The ϕ-calculus: an extension of the π-calculus

to hybrid systems 1

William C. Rounds 2 Hosung Song

CSE Division, EECS DepartmentUniversity of Michigan

Ann Arbor, MI 48109, USA

Abstract

We propose a simple method for integrating process-algebraic techniques – specif-ically, the π-calculus – with hybrid automaton-based techniques, so that one canuse the integrated theory to specify the semantics of programming languages forconcurrent and reconfigurable hybrid systems.

1 Introduction

Embedded systems are software systems which reside in a physical environment and mustreact with that environment in real time. The problem of designing such systems in a prin-cipled way is one which has become increasingly important as computational technology hasbeen integrated into physical systems. In this paper we begin to address this problem bydrawing on research traditions from computer science and control theory for the long-rangepurpose of making a mathematical model of embedded software systems. The theory of pro-cess algebras has been extensively developed within computer science, to the point wherecontrol of distributed processes is well-understood, even to the point where these processesare mobile (reconfigurable). Similarly, there is now a large body of work on the topic of hybridsystems: automaton-based techniques for specifying discrete control of continuous processes.Recently, this work has been extended to proposed programming languages for specifying

Email addresses: rounds@umich.edu (William C. Rounds), hosungs@eecs.umich.edu (HosungSong).1 Revised and extended version of a preliminary report appearing in Proceedings of the Interna-tional Workshop on Hybrid Systems, Computation, and Control, 2003.2 Research supported by US NSF Grant EHS-0233960.

Preprint submitted to Elsevier Science 30 July 2004

distributed control of hybrid systems [1],[12]. Our work is in this latter direction: the ϕ-calculus is a hybrid extension of Milner’s π-calculus [20] which allows processes to interactwith continuous environments. We choose the π-calculus to extend to the hybrid settingbecause it has already been shown to be a rich language in which many interesting discreteconcurrent phenomena can be expressed: a language for, and theory of, communicating pro-cesses which can reconfigure themselves; a language in which distributed objects and classescan be defined; and a language and theory capable not only of expressing communication,but arbitrary computation, in that the λ-calculus of Church can be translated into it. This allsuggests that successful hybrid versions of the π-calculus and other process calculi will havenovel and elegant ways of expressing hybrid systems – possibilities for distributed controlwhich would be awkward, if not impossible, to express in current formalisms.

The key idea in the present paper involves adding an explicit formal model of the activecontinuous (physical) environment to an algebraic process description, and adding “envi-ronmental actions” (ρ-actions) to processes which allow them to explicitly manipulate theirenvironment. We define an embedded (hybrid) system as a pair (E, P ), where E is an envi-ronment and P is a hybrid process expression. An embedded system evolves (i) by meansof ordinary actions of the π-calculus, which change only the process expression, (ii) by flowactions, which change only the environment continuously, or (iii) by ρ-actions, which changeboth the environment and a process expression discretely.

The power of this idea can be seen by noting that Petri nets, in many of their flavors, arebut simple special cases of embedded systems, where (in the standard flavor) a process isa parallel composition of net transitions, and an environment is a marking of the places;firing a transition is a ρ-action. This example suggests that environments can be of arbitrarytypes, each possessing interesting ways of interacting with concurrent algebraically specifiedsystems of processes. Mathematically speaking, basic actions of a hybrid process are (possiblynondeterministic) actions of two monoids on a cartesian product of sets, with constraintsrestricting arbitrarily free combinations of actions. In the ϕ-calculus, the two monoids are themonoid consisting of real time segments, constrained (as in hybrid automata) by differentialequations and flow regions, and the monoid of strings of ρ and π-action names, constrainedby process expressions. We have used structural operational semantics to specify both time-transitions and discrete actions of an embedded system. In this sense, we have a compositionalsemantics for our system, because structural operational semantics defines the transitions ofany system in terms of the transitions of its components.

2 Plan of paper

We begin by reviewing previous work on hybrid systems, and some work on process-algebraicsystems with timed behavior. Most of this review is concentrated on hybrid systems work

2

which is focused towards integration with programming. We do not focus on work on thecontrol theory side of hybrid systems having more to do with differential equations, and wealso do not consider work on programming languages with real-time behavior.

We start by introducing an extension of Milner’s CCS, as is done in [20]. This version,called CCS+, introduces environments in the form of simple stores. CCS+ programs interactwith their stores not by value-passing, as in [19], but by name-passing. The names passedare merely identifiers pointing to locations in storage. The state of the storage, which werename as the environment, is a finite valuation: a mapping from a finite subset of the setof environment names to (say) real values.

A process interacts with the environment by means of ordinary assignment statements, whichmay be guarded by predicates defined on the store. These assignment statements are exam-ples of environmental actions, or ρ-actions. They occur as action prefixes before processes.Recursive processes are treated using the replication construct originally introduced in theπ-calculus.

Having prepared the ground, we then show how to activate the environment. This involvesa new class of names, a “dotted name” x corresponding to a name x of a storage location.Values corresponding to the dotted names are C1[Rn] functions: continuously differentiablefunctions of n real variables. A valuation on the dotted names denotes a vector field in theobvious way. If all of the names involved have proper values, the environment may evolve overtime. We introduce a new class of transitions, called time-transitions, to specify evolutionof the environment. We also allow assignment statements for the dotted names; this allowsus to model the guards and reset actions of hybrid automata. At this stage we add a newcomponent to the environment: the invariant specification. This is a collection of constraintswhich must be satisfied by the current state in order for time-transitions to be allowed.Assignment statements are provided which update the invariant constraints. The languageobtained is called Hybrid CCS+ (HCCS+). It is a simple matter to extend HCCS+ to thefull ϕ-calculus. All we need to do is to allow both environment names and channel names tobe passed over channels.

Our main results concern bisimulation. We give strict but natural definitions of both strongand weak bisimulations on process expressions, and consider what it means to have bisim-ulation be a congruence. This question makes sense only if we interpret it correctly in thepresence of active environments. We define bisimulations on the process-algebraic side, with-out respect to environments, and then show that these bisimulations can be extended tohybrid bisimulations when a process is embedded in a flowing environment. To do this inthe case of weak bisimulations, we have to make a change in the way environmental flowsare defined.

In the penultimate section of the paper, we show by example how to translate Klavinsand Koditschek’s threaded Petri nets into the ϕ-calculus, using a ϕ-calculus version of their

3

robotic bucket brigade. This example shows mobility and recursion to good advantage. (Gen-eral details of the translation appear in an appendix.)

A final section gives conclusions and directions for more research.

3 Other work

There is already a body of research on the process-algebraic treatment of (some) hybridphenomena. Timed CSP [25], for example, is a well-known language in which an algebraicstructure theory of timed processes is presented, and made into a specification-oriented pro-gramming language allowing various parallel and sequential compositions of processes, to-gether with primitive timeout and interrupt operators on processes for altering real-time be-havior. One can view this language as incorporating timed automata into a process-algebraicframework, with the significant addition of recursive definition capabilities. Moreover, thelanguage has a fully compositional semantics based on the extension of “failures” [3] to thetimed case. Unfortunately, it is not clear how to extend the expressiveness of this languageto the hybrid case, where the continuous behavior of a system can follow control laws pre-scribed by arbitrary ordinary differential equations, not just (implicit) equations describingthe behavior of clocks.

Kosecka’s thesis [16] contains a proposal for structured programming which starts by as-suming a collection of basic low-level robot controllers (as, for example in Khatib [14] orRimon and Koditschek [22].) These controllers are composed into expressions using variousautomata-theoretic operations. This idea is essentially what we have in mind for composingprocesses in our setting, but crucially, the behavior of the continuous environment is notreally represented.

Ordinary hybrid automata as in Henzinger [11], on the other hand, explicitly represent thecontinuous environment by means of associating a controller (differential equation, differen-tial inclusion) with each state (control mode) of a finite automaton. Events trigger jumpsfrom one control mode to another. There is, moreover, a general “parallel composition” op-erator for combining these automata, but no syntax is presented for a language which wouldallow program expressions.

Another approach to timed and hybrid distributed system design is via the I-O automataof Lynch and Tuttle [18]. The original work has been extended in many ways, notably to aprocess-algebraic version [26] and to the hybrid case [17]. Moreover, I-O automata have beenused as the formal foundation for a distributed programming language [7]; this includes anextension to timed, but not hybrid versions. In this research vein, careful attention is paid toformal semantics, using a combination of techniques, including simulation notions. However,a structural operational semantics is lacking in this work.

4

Two languages which support both hybrid dynamics and algebraic process structuring areCharon [1] and Masaccio [12]. These languages are both outgrowths of earlier models forreactive discrete systems [2]. At this point they both lack a full name-passing capability, anda capacity for recursive instantiation, though they do support abstraction (variable hiding).There has been a proposal as well for hybrid CSP [13]. We plan to investigate this connectionmore thoroughly.

A very different approach to the problem of integrating a full programming language withcontinuous dynamical systems is taken by the language HybridCC [9]. This is a constraintprogramming language which extends earlier languages in the cc paradigm to the continu-ous setting. There are many similarities in this model to the ϕ-calculus, in that continuousconstraints can be “posted” to the store by parallel agents. These constraints include bothdifferential equations and “invariant regions”, a feature of hybrid automata. The store of Hy-bridCC is much like the environment in the ϕ-calculus. However, there is no explicit provisionfor mobile agents in this language, even though some mobile systems can be represented. Aprecise comparison is beyond the scope of this paper.

Klavins and Koditschek’s work on threaded Petri nets [15] is another starting point for ourresearch. This model of distributed hybrid systems uses the places of a Petri net to hold a setof continuous variables as tokens. This model has interesting applications to robotic assemblyproblems in factory settings. Moreover, it can be used for large-scale problems without stateexplosion, since the Petri net keeps interactions local. We translate this model explicitly intothe ϕ-calculus. We suspect that other Petri net models (timed Petri nets [8], hybrid Petrinets [5]) will be easily represented in our framework, but do not investigate this here.

4 CCS+

4.1 Syntax

We begin by introducing an extension to CCS which provides for passing parameters by nameinstead of by value. The names point to values in a separate storage, called the environment.The names are passed along channels from one process to another. There are facilities forcreating new channels (as in CCS) and also new storage names. We follow Milner’s presen-tation in [20], which uses abstractions and concretions at the cost of a more complex syntaxthan is found in [24], the standard reference on the π-calculus.

In the following grammar the names a, b, . . . are channel names drawn from a fixed set, andthe names x, y, . . . are environment names drawn from another disjoint set. The notation ~x

5

stands for an ordered set of environment names.

P ::= 0∣∣∣ S

∣∣∣ νxP∣∣∣ νaP

∣∣∣ (P | P )∣∣∣ !P (processes)

S ::= τ.P∣∣∣ [γ → ~x := e].P

∣∣∣ aF∣∣∣ aC

∣∣∣ (S + S) (sums)

C ::= (ν~y)〈 ~x 〉P where ~y ⊆ ~x (concretions)

F ::= (~x)P (abstractions)

A ::= F∣∣∣ C (agents).

In this grammar, γ is a predicate, defined in some standard syntax, over environment namesas ordinary variables, and e is a vector of arithmetic expressions, again defined in standardsyntax for expressions. The difference between this and a standard grammar for CCS liesin the constructs νxP and [γ → ~x := e].P . These are guarded assignment statements, orenvironmental actions, or (for short) ρ-actions.

Abstractions combine with concretions during reaction steps: the x names are passed fromone process to another at this time. In a concretion, we prefix ν~y to 〈 ~x 〉P to be able toexport local names to another process. The other process can cooperate with the process Pin private, using the local name that P is using.

The terms of CCS+ are subject to the usual relation of structural congruence; the smallestcongruence relation ≡ on process terms obeying the following conditions:

• If Pand Q are α-equivalent, then P ≡ Q.• The associative and commutative laws for +.• The same for |.• P | 0 ≡ P .• νx(P | Q) ≡ P | νxQ, provided x does not occur free in P .• νx0 ≡ 0; νxνyP ≡ νyνxP .• The same for (νa)(νb)P ; in fact for mixtures of νa and νx.• !P ≡ P | !P.

Example 4.1 Consider the definition

P ::= a〈x0, y0 〉b(z)c〈 z 〉.0

where P sends the names x0 and y0 together on channel a to some process Q, and receives aname z back on channel b. It then sends that name somewhere else on channel c. The processQ might be

Q ::= a(x, y)νz[z := x ∗ y].b〈 z 〉.0which receives the pair (x, y) of names, creates a local variable z, and stores the product ofx and y into it. Then it sends the name z back to P on channel b.

6

2

4.2 Semantics

The dynamics of CCS and the π-calculus is given by the reaction relation; but to prepare forthis, one needs the notion of commitments. In CCS+ we also have a changing environmentbecause of the assignment statements and creation of new environment names. We focus oncommitments, and define reactions in terms of them. Our first task is (following Milner) toextend the νx and | operations to include agents.

Definition 4.2 (Extended | and ν)) We define A | Q for A (agents) either abstractionsor concretions, and Q a process.

• For abstractions define ((~x)P ) | Q = (~x)(P | Q). Here we need to assume that ~x do notoccur free in Q, so we must change bound variables in (~x)P as necessary.• For concretions, define (ν~y〈 ~x 〉P ) | Q = ν~y〈 ~x 〉(P | Q). Here change any bound ys that

clash with a free y in Q.• Define νa(~x)P = (~x)νaP , and νx(~y)P = (~y)νxP , where we again change any bound

occurrence of x in the ys not to conflict with the x in νx. This handles abstractions.• For concretions, we put

νzν~y〈 ~x 〉P =

νz~y〈 ~x 〉P if z ∈ ~x;

ν~y〈 ~x 〉νzP otherwise

and

νaν~y〈 ~x 〉P = ν~y〈 ~x 〉νaP.

2

Definition 4.3 (Commitments) In the following, E is an environment: a map from afinite subset of the environment names to values in some prespecified set, which we can taketo be R. As usual, P is a process expression, and A is an agent. We will refer later to the

7

pair (E, P ) as an embedded system.

Guarded assignment: (E, ρ.P )ρ→ (E[~x← [[e]] ], P ) where ρ = [γ → ~x := e] and E |= γ.

Tau: (E, τ.P )τ→ (E, P );

Commitment to agent: (E, αA)α→ (E, A) where α ∈ {a, a}

Sum:(E, S)

α→ (E ′, A)

(E, S + T )α→ (E ′, A)

;

Parallel:(E, P )

α→ (E ′, A)

(E, (P | Q))α→ (E ′, (A | Q))

;

Fresh local environment name: (E, νzP )τ→ (E, P [z ← z0]) where z0 is fresh in E and P ;

Local channel:(E, P )

α→ (E ′, A)

(E, νaP )α→ (E ′, νaA)

where α /∈ {a, a};

Local environment name:(E, P )

α→ (E ′, A)

(E, νzP )α→ (E ′, νzA)

where α is not an assignment to z;

Reaction:(E, P )

a→ (E, ν~y〈~x〉.P ′) (E, Q)a→ (E, (~w).Q′)

(E, (P | Q)τ→ (E, ν~y(P ′ | Q′[~w ← ~x]))

where |~x| = |~w|;

Replication:(E, (P |!P ))

α→ (E ′, A)

(E, !P )α→ (E ′, A)

.

2

Example 4.4 Continuing with Example 4.1, we exhibit the commitments of (E, P | Q),where E is the environment having x0 = 10 and y0 = 2, and E ′ has also z0 = 20. We firstnotice

(E, P | Q)a→ (E, 〈x0, y0 〉.b(z)c〈 z 〉.0 | Q); and

(E, P | Q)a→ (E, P | (x, y).νz[z := x ∗ y].b〈 z 〉.0)

Hence by Reaction

(E, P | Q)τ→ (E, b(z)c〈 z 〉.0 | νz[z := x0 ∗ y0].b〈 z 〉.0)τ→ (E, b(z)c〈 z 〉.0 | [z0 := x0 ∗ y0].b〈 z0 〉.0)

[z0:=x0∗y0]→ (E ′, b(z)c〈 z 〉.0 | b〈 z0 〉.0)τ→ (E ′, c〈 z0 〉.0 | 0) ≡ (E ′, c〈 z0 〉).0.

2

There are in fact two sorts of reactions : the usual τ -reaction between two processes, and theassignment statement, between a process and the environment. In this situation the processcontrols the passive environment, but we will soon animate the environment itself. Before

8

we do this, though, we consider an important class of examples in CCS+:

Example 4.5 (Petri nets) Consider a Petri net N with place set P , and transition set{t1, . . . tk}. We consider markings m of the net where a place can contain any nonnegativeinteger, and where a transition can fire if all of its input places are positive. Firing is a vectoroperation which subtracts 1 from each input place and adds 1 to each output place. (Thisis again just for definiteness.) Let vt be the vector representing the difference of these twovectors: vt should be added to a marking m by transition t to achieve the new marking.Then for each transition t we describe a CCS+ process Qt which will manipulate markingsas environments:

Qt ::= [min(t) > 0→ m := m + vt].Qt

where min(t) is the subvector of the marking m which is indexed by the input places for thetransition t. The whole Petri net is then just the composition

Qt1 | . . . | Qtk

run in the environment of the initial marking. Here we use a common form of recursivedefinition (Q ::= P (Q)), which can be translated into the official syntax of CCS+ using themethod in [20, p. 95]. We quote this method further on in Section 6.

2

We note that name-passing is not needed in this example. This suggests that a more sophis-ticated form of Petri net might also be representable: a form where the tokens have uniquenames and where token-passing turns into name-passing. We return to this idea later on.

5 Adding time and flows

In this section the environment acquires its own dynamics. This is accomplished by havinga new class of names x, each dotted name corresponding to an undotted one.

An environment now has two valuations. The first maps a finite set of names to real values asbefore. The second maps a finite set of dotted names to arithmetic expressions over ordinarynames. Such a valuation represents a vector field, or ordinary differential equation. There isalso a third component: a finite set of predicates in ordinary and dotted names. This finiteset is called the set of invariant predicates. When the environment can flow according to itsvector field, the flow must remain in the intersection of all these invariant sets.

9

Example 5.1 Here is a sample environment:x : 1.5, y : 0

x : x− y − x3, y : x + y − y3

{{(x, y) | (x ≥ 0) ∧ (1 ≤√

x2 + y2 ≤√

2)}}

.

2

Definition 5.2 (Environments) An environment is a triple E = (q, f, i), where (i) q is avaluation from a finite subset V of X, the set of environment names, to R; (ii) f is a valuationfrom V ⊆ X to C1[RU ], the set of continuously differentiable functions from RU to R, whereU ⊇ V is again a finite set of names 3 . We say that f is closed in case U = V . (iii) i is afinite set of predicates on RV .

2

The syntax of processes must take into account guarded assignments involving dotted names.

Definition 5.3 (Guards and resets) A guarded assignment is an expression [γ → x :=e; x := e; ϕ], where (i) γ is a predicate expression in the variables X and X; (ii) x := e is anassignment as before; (iii) x := f is an assignment of a new function fto x (f is given as anarithmetic expression in the variables X and X); and (iv) ϕ is a new predicate to replacecertain predicates in the current invariant i. By convention, if we omit a guard, then it istaken to be the “always true” predicate, and if we omit any or all assignments, they aretaken to be “no-op” actions.

2

Example 5.4 Here is an example involving dotted variables. When a car’s velocity is posi-tive, a clock is initialized to 10, and then decreases to zero, after which the fuel is shut off.Letting x and x refer to the position and velocity of the car, q and q refer to the clock, andp and p to the gas, we may write

νq[x > 0→ q := 10; q := −1; {q > 0}].[q = 0→ p := 0].0.

Run in an environment where x > 0, the first statement creates the clock and sets its initialvalue and its rate of decrease. It also initializes the invariant predicate q > 0. The secondassignment shuts the gas off when the clock reaches 0. Notice that if we know the value ofthe current state x(t) then we will also know the value of the derivative of x: just evaluatethe function x(t), assuming x(t) = f(x(t)).

3 Instead of the usual Rn we use instead RU ; this amounts to naming the coordinates of a vectorrather than numbering them.

10

2

Two things are missing in the above example: we need to specify how the environmentchanges over time, and we need to specify the effects of interacting with the environment byexecuting guarded assignments. We start with the first of these.

Definition 5.5 (Flow transitions) We define the relation (E, P )t→ (E ′, P ), where t is

a non-negative real number, as follows. Suppose that a state q ∈ [V → R] and that thedifferential equation f ∈ [V → C1[RU ]] is closed, i.e., U = V . Then the flow ξ(t, q) of theequation will be defined in some time-interval J = [0, u) of R. Let E = (q, f, i), and E ′ =(ξ(t, q), f, i) where t ∈ [0, u), and suppose that (ξ(s, q), f(ξ(s, q))) satisfies all constraints ini for all s < t. We then have

(1) Null: (E, 0)t→ (E ′, 0).

(2) Tau: (E, τ.P )t→ (E ′, τ.P ).

(3) Input: (E, aF )t→ (E ′, aF ).

(4) Output: (E, aC)t→ (E ′, aC).

(5) Guarded assignment: (E, ρ.P )t→ (E ′, ρ.P ) where ρ is an assignment with guard γ, such

that γ(ξ(q, s)) fails to hold for all s < t.(6) Sum:

(E, S)t→ (E ′, S) (E, T )

t→ (E ′, T )

(E, S + T )t→ (E ′, S + T )

.

(7) Par:

(E, P )t→ (E ′, P ) (E, Q)

t→ (E ′, Q)

(E, P | Q)t→ (E ′, P | Q)

.

(8) Localization (a similar rule obtains for νxP ):

(E, P )t→ (E ′, P )

(E, νaP )t→ (E ′, νaP )

.

(9) Replication:

(E, P )t→ (E ′, P )

(E, !P )t→ (E ′, !P )

.

2

Rule (5) deserves some explanation. We assume a Newtonian global time, implicitly alsoassuming that this flows as long as possible. Rule (5) guarantees that in order for time tokeep flowing, a guarded assignment with a true guard must be executed immediately, forotherwise time would stop. Rules (6) and (7) ensure that even if the guarded statement isin one of the components of a sum or parallel composition, we still have this property of

11

“maximal progress”. Example 5.7 (below) shows what goes wrong without rules (5-7), butto understand it, we need to explain the effects of our new guarded assignment statements.

Definition 5.6 (Guarded assignment interaction) Let E = (q, f, i) and ρ be the as-

signment [γ → x := e; x := g; ϕ] If γ is true in E, then (E, ρ.P )ρ→ (E ′, P ), where

E ′ = (q[x← [[e]]], f [x← [[g]]], i′)

in which i′ = i \ {ϕ′ | dom(ϕ′) ∩ W 6= ∅} ∪ {ϕ}, where W is the set of free variables ofϕ. This updating of constraint sets with a new constraint reflects the idea that constraintsinvolving variables not in the domain of the new constraint should remain in force; but anyconstraints some of whose variables are among those of the new constraint are discarded.

2

Example 5.7 (Maximal progress) Why not let any sum evolve over time? Here’s anexample involving parallel composition. Consider

P | Q =[x : 0; x := 1; {x ≤ 3}

].b.0 |

[y := 0; y := 1; {y ≤ 5}

].c.0

Our intention is that, starting in the null environment, P and Q both initialize their part ofthe global environment, each contributing an invariant constraint, and then evolve simulta-neously in parallel over time, so that the composition P | Q cannot get past time 3 withoutblocking because of P ’s invariant. If we let any guarded assignment evolve over time, thenQ can put its y constraint into the invariant part of the environment and the process P | c.0can evolve until y = 5, not what we want. But with the Par and Sum flow transition rules,both processes have to use their local environment descriptions to update the actual globalenvironment before any time evolution can happen, so we get the desired simultaneity. Thephrase “maximal progress”, borrowed from Schneider’s book on timed CSP [25], refers toprogress of the environmental actions, not to progress of the flows.

2

Example 5.8 (Timeouts.) We define the timeout operator on processes given in Schneider[25, page 275]. Suppose d is a non-negative real constant. Paraphrasing Schneider:

The process Q1d. Q2 (read “Q1 timeout d Q2”) offers a time-sensitive choice between Q1

and Q2. If Q1 performs an (observable) action before d units of time have elapsed, thenthe choice is resolved for Q1 and Q2 is discarded. If Q1 performs no such action, then theprocess Q2 is enabled after d units of time and Q1 is discarded.

To achieve this behavior, the definition is simply:

Q1d. Q2

def= νx[x := 0; x := 1].(Q1 + [x ≥ d].Q2)

12

where x is not free in Q1 or Q2, and where Q1 is itself a sum, so that + obeys the syntacticrules.

Here we see a more subtle need for the maximal progress principle. When we are about to

execute Q1d. Q2 in a given environment, the local clock x needs to be initialized immediately

in the environment. Otherwise, a flow could proceed immediately for more than d time units.

2

6 The full ϕ-calculus

To encompass both hybrid CCS+ and the π-calculus, we need only allow channel names tooccur as passable names. This occasions some new productions in our grammar, namely forabstractions and concretions. We use a, b, . . . for channel names.

P ::= 0∣∣∣ S

∣∣∣ νxP∣∣∣ νaP

∣∣∣ (P | P )∣∣∣ !P (processes)

S ::= τ.P∣∣∣ [γ → ~x := e].P

∣∣∣ aF∣∣∣ aC

∣∣∣ (S + S) (sums)

C ::= ν~y〈 ~x 〉P∣∣∣ ν~b〈~a 〉P where ~b ⊆ ~a and ~y ⊆ ~x (concretions)

F ::= (~x)P∣∣∣ (~a)P (abstractions)

A ::= F∣∣∣ C (agents).

The definitions of A | Q, νaA, and νxA for the new agents A are straightforward adaptationsof Definition 4.2. The commitment rules remain the same, except for the reaction rule, whichnow extends to abstractions and concretions over channel names, the usual reaction rule forπ-calculus.

(E, P )a→ (E, ν~c〈~b〉.P ′) (E, Q)

a→ (E, (~d).Q′)

(E, P | Q)τ→ (E, ν~c(P ′ | Q′[~d← ~b]))

where |~b| = |~d|.

When would we use the full ϕ-calculus, instead of hybrid CCS+? The π-calculus allowsone to model mobility, in the sense that groups of cooperating processes can split up toform subgroups which then (in the manner of chemical reactions) form yet other groups ofprocesses. It is easy to imagine situations in which the decision to split up is caused by acondition obtaining in the environment. A simple example is a mobile phone disconnectingfrom one tower and reconnecting to another because of differences in signal strength. We

13

adapt the mobile phone example in Milner [20, section 8.2] to take account of the physicalenvironment.

Example 6.1 (Physical mobile phone) In this example a car is traveling in a circle,going in and out of range of either of two cell phone towers located along a diameter of thecircle. The car talks to one of the towers using a channel talk. When the signal strength fromthe other tower is greater than the signal from the current tower, the car sends a messagereq to a central control, via the first tower, requesting a communication channel on which tocontinue its conversation. (We assume the conversation continues indefinitely.)

The central control receives the request-to-switch message directly from the first tower viathe message creq, and thus indirectly from the car. It then issues the names of appropriatechannels for use by the other tower. These are passed back to the car via the first towerusing channel lose, and directly to the second tower using channel gain.

We start with the code for the towers:

Tower i = talk i.Tower i + req .creq .lose i(t, s).sw i〈 t, s 〉.Idtower i (i = 1, 2).

The second summand represents receiving a request-to-switch from the car, and forwardingit via creq to central control. The tower then waits on channel lose for the control to send itthe new pair of names for the car, which it forwards to the car on channel sw. The processIdtower represents the tower in idle state, waiting for a new pair of communication channelson channel gain:

Idtower i = gain i(t, s).Tower i.

The central control has two states. In each state it waits for the creq message, and then sendsout the same pair of channel names, back to the tower that sent the creq message on channellose, and to the currently idle tower on channel gain. So, the control in state 1 is given by

Control1 = creq .lose1〈 talk 2, sw 2 〉.gain2〈 talk 2, sw 2 〉.Control2.

The code for the control process in state 2 is obtained by swapping 1 with 2 in this definition.

Finally, we represent the car parametrically, as in Milner. It can talk on channel talk orrespond to a test on signal strength, send off a request, and eventually receive a new pairof channel names. (Note that the messages req and creq do not need to be subscripted.) Weuse the parametric names x1 and x2 to represent the squared distance from the car fromtower 1 and 2 respectively. Since signal strength is the inverse square of distance, the signalstrength comparison can be represented by comparing the (squared) distances. (In practice,the signal strength would be sensed directly.)

Car〈 talk , switch, x1, x2 〉 = talk .Car〈 talk , switch, x1, x2 〉+ [x1 ≥ x2].req.switch(t, s).Car(t, s, x2, x1)

14

where we reverse the x parameters to get the reverse test of signal strength for the car inthe other mode.

We next represent the continuous environment. For definiteness imagine the circle has radius100, and that the towers are at (−101, 0) and (101, 0). We make a small change in thedefinition of environment: we allow “output variables” to depend functionally on the currentstate. In this case x1 and x2 are output variables, and we use s1 and s2 to represent theposition of the car. Just to have a differential equation, we use the familiar harmonic oscillatorto describe circular motion:

E =

s1 : −100

s2 : 0

x1 : (s1 + 101)2 + s22

x2 : (s1 − 101)2 + s22

s1 : −s2

s2 : s1

This example uses some syntactic conventions on recursive processes deriving from CCS,including the Car process which is parametric on continuous names. It is worth quoting thetranslation, found in [20, section 9.5], of this kind of recursive description into the officialπ-calculus. The translation extends smoothly to recursions involving parametric continuousnames.

To encode the definition

A(~x)def= QA, where QA = · · ·A(〈 ~u 〉 · · ·A(〈~v 〉) · · ·

where the scope of the definition is some process

P = · · ·A〈 ~y 〉 · · ·A〈 ~z 〉 · · ·

(1) Invent a new name a to stand for A;(2) For any process R, denote by R the result of replacing every call A〈 ~w 〉 by a〈 ~w 〉;(3) Replace P and the accompanying definition of A by

P

def= νa(P |!a(~x).QA).

Finally, we assemble the whole system. It is (E, P ), where E is the above environment, andP is the process

Car〈 talk1, sw1, x1, x2 〉 | Tower 1 | Idtower 2 | Control1.

15

We may then localize all the free names by the appropriate ν operators in front of the Pexpression.

7 Bisimulations

In this section we look at two concepts of bisimulation occurring in the ϕ-calculus; strong andweak bisimulation. These bisimulations really should be called “structural bisimulations”,because they are defined only for process expressions. We prove an embedding result forstrong bisimulations: two (structurally) strongly bisimilar processes, when placed in thesame continuous environment, will allow the same flows. This result fails, though, for weakly(structurally) bisimilar processes. The reason is that enabled environmental actions may be“observable” after a sequence of invisible actions have taken place, and weak bisimulationis insensitive to sequences of internal actions. We show a way to revise the laws of flow totake this kind of weak maximal progress into account. This allows us to obtain the sameembedding result for weakly bisimilar processes.

7.1 Strong bisimulation

We follow Milner [20] in defining bisimulations for agents. Our agents can be formed byabstracting and concreting both continuous names and discrete names. So let Aϕ be the setof ϕ-calculus agents and let Pϕ be the set of processes. A binary relation S over Pϕ can beextended to a relation between abstractions of like arity and concretions of like arity using

F S G means that for all ~y, F 〈 ~y 〉 S G〈 ~y 〉.C S D means that C ≡ ν~z〈 ~y 〉.P and D ≡ ν~z〈 ~y 〉.Q such that P S Q.

Definition 7.1 A binary relation S over Pϕ is a strong simulation if whenever P S Q, andµ is either an α or ρ-action,

if Pµ→ A then there exists B such that Q

µ→ B and A S B.

(In this definition, we allow a ρ action to take place irrespective of its environment, treatingthis type of action as just a discrete transition.) If both S and its converse are strongsimulations then S is called a strong bisimulation. Two agents A and B are stronglybisimilar, written A ∼ B, if there is a strong bisimulation relating them.

2

Proposition 7.2 If P is strongly bisimilar to Q, then whenever (E, P )t→ (E ′, P ) we have

(E, Q)t→ (E ′, Q).

16

To prove this proposition, it is easiest to begin a lemma. In the statement, the notation(E, P )

ρ→ means that for some E ′, P ′, (E, P )ρ→ (E ′, P ′). (This just means that the guard of

ρ is true in E.)

Lemma 7.3 Consider an environment E = {x, f, i} with f closed, and let E ′ = {ξ(t, x), f, i},where the intermediate points in the the flow satisfy all i-constraints. Then for any process

P , we have (E, P )t→ (E ′, P ) if and only if there are no E ′′,ρ with (E ′′, P )

ρ→ at any timeless than t.

Proof. We proceed by induction on the structure of the process P . In the base case,when P is 0, the result is obvious. For sums, we look at each way to form a summand.When the guard in each case is not a ρ-transition, then the result follows from the flowtransition rule for each case and the inductive hypothesis. For the case of a ρ-transition,

if (E, P )t→ (E ′, P ) then the guarding predicate γ is not satisfied for any s < t, and so

the result follows; the converse is just as easy. We consider only one more case: when P

is P1 | P2. Then (E, P )t→ (E ′, P ) iff (E, P1)

t→ (E ′, P1) and (E, P2)t→ (E ′, P2), by the

Par flow transition rule. Assume (E, P )t→ (E ′, P ). The inductive hypothesis applies to

(E, P1) and (E, P2) so that E ′ = {ξ(t, x), f, i}, and there is no enabled guard for any ρ such

that (E ′′, Pi)ρ→. Since the Par commitment rule in Definition 4.3 is the only rule allowing

inference of a ρ-action for a parallel composition, the same holds for (E, P ). Conversely,

assume that E ′ = {ξ(t, x), f, i} and there are no E ′′, ρ with (E ′′, P )ρ→ at any time less than

t. Then (E, Pi)t→ (E ′, Pi) by inductive hypothesis, and consequently (E, P )

t→ (E ′, P ) bythe Par flow rule. This completes the inductive step for this case; the corresponding stepsfor P = νaP1 and νxP1 are easy. 2

Proof. (Proposition 7.2) Assume P is strongly bisimilar to Q. If (E, P )t→ (E ′, P ) then

by the lemma E ′ = {ξ(x, t), F, I}, and no ρ with Pρ→ has a true guard during time t. By

bisimilarity the same statement is true for Q, because Pρ→ iff Q

ρ→. By the lemma in the

converse direction, we have (E, Q)t→ (E ′, Q). 2

This proposition shows that strong bisimilarity has the expected properties of bisimulationseven when flow transitions are allowed. Furthermore, we have obvious congruences:

Proposition 7.4 If P ∼ Q then

• α.P + M ∼ α.Q + M , where M is any sum.• P | R ∼ Q | R.• νaP ∼ νaQ.

The proof is straightforward. 2

17

7.2 Weak bisimulation

We extend Milner’s definition of input and output experiments to the ϕ-calculus. The defi-nitions are mostly unchanged from the π-calculus, but we now must recognize that we haveenvironmental actions ρ, that environmental variables can be passed as messages, and thatthere is a new kind of τ -transition corresponding to the Env -commitment.

We begin by defining some notions for process and agent expressions only, and then liftingthem to embedded processes and agents. So, considering ϕ-process expressions only, definethe relation ⇒ to be the reflexive transitive closure of

τ→ ◦ ≡, where ≡ is structuralequivalence.

Definition 7.5 (Experiment) The relationa〈 ~y 〉→ over Pϕ is defined as follows:

Pa〈 ~y 〉→ P ′ iff, for some G, P

a→ G and G〈 ~y 〉 ≡ P ′.

An input experiment is an instance of the relationa〈 ~y 〉⇒ , defined as

Pa〈 ~y 〉⇒ P ′ iff P ⇒a〈 ~y 〉→⇒ P ′.

An output experiment is an instance of the relationa⇒, where

Pa⇒ ν~z〈 ~y 〉.P ′ iff, for some P ′′, P ⇒ a→ ν~z〈 ~y 〉.P ′′ and P ′′ ⇒ P ′;

Definition 7.6 An embedded experiment is the pair of endpoints of a sequence of commit-ments (where µ can be any of the actions in the above definition)

(E, P )τ→ (E, P1)

τ→ . . .τ→ (E, Pn)

µ→ (E ′, P ′).

The final µ-commitment in the sequence is a commitment that is possible for (E, Pn), andmay change the environment E.

We can now define (structural) weak simulation.

Definition 7.7 (Weak simulation) A binary relation R over Aϕ is a weak simulation if,whenever P R Q,

if P ⇒ P ′ then there is Q′ such that Q⇒ Q′ and P ′ R Q′;

if Pa〈 ~y 〉⇒ P ′ then there is Q′ such that Q

a〈 ~y 〉⇒ Q′ and P ′ R Q′;

if Pµ⇒ C, where µ is either a or e, then there is D such that Q

µ⇒ D and C R D.

If both R and its converse are weak simulations, R is a weak bisimulation.

18

Two processes P and Q are weakly bisimilar, written P ≈ Q, if there is some weak bisimu-lation relating them. (In this definition, of course, the experiments are not embedded.)

2

Unfortunately, Proposition 7.2 fails for weak bisimulations:

Example 7.8 Consider the processes

P = νa(a.[x := 1] | a) and Q = [x := 1].

These are weakly bisimilar, but the environment E =

x : 0

x : 1

, in the context of process

P , can flow for arbitrarily long periods before a reaction happens, while the same E in thecontext of the process Q is time-blocked because Q’s environmental action is enabled.

2

We do not need to revise the definition of weak bisimulation to avoid this difficulty. In-stead, we revise the time flow rules so that they regard sequences of internal τ -actions to beimmediate.

Definition 7.9 (Revised flow transitions) We redefine the relation (E, P )t→ (E ′, P ),

where t is a non-negative real number, as follows. Suppose that a state q ∈ [V → R] andthat the differential equation f ∈ [V → C1[RU ]] is closed, i.e., U = V . Then the flow ξ(t, q)of the equation will be defined in some time-interval J = [0, u) of R. Let E = (q, f, i),and E ′ = (ξ(t, q), f, i) where t ∈ [0, u), and suppose that (ξ(s, q), f(ξ(s, q))) satisfies allconstraints in i for all s < t. We then have

(1) Null: (E, 0)t→ (E ′, 0).

(2) Tau:

(E, P )t→ (E ′, P )

(E, τ.P )t→ (E ′, τ.P )

.

(3) Input: (E, aF )t→ (E ′, aF ).

(4) Output: (E, aC)t→ (E ′, aC).

(5) Guarded assignment: (E, ρ.P )t→ (E ′, ρ.P ) where ρ is an assignment with guard γ, such

that γ(ξ(q, s)) fails to hold for all s < t.(6) Sum:

(E, S)t→ (E ′, S) (E, T )

t→ (E ′, T )

(E, S + T )t→ (E ′, S + T )

.

19

(7) Strong Par:

(E, P )t→ (E ′, P ) (E, Q)

t→ (E ′, Q) P ¬ ↓τ(E, P | Q)

t→ (E ′, P | Q).

The notation P ¬ ↓τ means that there is no P ′ such that Pτ→ P ′.

(8) Weak Par:

(∀S)(P | Q τ→ S implies (E, S)t→ (E ′, S))

(E, P | Q)t→ (E ′, P | Q)

.

(9) Localization of channels:

(E, P )t→ (E ′, P )

(E, νaP )t→ (E ′, νaP )

.

(10) Localization of environment names:

(E, P [w/x])t→ (E ′, P [w/x])

(E, νxP )t→ (E ′, νxP )

where w is any name not free in P and not mentioned in E.(11) Replication:

(E, P )t→ (E ′, P )

(E, !P )t→ (E ′, !P )

.

2

The new version of the laws reveals a basic structure: In order for a flow (E, P )t→ (E ′, P ) to

take place, for every τ -commitment Pτ→ P ′ we must have (E, P ′)

t→ (E ′, P ′). By the “max-imal progress” principle, this has the effect in practice of making all of these commitmentseager: time cannot flow unless one of the enabled environmental actions at the end of a chainof τ -commitments available to a process in one of these forms actually takes place, whichentails that all τ -commitments in the chain take place as well. We should also note that rule

(8) is very complicated, as it requires a proof of (E, S)t→ (E ′, S) for every process S that

P | Q can τ -commit to. However, there are only finitely many of these, up to structuralcongruence.

Our context theorem for weak bisimulation relies on the following definitions.

Definition 7.10 (Live τ-experiment) A live τ -experiment is an embedded experiment

(E, P )τ→ (E, P1)

τ→ . . .τ→ (E, Pn)

ρ→ (E ′, P ′)

where ρ is an environmental action with a true guard in environment E. The length of thisexperiment is the number of τ -transitions in it, which may be 0.

2

20

Lemma 7.11 Suppose (E, P )t→ (E ′, P ). Then for any s < t, if (E, P )

s→ (E ′′, P ), then(E ′′, P ) has no live τ -experiments.

Proof. We first prove the following statement by induction on n.

For all environments E = {x, f, i} with f closed, and for any process P , if (E, P )t→ (E ′, P )

then E ′ = {ξ(t, x), f, i}, and there is no live τ -experiment of length n possible at any s < t.

The basis, when n = 0, repeats the proof of Proposition 7.3 in the “only if” direction. (Wecannot just quote this proposition as the flow rules have changed.)

Assume the claim for n = k, and assume by way of contradiction that it fails for n = k + 1.Then there is an s < t such that (E, P )

s→ (E ′′, P ) and (E(s), P ) admits a live τ -experimentof length k + 1. We consider how P can take an initial τ -step. First, P may be a sum,one of whose summands is τ.Q. Then (E ′′, Q) admits a live τ -experiment of length k, andfurther since flows must be inferred for sums by the Sum and Tau rules, it follows that

(E, Q)t→ (E ′, Q). This contradicts the inductive hypothesis.

Next, P may be a parallel composition Q | R. If this has a τ -commitment, then the weakPar rule is the only rule allowing the flow of P , and the antecedent of the rule guaranteesthat all S committed to by P will not admit any live τ -experiments of length k at any timeprior to t, by the inductive hypothesis. Again we have a contradiction.

Finally, P may be νxQ, and (E, P )τ→ (E, P [w/x]) where x is fresh for E and P . If

(E, νxQ)t→ (E ′, P ) then this flow must have been inferred by the local environment

rule. Therefore for any s < t, (E, P [w/x])s→ (E ′′, P [w/x]), and so at the s in question,

(E ′′, P [w/x]) does not admit a live experiment of length k, again a contradiction. This com-pletes the proof of the claim, and the lemma follows immediately. 2

The converse of Lemma 7.11 is the following.

Lemma 7.12 Assume the same hypotheses on the flow ξ(t, q). Suppose, for any E ′′ with(E, P )

s→ (E ′′, P ) for s < t, that the system (E ′′, P ) has no live τ -experiments. Then

(E, P )t→ (E ′, P ).

Proof. This proof is an induction on the structure of P , but is best presented as a proofby contradiction. We consider the shortest counterexample P , up to structural congruence.Clearly P is not 0, of the form a(x)Q, or a〈x 〉Q, as in these cases (E, P ) can flow for thefull amount t. If P is ρ.Q then because the guard of ρ cannot be enabled by hypothesis, weagain have that (E, P ) can flow for t seconds.

For the inductive step, if P is a sum S +T and (E, P ) cannot flow for t seconds, then by the

21

Sum flow rule one of (E, S) or (E, T ) cannot flow either, and S and T are smaller processes.If P is a parallel composition Q | R and (E, P ) cannot flow, we distinguish cases on whetherP ↓τ or not. If not, the reasoning for the sum case applies again. If so, then any process Sthat P | Q can τ -commit to is shorter than Q | R, so if (E, Q | R) cannot flow then (E, S)cannot flow either.

We omit the easy case P = νaQ and consider P = νxQ. If (E, P ) cannot flow then(E, Q[w/x]) cannot flow either, where w is fresh. Since Q[w/x] is shorter than P , the shortestcounterexample cannot be of the form νxQ. Finally if P is of the form !Q and (E, P ) cannotflow, then (E, Q) cannot either. Technically we are considering P to be the shortest repre-sentative of its structural congruence class, and so Q will therefore be a shorter congruenceclass representative, so that (E, P ) cannot be a counterexample either. This completes theproof. 2

Theorem 7.13 If two weakly bisimilar processes P and Q are placed in an environment E

which, with neither of these processes being present, could flow for time t, then (E, P )t→

(E ′, P ) if and only if (E, Q)t→ (E ′, Q).

Proof. Assume P ≈ Q. Suppose for some t, it is not the case that (E, P )t→ (E ′, P ). We

want to prove the same negative statement with P replaced by Q. By Lemma 7.12, theremust be an enabled τ experiment possible for some (E(s), P ), where s < t, Since P ≈ Q,the same enabled experiment is possible for (E(s), Q). which implies, by Lemma 7.11, that(E, Q) cannot flow for t seconds. This establishes one direction of the theorem; the conversedirection follows by interchanging the roles of P and Q. 2

Remark 7.14 From this result, we can see that weakly bisimilar processes will evolve overtime and over actions in the same way. Once a time-transition for the environment of twobisimilar process has completed, then the processes themselves can match each other’s dis-crete transitions to again bisimilar processes, and this can be repeated.

8 Representing threaded Petri nets in the ϕ-calculus

Threaded Petri nets [15](TPNs) merge hybrid system dynamics with Petri net concepts.They can be used to specify robotic assembly systems and to prove some useful propertiessuch as deadlock-freeness and liveness. In this section we show an informal example of aTPN and its translation to ϕ-calculus, looking at the “bucket brigade” from Klavins andKoditschek. Formal details of the general translation are in Appendix A.

The bucket brigade consists of three robots arranged in a straight line. The first robot picksup a part from a parts feeder, moves right, passes the part to the second robot, and returns

22

left for another part. The second robot moves right with the part, passes it to the thirdrobot, and returns left for another exchange. The third robot moves right and drops thepart in the output bin, then returns to meet the second robot. See Figure 1. In the threaded

Fig. 1. The bucket brigade.

Petri net representation of this scheme, tokens in a place are names of continuous variables.When a set of names is in a place, the place evolves continuously according to a predefinedcontroller, one controller for each place. The continuous variables are, in fact, partititionedamong (some of) the places. Further, when each transition’s input places are occupied by(evolving) names, its output places are empty. A transition fires when a certain predicateon its input names, called the goal predicate, becomes true. The transition redistributes(according to a prespecified function) the names in its input places bijectively to its outputplaces, which then invoke their respective controllers. The condition for firing is that foreach output place q which receives a variable from an input place p, the goal predicate for pmust entail the domain predicate for q. This condition, called the backchaining condition, isprearranged beforehand.

By referring to Figure 2, the reader can trace the action of the threaded Petri net for ourbucket brigade. The gray directed lines in the graph represent the movement of tokensrepresenting the robots and the parts in the brigade. The places (aside from the parts feederand the output buffer) hold the tokens (continuous names, links to the environment) we havedescribed.

We focus first on the brigade at the stage when robots 1 and 2 are approaching each otherin preparation for the transfer of the part to robot 2. The names in their places are given by

pick : {}, hold1 : {}, trans12 : {r1, p, r2}, wait3 : {r3}, hold2 : {}, hold3 : {}, drop : {}.

Fig. 2. Action of the bucket brigade net.

23

The new configuration (omitting places holding no variables) would be

wait1 : {r1}, hold2 : {p, r2}, wait3 : {r3}.

We now consider the net firing rule for this stage. For this we look at the place trans1,2,the input place to transition t2. Associated with this place is a controller ftrans12 which isa gradient system based on the Liapunov-style navigation function scheme of Rimon andKoditschek [22]. The purpose of the controller is to bring the robots into an appropriately“mated” configuration, requiring that they meet at almost zero velocity at the specifiedgoal. This closed loop dynamical system is thus endowed with a goal set Gftrans12

which canbe thought of as a predicate on the local state, i.e., the values of the continuous names(p, r1, r2). All trajectories in the basin of attraction of this controller must enter the goal set,which is arranged to be a subset of the domain of attraction Dfwait1

of the controller for theplace wait1 intersected with the domain Dfhold2

of the controller for hold2. Once a trajectoryenters the goal set, the transition t2 must fire, redistributing the variables as indicated inthe previous paragraph.

Using the idea of representing transitions of a Petri net by individual ϕ-processes as inExample 4.5, we see that the redistribution of the variables in the net can be modelled byenvironment name-passing between the processes. As an example, we sketch the process T2

representing the transition t2. Let ϕ2(p, r1, r2), γ2(p, r1, r2) be the predicates

(p, r1, r2) ∈ Dftrans12\ Gftrans12

, (p, r1, r2) ∈ Gftrans12,

respectively.

We also introduce names corresponding to each place in the net. In this example, we focuson trans12,wait1 , and hold2 . These names can be thought of as communication channelsbetween the processes represented by the transitions.

The process T2 can now be defined as

T2(p, r1, r2) ::= trans12(p, r1, r2) (receive variables along the channel trans12)

.[(p, r1, r2) := ftrans12(p, r1, r2); {ϕ2(p, r1, r2)}](force firing, hence activation later of T3 and T4;

activate controller for place trans12; ϕ2 is the invariant.)

.[γ2(p, r1, r2)].wait1〈 r1 〉.hold2〈 p, r2 〉 (wait until goal reached;

send variables along hold2 and wait1)

.T2〈 p, r1, r2 〉 (and repeat.)

The process T1 representing t1 has to be more complex since it receives variables from thetwo places wait2 and hold1, so has to execute two receive actions in parallel. First, though,

24

for the invariant, we let ϕ1(p, r1, r2) be the predicate

(p, r1) ∈ (Dhold1 \ Ghold1) ∨ r2 ∈ (Dwait2 \ Gwait2).

This represents the fact that we wish to keep running the controllers for wait2 and hold1 aslong as either one has not attained its goal set. (The Cartesian product of the two goal setsis predetermined to be contained in the domain of attraction of the controller ftrans12 .) Wealso let γ1(p, r1, r2) be the predicate

(p, r1) ∈ Ghold1 ∧ r2 ∈ Gwait2 .

We now need to deal with the problem of simulating the firing rule of transition t1 in thenet. The transition fires when all of its variable tokens are present in both of its input places,and the appropriate goal condition is satisfied. We simulate token-passing by name-passingduring reaction, so we have to treat the problem of exactly when t0 and t5 send their variablesto hold1, and wait2 and not to let t1 fire when not all of its input variables have been received.This requires us to anticipate a sequence of input actions which may occur in any order. Inthe example of t1, we need to anticipate that the action of receiving a pair of names fromhold1 may or may not precede the action of getting a name from wait2.

One solution to this problem is to introduce Boolean variables corresponding to each placein the net. Such variables can be realized using continuous variables having zero derivative,and which are initialized and reset to 0 or 1. (In fact, there is no reason not to allow Booleantypes in the environment.) Let us call these Boolean variables by the names Bhold1, Bwait2,and Btrans12 respectively. To delay the firing of t1 we introduce the guard

[Bhold1 = 1 ∧ Bwait2 = 1].

With this notation, we may describe the process corresponding to transition t1.

T1(p, r1, r2) ::= [(Bhold1 = 1) ∧ (Bwait2 = 1)]

.hold1(p, r1).wait2(r2)

(receive variables along places hold1 and wait2)

.[(p, r1) := fhold1(p, r1); r2 := fwait2(r2); {ϕ1(p, r1, r2)}](force firing, hence activation later of T2;

activate controllers for places hold1 and wait2; ϕ1 becomes the invariant.)

.[γ1(p, r1, r2)].trans12〈 p, r1, r2 〉 (wait for goals; send variables along trans12)

.[Bhold1 := 0].[Bwait2 := 0].[Btrans12 := 1] (reset Booleans)

.T1〈 p, r1, r2 〉 (and repeat.)

To have a uniform translation, the code for the process T2 should now be rewritten in thissame way.

25

Finally, we model the parts feeder using recursion and the ν operator. The feeder operatesby proximity; every time robot 1 is within some small ε of 0, the feeder produces a new part.

We call this recursive process PF . It is convenient to think as well of the “parts feeder”” inFigure 2 as an actual place with name pf .

PF ::= [r1 < ε].νpart(part.= 0; ˙part

.= 0].[Bpf := 1].pf 〈 part 〉.PF ).

The test r1 ≥ ε in this process becomes true when the first robot gets within ε distance of theparts feeder. This triggers a call of the localizing operator νpart . This in turn creates a freshpart name, using alpha-conversion to avoid clashes with part names in the environment whenthe “new” process “decays” at the Env commitment. Parts start with 0 velocity at position0. The name of the part is passed to the place pf which is an input place to transition t3.

The Petri net representing the whole bucket brigade is then represented by the parallelcomposition of all the processes representing the transitions, the parts feeder, and the partsdrop.

9 Conclusion

We hope to have shown the feasibility of using process-algebraic techniques in the design ofhybrid systems. However, much theoretical work remains to be done.

First, we need to have a deeper understanding of simulations and bisimulations. An obviousdirection is studying the analogue of bisimulations for environments. One paper we considerparticularly important is that of Haghverdi et al [10], as it uses the categorical concept ofopen map [21] to isolate a natural kind of bisimulation for hybrid dynamical systems. Davoren[6] relates logics, topology, and hybrid bisimulation. Both papers draw on the connectionsbetween the logical techniques used in computer science and the theory of dynamical systems.It remains to integrate the kinds of bisimulations found in the π-calculus with these moregeneral notions.

Given the difficulties associated with formal analysis of arbitrary hybrid systems, we feelthat much more attention should be paid to provably correct synthesis. It would be nice,for example, to give conditions on environments and environmental actions (guarantees thatflows will eventually reach the boundary of an invariant, for example), so that a “time-abstract” version of a process could be proven live (deadlock-free) by passing to its discreteversion using simulation. This (implicitly) is already the case in Klavins and Koditschek’sthreaded Petri nets. One can pass to the underlying net structure to prove liveness, becauseof the backchaining conditions assumed on the controllers in the net. (See Appendix A.)

In this paper we have not mentioned logics for reasoning about ϕ-calculus processes. In [23]

26

we have extended the spatial logic of Caires and Cardelli [4] to the ϕ-calculus. This logic is,however, rather top-heavy, and needs to be simplified if it is to be used as a workable toolfor synthesis purposes.

On the control theory side, we would like to see what kinds of systems can be modeledwith “superposition” environmental actions, in which state information is accumulated byaddition rather than replacement. Much work on coupled oscillators uses superposition tocombine individual oscillators, and it is possible that one could smooth out hybrid jumpsusing this kind of reset. Our formalism allows vector fields to be combined by additionand even multiplication, but we believe that adapting previous work to allow synthesis willrequire new kinds of investigations in continuous dynamical systems.

Acknowledgements. Thanks to Dan Koditschek for illuminating discussions on backchain-ing, Robin Milner and Glynn Winskel for kindly hosting W. Rounds during a sabbatical atCambridge in 2002-2003, and to the members of the EECS 498 logic class at Michigan fordeveloping CCS+. A full paper on this language is forthcoming.

References

[1] R. Alur, R. Grosu, I. Lee, and O. Sokolsky. Compositional refinement for hierarchical hybridsystems. In Maria Domenica Di Benedetto and Alberto Sangiovanni-Vincentelli, editors, HybridSystems, Computation, and Control, pages 33–48. Springer-Verlag, 2001. Volume 2034 ofLecture Notes in Computer Science.

[2] R. Alur and T. A. Henzinger. Reactive modules. Formal methods in System Design, 15:7–48,1999.

[3] S. D. Brookes, C. A. R. Hoare, and A. W. Roscoe. A theory of communicating sequentialprocesses. J. Assoc. Comput. Mach., 31(3):560–599, 1984.

[4] Luis Caires and Luca Cardelli. A spatial logic for concurrency (part I). Information andComputation, 186(2):194–235, November 2003.

[5] Rene David and Hassane Alla. On hybrid Petri nets. Discrete Event Dynamic Systems, 11:9–40,2001. Kluwer.

[6] J. M. Davoren. Topologies, continuity, and bisimulations. Theoretical Informatics andApplications, 33:357–381, 1999.

[7] Stephen J. Garland and Nancy A. Lynch. Using I/O automata for developing distributedsystems. In Gary T. Leavens and Murali Sitaraman, editors, Foundations of Component-BasedSystems, pages 285–312. Cambridge University Press, 2000.

[8] C. Ghezzi, P. Mandrioli, S. Morasca, and P. Mauro. A general way to put time into Petri nets.In Proceedings of 5th International Workshop on Software Specification, pages 60–67, 1989.

27

[9] V. Gupta, R. Jagadeesan, and V. A. Saraswat. Computing with continuous change. Science ofComputer Programming, 30:3–49, 1998.

[10] Esfandiar Haghverdi, Paulo Tabuada, and George J. Pappas. Unifying bisimulation relationsfor discrete and continuous systems. In Proceedings of the Mathematical Theory of Networksand Systems, Notre Dame, IN, August 2002.

[11] T. A. Henzinger. The theory of hybrid automata. In Proc. 11th Annual Symposium on Logicin Computer Science, pages 278–292, 1996.

[12] T. A. Henzinger, M. Minea, and V. Prabhu. Assume-guarantee reasoning for hierarchical hybridsystems. In Maria Domenica Di Benedetto and Alberto Sangiovanni-Vincentelli, editors, HybridSystems, Computation, and Control, pages 275–290. Springer-Verlag, 2001. Volume 2034 ofLecture Notes in Computer Science.

[13] He Jifeng. From CSP to hybrid systems. In A Classical Mind, Essays in Honour of C. A. R.Hoare, pages 171–189. Prentice-Hall international, 1994.

[14] O. Khatib. Real time obstacle avoidance for manipulators and mobile robots. InternationalJournal of Robotics Research, 5:90–99, 1986.

[15] Eric Klavins and Daniel Koditschek. A formalism for the composition of loosely coupled robotbehaviors. Technical report, University of Michigan CSE Tech Report CSE-TR-12-99, 1999.

[16] Jana Kosecka. A Framework for Modeling and Verifying Visually Guided Agents:Design,Analysis, and Experiments. PhD thesis, University of Pennsylvania, 1996.

[17] Nancy Lynch, Roberto Segala, and Frits Vaandrager. Hybrid I/O automata revisited. InMaria Domenica Di Benedetto and Alberto Sangiovanni-Vincentelli, editors, Hybrid Systems:Computation and Control. Fourth International Workshop, pages 403–417. Springer-Verlag,2001. Volume 2034 of Lecture Notes in Computer Science.

[18] Nancy Lynch and Mark Tuttle. Hierarchical correctness proofs for distributed algorithms. InProceedings of 6th Annual Symposium on Principles of Distributed Computing, pages 137–151,1987.

[19] Robin Milner. Communication and concurrency. Prentice-Hall, 1989.

[20] Robin Milner. Communicating and Mobile Systems: the π-calculus. Cambridge UniversityPress, 1999.

[21] M. Nielsen, A. Joyal, and G. Winskel. Bisimulation from open maps. Information andComputation, 127(2):164–185, 1996.

[22] Elon Rimon and D. E. Koditschek. Exact robot navigation using artificial potential fields.IEEE Transactions on Robotics and Automation, 8(5):501–518, Oct 1992.

[23] William C. Rounds. A spatial logic for the hybrid π-calculus. In Hybrid Systems, Computation,and Control 2004, pages 508–522. Springer-Verlag LNCS 2993, 2004.

28

[24] Davide Sangiorgi and David Walker. The π-Calculus: A Theory of Mobile Processes. CambridgeUniversity Press, 2001.

[25] Steve Schneider. Concurrent and real-time systems: the CSP approach. Wiley, 2000.

[26] Roberto Segala. A process-algebraic view of I-O automata. Technical report, MIT Tech MemoMIT/LCS/TR557, 1992.

29

A Formal translation of threaded Petri nets

For reference, we present in this appendix a summary of threaded Petri net definitions anda review of the control-theoretic ideas used in the constructions of goal sets and domainsof attraction for the various controllers exemplified above. It will then be clear how thetranslation of TPNs to the ϕ-calculus can be carried out in general.

We begin with generalized marked graphs. These are Petri nets with finite sets P of placesand T of transitions. We denote by •t and t• the set of input and output places respectivelyfor transition t. In a marked graph, each place is an input place to at most one transitionand an output place for at most one transition. Let p• be the unique, if any, transition forwhich p is the input place. Similarly •p is the unique transition feeding p.

Next, there is a finite set S of slots {s1, . . . , sn}; We have a function α : P → P(S), calledthe slot distribution function, which is such that (i) for each transition t, α(p)∩α(q) = ∅ forall p 6= q in •t; (ii) also for all p 6= q in t•; and (iii) for each transition t,

⋃p∈•t

α(p) =⋃

p∈t•α(p).

In the bucket brigade, we have shown neither the distribution function nor the set S of slots.We might put S = {fr , sr , tr , part}, standing for first robot, second robot, third robot, andpart respectively. Then, for example, α(trans12) = {fr, tr, part}. The slots can be thoughtof as the net equivalent of ϕ-calculus abstractions.

The distribution function has the property that if a slot s is in α(p) for p an input place of t,then there is a unique place q in t• with s in α(q). Thus we have implicitly defined a (partial)function δ : S × P → P , called the redistribution function of the net. (The transitions donot enter this definition, because any place is input to at most one transition; the functionδ(p, s) is undefined if p• is not defined.) By iterating the function δ(s, ·) for a fixed slot s,starting at a given place p, we get a finite or infinite sequence of places which is called athread for the net starting at p. A full thread starts at a place p for which •p is not defined,and is either infinite or terminates at a place p for which p• is not defined. Following a grayline in Figure 2 and enumerating the places passed gives a thread.

We assume a prespecified set V of variables for the net. In the bucket brigade, V = {p1, p2, . . . }∪{r1, r2, r3}. A marking for such a net is a pair (m, ρm), where m is a set of places (the markedplaces) and a bijective map ρm :

⋃p∈m({p} × α(p)) → V . For each slot s of a place p in m,

ρ(p, s) is the variable in that slot. The presence of a variable in a slot corresponds in theϕ-translation to having carried out a commitment via a reaction which has passed environ-ment variable names. In our example, the marking represented just before trans12 fires is

30

m = {trans12, wait3}, and ρm is

{(trans12, fr) 7→ r1; (trans12, sr) 7→ r2; (trans12, part) 7→ p; (wait3 , tr) 7→ r3}.

The continuous dynamics of a net is given locally. For each place p there is assumed adifferential equation x = Fp(x), x ∈ Rα(p). Here we use the slot names as abstract variables,corresponding to the fact that the differential equation which is actually in force when a placeis operating under a specific mode dynamics may vary, depending on which actual variablesoccupy the slots in a place. We assume that the solution f(x, t) of this equation has a stablefixed point (equilibrium point) x∗, where of course Fp(x

∗) = 0. We call x∗ the goal. The goalset of p is a (small) open set Gp containing the goal, and such that (∀t)(f(y, t) ∈ Gp) for ally ∈ Gp. The largest open set Dp with the same property is called the domain of attractionfor p. The collection {Fp | p ∈ P} is called a palette of controllers for the net.

The palette of controllers satisfies a backchaining condition, which we now explain. Roughly,the goal set of one controller in an input place to a transition is supposed to be a subsetof the domain of a controller of an output place for that transition. Because a transitioncan have several input and output places, this condition is more complicated. Let t be anytransition. Because we have a marked graph, the transition t is the unique one feeding anyof its output places. If q is an output place of t, denote by δ−1[α(q)] the set of slots s in anyinput places p to t such that δ(s, p) ∈ α(q). The backchaining condition for the net is then

(∀q ∈ t•) : πδ−1[α(q)](Gp1 × · · · × Gpn) ⊆ Dq

where πA is the projection of a set in RS onto RA for A ⊆ S, and {p1, . . . , pn} = •t.

Let x ∈ RV be a “state” of the net. A transition t is enabled with respect to marking (m, ρm)and x, if

(1) •t ⊆ m and t• ∩m = ∅;(2) (xρm(p,s1), . . . , xρm(p,sn)) ∈ Gp for every input place p to t, where {s1, . . . , sn} = α(p).

The follower marking for an enabled transition is the marking (n, ρn), where n = (m\• t)∪t•,and

ρn(r, s) =

ρm(r, s) for r /∈ t•;

ρn(r, s) = ρm(p, s) if r ∈ t• and δ(p, s) = r.

With this review (and slight reformulation) of TPNs, we can present our formal translation ofTPNs into the ϕ-calculus. We proceed on a transition-by-transition basis. Let t be a transitionwith •t = {p1, . . . , pn}, t• = {q1, . . . , qm} and overall slot set {s1, . . . , sl} =

⋃p∈•t α(p). Also

by t(α(p)) we mean an abstraction with name t over the environmental variables in α(p),using slot names as the bound variables of the abstraction. Let ξt(s1, . . . , sl), γt(s1, . . . , sl) be

31

the predicates ∨p∈•t

(α(p) ∈ Dp \ Gp),∧

p∈•tα(p) ∈ Gp,

respectively.

As in the examples of the last section, we introduce formal place names p1, . . . , pn, and thecorresponding Boolean variables Bp1, . . . , Bpn.

For the transition t we define a process Tt(s1, . . . , sl) as follows:

Tt(s1, . . . , sl) ::=

[∧p∈•t

(Bp = 1)]

.p1(α(p1)). . . . .pn(α(pn))(receive variables from all transitions feeding t)

.( [( ˙α(p1) := fp1(α(p1)); . . . ; ˙α(pn) := fpn(α(pn)); {ξ(s1, . . . , sl)}](force firing, hence activation later of controllers for output places of t;activate controllers for input places; set new invariant ξ).[γt(s1, . . . , sl)].q1〈α(q1) 〉. . . . qm〈α(qm) 〉 (wait for goals; send variables to follower transitions).[Bp1 := 0]. . . . .[Bpn := 0].[Bq1 := 1]. . . . .[Bqm := 1].Tt〈 s1, . . . , sl 〉 (and repeat.))

As in the bucket brigade, we just put all the transitions Tt in parallel combination to getthe ϕ-calculus process representing the net.

A word is in order about the adequacy of our translation. We should be concerned about pre-serving liveness and safety properties from the original TPN into the translated ϕ-calculusversion. We notice that establishing these properties, in the work of Klavins and Koditschek,is reduced to consideration of the discrete version of the net, without the continuous dy-namics. This discrete version is simply a Petri net which accumulates variable names in itsplaces, and fires when the appropriate variable names for a given transition have been accu-mulated into the input places for that transition. The reason that this reduction is possibleis the backchaining condition; a guarantee is provided that the goal set of a controller willbe contained in the domain set of a follower controller. It is not so easy, though, to see thata corresponding translation of the discrete version of a TPN into ϕ-calculus will preserveliveness and safety properties of the original net. This problem will be addressed in a futurepaper.

With respect to liveness, we note a minor problem with the TPN formalism itself. Once thegoal predicate of a controller has been attained, there is nothing in the TPN formalism whichforces a transition to actually fire. In contrast, this firing is forced in our translated versionvia the use of an appropriate invariant.

32

Finally, the parts feeder in Klavins and Koditschek’s bucket brigade example is an anomalouskind of “place” in which tokens can magically be created. It does not actually conform tothe TPN formalism. Our treatment of the parts feeder, by contrast, uses recursion and theν operator to generate this stream of part numbers.

33