \vee [\, true \,] \right) \gg \left(\, V_{switch} \;\middle|\; F_s = F \wedge F_p = -F_6 - F_7 \wedge Inact \,\right) \\ \oplus\ \left( \left[\, V_{switch} \;\middle|\; Inact^- \,\right] \vee [\, true \,] \right) \gg \left(\, V_{switch} \;\middle|\; v_s = v_p \wedge Act \,\right) \\ \oplus\ \left( \left[\, V_{switch} \;\middle|\; Act^- \,\right] \vee [\, true \,] \right) \gg \left(\, V_{switch} \;\middle|\; F_s = F \wedge F_p = -F_6 - F_7 \wedge Inact \,\right) \end{array} \right) \rhd Switching. $$

To simplify the model further, we use bisimilarity rather than robust bisimilarity. Furthermore, we assume an initial state that already satisfies the equations of the context flow clause. We call a state physically consistent if it satisfies the predicate

$$ consistent = \left( \begin{array}{l} p_s = m_s \cdot v_s \\ p_p = m_p \cdot v_p \\ x_6 = \frac{1}{k} \cdot F_6 \\ F_2 = F \\ F_7 = b \cdot v_7 \\ F_2 - F_s = F_3 = F_4 = F_p + F_6 + F_7 \\ v_s = v_2 = v_3 \\ v_4 = v_p = v_6 = v_7 \end{array} \right). $$


It is easy to see that physical consistency is an invariant of the system, because it is enforced by the context. If we now assume that the initial state of our process is physically consistent, then we can simplify the Context process further, by introducing a collision coefficient $\xi$ in the re-initialization clauses [Leijendeckers et al., 2002].

$$ [\, consistent^- \,] \gg Context \approx Context' $$

$$ Context' : \left[\, V_{state} \;\middle|\; \begin{array}{l} consistent^- \\ (p'_s = p'_p = 0) \;\vee\; \exists_{\xi \in [0,1]} \left( \begin{array}{l} E_s^+ = \frac{((m_s - \xi m_p)\, p_s^- + (1+\xi)\, m_s\, p_p^-)^2}{2 m_s (m_s + m_p)^2} \\ E_p^+ = \frac{((m_p - \xi m_s)\, p_p^- + (1+\xi)\, m_p\, p_s^-)^2}{2 m_p (m_s + m_p)^2} \\ p_s^+ = \frac{m_s - \xi \cdot m_p}{m_s + m_p}\, p_s^- + \frac{(1+\xi) \cdot m_s}{m_s + m_p}\, p_p^- \\ p_p^+ = \frac{m_p - \xi \cdot m_s}{m_s + m_p}\, p_p^- + \frac{(1+\xi) \cdot m_p}{m_s + m_p}\, p_s^- \end{array} \right) \\ E'_s = -E'_3 \\ E'_4 = E'_p \\ p'_s = -p'_3 \\ p'_4 = p'_p \end{array} \,\right] \gg \left(\, V_{state} \;\middle|\; consistent \,\right) \rhd Context' $$

From these equations, it can easily be observed that discontinuities in $V_{state}$ can only take place if the value of variables in $V_{switch}$ is altered. In our calculations, this means that we may assume synchronization between the re-initializations of the Switching process with Context and $\mathit{Context}'$. Further calculations on the Switching process show that the assumption of initial physical consistency means that some re-initializations of the Switching process do not alter the valuation of the model variables at all.

$$
[\, \mathit{consistent}^- \,] \gg \mathit{Module} \;\approx\; \mathit{Switching}' \parallel \mathit{Context}'
$$

$$
\mathit{Switching}' :\;
\left(
\begin{array}{l}
\big([\, V_{switch} \mid Inact^- \,] \vee [\, true \,]\big) \gg \big( V_{switch} \mid v_s = v_p,\; Act \big) \\[1ex]
\oplus\; \big([\, V_{switch} \mid Act^- \,] \vee [\, true \,]\big) \gg \big( V_{switch} \mid F_s = F,\; F_p = -F_6 - F_7,\; Inact \big)
\end{array}
\right) \;\rhd\; \mathit{Switching}'
$$

Subsequently, calculation on Act and Inact gives us the following alternative description of the switching process. Note that when we start a re-initialization with $v_s = v_p$, then from the context we can conclude that there will be no change in $p_s$ and $p_p$.

$$
[\, \mathit{consistent}^- \,] \gg \mathit{Module} \;\approx\; \mathit{Switching}'' \parallel \mathit{Context}'
$$

$$
\mathit{Switching}'' :\;
\left(
\begin{array}{l}
[\, V_{switch} \mid x_s^- = x_p^- \,] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} x_s = x_p \\ \frac{F}{m_s} \le -\frac{F_6 + F_7}{m_p} \end{array}\right) \\[3ex]
\oplus\;
\big([\, V_{switch} \mid x_s^- = x_p^- \,] \vee [\, true \,]\big) \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} F_s = F \\ F_p = -(F_6 + F_7) \\ x_s \ge x_p \\ x_s = x_p \Rightarrow v_s \ge v_p \end{array}\right)
\end{array}
\right) \;\rhd\; \mathit{Switching}''
$$

This is as far as we can simplify the description of the pick-and-place module for the time being.

7.3 Control strategy

In this section, we discuss the control strategy that is applied to the pick-and-place module. We base our discussion on the control strategy as it was first suggested by Philips CFT [Mateboer, 1999]. The control strategy described in [Mateboer, 1999] consists of two phases. In the first phase, the sled is brought down with a constant velocity. In the second phase, the sled is pushed onto the PCB with a constant force, by bringing the force-actuator into saturation. The controller switches from the first phase to the second when an impact is detected. Impact detection is modeled by a separate process that measures the difference between the position of the sled and the position of the PCB. The sensor and the controller communicate over a discrete channel according to $\mathit{impact?} \;\gamma\; \mathit{impact!} = \mathit{impact}$.

$$
\mathit{Strategy} :\; \big( v_s = -v_{seek} \big) \;\blacktriangleright\; \mathit{impact?} \odot \big( F = -F_{sat} \big)
$$

$$
\mathit{Sensor} :\; \big( x_s > x_p \big) \;\blacktriangleright\; [\, x_s^- = x_p^- \,] \gg \mathit{impact!}
$$

Note that this strategy does not give a proper specification for a controller, because in practice we have no direct control over the velocity of the sled. We can only steer the force. However, an advantage of modeling the control strategy in the above way is that it is very straightforward, and that the control goal is immediately clear from it. A better specification for a controller is one where we use a negative feedback factor $-K$ in the first phase, to give a relation between the measured error in the velocity of the sled and the actuator force. Furthermore, following a suggestion from [Mateboer, 1999] that the force-actuator has limited power, we make sure that the force is always directed downwards and does not become higher than the saturation limit of the actuator.

$$
\mathit{Feedback} :\; \big( \mathit{feedback} \big) \;\blacktriangleright\; \mathit{impact?} \odot \big( F = -F_{sat} \big)
$$

$$
\mathit{feedback} =
\left[\begin{array}{l}
-F_{sat} \le F = -K \cdot (v_s + v_{seek}) \le F_{sat} \\
\vee\; -F_{sat} \ge -K \cdot (v_s + v_{seek}) \;\wedge\; F = -F_{sat} \\
\vee\; -K \cdot (v_s + v_{seek}) \ge F_{sat} \;\wedge\; F = 0
\end{array}\right]
$$

Still, the control strategy is only implementable if we indeed have a sensor that measures the distance between sled and PCB. For cost reasons, this sensor is not available on the pick-and-place unit built by Assembleon. We therefore have to make do with a velocity sensor only. This is possible, because the velocity of the sled changes relatively strongly at impact. The drawback of using a velocity sensor for impact detection is that the detection is never immediate. We need to allow some time $t_{detect}$ between impact and detection. In order to make the model of the sensor more realistic, we also include a detection margin (with $v_{detect} > 0$) on the velocity.

$$
\mathit{ImperfectSensor} :\;
\big( v_s, clck \mid \mathit{margin} \big) \;\blacktriangleright\;
\left[\begin{array}{l} \mathit{margin}^- \\ \neg \mathit{margin}^+ \\ clck^+ = 0 \end{array}\right] \gg
\left( v_s, clck \;\middle|\; \begin{array}{l} \dot{clck} = 1 \\ clck \le t_{detect} \end{array}\right) \;\blacktriangleright\;
[\, 0 < clck^- \le t_{detect} \,] \gg \mathit{impact!}
$$

$$
\mathit{margin} = \big( -v_{seek} - v_{detect} \le v_s \le -v_{seek} + v_{detect} \big)
$$

Note that ImperfectSensor is an interference-free process, because the re-initialization on the impact! action has the function of a condition. Incidentally, this condition only guarantees that the preceding flow-clause executes at least one transition. This is expressed by the following equivalence:

$$
\mathit{ImperfectSensor} \;\approx\;
\big( v_s, clck \mid \mathit{margin} \big) \;\blacktriangleright\;
\left[\begin{array}{l} \mathit{margin}^- \\ \neg \mathit{margin}^+ \\ clck^+ = 0 \end{array}\right] \gg
\left( v_s, clck \;\middle|\; \begin{array}{l} \dot{clck} = 1 \\ clck \le t_{detect} \end{array}\right) \;\rhd\; \mathit{impact!}
$$

If impact detection is perfect, we can show that the control strategy is bisimilar to the specification of the feedback controller, when initially $v_s = -v_{seek}$. More formally, we can show that

$$
\left[\begin{array}{l} v_s^- = -v_{seek} \\ \mathit{consistent}^- \end{array}\right] \gg (\mathit{Module} \parallel \mathit{Strategy} \parallel \mathit{Sensor})
\;\approx\;
\left[\begin{array}{l} v_s^- = -v_{seek} \\ \mathit{consistent}^- \end{array}\right] \gg (\mathit{Module} \parallel \mathit{Feedback} \parallel \mathit{Sensor})
$$

This is done using the insight that all involved processes are free of interference. They can all be rewritten into the form given in section 7.1. Furthermore, we have initially that $\dot{v}_s = \frac{F}{m_s} = -K \frac{v_s + v_{seek}}{m_s} = 0$, from which we conclude that the initial phases of both controllers have the same reachable sets. With imperfect impact detection, there is a difference between the control strategy and the specification as a feedback controller. This is due to the earlier observation that $v_s$ cannot be directly controlled. With imperfect impact detection, this leads to a deadlock in the control strategy, while it does not in the feedback controller. In particular we find that:

$$
\left[\begin{array}{l} v_s^- = -v_{seek} \\ \mathit{consistent}^- \end{array}\right] \gg (\mathit{Module} \parallel \mathit{Strategy} \parallel \mathit{ImperfectSensor})
\;\approx\;
\left[\begin{array}{l} v_s^- = -v_{seek} \\ \mathit{consistent}^- \end{array}\right] \gg \Big( \mathit{Module} \parallel \big( v_s = -v_{seek} \big) \blacktriangleright \delta \Big)
$$

In practice, it can usually not be guaranteed that initially exactly $v_s = -v_{seek}$. It is more reasonable to assume that $v_s$ has been brought within the detection range before our impact controller is activated. Furthermore, for the impact detection to work correctly, it is important that the PCB is initially at rest, $x_p = v_p = 0$. In the remainder of this chapter, we use the following two definitions for our system as a whole. The first describes a system with perfect impact detection, while the second describes a system with imperfect impact detection.

$$
\mathit{PerfectSystem} :\;
\left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \\ \mathit{consistent}^- \end{array}\right] \gg (\mathit{Module} \parallel \mathit{Feedback} \parallel \mathit{Sensor})
$$

$$
\mathit{ImperfectSystem} :\;
\left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \\ \mathit{consistent}^- \end{array}\right] \gg (\mathit{Module} \parallel \mathit{Feedback} \parallel \mathit{ImperfectSensor})
$$

7.4 Safety requirements

In [Mateboer, 1999] it is assumed that the placed component will be damaged when there is too great a force ($F_{max}$) acting on it. Using that assumption, a maximum impact velocity $v_{max} = \frac{F_{max}}{\sqrt{k_i \cdot m_s}}$ is calculated (where $k_i$ is the internal elasticity of the component), at which the component can be brought down on the PCB. In our model, we have abstracted from the internal forces on the component, but we can still think about safety of the collision by assuming that there is a maximum impact velocity. This is reflected in the condition

$$
S = \big[\, x_s = x_p \;\Rightarrow\; v_s - v_p \ge -v_{max} \,\big] .
$$

Following the outline for safety analysis introduced in chapter 6, the analysis in the remainder of this chapter is aimed at finding parameter values for $K$, $F_{sat}$, $t_{detect}$ and $v_{detect}$ such that $\partial_{\neg S}(\mathit{ImperfectSystem}) \approx \mathit{ImperfectSystem}$. To simplify things, we start out by finding parameter values for $F_{sat}$ and $v_{detect}$ such that $\partial_{\neg S}(\mathit{PerfectSystem}) \approx \mathit{PerfectSystem}$.

As it turns out, the results on PerfectSystem can be easily transferred to ImperfectSystem, using a simple calculation on how they are both composed. This is demonstrated in the next section. In the remainder of this chapter, we only study damage that results directly from impact. Damage can also occur, for example, after an inelastic impact when Fsat > Fmax . The study of this and other kinds of damage is left as a topic for future research.

7.5 Analysis

In this section, we analyse the safety of the pick-and-place module with perfect and with imperfect impact detection. A first elimination of the parallel composition between Module, Sensor and Feedback gives us:

$$
\begin{array}{rcl}
\mathit{PerfectSystem}
&\approx& \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \\ \mathit{consistent}^- \end{array}\right] \gg (\mathit{Module} \parallel \mathit{Feedback} \parallel \mathit{Sensor}) \\[3ex]
&\approx_r& \mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \Big( \mathit{Seek}' \;\blacktriangleright\; [\, x_s^- = x_p^- \,] \gg \mathit{impact} \odot \mathit{Bounce} \Big) \\[3ex]
\mathit{ImperfectSystem}
&\approx& \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \\ \mathit{consistent}^- \end{array}\right] \gg (\mathit{Module} \parallel \mathit{Feedback} \parallel \mathit{ImperfectSensor}) \\[3ex]
&\approx_r& \mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \big( \mathit{Seek} \;\blacktriangleright\; \mathit{Detect} \;\rhd\; \mathit{impact} \odot \mathit{Bounce} \big)
\end{array}
$$

with

$$
\begin{array}{rcl}
\mathit{Seek} &:& \mathit{Switching}'' \parallel \left( \begin{array}{l} \mathit{margin} \\ \mathit{feedback} \end{array} \right) \\[3ex]
\mathit{Seek}' &:& \mathit{Switching}'' \parallel \left( \begin{array}{l} \mathit{margin} \\ \mathit{feedback} \end{array} \right) \parallel \big( x_s > x_p \big) \\[3ex]
\mathit{Detect} &:& \mathit{Switching}'' \parallel \left[\begin{array}{l} \mathit{margin}^- \\ \neg\mathit{margin}^+ \\ clck^+ = 0 \end{array}\right] \gg \left( v_s, clck \;\middle|\; \begin{array}{l} \dot{clck} = 1 \\ clck \le t_{detect} \\ \mathit{feedback} \end{array}\right) \\[4ex]
\mathit{Bounce} &:& \mathit{Switching}'' \parallel \big( F = -F_{sat} \big) .
\end{array}
$$

In each of the subsections of this section, we analyse the safety of one of the subprocesses in these representations. First, we analyse the Seek (and $\mathit{Seek}'$) process and show that the initial condition is an invariant for it. This makes the Seek process safe, under the right assumptions on $v_{seek}$ and $v_{detect}$. Then we analyse the Bounce process, and show that it is possibly unsafe if elastic collisions are possible. For inelastic collisions we find initial conditions under which the Bounce process turns into a process called Press. The Press process models that the sled and PCB of the pick-and-place module stick together, and is trivially safe since no collisions can occur. This already gives us conditions for safety with perfect impact detection. Lastly, we analyse the Detect process, and reason about conditions on $K$, $F_{sat}$ and $t_{detect}$ under which Detect is safe and keeps the right initial conditions for the Bounce process invariant. This leads to safety of the controlled system with imperfect impact detection. In the final subsection we formalize the conclusions about the safety of the two systems based on the safety of the subsystems, and give some further conclusions and recommendations regarding the pick-and-place module. Note that throughout the calculations various assumptions are made on the constants $v_{seek}$, $v_{detect}$, $K$, $F_{sat}$ and $t_{detect}$. These assumptions are always explicitly introduced by writing "assumption : the assumption", and are assumed to be cumulative, meaning that once they are introduced they hold for the remainder of the chapter. This allows us to use the results of one section in later sections, without repeating the assumptions that are needed for them. However, usually the impact of the assumptions is local, which means that an assumption will not be reused in isolation without repeating it.

7.5.1 Seek

In this section, we study the process

$$
\left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} ,
$$

in the physical context $\mathit{Context}'$. Elimination of the parallel composition in Seek gives us

$$
\mathit{Seek} \;\approx\;
\left(
\begin{array}{l}
[\, V_{switch} \mid x_s^- = x_p^- \,] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} x_s = x_p \\ \frac{F}{m_s} \le -\frac{F_6 + F_7}{m_p} \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right) \\[5ex]
\oplus\;
\big([\, V_{switch} \mid x_s^- = x_p^- \,] \vee [\, true \,]\big) \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} F_s = F \\ F_p = -(F_6 + F_7) \\ x_s \ge x_p \\ x_s = x_p \Rightarrow v_s \ge v_p \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right)
\end{array}
\right) \;\rhd\; \mathit{Seek} ,
$$

and placing the process in its physical context leads to the following result regarding the re-initializations

$$
\mathit{Context}' \pm \mathit{Seek} \;\approx
$$

$$
\left(
\begin{array}{l}
\left[ V_{switch} \;\middle|\; \begin{array}{l}
x_s^- = x_p^- \\
(v'_s = v'_p = 0) \;\vee\; \exists_{\xi \in [0,1]}\; v_s^+ = \frac{m_s - \xi \cdot m_p}{m_s + m_p} v_s^- + \frac{(1+\xi) \cdot m_p}{m_s + m_p} v_p^- \\
\mathit{margin}^+ \\
\mathit{feedback}^+
\end{array}\right] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} x_s = x_p \\ \frac{F}{m_s} \le -\frac{F_6 + F_7}{m_p} \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right) \\[7ex]
\oplus\;
\left(
\left[ V_{switch} \;\middle|\; \begin{array}{l}
x_s^- = x_p^- \\
(v'_s = v'_p = 0) \;\vee\; \exists_{\xi \in [0,1]}\; v_s^+ = \frac{m_s - \xi \cdot m_p}{m_s + m_p} v_s^- + \frac{(1+\xi) \cdot m_p}{m_s + m_p} v_p^- \\
\mathit{margin}^+ \\
\mathit{feedback}^+
\end{array}\right]
\vee
\left[\begin{array}{l} \mathit{margin}^- \\ \mathit{feedback}^- \end{array}\right]
\right) \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} F_s = F \\ F_p = -(F_6 + F_7) \\ x_s \ge x_p \\ x_s = x_p \Rightarrow v_s \ge v_p \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right)
\end{array}
\right) \;\rhd\; \mathit{Seek} .
$$

Here, we also make use of the observation that the variables in $V_{state}$ cannot change without changing some variables in $V_{switch}$. Otherwise the conditions on feedback would not transfer directly to the re-initialization clauses.


For the given initial conditions, we find

$$
\mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} \;\approx
$$

$$
\left(
\begin{array}{l}
\left[ V_{switch} \;\middle|\; \begin{array}{l}
x_p^- = v_p^- = 0 \\
\mathit{margin}^- \\
x_s^- = x_p^- \\
(v'_s = v'_p = 0) \;\vee\; \exists_{\xi \in [0,1]}\; v_s^+ = \frac{m_s - \xi \cdot m_p}{m_s + m_p} v_s^- \\
\mathit{margin}^+ \\
\mathit{feedback}^+
\end{array}\right] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} x_s = x_p \\ \frac{F}{m_s} \le -\frac{F_6 + F_7}{m_p} \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right) \\[9ex]
\oplus\;
\left(
\left[ V_{switch} \;\middle|\; \begin{array}{l}
x_p^- = v_p^- = 0 \\
\mathit{margin}^- \\
x_s^- = x_p^- \\
(v'_s = v'_p = 0) \;\vee\; \exists_{\xi \in [0,1]}\; v_s^+ = \frac{m_s - \xi \cdot m_p}{m_s + m_p} v_s^- \\
\mathit{margin}^+ \\
\mathit{feedback}^+
\end{array}\right]
\vee
\left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \\ \mathit{feedback}^- \end{array}\right]
\right) \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} F_s = F \\ F_p = -(F_6 + F_7) \\ x_s \ge x_p \\ x_s = x_p \Rightarrow v_s \ge v_p \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right)
\end{array}
\right) \;\rhd\; \mathit{Seek} .
$$

The sensitivity of the detection of the impact relies on $v_{detect}$. If this detection margin is small enough, more precisely if $v_{detect} \le \frac{m_p}{m_s} v_{seek}$, then we obtain the implication

$$
\Big( v_s^+ = \frac{m_s - \xi \cdot m_p}{m_s + m_p} v_s^- \Big) \;\Rightarrow\; \mathit{margin}^+ .
$$

assumption : $v_{detect} \le \frac{m_p}{m_s} v_{seek}$

Under this assumption, parts of the re-initialization clauses cancel out, and we find that the whole process simplifies to

$$
\mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} \;\approx\;
\left(
\begin{array}{l}
[\, x_s^- = x_p^- = v_p^- = 0 \,] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} x_s = x_p \\ \frac{F}{m_s} \le -\frac{F_6 + F_7}{m_p} \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right) \\[5ex]
\oplus\; [\, x_p^- = v_p^- = 0 \,] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} F_s = F \\ F_p = -(F_6 + F_7) \\ x_s \ge x_p \\ x_s = x_p \Rightarrow v_s \ge v_p \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right)
\end{array}
\right) \;\rhd\; \mathit{Seek} .
$$

If furthermore $v_{seek} > v_{detect} > 0$, then $v_s^- \ne 0$ while $v_p^- = 0$.

assumption : $v_{seek} > v_{detect} > 0$

Filling in some of the differential equations from the context gives us $\dot{x}_s = v_s$ and $\dot{x}_p = v_p$ in the first flow clause. This contradicts the equation $x_s = x_p$, leading to deadlock.

$$
\begin{array}{l}
\mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} \\[3ex]
\approx\;
\left(
\begin{array}{l}
\left[\begin{array}{l} x_s^- = x_p^- = 0 \\ v_p^- = 0 \\ v_s^- \ne 0 \end{array}\right] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} x_s = x_p \\ \dot{x}_s = v_s \;\wedge\; v_s(0) \ne 0 \\ \dot{x}_p = v_p \;\wedge\; v_p(0) = 0 \\ \frac{F}{m_s} \le -\frac{F_6 + F_7}{m_p} \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right) \\[7ex]
\oplus\; [\, x_p^- = v_p^- = 0 \,] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} F_s = F \\ F_p = -(F_6 + F_7) \\ x_s \ge x_p \\ x_s = x_p \Rightarrow v_s \ge v_p \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right)
\end{array}
\right) \;\rhd\; \mathit{Seek} \\[3ex]
\approx\; [\, x_p^- = v_p^- = 0 \,] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} F_s = F \\ F_p = -(F_6 + F_7) \\ x_s \ge x_p \\ x_s = x_p \Rightarrow v_s \ge v_p \\ \mathit{margin} \\ \mathit{feedback} \end{array}\right) \;\rhd\; \mathit{Seek} .
\end{array}
$$

Finally, solving some of the differential equations in the context gives us for the remaining flow clause:

$$
\mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} \;\approx\;
\left( V_{switch} \;\middle|\; \begin{array}{l}
v_s \ge -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \le 0 \\
v_s \le -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \ge 0 \\
x_p = v_p = F_p = 0 \\
x_s \ge 0 \\
\mathit{margin} \\
\mathit{feedback}
\end{array}\right) \;\rhd\; \mathit{Seek} .
$$

From this we learn that the initial condition $\big( x_p^- = v_p^- = 0 \;\wedge\; \mathit{margin}^- \big)$ is an invariant of the system. In other words

$$
\mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} \;\approx\;
\left( V_{switch} \;\middle|\; \begin{array}{l}
v_s \ge -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \le 0 \\
v_s \le -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \ge 0 \\
x_p = v_p = F_p = 0 \\
x_s \ge 0 \\
\mathit{margin} \\
\mathit{feedback}
\end{array}\right) \;\rhd\; \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} .
$$

Distribution of the context gives us

$$
\left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} \parallel \mathit{Context}' \;\approx\;
\left(
\left( V_{switch} \;\middle|\; \begin{array}{l}
v_s \ge -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \le 0 \\
v_s \le -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \ge 0 \\
x_p = v_p = F_p = 0 \\
x_s \ge 0 \\
\mathit{margin} \\
\mathit{feedback}
\end{array}\right) \parallel \mathit{Context}'
\right) \;\rhd\;
\left( \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} \parallel \mathit{Context}' \right) ,
$$

and using RSP we find

$$
\mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} \;\approx\;
\left( V_{switch} \;\middle|\; \begin{array}{l}
v_s \ge -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \le 0 \\
v_s \le -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \ge 0 \\
x_p = v_p = F_p = 0 \\
x_s \ge 0 \\
\mathit{margin} \\
\mathit{feedback}
\end{array}\right) .
$$

Clearly, if $v_{max} - v_{seek} \ge v_{detect}$, then $v_s - v_p = v_s \ge -v_{seek} - v_{detect} \ge -v_{max}$.

assumption : $v_{max} - v_{seek} \ge v_{detect}$

We use this assumption to find

$$
\begin{array}{rcl}
\partial_{\neg S}\left( \mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} \right)
&\approx& \partial_{\neg S}\left( V_{switch} \;\middle|\; \begin{array}{l}
v_s \ge -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \le 0 \\
v_s \le -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \ge 0 \\
x_p = v_p = F_p = 0 \\
x_s \ge 0 \\
\mathit{margin} \\
\mathit{feedback}
\end{array}\right) \\[8ex]
&\approx& \left( V_{switch} \;\middle|\; \begin{array}{l}
v_s \ge -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \le 0 \\
v_s \le -v_{seek} \Rightarrow F_s = m_s \dot{v}_s \ge 0 \\
x_p = v_p = F_p = 0 \\
x_s \ge 0 \\
\mathit{margin} \\
\mathit{feedback}
\end{array}\right) \\[8ex]
&\approx& \mathit{Context}' \pm \left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek} ,
\end{array}
$$

from which we may conclude safety of $\left[\begin{array}{l} x_p^- = v_p^- = 0 \\ \mathit{margin}^- \end{array}\right] \gg \mathit{Seek}$ in its physical context. Furthermore, the derivation

$$
\begin{array}{rcl}
\mathit{Context}' \pm \partial_{\neg S}(\mathit{Seek}')
&\approx& \partial_{\neg S}\big( \mathit{Seek} \parallel ( x_s > x_p ) \big) \\[1ex]
&\approx& \partial_{\neg S}\big( \mathit{Seek} \odot ( x_s > x_p ) \parallel ( x_s > x_p ) \big) \\[1ex]
&\approx& \partial_{\neg S}(\mathit{Seek}) \parallel ( x_s > x_p ) \\[1ex]
&\approx& \mathit{Seek} \parallel ( x_s > x_p ) \\[1ex]
&\approx& \mathit{Seek}'
\end{array}
$$

shows safety of $\mathit{Seek}'$ in its physical context using the observation that Seek does not terminate.

7.5.2 Bounce

In the previous subsection, we have seen that the Seek process is safe. Assuming that the Detect process can also be proven safe (which is done in the next subsection, although we use a subtly different physical context $\mathit{Context}''$ there), we may use the axioms that were given at the end of section 7.1 to show that $S$ is an initial condition for the Bounce process.

$$
\begin{array}{rcl}
\mathit{Context}' \pm (\mathit{Seek} \blacktriangleright \mathit{Detect}) \rhd \mathit{impact} \odot \mathit{Bounce}
&\approx& \partial_{\neg S}(\mathit{Seek} \blacktriangleright \mathit{Detect}) \rhd \mathit{impact} \odot \mathit{Bounce} \\[1ex]
&\approx& \partial_{\neg S}(\mathit{Seek} \blacktriangleright \mathit{Detect}) \rhd [\, S^- \,] \gg \mathit{impact} \odot \mathit{Bounce} \\[1ex]
&\approx& \partial_{\neg S}(\mathit{Seek} \blacktriangleright \mathit{Detect}) \rhd \mathit{impact} \odot [\, S^- \,] \gg \mathit{Bounce} \\[1ex]
&\approx& (\mathit{Seek} \blacktriangleright \mathit{Detect}) \rhd \mathit{impact} \odot [\, S^- \,] \gg \mathit{Bounce}
\end{array}
$$

A similar reasoning obviously holds for the PerfectSystem, so that we can restrict ourselves in this subsection to the study of the process

$$
[\, S^- \,] \gg \mathit{Bounce}
$$

in its physical context $\mathit{Context}'$. Elimination of the parallel composition in the Bounce process leads to

$$
\mathit{Context}' \pm [\, S^- \,] \gg \mathit{Bounce} \;\approx\;
\left(
\begin{array}{l}
\left[ V_{switch} \;\middle|\; \begin{array}{l} x_s^- = x_p^- \\ S^- \end{array} \right] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} x_s = x_p \\ F = -F_{sat} \\ \frac{F_{sat}}{m_s} \ge \frac{F_6 + F_7}{m_p} \end{array}\right) \\[5ex]
\oplus\;
\left( \left[ V_{switch} \;\middle|\; \begin{array}{l} x_s^- = x_p^- \\ S^- \end{array} \right] \vee [\, S^- \,] \right) \gg
\left( V_{switch} \;\middle|\; \begin{array}{l} F_s = F = -F_{sat} \\ F_p = -(F_6 + F_7) \\ x_s \ge x_p \\ x_s = x_p \Rightarrow v_s \ge v_p \end{array}\right)
\end{array}
\right) \;\rhd\; \mathit{Bounce}
$$

Now, it is possible to solve the differential equations in the context, but the type of solution depends on whether the roots $b^2 - 4k(m_s + m_p)$ and $b^2 - 4km_p$ of two crucial differential equations are positive or negative. The typical parameter values that are used in [Mateboer, 1999] suggest that both are negative.

assumption : $b^2 - 4km_p < 0$

Solving the differential equations then gives us the following process

$$
\mathit{Context}' \pm [\, S^- \,] \gg \mathit{Bounce} \;\approx
$$

$$
\left(
\begin{array}{l}
\left[ V_{switch} \;\middle|\; \begin{array}{l} x_s^- = x_p^- \\ S^- \end{array} \right] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_s(t) = x_p(t) = -\frac{F_{sat}}{k} + \frac{C_{sp}(0)}{\omega_{sp}} e^{-\theta_{sp} t} \sin(\omega_{sp} t + \phi_{sp}(0)) \\[1ex]
v_s(t) = v_p(t) = -\frac{C_{sp}(0)\sqrt{\theta_{sp}^2 + \omega_{sp}^2}}{\omega_{sp}} e^{-\theta_{sp} t} \sin\!\big(\omega_{sp} t + \phi_{sp}(0) - \arctan\frac{\omega_{sp}}{\theta_{sp}}\big) \\[1ex]
F_s(t) = m_s \frac{C_{sp}(0)(\theta_{sp}^2 + \omega_{sp}^2)}{\omega_{sp}} e^{-\theta_{sp} t} \sin\!\big(\omega_{sp} t + \phi_{sp}(0) - 2\arctan\frac{\omega_{sp}}{\theta_{sp}}\big) \\[1ex]
\frac{b v_p(t) + k x_p(t)}{m_p} \le \frac{F_{sat}}{m_s} \\[1ex]
F_p(t) = \frac{m_p}{m_s} F_s(t)
\end{array}\right) \\[12ex]
\oplus\;
\left( \left[ V_{switch} \;\middle|\; \begin{array}{l} x_s^- = x_p^- \\ S^- \end{array} \right] \vee [\, S^- \,] \right) \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_s(t) = -\frac{F_{sat}}{2 m_s} t^2 + v_s(0)\, t + x_s(0) \\[1ex]
v_s(t) = -\frac{F_{sat}}{m_s} t + v_s(0) \\[1ex]
F_s(t) = F = -F_{sat} \\[1ex]
x_p(t) = \frac{C_p(0)}{\omega_p} e^{-\theta_p t} \sin(\omega_p t + \phi_p(0)) \\[1ex]
v_p(t) = -\frac{C_p(0)\sqrt{\theta_p^2 + \omega_p^2}}{\omega_p} e^{-\theta_p t} \sin\!\big(\omega_p t + \phi_p(0) - \arctan\frac{\omega_p}{\theta_p}\big) \\[1ex]
F_p(t) = m_p \frac{C_p(0)(\theta_p^2 + \omega_p^2)}{\omega_p} e^{-\theta_p t} \sin\!\big(\omega_p t + \phi_p(0) - 2\arctan\frac{\omega_p}{\theta_p}\big) \\[1ex]
x_s \ge x_p \\
x_s = x_p \Rightarrow v_s \ge v_p
\end{array}\right)
\end{array}
\right) \;\rhd\; \mathit{Bounce} ,
$$

in which we use the following abbreviations:

$$
\begin{array}{rcl@{\qquad}rcl}
\omega_{sp} &=& \dfrac{\sqrt{4k(m_s + m_p) - b^2}}{2(m_s + m_p)} & \omega_p &=& \dfrac{\sqrt{4km_p - b^2}}{2m_p} \\[2ex]
\theta_{sp} &=& \dfrac{b}{2(m_s + m_p)} & \theta_p &=& \dfrac{b}{2m_p} \\[2ex]
C_{sp} &=& \mathrm{sgn}(v_p) \sqrt{v_p^2 - \dfrac{(F_{sat} + k x_p) F_p}{k m_p}} & C_p &=& \mathrm{sgn}(v_p) \sqrt{v_p^2 - \dfrac{x_p F_p}{m_p}} \\[2ex]
\phi_{sp} &=& \arcsin\left( \dfrac{(F_{sat} + k x_p)\, \omega_{sp}}{k\, C_{sp}} \right) & \phi_p &=& \arcsin\left( \dfrac{x_p\, \omega_p}{C_p} \right) .
\end{array}
$$

One may verify that $C_{sp}$ and $C_p$ are always real valued under the assumption of negative roots. In figures 7.3 and 7.4 typical trajectories of the sled and PCB are depicted in the connected mode (corresponding to the first flow-clause) and disconnected mode (corresponding to the second flow-clause), respectively. Note that they have been depicted over a different time interval, because the disconnected trajectory is only relevant between (partly elastic) collisions, while we have chosen the parameters such that after an inelastic collision the sled and PCB typically do not disconnect anymore. This sticking phenomenon is studied in more detail further on in this section. Note that because generally the sled is heavier than the PCB, the sled will still have a downward velocity after the first impact. This is why there is no up-going part in the second trajectory.

Figure 7.3 Typical trajectory of a connected PCB and sled (plot of displacement against time)

Figure 7.4 Typical trajectory of a disconnected PCB and sled between bounces (plot of displacement against time)

From the previous section, we may conclude that the difference in velocity between sled and PCB at the first impact is certain to be within safety margins. However, if we study the disconnected trajectory after impact, we see that the difference in velocity between PCB and sled may increase if the sled is heavier than the mass (which is a reasonable assumption), or if the force on the PCB gives it enough acceleration between collisions (which also turns out to be a possibility for reasonable parameter values). To illustrate what happens if the sled is heavier than the mass, we put $\xi = 1$, $F_{sat} = 0$ and $m_s = 2m_p$. After an initial velocity before collision of $v_s^-$, we find $v_s^+ = \frac{m_s - \xi m_p}{m_s + m_p} v_s^- = \frac{1}{3} v_s^-$ and $v_p^+ = \frac{(1+\xi) m_s}{m_s + m_p} v_s^- = \frac{4}{3} v_s^-$. Using $v_s^- = -v_{seek}$ as initial value, simulation gives us the trajectory depicted in figure 7.5 and the ratio between $v_s$ and $v_{seek}$ depicted in figure 7.6. This ratio is about 120% at the moment of the second collision, which means that there must be a difference of at least 20% between $v_{seek}$ and $v_{max}$ in order to be safe.

Figure 7.5 Trajectory of a disconnected PCB and sled, without pressing (plot of displacement against time)

Figure 7.6 Ratio between PCB velocity and initial velocity, without pressing (plot of velocity ratio against time)

A slight variation in parameter values, and a more realistic value for $F_{sat}$, are used to illustrate the influence of the pressing force on safety of the second collision.


Simulations for this case are depicted in figures 7.7 and 7.8. Although the ratio between vs and vseek is only 105% for this case, it still means that the second impact is possibly unsafe.

Figure 7.7 Trajectory of a disconnected PCB and sled, with pressing (plot of displacement against time)

Figure 7.8 Ratio between PCB velocity and initial velocity, with pressing (plot of velocity ratio against time)

We have not been able to derive an analytic value for a safe margin between $v_{seek}$ and $v_{max}$. However, because the problem seems to be caused by the fact that after the first bounce a second bounce is possible, we have taken up the task of finding conditions for safety under the assumption that all collisions are inelastic.

assumption : all collisions are inelastic

Whether this assumption is reasonable in practice, or can be made reasonable by redesigning for example the mechanics in the tip of the sled, is a subject for future research.


7.5.3 Inelastic bounce

The assumption of inelastic collisions can be modeled by placing the existing model in the following physical context.

$$
\mathit{Inelastic} :\; \big([\, V_{state} \mid v_s^+ = v_p^+ \,] \vee [\, true \,]\big) \gg \big( V_{state} \mid true \big) \;\rhd\; \mathit{Inelastic}
$$

This context simply models that discontinuous changes in the velocity will always result in an equal velocity of sled and PCB. Calculation on the combined contexts gives us:

$$
\mathit{Context}' \parallel \mathit{Inelastic} \;\approx_r\;
\left[\, V_{state} \;\middle|\;
\begin{array}{l}
\mathit{consistent}^- \\[1ex]
(p'_s = p'_p = 0) \;\vee\;
\left\{\begin{array}{l}
E_s^+ = \dfrac{m_s^2 (p_s^- + p_p^-)^2}{2 m_s (m_s + m_p)^2} \\[2ex]
E_p^+ = \dfrac{m_p^2 (p_s^- + p_p^-)^2}{2 m_p (m_s + m_p)^2} \\[2ex]
p_s^+ = \dfrac{m_s}{m_s + m_p} (p_s^- + p_p^-) \\[2ex]
p_p^+ = \dfrac{m_p}{m_s + m_p} (p_s^- + p_p^-)
\end{array}\right. \\[1ex]
E'_s = -E'_3 \qquad E'_4 = E'_p \\
p'_s = -p'_3 \qquad p'_4 = p'_p
\end{array}\right] \gg
\big( V_{state} \mid \mathit{consistent} \big) \;\rhd\; (\mathit{Context}' \parallel \mathit{Inelastic})
$$

We are interested in the case where, after the initial collision, the sled and PCB do not disconnect anymore. From the flow-clauses we may derive that the condition for connection is

$$
\frac{F_6 + F_7}{m_p} \le \frac{F_{sat}}{m_s} .
$$

Next, we investigate when this condition becomes invariant. Filling in the solutions of the differential equations gives us

$$
\frac{C_{sp}(0)}{\omega_{sp}} e^{-\theta_{sp} t} \left( k \sin(\omega_{sp} t + \phi_{sp}(0)) - b \sqrt{\theta_{sp}^2 + \omega_{sp}^2}\, \sin\!\Big(\omega_{sp} t + \phi_{sp}(0) - \arctan\frac{\omega_{sp}}{\theta_{sp}}\Big) \right) \le \left( \frac{m_p}{m_s} + 1 \right) F_{sat} ,
$$

and with some trigonometrics (using Mathematica):

$$
\frac{C_{sp}(0)}{\omega_{sp}} e^{-\theta_{sp} t} \sqrt{b^2 \omega_{sp}^2 + (k - b\theta_{sp})^2}\; \sin\!\Big(\omega_{sp} t + \phi_{sp}(0) + \arctan\frac{k - b\theta_{sp}}{b\, \omega_{sp}} - \pi\Big) \le \left( \frac{m_p}{m_s} + 1 \right) F_{sat} .
$$

Clearly, this holds for all $t > 0$ if

$$
\frac{|C_{sp}(0)|}{\omega_{sp}} \sqrt{b^2 \omega_{sp}^2 + (k - b\theta_{sp})^2} \le \left( \frac{m_p}{m_s} + 1 \right) F_{sat}
$$

and $\sqrt{b^2 \omega_{sp}^2 + (k - b\theta_{sp})^2} = k$, so we may also write

$$
|C_{sp}(0)| \le \frac{(m_s + m_p)\, \omega_{sp}}{m_s k} F_{sat} .
$$

The definition of $C_{sp}(0)$ gives us

$$
\left| \mathrm{sgn}(v_p(0)) \sqrt{v_p(0)^2 - \frac{(F_{sat} + k x_p(0))\, F_p(0)}{k m_p}} \right| \le \frac{(m_s + m_p)\, \omega_{sp}}{m_s k} F_{sat} .
$$

And because both sides are positive

$$
v_p(0)^2 - \frac{(F_{sat} + k x_p(0))\, F_p(0)}{k m_p} \le \frac{(m_s + m_p)^2 \omega_{sp}^2}{m_s^2 k^2} F_{sat}^2 .
$$

We have $F_p = -\frac{m_p (F_{sat} + k x_p + b v_p)}{m_s + m_p}$ and $\omega_{sp} = \frac{\sqrt{4(m_s + m_p)k - b^2}}{2(m_s + m_p)}$, which leads to

$$
v_p(0)^2 + \frac{(F_{sat} + k x_p(0))(F_{sat} + k x_p(0) + b v_p(0))}{k (m_s + m_p)} - \frac{4k(m_s + m_p) - b^2}{4 m_s^2 k^2} F_{sat}^2 \le 0 .
$$

The right-hand side of this equation is a parabola in $F_{sat}$, with an extremum for

$$
F_{sat} = F_{ext} = -\frac{2 k m_s^2 \big(b v_p(0) + 2 k x_p(0)\big)}{b^2 (m_s + m_p) - 4 k m_p (m_p + 2 m_s)}
$$

and poles at

$$
\begin{array}{rcl}
F_{sat} &=& F_{ext} \pm F_{poles} \\[2ex]
F_{poles} &=& \dfrac{4 k m_s (m_s + m_p)\, \omega_{sp}}{b^2 (m_s + m_p) - 4 k m_p (m_p + 2 m_s)} \cdot \sqrt{m_p (m_p + 2 m_s)\, v_p(0)^2 + b (m_p + m_s)\, v_p(0)\, x_p(0) + k (m_p + m_s)\, x_p(0)^2}
\end{array}
$$

The condition holds in the extremum if either

mp (mp + 2ms )vp (0)2 + b(mp + ms )vp (0)xp (0) + k(mp + ms )xp (0)2 ≤ 0

or 4kmp (mp + 2ms ) − b2 (mp + ms ) ≥ 0

but not both (unless one equals zero). The poles are real-valued if mp (mp + 2ms )vp (0)2 + b(mp + ms )vp (0)xp (0) + k(mp + ms )xp (0)2 ≥ 0 .

Because we assumed earlier that $4km_p - b^2 > 0$, we also find $4km_p(m_p + 2m_s) - b^2(m_p + m_s) > (4km_p - b^2)(m_p + m_s) > 0$. Furthermore, by treating $m_p(m_p + 2m_s)\, v_p(0)^2 + b(m_p + m_s)\, v_p(0)\, x_p(0) + k(m_p + m_s)\, x_p(0)^2 \le 0$ as a parabola in $v_p(0)$ we find that this condition only holds if $4km_p(m_p + 2m_s) - b^2(m_p + m_s) \le 0$ or if $v_p(0) = x_p(0) = 0$. Finally, we may define the stick-force as

$$
F_{stick} = \frac{-2 k m_s^2 (b v_p + 2 k x_p)}{b^2 (m_s + m_p) - 4 k m_p (m_p + 2 m_s)} + \frac{4 k m_s (m_s + m_p)\, \omega_{sp} \sqrt{m_p (m_p + 2 m_s)\, v_p^2 + b (m_p + m_s)\, v_p x_p + k (m_p + m_s)\, x_p^2}}{b^2 (m_s + m_p) - 4 k m_p (m_p + 2 m_s)}
$$

and conclude that under the condition $F_{sat} \ge F_{stick}$ the sled will not disconnect from the PCB. In other words, no mode switching will occur anymore. More strongly, as soon as the above condition is satisfied, it also becomes invariant itself. Furthermore, we may use the fact that impacts are inelastic to show that the only impact leading to the disconnected mode takes place at precisely the equilibrium point $x_p = x_s = -\frac{F_{sat}}{k}$. We obtain the following representation of our system:

$$
\big(\mathit{Context}' \parallel \mathit{Inelastic}\big) \pm [\, S^- \,] \gg \mathit{Bounce} \;\approx
$$

$$
\left(
\begin{array}{l}
\left[ V_{switch} \;\middle|\; \begin{array}{l} x_s^- = x_p^- \\ S^- \\ F_{sat} < F_{stick}^+ \end{array} \right] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_s(t) = x_p(t) = -\frac{F_{sat}}{k} + \frac{C_{sp}(0)}{\omega_{sp}} e^{-\theta_{sp} t} \sin(\omega_{sp} t + \phi_{sp}(0)) \\[1ex]
v_s(t) = v_p(t) = -\frac{C_{sp}(0)\sqrt{\theta_{sp}^2 + \omega_{sp}^2}}{\omega_{sp}} e^{-\theta_{sp} t} \sin\!\big(\omega_{sp} t + \phi_{sp}(0) - \arctan\frac{\omega_{sp}}{\theta_{sp}}\big) \\[1ex]
F_s(t) = m_s \frac{C_{sp}(0)(\theta_{sp}^2 + \omega_{sp}^2)}{\omega_{sp}} e^{-\theta_{sp} t} \sin\!\big(\omega_{sp} t + \phi_{sp}(0) - 2\arctan\frac{\omega_{sp}}{\theta_{sp}}\big) \\[1ex]
\frac{b v_p(t) + k x_p(t)}{m_p} \le \frac{F_{sat}}{m_s} \\[1ex]
F_p(t) = \frac{m_p}{m_s} F_s(t)
\end{array}\right) \\[12ex]
\oplus\;
\left(
\left[ V_{switch} \;\middle|\; \begin{array}{l} x_s^- = x_p^- = -\frac{F_{sat}}{k} \\ v_s^+ = v_p^+ = 0 \\ S^- \end{array} \right]
\vee
\left[ \begin{array}{l} x_s^- > x_p^- \\ S^- \end{array} \right]
\right) \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_s(t) = -\frac{F_{sat}}{2 m_s} t^2 + v_s(0)\, t + x_s(0) \\[1ex]
v_s(t) = -\frac{F_{sat}}{m_s} t + v_s(0) \\[1ex]
F_s(t) = F = -F_{sat} \\[1ex]
x_p(t) = \frac{C_p(0)}{\omega_p} e^{-\theta_p t} \sin(\omega_p t + \phi_p(0)) \\[1ex]
v_p(t) = -\frac{C_p(0)\sqrt{\theta_p^2 + \omega_p^2}}{\omega_p} e^{-\theta_p t} \sin\!\big(\omega_p t + \phi_p(0) - \arctan\frac{\omega_p}{\theta_p}\big) \\[1ex]
F_p(t) = m_p \frac{C_p(0)(\theta_p^2 + \omega_p^2)}{\omega_p} e^{-\theta_p t} \sin\!\big(\omega_p t + \phi_p(0) - 2\arctan\frac{\omega_p}{\theta_p}\big) \\[1ex]
x_s \ge x_p \\
x_s = x_p \Rightarrow v_s \ge v_p
\end{array}\right)
\end{array}
\right) \;\rhd\; \mathit{Bounce} \;\oplus\; \mathit{Press}
$$

with

$$
\mathit{Press} :\;
\left[ V_{switch} \;\middle|\; \begin{array}{l} x_s^- = x_p^- \\ S^- \end{array} \right] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_s(t) = x_p(t) = -\frac{F_{sat}}{k} + \frac{C_{sp}(0)}{\omega_{sp}} e^{-\theta_{sp} t} \sin(\omega_{sp} t + \phi_{sp}(0)) \\[1ex]
v_s(t) = v_p(t) = -\frac{C_{sp}(0)\sqrt{\theta_{sp}^2 + \omega_{sp}^2}}{\omega_{sp}} e^{-\theta_{sp} t} \sin\!\big(\omega_{sp} t + \phi_{sp}(0) - \arctan\frac{\omega_{sp}}{\theta_{sp}}\big) \\[1ex]
F_s(t) = m_s \frac{C_{sp}(0)(\theta_{sp}^2 + \omega_{sp}^2)}{\omega_{sp}} e^{-\theta_{sp} t} \sin\!\big(\omega_{sp} t + \phi_{sp}(0) - 2\arctan\frac{\omega_{sp}}{\theta_{sp}}\big) \\[1ex]
F_p(t) = \frac{m_p}{m_s} F_s(t) \\[1ex]
F_{sat} \ge F_{stick}(t)
\end{array}\right)
$$
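The momentum re-initialization of $\mathit{Context}'$ with collision coefficient $\xi$ (introduced at the start of this chapter's simplification) and the stick-force bound just derived, checked numerically. This is an added example, not code or data from the thesis: the masses, spring constant, damping and initial state are constructed values, and the phase of the connected mode is computed with atan2 instead of the arcsin abbreviation (same trajectory, but defined when $v_p(0) = 0$).

```python
"""Constructed check of two derivations from this chapter: the momentum
re-initialization of Context' with collision coefficient xi, and the stick
force of section 7.5.3 for the connected mode of Bounce.  All numbers used
here are constructed for illustration; none are taken from the thesis."""
import math


def reinit(ps_m, pp_m, ms, mp, xi):
    """Re-initialization clause of Context': momenta after a collision with
    coefficient xi in [0, 1], given the momenta before it."""
    ps_p = (ms - xi * mp) / (ms + mp) * ps_m + (1 + xi) * ms / (ms + mp) * pp_m
    pp_p = (mp - xi * ms) / (ms + mp) * pp_m + (1 + xi) * mp / (ms + mp) * ps_m
    return ps_p, pp_p


def energy_change(ps_m, pp_m, ps_p, pp_p, ms, mp):
    """E'_s + E'_p: kinetic energy gained across the jump (must be <= 0)."""
    return (ps_p**2 - ps_m**2) / (2 * ms) + (pp_p**2 - pp_m**2) / (2 * mp)


def connected_mode(k, b, ms, mp, f_sat, xp0, vp0):
    """Closed-form x_p(t), v_p(t) of the connected mode (first flow clause of
    Bounce), where sled and PCB move as one mass m_s + m_p around -F_sat/k.
    The phase is taken with atan2 rather than the arcsin of the text; both give
    the same trajectory, but atan2 stays defined when v_p(0) = 0."""
    theta = b / (2 * (ms + mp))                                     # theta_sp
    omega = math.sqrt(4 * k * (ms + mp) - b * b) / (2 * (ms + mp))  # omega_sp
    y0 = xp0 + f_sat / k                  # displacement from the equilibrium
    amp = math.hypot(y0, (vp0 + theta * y0) / omega)   # = |C_sp(0)| / omega_sp
    phi = math.atan2(omega * y0, vp0 + theta * y0)     # phi_sp(0)

    def xp(t):
        return -f_sat / k + amp * math.exp(-theta * t) * math.sin(omega * t + phi)

    def vp(t):
        return (-amp * math.hypot(theta, omega) * math.exp(-theta * t)
                * math.sin(omega * t + phi - math.atan(omega / theta)))

    return xp, vp, amp * omega            # third value is |C_sp(0)|


def ode_residual(k, b, ms, mp, f_sat, xp0, vp0, horizon=0.3, steps=300, h=1e-4):
    """Largest violation of (m_s+m_p) x_p'' + b v_p + k x_p + F_sat = 0 along the
    closed form, with x_p'' taken by central differences; checks that v_p is
    really the derivative of x_p and that both solve the connected-mode ODE."""
    xp, vp, _ = connected_mode(k, b, ms, mp, f_sat, xp0, vp0)
    worst = 0.0
    for i in range(1, steps + 1):
        t = i * horizon / steps
        acc = (xp(t + h) - 2 * xp(t) + xp(t - h)) / (h * h)
        worst = max(worst, abs((ms + mp) * acc + b * vp(t) + k * xp(t) + f_sat))
    return worst


def amplitude_ok(k, b, ms, mp, f_sat, xp0, vp0):
    """Sufficient condition of 7.5.3 for the two bodies to stay connected:
    |C_sp(0)| <= (m_s + m_p) omega_sp F_sat / (m_s k)."""
    omega = math.sqrt(4 * k * (ms + mp) - b * b) / (2 * (ms + mp))
    _, _, csp = connected_mode(k, b, ms, mp, f_sat, xp0, vp0)
    return csp <= (ms + mp) * omega * f_sat / (ms * k)


def stick_force(k, b, ms, mp, xp0, vp0):
    """F_stick as the larger root of the quadratic in F_sat from 7.5.3,
    v_p^2 + (F_sat + k x_p)(F_sat + k x_p + b v_p)/(k(m_s+m_p))
           - (4k(m_s+m_p) - b^2) F_sat^2 / (4 m_s^2 k^2) <= 0,
    which is the squared form of the amplitude condition above."""
    d = ms + mp
    a = (b * b * d - 4 * k * mp * (mp + 2 * ms)) / (4 * ms**2 * k**2 * d)
    c1 = (2 * k * xp0 + b * vp0) / (k * d)
    c0 = vp0**2 + k * xp0 * (k * xp0 + b * vp0) / (k * d)
    disc = math.sqrt(c1 * c1 - 4 * a * c0)
    return max((-c1 + disc) / (2 * a), (-c1 - disc) / (2 * a))


def stays_connected(k, b, ms, mp, f_sat, xp0, vp0, horizon=0.3, steps=3000):
    """Sample the connection condition (b v_p + k x_p)/m_p <= F_sat/m_s along
    the closed-form connected trajectory."""
    xp, vp, _ = connected_mode(k, b, ms, mp, f_sat, xp0, vp0)
    return all((b * vp(t) + k * xp(t)) / mp <= f_sat / ms + 1e-9
               for t in (i * horizon / steps for i in range(steps + 1)))


if __name__ == "__main__":
    # Constructed masses with m_s = 2 m_p, as in the elastic example of 7.5.2.
    ms, mp = 2.0, 1.0
    ps_p, pp_p = reinit(ms * -1.0, 0.0, ms, mp, xi=1.0)
    print("elastic: v_s+ =", ps_p / ms, " v_p+ =", pp_p / mp)   # -1/3, -4/3
    # Constructed spring/damper with 4 k m_p > b^2, so both roots are negative.
    k, b, xp0, vp0 = 1.0e4, 20.0, 0.0, -0.5
    f_stick = stick_force(k, b, ms, mp, xp0, vp0)
    print("F_stick =", round(f_stick, 2), "N; connected at 1.01 F_stick:",
          stays_connected(k, b, ms, mp, 1.01 * f_stick, xp0, vp0))
```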

                                

Chapter 7 Modeling and control of a component mounter

When x_p = x_s = −F_sat/k and v_s = v_p = 0, all derivatives are zero for both flow-clauses. So this part of the solution of the second flow-clause is already known. Using derivation rule (10) we may split off this solution. Some additional calculations then lead to:

$$
\begin{array}{l}
[S^-] \gg (\mathit{Context}' \parallel \mathit{Inelastic}) \approx \\[6pt]
\quad [x_s^- = x_p^-] \gg [S^-] \gg [F_{sat} < F_{stick}^+] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_s(t) = x_p(t) = -\frac{F_{sat}}{k} + \frac{C_{sp}(0)}{\omega_{sp}}\, e^{-\theta_{sp} t} \sin\left(\omega_{sp} t + \phi_{sp}(0)\right) \\
v_s(t) = v_p(t) = -\frac{C_{sp}(0)\sqrt{\theta_{sp}^2 + \omega_{sp}^2}}{\omega_{sp}}\, e^{-\theta_{sp} t} \sin\left(\omega_{sp} t + \phi_{sp}(0) - \arctan\frac{\omega_{sp}}{\theta_{sp}}\right) \\
F_s(t) = m_s \frac{C_{sp}(0)\left(\theta_{sp}^2 + \omega_{sp}^2\right)}{\omega_{sp}}\, e^{-\theta_{sp} t} \sin\left(\omega_{sp} t + \phi_{sp}(0) - 2\arctan\frac{\omega_{sp}}{\theta_{sp}}\right) \\
\frac{b\, v_p(t) + k\, x_p(t)}{m_p} \le \frac{F_{sat}}{m_s} \\
F_p(t) = \frac{m_p}{m_s} F_s(t)
\end{array} \right) \\[6pt]
\oplus \quad \left[ x_s^- = x_p^- = -\frac{F_{sat}}{k} \wedge v_s^+ = v_p^+ = 0 \right] \gg [S^-] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_p(t) = x_s(t) = -\frac{F_{sat}}{k} \\
v_p(t) = v_s(t) = 0 \\
F_p(t) = F_s(t) = 0
\end{array} \right) \\[6pt]
\oplus \quad [x_s^- > x_p^-] \gg [S^-] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_s(t) = -\frac{F_{sat}}{2 m_s} t^2 + v_s(0)\, t + x_s(0) \\
v_s(t) = -\frac{F_{sat}}{m_s} t + v_s(0) \\
F_s(t) = F = -F_{sat} \\
x_p(t) = \frac{C_p(0)}{\omega_p}\, e^{-\theta_p t} \sin\left(\omega_p t + \phi_p(0)\right) \\
v_p(t) = -\frac{C_p(0)\sqrt{\theta_p^2 + \omega_p^2}}{\omega_p}\, e^{-\theta_p t} \sin\left(\omega_p t + \phi_p(0) - \arctan\frac{\omega_p}{\theta_p}\right) \\
F_p(t) = m_p \frac{C_p(0)\left(\theta_p^2 + \omega_p^2\right)}{\omega_p}\, e^{-\theta_p t} \sin\left(\omega_p t + \phi_p(0) - 2\arctan\frac{\omega_p}{\theta_p}\right) \\
x_s \ge x_p \\
x_s = x_p \Rightarrow v_s \ge v_p
\end{array} \right) \rhd \mathit{Bounce} \\[6pt]
\oplus \quad \mathit{Press}.
\end{array}
$$

Reversely, we observe that the same solution is also a solution of the first flow-clause, which means we can merge the two and obtain:

$$
\begin{array}{l}
[S^-] \gg (\mathit{Context}' \parallel \mathit{Inelastic}) \approx \\[6pt]
\quad [x_s^- = x_p^-] \gg [S^-] \gg [F_{sat} < F_{stick}^+] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_s(t) = x_p(t) = -\frac{F_{sat}}{k} + \frac{C_{sp}(0)}{\omega_{sp}}\, e^{-\theta_{sp} t} \sin\left(\omega_{sp} t + \phi_{sp}(0)\right) \\
v_s(t) = v_p(t) = -\frac{C_{sp}(0)\sqrt{\theta_{sp}^2 + \omega_{sp}^2}}{\omega_{sp}}\, e^{-\theta_{sp} t} \sin\left(\omega_{sp} t + \phi_{sp}(0) - \arctan\frac{\omega_{sp}}{\theta_{sp}}\right) \\
F_s(t) = m_s \frac{C_{sp}(0)\left(\theta_{sp}^2 + \omega_{sp}^2\right)}{\omega_{sp}}\, e^{-\theta_{sp} t} \sin\left(\omega_{sp} t + \phi_{sp}(0) - 2\arctan\frac{\omega_{sp}}{\theta_{sp}}\right) \\
\frac{b\, v_p(t) + k\, x_p(t)}{m_p} \le \frac{F_{sat}}{m_s} \\
F_p(t) = \frac{m_p}{m_s} F_s(t)
\end{array} \right) \\[6pt]
\oplus \quad [x_s^- > x_p^-] \gg [S^-] \gg
\left( V_{switch} \;\middle|\; \begin{array}{l}
x_s(t) = -\frac{F_{sat}}{2 m_s} t^2 + v_s(0)\, t + x_s(0) \\
v_s(t) = -\frac{F_{sat}}{m_s} t + v_s(0) \\
F_s(t) = F = -F_{sat} \\
x_p(t) = \frac{C_p(0)}{\omega_p}\, e^{-\theta_p t} \sin\left(\omega_p t + \phi_p(0)\right) \\
v_p(t) = -\frac{C_p(0)\sqrt{\theta_p^2 + \omega_p^2}}{\omega_p}\, e^{-\theta_p t} \sin\left(\omega_p t + \phi_p(0) - \arctan\frac{\omega_p}{\theta_p}\right) \\
F_p(t) = m_p \frac{C_p(0)\left(\theta_p^2 + \omega_p^2\right)}{\omega_p}\, e^{-\theta_p t} \sin\left(\omega_p t + \phi_p(0) - 2\arctan\frac{\omega_p}{\theta_p}\right) \\
x_s \ge x_p \\
x_s = x_p \Rightarrow v_s \ge v_p
\end{array} \right) \rhd \mathit{Bounce} \\[6pt]
\oplus \quad \mathit{Press}
\end{array}
$$

To illustrate what happens if F_sat < F_stick⁺, a simulation has been carried out. If initially x_s⁻ = x_p⁻ = v_p⁻ = 0 and 0 > v_s⁻ > −v_max (i.e. if the initial impact is immediately detected), we find


is a topology on X, with B_ε(A) = {y | ∃_{x∈A} d(x, y) < ε}. This topology is called the natural topology of d. The open sets in the natural topology of a metric are thus formed by unions of so-called ε-balls, i.e. regions of points that are less than a distance ε away from a central point. Metrics provide an intuitive way to define topologies, but not all topologies can be defined by metrics! Still, in some of our more complex proofs (see for example theorem 12) we need the assumption that our topologies are metric. Fortunately, this is not a severe restriction in the context of hybrid systems modeling.

A core notion in topological theory is that of a limit. A limit point of a sequence is a point that is approximated by that sequence. In other words, as the sequence proceeds, it gets ever nearer to its limit point. A generalization of the notion of sequence is that of a so-called net.

Definition 49 (Directed set) A pair < D, ≤ > with ≤ ⊆ D × D is a directed pair if
• x ≤ x, for all x ∈ D,
• x ≤ y ∧ y ≤ z ⇒ x ≤ z, for all x, y, z ∈ D, and
• ∃_z x ≤ z ∧ y ≤ z, for all x, y ∈ D.
The set D is also called a directed set in this case.

Definition 50 (Nets and sequences) Let < X, T > be a topological space and < D, ≤ > be a directed pair, then a function n ∈ D → X is called a net on < X, T >. A sequence on < X, T > is a special kind of net, where D = N.

In topology, two types of limits are used. If a sequence approximates one point, we say it converges, while if it approximates a number of points alternatingly we say it clusters. In this thesis, the cluster points of sequences turn out to be of great importance, because the switching behavior of hybrid systems leads to alternation in sequences that do not always converge.


Definition 51 (Convergence and cluster points) Let n ∈ D → X be a net or sequence on a topological space < X, T >. A point x ∈ X is a convergence point of n if

∀_{x∈U∈T} ∃_{d∈D} ∀_{d′≥d} n(d′) ∈ U.

This is also denoted n → x. A point x ∈ X is a cluster point of n if

∀_{x∈U∈T} ∀_{d∈D} ∃_{d′≥d} n(d′) ∈ U.

This is also denoted n ⊸ x. Note that n → x implies n ⊸ x. Intuitively, for a sequence n, we have n ⊸ x if there exists a subsequence n′ of n such that n′ → x. This is made more precise in [Eisenberg, 1974, Dugundji, 1966].

A function (or mapping) that preserves convergence points (and therefore also cluster points) is called continuous.

Definition 52 (Continuity) Let < X, T > and < X′, T′ > be two topological spaces. A function f ∈ X → X′ is continuous around a point x′ ∈ X′ if for every open set U′ ∈ T′ with x′ ∈ U′ the set f^{−1}(U′) = {x ∈ X | f(x) ∈ U′} is open in T.

Theorem 37 (Preservation of convergence) A function f ∈ X → X′ is continuous if and only if n → x implies f(n) → f(x) for every net n.

Sometimes, this theorem is used as an alternative definition of continuity. In certain topologies, there may be points that cannot be distinguished by convergence. For many purposes, it is convenient if such topologies are excluded. Topologies in which all points can be distinguished by convergence are called Hausdorff.

Definition 53 (Hausdorff) A topological space < X, T > is a Hausdorff space iff for every net n we find that n → x ∧ n → y ⇒ x = y.

Because metrics are defined in such a way that there is always a positive distance between different points, all metric spaces are Hausdorff.

Theorem 38 Any topological space with a metric topology is Hausdorff.

Without going into details, we would like to mention here that for some topological spaces it suffices to study only sequences. That is, if two points cannot be distinguished using sequences in those spaces, they can also not be distinguished using nets. Such spaces are called first countable. Indeed, all metric spaces are first countable, which allows us to talk about sequences rather than nets in this thesis. Details about first countability can be found in [Eisenberg, 1974, Dugundji, 1966, Berge, 1963].

The discrete topology on a space is the topology that considers all points to be distinct from each other. No point is near to any other, and therefore any sequence with a convergence point must be constant in that point from a certain point onwards. This leads to the following theorems.


Appendix A Definitions and theorems from topology

Theorem 39 (Discrete topology) Let < X, T > be a topological space with the discrete topology, i.e. with T = P(X). This space is a Hausdorff space, which furthermore has the properties that
• for every net n on < X, T > we find that n → x implies there is a d with n(d′) = x for all d′ ≥ d,
• every function f ∈ X → Y is continuous in every point.

The indiscrete topology on a space is the topology that considers all points to be near to every other. Therefore, any sequence converges to any point.

Theorem 40 (Indiscrete topology) Let < Y, T > be a topological space with the indiscrete topology, i.e. with T = {∅, Y}. This space is not a Hausdorff space (unless Y = ∅), but it has the following properties:
• for every net n on < Y, T > and every y ∈ Y we find that n → y,
• every surjective function f ∈ X → Y is continuous.

The notion of compactness describes that there are no sequences that get ‘far away’. In other words, every sequence has a cluster point in the set.

Definition 54 (Compactness) Let < X, T > be a topological space. A set X′ ⊆ X is a compact subset of X if every net n ∈ D → X′ has a cluster point n ⊸ x ∈ X′.

If convergence points are unique, then compactness implies closedness.

Theorem 41 Let < X, T > be a topological space with a Hausdorff topology, then every compact subset X′ ⊆ X is closed.

It is the intuition of many mathematicians who work in the field of topology that compactness is the topological counterpart of finiteness [Eisenberg, 1974]. The precise formalization of this intuition is outside the scope of this thesis, but a nice illustration is the observation that finiteness and compactness coincide for the discrete topology.

Theorem 42 (Discrete topology) Let < X, T > be a topological space with the discrete topology, then a subset X′ ⊆ X is compact if and only if it is finite.

In chapter 2 some more theorems from topology are used. However, those theorems are often not as standard as the ones above. We refer to them when needed, including chapter and paragraph numbers of the book in which they can be found.

Appendix B

Robust bisimulation coincides with stateless bisimulation

In the proof of theorem 22, we claimed that the notion of robust bisimilarity coincides with the notion of bisimilarity used in [Cuijpers and Reniers, 2003a, Mousavi et al., 2004]. In this appendix, we substantiate that claim. Firstly, the notion of bisimilarity on process terms from [Cuijpers and Reniers, 2003a, Mousavi et al., 2004] is defined as follows:

Definition 55 (Stateless Bisimilarity) A relation R ⊆ T(V_r) × T(V_r) on process terms is a stateless bisimulation relation if for all p, q ∈ T(V_r) such that p R q, and for all valuations ν, ν′ ∈ Val and labels l ∈ A ∪ Σ, we find
• < p, ν > ✓ implies < q, ν > ✓;
• < q, ν > ✓ implies < p, ν > ✓;
• for every p′ with < p, ν > →^l < p′, ν′ > there exists q′ s.t. < q, ν > →^l < q′, ν′ > and p′ R q′;
• for every q′ with < q, ν > →^l < q′, ν′ > there exists p′ s.t. < p, ν > →^l < p′, ν′ > and p′ R q′.
Two process terms x and y are stateless bisimilar, denoted x ↔_s y, if there exists a stateless bisimulation relation that relates them.

Now we will show that the two notions coincide. But before we do so, we need to pose a lemma that states that transitions that are labelled with a certain valuation end in a state with that same valuation.


Lemma 5 (Labeling) A transition labelled with a valuation leads to a state with that same valuation:
• If < x, ν > ↦^{a,ν′} < y, ν′′ > then ν′ = ν′′;
• If < x, ν > ⇝^σ < y, ν′ > and dom(σ) = [0, t] then ν′ = σ(t).
Proof This is obvious from the semantics of HyPA. It trivially holds for atomic processes, and all semantical rules of the operators of HyPA preserve this connection between labeling and state. ⊠

Theorem 43 For all process terms p, q ∈ T(V_r), we find p ↔ q iff p ↔_s q.
Proof We start by showing that ↔_s ⊆ ↔. In order to do this, suppose that two process terms p and q are stateless bisimilar (p ↔_s q), and that R is a relation that witnesses this equivalence. Then we define a relation S = {((x, ν), (y, ν)) | x R y, ν ∈ Val}. It is straightforward to verify that this is a bisimulation relation in the sense of this paper, and furthermore, if (x, ν) S (y, ν′), then ν = ν′ and hence ι(ν) = ι(ν′) for every interference ι. Finally, we observe that (x, ν′′) S (y, ν′′) for every ν′′ ∈ Val, and particularly for every ι(ν). Hence S is robust, and witnesses p ↔ q.

Now, we will show that ↔ ⊆ ↔_s. Suppose that we have process terms p and q that are robustly bisimilar (p ↔ q), and that S is a robust bisimulation relation that witnesses this. Then, we construct the relation R = {(x, y) | ∀_ν (x, ν) S (y, ν)}. Clearly, p R q, since we have (p, ν) S (q, ν) for every ν. The case for termination is also straightforward. Finally, suppose that x R y, and there exists a transition < x, ν > →^l < x′, ν′ >. Then, by definition of R we know (x, ν) S (y, ν), and because S is a bisimulation relation we find that there is a transition < y, ν > →^l < y′, ν′′ >. Using lemma 5, we find that ν′ = ν′′, and hence that (x′, ν′) S (y′, ν′). Using this, we can construct for every µ an interference ι such that ι(ν′) = µ, and using robustness we conclude that (x′, µ) S (y′, µ). From this it follows that x′ R y′, which proves that R is a stateless bisimulation relation, witnessing p ↔_s q. ⊠
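As an added illustration, not part of the thesis or of any HyPA tool: a Python script that computes the greatest stateless bisimulation of definition 55 on a small constructed transition system (the terms, the single model variable x with values 0 and 1, and all transitions are made up for the example) and checks that it agrees with the construction R = {(x, y) | ∀_ν (x, ν) S (y, ν)} from the proof of theorem 43. Interferences, and hence robustness, are not modeled.

```python
"""Greatest stateless bisimulation (definition 55) on a constructed finite
transition system, and the relation R built from a state-level bisimulation
S as in the proof of theorem 43.  Example code, not from the thesis; every
term, valuation and transition below is made up for illustration."""

TERMS = ("P", "Q", "R", "R2", "E", "E2")
VALS = (0, 1)  # valuations: the value of the single model variable x

# <term, v> --label--> <term', v'>.  As in lemma 5, the target valuation v'
# belongs to the transition and has to be matched exactly by a bisimilar term.
TRANS = {
    ("P", 0): {("a", ("E", 1))},
    ("P", 1): {("a", ("E", 1))},
    ("Q", 0): {("a", ("E", 1))},
    ("Q", 1): {("b", ("E", 1))},    # Q differs from P only when x = 1
    ("R", 0): {("a", ("E", 1))},
    ("R", 1): {("a", ("E", 1))},
    ("R2", 0): {("a", ("E2", 1))},
    ("R2", 1): {("a", ("E2", 1))},
}
TERMINATES = {("E", 0), ("E", 1), ("E2", 0), ("E2", 1)}  # <E, v> terminates for all v


def greatest_bisim(elements, moves, termination):
    """Largest bisimulation on `elements`, computed by iterative refinement.

    `moves(e)` yields (label, successor) pairs and `termination(e)` is a
    hashable summary of when e terminates.  Two elements stay related only
    if they terminate alike and every labelled move of one is matched by a
    move of the other with the same label into a still-related successor."""
    rel = {(x, y) for x in elements for y in elements
           if termination(x) == termination(y)}

    def mirrored(x, y, rel):
        return all(any(l2 == l1 and (x2, y2) in rel for l2, y2 in moves(y))
                   for l1, x2 in moves(x))

    while True:
        bad = {(x, y) for (x, y) in rel
               if not (mirrored(x, y, rel) and mirrored(y, x, rel))}
        if not bad:
            return rel
        rel -= bad


def state_bisimulation():
    """Plain bisimulation S on states (term, valuation)."""
    states = [(t, v) for t in TERMS for v in VALS]
    return greatest_bisim(states,
                          lambda s: TRANS.get(s, set()),
                          lambda s: s in TERMINATES)


def stateless_bisimulation():
    """Definition 55 computed directly on terms: the valuation before the
    step and the one carried by the label are folded into the label, so a
    term has to match the other term's moves under every valuation."""
    def term_moves(p):
        return {((v, lab, s2[1]), s2[0])
                for v in VALS for lab, s2 in TRANS.get((p, v), set())}

    def term_termination(p):
        return frozenset(v for v in VALS if (p, v) in TERMINATES)

    return greatest_bisim(TERMS, term_moves, term_termination)


def from_state_bisimulation():
    """The relation R = {(x, y) | for all v: (x, v) S (y, v)} of theorem 43."""
    S = state_bisimulation()
    return {(x, y) for x in TERMS for y in TERMS
            if all(((x, v), (y, v)) in S for v in VALS)}


if __name__ == "__main__":
    S = state_bisimulation()
    R = stateless_bisimulation()
    print("state level, <P,0> ~ <Q,0>:", (("P", 0), ("Q", 0)) in S)
    print("stateless,   P ~s Q      :", ("P", "Q") in R)   # fails because of x = 1
    print("stateless,   P ~s R2     :", ("P", "R2") in R)
    print("theorem 43 construction agrees:", R == from_state_bisimulation())
```

The script shows why the quantification over all valuations in definition 55 matters: <P, 0> and <Q, 0> are bisimilar as states, yet P and Q are not stateless bisimilar because they differ at x = 1.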

Appendix C

Soundness of the axiomatization of robust bisimulation

In this section, we summarize the proofs for soundness of the axiomatization and of the derivation rules, as given in [Cuijpers and Reniers, 2003a]. The complete proofs are very long, but rather straightforward, and are given in [Cuijpers and Reniers, 2003a] for a notion of stateless bisimilarity that has been proven to coincide with robust bisimilarity in appendix B. In this section, we confine ourselves to giving only the witnessing robust bisimulation relations for some of the more difficult derivation rules and axioms. Two of the axioms are worked out in more detail.

Soundness of derivation rules (1), (2) and (3) follows directly from the fact that robust bisimilarity is an equivalence relation. That bisimilarity is an equivalence is a standard result [van Glabbeek, 2001], and that robustness does not change this is easy to verify. Derivation rules (4) and (5) are sound, because (according to theorem 21) robust bisimilarity is a congruence for all the operators of HyPA. Soundness of derivation rules (6) and (7) is straightforward from the operational semantics of re-initialization clauses and flow-clauses, while soundness of derivation rule (8) follows from soundness of all the axioms separately, and from the fact that the semantics of a recursive definition indeed reflect a solution of the recursive equation.

Soundness of derivation rule (10) is witnessed by a relation R such that (d ≫ c, ν) R (d ≫ c′ ⊲ c, ν) ∧ (c, ν) R (c′ ◮ c, ν) ∧ (x, ν) R (x, ν), for all ν ∈ Val, x ∈ T(V_r) and all c, c′ ∈ C that satisfy the assumption that (µ, σ) |= c′ implies (µ, σ) |= c, and that (µ, µ′) |= d and (µ′, σ) |= c imply (µ′, σ) |= c′. To verify that this is indeed a robust bisimulation relation is straightforward.

Soundness of derivation rule (11) is witnessed by the relation R such that


(c, ν) R ((c′ ⊕ c′′) ⊲ c, ν) ∧ (c, ν) R (c′ ◮ c, ν) ∧ (c, ν) R (c′′ ◮ c, ν) ∧ (x, ν) R (x, ν), for all ν ∈ Val, x ∈ T(V_r) and all c, c′, c′′ ∈ C satisfying the assumption that (µ, σ) |= c if and only if (µ, σ) |= c′ or (µ, σ) |= c′′. Again, it is straightforward to verify that this is a robust bisimulation relation.

As examples of soundness proofs of the axioms, we have selected a few axioms that we study in more detail. The witnessing relations for all the others, and the proofs that these relations are indeed bisimulation relations, can be found in [Cuijpers and Reniers, 2003a] for the notion of stateless bisimilarity. The translation to robust bisimilarity is straightforward using the results of appendix B.

The first axiom we give a witness relation for regards distribution of disrupt over sequential composition. It is the only axiom that was not mentioned in [Cuijpers and Reniers, 2003a]. The axiom (x ⊙ δ ⊲ y) ⊙ z ≈ x ⊙ δ ⊲ y ⊙ z is witnessed by the relation R such that ((x ⊙ δ ⊲ y) ⊙ z, ν) R (x ⊙ δ ⊲ y ⊙ z, ν), ((x ⊙ δ ◮ y) ⊙ z, ν) R (x ⊙ δ ◮ y ⊙ z, ν) and (x, ν) R (x, ν) for all x, y, z ∈ T(V_r) and ν ∈ Val. That this is indeed a robust bisimulation relation is straightforward to verify.

The axiom d ≫ ε | d′ ≫ ε ≈ (d^? ∧ d′^?) ≫ ε is witnessed by the relation R such that (d ≫ ε | d′ ≫ ε, ν) R ((d^? ∧ d′^?) ≫ ε, ν), for all ν ∈ Val and d, d′ ∈ D. Since this is one of the more difficult axioms, we show the full proof here. Clearly, we only need to verify bisimilarity for the cases of (d ≫ ε | d′ ≫ ε, ν) R ((d^? ∧ d′^?) ≫ ε, ν) for termination. Furthermore, it is obvious from the construction of R that it is a robust relation.

1. < d ≫ ε | d′ ≫ ε, ν > ✓, for which we need the hypothesis
   (a) ∃_{ν′} (ν, ν′) |= d ∧ ∃_{ν′′} (ν, ν′′) |= d′. From which we conclude that (ν, ν) |= d^? and (ν, ν) |= d′^?, hence < (d^? ∧ d′^?) ≫ ε, ν > ✓.
2. < (d^? ∧ d′^?) ≫ ε, ν > ✓, for which we need the hypothesis
   (a) ∃_{ν′} (ν, ν′) |= (d^? ∧ d′^?), which comes down to the hypothesis
       i. ν = ν′ ∧ ∃_υ (ν, υ) |= d ∧ ∃_{υ′} (ν, υ′) |= d′. From which we easily conclude < d ≫ ε, ν > ✓ and < d′ ≫ ε, ν > ✓, hence < d ≫ ε | d′ ≫ ε, ν > ✓.

The axiom d ≫ c ⊲ x | d′ ≫ c′ ⊲ y ≈ ((d ∼ c_jmp) ∧ (d′ ∼ c′_jmp)) ≫ (c ∧ c′) ⊲ (x ∥ c′ ◮ y ⊕ y ∥ c ◮ x ⊕ x | c′ ◮ y ⊕ y | c ◮ x) is witnessed by the relation R such that (d ≫ c ⊲ x | d′ ≫ c′ ⊲ y, ν) R (N ≫ c ∧ c′ ⊲ M, ν) ∧ (c ◮ x ∥ c′ ◮ y, ν) R (c ∧ c′ ◮ M, ν) ∧ (x ∥ y, ν) R (y ∥ x, ν) ∧ (x, ν) R (x, ν), for all ν ∈ Val, c, c′ ∈ C, d, d′ ∈ D and x, y ∈ T(V_r), in which we use the abbreviations M = x ∥ c′ ◮ y ⊕ y ∥ c ◮ x ⊕ x | c′ ◮ y ⊕ y | c ◮ x and N = ((d ∼ c_jmp) ∧ (d′ ∼ c′_jmp)). The proof that this is a bisimulation relation is rather complicated, and therefore we give it below. That it is a robust relation follows straightforwardly from the construction.


In the proof below, we make use of the following two lemmas, which are proven in [Cuijpers and Reniers, 2003a]. These lemmas express that the initial jumps that a flow-clause can make are closed under concatenation, and that it is not necessary (yet still possible) to jump if there is a solution that starts from the current valuation. This is vital, since the axiom expresses that any number of reinitializations c_jmp may be performed before actually executing a flow transition. Incidentally, these lemmas are also needed for the proof of the axiom c_jmp ≫ c ≈ c, in which they are used in a similar way as in the proof below.

Lemma 6 If (ν, σ′) |= c and (σ′(0), σ) |= c then (ν, σ) |= c.

Lemma 7 If (ν, σ) |= c then (σ(0), σ) |= c.

The validity of these lemmas does not depend on the choice of parameters of HyPA, but follows directly from the operational semantics.

For (x, ν) R (x, ν), the proof that R is a bisimulation relation is trivial. For (x ∥ y, ν) R (y ∥ x, ν), the proof is also straightforward. For (d ≫ c ⊲ x | d′ ≫ c′ ⊲ y, ν) R (N ≫ c ∧ c′ ⊲ M, ν), we find the following cases.

1. < d ≫ c ⊲ x | d′ ≫ c′ ⊲ y, ν > ✓, for which we need the hypothesis
   (a) < d ≫ c ⊲ x, ν > ✓ ∧ < d′ ≫ c′ ⊲ y, ν > ✓, which leads to the hypothesis
       i. ∃_{ν′} (ν, ν′) |= d ∧ < c ⊲ x, ν′ > ✓, for which we need the hypothesis
          A. < c, ν′ > ✓, which cannot be satisfied.
2. < N ≫ c ∧ c′ ⊲ M, ν > ✓, cannot be satisfied for similar reasons as in the previous case.
3. < d ≫ c ⊲ x | d′ ≫ c′ ⊲ y, ν > →^l < p, ν′′′ >, leading to one of the hypotheses
   (a) ∃_{p′} l ∈ A ∧ < d ≫ c ⊲ x, ν > ↦^l < p′, ν′′′ >, which can clearly not be satisfied since flow-clauses cannot execute action transitions.
   (b) ∃_{p′,p′′} l ∈ Σ ∧ dom(l) = [0, t] ∧ p = p′ ∥ p′′ ∧ < d ≫ c ⊲ x, ν > ⇝^l < p′, ν′′′ > ∧ < d′ ≫ c′ ⊲ y, ν > ⇝^l < p′′, ν′′′ >, for which we need the hypothesis
       i. ∃_{ν′} (ν, ν′) |= d ∧ < c ⊲ x, ν′ > ⇝^l < p′, ν′′′ > ∧ ∃_{ν′′} (ν, ν′′) |= d′ ∧ < c′ ⊲ y, ν′′ > ⇝^l < p′′, ν′′′ >, leading to the hypothesis
          A. ∃_{r′} p′ = r′ ◮ x ∧ < c, ν′ > ⇝^l < r′, ν′′′ > ∧ ∃_{r′′} p′′ = r′′ ◮ y ∧ < c′, ν′′ > ⇝^l < r′′, ν′′′ >, for which we need the hypothesis
             • (ν′, l) |= c ∧ r′ = c ∧ (ν′′, l) |= c′ ∧ r′′ = c′ ∧ ν′′′ = l(t).
             Using lemma 7 we find that (l(0), l) |= (c ∧ c′). Furthermore, we may conclude that (ν, l(0)) |= N and p = c ◮ x ∥ c′ ◮ y, to finally find < N ≫ c ∧ c′ ⊲ M, ν > →^l < (c ∧ c′) ◮ M, ν′′′ > and (p, ν′′′) R (c ∧ c′ ◮ M, ν′′′).
4. < N ≫ (c ∧ c′) ⊲ M, ν > →^l < p, ν′′ >, leading to the hypothesis
   (a) ∃_{ν′} (ν, ν′) |= N ∧ < (c ∧ c′) ⊲ M, ν′ > →^l < p, ν′′ >, for which we need the hypothesis
       i. ∃_r p = r ◮ M ∧ < (c ∧ c′), ν′ > →^l < r, ν′′ > ∧ ∃_{ν1,σ1} (ν, ν1) |= d ∧ (ν1, σ1) |= c ∧ ∃_{ν2,σ2} (ν, ν2) |= d′ ∧ (ν2, σ2) |= c′ ∧ ν′ = σ1(0) = σ2(0), and finally we need the hypothesis
          A. l ∈ Σ ∧ r = (c ∧ c′) ∧ (ν′, l) |= (c ∧ c′) ∧ ν′′ = l(t).
          From this we may conclude that p = (c ∧ c′) ◮ M, but furthermore we can use lemma 6, together with the facts that (ν1, σ1) |= c and (ν′, l) |= c and ν′ = σ1(0), to find (ν1, l) |= c and similarly (ν2, l) |= c′. This leads to the observations that < d ≫ c ⊲ x, ν > ⇝^l < c ◮ x, ν′′ > and < d′ ≫ c′ ⊲ y, ν > ⇝^l < c′ ◮ y, ν′′ >, and finally < d ≫ c ⊲ x | d′ ≫ c′ ⊲ y, ν > →^l < c ◮ x ∥ c′ ◮ y, ν′′ > and (c ◮ x ∥ c′ ◮ y, ν′′) R (p, ν′′).

For (c ◮ x ∥ c′ ◮ y, ν) R (c ∧ c′ ◮ M, ν), we find the following cases.

1. < c ◮ x ∥ c′ ◮ y, ν > ✓, for which we need the hypothesis
   (a) < c ◮ x, ν > ✓ ∧ < c′ ◮ y, ν > ✓, for which we need the hypothesis
       i. < x, ν > ✓ ∧ < y, ν > ✓. From which we may conclude < x | y, ν > ✓, hence < M, ν > ✓ and < (c ∧ c′) ◮ M, ν > ✓.
2. < c ∧ c′ ◮ M, ν > ✓, for which we need the hypothesis < M, ν > ✓ and hence one of the following hypotheses
   (a) < x ∥ c′ ◮ y, ν > ✓, which cannot occur.
   (b) < y ∥ c ◮ x, ν > ✓, which cannot occur.
   (c) < x | c′ ◮ y, ν > ✓, for which we need the hypothesis
       i. < x, ν > ✓ ∧ < c′ ◮ y, ν > ✓. From this we may conclude that < c ◮ x, ν > ✓ and hence < c ◮ x ∥ c′ ◮ y, ν > ✓.
   (d) < y | c ◮ x, ν > ✓, is similar to the previous case.
3. < c ◮ x ∥ c′ ◮ y, ν > →^l < p, ν′ >, for which we need one of the following hypotheses:
   (a) ∃_{a,a′,p′,p′′} l = (aγa′, µ) ∧ p = p′ ∥ p′′ ∧ < c ◮ x, ν > ↦^{a,µ} < p′, ν′ > ∧ < c′ ◮ y, ν > ↦^{a′,µ} < p′′, ν′ >, which leads to the hypothesis
       i. < x, ν > ↦^{a,µ} < p′, ν′ > ∧ < y, ν > ↦^{a′,µ} < p′′, ν′ >, from which we conclude < x | c′ ◮ y, ν > ↦^{aγa′,µ} < p′ ∥ p′′, ν′ >, and hence < (c ∧ c′) ◮ M, ν > →^l < p, ν′ > with (p, ν′) R (p, ν′).
   (b) ∃_{p′} l ∈ A ∧ p = p′ ∥ c′ ◮ y ∧ < c ◮ x, ν > ↦^l < p′, ν′ >, for which we need the hypothesis
       i. < x, ν > ↦^l < p′, ν′ >, from which we conclude that < x ∥ c′ ◮ y, ν > →^l < p′ ∥ c′ ◮ y, ν′ > and hence < (c ∧ c′) ◮ M, ν > →^l < p, ν′ > with (p, ν′) R (p, ν′).
   (c) ∃_{p′} l ∈ A ∧ p = c ◮ x ∥ p′ ∧ < c′ ◮ y, ν > ↦^l < p′, ν′ >, which is similar to the previous case.
   (d) ∃_{p′,p′′,t} l ∈ Σ ∧ dom(l) = [0, t] ∧ p = p′ ∥ p′′ ∧ < c ◮ x, ν > ⇝^l < p′, ν′ > ∧ < c′ ◮ y, ν > ⇝^l < p′′, ν′ >, for which we need one of the following hypotheses:
       i. ∃_{r′} p′ = r′ ◮ x ∧ < c, ν > ⇝^l < r′, ν′ > ∧ ∃_{r′′} p′′ = r′′ ◮ y ∧ < c′, ν > ⇝^l < r′′, ν′ >, for which we need the hypothesis
          A. r′ = c ∧ r′′ = c′ ∧ (ν, l) |= c ∧ (ν, l) |= c′ ∧ ν′ = l(t). From this we conclude that p = c ◮ x ∥ c′ ◮ y and < (c ∧ c′) ◮ M, ν > →^l < c ∧ c′ ◮ M, ν′ >, with (p, ν′) R ((c ∧ c′) ◮ M, ν′).
       ii. ∃_{r′} p′ = r′ ◮ x ∧ < c, ν > ⇝^l < r′, ν′ > ∧ < y, ν > ⇝^l < p′′, ν′ >, for which we need the hypothesis
          A. r′ = c. Now, we conclude that p = c ◮ x ∥ p′′, and that < y | c ◮ x, ν > →^l < p′′ ∥ c ◮ x, ν′ >. Hence < (c ∧ c′) ◮ M, ν > →^l < p′′ ∥ c ◮ x, ν′ > with (p′′ ∥ c ◮ x, ν′) R (p, ν′).
       iii. < x, ν > ⇝^l < p′, ν′ > ∧ ∃_{r′′} p′′ = r′′ ◮ y ∧ < c′, ν > ⇝^l < r′′, ν′ >, for which we need the hypothesis
          A. r′′ = c′. Now, we conclude that p = p′ ∥ c′ ◮ y, and that < x | c′ ◮ y, ν > →^l < p, ν′ >. Hence, < (c ∧ c′) ◮ M, ν > →^l < p, ν′ > with p R p.
       iv. < x, ν > ⇝^l < p′, ν′ > ∧ < y, ν > ⇝^l < p′′, ν′ >. From which it follows directly that < x | c′ ◮ y, ν > →^l < p, ν′ >. Hence, < (c ∧ c′) ◮ M, ν > →^l < p, ν′ > with (p, ν′) R (p, ν′).
   (e) l ∈ Σ ∧ < c ◮ x, ν > ⇝^l < p, ν′ > ∧ < c′ ◮ y, ν > ✓, for which we need the hypothesis
       i. < y, ν > ✓. From this we may conclude < y | c ◮ x, ν > →^l < p, ν′ >. Hence, < (c ∧ c′) ◮ M, ν > →^l < p, ν′ > with (p, ν′) R (p, ν′).
   (f) l ∈ Σ ∧ < c ◮ x, ν > ✓ ∧ < c′ ◮ y, ν > ⇝^l < p, ν′ >, for which we need the hypothesis
       i. < x, ν > ✓. From this we may conclude < x | c′ ◮ y, ν > →^l < p, ν′ >. Hence, < (c ∧ c′) ◮ M, ν > →^l < p, ν′ > with (p, ν′) R (p, ν′).
4. < c ∧ c′ ◮ M, ν > →^l < p, ν′ >, which needs one of the following hypotheses:
   (a) ∃_r p = r ◮ M ∧ < (c ∧ c′), ν > →^l < r, ν′ >, for which we need the hypothesis
       i. ∃_t l ∈ Σ ∧ dom(l) = [0, t] ∧ r = (c ∧ c′) ∧ ν′ = l(t) ∧ (ν, l) |= c ∧ (ν, l) |= c′. From this we may readily conclude that p = (c ∧ c′) ◮ M and < c ◮ x, ν > ⇝^l < c ◮ x, ν′ >. Consequently, we find < c ◮ x ∥ c′ ◮ y, ν > →^l < c ◮ x ∥ c′ ◮ y, ν′ > with (c ◮ x ∥ c′ ◮ y, ν′) R (p, ν′).
   (b) < M, ν > →^l < p, ν′ >, which comes down to one of the hypotheses:
       i. < x ∥ c′ ◮ y, ν > →^l < p, ν′ >, for this we need the hypothesis
          A. ∃_r l ∈ A ∧ p = r ∥ c′ ◮ y ∧ < x, ν > ↦^l < r, ν′ >. From which we conclude < c ◮ x, ν > ↦^l < r, ν′ > and finally < c ◮ x ∥ c′ ◮ y, ν > →^l < p, ν′ > with (p, ν′) R (p, ν′).
       ii. < y ∥ c ◮ x, ν > →^l < p, ν′ >, for this we need the hypothesis
          A. ∃_r l ∈ A ∧ p = r ∥ c ◮ x ∧ < y, ν > ↦^l < r, ν′ >. From which we conclude < c′ ◮ y, ν > ↦^l < r, ν′ > and finally < c ◮ x ∥ c′ ◮ y, ν > →^l < c ◮ x ∥ r, ν′ > with (p, ν′) R (c ◮ x ∥ r, ν′).
       iii. < x | c′ ◮ y, ν > →^l < p, ν′ >, for which we need one of the hypotheses
          A. ∃_{a,a′,p′,p′′,µ} l = (aγa′, µ) ∧ p = p′ ∥ p′′ ∧ < x, ν > ↦^{a,µ} < p′, ν′ > ∧ < c′ ◮ y, ν > ↦^{a′,µ} < p′′, ν′ >, which leads to the hypothesis
             • < y, ν > ↦^{a′,µ} < p′′, ν′ >. From which we readily conclude < c ◮ x ∥ c′ ◮ y, ν > →^l < p, ν′ > with (p, ν′) R (p, ν′).
          B. ∃_{p′,p′′} l ∈ Σ ∧ p = p′ ∥ p′′ ∧ < x, ν > ⇝^l < p′, ν′ > ∧ < c′ ◮ y, ν > ⇝^l < p′′, ν′ >, which leads to one of the hypotheses
             • ∃_r p′′ = r ◮ y ∧ < c′, ν > ⇝^l < r, ν′ >, then we need the hypothesis
               – r = c′. From which we conclude that p = p′ ∥ c′ ◮ y and < c ◮ x ∥ c′ ◮ y, ν > →^l < p, ν′ > with (p, ν′) R (p, ν′).
             • < y, ν > ⇝^l < p′′, ν′ >. From which we readily conclude < c ◮ x ∥ c′ ◮ y, ν > →^l < p, ν′ > with (p, ν′) R (p, ν′).
       iv. < y | c ◮ x, ν > →^l < p, ν′ >, for which we need one of the hypotheses
          A. ∃_{a,a′,p′,p′′,µ} l = (aγa′, µ) ∧ p = p′ ∥ p′′ ∧ < y, ν > ↦^{a,µ} < p′, ν′ > ∧ < c ◮ x, ν > ↦^{a′,µ} < p′′, ν′ >, which leads to the hypothesis
             • < x, ν > ↦^{a′,µ} < p′′, ν′ >. From which we readily conclude < c ◮ x ∥ c′ ◮ y, ν > →^l < p′′ ∥ p′, ν′ > with (p, ν′) R (p′′ ∥ p′, ν′).
          B. ∃_{p′,p′′} l ∈ Σ ∧ p = p′ ∥ p′′ ∧ < y, ν > ⇝^l < p′, ν′ > ∧ < c ◮ x, ν > ⇝^l < p′′, ν′ >, which leads to one of the hypotheses
             • ∃_r p′′ = r ◮ x ∧ < c, ν > ⇝^l < r, ν′ >, then we need the hypothesis
               – r = c. From which we conclude that p = p′ ∥ c ◮ x and < c ◮ x ∥ c′ ◮ y, ν > →^l < c ◮ x ∥ p′, ν′ > with (p, ν′) R (c ◮ x ∥ p′, ν′).
             • < x, ν > ⇝^l < p′′, ν′ >. From which we readily conclude < c ◮ x ∥ c′ ◮ y, ν > →^l < p′′ ∥ p′, ν′ > with (p, ν′) R (p′′ ∥ p′, ν′).


Appendix D

The recursive specification principle for robust bisimulation

The recursive specification principle RSP states that a guarded recursive specification has at most one solution. Formally, the rule is stated as follows:

$$
\frac{S \models E, \quad S' \models E, \quad E \text{ guarded}}{S(X) \approx_r S'(X)} \qquad X \in V_r,
$$

where S |= E denotes that the interpretation S ∈ V_r → T(V_r) of recursion variables is a solution of a guarded recursive specification E. The proof of this usually goes via another principle, called the approximation induction principle AIP [Bergstra and Klop, 1986], which makes use of a family of projection operators π_n. AIP states that if every finite projection of two processes is bisimilar, then the two processes are bisimilar. For the kind of semantical model we use, AIP is restricted in the sense that one of the compared processes should have bounded non-determinism. This is usually referred to as the restricted approximation induction principle AIP⁻.

In this section, we introduce the family of projection operators, and formalize the notion of bounded non-determinism. Then we pose the approximation induction principle, and prove it sound. After that, we show the existence of a bounded solution for guarded recursive specifications, and prove a projection property for guarded process terms. Finally, this allows us to prove soundness of RSP using AIP⁻.

Projection has the following operational semantics:

$$
\frac{< p, \nu > \checkmark}{< \pi_n(p), \nu > \checkmark}, \qquad
\frac{< p, \nu > \xrightarrow{l} < p', \nu' >}{< \pi_{n+1}(p), \nu > \xrightarrow{l} < \pi_n(p'), \nu' >}.
$$


Without proof, we claim that robust bisimilarity is a congruence for projection. Bounded non-determinism B(p) is defined as follows.

Definition 56 (Bounded non-determinism) Bounded non-determinism is recursively defined as:
• Every state has bounded non-determinism in 0 steps.
• A state (p, ν) has bounded non-determinism in n + 1 steps, if for every l the set R = {(p′, ν′) | < p, ν > →^l < p′, ν′ >} is finite, and all elements (p′, ν′) ∈ R have bounded non-determinism in n steps themselves.
• A state (p, ν) has bounded non-determinism (denoted B(p, ν)) if it has bounded non-determinism for any arbitrary number of steps.
• A process p has bounded non-determinism (denoted B(p)) if for every valuation ν ∈ Val we find that (p, ν) has bounded non-determinism.

These definitions allow us to state the restricted approximation induction principle AIP⁻:

$$
\frac{\forall_n\ \pi_n(p) \approx_r \pi_n(q) \quad \wedge \quad B(q)}{p \approx_r q} \qquad \text{AIP}^-
$$

Next, we prove that this principle is sound.

Theorem 44 AIP⁻ is sound for the semantics of HyPA.
Proof To prove this principle sound, suppose that R is the union of all robust bisimulation relations. In particular, it contains the robust bisimulation relations witnessing π_n(p) ↔ π_n(q). Note that R is an equivalence relation on states. We now construct the following relation S = {((x, ν), (y, µ)) | ∀_n (π_n(x), ν) R (π_n(y), µ), B(y, µ)}, and show that this is a robust bisimulation relation witnessing p ↔ q. It is obvious that for all ν and all n we have (π_n(p), ν) R (π_n(q), ν), therefore we know (p, ν) S (q, ν). So, if S is a robust bisimulation relation, then it is a witness. In order to verify that S is a bisimulation relation, assume (x, ν) S (y, µ) and study the following cases:
1. < x, ν > ✓. Using the semantics of projection, we find < π_n(x), ν > ✓ for all n, and using the definition of S we get (π_n(x), ν) R (π_n(y), µ). From which we conclude, using the fact that R is a bisimulation relation, that < π_n(y), µ > ✓, and using the semantics of projection we finally find < y, µ > ✓.
2. < y, µ > ✓. Similar to the previous case.


3. < x, ν > →^l < x′, ν′ >. We handle this case along the lines of [Baeten and Weijland, 1990]. Using the semantics of the projection operator, we find < π_{n+1}(x), ν > →^l < π_n(x′), ν′ >, for any n. Furthermore, using the definition of S, we find for every n that (π_{n+1}(x), ν) R (π_{n+1}(y), µ). Now, we create a sequence Q_n = {(y′, µ′) | < y, µ > →^l < y′, µ′ >, (π_n(x′), ν′) R (π_n(y′), µ′)}, and using the definition of projection and the fact that R is a bisimulation relation, we conclude that this sequence is non-empty for every n. Furthermore, it is decreasing (Q_n ⊇ Q_{n+1}) because in general we have π_{n+1}(x) ↔ π_{n+1}(y) ⇒ π_n(x) ↔ π_n(y) and R contains all bisimulation relations that witness this. Lastly, every Q_n is finite, because y has bounded non-determinism. Therefore, the sequence Q_n eventually becomes constant. In other words, there exists (y′′, µ′′) such that for all n we have (y′′, µ′′) ∈ Q_n. Hence, by definition of Q_n, we have for all n that (π_n(x′), ν′) R (π_n(y′′), µ′′). Now, using the definition of S and the fact that (y′′, µ′′) has bounded non-determinism because it is reachable from (y, µ), we finally conclude that (x′, ν′) S (y′′, µ′′).
4. < y, µ > →^l < y′, µ′ >. This case is also handled along the lines of [Baeten and Weijland, 1990]. Similarly to the previous case, we create a sequence Q_n = {(x′, ν′) | < x, ν > →^l < x′, ν′ >, (π_n(x′), ν′) R (π_n(y′), µ′)}, and may conclude that this sequence is decreasing, and non-empty for every n. However, Q_n is not necessarily finite. Nevertheless, for every n and every (x_n, ν_n) ∈ Q_n there exists, using the previous case, a (y_n, µ_n) such that < y, µ > →^l < y_n, µ_n > and (x_n, ν_n) S (y_n, µ_n). Using bounded non-determinism of y, one of these elements occurs infinitely often. In other words, there is a k such that for every n there is an m ≥ n with (y_k, µ_k) ≡ (y_m, µ_m). Now, because x_k S y_k, we may conclude π_n(x_k) R π_n(y_k). Because R contains the identity relation, we find π_n(y_k) R π_n(y_m). Because R is symmetric, we find π_n(y_m) R π_n(x_m) and because Q_m ⊆ Q_n we find π_n(x_m) R π_n(y′). With transitivity of R we conclude π_n(x_k) R π_n(y′) and finally x_k S y′, which concludes the case.

In order to verify that S is robust, assume that (x, ν) S (y, µ). By definition of S we find that (π_n(x), ν) R (π_n(y), µ) for every n. Since R is robust, we may conclude for every interference ι and every n that (π_n(x), ι(ν)) R (π_n(y), ι(µ)), and hence (x, ι(ν)) S (y, ι(µ)). Therefore, S is also robust. ⊠

Before we can use AIP⁻ to prove RSP, we need to study bounded non-determinism and projections of guarded recursive specifications in more detail. We need to show existence of a bounded non-deterministic solution for each guarded recursive specification, and we need an axiomatization for projection with respect to guarded process terms.

Theorem 45 (Bounded non-determinism) Each guarded recursive specification E has a bounded non-deterministic solution.


Proof This theorem is a strengthening of the recursive definition principle RDP, which states that every recursive specification has a solution. RDP is easily proven sound, using the fact that the semantics of HyPA actually gives one such solution. Let $E$ be a guarded recursive specification. For the sake of convenience, assume that if $X : p \in E$, then $p$ is already rewritten into a guarded process term, and furthermore assume that this term is of the form
$$\bigoplus_{j \in J} \left( d_j \gg a_j \odot q_j \ \oplus\ d'_j \gg c_j \rhd q'_j \ \oplus\ d''_j \gg \epsilon \right),$$
where $J$ is a finite set and $q_j$ and $q'_j$ are arbitrary process terms of HyPA. In this case, we can show that the solution defined by the semantics of HyPA, if we treat possibly occurring recursion variables as constants, has bounded non-determinism. Let $S \in V_r \to T(V_r)$ be the identity, i.e. the solution of $E$ formed by the semantics of HyPA. By definition, every process, hence also every $S(X)$ with $X \in V_r$, has bounded non-determinism in $0$ steps. If we then assume the induction hypothesis that every $S(X)$ has bounded non-determinism in $n$ steps, we only need to prove that bounded non-determinism in $n+1$ steps follows. By definition of the semantics of HyPA, we know for $S(X) = X$ with $X \approx_r p$, that $\langle X,\nu\rangle \xrightarrow{l} \langle p',\nu\rangle$ if and only if $\langle p,\nu\rangle \xrightarrow{l} \langle p',\nu\rangle$. Using the specific form of $p$, and the semantics of HyPA, we know that there is only a finite number of these transitions, and that $p'$ is either $q_j$ or $q'_j$, for some $j$. Furthermore, the semantics of all process operators of HyPA is such that they lead to bounded non-deterministic compositions if the composed processes are bounded non-deterministic. So, even if $q_j$ and $q'_j$ contain recursion variables, they are bounded non-deterministic in $n$ steps, from which we may conclude that $p$, and hence $S(X)$, is bounded non-deterministic in $n+1$ steps. With induction, this concludes the proof for the case where $E$ is already rewritten as suggested above.

For the case that the definitions in $E$ still need to be rewritten, we may conclude only that there exists a bounded non-deterministic solution. It may not necessarily be the case that the solution defined by the semantics has this property. ⊠

We claim, without proof, that the following axioms are sound for projection:

$$\begin{array}{rcl}
\pi_n(\epsilon) & \approx_r & \epsilon \\
\pi_0(a) & \approx_r & \delta \\
\pi_{n+1}(a \odot x) & \approx_r & a \odot \pi_n(x) \\
\pi_n(x \oplus y) & \approx_r & \pi_n(x) \oplus \pi_n(y) \\
\pi_n(x \odot y) & \approx_r & \pi_n(\pi_n(x) \odot y) \\
\pi_n(x \rhd y) & \approx_r & \pi_n(\pi_n(x) \rhd y) \\
\pi_n(x \parallel y) & \approx_r & \pi_n(\pi_n(x) \parallel y) \\
\pi_n(x \mid y) & \approx_r & \pi_n(x \mid \pi_n(y))
\end{array}
\qquad
\begin{array}{rcl}
\pi_0(c) & \approx_r & \delta \\
\pi_{n+1}(c \rhd x) & \approx_r & \pi_1(c) \rhd \pi_n(c \blacktriangleright x) \\
\pi_n(d \gg x) & \approx_r & d \gg \pi_n(x) \\
\pi_n(x \odot y) & \approx_r & \pi_n(x \odot \pi_n(y)) \\
\pi_n(x \rhd y) & \approx_r & \pi_n(x \rhd \pi_n(y)) \\
\pi_n(x \parallel y) & \approx_r & \pi_n(x \parallel \pi_n(y)) \\
\pi_n(\pi_m(x)) & \approx_r & \pi_{\min(n,m)}(x)
\end{array}$$

This brings us to the following two theorems.

Theorem 46 (Projection push) Define the interpretation $\Pi_n \in V_r \to T(V_r)$ of recursion variables, such that $\Pi_n(X) = \pi_n(X)$ for all $X \in V_r$. Then, for $p \in T(V_r)$, the following equivalences are derivable: $\pi_n(p) \approx_r \pi_n(\Pi_n(p))$, where $\Pi_n(p)$ denotes the application of $\Pi_n$ to all the variables of $p$.

Proof It is straightforward from the axiomatization of projection that any subterm $p'$ of a process $\pi_n(p)$ may be replaced by $\pi_n(p')$, and if a subterm $p'$ of $\pi_n(p)$ is of the form $\pi_n(p'')$, then it may be replaced by $p''$. ⊠

Theorem 47 (Guarded projection push) Define the interpretation $\Pi_n \in V_r \to T(V_r)$ as before, and let $S$ be an arbitrary interpretation of recursion variables. Then, we can derive the following equivalences for guarded process terms $p$:
$$\pi_0(p) \approx_r \pi_0(S(p)), \qquad \pi_{n+1}(p) \approx_r \pi_{n+1}(\Pi_n(p)).$$

Proof Without loss of generality, assume that $p$ is of the form
$$\bigoplus_{j \in J} \left( d_j \gg a_j \odot q_j \ \oplus\ d'_j \gg c_j \rhd q'_j \ \oplus\ d''_j \gg \epsilon \right),$$
with $J$ finite, and $q_j$ and $q'_j$ arbitrary HyPA terms, possibly containing recursion variables. We use the axiomatization of projection to derive:
\begin{align*}
\pi_0(p) &\approx_r \pi_0\Big( \bigoplus_{j \in J} \big( d_j \gg a_j \odot q_j \oplus d'_j \gg c_j \rhd q'_j \oplus d''_j \gg \epsilon \big) \Big) \\
&\approx_r \pi_0\Big( \bigoplus_{j \in J} d''_j \gg \epsilon \Big) \\
&\approx_r \pi_0\Big( \big( \bigoplus_{j \in J} d_j \gg a_j \odot S(q_j) \oplus d'_j \gg c_j \rhd S(q'_j) \oplus d''_j \gg \epsilon \big) \Big) \\
&\approx_r \pi_0(S(p)).
\end{align*}
More elaborately, we also use the projection push to find:
\begin{align*}
\pi_{n+1}(p) &\approx_r \pi_{n+1}\Big( \bigoplus_{j \in J} \big( d_j \gg a_j \odot q_j \oplus d'_j \gg c_j \rhd q'_j \oplus d''_j \gg \epsilon \big) \Big) \\
&\approx_r \pi_{n+1}\Big( \bigoplus_{j \in J} \big( d_j \gg a_j \odot \pi_n(q_j) \oplus d'_j \gg c_j \rhd \pi_n(q'_j) \oplus d''_j \gg \epsilon \big) \Big) \\
&\approx_r \pi_{n+1}\Big( \bigoplus_{j \in J} \big( d_j \gg a_j \odot \pi_n(\Pi_n(q_j)) \oplus d'_j \gg c_j \rhd \pi_n(\Pi_n(q'_j)) \oplus d''_j \gg \epsilon \big) \Big) \\
&\approx_r \pi_{n+1}\Big( \bigoplus_{j \in J} \big( d_j \gg a_j \odot \Pi_n(q_j) \oplus d'_j \gg c_j \rhd \Pi_n(q'_j) \oplus d''_j \gg \epsilon \big) \Big) \\
&\approx_r \pi_{n+1}(\Pi_n(p)).
\end{align*}

This concludes the proof. ⊠



Now, using the guarded projection push theorem, the theorem on bounded non-determinism of guarded recursive specifications, and AIP$^-$, it is easy to derive soundness of RSP.


Theorem 48 The recursive specification principle is sound.

Proof For convenience assume that $X : p \in E$ implies that $p$ is already rewritten into a guarded term. Using the theorem on bounded non-determinism, we know that there exists a solution $S$ of $E$ that has bounded non-determinism, i.e. $B(S(X))$ for every $X \in V_r$. Suppose that $S'$ is an arbitrary other solution for $E$. We will show by induction on $n$ that for every $X \in V_r$ we have $\pi_n(S(X)) \approx_r \pi_n(S'(X))$. From that we then may conclude $S(X) \approx_r S'(X)$ using AIP$^-$. Note that if we have two arbitrary solutions of $E$, we may conclude them equal by showing that both are equal to $S$. The base case, where $n = 0$, is derived using congruence (derivation rule (4)) and the first part of the guarded projection theorem:
$$\pi_0(S(X)) \approx_r \pi_0(S(p)) \approx_r \pi_0(p) \approx_r \pi_0(S'(p)) \approx_r \pi_0(S'(X)).$$
Using the second part of the guarded projection theorem, and the induction hypothesis that $\pi_n(S(X)) \approx_r \pi_n(S'(X))$, we find firstly, using congruence again, that $S(\Pi_n(p)) \approx_r S'(\Pi_n(p))$, and using this we derive:
\begin{align*}
\pi_{n+1}(S(X)) &\approx_r \pi_{n+1}(S(p)) \approx_r S(\pi_{n+1}(p)) \approx_r S(\pi_{n+1}(\Pi_n(p))) \\
&\approx_r \pi_{n+1}(S(\Pi_n(p))) \approx_r \pi_{n+1}(S'(\Pi_n(p))) \approx_r S'(\pi_{n+1}(\Pi_n(p))) \\
&\approx_r S'(\pi_{n+1}(p)) \approx_r \pi_{n+1}(S'(p)) \approx_r \pi_{n+1}(S'(X)). \qquad ⊠
\end{align*}
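As an added worked instance (not part of the thesis), the induction of Theorem 48 carried out on the single guarded equation $X \approx_r [\mathit{true}] \gg a \odot X$, using only the projection axioms listed above together with $\delta \odot x \approx_r \delta$ (appendix E) and $\delta \approx_r [\mathit{false}] \gg \epsilon$ (appendix F); $S$ and $S'$ are two arbitrary solutions.

```latex
% Added example, not from the thesis. E = { X ~r [true] >> a . X }, S and S' solutions of E,
% so S(X) ~r [true] >> a . S(X) and S'(X) ~r [true] >> a . S'(X). B(S(X)) holds by Theorem 45.
%
% Base case n = 0: pi_n(d >> x) = d >> pi_n(x), pi_n(x . y) = pi_n(pi_n(x) . y),
% pi_0(a) = delta, delta . x = delta, delta = [false] >> eps, pi_n(eps) = eps.
\begin{align*}
\pi_0(S(X)) &\approx_r \pi_0([\mathit{true}] \gg a \odot S(X))
             \approx_r [\mathit{true}] \gg \pi_0(a \odot S(X)) \\
            &\approx_r [\mathit{true}] \gg \pi_0(\pi_0(a) \odot S(X))
             \approx_r [\mathit{true}] \gg \pi_0(\delta \odot S(X))
             \approx_r [\mathit{true}] \gg \pi_0(\delta) \\
            &\approx_r [\mathit{true}] \gg \pi_0([\mathit{false}] \gg \epsilon)
             \approx_r [\mathit{true}] \gg [\mathit{false}] \gg \pi_0(\epsilon)
             \approx_r [\mathit{true}] \gg [\mathit{false}] \gg \epsilon
             \approx_r [\mathit{true}] \gg \delta
\end{align*}
% The same derivation for S' gives pi_0(S'(X)) ~r [true] >> delta, hence pi_0(S(X)) ~r pi_0(S'(X)):
% the 0-th projection does not depend on the chosen solution, as Theorem 47 (first part) states.
%
% Inductive step, assuming pi_n(S(X)) ~r pi_n(S'(X)) and using pi_{n+1}(a . x) = a . pi_n(x)
% and congruence of sequential composition:
\begin{align*}
\pi_{n+1}(S(X)) &\approx_r \pi_{n+1}([\mathit{true}] \gg a \odot S(X))
                 \approx_r [\mathit{true}] \gg a \odot \pi_n(S(X)) \\
                &\approx_r [\mathit{true}] \gg a \odot \pi_n(S'(X))
                 \approx_r \pi_{n+1}([\mathit{true}] \gg a \odot S'(X))
                 \approx_r \pi_{n+1}(S'(X))
\end{align*}
% So pi_n(S(X)) ~r pi_n(S'(X)) for every n; with B(S(X)), AIP^- gives S(X) ~r S'(X),
% i.e. E has a unique solution up to ~r, which is exactly what RSP asserts for this E.
```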

Appendix E  Conservativity of HyPA with respect to ACP

E.1  ACP $\vdash p \approx q$ implies HyPA $\vdash p \approx_r q$

The following paragraphs contain, for each axiom of ACP, a derivation in HyPA. Together with the observation that the derivation rules of ACP are contained in those of HyPA, we find that ACP $\vdash p \approx q$ implies HyPA $\vdash p \approx_r q$. Note that in the axioms of ACP, every action $a$ may be replaced by deadlock $\delta$. In HyPA this is not the case. Therefore, we have two versions for some of the axioms on communication and encapsulation.

The axiom: $x \oplus y \approx y \oplus x$
Trivial.

The axiom: $(x \oplus y) \oplus z \approx x \oplus (y \oplus z)$
Trivial.

The axiom: $x \oplus x \approx x$
\begin{align*}
x \oplus x &\approx_r [\mathit{true}] \gg x \oplus x \\
&\approx_r [\mathit{true}] \gg x \oplus [\mathit{true}] \gg x \\
&\approx_r ([\mathit{true}] \vee [\mathit{true}]) \gg x \\
&\approx_r [\mathit{true}] \gg x \\
&\approx_r x
\end{align*}

The axiom: $(x \oplus y) \odot z \approx x \odot z \oplus y \odot z$
Trivial.

The axiom: $(x \odot y) \odot z \approx x \odot (y \odot z)$
Trivial.


The axiom: $x \oplus \delta \approx x$
\begin{align*}
x \oplus \delta &\approx_r x \oplus [\mathit{false}] \gg x \\
&\approx_r [\mathit{true}] \gg x \oplus [\mathit{false}] \gg x \\
&\approx_r ([\mathit{true}] \vee [\mathit{false}]) \gg x \\
&\approx_r [\mathit{true}] \gg x \\
&\approx_r x
\end{align*}

The axiom: $\delta \odot x \approx \delta$
\begin{align*}
\delta \odot x &\approx_r ([\mathit{false}] \gg \epsilon) \odot x \\
&\approx_r [\mathit{false}]^{?} \gg x \\
&\approx_r [\mathit{false}] \gg x \\
&\approx_r \delta
\end{align*}

The axiom: $a \mid b \approx a\gamma b$, if $a\gamma b$ defined
In this proof, we use the derivation of $x \oplus \delta \approx x$.
\begin{align*}
a \mid b &\approx_r a \odot \epsilon \mid b \\
&\approx_r a \odot \epsilon \mid b \odot \epsilon \\
&\approx_r [\mathit{true}] \gg a \odot \epsilon \mid b \odot \epsilon \\
&\approx_r [\mathit{true}] \gg a \odot \epsilon \mid [\mathit{true}] \gg b \odot \epsilon \\
&\approx_r ([\mathit{true}] \wedge [\mathit{true}]) \gg (a\gamma b) \odot (\epsilon \parallel \epsilon) \\
&\approx_r [\mathit{true}] \gg (a\gamma b) \odot (\epsilon \parallel \epsilon) \\
&\approx_r (a\gamma b) \odot (\epsilon \parallel \epsilon) \\
&\approx_r (a\gamma b) \odot \epsilon \\
&\approx_r a\gamma b
\end{align*}

The axiom: $a \mid b \approx \delta$, if $a\gamma b$ undefined
\begin{align*}
a \mid b &\approx_r a \odot \epsilon \mid b \\
&\approx_r a \odot \epsilon \mid b \odot \epsilon \\
&\approx_r [\mathit{true}] \gg a \odot \epsilon \mid b \odot \epsilon \\
&\approx_r [\mathit{true}] \gg a \odot \epsilon \mid [\mathit{true}] \gg b \odot \epsilon \\
&\approx_r \delta
\end{align*}


If we replace $a$ or $b$ by $\delta$ we trivially find $a \mid \delta \approx \delta \mid b \approx \delta$.

The axiom: $x \parallel y \approx x \lfloor\!\lfloor y \oplus y \lfloor\!\lfloor x \oplus x \mid y$
Trivial.

The axiom: $a \lfloor\!\lfloor x \approx a \odot x$
\begin{align*}
a \lfloor\!\lfloor x &\approx_r (a \odot \epsilon) \lfloor\!\lfloor x \\
&\approx_r a \odot (\epsilon \parallel x) \\
&\approx_r a \odot x
\end{align*}
If we replace $a$ by $\delta$ we trivially find $\delta \lfloor\!\lfloor x = \delta$.

The axiom: $a \odot x \lfloor\!\lfloor y \approx a \odot (x \parallel y)$
Trivial. Furthermore, if we replace $a$ by $\delta$, we easily find the following derivation.
\begin{align*}
\delta \odot x \lfloor\!\lfloor y &\approx_r \delta \lfloor\!\lfloor y \\
&\approx_r \delta \\
&\approx_r \delta \odot (x \parallel y)
\end{align*}

The axiom: $(x \oplus y) \lfloor\!\lfloor z \approx x \lfloor\!\lfloor z \oplus y \lfloor\!\lfloor z$
Trivial.

The axiom: $a \odot x \mid b \approx (a \mid b) \odot x$
The proof of this has four cases. If $a\gamma b$ is defined, we obtain the following proof, in which we use $a \mid b = a\gamma b$.
\begin{align*}
a \odot x \mid b &\approx_r a \odot x \mid b \odot \epsilon \\
&\approx_r [\mathit{true}] \gg a \odot x \mid b \odot \epsilon \\
&\approx_r [\mathit{true}] \gg a \odot x \mid [\mathit{true}] \gg b \odot \epsilon \\
&\approx_r ([\mathit{true}] \wedge [\mathit{true}]) \gg (a\gamma b) \odot (x \parallel \epsilon) \\
&\approx_r [\mathit{true}] \gg (a\gamma b) \odot (x \parallel \epsilon) \\
&\approx_r (a\gamma b) \odot (x \parallel \epsilon) \\
&\approx_r (a\gamma b) \odot (x \lfloor\!\lfloor \epsilon \oplus \epsilon \lfloor\!\lfloor x \oplus x \mid \epsilon) \\
&\approx_r (a\gamma b) \odot (\epsilon \lfloor\!\lfloor x \oplus x \lfloor\!\lfloor \epsilon \oplus x \mid \epsilon) \\
&\approx_r (a\gamma b) \odot (\epsilon \lfloor\!\lfloor x \oplus x \lfloor\!\lfloor \epsilon \oplus \epsilon \mid x) \\
&\approx_r (a\gamma b) \odot (\epsilon \parallel x) \\
&\approx_r (a\gamma b) \odot x \\
&\approx_r (a \mid b) \odot x
\end{align*}


If $a\gamma b$ is undefined, we obtain the following proof, in which we use $a \mid b = \delta$.
\begin{align*}
a \odot x \mid b &\approx_r a \odot x \mid b \odot \epsilon \\
&\approx_r [\mathit{true}] \gg a \odot x \mid b \odot \epsilon \\
&\approx_r [\mathit{true}] \gg a \odot x \mid [\mathit{true}] \gg b \odot \epsilon \\
&\approx_r \delta \\
&\approx_r \delta \odot x \\
&\approx_r (a \mid b) \odot x
\end{align*}

If $a$ is replaced by deadlock, we find
\begin{align*}
\delta \odot x \mid b &\approx_r \delta \mid b \\
&\approx_r \delta \\
&\approx_r \delta \odot x \\
&\approx_r (\delta \mid b) \odot x
\end{align*}
And similarly if $b$ is replaced by deadlock (using commutativity).

The axiom: $a \mid b \odot x \approx (a \mid b) \odot x$
The proof of this has four cases. If $a\gamma b$ is defined, we obtain the following proof, in which we use $a \mid b = a\gamma b$.
\begin{align*}
a \mid b \odot x &\approx_r a \odot \epsilon \mid b \odot x \\
&\approx_r a \odot \epsilon \mid [\mathit{true}] \gg b \odot x \\
&\approx_r [\mathit{true}] \gg a \odot \epsilon \mid [\mathit{true}] \gg b \odot x \\
&\approx_r ([\mathit{true}] \wedge [\mathit{true}]) \gg (a\gamma b) \odot (\epsilon \parallel x) \\
&\approx_r [\mathit{true}] \gg (a\gamma b) \odot (\epsilon \parallel x) \\
&\approx_r (a\gamma b) \odot (\epsilon \parallel x) \\
&\approx_r (a\gamma b) \odot x \\
&\approx_r (a \mid b) \odot x
\end{align*}

If $a\gamma b$ is undefined, we obtain the following proof, in which we use $a \mid b = \delta$.
\begin{align*}
a \mid b \odot x &\approx_r a \odot \epsilon \mid b \odot x \\
&\approx_r a \odot \epsilon \mid [\mathit{true}] \gg b \odot x \\
&\approx_r [\mathit{true}] \gg a \odot \epsilon \mid [\mathit{true}] \gg b \odot x \\
&\approx_r \delta \\
&\approx_r \delta \odot x \\
&\approx_r (a \mid b) \odot x
\end{align*}


If $a$ is replaced by deadlock we find
\begin{align*}
\delta \mid b \odot x &\approx_r \delta \\
&\approx_r \delta \odot x \\
&\approx_r (\delta \mid b) \odot x
\end{align*}
And similarly if $b$ is replaced by deadlock (using $\delta \odot x \approx \delta$ and commutativity).

The axiom: $a \odot x \mid b \odot y \approx (a \mid b) \odot (x \parallel y)$
The proof of this has four cases. If $a\gamma b$ is defined, we obtain the following proof, in which we use $a \mid b = a\gamma b$.
\begin{align*}
a \odot x \mid b \odot y &\approx_r a \odot x \mid [\mathit{true}] \gg b \odot y \\
&\approx_r [\mathit{true}] \gg a \odot x \mid [\mathit{true}] \gg b \odot y \\
&\approx_r ([\mathit{true}] \wedge [\mathit{true}]) \gg (a\gamma b) \odot (x \parallel y) \\
&\approx_r [\mathit{true}] \gg (a\gamma b) \odot (x \parallel y) \\
&\approx_r (a\gamma b) \odot (x \parallel y) \\
&\approx_r (a \mid b) \odot (x \parallel y)
\end{align*}

If $a\gamma b$ is undefined, we obtain the following proof, in which we use $a \mid b = \delta$.
\begin{align*}
a \odot x \mid b \odot y &\approx_r a \odot x \mid [\mathit{true}] \gg b \odot y \\
&\approx_r [\mathit{true}] \gg a \odot x \mid [\mathit{true}] \gg b \odot y \\
&\approx_r \delta \\
&\approx_r \delta \odot (x \parallel y) \\
&\approx_r (a \mid b) \odot (x \parallel y)
\end{align*}

If $a$ is replaced by deadlock we find
\begin{align*}
\delta \odot x \mid b \odot y &\approx_r \delta \mid b \odot y \\
&\approx_r \delta \\
&\approx_r \delta \odot (x \parallel y) \\
&\approx_r (\delta \mid b) \odot (x \parallel y)
\end{align*}
And similarly if $b$ is replaced by deadlock (using commutativity).

The axiom: $(x \oplus y) \mid z \approx x \mid z \oplus y \mid z$
Trivial.


The axiom: $x \mid (y \oplus z) \approx x \mid y \oplus x \mid z$
\begin{align*}
x \mid (y \oplus z) &\approx_r (y \oplus z) \mid x \\
&\approx_r y \mid x \oplus z \mid x \\
&\approx_r x \mid y \oplus z \mid x \\
&\approx_r x \mid y \oplus x \mid z
\end{align*}

The axiom: $\partial_H(a) \approx a$, if $a \notin H$
Trivial.

The axiom: $\partial_H(a) \approx \delta$, if $a \in H$
Trivial, except when $a$ is replaced by deadlock. Then we find the following derivation.
\begin{align*}
\partial_H(\delta) &\approx_r \partial_H([\mathit{false}] \gg x) \\
&\approx_r [\mathit{false}] \gg \partial_H(x) \\
&\approx_r \delta
\end{align*}

The axiom: $\partial_H(x \oplus y) \approx \partial_H(x) \oplus \partial_H(y)$
Trivial.

The axiom: $\partial_H(x \odot y) \approx \partial_H(x) \odot \partial_H(y)$
Trivial.

E.2  HyPA $\vdash p \approx_r q$ implies ACP $\vdash p \approx q$

In this section, we prove the converse case. This is done using the semantic models of HyPA and ACP. We show that if two closed ACP terms $p$ and $q$ are bisimilar in HyPA (which we may assume using soundness of the derivation HyPA $\vdash p \approx_r q$), then they are bisimilar in ACP. Then, we use completeness of the axiomatization of ACP to conclude that there must be a derivation in ACP showing this bisimilarity. Throughout this section, we use the notation $x \in \mathit{ACP}$ for '$x$ is a closed ACP term', and similarly for HyPA.


The operational semantics of ACP is given by the following rules.

$$\frac{}{\langle a\rangle \xrightarrow{a}_{ACP} \checkmark}$$

$$\frac{\langle x\rangle \xrightarrow{a}_{ACP} \langle x'\rangle}{\langle x \oplus y\rangle \xrightarrow{a}_{ACP} \langle x'\rangle \quad \langle y \oplus x\rangle \xrightarrow{a}_{ACP} \langle x'\rangle}
\qquad
\frac{\langle x\rangle \xrightarrow{a}_{ACP} \checkmark}{\langle x \oplus y\rangle \xrightarrow{a}_{ACP} \checkmark \quad \langle y \oplus x\rangle \xrightarrow{a}_{ACP} \checkmark}$$

$$\frac{\langle x\rangle \xrightarrow{a}_{ACP} \langle x'\rangle}{\langle x \odot y\rangle \xrightarrow{a}_{ACP} \langle x' \odot y\rangle}
\qquad
\frac{\langle x\rangle \xrightarrow{a}_{ACP} \checkmark}{\langle x \odot y\rangle \xrightarrow{a}_{ACP} \langle y\rangle}$$

$$\frac{\langle x\rangle \xrightarrow{a}_{ACP} \langle x'\rangle}{\langle x \parallel y\rangle \xrightarrow{a}_{ACP} \langle x' \parallel y\rangle \quad \langle y \parallel x\rangle \xrightarrow{a}_{ACP} \langle y \parallel x'\rangle \quad \langle x \lfloor\!\lfloor y\rangle \xrightarrow{a}_{ACP} \langle x' \parallel y\rangle}$$

$$\frac{\langle x\rangle \xrightarrow{a}_{ACP} \checkmark}{\langle x \parallel y\rangle \xrightarrow{a}_{ACP} \langle y\rangle \quad \langle y \parallel x\rangle \xrightarrow{a}_{ACP} \langle y\rangle \quad \langle x \lfloor\!\lfloor y\rangle \xrightarrow{a}_{ACP} \langle y\rangle}$$

$$\frac{\langle x\rangle \xrightarrow{a'}_{ACP} \langle x'\rangle,\ \langle y\rangle \xrightarrow{a''}_{ACP} \langle y'\rangle,\ a = a'\gamma a''}{\langle x \parallel y\rangle \xrightarrow{a}_{ACP} \langle x' \parallel y'\rangle \quad \langle x \mid y\rangle \xrightarrow{a}_{ACP} \langle x' \parallel y'\rangle}$$

$$\frac{\langle x\rangle \xrightarrow{a'}_{ACP} \checkmark,\ \langle y\rangle \xrightarrow{a''}_{ACP} \langle y'\rangle,\ a = a'\gamma a''}{\langle x \parallel y\rangle \xrightarrow{a}_{ACP} \langle y'\rangle \quad \langle y \parallel x\rangle \xrightarrow{a}_{ACP} \langle y'\rangle \quad \langle x \mid y\rangle \xrightarrow{a}_{ACP} \langle y'\rangle}$$

$$\frac{\langle x\rangle \xrightarrow{a'}_{ACP} \checkmark,\ \langle y\rangle \xrightarrow{a''}_{ACP} \checkmark,\ a = a'\gamma a''}{\langle x \parallel y\rangle \xrightarrow{a}_{ACP} \checkmark \quad \langle x \mid y\rangle \xrightarrow{a}_{ACP} \checkmark}$$

$$\frac{\langle x\rangle \xrightarrow{a}_{ACP} \langle x'\rangle,\ a \notin H}{\langle \partial_H(x)\rangle \xrightarrow{a}_{ACP} \langle \partial_H(x')\rangle}
\qquad
\frac{\langle x\rangle \xrightarrow{a}_{ACP} \checkmark,\ a \notin H}{\langle \partial_H(x)\rangle \xrightarrow{a}_{ACP} \checkmark}$$

Note that the empty process $\epsilon$ is not an ACP term. Instead, ACP has a transition predicate denoted as $\langle p\rangle \xrightarrow{a}_{ACP} \checkmark$. The notion of bisimulation for ACP terms is therefore defined as follows.

Definition 57 (ACP-Bisimulation) A relation $R \subseteq P \times P$ on process terms of ACP is an ACP-bisimulation relation if for all $p, q \in P$ such that $p\,R\,q$, we find
• $\langle p\rangle \xrightarrow{a}_{ACP} \langle p'\rangle$ implies there exists $q'$ s.t. $\langle q\rangle \xrightarrow{a}_{ACP} \langle q'\rangle$ and $p'\,R\,q'$;
• $\langle q\rangle \xrightarrow{a}_{ACP} \langle q'\rangle$ implies there exists $p'$ s.t. $\langle p\rangle \xrightarrow{a}_{ACP} \langle p'\rangle$ and $p'\,R\,q'$;
• $\langle p\rangle \xrightarrow{a}_{ACP} \checkmark$ implies $\langle q\rangle \xrightarrow{a}_{ACP} \checkmark$;
• $\langle q\rangle \xrightarrow{a}_{ACP} \checkmark$ implies $\langle p\rangle \xrightarrow{a}_{ACP} \checkmark$.
Two process terms $x$ and $y$ are ACP-bisimilar, denoted $x \leftrightarrow_{ACP} y$, if there exists an ACP-bisimulation relation that relates them.

Now we will prove the following theorem, relating ACP-bisimulation with bisimulation as defined for HyPA.

Theorem 49 For closed ACP terms $p$ and $q$ we find that if $p \leftrightarrow q$ then $p \leftrightarrow_{ACP} q$.

Clearly, using soundness of HyPA and completeness of ACP, we can derive from this theorem that HyPA $\vdash p \approx_r q \ \Rightarrow\ p \leftrightarrow q \ \Rightarrow\ p \leftrightarrow_{ACP} q \ \Rightarrow\ $ ACP $\vdash p \approx q$. The following four lemmas are used to prove this theorem.

Lemma 8 If $x \in \mathit{ACP}$ and $\langle x\rangle \xrightarrow{a}_{ACP} \checkmark$ then there exists $y' \leftrightarrow \epsilon$ (with $y' \in \mathit{HyPA}$) such that $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle y',\nu\rangle$ for every $\nu \in \mathit{Val}$.

Proof This proof uses induction on the structure of $x$. Since $x \in \mathit{ACP}$, we find the following cases.

1. $x = \delta$, which contradicts the assumption $\langle x\rangle \xrightarrow{a}_{ACP} \checkmark$.

2. $x = a$. From this we conclude, using the semantics of HyPA, that $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle \epsilon,\nu\rangle$ for every $\nu \in \mathit{Val}$.

3. $x = x' \oplus x'' \wedge x', x'' \in \mathit{ACP}$, for which we find one of the following hypotheses, using the semantics of ACP.
   (a) $\langle x'\rangle \xrightarrow{a}_{ACP} \checkmark$. With induction, we conclude for $x'$ that there exists $y' \leftrightarrow \epsilon$ such that $\langle x',\nu\rangle \xrightarrow{a,\nu} \langle y',\nu\rangle$ for every $\nu \in \mathit{Val}$, hence also $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle y',\nu\rangle$, using the semantics of HyPA.
   (b) $\langle x''\rangle \xrightarrow{a}_{ACP} \checkmark$, similar to the previous case.

4. $x = x' \odot x''$, which contradicts the assumption $\langle x\rangle \xrightarrow{a}_{ACP} \checkmark$.

5. $x = x' \parallel x'' \wedge x', x'' \in \mathit{ACP}$, for which we find the following hypothesis, using the semantics of ACP.


   (a) $\exists_{a',a''}\ a = a'\gamma a'' \wedge \langle x'\rangle \xrightarrow{a'}_{ACP} \checkmark \wedge \langle x''\rangle \xrightarrow{a''}_{ACP} \checkmark$. With induction, we conclude for $x'$ and $x''$ that there exist $z \leftrightarrow \epsilon$ and $z' \leftrightarrow \epsilon$ such that $\langle x',\nu\rangle \xrightarrow{a',\nu} \langle z,\nu\rangle$ and $\langle x'',\nu\rangle \xrightarrow{a'',\nu} \langle z',\nu\rangle$ for every $\nu \in \mathit{Val}$. Using the semantics of HyPA, we then find that $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle z \parallel z',\nu\rangle$, and using congruence for the parallel composition, together with the derivable, hence sound, theorem $\epsilon \parallel \epsilon \approx_r \epsilon$, we obtain $z \parallel z' \approx_r \epsilon$.

6. $x = x' \lfloor\!\lfloor x''$, which contradicts the assumption $\langle x\rangle \xrightarrow{a}_{ACP} \checkmark$.

7. $x = x' \mid x'' \wedge x', x'' \in \mathit{ACP}$, similar to the proof of $x = x' \parallel x''$.

8. $x = \partial_H(x') \wedge x' \in \mathit{ACP}$, for which we find the following hypothesis, using the semantics of ACP.
   (a) $a \notin H \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \checkmark$. With induction, we conclude for $x'$ that there exists $y' \leftrightarrow \epsilon$ such that $\langle x',\nu\rangle \xrightarrow{a,\nu} \langle y',\nu\rangle$ for every $\nu \in \mathit{Val}$, hence also $\langle \partial_H(x'),\nu\rangle \xrightarrow{a,\nu} \langle \partial_H(y'),\nu\rangle$, and with congruence and the sound axiom $\partial_H(\epsilon) \approx_r \epsilon$ we find $\partial_H(y') \leftrightarrow \epsilon$. ⊠

Lemma 9 If $x \in \mathit{ACP}$ and $\langle x\rangle \xrightarrow{a}_{ACP} \langle y\rangle$ then there exists $y' \leftrightarrow y$ (with $y' \in \mathit{HyPA}$) such that $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle y',\nu\rangle$ for every $\nu \in \mathit{Val}$.

Proof This proof uses induction on the structure of $x$. Since $x \in \mathit{ACP}$, we find the following cases.

1. $x = \delta$, which contradicts the assumption $\langle x\rangle \xrightarrow{a}_{ACP} \langle y\rangle$.

2. $x = a$, which contradicts the assumption $\langle x\rangle \xrightarrow{a}_{ACP} \langle y\rangle$.

3. $x = x' \oplus x'' \wedge x', x'' \in \mathit{ACP}$, for which we find one of the following hypotheses, using the semantics of ACP.
   (a) $\langle x'\rangle \xrightarrow{a}_{ACP} \langle y\rangle$. With induction, we conclude for $x'$ that there exists $y' \leftrightarrow y$ such that $\langle x',\nu\rangle \xrightarrow{a,\nu} \langle y',\nu\rangle$ for every $\nu \in \mathit{Val}$, hence also $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle y',\nu\rangle$, using the semantics of HyPA.
   (b) $\langle x''\rangle \xrightarrow{a}_{ACP} \langle y\rangle$, similar to the previous case.

4. $x = x' \odot x'' \wedge x', x'' \in \mathit{ACP}$, for which we find one of the following hypotheses, using the semantics of ACP.


   (a) $\exists_z\ y = z \odot x'' \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \langle z\rangle$. With induction, we conclude for $x'$ that there exists a $z' \leftrightarrow z$ such that $\langle x',\nu\rangle \xrightarrow{a,\nu} \langle z',\nu\rangle$ for every $\nu \in \mathit{Val}$, hence we find $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle z' \odot x'',\nu\rangle$ using the semantics of HyPA, and $z' \odot x'' \leftrightarrow y$ using congruence of the sequential composition.
   (b) $x'' = y \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \checkmark$. Using the previous lemma, we may conclude that there exists $z \leftrightarrow \epsilon$ such that $\langle x',\nu\rangle \xrightarrow{a,\nu} \langle z,\nu\rangle$ for all $\nu \in \mathit{Val}$. Then, using the semantics of HyPA we find $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle z \odot x'',\nu\rangle$. Congruence for the sequential composition, and soundness of the axiom $\epsilon \odot x \approx_r x$, then give us $z \odot x'' \leftrightarrow y$.

5. $x = x' \parallel x'' \wedge x', x'' \in \mathit{ACP}$, for which we find one of the following hypotheses, using the semantics of ACP.
   (a) $\exists_z\ y = z \parallel x'' \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \langle z\rangle$. With induction, we conclude for $x'$ that there exists $z' \leftrightarrow z$ such that $\langle x',\nu\rangle \xrightarrow{a,\nu} \langle z',\nu\rangle$ for all $\nu \in \mathit{Val}$, and using the semantics of HyPA we conclude $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle z' \parallel x'',\nu\rangle$. Congruence for the parallel composition then gives us $z' \parallel x'' \leftrightarrow y$.
   (b) $\exists_z\ y = x' \parallel z \wedge \langle x''\rangle \xrightarrow{a}_{ACP} \langle z\rangle$, similar to the previous case.
   (c) $\exists_{a',a'',z,z'}\ y = z \parallel z' \wedge a = a'\gamma a'' \wedge \langle x'\rangle \xrightarrow{a'}_{ACP} \langle z\rangle \wedge \langle x''\rangle \xrightarrow{a''}_{ACP} \langle z'\rangle$. With induction on the structure of $x'$ and $x''$ we find $w \leftrightarrow z$ and $w' \leftrightarrow z'$ such that $\langle x',\nu\rangle \xrightarrow{a',\nu} \langle w,\nu\rangle$ and $\langle x'',\nu\rangle \xrightarrow{a'',\nu} \langle w',\nu\rangle$. Using the semantics of HyPA we then conclude $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle w \parallel w',\nu\rangle$, and congruence for the parallel composition gives $w \parallel w' \leftrightarrow y$.

6. $x = x' \lfloor\!\lfloor x''$, a subcase of $x = x' \parallel x''$.

7. $x = x' \mid x''$, a subcase of $x = x' \parallel x''$.

8. $x = \partial_H(x') \wedge x' \in \mathit{ACP}$, for which we find the following hypothesis, using the semantics of ACP.
   (a) $\exists_z\ y = \partial_H(z) \wedge a \notin H \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \langle z\rangle$. With induction, we conclude for $x'$ that there exists $z' \leftrightarrow z$ such that $\langle x',\nu\rangle \xrightarrow{a,\nu} \langle z',\nu\rangle$ for every $\nu \in \mathit{Val}$, hence also $\langle \partial_H(x'),\nu\rangle \xrightarrow{a,\nu} \langle \partial_H(z'),\nu\rangle$, and with congruence we find $y \leftrightarrow \partial_H(z')$. ⊠

Lemma 10 If $x \in \mathit{ACP}$ then there is no $\nu$ such that $\langle x,\nu\rangle\checkmark$.


Proof Obvious. For immediate termination in HyPA, there must be an $\epsilon$ subterm of $x$. No other constants or operators introduce termination. ⊠

Lemma 11 If $x \in \mathit{ACP}$ and there is a $\nu$ such that $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle y,\nu\rangle$ (with $y \in \mathit{HyPA}$), then either $y \leftrightarrow \epsilon$ and $\langle x\rangle \xrightarrow{a}_{ACP} \checkmark$, or there exists $y' \in \mathit{ACP}$ such that $y \leftrightarrow y'$ and $\langle x\rangle \xrightarrow{a}_{ACP} \langle y'\rangle$.

Proof This proof uses induction on the structure of $x$. For $x \in \mathit{ACP}$, we find the following cases.

1. $x = \delta$, which contradicts the assumption that $\langle x,\nu\rangle \xrightarrow{a,\nu} \langle y,\nu\rangle$ for some $\nu \in \mathit{Val}$.

2. $x = a$, for which we find trivially $y = \epsilon$, and using the semantics of ACP $\langle x\rangle \xrightarrow{a}_{ACP} \checkmark$.

3. $x = x' \oplus x'' \wedge x', x'' \in \mathit{ACP}$, for which we find one of the following hypotheses, using the semantics of HyPA.
   (a) $\langle x',\nu\rangle \xrightarrow{a,\nu} \langle y,\nu\rangle$. With induction, we find for $x'$ one of the two following hypotheses:
      i. $y \leftrightarrow \epsilon \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \checkmark$, from which we conclude, using the semantics of ACP, that $\langle x\rangle \xrightarrow{a}_{ACP} \checkmark$.
      ii. $\exists_{y'}\ y' \in \mathit{ACP} \wedge y \leftrightarrow y' \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \langle y'\rangle$, from which we conclude, using the semantics of ACP, that $\langle x\rangle \xrightarrow{a}_{ACP} \langle y'\rangle$.
   (b) $\langle x'',\nu\rangle \xrightarrow{a,\nu} \langle y,\nu\rangle$, similar to the previous case.

4. $x = x' \odot x'' \wedge x', x'' \in \mathit{ACP}$, for which we find one of the following hypotheses, using the semantics of HyPA.
   (a) $\langle x',\nu\rangle\checkmark \wedge \langle x'',\nu\rangle \xrightarrow{a,\nu} \langle y,\nu\rangle$, which according to lemma 10 contradicts the assumption that $x' \in \mathit{ACP}$.
   (b) $y = z \odot x'' \wedge \langle x',\nu\rangle \xrightarrow{a,\nu} \langle z,\nu\rangle$. With induction, we find for $x'$ one of the two following hypotheses:
      i. $z \leftrightarrow \epsilon \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \checkmark$, from which we conclude, using the semantics of ACP, that $\langle x\rangle \xrightarrow{a}_{ACP} \langle x''\rangle$, and using congruence of sequential composition together with the sound axiom $\epsilon \odot x'' \approx_r x''$, that $y \leftrightarrow x''$.
      ii. $\exists_{z'}\ z' \in \mathit{ACP} \wedge z \leftrightarrow z' \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \langle z'\rangle$, from which we conclude, using the semantics of ACP, that $\langle x\rangle \xrightarrow{a}_{ACP} \langle z' \odot x''\rangle$, and using congruence of the sequential composition that $y \leftrightarrow z' \odot x''$.


5. $x = x' \parallel x'' \wedge x', x'' \in \mathit{ACP}$, for which we find one of the following hypotheses, using the semantics of HyPA.
   (a) $\exists_z\ y = z \parallel x'' \wedge \langle x',\nu\rangle \xrightarrow{a,\nu} \langle z,\nu\rangle$. With induction, we find for $x'$ one of the two following hypotheses:
      i. $z \leftrightarrow \epsilon \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \checkmark$, from which we conclude that $\langle x\rangle \xrightarrow{a}_{ACP} \langle x''\rangle$, and using equational reasoning $y \leftrightarrow x''$.
      ii. $\exists_{z'}\ z' \in \mathit{ACP} \wedge z \leftrightarrow z' \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \langle z'\rangle$, from which we conclude that $\langle x\rangle \xrightarrow{a}_{ACP} \langle z' \parallel x''\rangle$, and using congruence $y \leftrightarrow z' \parallel x''$.
   (b) $\exists_z\ y = x' \parallel z \wedge \langle x'',\nu\rangle \xrightarrow{a,\nu} \langle z,\nu\rangle$, which is similar to the previous case.
   (c) $\exists_{a',a'',z,z'}\ y = z \parallel z' \wedge a = a'\gamma a'' \wedge \langle x',\nu\rangle \xrightarrow{a',\nu} \langle z,\nu\rangle \wedge \langle x'',\nu\rangle \xrightarrow{a'',\nu} \langle z',\nu\rangle$. With induction, we find for $x'$ and $x''$ one of the four following hypotheses:
      i. $z \leftrightarrow \epsilon \wedge \langle x'\rangle \xrightarrow{a'}_{ACP} \checkmark \wedge z' \leftrightarrow \epsilon \wedge \langle x''\rangle \xrightarrow{a''}_{ACP} \checkmark$, from which we conclude using the semantics of ACP that $\langle x\rangle \xrightarrow{a}_{ACP} \checkmark$, and using equational reasoning that $y \leftrightarrow \epsilon$.
      ii. $z \leftrightarrow \epsilon \wedge \langle x'\rangle \xrightarrow{a'}_{ACP} \checkmark \wedge \exists_{w'}\ w' \in \mathit{ACP} \wedge z' \leftrightarrow w' \wedge \langle x''\rangle \xrightarrow{a''}_{ACP} \langle w'\rangle$, from which we conclude using the semantics of ACP that $\langle x\rangle \xrightarrow{a}_{ACP} \langle w'\rangle$, and using congruence and (sound) equational reasoning that $y \leftrightarrow w'$.
      iii. $\exists_w\ w \in \mathit{ACP} \wedge z \leftrightarrow w \wedge \langle x'\rangle \xrightarrow{a'}_{ACP} \langle w\rangle \wedge z' \leftrightarrow \epsilon \wedge \langle x''\rangle \xrightarrow{a''}_{ACP} \checkmark$. Similar to the previous case.
      iv. $\exists_{w,w'}\ w, w' \in \mathit{ACP} \wedge z \leftrightarrow w \wedge \langle x'\rangle \xrightarrow{a'}_{ACP} \langle w\rangle \wedge z' \leftrightarrow w' \wedge \langle x''\rangle \xrightarrow{a''}_{ACP} \langle w'\rangle$, from which we conclude using the semantics of ACP that $\langle x\rangle \xrightarrow{a}_{ACP} \langle w \parallel w'\rangle$, and using congruence $y \leftrightarrow w \parallel w'$.

6. $x = x' \lfloor\!\lfloor x''$, which is a subcase of $x = x' \parallel x''$.

7. $x = x' \mid x''$, which is a subcase of $x = x' \parallel x''$.

8. $x = \partial_H(x') \wedge x' \in \mathit{ACP}$, for which we find one of the following hypotheses, using the semantics of HyPA.
   (a) $\exists_z\ y = \partial_H(z) \wedge a \notin H \wedge \langle x',\nu\rangle \xrightarrow{a,\nu} \langle z,\nu\rangle$. With induction, we find for $x'$ one of the two following hypotheses:
      i. $z \leftrightarrow \epsilon \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \checkmark$, from which we conclude, using the semantics of ACP, that $\langle x\rangle \xrightarrow{a}_{ACP} \checkmark$.

      ii. $\exists_{z'}\ z' \in \mathit{ACP} \wedge z \leftrightarrow z' \wedge \langle x'\rangle \xrightarrow{a}_{ACP} \langle z'\rangle$, from which we conclude, using the semantics of ACP, that $\langle x\rangle \xrightarrow{a}_{ACP} \langle \partial_H(z')\rangle$, and using congruence $y \leftrightarrow \partial_H(z')$. ⊠

Using these four lemmas, we can prove the main theorem by showing that $\leftrightarrow$ is an ACP-bisimulation relation.

Corollary 4 $\leftrightarrow$, restricted to closed ACP terms, is an ACP-bisimulation relation.

Proof Suppose $p \leftrightarrow q$, and $p, q \in \mathit{ACP}$.

• If $\langle p\rangle \xrightarrow{a}_{ACP} \langle p'\rangle$, then we use lemma 9 to find $y \leftrightarrow p'$ such that $\langle p,\nu\rangle \xrightarrow{a,\nu} \langle y,\nu\rangle$ for every $\nu$. Since $\leftrightarrow$ is a bisimulation relation, there exists $y' \leftrightarrow y$ such that $\langle q,\nu\rangle \xrightarrow{a,\nu} \langle y',\nu\rangle$. Using lemma 10, and the observation that $p' \in \mathit{ACP}$, we find that not $\langle p',\nu\rangle\checkmark$. Now, we can use lemma 11 to find that there exists a $q' \leftrightarrow y'$ such that $\langle q\rangle \xrightarrow{a}_{ACP} \langle q'\rangle$. Lastly, $\leftrightarrow$ is an equivalence relation, from which we conclude $p' \leftrightarrow q'$.

• If $\langle q\rangle \xrightarrow{a}_{ACP} \langle q'\rangle$, the reasoning is similar to the previous case.

• If $\langle p\rangle \xrightarrow{a}_{ACP} \checkmark$, then we use lemma 8 to find $y \leftrightarrow \epsilon$ such that $\langle p,\nu\rangle \xrightarrow{a,\nu} \langle y,\nu\rangle$ for every $\nu$. Since $\leftrightarrow$ is a bisimulation relation, there exists $y' \leftrightarrow y$ such that $\langle q,\nu\rangle \xrightarrow{a,\nu} \langle y',\nu\rangle$. Now, using lemma 11 we may conclude that either there exists $z \in \mathit{ACP}$ such that $z \leftrightarrow y'$ (which cannot be, since then $z \leftrightarrow \epsilon$ and $\langle z,\nu\rangle\checkmark$, contradicting lemma 10), or $y' \leftrightarrow \epsilon$ (which is true) and $\langle q\rangle \xrightarrow{a}_{ACP} \checkmark$.

• If $\langle q\rangle \xrightarrow{a}_{ACP} \checkmark$, the reasoning is similar to the previous case. ⊠


Appendix F  Details of the elimination of parallel composition

In this appendix, we prove that every closed HyPA term is derivably equal to a basic term. Thereto, let $p$ be an arbitrary closed HyPA term. For the first step of this proof, assume that all occurrences of $\delta$, $\epsilon$, atomic actions $a$ and flow clauses $c$ are underlined. We use the notation $\underline{p}$ for the underlined version of $p$. On this underlined version of $p$ we apply the rewrite system consisting of the following four rewrite rules:
\begin{align*}
\underline{\delta} &\hookrightarrow [\mathit{false}] \gg \epsilon, \\
\underline{\epsilon} &\hookrightarrow [\mathit{true}] \gg \epsilon, \\
\underline{a} &\hookrightarrow [\mathit{true}] \gg a \odot [\mathit{true}] \gg \epsilon, \\
\underline{c} &\hookrightarrow [\mathit{true}] \gg c \rhd [\mathit{false}] \gg \epsilon.
\end{align*}
First, observe that this term rewrite system is strongly normalizing, as in each rewrite step the number of underlined symbols decreases. Second, all four rewrite rules are derivable using the axioms of HyPA (neglecting the underlining):
\begin{align*}
\delta &\approx_r [\mathit{false}] \gg \epsilon, \\
\epsilon &\approx_r [\mathit{true}] \gg \epsilon, \\
a &\approx_r a \odot \epsilon \approx_r [\mathit{true}] \gg a \odot \epsilon \approx_r [\mathit{true}] \gg a \odot [\mathit{true}] \gg \epsilon, \\
c &\approx_r c \rhd \delta \approx_r [\mathit{true}] \gg c \rhd \delta \approx_r [\mathit{true}] \gg c \rhd [\mathit{false}] \gg \epsilon.
\end{align*}

Finally, the normal forms of underlined versions of closed HyPA terms are necessarily of the form
$$N' ::= d \gg \epsilon \;\;\big|\;\; d \gg a \odot N' \;\;\big|\;\; d \gg c \rhd N' \;\;\big|\;\; N' \oplus N' \;\;\big|\;\; d \gg N' \;\;\big|\;\; N' \odot N' \;\;\big|\;\; N' \blacktriangleright N' \;\;\big|\;\; N' \rhd N' \;\;\big|\;\; N' \parallel N' \;\;\big|\;\; N' \lfloor\!\lfloor N' \;\;\big|\;\; N' \mid N' \;\;\big|\;\; \partial_H(N').$$

Observe that basic terms are also of this form. Thus we have achieved that for any closed HyPA term there exists an $N'$ term that is derivably equal. In the remainder of this appendix, we show that for any $N'$ term there exists a basic term that is derivably equal.

F.1  The rewrite system

Next, we give a rewrite system that is constructed for the task of rewriting $N'$ terms into basic terms.

$$\begin{array}{lrcl}
(1) & d \gg d' \gg x & \hookrightarrow & (d \sim d') \gg x \\
(2) & d \gg (x \oplus y) & \hookrightarrow & d \gg x \oplus d \gg y \\
(3) & (d \gg \epsilon) \odot x & \hookrightarrow & d^{?} \gg x \\
(4) & (d \gg a \odot x) \odot y & \hookrightarrow & d \gg a \odot (x \odot y) \\
(5) & (d \gg c \rhd x) \odot y & \hookrightarrow & d \gg c \rhd x \odot y \\
(6) & (x \oplus y) \odot z & \hookrightarrow & x \odot z \oplus y \odot z \\
(7) & x \blacktriangleright y & \hookrightarrow & x \rhd y \oplus y \\
(8) & (d \gg \epsilon) \rhd x & \hookrightarrow & d \gg \epsilon \\
(9) & (d \gg a \odot x) \rhd y & \hookrightarrow & d \gg a \odot (x \blacktriangleright y) \\
(10) & (d \gg c \rhd x) \rhd y & \hookrightarrow & d \gg c \rhd (x \blacktriangleright y) \\
(11) & (x \oplus y) \rhd z & \hookrightarrow & x \rhd z \oplus y \rhd z \\
(12) & \partial_H(d \gg \epsilon) & \hookrightarrow & d \gg \epsilon \\
(13) & \partial_H(d \gg a \odot x) & \hookrightarrow & d \gg a \odot \partial_H(x) \quad \text{if } a \notin H \\
(14) & \partial_H(d \gg a \odot x) & \hookrightarrow & [\mathit{false}] \gg \epsilon \quad \text{if } a \in H \\
(15) & \partial_H(d \gg c \rhd x) & \hookrightarrow & d \gg c \rhd \partial_H(x) \\
(16) & \partial_H(x \oplus y) & \hookrightarrow & \partial_H(x) \oplus \partial_H(y) \\
(17) & x \parallel y & \hookrightarrow & x \lfloor\!\lfloor y \oplus y \lfloor\!\lfloor x \oplus x \mid y \\
(18) & d \gg \epsilon \lfloor\!\lfloor x & \hookrightarrow & [\mathit{false}] \gg \epsilon \\
(19) & d \gg a \odot x \lfloor\!\lfloor y & \hookrightarrow & d \gg a \odot (x \parallel y) \\
(20) & d \gg c \rhd x \lfloor\!\lfloor y & \hookrightarrow & [\mathit{false}] \gg \epsilon \\
(21) & (x \oplus y) \lfloor\!\lfloor z & \hookrightarrow & x \lfloor\!\lfloor z \oplus y \lfloor\!\lfloor z \\
(22) & (x \oplus y) \mid z & \hookrightarrow & x \mid z \oplus y \mid z \\
(23) & x \mid (y \oplus z) & \hookrightarrow & x \mid y \oplus x \mid z \\
(24) & d \gg \epsilon \mid d' \gg \epsilon & \hookrightarrow & (d^{?} \wedge d'^{?}) \gg \epsilon \\
(25) & d \gg \epsilon \mid d' \gg a \odot x & \hookrightarrow & [\mathit{false}] \gg \epsilon \\
(26) & d \gg a \odot x \mid d' \gg \epsilon & \hookrightarrow & [\mathit{false}] \gg \epsilon \\
(27) & d \gg \epsilon \mid d' \gg c \rhd x & \hookrightarrow & (d^{?} \sim d') \gg c \rhd x \\
(28) & d \gg c \rhd x \mid d' \gg \epsilon & \hookrightarrow & (d'^{?} \sim d) \gg c \rhd x \\
(29) & d \gg a \odot x \mid d' \gg a' \odot y & \hookrightarrow & (d \wedge d') \gg (a\gamma a') \odot (x \parallel y) \quad \text{if } (a\gamma a') \text{ defined} \\
(30) & d \gg a \odot x \mid d' \gg a' \odot y & \hookrightarrow & [\mathit{false}] \gg \epsilon \quad \text{if } (a\gamma a') \text{ undefined} \\
(31) & d \gg a \odot x \mid d' \gg c \rhd y & \hookrightarrow & [\mathit{false}] \gg \epsilon \\
(32) & d \gg c \rhd x \mid d' \gg a \odot y & \hookrightarrow & [\mathit{false}] \gg \epsilon \\
(33) & d \gg c \rhd x \mid d' \gg c' \rhd y & \hookrightarrow & ((d \sim c_{jmp}) \wedge (d' \sim c'_{jmp})) \gg (c \wedge c') \rhd \Big( x \lfloor\!\lfloor \big([\mathit{true}] \gg c' \rhd [\mathit{false}] \gg \epsilon\big) \blacktriangleright y \\
& & & \quad \oplus\ y \lfloor\!\lfloor \big([\mathit{true}] \gg c \rhd [\mathit{false}] \gg \epsilon\big) \blacktriangleright x \\
& & & \quad \oplus\ x \mid \big([\mathit{true}] \gg c' \rhd [\mathit{false}] \gg \epsilon\big) \blacktriangleright y \\
& & & \quad \oplus\ y \mid \big([\mathit{true}] \gg c \rhd [\mathit{false}] \gg \epsilon\big) \blacktriangleright x \Big)
\end{array}$$


In the following sections we show that this rewrite system only allows one to rewrite $N'$ terms into derivably equal $N'$ terms (soundness of the rewrite system, see appendix F.2), that the rewrite system is strongly normalizing (see appendix F.3), and that every normal form of an $N'$ term is necessarily a basic term (see appendix F.4).
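As an added worked run of the procedure (not from the thesis), the elimination of parallel composition from the closed term $a \parallel b$, for $a\gamma b$ undefined, using the underlining rules from the start of this appendix and the numbered rules of appendix F.1; the abbreviations $E$, $A$ and $B$ are introduced here only for readability and are not the thesis's notation.

```latex
% Added example, not the thesis's own derivation. Abbreviations (mine):
%   E = [true] >> eps,   A = [true] >> a . E,   B = [true] >> b . E.
% Underlining step on a || b:  a -> A,  b -> B,  so we start from A || B.
\begin{align*}
A \parallel B
  &\hookrightarrow A \lfloor\!\lfloor B \ \oplus\ B \lfloor\!\lfloor A \ \oplus\ A \mid B
     && \text{(17)} \\[4pt]
A \lfloor\!\lfloor B
  &\hookrightarrow [\mathit{true}] \gg a \odot (E \parallel B)
     && \text{(19)} \\
E \parallel B
  &\hookrightarrow E \lfloor\!\lfloor B \ \oplus\ B \lfloor\!\lfloor E \ \oplus\ E \mid B
     && \text{(17)} \\
  &\hookrightarrow [\mathit{false}] \gg \epsilon \ \oplus\ B \lfloor\!\lfloor E \ \oplus\ E \mid B
     && \text{(18)} \\
  &\hookrightarrow [\mathit{false}] \gg \epsilon \ \oplus\ [\mathit{true}] \gg b \odot (E \parallel E) \ \oplus\ E \mid B
     && \text{(19)} \\
  &\hookrightarrow [\mathit{false}] \gg \epsilon \ \oplus\ [\mathit{true}] \gg b \odot (E \parallel E) \ \oplus\ [\mathit{false}] \gg \epsilon
     && \text{(25)} \\
E \parallel E
  &\hookrightarrow E \lfloor\!\lfloor E \ \oplus\ E \lfloor\!\lfloor E \ \oplus\ E \mid E
     && \text{(17)} \\
  &\hookrightarrow [\mathit{false}] \gg \epsilon \ \oplus\ [\mathit{false}] \gg \epsilon \ \oplus\ ([\mathit{true}]^{?} \wedge [\mathit{true}]^{?}) \gg \epsilon
     && \text{(18), (18), (24)} \\[4pt]
A \mid B
  &\hookrightarrow [\mathit{false}] \gg \epsilon
     && \text{(30), } a\gamma b \text{ undefined}
\end{align*}
% B ⌊⌊ A rewrites symmetrically (swap a and b). Substituting back, the normal form of
% A || B is built only from d >> eps, d >> a . _ , d >> b . _ and (+): an N' term in
% which ||, ⌊⌊ and | no longer occur, which is the shape appendix F.4 claims for every
% normal form. With aγb defined, rule (29) would give instead
%   A | B  ->  ([true] ∧ [true]) >> (aγb) . (E || E),
% after which E || E rewrites exactly as above.
```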

F.2

Soundness of the rewrite system

In this subsection we show that for each rewrite rule s ֒→ t of the rewrite system introduced in appendix F.1, we have HyPA ⊢ s = t. For the rewrite rules (1), (2), (3), (6), (7), (11), (16), (17), (21), (22), (23), (24), (27), and (29), this follows directly from the axioms as for each of these rewrite rules there is an axiom that states that the left-hand and right-hand sides are derivably equal. For the rewrite rules from £ (25), ¤(30), and (32) this is £ obtained ¤ false true the axioms and application of δ ≈ ≫ ǫ and/or c ≈ ≫ c ⊲ r r £ ¤ false ≫ ǫ. Both these equalities have been proven in first step of the elimination result in this appendix. For the rewrite rules (26), (28), (31), and (33) this follows from the soundness of other rewrite rules and the axiom x | y ≈r y | x. For the other rewrite rules the derivations are shown below: (4) (5) (8) (9) (10) (12) (13,14)

(15) (18) (19) (20)

F.3

(d ≫ a ⊙ x) ⊙ y ≈r ((d ≫ a) ⊙ x) ⊙ y ≈r (d ≫ a) ⊙ (x ⊙ y) ≈r d ≫ a ⊙ (x ⊙ y) (d ≫ c ⊲ x) ⊙ y ≈r ((d ≫ c) ⊲ x) ⊙ y ≈r ((d ≫ c) ⊙ δ ⊲ x) ⊙ y ≈r (d ≫ c) ⊙ δ ⊲ x ⊙ y ≈r (d ≫ c) ⊲ x ⊙ y ≈r d ≫ c ⊲ x ⊙ y (d ≫ ǫ) ⊲ x ≈r d ≫ ǫ ⊲ x ≈r d ≫ ǫ (d ≫ a ⊙ x) ⊲ y ≈r d ≫ a ⊙ x ⊲ y ≈r d ≫ a ⊙ (x ◮ y) (d ≫ c ⊲ x) ⊲ y ≈r d ≫ (c ⊲ x) ⊲ y ≈r d ≫ c ⊲ (x ◮ y) ∂H (d ≫ ǫ) ≈r d ≫ ∂H (ǫ) ≈r d ≫ ǫ ∂H (d ≫ a ⊙ x) ≈r d ≫ ∂H (a ⊙ x) ≈r d ≫ ∂H (a) ⊙ ∂H (x) ( d ≫ a ⊙ ∂H (x) if a 6∈ H h i ≈r d ≫ δ ⊙ ∂H (x) ≈r d ≫ δ ≈r δ ≈r false ≫ ǫ if a ∈ H ∂H (d ≫ c ⊲ x) ≈r¡d ≫ ∂¢H (c ⊲ x) ≈r d ≫ c£ ⊲ ∂H (x) ¤ d ≫ ǫ k x ≈r d ≫ ǫ k ¡x ≈r d ≫ δ¢ ≈r δ ≈r false ≫ ǫ d ≫ a ⊙ x k y ≈r d ≫ ¡a ⊙ x k y ¢ ≈r d ≫ a ⊙ (x k y)£ ¤ d ≫ c ⊲ x k y ≈r d ≫ c ⊲ x k y ≈r d ≫ δ ≈r δ ≈r false ≫ ǫ

The rewrite system is strongly normalizing

Appendix F Details of the elimination of parallel composition

That the above rewrite system is strongly normalizing can be demonstrated using semantic labelling in combination with the recursive path ordering technique as (among others) described in [Baeten and Verhoef, 1995]. We define the following ranking norm on N′ terms:

• ⌊ε⌋ = ⌊a⌋ = 0;
• ⌊c⌋ = 1;
• ⌊d ≫ x⌋ = ⌊∂H(x)⌋ = ⌊x⌋ + 1;
• ⌊x ⊕ y⌋ = ⌊x ⊙ y⌋ = ⌊x ◮ y⌋ = ⌊x ⊲ y⌋ = ⌊x ‖ y⌋ = ⌊x ⌊⌊ y⌋ = ⌊x | y⌋ = ⌊x⌋ + ⌊y⌋.

Now, we label the operators d ≫, ⊙, ◮, ⊲, ‖, ⌊⌊ and | with the norm of the term of which they are the leading symbol, i.e. we write x ⊙⌊x⌋+⌊y⌋ y instead of x ⊙ y. Then, we define the following (well-founded) ordering on labelled operators. (Note that we still treat d ≫ x as a unary operator.)

• ε, a (for a ∈ A) and ⊕ are smaller than all other operators;
• d ≫n < d′ ≫n+1 for all n, d, d′;
• d ≫n < ⊙0 for all n;
• ⊙n < ⊲n < ◮n < ⊙n+1 for all n;
• ε < ∂H();
• ◮n < ∂H() for all n;
• ◮n < ⌊⌊0 for all n;
• ⌊⌊n < |n < ‖n < ⌊⌊n+1 for all n.

It is straightforward, but cumbersome, to show for each of the rules that they are strictly decreasing with respect to the recursive path ordering based on

Appendix G Specification of safety: proof

↦(a,µ) ⟨r, µ′⟩, then we may use the fact that S is a bisimulation relation to conclude that there exists ⟨r″, µ″⟩ such that ⟨q′, ν′⟩ ↦(a,µ) ⟨r″, µ″⟩. Finally, from the fact that ∂H(p) is safe, we conclude that a ∉ H. So, every transition from a state reachable from p is safe, and hence p is safe.

Now, consider the reverse case, which we prove in more detail. Let p be a process term that is safe for actions in H. Then we define the following relation

S = {(⟨q, ν⟩, ⟨∂H(q), ν⟩) | ∃ν′ ⟨q, ν⟩ ∈ R(⟨p, ν′⟩)},

and show that it is a bisimulation relation that witnesses p ≈ ∂H(p). Obviously, it is a witness relation, since ⟨p, ν⟩ ∈ R(⟨p, ν⟩) for all ν and hence ⟨p, ν⟩ S ⟨∂H(p), ν⟩. Now, to show that it is a bisimulation relation, assume that ⟨x, ν⟩ S ⟨∂H(x), ν⟩ and consider the following cases:

• ⟨x, ν⟩ ✓
Using the definition of encapsulation we find ⟨∂H(x), ν⟩ ✓.

• ⟨∂H(x), ν⟩ ✓
For this, we need the assumption ⟨x, ν⟩ ✓, according to the semantics of encapsulation.

• ⟨x, ν⟩ ↦(a,µ) ⟨x′, µ′⟩
Using the fact that ⟨x, ν⟩ ∈ R(⟨p, ξ⟩) for some ξ, and using the fact that p is safe for actions in H, we conclude that a ∉ H. Then, using the semantics of encapsulation of actions, we conclude ⟨∂H(x), ν⟩ ↦(a,µ) ⟨∂H(x′), µ′⟩ with ⟨x′, µ′⟩ S ⟨∂H(x′), µ′⟩.

• ⟨∂H(x), ν⟩ ↦(a,µ) ⟨y, µ′⟩
From the semantics of encapsulation it follows that for ⟨∂H(x), ν⟩ ↦(a,µ) ⟨y, µ′⟩ we need that y is of the form ∂H(x′) and that ⟨x, ν⟩ ↦(a,µ) ⟨x′, µ′⟩. Finally, because ⟨x′, µ′⟩ is reachable from ⟨x, ν⟩ and hence is reachable from ⟨p, ξ⟩ for some ξ, we may conclude ⟨x′, µ′⟩ S ⟨∂H(x′), µ′⟩.

• ⟨x, ν⟩ ⇝σ ⟨x′, µ′⟩
Using the semantics of encapsulation of actions, we conclude ⟨∂H(x), ν⟩ ⇝σ ⟨∂H(x′), µ′⟩ with ⟨x′, µ′⟩ S ⟨∂H(x′), µ′⟩.

• ⟨∂H(x), ν⟩ ⇝σ ⟨y, µ′⟩
From the semantics of encapsulation it follows that for ⟨∂H(x), ν⟩ ⇝σ ⟨y, µ′⟩ we need that y is of the form ∂H(x′) and that ⟨x, ν⟩ ⇝σ ⟨x′, µ′⟩. Finally, because ⟨x′, µ′⟩ is reachable from ⟨x, ν⟩ and hence is reachable from ⟨p, ξ⟩ for some ξ, we may conclude ⟨x′, µ′⟩ S ⟨∂H(x′), µ′⟩. ⊠
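The characterization just proved (p is safe for H exactly when p ≈ ∂H(p)) can be checked mechanically on a finite abstraction. The Python script below is an added example and not part of the thesis: on a small constructed labelled transition system it computes safety by reachability, computes encapsulation by dropping H-labelled transitions, and decides strong bisimilarity by naive partition refinement, so both sides of the theorem can be compared. State names, action labels and the transition lists are constructed for illustration; valuations and flows are abstracted away, so this is the discrete, action-only instance of the result.

```python
"""Safety versus encapsulation, checked on a finite labelled transition system.

Added example; the LTS below is constructed for illustration and is not a
HyPA process from the thesis. Valuations and flows are abstracted away, so
states are plain labels and only action transitions are modelled.
"""
from collections import deque

# Constructed LTS: (source, action, target). The action "bad" plays the role
# of an element of the forbidden set H.
UNSAFE_LTS = [
    ("p0", "a", "p1"), ("p1", "b", "p0"), ("p1", "c", "p2"),
    ("p2", "bad", "p3"), ("p3", "a", "p3"),
]
# Same shape, but p2 loops on a permitted action instead of performing "bad".
SAFE_LTS = [
    ("p0", "a", "p1"), ("p1", "b", "p0"), ("p1", "c", "p2"),
    ("p2", "a", "p2"),
]


def reachable(lts, start):
    """States reachable from `start` (the set R(p) of the thesis, discretised)."""
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        for src, _, dst in lts:
            if src == state and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def is_safe(lts, start, H):
    """p is safe for H: no reachable state performs an action in H."""
    reach = reachable(lts, start)
    return all(label not in H for src, label, _ in lts if src in reach)


def encapsulate(lts, H):
    """Encapsulation on an LTS: every H-labelled transition is blocked."""
    return [(src, label, dst) for src, label, dst in lts if label not in H]


def bisimilar(lts1, start1, lts2, start2):
    """Strong bisimilarity of two rooted LTSs via naive partition refinement.

    Both systems are tagged and placed in one disjoint union; the coarsest
    partition stable under `(block, {(label, block of successor)})` is the
    bisimulation equivalence, and the roots are bisimilar iff they share a block.
    """
    union = [(("1", s), l, ("1", t)) for s, l, t in lts1]
    union += [(("2", s), l, ("2", t)) for s, l, t in lts2]
    states = {("1", start1), ("2", start2)}
    states |= {x for s, _, t in union for x in (s, t)}
    block = {s: 0 for s in states}
    while True:
        signature = {
            s: (block[s], frozenset((l, block[t]) for src, l, t in union if src == s))
            for s in states
        }
        classes = {}
        for s in sorted(states):
            classes.setdefault(signature[s], []).append(s)
        refined = {s: i for i, group in enumerate(classes.values()) for s in group}
        # Refinement only ever splits blocks, so an unchanged block count means
        # the partition is stable and equals the bisimulation equivalence.
        if len(classes) == len(set(block.values())):
            return refined[("1", start1)] == refined[("2", start2)]
        block = refined


def safe_by_encapsulation(lts, start, H):
    """The encapsulation side of the theorem: p is bisimilar to its H-encapsulation."""
    return bisimilar(lts, start, encapsulate(lts, H), start)


if __name__ == "__main__":
    H = {"bad"}
    for name, lts in (("unsafe", UNSAFE_LTS), ("safe", SAFE_LTS)):
        print(name, is_safe(lts, "p0", H), safe_by_encapsulation(lts, "p0", H))
```

Both functions agree on every start state of both systems, as the theorem predicts; note that `is_safe` and `safe_by_encapsulation` also agree that `UNSAFE_LTS` is safe when started in `p3`, where the forbidden transition is no longer reachable.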

Appendix H

Soundness of axioms for predicate encapsulation

H.1

∂Pm (d ≫ δ) ≈r δ

Trivial.

H.2

∂Pm (d ≫ ε) ≈r d ≫ ε

Trivial.

H.3

∂Pm (d ≫ a) ≈r (d ∼ [¬Pm⁻]) ≫ a

The axiom ∂Pm(d ≫ a) ≈r (d ∼ [¬Pm⁻]) ≫ a is, for given Pm ∈ Pm, d ∈ D and a ∈ A, witnessed by the relation

S = {(⟨∂Pm(d ≫ a), ν⟩, ⟨(d ∼ [¬Pm⁻]) ≫ a, ν⟩) | ν ∈ Val} ∪ {(⟨∂Pm(ε), ν⟩, ⟨ε, ν⟩) | ν ∈ Val}.

That this is indeed a witnessing relation is obvious, and that it is robust is straightforward to verify. That it is a bisimulation relation follows from the following cases. Assume that ⟨p, ν⟩ S ⟨q, ν⟩. From the definition, it follows that either p = ∂Pm(d ≫ a) and q = (d ∼ [¬Pm⁻]) ≫ a, or p = ∂Pm(ε) and q = ε. Since the proof for the second case is trivial, we only discuss the first. Because actions cannot terminate, nor perform flow transitions, neither ∂Pm(d ≫ a) nor (d ∼ [¬Pm⁻]) ≫ a can terminate or perform flow transitions. We therefore only need to consider the following cases.

• ⟨∂Pm(d ≫ a), ν⟩ ↦(a,µ) ⟨p′, µ′⟩
For this, according to the semantics of HyPA, we need the assumption that µ |=m ¬Pm, that p′ = ∂Pm(ε) and that (ν, µ) |=d d. Hence, (ν, µ) |=d (d ∼ [¬Pm⁻]), from which we conclude that ⟨(d ∼ [¬Pm⁻]) ≫ a, ν⟩ ↦(a,µ) ⟨ε, µ′⟩ with ⟨∂Pm(ε), µ′⟩ S ⟨ε, µ′⟩.

• ⟨(d ∼ [¬Pm⁻]) ≫ a, ν⟩ ↦(a,µ) ⟨p′, µ′⟩
For this, according to the semantics of HyPA, we need the assumption that there exists ν′ such that (ν, ν′) |=d d and (ν′, µ) |=d [¬Pm⁻]. From this we conclude that ν′ = µ and hence µ |=m ¬Pm. Finally, we find that ⟨∂Pm(d ≫ a), ν⟩ ↦(a,µ) ⟨∂Pm(ε), µ′⟩ with ⟨∂Pm(ε), µ′⟩ S ⟨ε, µ′⟩.

H.4

∂Pm (d ≫ c) ≈r d ≫ (c ∧ (¬Pm ))

The axiom ∂Pm(d ≫ c) ≈r d ≫ (c ∧ (¬Pm)) is, for given Pm ∈ Pm, d ∈ D and c ∈ C, witnessed by the relation

S = {(⟨∂Pm(d ≫ c), ν⟩, ⟨d ≫ (c ∧ (¬Pm)), ν⟩) | ν ∈ Val} ∪ {(⟨∂Pm(c), ν⟩, ⟨c ∧ (¬Pm), ν⟩) | ν ∈ Val}.

That this is indeed a witnessing relation is obvious, and that it is robust is straightforward to verify. That it is a bisimulation relation follows from the following cases. Assume that ⟨p, ν⟩ S ⟨q, ν⟩. From the definition, it follows that either p = ∂Pm(d ≫ c) and q = d ≫ (c ∧ (¬Pm)), or p = ∂Pm(c) and q = c ∧ (¬Pm). Since the proofs for these cases are similar, we only discuss the first. Because flow clauses cannot terminate, nor perform action transitions, ∂Pm(d ≫ c) and d ≫ (c ∧ (¬Pm)) cannot terminate, nor perform action transitions. We therefore only need to study the following cases.

• ⟨∂Pm(d ≫ c), ν⟩ ⇝σ ⟨p′, µ′⟩
From the semantics of predicate encapsulation, we obtain that for every τ ∈ dom(σ) we have σ(τ) |=m ¬Pm, and hence σ |=f ¬Pm. Furthermore, for the above transition, we need the assumption that there exists ν′ ∈ Val with (ν, ν′) |=d d and (ν′, σ) |=c c. From all this we conclude that (ν′, σ) |=c c ∧ (¬Pm), and hence ⟨d ≫ (c ∧ (¬Pm)), ν⟩ ⇝σ ⟨c ∧ (¬Pm), µ′⟩. Finally, by definition of S, we have ⟨∂Pm(c), µ′⟩ S ⟨c ∧ (¬Pm), µ′⟩.

• ⟨d ≫ (c ∧ (¬Pm)), ν⟩ ⇝σ ⟨p′, µ′⟩
For this, we need the assumption that there exists ν′ ∈ Val with (ν, ν′) |=d d, (ν′, σ) |=c c and (ν′, σ) |=c (¬Pm). Also, we need that µ′ = σ(t), with dom(σ) = [0, t]. From all this, we may directly conclude that ⟨∂Pm(d ≫ c), ν⟩ ⇝σ ⟨∂Pm(c), µ′⟩. Finally, by definition of S, we have ⟨∂Pm(c), µ′⟩ S ⟨c ∧ (¬Pm), µ′⟩.

H.5

∂Pm (x ⊕ y) ≈r ∂Pm (x) ⊕ ∂Pm (y)

Similar to the proof of axiom ∂H (x ⊕ y) ≈r ∂H (x) ⊕ ∂H (y) in [Cuijpers and Reniers, 2004b].

H.6

∂Pm (x ⊙ y) ≈r ∂Pm (x) ⊙ ∂Pm (y)

Similar to the proof of axiom ∂H (x ⊙ y) ≈r ∂H (x) ⊙ ∂H (y) in [Cuijpers and Reniers, 2004b].

H.7

∂Pm (x ⊲ y) ≈r ∂Pm (x) ⊲ ∂Pm (y)

Similar to the proof of axiom ∂H (x ⊲ y) ≈r ∂H (x) ⊲ ∂H (y) in [Cuijpers and Reniers, 2004b].


Appendix I

Soundness of axioms for (initially stateless) bisimilarity

I.1

d ≫ a ⊙ x ≈ d ≫ a ⊙ d! ≫ x

The axiom d ≫ a ⊙ x ≈ d ≫ a ⊙ d! ≫ x, for a given re-initialization clause d and action a ∈ A, is witnessed by the bisimulation relation

S = {(⟨d ≫ a ⊙ x, ν⟩, ⟨d ≫ a ⊙ d! ≫ x, ν⟩) | x ∈ T(Vr), ν ∈ Val} ∪ {(⟨ε ⊙ x, ν⟩, ⟨ε ⊙ d! ≫ x, ν⟩) | x ∈ T(Vr), ν ∈ Val, (ν, ν) |=d d!} ∪ {(⟨x, ν⟩, ⟨x, ν⟩) | x ∈ T(Vr), ν ∈ Val}.

Obviously, this is a witnessing relation. We now prove that it is also a bisimulation relation. Assume that ⟨p, ν⟩ S ⟨q, ν′⟩. Obviously, ν = ν′. Furthermore, the case where p = q, and the case where p = ε ⊙ x and q = ε ⊙ d! ≫ x with (ν, ν) |=d d!, are straightforward. We focus on the case where p = d ≫ a ⊙ x and q = d ≫ a ⊙ d! ≫ x.

• ⟨d ≫ a ⊙ x, ν⟩ ✓
This cannot be the case, since (using the semantics of sequential composition and re-initialization) we would need the assumption ⟨a, ν⟩ ✓, which is false.

• ⟨d ≫ a ⊙ d! ≫ x, ν⟩ ✓
Similarly, this cannot be the case.

• ⟨d ≫ a ⊙ x, ν⟩ ↦(a,µ) ⟨x′, µ′⟩
From the semantics of sequential composition and re-initialization it follows that x′ = ε ⊙ x and that (ν, µ′) |=d d. Hence, we have that (µ′, µ′) |=d d!, from which we conclude that ⟨ε ⊙ x, µ′⟩ S ⟨ε ⊙ d! ≫ x, µ′⟩. Furthermore, from the semantics it also follows that ⟨d ≫ a ⊙ d! ≫ x, ν⟩ ↦(a,µ) ⟨ε ⊙ d! ≫ x, µ′⟩.

• ⟨d ≫ a ⊙ d! ≫ x, ν⟩ ↦(a,µ) ⟨x′, µ′⟩
Similar to the previous case.

• ⟨d ≫ a ⊙ x, ν⟩ ⇝σ ⟨x′, µ′⟩
This cannot be the case, since it would require a flow transition from a.

• ⟨d ≫ a ⊙ d! ≫ x, ν⟩ ⇝σ ⟨x′, µ′⟩
Similarly, this cannot be the case.

I.2

d ≫ c ⊲ x ≈ d ≫ c ⊲ (d ∼ D(c))! ≫ x

The axiom d ≫ c ⊲ x ≈ d ≫ c ⊲ (d ∼ D(c))! ≫ x, for a given re-initialization clause d ∈ D and flow clause c ∈ C, is witnessed by the bisimulation relation

S = {(⟨d ≫ c ⊲ x, ν⟩, ⟨d ≫ c ⊲ (d ∼ D(c))! ≫ x, ν⟩) | x ∈ T(Vr), ν ∈ Val} ∪ {(⟨c ◮ x, ν⟩, ⟨c ◮ (d ∼ D(c))! ≫ x, ν⟩) | x ∈ T(Vr), ν ∈ Val, (ν, ν) |=d (d ∼ D(c))!} ∪ {(⟨x, ν⟩, ⟨x, ν⟩) | x ∈ T(Vr), ν ∈ Val}.

Obviously, this is a witnessing relation. We now prove that it is also a bisimulation relation. In this proof, we need the assumption that the solutions of flow clauses are closed under concatenation. Concretely, this means that if (ν, σ) |=c c and (σ(t), σ′) |=c c, with dom(σ) = [0, t], then (ν, σ ∘ σ′) |=c c, with ∘ the concatenation operator on flows. As a result, we find for the associated re-initializations that D(c) ∼ D(c) = D(c). In the proof, we also use the axiom on reachability that (d ∼ d′)! = (d! ∼ d′)!.

Assume that ⟨p, ν⟩ S ⟨q, ν′⟩. Obviously, ν = ν′. Furthermore, the case where p = q is trivial. We focus first on the case where p = d ≫ c ⊲ x and q = d ≫ c ⊲ (d ∼ D(c))! ≫ x.

• ⟨d ≫ c ⊲ x, ν⟩ ✓
This cannot be the case, since (using the semantics of left-disrupt and re-initialization) we would need the assumption ⟨c, ν⟩ ✓, which is false.

• ⟨d ≫ c ⊲ (d ∼ D(c))! ≫ x, ν⟩ ✓
Similarly, this cannot be the case.

• ⟨d ≫ c ⊲ x, ν⟩ ↦(a,µ) ⟨x′, µ′⟩
This cannot be the case, since it would require an action transition from c.

• ⟨d ≫ c ⊲ (d ∼ D(c))! ≫ x, ν⟩ ↦(a,µ) ⟨x′, µ′⟩
Similarly, this cannot be the case.

• ⟨d ≫ c ⊲ x, ν⟩ ⇝σ ⟨x′, µ′⟩
From the semantics of the left-disrupt and re-initialization it follows that x′ = c ◮ x and that there exists µ such that (ν, µ) |=d d and (µ, σ) |=c c. Hence, we have that (ν, σ(t′)) |=d (d ∼ D(c))! for every t′ ∈ [0, t] = dom(σ). In particular, we have (ν, µ′) |=d (d ∼ D(c))!, because µ′ = σ(t). This leads to the conclusion that ⟨c ◮ x, µ′⟩ S ⟨c ◮ (d ∼ D(c))! ≫ x, µ′⟩. Furthermore, from the semantics it also follows that ⟨d ≫ c ⊲ (d ∼ D(c))! ≫ x, ν⟩ ⇝σ ⟨c ◮ (d ∼ D(c))! ≫ x, µ′⟩.

• ⟨d ≫ c ⊲ (d ∼ D(c))! ≫ x, ν⟩ ⇝σ ⟨x′, µ′⟩
Similar to the previous case.

For the case where p = c ◮ x and q = c ◮ (d ∼ D(c))! ≫ x, with (ν, ν) |=d (d ∼ D(c))!, we find:

• ⟨c ◮ x, ν⟩ ✓
For which, according to the semantics, we need the assumption that ⟨x, ν⟩ ✓. From the fact that (ν, ν) |=d (d ∼ D(c))! we then derive that also ⟨(d ∼ D(c))! ≫ x, ν⟩ ✓ and hence ⟨c ◮ (d ∼ D(c))! ≫ x, ν⟩ ✓.

• ⟨c ◮ (d ∼ D(c))! ≫ x, ν⟩ ✓
For which, according to the semantics, we need the assumption that ⟨x, ν⟩ ✓, and hence ⟨c ◮ x, ν⟩ ✓.

• ⟨c ◮ x, ν⟩ ↦(a,µ) ⟨x′, µ⟩
For which, according to the semantics, we need the assumption that ⟨x, ν⟩ ↦(a,µ) ⟨x′, µ⟩, since c cannot perform any action transitions. From the fact that (ν, ν) |=d (d ∼ D(c))! we then derive that also ⟨(d ∼ D(c))! ≫ x, ν⟩ ↦(a,µ) ⟨x′, µ⟩ and ultimately ⟨c ◮ (d ∼ D(c))! ≫ x, ν⟩ ↦(a,µ) ⟨x′, µ⟩. By definition, we have ⟨x′, µ⟩ S ⟨x′, µ⟩.

• ⟨c ◮ (d ∼ D(c))! ≫ x, ν⟩ ↦(a,µ) ⟨x′, µ⟩
For which, according to the semantics, we need the assumption that ⟨x, ν⟩ ↦(a,µ) ⟨x′, µ⟩ and (ν, ν) |=d (d ∼ D(c))!. Obviously, we may conclude that ⟨c ◮ x, ν⟩ ↦(a,µ) ⟨x′, µ⟩ and we find ⟨x′, µ⟩ S ⟨x′, µ⟩.

• ⟨c ◮ x, ν⟩ ⇝σ ⟨x′, µ′⟩
According to the semantics, we can distinguish two possible assumptions.

  – ⟨x, ν⟩ ⇝σ ⟨x′, µ′⟩
  From which we conclude, using the assumption (ν, ν) |=d (d ∼ D(c))!, that ⟨c ◮ (d ∼ D(c))! ≫ x, ν⟩ ⇝σ ⟨x′, µ′⟩ and we find ⟨x′, µ′⟩ S ⟨x′, µ′⟩.

  – ⟨c, ν⟩ ⇝σ ⟨c, µ′⟩ and x′ = c ◮ x
  From which we conclude that (ν, σ) |=c c. Hence, using µ′ = σ(t), with dom(σ) = [0, t], we find (ν, µ′) |=d (d ∼ D(c))! ∼ D(c). Using the assumption that flow clauses are closed under concatenation of flows, we find that ((d ∼ D(c))! ∼ D(c))! = (d ∼ D(c) ∼ D(c))! = (d ∼ D(c))!, from which we conclude that (µ′, µ′) |=d (d ∼ D(c))! and hence ⟨c ◮ x, µ′⟩ S ⟨c ◮ (d ∼ D(c))! ≫ x, µ′⟩. Finally, from the semantics, and the assumption that (ν, σ) |=c c, we may conclude that ⟨c ◮ (d ∼ D(c))! ≫ x, ν⟩ ⇝σ ⟨c ◮ (d ∼ D(c))! ≫ x, µ′⟩.

• ⟨c ◮ (d ∼ D(c))! ≫ x, ν⟩ ⇝σ ⟨x′, µ′⟩
According to the semantics, we can distinguish two possible assumptions.

  – ⟨(d ∼ D(c))! ≫ x, ν⟩ ⇝σ ⟨x′, µ′⟩
  From which we conclude directly ⟨x, ν⟩ ⇝σ ⟨x′, µ′⟩ and hence ⟨c ◮ x, ν⟩ ⇝σ ⟨x′, µ′⟩, with ⟨x′, µ′⟩ S ⟨x′, µ′⟩.

  – ⟨c, ν⟩ ⇝σ ⟨c, µ′⟩ and x′ = c ◮ (d ∼ D(c))! ≫ x
  From which we conclude directly that ⟨c ◮ x, ν⟩ ⇝σ ⟨c ◮ x, µ′⟩. Furthermore, using the concatenation closure of flow clauses, as before, we conclude that (µ′, µ′) |=d ((d ∼ D(c))! ∼ D(c))! = (d ∼ D(c) ∼ D(c))! = (d ∼ D(c))!, from which we ultimately conclude ⟨c ◮ x, µ′⟩ S ⟨c ◮ (d ∼ D(c))! ≫ x, µ′⟩.

Appendix J

RSP for (initially stateless) bisimilarity

When reasoning about recursion, it is often useful to have a principle that claims that a solution of a certain recursive specification exists, and is unique modulo the notion of equivalence that we are interested in. That a solution exists modulo (initially stateless) bisimilarity follows directly from the operational semantics of HyPA, but it is not immediately clear that that particular solution is the only process term satisfying the recursive equations. In appendix D, existence and uniqueness of solutions of so-called guarded recursive specifications was shown for the notion of robust bisimilarity. In this appendix, we adapt the proof of appendix D for initially stateless bisimilarity. The changes we need to make are only minor, so that we can restrict ourselves to the outline of the proof here.

We start out by formalizing what a solution of a recursive specification is.

Definition 58 (Solution) Let E be a recursive specification. An interpretation S ∈ Vr → T(Vr) of recursion variables as process terms is a solution of E (denoted S |= E) if for every recursive definition X ≈ p ∈ E we have S(X) ↔ S(p), where S(p) denotes the process term induced by application of S to the variables of p. In particular, S(X) is called a solution of X ≈ p ∈ E.

The recursive specification principle RSP, which is quite standard in process algebra [Bergstra and Klop, 1986], states that so-called guarded recursive specifications have at most one solution. For HyP A, guardedness of a recursive specification is defined as follows.

Definition 59 (Guardedness) A process term p is guarded if all occurrences of recursion variables in p are in the scope of an action prefix a ⊙ or a flow prefix c ⊲. A recursive specification E is guarded if for each recursive definition X ≈ p ∈ E, p can be rewritten into a guarded process term using the axiomatization of HyPA.


This leads to the principle given in table J.1.

Table J.1 Recursive Specification Principle

  S |= E,  S′ |= E,  E guarded,  X ∈ Vr
  -------------------------------------- RSP
               S(X) ≈ S′(X)

The proof of this usually goes via another principle, called the approximation induction principle AIP [Bergstra and Klop, 1986], which makes use of a family of projection operators πn. AIP states that if every finite projection of two processes is bisimilar, then the two processes are bisimilar. For the kind of semantical model we use, AIP is restricted in the sense that one of the compared processes should have bounded non-determinism. This is usually referred to as the restricted approximation induction principle AIP−. In this section, we introduce the family of projection operators, and formalize the notion of bounded non-determinism. Then we formally pose the approximation induction principle. After that, we show the existence of a bounded solution for guarded recursive specifications, and prove a projection property for guarded process terms. Finally, this allows us to prove soundness of RSP using AIP−.

Projection has the operational semantics stated in table J.2.

Table J.2 Operational semantics of projection

      ⟨p, ν⟩ ✓                    ⟨p, ν⟩ →l ⟨p′, ν′⟩
  -----------------      ----------------------------------
   ⟨πn(p), ν⟩ ✓           ⟨πn+1(p), ν⟩ →l ⟨πn(p′), ν′⟩

Based on the formats introduced in [Mousavi et al., 2004], we claim that initially stateless bisimilarity is a congruence for projection. Bounded non-determinism B(p) is defined as follows.

Definition 60 (Bounded non-determinism) Bounded non-determinism is recursively defined as:

• Every state has bounded non-determinism in 0 steps.
• A state ⟨p, ν⟩ has bounded non-determinism in n + 1 steps if for every label l the set R = {⟨p′, ν′⟩ | ⟨p, ν⟩ →l ⟨p′, ν′⟩} is finite, and all elements ⟨p′, ν′⟩ ∈ R have bounded non-determinism in n steps themselves.
• A state ⟨p, ν⟩ has bounded non-determinism (denoted B(⟨p, ν⟩)) if it has bounded non-determinism for any arbitrary number of steps.
• A process term p has bounded non-determinism (denoted B(p)) if for every valuation ν ∈ Val we find that ⟨p, ν⟩ has bounded non-determinism.

These definitions allow us to state the restricted approximation induction principle AIP−, given in table J.3. Next, we prove that this principle is sound.

Table J.3 Restricted approximation induction principle

  ∀n πn(p) ≈ πn(q),  B(q)
  ------------------------- AIP−
           p ≈ q

Theorem 51 AIP− is sound for the semantics of HyPA, modulo initially stateless bisimilarity.

Proof To prove this principle sound, suppose that R is the union of all bisimulation relations. In particular, it contains the bisimulation relations witnessing πn(p) ↔ πn(q). Note that R is an equivalence relation on states. We now construct the following relation

S = {(⟨x, ν⟩, ⟨y, µ⟩) | ∀n ⟨πn(x), ν⟩ R ⟨πn(y), µ⟩, B(⟨y, µ⟩)}.

The proof that this is indeed a witnessing bisimulation relation follows the same lines as the proof for robust bisimulation in [Cuijpers and Reniers, 2004b]. ⊠

Before we can use AIP− to prove RSP, we need to study bounded non-determinism and projections of guarded recursive specifications in more detail. We need to show existence of a bounded non-deterministic solution for each guarded recursive specification, and we need an axiomatization for projection with respect to guarded process terms.

Theorem 52 (Bounded non-determinism) Each guarded recursive specification E has a bounded non-deterministic solution.

Proof In [Cuijpers and Reniers, 2004b], this was shown for robust bisimilarity. The same solution is also a solution for the guarded recursive specification E under (initially stateless) bisimilarity. Hence, the theorem also holds for this weaker equivalence. ⊠

Theorem 53 (Guarded projection push) Define the interpretation Πn ∈ Vr → T(Vr) as before, and let S be an arbitrary interpretation of recursion variables. Then, we find the following axioms for guarded process terms p:

  π0(p) ≈r π0(S(p)),        πn+1(p) ≈r πn+1(Πn(p)).

Proof See [Cuijpers and Reniers, 2004b].

Corollary 5 Define the interpretation Πn ∈ Vr → T(Vr) as before, and let S be an arbitrary interpretation of recursion variables. Then the axioms π0(p) ≈ π0(S(p)) and πn+1(p) ≈ πn+1(Πn(p)) are sound.

Now, using corollary 5, the theorem on bounded non-determinism of guarded recursive specifications, and AIP−, it is easy to derive soundness of RSP.

Theorem 54 The recursive specification principle is sound.

Proof For convenience assume that X ≈ p ∈ E implies that p is already rewritten into a guarded process term. Using the theorem on bounded non-determinism, we know that there exists a solution S of E that has bounded non-determinism, i.e. B(S(X)) for every X ∈ Vr. Suppose that S′ is an arbitrary other solution for E. We show by induction on n that for every X ∈ Vr we have πn(S(X)) ≈ πn(S′(X)). From that we may then conclude S(X) ≈ S′(X) using AIP−. Note that if we have two arbitrary solutions of E, we may conclude them equal by showing that both are equal to S.

The base case, where n = 0, is derived using congruence (derivation rule (4)) and the first part of corollary 5:

  π0(S(X)) ≈ π0(S(p)) ≈ π0(p) ≈ π0(S′(p)) ≈ π0(S′(X)).

Using the second part of corollary 5, and the induction hypothesis that πn(S(X)) ≈ πn(S′(X)), we find firstly, using congruence again, that S(Πn(p)) ≈ S′(Πn(p)), and using this we derive:

  πn+1(S(X)) ≈ πn+1(S(p)) ≈ S(πn+1(p)) ≈ S(πn+1(Πn(p))) ≈ πn+1(S(Πn(p)))
             ≈ πn+1(S′(Πn(p))) ≈ S′(πn+1(Πn(p))) ≈ S′(πn+1(p)) ≈ πn+1(S′(p)) ≈ πn+1(S′(X)). ⊠

Appendix K

Linearization of Fischer's protocol

In this section, we give the linearization of the process S : init ≫ (Idle1 ‖ Idle2 ‖ C). We find that S ≈r init ≫ Xi,i, where the recursion variables Xs1,s2 (with s1, s2 ∈ {i, r, c, a} standing for the locations Idle, Request, Check and Access of process 1 and process 2) are defined below. Flow clauses are written (V | Pf) and re-initialization clauses [V | Pr], as in the rest of the thesis.

Xi,i : (turn, loc1, loc2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Idle, loc2 = Idle) ⊲ Xi,i
       ⊕ [x1, loc1 | turn⁻ = 0, x1⁺ = 0, loc1⁺ = Request] ≫ ι ⊙ Xr,i
       ⊕ [x2, loc2 | turn⁻ = 0, x2⁺ = 0, loc2⁺ = Request] ≫ ι ⊙ Xi,r

Xi,r : (turn, loc1, loc2, x2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Idle, loc2 = Request, ẋ2 ≥ 0, x2 ≤ D) ⊲ Xi,r
       ⊕ [x1, loc1 | turn⁻ = 0, x1⁺ = 0, loc1⁺ = Request] ≫ ι ⊙ Xr,r
       ⊕ [x2, loc2, turn | x2⁺ = 0, turn⁺ = 2, loc2⁺ = Check] ≫ ι ⊙ Xi,c

Xi,c : (turn, loc1, loc2, x2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Idle, loc2 = Check, ẋ2 ≥ 0) ⊲ Xi,c
       ⊕ [x1, loc1 | turn⁻ = 0, x1⁺ = 0, loc1⁺ = Request] ≫ ι ⊙ Xr,c
       ⊕ [loc2 | x2⁻ ≥ d, turn⁻ = 2, loc2⁺ = Access] ≫ ι ⊙ Xi,a
       ⊕ [loc2 | x2⁻ ≥ d, turn⁻ ≠ 2, loc2⁺ = Idle] ≫ ι ⊙ Xi,i

Xi,a : (turn, loc1, loc2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Idle, loc2 = Access) ⊲ Xi,a
       ⊕ [x1, loc1 | turn⁻ = 0, x1⁺ = 0, loc1⁺ = Request] ≫ ι ⊙ Xr,a
       ⊕ [turn, loc2 | turn⁺ = 0, loc2⁺ = Idle] ≫ ι ⊙ Xi,i

Xr,i : (turn, loc1, loc2, x1 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Request, loc2 = Idle, ẋ1 ≥ 0, x1 ≤ D) ⊲ Xr,i
       ⊕ [x1, loc1, turn | x1⁺ = 0, turn⁺ = 1, loc1⁺ = Check] ≫ ι ⊙ Xc,i
       ⊕ [x2, loc2 | turn⁻ = 0, x2⁺ = 0, loc2⁺ = Request] ≫ ι ⊙ Xr,r

Xr,r : (turn, loc1, loc2, x1, x2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Request, loc2 = Request, ẋ1 ≥ 0, x1 ≤ D, ẋ2 ≥ 0, x2 ≤ D) ⊲ Xr,r
       ⊕ [x1, loc1, turn | x1⁺ = 0, turn⁺ = 1, loc1⁺ = Check] ≫ ι ⊙ Xc,r
       ⊕ [x2, loc2, turn | x2⁺ = 0, turn⁺ = 2, loc2⁺ = Check] ≫ ι ⊙ Xr,c

Xr,c : (turn, loc1, loc2, x1, x2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Request, loc2 = Check, ẋ1 ≥ 0, x1 ≤ D, ẋ2 ≥ 0) ⊲ Xr,c
       ⊕ [x1, loc1, turn | x1⁺ = 0, turn⁺ = 1, loc1⁺ = Check] ≫ ι ⊙ Xc,c
       ⊕ [loc2 | x2⁻ ≥ d, turn⁻ = 2, loc2⁺ = Access] ≫ ι ⊙ Xr,a
       ⊕ [loc2 | x2⁻ ≥ d, turn⁻ ≠ 2, loc2⁺ = Idle] ≫ ι ⊙ Xr,i

Xr,a : (turn, loc1, loc2, x1 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Request, loc2 = Access, ẋ1 ≥ 0, x1 ≤ D) ⊲ Xr,a
       ⊕ [x1, loc1, turn | x1⁺ = 0, turn⁺ = 1, loc1⁺ = Check] ≫ ι ⊙ Xc,a
       ⊕ [turn, loc2 | turn⁺ = 0, loc2⁺ = Idle] ≫ ι ⊙ Xr,i

Xc,i : (turn, loc1, loc2, x1 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Check, loc2 = Idle, ẋ1 ≥ 0) ⊲ Xc,i
       ⊕ [loc1 | x1⁻ ≥ d, turn⁻ = 1, loc1⁺ = Access] ≫ ι ⊙ Xa,i
       ⊕ [loc1 | x1⁻ ≥ d, turn⁻ ≠ 1, loc1⁺ = Idle] ≫ ι ⊙ Xi,i
       ⊕ [x2, loc2 | turn⁻ = 0, x2⁺ = 0, loc2⁺ = Request] ≫ ι ⊙ Xc,r

Xc,r : (turn, loc1, loc2, x1, x2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Check, loc2 = Request, ẋ1 ≥ 0, ẋ2 ≥ 0, x2 ≤ D) ⊲ Xc,r
       ⊕ [loc1 | x1⁻ ≥ d, turn⁻ = 1, loc1⁺ = Access] ≫ ι ⊙ Xa,r
       ⊕ [loc1 | x1⁻ ≥ d, turn⁻ ≠ 1, loc1⁺ = Idle] ≫ ι ⊙ Xi,r
       ⊕ [x2, loc2, turn | x2⁺ = 0, turn⁺ = 2, loc2⁺ = Check] ≫ ι ⊙ Xc,c

Xc,c : (turn, loc1, loc2, x1, x2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Check, loc2 = Check, ẋ1 ≥ 0, ẋ2 ≥ 0) ⊲ Xc,c
       ⊕ [loc1 | x1⁻ ≥ d, turn⁻ = 1, loc1⁺ = Access] ≫ ι ⊙ Xa,c
       ⊕ [loc1 | x1⁻ ≥ d, turn⁻ ≠ 1, loc1⁺ = Idle] ≫ ι ⊙ Xi,c
       ⊕ [loc2 | x2⁻ ≥ d, turn⁻ = 2, loc2⁺ = Access] ≫ ι ⊙ Xc,a
       ⊕ [loc2 | x2⁻ ≥ d, turn⁻ ≠ 2, loc2⁺ = Idle] ≫ ι ⊙ Xc,i

Xc,a : (turn, loc1, loc2, x1 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Check, loc2 = Access, ẋ1 ≥ 0) ⊲ Xc,a
       ⊕ [loc1 | x1⁻ ≥ d, turn⁻ = 1, loc1⁺ = Access] ≫ ι ⊙ Xa,a
       ⊕ [loc1 | x1⁻ ≥ d, turn⁻ ≠ 1, loc1⁺ = Idle] ≫ ι ⊙ Xi,a
       ⊕ [turn, loc2 | turn⁺ = 0, loc2⁺ = Idle] ≫ ι ⊙ Xc,i

Xa,i : (turn, loc1, loc2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Access, loc2 = Idle) ⊲ Xa,i
       ⊕ [turn, loc1 | turn⁺ = 0, loc1⁺ = Idle] ≫ ι ⊙ Xi,i
       ⊕ [x2, loc2 | turn⁻ = 0, x2⁺ = 0, loc2⁺ = Request] ≫ ι ⊙ Xa,r

Xa,r : (turn, loc1, loc2, x2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Access, loc2 = Request, ẋ2 ≥ 0, x2 ≤ D) ⊲ Xa,r
       ⊕ [turn, loc1 | turn⁺ = 0, loc1⁺ = Idle] ≫ ι ⊙ Xi,r
       ⊕ [x2, loc2, turn | x2⁺ = 0, turn⁺ = 2, loc2⁺ = Check] ≫ ι ⊙ Xa,c

Xa,c : (turn, loc1, loc2, x2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Access, loc2 = Check, ẋ2 ≥ 0) ⊲ Xa,c
       ⊕ [turn, loc1 | turn⁺ = 0, loc1⁺ = Idle] ≫ ι ⊙ Xi,c
       ⊕ [loc2 | x2⁻ ≥ d, turn⁻ = 2, loc2⁺ = Access] ≫ ι ⊙ Xa,a
       ⊕ [loc2 | x2⁻ ≥ d, turn⁻ ≠ 2, loc2⁺ = Idle] ≫ ι ⊙ Xa,i

Xa,a : (turn, loc1, loc2 | ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, loc1 = Access, loc2 = Access) ⊲ Xa,a
       ⊕ [turn, loc1 | turn⁺ = 0, loc1⁺ = Idle] ≫ ι ⊙ Xi,a
       ⊕ [turn, loc2 | turn⁺ = 0, loc2⁺ = Idle] ≫ ι ⊙ Xa,i
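The sixteen equations above form a finite control structure over the clocks x1 and x2, the shared variable turn and the constants D, d and e. The Python script below is an added example and not part of the thesis: it explores the reachable states of this linearization under a discrete-time abstraction and reports whether a state with loc1 = loc2 = Access (the Xa,a equation) is reachable, which is the mutual exclusion property the protocol is meant to provide. The abstraction is the example's own assumption: between actions, every running clock advances by an integer amount between 1 and e, which stands in for the drift bound ẋ1 ≤ e ẋ2, ẋ2 ≤ e ẋ1, and clocks of idle or accessing processes are kept at 0 because the flow clauses do not constrain them there. Function and parameter names are the example's own.

```python
"""Reachability check on the linearised Fischer protocol (added example).

Discrete-time abstraction of the equations X_{s1,s2} above: each step is
either one iota action of one process (a re-initialization clause) or a
flow step in which every running clock advances by an integer rate in
1..e. The rate bound is an assumption standing in for the drift constraint
x1' <= e x2', x2' <= e x1'. Clocks are unconstrained in Idle and Access, so
they are kept at 0 there to keep the state space finite.
"""
from collections import deque
from itertools import product

IDLE, REQUEST, CHECK, ACCESS = "Idle", "Request", "Check", "Access"
INIT = (IDLE, IDLE, 0, 0, 0)  # (loc1, loc2, x1, x2, turn), i.e. the state of X_{i,i}


def action_steps(state, d):
    """The re-initialization clauses of X_{loc1,loc2}; process i is 1 or 2."""
    loc1, loc2, x1, x2, turn = state
    out = []
    for i, (loc, x) in enumerate(((loc1, x1), (loc2, x2)), start=1):
        if loc == IDLE and turn == 0:                  # turn- = 0, x+ = 0, loc+ = Request
            nloc, nx, nturn = REQUEST, 0, turn
        elif loc == REQUEST:                           # x+ = 0, turn+ = i, loc+ = Check
            nloc, nx, nturn = CHECK, 0, i
        elif loc == CHECK and x >= d and turn == i:    # x- >= d, turn- = i, loc+ = Access
            nloc, nx, nturn = ACCESS, 0, turn
        elif loc == CHECK and x >= d:                  # x- >= d, turn- != i, loc+ = Idle
            nloc, nx, nturn = IDLE, 0, turn
        elif loc == ACCESS:                            # turn+ = 0, loc+ = Idle
            nloc, nx, nturn = IDLE, 0, 0
        else:
            continue
        if i == 1:
            out.append((nloc, loc2, nx, x2, nturn))
        else:
            out.append((loc1, nloc, x1, nx, nturn))
    return out


def flow_steps(state, D, d, e):
    """One time unit of the flow clause, for every admissible pair of clock rates.

    A clock in Request may not pass D (the conjunct x <= D), so a step that
    would violate it is not a flow of the clause at all. A clock in Check is
    capped at d, since the guards only test x >= d; this keeps the state
    space finite without changing which guards are enabled.
    """
    loc1, loc2, x1, x2, turn = state
    out = []
    for r1, r2 in product(range(1, e + 1), repeat=2):
        clocks = []
        for loc, x, r in ((loc1, x1, r1), (loc2, x2, r2)):
            if loc == REQUEST:
                if x + r > D:
                    break
                clocks.append(x + r)
            elif loc == CHECK:
                clocks.append(min(x + r, d))
            else:
                clocks.append(0)
        else:
            out.append((loc1, loc2, clocks[0], clocks[1], turn))
    return out


def find_violation(D, d, e=1):
    """BFS over reachable states; returns a trace to loc1 = loc2 = Access, or None."""
    parent = {INIT: None}
    queue = deque([INIT])
    while queue:
        state = queue.popleft()
        if state[0] == ACCESS and state[1] == ACCESS:
            trace = []
            while state is not None:
                trace.append(state)
                state = parent[state]
            return trace[::-1]
        for nxt in action_steps(state, d) + flow_steps(state, D, d, e):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None


def mutual_exclusion_holds(D, d, e=1):
    return find_violation(D, d, e) is None


if __name__ == "__main__":
    for D, d, e in ((2, 3, 1), (2, 2, 1), (2, 5, 2), (2, 4, 2)):
        trace = find_violation(D, d, e)
        verdict = "safe" if trace is None else "violation in %d steps" % (len(trace) - 1)
        print(f"D={D} d={d} e={e}: {verdict}")
```

With perfect clocks (e = 1) the abstraction reports a violation for d = D and none for d > D; allowing a relative drift of e = 2 makes d = 2D insufficient and d > 2D sufficient. The returned trace of a violation is the interleaving of ι actions and flow steps that a reviewer would want to see when the parameters are mis-chosen.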

Appendix L

Congruence of (initially stateless) bisimilarity

In this appendix, we prove congruence of bisimilarity for parallel composition of interference free processes. Freedom of interference is defined as follows.

Definition 61 (Freedom of interference) A state ⟨p, ς⟩ is interference free if for every transition ⟨p, ς⟩ →l ⟨p′, ς′⟩ we find that:

• l = (a, ς″) implies ς = ς′ = ς″, and
• ⟨p′, ς′⟩ is interference free.

A process p is interference free if ⟨p, ς⟩ is interference free for every ς ∈ Val.

It is straightforward to verify that, if the only re-initializations that are used on actions have an empty set of jump variables (i.e. represent conditions), then a process is interference free.

Theorem 55 If a process p is described using the following signature

  F ::= d ≫ ε
      | [Pr] ≫ a
      | [V | Pr] ≫ (V′ | Pf)
      | F ⊙ F
      | F ◮ F
      | F ⊲ F
      | F ⊕ F
      | F ‖ F
      | F ⌊⌊ F
      | F | F

(where the last alternative is the communication merge), then it is interference free.

Proof The proof is straightforward using induction on the structure of p. For the base cases, we clearly find the following:

• d ≫ ε is interference free, because there are no semantic rules that generate transitions for it.
• [V | Pr] ≫ (V′ | Pf) is interference free because the only semantic rules that generate transitions for it generate flow transitions to (V′ | Pf), which in turn is interference free by a similar argument.
• [Pr] ≫ a is interference free, because (ν, ν′) |= [Pr] implies ν = ν′. Hence the action transitions that are generated by the semantical rules are all of the form ⟨[Pr] ≫ a, ν⟩ →(a,ν) ⟨ε, ν⟩.

It is easy to verify that the operators ⊙, ◮, ⊲, ⊕, etc. do not change the valuation of the data. Therefore, compositions of interference free processes lead to interference free processes. This concludes the proof. ⊠

Furthermore, freedom of interference is preserved under (initially stateless) bisimilarity.

Theorem 56 If p is interference free and p ↔ p′, then p′ is interference free.

Proof Let R be the bisimulation relation witnessing p ↔ p′. Furthermore, assume that ⟨x, ν⟩ R ⟨y, ν⟩, and that x is interference free. By definition of bisimulation, we find that for any transition ⟨y, ν⟩ →l ⟨y′, ν′⟩ there exists x′ with ⟨x, ν⟩ →l ⟨x′, ν′⟩ and ⟨x′, ν′⟩ R ⟨y′, ν′⟩. Furthermore, by definition of freedom of interference, we have that x′ is interference free, and that l = (a, ν″) implies ν = ν′ = ν″. With induction, we may conclude that y is interference free. Lastly, because ⟨p, ν⟩ R ⟨p′, ν⟩ and p is interference free, we conclude that p′ is interference free. ⊠

Finally, if we assume that a process is interference free, then the following set of deduction rules leads to a transition system that is bisimilar to the one created using the deduction rules of HyPA. This is easily verified by observing that only the action transitions have been changed, such that they no longer change the value of variables.

  ⟨ε, ν⟩ ✓                                  ⟨a, ν⟩ ↦(a,ν) ⟨ε, ν⟩

  (ν, ν′) |=r d,  ⟨x, ν′⟩ ✓                 (ν, σ) |=f c,  dom(σ) = [0, t]
  -------------------------                 ------------------------------
  ⟨d ≫ x, ν⟩ ✓                              ⟨c, ν⟩ ⇝σ ⟨c, σ(t)⟩

  (ν, ν′) |=r d,  ⟨x, ν′⟩ ⇝σ ⟨y, ν″⟩        (ν, ν′) |=r d,  ⟨x, ν⟩ ↦(a,ν) ⟨y, ν⟩
  ----------------------------------        ----------------------------------
  ⟨d ≫ x, ν⟩ ⇝σ ⟨y, ν″⟩                     ⟨d ≫ x, ν⟩ ↦(a,ν) ⟨y, ν⟩

  ⟨x0, ν⟩ ⇝σ ⟨y, ν′⟩                        ⟨x0, ν⟩ ✓                      ⟨x0, ν⟩ ↦(a,ν) ⟨y, ν⟩
  -------------------------                 -----------------              -------------------------------
  ⟨x0 ⊕ x1, ν⟩ ⇝σ ⟨y, ν′⟩                   ⟨x0 ⊕ x1, ν⟩ ✓                 ⟨x0 ⊕ x1, ν⟩ ↦(a,ν) ⟨y, ν⟩
  ⟨x1 ⊕ x0, ν⟩ ⇝σ ⟨y, ν′⟩                   ⟨x1 ⊕ x0, ν⟩ ✓                 ⟨x1 ⊕ x0, ν⟩ ↦(a,ν) ⟨y, ν⟩

  ⟨x0, ν⟩ ⇝σ ⟨y, ν′⟩                        ⟨x0, ν⟩ ✓,  ⟨x1, ν⟩ ✓          ⟨x0, ν⟩ ↦(a,ν) ⟨y, ν⟩
  -------------------------------           ---------------------          -----------------------------------
  ⟨x0 ⊙ x1, ν⟩ ⇝σ ⟨y ⊙ x1, ν′⟩              ⟨x0 ⊙ x1, ν⟩ ✓                 ⟨x0 ⊙ x1, ν⟩ ↦(a,ν) ⟨y ⊙ x1, ν⟩

  ⟨x0, ν⟩ ✓,  ⟨x1, ν⟩ ⇝σ ⟨y, ν′⟩            ⟨x0, ν⟩ ✓,  ⟨x1, ν⟩ ↦(a,ν) ⟨y, ν⟩
  ------------------------------            ----------------------------------
  ⟨x0 ⊙ x1, ν⟩ ⇝σ ⟨y, ν′⟩                   ⟨x0 ⊙ x1, ν⟩ ↦(a,ν) ⟨y, ν⟩

  ⟨x0, ν⟩ ⇝σ ⟨y, ν′⟩                        ⟨x0, ν⟩ ✓                      ⟨x0, ν⟩ ↦(a,ν) ⟨y, ν⟩
  -------------------------------           -----------------              -----------------------------------
  ⟨x0 ◮ x1, ν⟩ ⇝σ ⟨y ◮ x1, ν′⟩              ⟨x0 ◮ x1, ν⟩ ✓                 ⟨x0 ◮ x1, ν⟩ ↦(a,ν) ⟨y ◮ x1, ν⟩
  ⟨x0 ⊲ x1, ν⟩ ⇝σ ⟨y ◮ x1, ν′⟩              ⟨x0 ⊲ x1, ν⟩ ✓                 ⟨x0 ⊲ x1, ν⟩ ↦(a,ν) ⟨y ◮ x1, ν⟩

  ⟨x1, ν⟩ ⇝σ ⟨y, ν′⟩                        ⟨x1, ν⟩ ✓                      ⟨x1, ν⟩ ↦(a,ν) ⟨y, ν⟩
  -------------------------                 -----------------              -----------------------------
  ⟨x0 ◮ x1, ν⟩ ⇝σ ⟨y, ν′⟩                   ⟨x0 ◮ x1, ν⟩ ✓                 ⟨x0 ◮ x1, ν⟩ ↦(a,ν) ⟨y, ν⟩

  ⟨x0, ν⟩ ✓,  ⟨x1, ν⟩ ✓                     ⟨x0, ν⟩ ⇝σ ⟨y, ν′⟩,  ⟨x1, ν⟩ ✓
  ---------------------                     -------------------------------
  ⟨x0 ‖ x1, ν⟩ ✓                            ⟨x0 ‖ x1, ν⟩ ⇝σ ⟨y, ν′⟩
  ⟨x0 | x1, ν⟩ ✓                            ⟨x1 ‖ x0, ν⟩ ⇝σ ⟨y, ν′⟩
                                            ⟨x0 | x1, ν⟩ ⇝σ ⟨y, ν′⟩
                                            ⟨x1 | x0, ν⟩ ⇝σ ⟨y, ν′⟩

  ⟨x0, ν⟩ ⇝σ ⟨y0, ν′⟩,  ⟨x1, ν⟩ ⇝σ ⟨y1, ν′⟩             ⟨x0, ν⟩ ↦(a,ν) ⟨y, ν⟩
  ----------------------------------------            ------------------------------------
  ⟨x0 ‖ x1, ν⟩ ⇝σ ⟨y0 ‖ y1, ν′⟩                         ⟨x0 ‖ x1, ν⟩ ↦(a,ν) ⟨y ‖ x1, ν⟩
  ⟨x0 | x1, ν⟩ ⇝σ ⟨y0 ‖ y1, ν′⟩                         ⟨x1 ‖ x0, ν⟩ ↦(a,ν) ⟨x1 ‖ y, ν⟩
                                                        ⟨x0 ⌊⌊ x1, ν⟩ ↦(a,ν) ⟨y ‖ x1, ν⟩

  ⟨x0, ν⟩ ↦(a,ν) ⟨y0, ν⟩,  ⟨x1, ν⟩ ↦(a′,ν) ⟨y1, ν⟩,  a″ = a γ a′
  ----------------------------------------------------------
  ⟨x0 ‖ x1, ν⟩ ↦(a″,ν) ⟨y0 ‖ y1, ν⟩
  ⟨x0 | x1, ν⟩ ↦(a″,ν) ⟨y0 ‖ y1, ν⟩

  ⟨x, ν⟩ ↦(a,ν) ⟨y, ν⟩,  a ∉ H              ⟨x, ν⟩ ⇝σ ⟨y, ν′⟩                ⟨x, ν⟩ ✓
  ----------------------------------        --------------------------       ---------------
  ⟨∂H(x), ν⟩ ↦(a,ν) ⟨∂H(y), ν⟩              ⟨∂H(x), ν⟩ ⇝σ ⟨∂H(y), ν′⟩        ⟨∂H(x), ν⟩ ✓

For this set of deduction rules, congruence of (initially stateless) bisimilarity for parallel composition is easily verified using the format of [Mousavi et al., 2004].

Theorem 57 Let x and y be interference free. Then x ≈ x′ and y ≈ y′ implies x ‖ y ≈ x′ ‖ y′, and similarly for ⌊⌊ and |.

Proof Recall that x and y are interference free. Because interference freedom is preserved by bisimilarity, we find that x′ and y′ are also interference free. For interference free processes, we may use the deduction rules that are stated above, on which the congruence format of [Mousavi et al., 2004] applies for (initially stateless) bisimilarity. This concludes the proof. ⊠

Samenvatting (Summary)

The increasing use of software in all kinds of systems, such as the computer-controlled regulation of a car engine or the central processing of measurement data in a chemical plant, poses a new challenge in the design of such systems. For such systems, which we call hybrid systems, to work properly, it is important that the software design and the mechanical, electrical or chemical design of the system (the physical design, for short) are attuned to each other. A major problem here is the difference in the level of abstraction used by designers of software and designers of physical systems. An electrical engineer, for example, will think about the electric currents and charges in a microprocessor, whereas a computer scientist interprets those currents and charges as data in a database. This difference in abstraction level manifests itself not only in a different way of thinking but also in the different kinds of mathematical models used by designers of software and designers of physical systems.

In this thesis a mathematical formalism is developed in which both the mathematical models used by designers of software and the mathematical models used by designers of physical systems can be expressed. More importantly, combined models can also be described and analysed. These combined models are called hybrid models or hybrid processes. The mathematical formalism is called hybrid process algebra (HyPA for short).

This thesis consists of two parts. The first part sets out the details that matter when developing a new mathematical formalism. Furthermore, it is substantiated with mathematical proofs that the formalism is indeed an extension of both the formalisms used by designers of software and the formalisms used by designers of physical systems. The second part looks more closely at the way hybrid models can be built up and at the various forms in which hybrid models can be represented. An important role here is played by the so-called constitutive hybrid processes, which form a generalisation of the constitutive equations that designers of physical systems use in their models. Furthermore, use is made of linear hybrid processes, which form a generalisation of the linear processes used in computer science for the analysis of software systems. Finally, in the second part of this thesis two case studies are carried out in which the analysis of so-called safety properties of hybrid processes is central. Safety properties describe possibly undesired behaviour of a system, and analysis must prove that this behaviour does not occur in a proposed design. For a variant of Fischer's protocol, known from the literature, it is proven that two processes participating in the protocol will never try to use a certain resource at the same time. For a model of a placement robot for electronic components, such as those built by Assembleon, it is proven that the force exerted on the placed components is never so large that they could break.

Curriculum Vitae

Pieter Cuijpers was born on the 4th of July 1967 in Helden-Dorp. In 1994 he graduated from the atheneum of the Bouwens van der Boije-College in Helden-Panningen. From 1994 till 2000 he studied Information Technology at the department of Electrical Engineering of the Technische Universiteit Eindhoven in Eindhoven. His master's thesis is titled 'A Comparison of Tableau Algorithms' and focuses on automata theory and the verification of temporal logic formulas. Subsequently, he worked as a PhD student, first at the Eindhoven Embedded Systems Institute and later at the department of Computing Science of the Technische Universiteit Eindhoven. The research project in which this took place was called 'Analysis and synthesis of embedded systems with discrete and continuous control', was funded by PROGRESS-STW, and led, among other things, to several publications at international conferences and in journals, and to this thesis. Pieter lives in Eindhoven with his wife Ingrid and his daughter Marieke.

Titles in the IPA Dissertation Series

J.O. Blanco. The State Operator in Process Algebra. Faculty of Mathematics and Computing Science, TUE. 1996-01
A.M. Geerling. Transformational Development of Data-Parallel Algorithms. Faculty of Mathematics and Computer Science, KUN. 1996-02
P.M. Achten. Interactive Functional Programs: Models, Methods, and Implementation. Faculty of Mathematics and Computer Science, KUN. 1996-03
M.G.A. Verhoeven. Parallel Local Search. Faculty of Mathematics and Computing Science, TUE. 1996-04
M.H.G.K. Kesseler. The Implementation of Functional Languages on Parallel Machines with Distrib. Memory. Faculty of Mathematics and Computer Science, KUN. 1996-05
D. Alstein. Distributed Algorithms for Hard Real-Time Systems. Faculty of Mathematics and Computing Science, TUE. 1996-06
J.H. Hoepman. Communication, Synchronization, and Fault-Tolerance. Faculty of Mathematics and Computer Science, UvA. 1996-07
H. Doornbos. Reductivity Arguments and Program Construction. Faculty of Mathematics and Computing Science, TUE. 1996-08
D. Turi. Functorial Operational Semantics and its Denotational Dual. Faculty of Mathematics and Computer Science, VUA. 1996-09
A.M.G. Peeters. Single-Rail Handshake Circuits. Faculty of Mathematics and Computing Science, TUE. 1996-10
N.W.A. Arends. A Systems Engineering Specification Formalism. Faculty of Mechanical Engineering, TUE. 1996-11
P. Severi de Santiago. Normalisation in Lambda Calculus and its Relation to Type Inference. Faculty of Mathematics and Computing Science, TUE. 1996-12
D.R. Dams. Abstract Interpretation and Partition Refinement for Model Checking. Faculty of Mathematics and Computing Science, TUE. 1996-13
M.M. Bonsangue. Topological Dualities in Semantics. Faculty of Mathematics and Computer Science, VUA. 1996-14
B.L.E. de Fluiter. Algorithms for Graphs of Small Treewidth. Faculty of Mathematics and Computer Science, UU. 1997-01
W.T.M. Kars. Process-algebraic Transformations in Context. Faculty of Computer Science, UT. 1997-02
P.F. Hoogendijk. A Generic Theory of Data Types. Faculty of Mathematics and Computing Science, TUE. 1997-03
T.D.L. Laan. The Evolution of Type Theory in Logic and Mathematics. Faculty of Mathematics and Computing Science, TUE. 1997-04
C.J. Bloo. Preservation of Termination for Explicit Substitution. Faculty of Mathematics and Computing Science, TUE. 1997-05
J.J. Vereijken. Discrete-Time Process Algebra. Faculty of Mathematics and Computing Science, TUE. 1997-06
F.A.M. van den Beuken. A Functional Approach to Syntax and Typing. Faculty of Mathematics and Informatics, KUN. 1997-07
A.W. Heerink. Ins and Outs in Refusal Testing. Faculty of Computer Science, UT. 1998-01
G. Naumoski and W. Alberts. A Discrete-Event Simulator for Systems Engineering. Faculty of Mechanical Engineering, TUE. 1998-02
J. Verriet. Scheduling with Communication for Multiprocessor Computation. Faculty of Mathematics and Computer Science, UU. 1998-03
J.S.H. van Gageldonk. An Asynchronous Low-Power 80C51 Microcontroller. Faculty of Mathematics and Computing Science, TUE. 1998-04
A.A. Basten. In Terms of Nets: System Design with Petri Nets and Process Algebra. Faculty of Mathematics and Computing Science, TUE. 1998-05
E. Voermans. Inductive Datatypes with Laws and Subtyping – A Relational Model. Faculty of Mathematics and Computing Science, TUE. 1999-01
H. ter Doest. Towards Probabilistic Unification-based Parsing. Faculty of Computer Science, UT. 1999-02
J.P.L. Segers. Algorithms for the Simulation of Surface Processes. Faculty of Mathematics and Computing Science, TUE. 1999-03
C.H.M. van Kemenade. Recombinative Evolutionary Search. Faculty of Mathematics and Natural Sciences, UL. 1999-04
E.I. Barakova. Learning Reliability: a Study on Indecisiveness in Sample Selection. Faculty of Mathematics and Natural Sciences, RUG. 1999-05
M.P. Bodlaender. Scheduler Optimization in Real-Time Distributed Databases. Faculty of Mathematics and Computing Science, TUE. 1999-06
M.A. Reniers. Message Sequence Chart: Syntax and Semantics. Faculty of Mathematics and Computing Science, TUE. 1999-07
J.P. Warners. Nonlinear approaches to satisfiability problems. Faculty of Mathematics and Computing Science, TUE. 1999-08
J.M.T. Romijn. Analysing Industrial Protocols with Formal Methods. Faculty of Computer Science, UT. 1999-09
P.R. D'Argenio. Algebras and Automata for Timed and Stochastic Systems. Faculty of Computer Science, UT. 1999-10
G. Fábián. A Language and Simulator for Hybrid Systems. Faculty of Mechanical Engineering, TUE. 1999-11
J. Zwanenburg. Object-Oriented Concepts and Proof Rules. Faculty of Mathematics and Computing Science, TUE. 1999-12
R.S. Venema. Aspects of an Integrated Neural Prediction System. Faculty of Mathematics and Natural Sciences, RUG. 1999-13
J. Saraiva. A Purely Functional Implementation of Attribute Grammars. Faculty of Mathematics and Computer Science, UU. 1999-14
R. Schiefer. Viper, A Visualisation Tool for Parallel Program Construction. Faculty of Mathematics and Computing Science, TUE. 1999-15
K.M.M. de Leeuw. Cryptology and Statecraft in the Dutch Republic. Faculty of Mathematics and Computer Science, UvA. 2000-01
T.E.J. Vos. UNITY in Diversity. A stratified approach to the verification of distributed algorithms. Faculty of Mathematics and Computer Science, UU. 2000-02
W. Mallon. Theories and Tools for the Design of Delay-Insensitive Communicating Processes. Faculty of Mathematics and Natural Sciences, RUG. 2000-03
W.O.D. Griffioen. Studies in Computer Aided Verification of Protocols. Faculty of Science, KUN. 2000-04
P.H.F.M. Verhoeven. The Design of the MathSpad Editor. Faculty of Mathematics and Computing Science, TUE. 2000-05
J. Fey. Design of a Fruit Juice Blending and Packaging Plant. Faculty of Mechanical Engineering, TUE. 2000-06
M. Franssen. Cocktail: A Tool for Deriving Correct Programs. Faculty of Mathematics and Computing Science, TUE. 2000-07
P.A. Olivier. A Framework for Debugging Heterogeneous Applications. Faculty of Natural Sciences, Mathematics and Computer Science, UvA. 2000-08
E. Saaman. Another Formal Specification Language. Faculty of Mathematics and Natural Sciences, RUG. 2000-10
M. Jelasity. The Shape of Evolutionary Search Discovering and Representing Search Space Structure. Faculty of Mathematics and Natural Sciences, UL. 2001-01
R. Ahn. Agents, Objects and Events a computational approach to knowledge, observation and communication. Faculty of Mathematics and Computing Science, TU/e. 2001-02
M. Huisman. Reasoning about Java programs in higher order logic using PVS and Isabelle. Faculty of Science, KUN. 2001-03
I.M.M.J. Reymen. Improving Design Processes through Structured Reflection. Faculty of Mathematics and Computing Science, TU/e. 2001-04
S.C.C. Blom. Term Graph Rewriting: syntax and semantics. Faculty of Sciences, Division of Mathematics and Computer Science, VUA. 2001-05
R. van Liere. Studies in Interactive Visualization. Faculty of Natural Sciences, Mathematics and Computer Science, UvA. 2001-06
A.G. Engels. Languages for Analysis and Testing of Event Sequences. Faculty of Mathematics and Computing Science, TU/e. 2001-07
J. Hage. Structural Aspects of Switching Classes. Faculty of Mathematics and Natural Sciences, UL. 2001-08
M.H. Lamers. Neural Networks for Analysis of Data in Environmental Epidemiology: A Case-study into Acute Effects of Air Pollution Episodes. Faculty of Mathematics and Natural Sciences, UL. 2001-09
T.C. Ruys. Towards Effective Model Checking. Faculty of Computer Science, UT. 2001-10
D. Chkliaev. Mechanical verification of concurrency control and recovery protocols. Faculty of Mathematics and Computing Science, TU/e. 2001-11
M.D. Oostdijk. Generation and presentation of formal mathematical documents. Faculty of Mathematics and Computing Science, TU/e. 2001-12
A.T. Hofkamp. Reactive machine control: A simulation approach using χ. Faculty of Mechanical Engineering, TU/e. 2001-13
D. Bošnački. Enhancing state space reduction techniques for model checking. Faculty of Mathematics and Computing Science, TU/e. 2001-14
M.C. van Wezel. Neural Networks for Intelligent Data Analysis: theoretical and experimental aspects. Faculty of Mathematics and Natural Sciences, UL. 2002-01
V. Bos and J.J.T. Kleijn. Formal Specification and Analysis of Industrial Systems. Faculty of Mathematics and Computer Science and Faculty of Mechanical Engineering, TU/e. 2002-02
T. Kuipers. Techniques for Understanding Legacy Software Systems. Faculty of Natural Sciences, Mathematics and Computer Science, UvA. 2002-03
S.P. Luttik. Choice Quantification in Process Algebra. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2002-04
R.J. Willemen. School Timetable Construction: Algorithms and Complexity. Faculty of Mathematics and Computer Science, TU/e. 2002-05
M.I.A. Stoelinga. Alea Jacta Est: Verification of Probabilistic, Real-time and Parametric Systems. Faculty of Science, Mathematics and Computer Science, KUN. 2002-06
N. van Vugt. Models of Molecular Computing. Faculty of Mathematics and Natural Sciences, UL. 2002-07
A. Fehnker. Citius, Vilius, Melius: Guiding and Cost-Optimality in Model Checking of Timed and Hybrid Systems. Faculty of Science, Mathematics and Computer Science, KUN. 2002-08
R. van Stee. On-line Scheduling and Bin Packing. Faculty of Mathematics and Natural Sciences, UL. 2002-09
D. Tauritz. Adaptive Information Filtering: Concepts and Algorithms. Faculty of Mathematics and Natural Sciences, UL. 2002-10
M.B. van der Zwaag. Models and Logics for Process Algebra. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2002-11
J.I. den Hartog. Probabilistic Extensions of Semantical Models. Faculty of Sciences, Division of Mathematics and Computer Science, VUA. 2002-12
L. Moonen. Exploring Software Systems. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2002-13
J.I. van Hemert. Applying Evolutionary Computation to Constraint Satisfaction and Data Mining. Faculty of Mathematics and Natural Sciences, UL. 2002-14
S. Andova. Probabilistic Process Algebra. Faculty of Mathematics and Computer Science, TU/e. 2002-15
Y.S. Usenko. Linearization in µCRL. Faculty of Mathematics and Computer Science, TU/e. 2002-16
J.J.D. Aerts. Random Redundant Storage for Video on Demand. Faculty of Mathematics and Computer Science, TU/e. 2003-01
M. de Jonge. To Reuse or To Be Reused: Techniques for component composition and construction. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2003-02
J.M.W. Visser. Generic Traversal over Typed Source Code Representations. Faculty of Natural Sciences, Mathematics, and Computer Science, UvA. 2003-03
S.M. Bohte. Spiking Neural Networks. Faculty of Mathematics and Natural Sciences, UL. 2003-04
T.A.C. Willemse. Semantics and Verification in Process Algebras with Data and Timing. Faculty of Mathematics and Computer Science, TU/e. 2003-05
S.V. Nedea. Analysis and Simulations of Catalytic Reactions. Faculty of Mathematics and Computer Science, TU/e. 2003-06
M.E.M. Lijding. Real-time Scheduling of Tertiary Storage. Faculty of Electrical Engineering, Mathematics & Computer Science, UT. 2003-07
H.P. Benz. Casual Multimedia Process Annotation – CoMPAs. Faculty of Electrical Engineering, Mathematics & Computer Science, UT. 2003-08
D. Distefano. On Modelchecking the Dynamics of Object-based Software: a Foundational Approach. Faculty of Electrical Engineering, Mathematics & Computer Science, UT. 2003-09
M.H. ter Beek. Team Automata – A Formal Approach to the Modeling of Collaboration Between System Components. Faculty of Mathematics and Natural Sciences, UL. 2003-10
D.J.P. Leijen. The λ Abroad – A Functional Approach to Software Components. Faculty of Mathematics and Computer Science, UU. 2003-11
W.P.A.J. Michiels. Performance Ratios for the Differencing Method. Faculty of Mathematics and Computer Science, TU/e. 2004-01
G.I. Jojgov. Incomplete Proofs and Terms and Their Use in Interactive Theorem Proving. Faculty of Mathematics and Computer Science, TU/e. 2004-02
P. Frisco. Theory of Molecular Computing – Splicing and Membrane systems. Faculty of Mathematics and Natural Sciences, UL. 2004-03
S. Maneth. Models of Tree Translation. Faculty of Mathematics and Natural Sciences, UL. 2004-04
Y. Qian. Data Synchronization and Browsing for Home Environments. Faculty of Mathematics and Computer Science and Faculty of Industrial Design, TU/e. 2004-05
F. Bartels. On Generalised Coinduction and Probabilistic Specification Formats. Faculty of Sciences, Division of Mathematics and Computer Science, VUA. 2004-06
L. Cruz-Filipe. Constructive Real Analysis: a Type-Theoretical Formalization and Applications. Faculty of Science, Mathematics and Computer Science, KUN. 2004-07
E.H. Gerding. Autonomous Agents in Bargaining Games: An Evolutionary Investigation of Fundamentals, Strategies, and Business Applications. Faculty of Technology Management, TU/e. 2004-08
N. Goga. Control and Selection Techniques for the Automated Testing of Reactive Systems. Faculty of Mathematics and Computer Science, TU/e. 2004-09
M. Niqui. Formalising Exact Arithmetic: Representations, Algorithms and Proofs. Faculty of Science, Mathematics and Computer Science, RU. 2004-10
A. Löh. Exploring Generic Haskell. Faculty of Mathematics and Computer Science, UU. 2004-11
I.C.M. Flinsenberg. Route Planning Algorithms for Car Navigation. Faculty of Mathematics and Computer Science, TU/e. 2004-12
R.J. Bril. Real-time Scheduling for Media Processing Using Conditionally Guaranteed Budgets. Faculty of Mathematics and Computer Science, TU/e. 2004-13
J. Pang. Formal Verification of Distributed Systems. Faculty of Sciences, Division of Mathematics and Computer Science, VUA. 2004-14
F. Alkemade. Evolutionary Agent-Based Economics. Faculty of Technology Management, TU/e. 2004-15
E.O. Dijk. Indoor Ultrasonic Position Estimation Using a Single Base Station. Faculty of Mathematics and Computer Science, TU/e. 2004-16
S.M. Orzan. On Distributed Verification and Verified Distribution. Faculty of Sciences, Division of Mathematics and Computer Science, VUA. 2004-17
M.M. Schrage. Proxima - A Presentation-oriented Editor for Structured Documents. Faculty of Mathematics and Computer Science, UU. 2004-18
E. Eskenazi and A. Fyukov. Quantitative Prediction of Quality Attributes for Component-Based Software Architectures. Faculty of Mathematics and Computer Science, TU/e. 2004-19
P.J.L. Cuijpers. Hybrid Process Algebra. Faculty of Mathematics and Computer Science, TU/e. 2004-20