arX

iv:1

609.

0009

1v2

[cs.

LO]

8 S

ep 2

016

Approximate Bisimulation and Discretization of HybridCSP⋆ ⋆⋆

Gaogao Yan, Li Jiao, Yangjia Li, Shuling Wang and Naijun Zhan

State Key Lab. of Comput. Sci., Institute of Software, Chinese Academy of Sciences{yangg,ljiao,yangjia,wangsl,znj}@ios.ac.cn

Abstract. Hybrid Communicating Sequential Processes (HCSP) is a powerfulformal modeling language for hybrid systems, which is an extension of CSPby introducing differential equations for modeling continuous evolution and in-terrupts for modeling interaction between continuous and discrete dynamics. Inthis paper, we investigate the semantic foundation for HCSPfrom an operationalpoint of view by proposing the notion of approximate bisimulation, which pro-vides an appropriate criterion to characterize the equivalence between HCSP pro-cesses with continuous and discrete behaviour. We give an algorithm to determinewhether two HCSP processes are approximately bisimilar. Inaddition, based onwhich, we propose an approach on how to discretize HCSP, i.e., given an HCSPprocessA, we construct another HCSP processB which does not contain anycontinuous dynamics such thatA andB are approximately bisimilar with givenprecisions. This provides a rigorous way to transform a verified control model toa correct program model, which fills the gap in the design of embedded systems.

Keywords: HCSP, approximately bisimilar, hybrid systems, discretization

1 Introduction

Embedded Systems (ESs) make use of computer units to controlphysical processes sothat the behavior of the controlled processes meets expected requirements. They havebecome ubiquitous in our daily life, e.g., automotive, aerospace, consumer electronics,communications, medical, manufacturing and so on. ESs are used to carry out highlycomplex and often critical functions such as to monitor and control industrial plants,complex transportation equipments, communication infrastructure, etc. The develop-ment process of ESs is widely recognized as a highly complex and challenging task.Model-Based Engineering (MBE) is considered as an effective way of developing cor-rect complex ESs, and has been successfully applied in industry [16,21]. In the frame-work of MBE, a model of the system to be developed is defined at the beginning; thenextensive analysis and verification are conducted based on the model so that errors canbe detected and corrected at early stages of design of the system. Afterwards, model

⋆ This work is supported partly by “973 Program” under grant No. 2014CB340701, byNSFC under grants 91418204 and 61502467, by CDZ project CAP (GZ 1023), and by theCAS/SAFEA International Partnership Program for CreativeResearch Teams.

⋆⋆ The corresponding authors: Shuling Wang (wangsl@ios.ac.cn) and Naijun Zhan(znj@ios.ac.cn).

transformation techniques are applied to transform abstract formal models into moreconcrete models, even into source code.

To improve the efficiency and reliability of MBE, it is absolutely necessary to au-tomate the system design process as much as possible. This requires that all modelsat different abstraction levels have a precise mathematical semantics. Transformationbetween models at different abstraction levels should preserve semantics, which can bedone automatically with tool support.

Thus, the first challenge in model-based formal design of ESsis to have a powerfulmodelling language which can model all kinds of features of ESs such as communica-tion, synchronization, concurrency, continuous and discrete dynamics and their interac-tion, real-time, and so on, in an easy way. To address this issue, Hybrid CommunicatingSequential Processes (HCSP) was proposed in [14,36], whichis an extension of CSPby introducing differential equations for modeling continuous evolutions and interruptsfor modeling interaction between continuous and discrete dynamics. Comparing withother formalisms, e.g., hybrid automata [17], hybrid programs [24], etc., HCSP is moreexpressive and much easier to be used, as it provides a rich set of constructors. Throughwhich a complicated ES with different behaviours can be easily modeled in a compo-sitional way. The semantic foundation of HCSP has been investigated in the literature,e.g., in He’s original work on HCSP [14], an algebraic semantics of HCSP was given bydefining a set of algebraic laws for the constructors of HCSP.Subsequently, a DC-basedsemantics for HCSP was presented in [36] due to Zhouet al. These two original for-mal semantics of HCSP are very restrictive and incomplete, for example, it is unclearwhether the set of algebraic rules defined in [14] is complete, and super-dense com-putation and recursion are not well handled in [36]. In [22,33,13,35,8], the axiomatic,operational, and the DC-based and UTP-based denotational semantics for HCSP areproposed, and the relations among them are discussed. However, regarding operationalsemantics, just a set of transition rules was proposed in [35]. It is unclear in what sensetwo HCSP processes are equivalent from an operational pointof view, which is thecornerstone of operational semantics, also the basis of refinement theory for a processalgebra. So, it absolutely deserves to investigate the semantic foundation of HCSP froman operational point of view.

Another challenge in the model-based formal design of ESs ishow to transformhigher level abstract models (control models) to lower level program models (algo-rithm models), even to C code, seamlessly in a rigorous way. Although huge volume ofmodel-based development approaches targeting embedded systems has been proposedand used in industry and academia, e.g., Simulink/Stateflow[1,2], SCADE [9], Model-ica [31], SysML [3], MARTE [28], Ptolemy [10], hybrid automata [17], CHARON [5],HCSP [14,36], Differential Dynamic Logic [24], and Hybrid Hoare Logic [22], the gapbetween higher-level control models and lower-level algorithm models still remains.

Approximate bisimulation [12] is a popular method for analyzing and verifyingcomplex hybrid systems. Instead of requiring observational behaviors of two systemsto be exactly identical, it allows errors but requires the “distance” between two sys-tems remain bounded by some precisions. In [11], with the useof simulation functions,a characterization of approximate simulation relations between hybrid systems is de-veloped. A new approximate bisimulation relation with two parameters as precisions,

which is very similar to the notion defined in this paper, is introduced in [18]. Forcontrol systems with inputs, the method for constructing a symbolic model which is ap-proximately bisimilar with the original continuous systemis studied in [26]. Moreover,[23] discusses the problem for building an approximately bisimilar symbolic model ofa digital control system. Also, there are some works on building symbolic models fornetworks of control systems [27]. But for all the above works, either discrete dynamicsis not considered, or it is assumed to be atomic actions independent of the continuousvariables. In [15,32,20], the abstraction of hybrid automata is considered, but it is onlyguaranteed that the abstract system is an approximate simulation of the original system.In [25], a discretization of hybrid programs is presented for a proof-theoretical purpose,i.e., it aims to have a sound and complete axiomatization relative to properties of dis-crete programs. Differently from all the above works, we aimto have a discretizationof HCSP, for which discrete and continuous dynamics, communications, and so on,are entangled with each other tightly, to guarantee that thediscretized process has theapproximate equivalence with the original process.

The main contributions of this paper include:

– First of all, we propose the notion of approximate bisimulation, which provides acriterion to characterize in what sense two HCSP processes with differential kindsof behaviours are equivalent from an operational point of view. Based on which, arefinement theory for HCSP could be developed.

– Then, we show that whether two HCSP processes are approximately bisimilar ornot is decidable if all ordinary differential equations (ODEs) occurring in them sat-isfy globally asymptotical stability (GAS) condition (thedefinition will be givenlater). This is achieved by proposing an algorithm to compute an approximatebisimulation relation for the two HCSP processes.

– Most importantly, we present how to discretize an HCSP process (a control model)by a discrete HCSP process (an algorithm model), and prove they are approximatelybisimilar, if the original HCSP process satisfies the GAS condition and is robustlysafe with respect to some given precisions.

The rest of this paper is organized as follows: In Sec. 2, we introduce some prelim-inary notions on dynamical systems. Sec. 3 defines transition systems and the approx-imate bisimulation relation between transition systems. The syntax and the transitionsemantics of HCSP, and the approximately bisimilar of HCSP processes are presentedin Sec. 4. The discretization of HCSP is presented in Sec. 5. Throughout the paper, andin Sec. 6, a case study on the water tank system [4] is shown to illustrate our method. Atthe end, Sec. 7 concludes the paper and discusses the future work. For space limitation,the proofs for all the lemmas and theorems are omitted, but can be found in [34].

2 Preliminary

In this section, we briefly review some notions in dynamical systems, that can be foundat [19,29]. In what follows,N,R, R+,R+

0 denote the natural, real, positive and nonneg-ative real numbers, respectively. Given a vectorx ∈ R

n, ‖x‖ denotes the infinity normof x ∈ R

n, i.e.,‖x‖ = max{|x1|, |x2|, ..., |xn|}. A continuous functionγ : R+0 → R

+0 ,

is said in classK if it is strictly increasing andγ(0) = 0; γ is said in classK∞ if γ ∈ Kandγ(r) → ∞ asr → ∞. A continuous functionβ : R+

0 × R+0 → R

+0 is said in class

KL if for each fixeds, the mapβ(r, s) ∈ K∞ with respect tor and, for each fixedr,β(r, s) is decreasing with respect tos andβ(r, s) → 0 ass → ∞.

A dynamical system is of the following form

x = f(x), x(t0) = x0 (1)

wherex ∈ Rn is the state andx(t0) = x0 is theinitial condition.

Supposea < t0 < b. A functionX(.) : (a, b) → Rn is said to be atrajectory

(solution) of (1) on(a, b), if X(t0) = x0 andX(t) = f(X(t)) for all t ≥ t0. In orderto ensure the existence and uniqueness of trajectories, we assumef satisfying the localLipschitz condition, i.e., for every compact setS ⊂ R

n, there exists a constantL > 0s.t.‖f(x) − f(y)‖ ≤ L‖x − y‖, for all x,y ∈ S. Then, we writeX(t,x0) to denotethe point reached at timet ∈ (a, b) from initial conditionx0, which should be uniquelydetermined. In addition, we assume (1) isforward complete[7], i.e., it is solvable on anopen interval(a,+∞). An equilibrium point of (1) is a pointx ∈ R

n s.t.f(x) = 0.

Definition 1. A dynamical system of form (1) is said to beglobally asymptotically sta-ble (GAS) if there exists a pointx0 and a functionβ of classKL s.t.

∀x ∈ Rn ∀t ≥ 0.‖X(t,x)− x0‖ ≤ β(‖x− x0‖, t).

It is easy to see that the pointx0 is actually the unique equilibrium point of the system.When this point is previously known or can be easily computed, one can prove thesystem to be GAS by constructing a corresponding Lyapunov function. However,x0

cannot be found sometimes, for example, when the dynamicsf of the system dependson external inputs and thus is not completely known. The concept ofδ-GAS would beuseful in this case.

Definition 2. A dynamical system of (1) is said to be incrementally globally asymptot-ically stable (δ-GAS) if it is forward complete and there is aKL functionβ s.t.

∀x ∈ Rn ∀y ∈ R

n ∀t ≥ 0.‖X(t,x)−X(t,y)‖ ≤ β(‖x− y‖, t).

In [6], the relationship betweenGAS andδ-GAS was established, restated by thefollowing proposition.

Proposition 1. – If (1) is δ-GAS, then it isGAS.– If there exist two strictly positive realsM and ε, and a differentiable functionV (x,y) with α1(‖x − y‖) ≤ V (x,y) ≤ α2(‖x − y‖) for someα1, α2 and ρ

of classK∞, s.t.

∀x,y ∈ Rn.

(‖x− y‖ ≤ ε ∧ ‖x‖ ≥ M ∧ ‖y‖ ≥ M

⇒ ∂V∂x

f(x) + ∂V∂y

f(y) ≤ −ρ(‖x− y‖)

),

then the system (1) isδ-GAS.

A function V (x,y) satisfying the condition in Proposition 1 is called aδ-GAS

Lyapunov functionof (1). Proposition 1 tells us that (1) isδ-GAS if and only if it admitsa δ-GAS Lyapunov function. In general, checking the inequality in Def. 2 is difficult,one may constructδ-GAS Lyapunov functions as an alternative.

3 Transition systems and approximate bisimulation

In the following, the set of actions, denoted byAct, is assumed to consist of a set ofdiscrete actions which take no time (written asE),R+

0 the set of delay actions which justtake time delay, and a special internal actionτ . Actions are ranged overl1, . . . , ln, . . ..

Definition 3 (Transition system).A labeled transition system with observations is atupleT = 〈Q,L,→, Q0, Y,H〉, whereQ is a set of states,L ⊆ Act is a set of labels,Q0 ⊆ Q is a set of initial states,Y is a set of observations, andH is an observationfunctionH : Q → Y , →⊆ Q × L×Q is a transition relation, satisfying

1, identity: q 0−→ q always holds;

2, delay determinism: if qd

−→ q′ andqd

−→ q′′, thenq′ = q′′; and

3, delay additivity: if qd1−→ q′ andq′

d2−→ q′′ thenqd1+d2−→ q′′, whered, d1, d2 ∈ R

+0 .

A transition systemT is said to besymbolicif Q andL ∩ E are finite, andL ∩ R+0

is bounded, andmetric if the output setY is equipped with a metricd : Y × Y → R+0 .

In this paper, we regardY as being equipped with the metricd(y1,y2) = ‖y1 − y2‖.A state trajectoryof a transition systemT is a (possibly infinite) sequence of tran-

sitionsq0 l0

−→ q1 l1

−→ · · ·li−1

−−→ qi li

−→ · · · , denoted by{qi li

−→ qi+1}i∈N, s.t.q0 ∈ Q0

and for anyi, qi li

−→ qi+1. An observation trajectoryis a (possibly infinite) sequence

y0 l0

−→ y1 l1

−→ · · ·li−1

−−→ yi li

−→ · · · , denoted by{yi li

−→ yi+1}i∈N, and it is accepted byT if there exists a corresponding state trajectory ofT s.t.yi = H(qi) for any i ∈ N.The set of observation trajectories accepted byT is called thelanguageof T , and isdenoted byL(T ). The reachable set ofT is a subset ofY defined by

Reach(T ) = {y ∈ Y |∃{yi li

−→ yi+1}i∈N ∈ L(T ), ∃j ∈ N,yj = y}.

We can verify the safety property ofT by computingReach(T )∩YU , in whichYU ⊆ Y

is the set of unsafe observations. If it is empty, thenT is safe, otherwise,unsafe.For a maximum sequence ofτ actionsqi τ

−→ qi+1 τ−→ · · ·

τ−→ qi+k, we remove

the intermediate states and define theτ -compressedtransitionqiτ։ qi+k instead. For

unification, for a non-τ transitionqi li

−→ qi+1 whereli 6= τ , we defineqili

։ qi+1. Inwhat follows, we will denote〈Q,L,։, Q0, Y,H〉 the resulting labeled transition sys-tem from〈Q,L,→, Q0, Y,H〉 by replacing each label transition with itsτ -compressed

version. As a common convention in process algebra, we usepl

==⇒ p′ to denote the

closure ofτ transitions, i.e.,p(τ։){0,1}

l։ (

τ։){0,1}p′, for anyl ∈ L in the sequel.

Givenl1, l2 ∈ L ∪ {τ}, we define thedistance dis(l1, l2) between them as follows:

dis(l1, l2)def=

0 if both l1 andl2 are inE or areτ|d− d′| if l1 = d andl2 = d′ are both delay actions, i.e.,d, d′ ∈ R

+0

∞ Otherwise

Definition 4 (Approximate bisimulation). Let Ti = 〈Qi, Li,։i, Q0i , Yi, Hi〉, (i =

1, 2) be two metric transition systems with the same output setY and metricd. Leth

andε be the time and value precision respectively. A relationBh,ε ⊆ Q1×Q2 is called a(h, ε)-approximate bisimulation relation betweenT1 andT2, if for all (q1,q2) ∈ Bh,ε,1.d(H1(q1), H2(q2)) ≤ ε,

2. ∀q1l։1 q′

1, ∃q2l′

==⇒2 q′2 s.t. dis(l, l′) ≤ h and (q′

1,q′2) ∈ Bh,ε, for l ∈ L1 and

l′ ∈ L2

3. ∀q2l։2 q′

2, ∃q1l′

==⇒1 q′1 s.t. dis(l, l′) ≤ h and (q′

1,q′2) ∈ Bh,ε, for l ∈ L2 and

l′ ∈ L1.

Definition 5. T1 andT2 are approximately bisimilar with the precisionh and ε (de-notedT1

∼=h,ε T2), if there exists a(h, ε)-approximate bisimulation relationBh,ε be-tweenT1 andT2 s.t. for all q1 ∈ Q0

1, there existsq2 ∈ Q02 s.t. (q1,q2) ∈ Bh,ε, and

vice versa.

The following result ensures that the set of(h, ε)-approximate bisimulation rela-tions has a maximal element.

Lemma 1. Let{Bih,ε}i∈I be a family of(h, ε)-approximate bisimulation relations be-

tweenT1 and T2. Then,⋃

i∈I Bih,ε is a (h, ε)-approximate bisimulation relation be-

tweenT1 andT2.

By Lemma 1, given the precision parametersh andε, let {Bih,ε}i∈I be the set of all

(h, ε)-approximate bisimulation relations betweenT1 andT2, then the maximal(h, ε)-approximate bisimulation relation betweenT1 andT2 is defined byBmax

h,ε =⋃i∈I

Bih,ε.

For two transition systems that are approximately bisimilar, the reachable sets have thefollowing relationship:

Theorem 1. If T1∼=h,ε T2, then Reach(T1) ⊆ N(Reach(T2), ε), whereN(Y, ε) de-

notes theε neighborhood ofY , i.e.{x | ∃y.y ∈ Y ∧ ‖x− y‖ < ε}.

Thus, if the distance betweenReach(T2) and the unsafe setYU is greater thanε, then theintersection ofReach(T1) andYU is empty and henceT1 is safe, wheneverT1

∼=h,ε T2.

4 Hybrid CSP (HCSP)

In this section, we present a brief introduction to HCSP and define the transition systemof HCSP from an operational point of view. An example is givenfor better understand-ing. Finally, we investigate the approximate bisimilarityfor HCSP processes.

4.1 HCSP

Hybrid Communicating Sequential Process (HCSP) is a formallanguage for describinghybrid systems, which extends CSP by introducing differential equations for modellingcontinuous evolutions and interrupts for modeling the arbitrary interaction between con-tinuous evolutions and discrete jumps. The syntax of HCSP can be described as follows:

P ::= skip | x := e | wait d | ch?x | ch!e | P ;Q | B → P | P ⊓Q | P ∗

| 8i∈I ioi → Pi | 〈F (s, s) = 0&B〉 | 〈F (s, s) = 0&B〉 � 8i∈I(ioi → Qi)S ::= P | S‖S

wherex, s for variables and vectors of variables, respectively,B ande are boolean andarithmetic expressions,d is a non-negative real constant,ch is the channel name,ioistands for a communication event, i.e., eitherchi?x or chi!e, P,Q,Qi are sequentialprocess terms, andS stands for an HCSP process term. Given an HCSP processS, wedefineVar(S) for the set of variables inS, andΣ(S) the set of channels occurring inS,respectively. The informal meanings of the individual constructors are as follows:

– skip,x := e, wait d, ch?x, ch!e, P ;Q, P ⊓ Q, and8i∈I ioi → Pi are defined asusual.B → P behaves asP if B is true, otherwise terminates.

– For repetitionP ∗, P executes for an arbitrary finite number of times. We assumean oraclenum, s.t. for a givenP ∗ in the context processS, num(P ∗, S) returns theupper bound of the number of times thatP is repeated in the context.

– 〈F (s, s) = 0&B〉 is the continuous evolution statement. It forces the vectors ofreal variables to obey the differential equationsF as long asB, which defines thedomain ofs, holds, and terminates whenB turns false. Without loss of generality,we assume that the set ofB is open, thus the escaping point will be at the boundaryof B. The communication interrupt〈F (s, s) = 0&B〉 � 8i∈I(ioi → Qi) behaveslike 〈F (s, s) = 0&B〉, except that the continuous evolution is preempted as soon asone of the communicationsioi takes place, which is followed by the respectiveQi.These two statements are the main extension of HCSP for describing continuousbehavior.

– S1‖S2 behaves as ifS1 andS2 run independently except that all communicationsalong the common channels connectingS1 andS2 are to be synchronized.S1 andS2 in parallel can neither share variables, nor input or outputchannels.

For better understanding of the HCSP syntax, we model the water tank system [4],for which two componentsWatertankandController, are composed in parallel. TheHCSP model of the system is given byWTSas follows:

WTSdef= Watertank‖Controller

Watertankdef= v := v0; d := d0;

(v = 1→ 〈d = Qmax − πr2√2gd〉 D (wl!d→ cv?v);

v = 0→ 〈d = −πr2√2gd〉 D (wl!d→ cv?v))∗

Controllerdef= y := v0;x := d0; (wait p;wl?x;x ≥ ub→ y := 0;

x ≤ lb→ y := 1; cv!y)∗

whereQmax, π, r andg are system parameters,v is the control variable which takes1or 0, depending on whether the valve is open or not,d is the water level of theWatertankand its dynamics depends on the value ofv. v0 andd0 are the initial values of controllervariable and water level, respectively. Two channels,wl andcv, are used to transfer thewater level (d in Watertank) and control variable (y in Controller) betweenWatertank

andController, respectively. The control value is computed by theController with aperiod ofp. When the water level is less than or equal tolb, the control value is as-signed to1, and when the water level is greater than or equal toub, the control valueis assigned to0, otherwise, it keeps unchanged. Basically, based on the current valueof v, WatertankandController run independently forp time, thenWatertanksends thecurrent water level toController, according to which a new value of the control variableis generated and sent back toWatertank, after that, a new period repeats.

4.2 Transition system of HCSP

Given an HCSP processS, we can derive a transition systemT (S) = 〈Q,L,→, Q0, Y,H〉fromS by the following procedure:

– the set of statesQ = (subp(S) ∪ {ǫ}) × V (S), wheresubp(S) is the set ofsub-processes ofS, e.g.,subp(S) = {S,wait d,B → P} ∪ subp(P ) for S ::=wait d;B → P , ǫ is introduced to represent the terminal process, meaning that theprocess has terminated, andV (S) = {v|v ∈ Var(S) → Val} is the set of eval-uations of the variables inS, with Val representing the value space of variables.Without confusion in the context, we often call an evaluation v a (process) state.Given a stateq ∈ Q, we will usefst(q) andsnd(q) to return the first and secondcomponent ofq, respectively.

– The label setL corresponds to the actions of HCSP, defined asL = R+0 ∪ Σ(S) �

{?, !} � R ∪ {τ}, whered ∈ R+0 stands for the time progress,ch?c, ch!c ∈ Σ(S) �

{?, !} � R means that an input along channelch with valuec being received, anoutput alongch with value c being sent, respectively. Besides, the silent actionτ represents a discrete non-communication action of HCSP, such as assignment,evaluation of boolean expressions, and so on.

– Q0 = {(S, v)|v ∈ V (S)}, representing thatS has not started to execute, andv isthe initial process state ofS.

– Y = Val, represents the set of value vectors corresponding toVar(S).– Given q ∈ Q, H(q) = vec(snd(q)), where functionvec returns the value vector

corresponding to the process state ofq.– → is the transition relation ofS, which is given next.

Sequential processesA transition relation of a sequential HCSP process takes theform

(P, v)l−→ (P ′, v′), indicating that starting from statev, P executes toP ′ by performing

action l, with the resulting statev′. Here we present the transition rules for continu-ous evolution as an illustration. Readers are referred to [35] for the full details of thetransition semantics, for both sequential and parallel HCSP processes.

∀d > 0.∃S(.) : [0, d]→ Rn.(S(0) = v(s) ∧ (∀p ∈ [0, d).(F (S(p), S(p)) = 0∧v[s 7→ S(p)](B) = true)))

(〈F (s, s) = 0&B〉, v)d−→ (〈F (s, s) = 0&B〉, v[s 7→ S(d)])

v(B) = false

(〈F (s, s) = 0&B〉, v)τ−→ (ǫ, v)

For 〈F (s, s) = 0&B〉, for anyd ≥ 0, it evolves ford time units according toFif B evaluates to true within this period (the right end exclusive). In the rule,S(·) :[0, d] → R

n defines the trajectory of the ODEF with initial valuev(s). Otherwise, byperforming aτ action, the continuous evolution terminates ifB evaluates to false.

Parallel composition Given two sequential processesP1, P2 and their transition sys-temsT (P1) = 〈Q1, L1,→1, Q

01, Y1, H1〉 andT (P2) = 〈Q2, L2,→2, Q

02, Y2, H2〉, we

can define the transition system ofP1‖P2 asT (P1‖P2) = 〈Q,L,→, Q, Y,H〉, where:

– Q = ((subp(P1)∪ {ǫ})‖(subp(P2)∪ {ǫ}))×{v1 ⊎ v2|v1 ∈ V (P1), v2 ∈ V (P2)},where given two sets of processesPS1 andPS2,PS1‖PS2 is defined as{α‖β|α ∈PS1 ∧ β ∈ PS2}; v1 ⊎ v2 represents the disjoint union, i.e.v1 ⊎ v2(x) is v1(x) ifx ∈ Var(P1), otherwisev2(x).

– L = L1 ∪ L2.– Q0 = {(P1‖P2, v

01 ⊎ v02)|(Pi, v

0i ) ∈ Q0

i for i = 1, 2}.– Y = Y1 × Y2, the observation space of the parallel composition is obviously the

Cartesian product ofY1 andY2.– H(q) = H1(q) × H2(q), the observation function is the Cartesian product of the

two component observation functions correspondingly.– → is defined based on the parallel composition of transitions of L1 andL2.

Suppose two transitions(P1, u)α−→ (P ′

1, u′) and(P2, v)

β−→ (P ′

2, v′) occur forP1

andP2, respectively. The rule for synchronization is given below:

α = chi?c ∧ β = chi!e ∧ c = e

(P1‖P2, u ⊎ v)τ−→ (P ′

1‖P′2, u

′ ⊎ v′)

4.3 Approximate bisimulation between HCSP processes

Let P1 andP2 be two HCSP processes, andh, ε the time and value precisions. Letv0be an arbitrary initial state.P1 andP2 are(h, ε)-approximately bisimilar, denoted byP1

∼=h,ε P2, if T (P1) ∼=h,ε T (P2), in whichT (P1) andT (P2) are theτ -compressedtransition systems ofP1 andP2 with the same initial statev0, respectively.

In Algorithm 1, we consider the(h, ε)-approximate bisimilation betweenP1 andP2 for which all the ODEs occurring inP1 andP2 areGAS. Suppose the set of ODEsoccurring inPi is {F i

1, · · · , Fiki}, and the equilibrium points for them arexi

1, · · · , xiki

for i = 1, 2 respectively. As a result, for each ODE, there must exist a sufficiently largetime, calledequilibrium time, s.t. after the time, the distance between the trajectoryand the equilibrium point is less thanε. We denote the equilibrium time for eachF i

j

for j = 1, · · · , ki by T ij , respectively. Furthermore, in order to record the execution

time of ODEs, for each ODEF ij , we introduce an auxiliary time variabletij and add

tij := 0; tij = 1 toF ij correspondingly.

Algorithm 1 decides whetherP1 andP2 are(h, ε)-approximately bisimilar. WhenP1

∼=h,ε P2, it returnstrue, otherwise, it returnsfalse. Letd be the discretized time step.The algorithm is then taken in two steps. The first step (lines1-6) constructs the tran-sition systems forP1 andP2 with time stepd. Form = 1, 2, T (Pm).Q andT (Pm).T

Algorithm 1 Deciding approximately bisimilar between two HCSP processesInput: ProcessesP1, P2, the initial statev0, the time stepd, and precisionsh andε;Initialization:

T (Pm).Q0 = {(Pm, v0)}, T (Pm).T 0 = ∅ for m = 1, 2; i = 0;1: repeat

2: T (Pm).T i+1 = T (Pm).T i ∪ {q l։ q′|∀q ∈ T (Pm).Qi, if (∃l ∈ {d, τ} ∪

Σ(Pm) � {?, !} � R.ql։ q′) or (∃l = d′.l < d ∧ q

l։ q′ ∧ not (q

d′′

։

) for anyd′′ in (d′, d]) andsnd(q′)(tmj ) < Tmj };

3: T (Pm).Qi+1 = T (Pm).Qi ∪ postState(T (Pm).T i+1);4: i← i+ 1;5: until T (Pm).T i = T (Pm).T i−1

6: T (Pm).Q = T (Pm).Qi;T (Pm).T = T (Pm).T i;7: B0

h,ε = {(q1, q2) ∈ T (P1).Q× T (P2).Q|d(H1(q1),H2(q2)) ≤ ε}; i = 0;8: repeat

9: Bi+1

h,ε ← {(q1, q2) ∈ Bih,ε|∀q1

l։1 q′1 ∈ T (P1).T , ∃q2 l′

==⇒2 q′2 ∈ T (P2).T s.t.

(q′1, q′2) ∈ Bi

h,ε anddis(l, l′) ≤ h, and∀q2l։2 q′2 ∈ T (P2).T , ∃q1 l′

==⇒1 q′1 ∈ T (P1).Ts.t.(q′1, q

′2) ∈ Bi

h,ε anddis(l, l′) ≤ h};10: i← i+ 1;11: until Bi

h,ε = Bi−1

h,ε

12: Bh,ε = Bih,ε;

13: if ((P1, v0), (P2, v0)) ∈ Bh,ε then14: returntrue;15: else16: returnfalse;17: end if

represent the reachable set of states and transitions ofPm, respectively, which are ini-tialized as empty sets and then constructed iteratively. Ateach stepi, a new transitioncan be ad time progress, aτ event, or a communication event. Besides, a transition canbe a time progress less thand, which might be caused by the occurrence of a boundaryinterrupt or a communication interrupt during a continuousevolution. The new transi-tion will be added only when the running time for each ODEFm

j , denoted bytmj , is lessthan the corresponding equilibrium time. Therefore, for either processPm, wheneversome ODE runs beyond its equilibrium time, the set of reachable transitions reaches afixpoint by allowing precisionε and will not be extended any more. The set of reachablestates can be obtained by collecting the post states of reachable transitions. Based onDef. 4, the second step (lines 7-17) decides whether the transition systems forP1 andP2 are approximately bisimilar with the given precisions.

The first part (lines 1-6) of the algorithm computes the transitions of processes. Foreach processPm, its complexity isO(|T (Pm).T |), which isO(⌈Tm

d⌉+Nm), whereTm

represents the execution time ofPm till termination or reaching the equilibrium time ofsome ODE, andNm the number of atomic statements ofPm. The second part (lines 7-17) checks forP1 andP2 each pair of the states whose distance is withinε by traversingthe outgoing transitions, to see if they are truly approximate bisimilar, till the fixpoint

Bh,ε is reached. We can compute the time complexity to beO(Q21Q

22T1T2), whereQm

andTm representO(|T (Pm).Q|) andO(|T (Pm).T |) for m = 1, 2 respectively.

Theorem 2 (Correctness).Algorithm 1 terminates, and for anyv0, P1∼=h,ε P2 iff

((P1, v0), (P2, v0)) ∈ Bh,ε.

5 Discretization of HCSP

In this section, we consider the discretization of HCSP processes, by which the con-tinuous dynamics is represented by discrete approximation. LetP be an HCSP processand(h, ε) be the precisions, our goal is to construct a discrete processD fromP , s.t.Pis (h, ε)-bisimilar withD, i.e.,P ∼=h,ε D holds.

5.1 Discretization of Continuous Dynamics

Since most differential equations do not have explicit solutions, the discretization of thedynamics is normally given by discrete approximation. Consider the ODEx = f(x)with the initial valuex0 ∈ R

n, and assumeX(t, x0) is the trajectory of the initial valueproblem along the time interval[t0,∞). In the following discretization, assumeh andξ represent the time step size and the precision of the discretization, respectively. Ourstrategy is as follows:

– First, from the fact thatx = f(x) is GAS, there must exist a sufficiently largeTs.t.‖X(t, x0) − x‖ < ξ holds whent > T , wherex is an equilibrium point. As aresult, after timeT , the value ofx can be approximated by the equilibrium pointx

and the distance between the actual value ofx andx is always withinξ.– Then, for the bounded time interval[t0, T ], we apply Euler method to discretize the

continuous dynamics.

There are a range of different discretization methods for ODEs [30] and the Eulermethod is an effective one among them. According to the Eulermethod, the ODEx =f(x) is discretized as

(x := x+ hf(x);wait h)N

A sequence of approximate solutions{xi} at time stamps{hi} for i = 1, 2, · · · , Nwith N = ⌈T−t0

h⌉ are obtained, satisfying (definex0 = x0):

hi = t0 + i ∗ h xi = xi−1 + hf(xi−1).

‖X(hi, x0) − xi‖ represents the discretization error at timehi. To estimate the globalerror of the approximation, by Theorem3 in [25], we can prove the following theorem:

Theorem 3 (Global error with an initial error). LetX(t, x0) be a solution on[t0, T ]of the initial value problemx = f(x),x(t0) = x0, andL the Lipschitz constant s.t.for any compact setS of Rn, ‖f(y1) − f(y2)‖ ≤ L‖y1 − y2‖ for all y1,y2 ∈ S. Letx0 ∈ R

n satisfy‖x0−x0‖ ≤ ξ1. Then there exists anh0 > 0, s.t. for allh satisfying0 <

h ≤ h0, and for alln satisfyingnh ≤ (T − t0), the sequencexn = xn−1 + hf(xn−1)satisfies:

‖X(nh, x0)− xn‖ ≤ e(T−t0)Lξ1 +h

2max

ζ∈[t0,T ]‖X ′′(ζ, x0)‖

eL(T−t0) − 1

L

By Theorem 3 and the property of GAS, we can prove the following main theorem.

Theorem 4 (Approximation of an ODE).LetX(t, x0) be a solution on[t0,∞] of theinitial value problemx = f(x),x(t0) = x0, andL the Lipschitz constant. Assumex = f(x) is GAS with the equilibrium pointx. Then for any precisionξ > 0, thereexisth > 0, T > 0 and ξ1 > 0 s.t. x = f(x),x(t0) = x0 and x := x0; (x :=x+hf(x);waith)N ;x := x; stop withN = ⌈T−t0

h⌉ are(h, ξ)-approximately bisimilar,

in which‖x0 − x0‖ < ξ1 holds, i.e., there is an error between the initial values.

5.2 Discretization of HCSP

We continue to consider the discretization of HCSP processes, among which any arbi-trary number of ODEs, the discrete dynamics, and communications are involved. Be-low, given an HCSP processP , we useDh,ε(P ) to represent the discretized process ofP , with parametersh andε to denote the step size and the precision (i.e. the maximal“distance” between states inP andDh,ε(P )), respectively.

Before giving the discretization of HCSP processes, we needto introduce the notionof readiness variables. In order to express the readiness information of communicationevents, for each channelch, we introduce two boolean variablesch? andch!, to repre-sent whether the input and output events alongch are ready to occur. We will see thatin the discretization, the readiness information of partner events is necessary to specifythe behavior of communication interrupt.

Table 1 lists the definition ofDh,ε(P ). For each rule, the original process is listedabove the line, while the discretized process is defined below the line. For skip, x := e

and waitd, they are kept unchanged in the discretization. For inputch?x, it is discretizedas itself, and furthermore, beforech?x occurs,ch? is assigned to 1 to represent thatch?x becomes ready, and in contrary, afterch?x occurs,ch? is reset to 0. The outputch!e is handled similarly. The compound constructs,P ;Q, P ⊓ Q, P ∗ andP‖Q arediscretized inductively according to their structure. ForB → P ,B is still approximatedto B andP is discretized inductively. For external choice8i∈I ioi → Pi, the readinessvariablesioi for all i ∈ I are set to 1 at first, and after the choice is taken, all of them arereset to 0 and the corresponding process is discretized. Notice that becauseI is finite,the∀ operator is defined as an abbreviation of the conjunction over I.

Given a boolean expressionB and a precisionε, we defineN(B, ε) to be a booleanexpression which holds in theε-neighbourhood ofB. For instance, ifB is x > 2, thenN(B, ε) is x > 2 − ε. For a continuous evolution〈x = f(x)&B〉, under the premisethat x = f(x) is GAS, there must exists timeT such that when the time is larger thanT , the distance between the actual state ofx and the equilibrium point, denoted byx,is less thanε. Then according to Theorem 3,〈x = f(x)&B〉 is discretized as follows:First, it is a repetition of the assignment tox according to the Euler method for at most

skipskip

x := ex := e

wait dwait d

ch?xch? := 1; ch?x; ch? := 0

ch!ech! := 1; ch!e; ch! := 0

P ;QDh,ε(P );Dh,ε(Q)

B → PB → Dh,ε(P )

P ⊓QDh,ε(P ) ⊓ Dh,ε(Q)

8i∈Iioi → Pi

∀i ∈ I.ioi := 1; 8i∈Iioi → (∀i ∈ I.ioi := 0;Dh,ε(Pi))

〈x = f(x)&B〉(N(B, ε)→ (x := x+ hf(x);wait h))⌈

Th⌉;N(B, ε)→ (x := x; stop)

〈x = f(x)&B〉� 8i∈I(ioi → Qi)

∀i ∈ I.ioi := 1; (N(B, ε)→ ∀i ∈ I.ioi ∧ ¬ioi → (x := x+ hf(x);wait h))⌈Th⌉;

¬N(B, ε) ∧ ∀i ∈ I.ioi ∧ ¬ioi → ∀i ∈ I.ioi := 0;∃i.ioi ∧ ioi → (8i∈I ioi → (∀i ∈ I.ioi := 0;Dh,ε(Qi)));

(N(B, ε) ∧ ∀i ∈ I.ioi ∧ ¬ioi)→ (x := x; stop);P ∗

(Dh,ε(P ))∗P‖Q

Dh,ε(P )‖Dh,ε(Q)

Table 1.The rules for discretization of HCSP

⌈Th⌉ number of times, and then followed by the assignment ofx to the equilibrium point

and stop forever. Both of them are guarded by the conditionN(B, ε). For a communi-cation interrupt〈x = f(x)&B〉 � 8i∈I(ioi → Qi), supposeT is sufficiently large s.t.when the time is larger thanT , the distance between the actual state ofx and the equi-librium point, denoted byx, is less thanε, and furthermore, if the interruption occurs, itmust occur beforeT , and letch∗ be the dual ofch∗, e.g., ifch∗ = ch?, thench∗ = ch!and vice versa. After all the readiness variables corresponding to{ioi}I are set to 1 atthe beginning, the discretization is taken by the followingsteps: first, ifN(B, ε) holdsand no communication among{ioi}i∈I is ready, it executes following the discretizationof continuous evolution, for at most⌈T

h⌉ number of steps; then ifN(B, ε) turns false

without any communication occurring, the whole process terminates and meanwhilethe readiness variables are reset to 0; otherwise if some communications get ready, anexternal choice between these ready communications is taken, and then, the readinessvariables are reset to 0 and the correspondingQi is followed; finally, if the commu-nications never occur and the continuous evolution never terminates, the continuousvariable is assigned to the equilibrium point and the time progresses forever. It shouldbe noticed that, the readiness variables of the partner processes will be used to decidewhether a communication is able to occur. They are shared between parallel processes,but will always be written by one side.

Consider the water tank system introduced in Sec. 4, by usingthe rules in Table 1,a discretized systemWTSh,ε is obtained as follows:

WTSh,εdef= Watertankh,ε‖Controllerh,ε

Watertankh,εdef= v := v0; d := d0; (v = 1→ (wl! := 1;

(wl! ∧ ¬wl?→ (d = d+ h(Qmax − πr2√2gd);wait h; ))⌈

T1h

⌉;wl! ∧ wl?→ (wl!d;wl! := 0; cv? := 1; cv?v; cv? := 0);wl! ∧ ¬wl?→ (d = Q2

max/2gπ2r4; stop));

v = 0→ (wl! := 1;

(wl! ∧ ¬wl?→ (d = d+ h(−πr2√2gd);wait h; ))⌈T2h

⌉;

wl! ∧ wl?→ (wl!d;wl! := 0; cv? := 1; cv?v; cv? := 0);wl! ∧ ¬wl?→ (d = 0; stop)))∗

Controllerh,εdef= y := v0;x := d0; (wait p;wl? := 1;wl?x;wl? := 0;

x ≥ ub → y := 0;x ≤ lb → y := 1; cv! := 1; cv!y; cv! := 0)∗

5.3 Properties

Before giving the main theorem, we introduce some notations. In order to keep theconsistency between the behavior of an HCSP process and its discretized process, weintroduce the notion of(δ, ǫ)-robustly safe. First, letφ denote a formula andǫ a pre-cision, defineN(φ,−ǫ) as the set{x|x ∈ φ ∧ ∀y ∈ ¬φ.‖x − y‖ > ǫ}. Intuitively,whenx ∈ N(φ,−ǫ), thenx is insideφ and moreover the distance between it and theboundary ofφ is greater thanǫ.

Definition 6 ((δ, ǫ)-robustly safe). An HCSP processP is (δ, ǫ)-robustly safe, for agiven initial statev0, a time precisionδ > 0 and a value precisionǫ > 0, if the followingtwo conditions hold:

– for every continuous evolution〈x = f(x)&B〉 occurring inP , whenP executes upto 〈x = f(x)&B〉 at timet with statev, if v(B) = false, then there existst > t

with t−t < δ s.t. for anyσ satisfyingd(σ, v[x 7→ X(t, x0)]) < ǫ,σ ∈ N(¬B,−ǫ),whereX(t, x0)]) is the solution ofx = f(x) with initial valuex0 = v0(x);

– for every alternative processB → P occurring inS, if B depends on continuousvariables ofP , then whenP executes up toB → P at statev, v ∈ N(B,−ǫ) orv ∈ N(¬B,−ǫ).

As a result, whenP is discretized with a time error less thanδ and a value error lessthanǫ, thenP and its discretized process have the same control flow. The main theoremis given below.

Theorem 5. LetP be an HCSP process andv0 is the initial state. AssumeP is (δ, ǫ)-robustly safe with respect tov0. Let0 < ε < ǫ be a precision. If for any ODEx = f(x)occurring inP , f is Lipschitz continuous andx = f(x) is GAS withf(x) = 0 for somex, then there existh > 0 and the equilibrium time for each ODEF in P , TF > 0, s.t.P ∼=h,ε Dh,ε(P ).

We can compute that, the relationLδ+Mh ≤ ε holds for some constantsL andM .Especially,L is the maximum value of the first derivative ofx with respect tot. Moredetails can be found in [34].

6 Case study

In this section, we illustrate our method through the safetyverification of the water tanksystem,WTS, that is introduced in Sec. 4. The safety property is to maintain the value ofd within [low, high], which needs to compute the reachable set ofWTS. However, it isusually difficult because of the complexity of the system. Fortunately, the reachable setof the discretizedWTSh,ε in Sec. 5 could be easily obtained. Therefore, we can verifythe original systemWTSthrough the discretized one,WTSh,ε, as follows.

ε h Reach(WTSh,ε) Reach(WTS)0.2 0.2 [3.41, 6.5] [3.21, 6.7]0.1 0.05 [3.42, 6.47] [3.32, 6.57]0.050.01 [3.43, 6.46] [3.38, 6.51]

Table 2.The reachable set for different precisions

In order to analyze the system, first of all, we set the values of parameters toQmax = 2.0, π = 3.14, r = 0.18, g = 9.8, p = 1, lb = 4.1, ub = 5.9, low = 3.3,high = 6.6, v0 = 1, andd0 = 4.5 (units are omitted here). Then, by simulation, wecompute the values ofδ andǫ as0.5 and0.24, s.t.WTSis (δ, ǫ)-robustly safe. By Theo-rem 5, for a givenε with 0 < ε < ǫ, sinced andd are monotonic for both ODEs, we cancompute ah > 0 s.t.WTS∼=h,ε WTSh,ε. For different values ofε andh, Reach(WTSh,ε)could be computed, and then based on Theorem 1, we can obtainReach(WTS). Table2 shows the results for different choices ofε andh. As seen from the results, when thevalues of precisions become smaller,Reach(WTSh,ε) andReach(WTS) get closer andtighter. For the smaller precisions, i.e.,(ε = 0.1, h = 0.05) and(ε = 0.05, h = 0.01),the safety property of the system is proved to be true. However, for (ε = 0.2, h = 0.2),the safety property of the system can not be promised.

7 Conclusion

Approximate bisimulation is a useful notion for analyzing complex dynamic systemsvia simpler abstract systems. In this paper, we define the approximate bisimulation ofhybrid systems modelled by HCSP, and present an algorithm for deciding whether twoHCSP processes are approximately bisimilar. We have provedthat if all the ODEs areGAS, then the algorithm terminates in a finite number of steps. Furthermore, we definethe discretization of HCSP processes, by representing the continuous dynamics by Eu-ler approximation. We have proved for an HCSP process that, if the process is robustlysafe, and if each ODE occurring in the process is Lipschitz continuous andGAS, thenthere must exist a discretization of the original HCSP process such that they are ap-proximate bisimilar with the given precisions. Thus, the results of analysis performedon the discrete system can be carried over into the original dynamic system, and viceversa. At the end, we illustrate our method by presenting thediscretization of a watertank example. Note thatGAS and robust safety are very restrictive from a theoreticalpoint of view, but most of real applications satisfy these conditions in practice.

Regarding future work, we will focus on the implementation,in particular, the trans-formation from HCSP to ANSI-C. Moreover, it could be interesting to investigate ap-proximate bisimularity with time bounds so that the assumptions of GAS and robustsafety can be dropped. In addition, it deserves to investigate richer refinement theoriesfor HCSP based on the notion of approximately bisimulation,although itself can beseen as a refinement relation as discussed in process algebra.

References

1. Simulink User’s Guide, 2013.http://www.mathworks.com/help/pdf_doc/simulink/sl_using.pdf.2. Stateflow User’s Guide, 2013.http://www.mathworks.com/help/pdf_doc/stateflow/sf_using.pdf.3. SysML V 1.4 Beta Specification, 2013.http://www.omg.org/spec/SysML.4. E. Ahmad, Y. Dong, S. Wang, N. Zhan, and L. Zou. Adding formal meanings to AADL with

hybrid annex. InFACS, pages 228–247. Springer, 2014.5. R. Alur, T. Dang, J. Esposito, Y. Hur, F. Ivancic, V. Kumar,P. Mishra, G. Pappas, and

O. Sokolsky. Hierarchical modeling and analysis of embedded systems. Proceedings ofthe IEEE, 91(1):11–28, 2003.

6. D. Angeli et al. A Lyapunov approach to incremental stability properties.IEEE Transactionson Automatic Control, 47(3):410–421, 2002.

7. D. Angeli and E. Sontag. Forward completeness, unboundedness observability, and theirLyapunov characterizations.Systems and Control Letters, 38(4):209–217, 1999.

8. M. Chen, A. Ravn, S. Wang, M. Yang, and N. Zhan. A two-way path between formal andinformal design of embedded systems. InUTP 2016, LNCS. 2016.

9. F. Dormoy. Scade 6: a model based solution for safety critical software development. InERTS 08, pages 1–9, 2008.

10. J. Eker, J. Janneck, et al. Taming heterogeneity - the Ptolemy approach.Proceedings of theIEEE, 91(1):127–144, 2003.

11. A. Girard, A. Julius, and G. Pappas. Approximate simulation relations for hybrid systems.Discrete Event Dynamic Systems, 18(2):163–179, 2008.

12. A. Girard and G. Pappas. Approximation metrics for discrete and continuous systems.IEEETransactions on Automatic Control, 52(5):782–798, 2007.

13. D. Guelev, S. Wang, and N. Zhan. Hoare-style reasoning about hybrid CSP in the durationcalculus. Technical Report ISCAS-SKLCS-13-01, Instituteof Software, Chinese Academyof Sciences, 2013.

14. J. He. From CSP to hybrid systems. InA Classical Mind, Essays in Honour of C.A.R. Hoare,pages 171–189. Prentice Hall International (UK) Ltd., 1994.

15. T. Henzinger, P. Ho, and H. Wong-Toi. Algorithmic analysis of nonlinear hybrid systems.IEEE Transactions on Automatic Control, 43(4):540–554, 1998.

16. T. Henzinger and J. Sifakis. The embedded systems designchallenge. InFM 2006, volume4085 ofLNCS, pages 1–15. Springer, 2006.

17. T. A. Henzinger. The theory of hybrid automata. InLICS 1996, pages 278–292, 1996.18. A. Julius, A. D’Innocenzo, M. Di Benedetto, and G. Pappas. Approximate equivalence and

synchronization of metric transition systems.Systems and Control Letters, 58(2):94–101,2009.

19. H.K. Khalil and JW. Grizzle.Nonlinear systems, volume 3. Prentice hall New Jersey, 1996.20. R. Lanotte and S. Tini. Taylor approximation for hybrid systems. InHybrid Systems: Com-

putation and Control, pages 402–416. Springer, 2005.21. E.A. Lee. What’s ahead for embedded software?Computer, 33(9):18–26, 2000.

22. J. Liu, J. Lv, Z. Quan, N. Zhan, H. Zhao, C. Zhou, and L. Zou.A calculus for hybrid CSP.In APLAS 2010, volume 6461 ofLNCS, pages 1–15. Springer, 2010.

23. R. Majumdar and M. Zamani. Approximately bisimilar symbolic models for digital controlsystems. InCAV 2012, pages 362–377. Springer, 2012.

24. A. Platzer. Differential-algebraic dynamic logic for differential-algebraic programs.Journalof Logic and Computation, 20(1):309–352, 2010.

25. A. Platzer. The complete proof theory of hybrid systems.In LICS 2012, pages 541–550.IEEE, 2012.

26. G. Pola, A. Girard, and P. Tabuada. Approximately bisimilar symbolic models for nonlinearcontrol systems.Automatica, 44(10):2508–2516, 2008.

27. G. Pola, P. Pepe, and M. Di Benedetto. Symbolic models fornetworks of discrete-timenonlinear control systems. InACC 2014, pages 1787–1792. IEEE, 2014.

28. B. Selic and S. Gerard.Modeling and Analysis of Real-Time and Embedded Systems withUML and MARTE: Developing Cyber-Physical Systems. Elsevier, 2013.

29. E.D Sontag. Mathematical control theory: deterministic finite dimensional systems, vol-ume 6. Springer Science & Business Media, 2013.

30. J. Stoer and R. Bulirsch.Introduction to numerical analysis, volume 12. Springer, 2013.31. M. Tiller. Introduction to physical modeling with Modelica, volume 615. Springer, 2012.32. A. Tiwari. Abstractions for hybrid systems.Formal Methods in System Design, 32(1):57–83,

2008.33. S. Wang, N. Zhan, and D. Guelev. An assume/guarantee based compositional calculus for

hybrid CSP. InTAMC 2012, volume 7287 ofLNCS, pages 72–83. Springer, 2012.34. G. Yan, L. Jiao, Y. Li, S. Wang, and N. Zhan. Approximate Bisimulation and Discretization

of Hybrid CSP.CoRR, abs/1609.00091, August 2016.35. N. Zhan, S. Wang, and H. Zhao. Formal modelling, analysisand verification of hybrid

systems. InUnifying Theories of Programming and Formal Engineering Methods, volume8050 ofLNCS, pages 207–281. Springer, 2013.

36. C. Zhou, J. Wang, and A. Ravn. A formal description of hybrid systems. InHybrid SystemsIII , pages 511–530. Springer, 1996.

Appendix

Proof of Lemma 1: For any(q1,q2) ∈⋃

i∈I Bih,ε, there existsi ∈ I such that(q1,q2) ∈

Bih,ε. Then,d(H1(q1), H2(q2)) ≤ ε. Moreover, for allq1

l։1 q′

1, there existsq2l′

==⇒2

q′2 such that(q′

1,q′2) ∈ Bi

h,ε ⊆⋃

i∈I Bih,ε anddis(l, l′) ≤ h, and for allq2

l։2 q′

2,

there existsq1l′

==⇒1 q′1 such that(q′

1,q′2) ∈ Bi

h,ε ⊆⋃

i∈I Bih,ε anddis(l, l′) ≤ h.

Therefore,⋃

i∈I Bih,ε is also a(h, ε)-approximate bisimulation relations betweenT1

andT2. �

Proof of Theorem 1: In order to prove Theorem 1, we need the following Lemma:

Lemma 2. If T1∼=h,ε T2, then for all observation trajectory ofT1,

y01

l0։ y1

1

l1։ y2

1

l2։ ...,

there exists an observation trajectory ofT2 with the sequence of labels

y02

l′0==⇒ y12

l′1==⇒ y22

l′2==⇒ ...,

such that∀i ∈ N, d(yi1,y

i2) ≤ ε and dis(li, l′i) ≤ h.

Proof. For y01

l0։ y1

1

l1։ y2

1

l2։ ..., there exists a state trajectory inT1, q0

1

l0։ q1

1

l1։

q21

l2։ ..., such that∀i ∈ N, H1(q

i1) = yi

1. Forq01 ∈ Q0

1, then there existsq02 ∈ Q0

2

such that(q01,q

02) is in theBh,ε. With the second property of Def. 4, it can be shown by

induction that there exists a state trajectory ofT2, q02

l′0==⇒ q12

l′1==⇒ q22

l′2==⇒ ..., such that

∀i ∈ N, (qi1,q

i2) ∈ Bh,ε. Lety0

2

l′0==⇒ y12

l′1==⇒ y22

l′2==⇒ ... be the associated observationtrajectory ofT2 (∀i ∈ N, H2(q

i2) = yi

2). Then,

d(yi1,y

i2) = d(H1(q

i1), H2(q

i2)) ≤ ε and dis(li, l′i) ≤ h

for all i ∈ N. �

Therefore, from the definition ofReach(T ) and Lemma 2, it is straightforward thatTheorem 1 holds. �

Proof of Theorem 2: In order to ensure the termination of Algorithm 1, both ofthe repeat pieces should be proved to be ended in finite steps.For the first loop (lines1-5), T (Pm).T i is increasingly constructed, until a fixed point whereT (Pm).T i =T (Pm).T i−1 reached. SinceT (Pm).T i collect the feasible transitions inT (Pm), whichis the transition system generated fromPm, we just need to prove thatPm terminateswithin a bounded time, with a given time stepd. We assume all communication actionsare feasible, i.e., they could happen in a limited time interval. So all HCSP processeswithout ODEs can terminate within a finite time duration. Forprocesses with contin-uous evolution statements, as all ODEs inPm are GAS, we know that for each ODE,there exists an equilibrium timeT i

j for j = 1, ..., ki, which is used to construct the set

T (Pm).T i+1. If the ODE is interrupted beforeT ij , the continuous evolution will termi-

nate beforeT ij , which is a bounded time. Otherwise, if the ODE keeps evolution until

its equilibrium time, according to the constrain defined in the process ofT (Pm).T i+1

construction,snd(q′)(tij) < T ij , no more transitions will be generated afterT i

j , whichmeans the ODE terminates atT i

j . Therefore, we can conclude that all HCSP processesPm can terminate in a bounded time, with a given time stepd and the GAS assumption.That is to say, the first repeat part (lines 1-5) can terminatein finite steps. Moreover,sinceT (Pm).Q is directly derived fromT (Pm).T , T (Pm).T andT (Pm).Q are bothfinite sets, which are used for constructing another finite set, B0

h,ε (line 7) that includesall compositional states that the distance between them is not greater thanε. In thesecond repeat section (lines 8-11), from the construct process ofBi

h,ε and the fact thatT (Pm).T andT (Pm).Q have finite elements, it is clear that it can reach a fixed pointin a finite number of steps. In conclusion, Algorithm 1 terminates.

In order to prove the second part of Theorem 2, we need to provethat Bh,ε =⋂i=N

i=0 Bih,ε, in whichN is the repeat time for the computation ofBi

h,ε, is an approx-imate bisimulation relation, moreover, it is the maximal one. Assume that the max-imal bisimulation relation with(h, ε) is Bmax

h,ε , therefore,⋂i=N

i=0 Bih,ε = Bmax

h,ε need

to be proved, i.e.,⋂i=N

i=0 Bih,ε ⊆ Bmax

h,ε andBmaxh,ε ⊆

⋂i=Ni=0 Bi

h,ε should be hold si-

multaneously. According to the computation ofB0h,ε, B

i+1h,ε andBh,ε, it is clear that

Bmaxh,ε ⊆

⋂i=N

i=0 Bih,ε. Hence, we just need to show

⋂i=N

i=0 Bih,ε ⊆ Bmax

h,ε , i.e.,⋂i=N

i=0 Bih,ε

is a (h, ε)-approximate simulation relation betweenT1 and T2. For any(q1, q2) ∈⋂i=N

i=0 Bih,ε, then particularly(q1, q2) ∈ B0

h,ε. Hence,d(H1(q1), H2(q2)) ≤ ε. As thesequence{Bi

h,ε}i∈[0,N ] is decreasing and approach a fixed point asi increasing toN ,

so, forN − 1, BN−1h,ε = BN

h,ε =⋂i=N

i=0 Bih,ε, Therefore,BN

h,ε could be defined by

BNh,ε = {d(H1(q1), H2(q2)) ≤ ε and ∀q1

l։1 q′1, ∃q2

l′

==⇒2 q′2 such that

(q′1, q′2) ∈ BN−1

h,ε = BNh,ε and dis(l, l′) ≤ h, and ∀q2

l։2 q′2, ∃q1

l′

==⇒1 q′1such that (q′1, q

′2) ∈ BN−1

h,ε = BNh,ε and dis(l, l′) ≤ h}

for all (q1, q2) ∈ BNh,ε. It follows that

⋂i=N

i=0 Bih,ε is a (h, ε)-approximate simulation

relation betweenT1 andT2 �

Proof of Theorem 3: Let {xi} andh0 the approximate sequence and step size re-spectively in Theorem3 of [25], i.e.,x0 = x0, and for allh satisfying0 < h ≤ h0, andfor all n satisfyingnh ≤ (T − t0), the sequencexn = xn−1 + hf(xn−1) satisfies:

‖X(nh, x0)− xn‖ ≤h

2max

ζ∈[t0,T ]‖X ′′(ζ)‖

eL(T−t0) − 1

L

As ‖x0 − x0‖ ≤ ξ1, andx1 = x0 + hf(x0), x1 = x0 + hf(x0), andf is Lipschitz-continuous with Lipschitz-constantL, it is easy to conclude that‖x1 − x1‖ ≤ (Lh +1)ξ1. Similarity, it can be concluded that‖x2 − x2‖ ≤ (Lh+ 1)2ξ1. By induction, wehave:

‖xn − xn‖ ≤ (Lh+ 1)nξ1

Therfore, it is to see that:

‖X(nh, x0)− xn‖ ≤ ‖X(nh, x0)− xn‖+ ‖xn − xn‖

≤ (Lh+ 1)nξ1 +h2 max

ζ∈[t0,T ]‖X ′′(ζ)‖ eL(T−t0)−1

L

≤ (e)nhLξ1 +h2 max

ζ∈[t0,T ]‖X ′′(ζ)‖ eL(T−t0)−1

L

≤ (e)(T−t0)Lξ1 +h2 max

ζ∈[t0,T ]‖X ′′(ζ)‖ eL(T−t0)−1

L,

since‖x+ y‖ ≤ ‖x‖+ ‖y‖ and0 < 1 + Lh ≤ eLh for Lh > 0. �

Proof of Theorem 4: As x = f(x) is GAS with the equilibrium pointx, for a givenξ > 0, we know that there existsT > 0 whent > T − t0 holds,‖X(t, x0) − x‖ < ξ,andX(t, x0) → x whent → ∞. SinceN = ⌈T−t0

h⌉, we know that after the execution

of N numbers of Euler expansion withh step length, the ODE reachesX(T ′, x0) withT ′ = Nh ≥ T − t0, which means the “distance” between the ODE and the equilibriumpoint x will no more greater thanξ afterT ′. The structure of the discretized processindicates that the transition system generated from it is a deterministic one. Also, sincethe Lipschitz continuous condition is assumed, the transition system of the ODE isdeterministic. Therefore, it is clear that the ODE and the discretized process is(h, ξ)-approximate bisimilar on[T ′,∞]. Next, we prove they are(h, ξ)-approximate bisimilaron [t0, T ′].

From Def. 5, we know that if there exists a(h, ξ)-approximate bisimulation relation,Bh,ξ, between the transition systems of the ODE and the discretized process such that(x0,x0) ∈ Bh,ξ, the continuous and discretized ones are(h, ξ)-approximate bisimilar.Since‖x0 − x0‖ < ξ1, we assumeξ1 ≤ ξ here, which satisfied the first conditionin Def. 4. In order to illustrate the existence ofBh,ξ and (x0,x0) ∈ Bh,ξ, we justneed to ensure that the “distance” between the ODE and the discretized process nevergreater thanξ within every interval[ih, (i+ 1)h] for i ∈ [0, N − 1]. The reason is thatthe transition systems of the ODE and the discretized process are both deterministic,and only time delay and assignment labels occur. It is easilyunderstood: for givenh andξ1, we can compute the approximation Euler sequence{x0,x1, ...,xN}, if foranyxi+1 with i ∈ [0, N − 1], the “distance” betweenX(ti, x0) andxi+1, in whichti ∈ [ih, (i + 1)h], is not greater thanξ, i.e., ‖X(ti, x0) − xi+1‖ ≤ ξ for everytiin [ih, (i + 1)h], we can see that for any two states satisfy‖X(ti, x0),xi+1‖ ≤ ξ,

∀X(ti, x0)t։1 X(ti + t, x0) with t ∈ R

+, ∃xi+1⌈ti+t−(i+1)h

h⌉h

==========⇒2 xk with k =

⌈ ti+th

⌉h such that‖X(ti + t, x0)− xk‖ ≤ ξ and‖⌈ ti+t−(i+1)hh

⌉h− t‖ ≤ h hold, and

∀xi+1τ։2 xi+2, ∃X(ti+1, x0)

τ0

։1 X(ti+1, x0) such that‖X(ti+1, x0) − xi+2‖ ≤

ξ, and∀xi+1h։2 xi+1, ∃X(ti, x0)

(i+1)h−ti։ 1 X((i + 1)h, x0) such that‖X((i +

1)h, x0) − xi+1‖ ≤ ξ and‖(i + 1)h − ti − h‖ = ‖ih − ti‖ ≤ h. By induction, the(h, ξ)-approximate bisimilar on[t0, T ′] is proved.

As mentioned above, with the assumption thatξ1 ≤ ξ and the “distance” limitation,we can indicate that the continuous and the discretized process are(h, ξ)-approximatebisimilar. For anyξ > 0, it always can choose aξ1 which makes0 < ξ1 ≤ ξ holds. Inthe following, we will illustrate the existence ofh that satisfies the “distance” assump-tion, i.e.,‖X(ti, x0)− xi+1‖ ≤ ξ for ti ∈ [ih, (i+ 1)h] andi ∈ [0, N − 1].

First of all, we have

‖X(ti, x0)− xi+1‖ ≤ ‖X(ti, x0)−X((i+ 1)h, x0)‖+ ‖X((i+ 1)h, x0)− xi+1‖

From Theorem 3, the following inequality holds.

‖X((i+ 1)h, x0)− xi+1‖ ≤ e(T′−t0)Lξ1 +

h

2max

ζ∈[t0,T ′]‖X ′′(ζ)‖

eL(T ′−t0) − 1

L

Accordingly,‖X(ti, x0) − X((i + 1)h, x0)‖ denotes the “distance” betweenX((i +1)h, x0) andX(rih, x0), with real numberri ∈ [i, i+1]. From Theorem (7.1.1) of [30],we know thatX(t, x0) is continuous and continuously differentiable on[t0, T

′], henceon every segment[ih, (i + 1)h] for 0 ≤ i ≤ (N − 1). From the Lagrange MeanValue Theorem, we have‖X(rih, x0)−X((i+1)h, x0)‖ = ∆h‖f(ζi)‖, where∆h =(i+1−ri)h andζi is a point betweenrih and(i+1)h. For allri ∈ [i, i+1], there mustexist armax

i ∈ [i, i+ 1] such that‖X(rmaxi h, x0) −X((i + 1)h, x0)‖ = Dih, where

Di is a constant, is the maximal value on the segment[ih, (i + 1)h]. In other words,‖X(rih, x0)−X((i+ 1)h, x0)‖ ≤ Dih for anyri ∈ [i, i+ 1].

So, the “distance” betweenX(ti, x0) andxi+1 on [ih, (i + 1)h] can be boundedusing

‖X(ti, x0)− xi+1‖ ≤ Dih+ e(T′−t0)Lξ1 +

h

2max

ζ∈[t0,T ′]‖X ′′(ζ)‖

eL(T ′−t0) − 1

L

Then, on the whole interval[t0, T ′], the “distance” is bounded by

‖X(ti, x0)− xi+1‖ ≤ Mh+ e(T′−t0)Lξ1 +

h

2max

ζ∈[t0,T ′]‖X ′′(ζ)‖

eL(T ′−t0) − 1

L

whereM = max(D0, D1, ..., DN−1).In conclusion, if

Mh+ e(T′−t0)Lξ1 +

h

2max

ζ∈[t0,T ′]‖X ′′(ζ)‖

eL(T ′−t0) − 1

L≤ ξ

holds, we can say that the original ODE and the discretized process are(h, ξ)-approximatebisimilar on[t0, T ′]. Since we can always choose small enoughh andξ1 to make theinequality satisfied, the theorem is true. �

Proof of Theorem 5: First of all, with proper equilibrium timeTF for each ODEF of P , given a step sizeh, we prove that the global discretized error ofP is Mh forsome constantM . As a result, whenh is sufficiently small (e.g.,h < ε

M), Mh < ε is

guaranteed. Now assumeP andDh,ε(P ) start to execute from the same initial stateσ.SupposeP executes toP1 with stateσ1, and in correspondence,Dh,ε(P ) executes toDh,ε(P1) with some stateβ1. Denoted(σ1, β1) by ε1, supposeε1 < ε isM1h for someM1, we prove that withε1 as the initial error, after the execution ofP1 andDh,ε(P1),the global error (denoted byε2) isM2h for some constantM2. As a consequence, theremust exist sufficiently smallh such that the global error ofP is less thanε. Notice thatfor the special case whenP1 is P , ε1 is 0, and the above fact implies the theorem. Theproof is given by structural induction onP1.

– CaseP1 = skip: the discretized process is skip. Obviouslyε2 = ε1.– CaseP1 = (x := e): the discretized process isx := e, wheree is an expression

of variables, thus can be written as a function application of form f(x1, · · · , xn),among whichx1, · · · , xn denote the variables occurring ine. After the assignment,only the value ofx is changed. Thus, from the definition ofd, we have the factε2 = max(ε1, |a2 − a1|), in whicha1 = σ1(e) anda2 = β1(e) represent the valueof x after the assignment. From the definition ofe, a2 = f(β1(x1), · · · , β1(xn)).For eachi = 1, · · · , n, there existsδi such thatβ1(xi) = σ1(xi)+δi and|δi| ≤ ε1.By the Lagrange Mean Value Theorem, the following equation holds:

a2 = f(σ1(x1), · · · , σ1(xn)) +

n∑

i=1

∂f

∂xi

(σ1(xi) + θδi)δi

whereθ ∈ (0, 1). From the factf(σ1(x1), · · · , σ1(xn)) = a1,

|a2 − a1| = |

n∑

i=1

∂f

∂xi

(σ1(xi) + θδi)δi| ≤ ε1

n∑

i=1

maxo∈(σ1(xi)−ε1,σ1(xi)+ε1)

|∂f

∂xi

(o)|

n is a constant, and∂f∂xi

is bounded in the interval(σ1(xi)− ε1, σ1(xi) + ε1), thus|a2 − a1| is bounded by a multiplication ofε1 with a bounded constant.ε2 is themaximum ofε1 and this upper bound of|a2 − a1|. The fact holds obviously.

– CaseP1 = wait d: the discretized process is waitd. Obviouslyε2 = ε1.– CaseP1 = ch?x: the discretized process isch? := 1; ch?x; ch? := 0. Notice that

the auxiliary readiness variablech? is added in the discretized process, however,it will not introduce errors. Thus, we only consider the error between the commonvariables, i.e. process variables, ofP1 and its discretization. There are two cases forthe transitions ofP1 andDh,ε(P1). The first case is waiting for some time units.For this case, if the waiting time is finite, then let the time durations for both sidesbe the same,ε2 = ε1 holds obviously; if the waiting time is infinite, indicatingthata deadlock occurs,ε2 = ε1 holds also. For the finite case, at some time, an eventch?c occurs, wherec is the value received, and as a consequence,x is assigned toc. For both sides, let the value received, denoted byc1 andc2 respectively, satisfy|c1 − c2| ≤ Mε1 for some constantM . As a result, after the performance of theeventsch?c1 andch?c2 respectively,ε2 = max{ε1, Mε1}.

– CaseP1 = ch!e: the discretized process isch! := 1; ch!e; ch! := 0. Same to input,there are two cases for the transitions ofch!e. For the first case, let the time durationfor both sides be the same, thusε2 = ε1 obviously. For the second case, the eventsch!σ1(e) andch!β1(e) occur, and from the proof for assignment, there must exista constantM such that|β1(e)− σ1(e)| < Mε1 holds. No variable is changed as aconsequence of an output, thus, after the communication,ε2 = ε1 still holds.

– CaseP1 = Q;Q′: the discretized process isDh,ε(Q);Dh,ε(Q′). By induction hy-

pothesis, assume the error after the execution ofQ with initial error ε1 is εm, thenε2 = M3εm andεm = M4h for some constantsM3,M4. ε2 = M3M4h holds.

– CaseP1 = B → Q: the discretized process isB → Dh,ε(Q). From the assumptiond(σ1, β1) = ε1 = M1h, then there exists sufficiently smallh such thatε1 < ε. Let

ε < ǫ, thend(σ1, β1) < ǫ. P is (h, ǫ)-robustly safe, thus ifσ1(B) is true, from thedefinition that the distance betweenσ1 and any state that makes¬B true is largerthanǫ, we can prove thatβ1(B) must be true. For this case,Q andDh,ε(Q) willbe executed. By induction hypothesis, we haveε2 = M3h for some constantM3.Likewise, if σ1(B) is false, thenβ1(B) must be false. For this case,P1 terminatesimmediately. By induction hypothesis,ε2 = ε1, thus the fact holds.

– CaseP1 = Q ⊓ Q′: the discretized process isDh,ε(Q) ⊓ Dh,ε(Q′). There are two

cases for the execution of bothP1 and its descretized process. By making the samechoice, supposeQ andDh,ε(Q) are chosen to execute. By induction hypothesis, wehaveε2 = M3h for some constantM3. The other case whenQ′ andDh,ε(Q

′) arechosen can be proved similarly.

– CaseP1 = 〈x = f(x)&B〉: Let X(t, σ1(x)) represent the trajectory ofx =f(x) with initial value σ1(x). x = f(x) is GAS with the equilibrium pointx,then limt→∞ ‖X(t, σ1(x))‖ = x. There must existT such that whent > T ,‖X(t, σ1(x)) − x‖ < ε. Before timeT , by Theorem 3 and the initial errorε1 isM1h, thus the global error betweenX(t, σ1(x)) and the corresponding discretizedxn is M3h for some constantM3 defined in Theorem 3. Now we consider theescape ofP1 because of the failure ofB, and how the discretized process behaves.There are two cases. First, ifB is always true along the trajectoryX(t, σ1(x)) onthe infinite interval[0,∞), thenN(B, ε) will be always true for the discretizedpointsxn. For this case,P1 and the discretization will go close to the equilibriumpoint eventually, and the distance between them is always less thanε by choosingh satisfyingM3h < ε. Second, ifB fails to hold for someX(tf , σ1(x)) at timetf ,then from the assumption thatP is (δ, ǫ)-robustly safe, there existst such thatt−tf < δ and for allσ satisfyingd(σ, σ1[x 7→ X(t, σ1(x))]) < ǫ, σ ∈ N(¬B,−ǫ).Assumet ∈ (tN , tN+1] for someN , sod(σ1[x 7→ X(t, σ1(x))], β1[x 7→ xN+1]) <M3h. Let h be sufficiently small such thatM3h < ǫ. Thusβ1[x 7→ xN+1] ∈(N(¬B,−ǫ)), which impliesβ1[x 7→ xN+1](N(B, ε)) is false. As a result, thediscretization of continuous evolution stops update correspondingly at timetN+1.Thus we know that, the continuous evolution runs fortf − t0 time units in all andthen escapes, and the discretization fortN+1 − t0 time units, for the initial timet0. Obviously the time precision|tN+1 − tf | ≤ |tN+1 − t| + |t − tf | ≤ h+ δ ≤(1 + ⌈ δ

h⌉)h holds. Meanwhile, the value precision‖X(tf , σ1(x)) − xN+1‖ ≤

‖X(tf , σ1(x))−X(t, σ1(x))‖+‖X(t, σ1(x))−xN+1‖ ≤ maxξ∈[tf ,tN+1] ‖X′(ξ)(

tf − tN+1)‖+M3h < maxξ∈[tf ,tN+1] ‖X′(ξ)(δ+h)‖+M3h. Thus by choosingh

sufficiently small, and with properǫ, the error is less thanε. The fact is thus provedfor all the cases.

– CaseP1 = 〈x = f(x)&B〉 � 8i∈I(ioi → Qi): First of all, notice that in thediscretization ofP1, the auxiliary variablesioi, ioi are added for assisting the ex-ecution of interruption. These variables do not introduce errors. LetX(t, σ1(x))represent the trajectory ofx = f(x) with initial valueσ1(x). x = f(x) is GASwith the equilibrium pointx, thenlimt→∞ ‖X(t, σ1(x))‖ = x. There must existT such that whent > T , ‖X(t, σ1(x)) − x‖ < ε. According to the transition se-mantics of communication interrupt, there are several cases. If the communications{ioi} never occur, then the execution of the communication interrupt is equal to theexecution of the continuous evolution. Correspondingly, in the discretized process,

the first, the second and the fourth lines are executed depending on whether thecontinuous evolution terminates or not. Similar to the proof of the continuous evo-lution, the fact holds for this case. Otherwise, there must exist timeTc such that forthe first time some communications{joj} for j ∈ J ⊆ I get ready simultaneously,while others inI\J are not. LetT be sufficiently large such thatTc < T holds. Forthis case, before timeTc, P1 executes by followingx = f(x), and at timeTc, theexternal choice between{joj} for j ∈ J ⊆ I occurs and after the communicationthe correspondingQj is followed for somej. Correspondingly, in the discretizedprocess, the first and the third lines are executed. SupposeTc ∈ (xnn, xnn+1]for somenn, i.e. the timeTc occurs in the(nn + 1)-th discretized interval. Be-cause the variablesiois andiois do not introduce errors, plus their definitions, weknow that atxnn+1, ∃i.ioi ∧ ioi is detected to turn to true. Before the communi-cation, forP1, the time delayTc − t0 occurs, and for the discretized process, thetime delayxnn+1 − t0 occurs, wheret0 denotes the initial time ofP1. Obviously|(Tc − t0)− (xnn+1 − t0)| < h holds. The global error isM3h for some constantM3 before timeTc obviously. When the continuous evolution is interrupted, ac-cording to the definition of the discretized process, the fact also holds by inductionhypothesis.

– CaseP1 = Q∗: the discretized process isDh,ε(Q)∗. From the definition of rep-etition, there exists a finiteN > 0 such thatP1 = Qm andm ≤ N . Let in thediscretized process the upper bound of the number of repetition be alsoN . Denotethe global error after then-th (n ≤ N ) execution ofQ byωn. By induction hypoth-esis onQ andDh,ε(Q), there existMis (i ∈ {1, · · · , N}) such thatωi = Mih fori = {1, 2, · · · , N}. The fact is proved.

– CaseP1 = Q‖Q′: the discretized process isDh,ε(Q)‖Dh,ε(Q′). The global error

is the maximum of the errors for the discretization ofQ andQ′. According tothe transition semantics of HCSP, there are several cases for execution of parallelcomposition. If no compatible communication events over the common channels ofQ andQ′ exist, there are three cases: ifQ takes aτ event, thenDh,ε(Q) is able totake a sameτ event, and vice versa, by induction hypothesis, the global error aftertheτ event isM3h for some constantM3 obviously; the symmetric case whenQ′

andDh,ε(Q′) take aτ event can be handled similarly; for the third case, if both

Q andQ′ take progress ford time units, thenDh,ε(Q)‖Dh,ε(Q′) is able to take

progress ford time units, and vice versa, by induction hypothesis, the global errorafter thed time duration isM4h for some constantM4 obviously. For the case thata communication over a common channelch of Q andQ′ occurs, according to thesemantics, there is some valuec such that the eventsch?c andch!c occur for thetwo sides ofP1 respectively. Correspondingly, there is another valuec′ such thatthe eventsch?c′ andch!c′ occur for the two sides ofDh,ε(P1) respectively. Similarto the proof of assignment, we can prove that there must existsome constantM5

such that|c − c′| < M5ε1 holds. This fact is implied in the proofs of input andoutput events. After the occurrence of the communication, the global error is thusM6h for some constantM6. Finally, three cases are left,Q terminates earlier, orQ′ terminates earlier, or they terminate simultaneously. Forall the cases, at thetermination ofP1, the fact holds obviously by induction hypothesis.

Till now, we prove that the global error of the discretization, sayεg, is Mh for someconstantM , under the premise thatTF for each ODEF is chosen such thatF after timeTF is ε-closed to the corresponding equilibrium point. There mustexist a sufficientlylargeh such thatεg < ε holds. The fact is thus proved. �