
A constraint-based language for modelling intelligent environments

  • Original Article
  • Published in: Journal of Reliable Intelligent Environments

Abstract

Intelligent environments can be described as hybrid systems, which combine continuous dynamics, modelling the behaviour of physical components, with discrete dynamics, modelling the software components that control the evolution of the physical variables. The growing boom in intelligent environments makes the construction of complex discrete components necessary, which may require the use of more sophisticated concurrent languages. Hy-tccp is a concurrent language for modelling hybrid systems with high-level notations that facilitate the description of computational systems, abstracting away from the implementation details. In this paper, we present an operational semantics based on hybrid automata for Hy-tccp, which is a theoretical basis for the analysis and verification of hybrid systems such as intelligent environments.



Notes

  1. We use the same notation to represent all sequences in this section.

  2. The tool can be found at http://morse.uma.es/tools/tccp.

  3. Recall that \(\mathop {\tilde{\exists }}\nolimits _{y} \tilde{S}_0 \cap Pol(y = v)\) is the set of points of \(\tilde{S}_0\) except that their yth component takes value v.

  4. Operator \(\wedge \) between constraints and polyhedra is defined above as the set of elements of the polyhedra that satisfy the continuous part of the constraint.

  5. http://shemesh.larc.nasa.gov/people/cam/ACCoRD.

References

  1. Adalid D, Gallardo MM, Titolo L (2014) Modeling hybrid systems in Hy-tccp. In: Proceedings of the 3rd international workshop on formal techniques for safety-critical systems (FTSCS 2014), pp 52–57

  2. Alur R, Henzinger T, Lafferriere G, Pappas G (2000) Discrete abstractions of hybrid systems. Proc IEEE 88(7):971–984. doi:10.1109/5.871304

  3. Augusto JC (2009) Increasing reliability in the development of intelligent environments. In: Proceedings of the 5th international conference on intelligent environments (IE’09), IOS Press, pp 134–141

  4. Augusto JC, Hornos MJ (2013) Software simulation and verification to increase the reliability of intelligent environments. Adv Eng Softw 58:18–34. doi:10.1016/j.advengsoft.2012.12.004

  5. Augusto JC, Callaghan V, Cook D, Kameas A, Satoh I (2013) Intelligent environments: a manifesto. Hum Centric Comput Inf Sci 3(1):12. doi:10.1186/2192-1962-3-12

  6. Bagnara R, Hill P, Zaffanella E (2008) The Parma Polyhedra Library: toward a complete set of numerical abstractions for the analysis and verification of hardware and software systems. Sci Comput Program 72(1–2):3–21

  7. Balluchi A, Benvenuti L, Benedetto MD, Pinello C, Sangiovanni-Vincentelli A (2000) Automotive engine control and hybrid systems: challenges and opportunities. Proc IEEE Spec Issue Hybrid Syst 88(7):888–912

  8. Bauer K (2012) A new modelling language for cyber-physical systems. PhD thesis, University of Kaiserslautern

  9. Berry G (2000) The foundations of Esterel. In: Plotkin G, Stirling C, Tofte M (eds) Proof, language, and interaction. MIT Press, Cambridge, pp 425–454

  10. de Boer FS, Gabbrielli M, Meo MC (2000) A timed concurrent constraint language. Inf Comput 161(1):45–83

  11. Botia JA, Villa A, Palma J (2012) Ambient assisted living system for in-home monitoring of healthy independent elders. Expert Syst Appl 39(9):8136–8148. doi:10.1016/j.eswa.2012.01.153

  12. Brumitt B, Meyers B, Krumm J, Kern A, Shafer S (2000) EasyLiving: technologies for intelligent environments. Springer, Berlin, pp 12–29. doi:10.1007/3-540-39959-3_2

  13. Callaghan V et al (2009) Increasing reliability in the development of intelligent environments. In: Proceedings of the 5th international conference on intelligent environments, IOS Press, vol 2, p 134

  14. Chan M, Estève D, Escriba C, Campo E (2008) A review of smart homes—present state and future challenges. Comput Methods Programs Biomed 91(1):55–81. doi:10.1016/j.cmpb.2008.02.001

  15. Comini M, Titolo L, Villanueva A (2011) Abstract diagnosis for timed concurrent constraint programs. Theory Pract Log Program 11(4–5):487–502

  16. Comini M, Titolo L, Villanueva A (2014) Abstract diagnosis for tccp using a linear temporal logic. Theory Pract Log Program 14(4–5):787–801

  17. Cooper RA, Dicianno BE, Brewer B, LoPresti E, Ding D, Simpson R, Grindle G, Wang H (2008) A perspective on intelligent devices and environments in medical rehabilitation. Med Eng Phys 30(10):1387–1398. doi:10.1016/j.medengphy.2008.09.003

  18. Cousot P, Halbwachs N (1978) Automatic discovery of linear restraints among variables of a program. In: Aho AV, Zilles SN, Szymanski TG (eds) Proceedings of the 5th annual ACM symposium on principles of programming languages, ACM Press, pp 84–96

  19. Frehse G, Le Guernic C, Donzé A, Cotton S, Ray R, Lebeltel O, Ripado R, Girard A, Dang T, Maler O (2011) SpaceEx: scalable verification of hybrid systems. In: Gopalakrishnan G, Qadeer S (eds) Proceedings of the 23rd international conference on computer aided verification (CAV), Springer, LNCS

  20. Gallardo MM, Panizo L (2013) Extending model checkers for hybrid system verification: the case study of SPIN. Softw Test Verif Reliab 24(6):438–471

  21. Gallardo MM, Merino P, Pimentel E (2002) Refinement of LTL formulas for abstract model checking. In: 9th international static analysis symposium, SAS 2002, pp 395–410

  22. Gallardo MM, Lavado L, Panizo L (2016) A simulation tool for tccp programs. In: Proceedings of 24th international workshop on functional and (constraint) logic programming (WFLP 2016), pp 120–134. doi:10.4204/EPTCS.234.9

  23. Gallardo MM, Merino P, Panizo L, Salmerón A (2016) River basin management with SPIN. In: Bošnački D, Wijs A (eds) Model checking software: 23rd international symposium, SPIN 2016 co-located with ETAPS 2016, Eindhoven, The Netherlands, April 7–8, 2016. Lecture notes in computer science. Proceedings, Springer, Switzerland, pp 78–96. doi:10.1007/978-3-319-32582-8

  24. Goodloe A, Muñoz C, Kirchner F, Correnson L (2013) Verification of numerical programs: from real numbers to floating point numbers. In: 5th international symposium on NASA formal methods, NFM 2013, Moffett Field, CA, USA, May 14–16, 2013. Lecture notes in computer science, vol 7871. Springer, pp 441–446

  25. Gupta V, Jagadeesan R, Saraswat V, Bobrow DG (1995) Programming in hybrid constraint languages. In: Antsaklis P, Kohn W, Nerode A, Sastry S (eds) Hybrid systems II. Springer, Berlin, pp 226–251. doi:10.1007/3-540-60472-3_12

  26. Henzinger TA (1996) The theory of hybrid automata. In: Proceedings of the 11th annual IEEE symposium on logic in computer science, IEEE Computer Society, pp 278–292

  27. Kafalı O, Bromuri S, Sindlar M, van der Weide T, Aguilar Pelaez E, Schaechtle U, Alves B, Zufferey D, Rodriguez-Villegas E, Schumacher MI, Stathis K (2013) COMMODITY12: a smart e-health environment for diabetes management. J Ambient Intell Smart Environ 5(5):479–502. doi:10.3233/AIS-130220

  28. Larsen KG, Pettersson P, Yi W (1997) UPPAAL in a nutshell. Int J Softw Tools Technol Transf 1(1–2):134–152

  29. Le Guilly T, Nielsen MK, Pedersen T, Skou A, Kjeldskov J, Skov M (2016) User constraints for reliable user-defined smart home scenarios. J Reliab Intell Environ 2(2):75–91. doi:10.1007/s40860-016-0020-z

  30. Li X, Bauer K, Schneider K (2013) Interactive verification of cyber-physical systems: interfacing Averest and KeYmaera. In: Ganzha M, Maciaszek LA, Paprzycki M (eds) Proceedings of the 2013 federated conference on computer science and information systems, Kraków, Poland, 8–11 Sept 2013, pp 1393–1400

  31. Livadas C, Lygeros J, Lynch N (2000) High-level modeling and analysis of the traffic alert and collision avoidance system (TCAS). Proc IEEE 88(7):926–948

  32. Maler O, Batt G (2008) Approximating continuous systems by timed automata. In: Fisher J (ed) Proceedings of the 1st international workshop on formal methods in systems biology (FMSB 2008). Springer, Berlin, pp 77–89. doi:10.1007/978-3-540-68413-8_6

  33. Navarrete I, Rubio JA, Botía JA, Palma JT, Campuzano FJ (2012) Modeling a risk detection system for elderly’s home-care with a network of timed automata. In: Bravo J, Hervás R, Rodríguez M (eds) Proceedings of the 4th international workshop ambient assisted living and home care (IWAAL 2012). Springer, Berlin, pp 82–89. doi:10.1007/978-3-642-35395-6_11

  34. Panizo L, Gallardo MM (2012) An extension of Java PathFinder for hybrid systems. ACM SIGSOFT Softw Eng Notes 37(6):1–5

  35. Saraswat VA, Rinard M (1989) Concurrent constraint programming. In: Proceedings of the 17th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, ACM, pp 232–245

  36. Saraswat VA, Rinard M (1990) Concurrent constraint programming. In: POPL ’90: Proceedings of the 17th ACM SIGPLAN-SIGACT symposium on principles of programming languages, ACM, pp 232–245

  37. Schneider K (2009) The synchronous programming language Quartz. PhD thesis, University of Kaiserslautern

  38. White J, Thompson C, Turner H, Dougherty B, Schmidt DC (2011) WreckWatch: automatic traffic accident detection and notification with smartphones. Mob Netw Appl 16(3):285–303. doi:10.1007/s11036-011-0304-8

  39. Zafari F, Mahmud S, Khan G, Rahman M, Zafar H (2013) A survey of intelligent car parking system. J Appl Res Technol 11(5):714–726. doi:10.1016/S1665-6423(13)71580-3

Corresponding author

Correspondence to María-del-Mar Gallardo.

Additional information

This work has been funded by the Spanish Ministry of Economy and Competitiveness project TIN2015-67083-R and the NIA’s Research Cooperative Agreement No. NNL09AA00A with NASA Langley Research Center.

Appendices

1.1 Appendix A: Discretised operational semantics for Hy-tccp oriented to implementation

In this appendix, we present, in detail, a precise discretised operational semantics of Hy-tccp. As mentioned, the idea is to approximate continuous transitions by using the abstract domain of convex polyhedra [18]. All possible consecutive continuous transitions of arbitrary duration are collapsed into a single one that records the possible reachable values by means of a convex polyhedron. Unlike the coarse semantic rules given in Fig. 5, the new rules of Fig. 15 calculate precisely the discrete and continuous evolution of polyhedra. The complexity of the rules shows that this construction is not trivial in most cases.

As in Sect. 5, we consider the case of rectangular hybrid systems, i.e. systems in which values and dynamics of continuous variables range in intervals of reals, for example \(x \in [2,6]\) and its first derivative \(\dot{x} \in [0,1]\).

In this section, we represent the continuous store \(\tilde{d}\) as a tuple of the form \((\tilde{d}_v, \tilde{d}_f)\), where \(\tilde{d}_v\) and \(\tilde{d}_f\) are the convex polyhedra containing, respectively, the values and the first derivatives of the continuous variables defined by \(\tilde{d}\). Observe that the notation has changed slightly compared to that used in Sect. 5. In the following description, we assume that all polyhedra have the same dimension \(n>0\), which coincides with the maximum number of continuous variables of the system. In addition, each continuous variable is unequivocally associated with a specific dimension of the polyhedra. For instance, variables x and y may refer to the first and second dimension of polyhedron \(\{(a,b) \in \mathbb {R}^2 | \ a \in [1,2], b \in [0,3] \}\), respectively. To simplify the notation, we will make this association explicit by naming the dimensions after the variables, as in polyhedron \(\{(x,y) \in \mathbb {R}^2 | \ x \in [0,1], x = y\}\). Given a convex polyhedron \(\tilde{d}_i\), with \(i \in \{v,f\}\), and a continuous variable x of the system, \(\tilde{d}_i|_x\) is the projection of \(\tilde{d}_i\) on the x-axis. For instance, if \(\tilde{d}_v=\{(x,y) \in \mathbb {R}^2 | x \in [0,1], x = y\}\), then \(\tilde{d}_v|_y= [0,1]\).

As usual, given two convex polyhedra \(\tilde{d}_v\) and \(\tilde{d}'_v\), \(\tilde{d}_v\subseteq \tilde{d}'_v\), \(\tilde{d}_v \cap \tilde{d}'_v\), and \(\tilde{d}_v - \tilde{d}'_v\) represent polyhedron inclusion, intersection and difference, respectively. Observe that \(\tilde{d}_v\cap \tilde{d}'_v\) is also a convex polyhedron, but \(\tilde{d}_v - \tilde{d}'_v\) may not be. Given a polyhedron \(\tilde{d}_v\), \(\mathop {\tilde{\exists }}\nolimits _{y} \tilde{d}_v\) represents the polyhedron \(\tilde{d}_v\) with the dimension of y unconstrained, that is, \(y \in (-\infty ,\infty )\). By abuse of notation, we will sometimes apply operator \(\mathop {\tilde{\exists }}\nolimits _{y} \) to arbitrary sets with the same meaning.

We assume that the underlying constraint system includes linear and equality constraints defined by means of \(\mathbf {Lin}:=\langle { Lin },\,{\Leftarrow },\,{\wedge },\,{\vee },\,{ false },\,{ true },\,{ Var \, \cup \, \widetilde{ Var }},\,{\exists }\rangle \).

The domain of constraints \( Lin \) consists of finite conjunctions of linear inequalities (strict or non-strict) and equalities over \(\mathbb {Z}\) and \( Var \cup \widetilde{ Var }= \{x,y,\ldots \}\) (e.g. \(x>4\), \(y\ge 10 \wedge w<-3\)). The entailment relation is the implication \(\Rightarrow \) (the inverse of the order relation \(\Leftarrow \)), the \( lub \) is the conjunction \(\wedge \), and \(\exists _{x}\) is the operation that removes (after information has been propagated within a constraint) all conjuncts referring to variable x (e.g. \((\exists _{x}(x=y \wedge x>3)) = (y>3)\)).

Given a linear constraint \(c \in Lin\), \(Pol(\mathop {\exists }\nolimits _{ Var } c)\) is the n-dimensional convex polyhedron determined by the continuous part of c. For instance, assuming that the system has three continuous variables, named x,  y and z, \(Pol(x\le y) = \{(x,y,z) \in \mathbb {R}^3 | x \le y\}\). Given a discrete store \(d \in \mathcal {C}\) and a polyhedron of values \(\tilde{d}_v\), we denote with \(d \wedge \tilde{d}_v\) the subset of tuples in \(\tilde{d}_v\) that satisfy the continuous part of d, that is, \(d\wedge \tilde{d}_v = Pol(\mathop {\exists }\nolimits _{ Var } d) \cap \tilde{d}_v\). Observe that since \(Pol(\mathop {\exists }\nolimits _{ Var } d)\) and \(\tilde{d}_v\) are convex polyhedra, \(d \wedge \tilde{d}_v\) is a convex polyhedron as well. For example, assuming two continuous variables x and y, \((y \le 2) \wedge \{(x,y) \in \mathbb {R}^2 | x = y, x \ge 0\} = \{(x,y) \in \mathbb {R}^2 | x = y, x \ge 0, x \le 2\}\). Given discrete and continuous stores d and \(\tilde{d} = (\tilde{d}_v,\tilde{d}_f)\), d and \(\tilde{d}\) are consistent iff \(d\wedge \tilde{d}_v\) is not empty. For example, the discrete store \(d=\{ y \le 1\}\) and the continuous store \(\tilde{d} = (\tilde{d}_v,\tilde{d}_f)\) with \(\tilde{d}_v = \{(x,y) \in \mathbb {R}^2 | x = y, x \ge 2\} \) are inconsistent.

Fig. 15: The discrete transition system for Hy-tccp

Finally, given a continuous store \(\tilde{d} = (\tilde{d}_v,\tilde{d}_f)\), function \({{elapse}\,}(\tilde{d}_v, \tilde{d}_f)\) computes the continuous evolution of \(\tilde{d}_v\) over time, considering that each variable follows the derivative given in \(\tilde{d}_f\). For instance, assume that \(\tilde{d}_v = \{(x,y) \in \mathbb {R}^2 | x = y, x \ge 1\}\) and \(\tilde{d}_f = \{(\dot{x},\dot{y}) \in \mathbb {R}^2 | \dot{x} = 1, \dot{y} = -2\}\), then \({{elapse}\,}(\tilde{d}_v, \tilde{d}_f) = \{(x,y) \in \mathbb {R}^2 | x \ge y, 2x + y \ge 3\}\).

The discretised operational semantics of Hy-tccp, described in Fig. 15, is defined by a transition system \(T=( Conf ,{\xrightarrow {v_c}_{\sigma }},{\xrightarrow {v_c}_{\tau }})\). Configurations in \( Conf \) are triples \({\langle A, \, d, \, \tilde{d} \rangle }\), where A is the agent to be executed in the store \({\langle d, \, \tilde{d} \rangle }\), \(d\in \mathcal {C}\) is the discrete component of the store, and \(\tilde{d} = (\tilde{d}_v,\tilde{d}_f)\) is the continuous store, as defined above.

Similar to the original semantics, the discrete transition relation \({\xrightarrow {v_c}_{\sigma }} \subseteq Conf \times Conf \) represents a step that does not consume continuous time. The discretised continuous transition relation \({\xrightarrow {v_c}_{\tau }} \subseteq Conf \times Conf \) models the effect of performing an arbitrarily long continuous transition from an initial configuration. It changes the continuous store by computing a convex polyhedron of values that approximates the set of reachable values. The label \(v_c\) of the transition relations contains the continuous variables changed during a discrete transition (by means of \({\mathsf {change}}\) agents). This set is used in the rules below to detect inconsistencies when several \({\mathsf {change}}\) agents are executed in parallel, since two agents that update the same continuous variable are considered inconsistent by the rules. The label is only needed in discrete transitions, but we have also added it to the continuous transition relation to keep both relations alike.

1.2 Appendix A.1: Description of semantic rules

In the following paragraphs, we discuss, in detail, some of the transition rules in Fig. 15. Observe that the discretised semantics involves more transition rules than the non-discretised one given in Fig. 2. This is because the new semantics represents the continuous variables with polyhedra instead of single values, and a polyhedron may produce more than one evolution of the configuration. In most rules, we use the expression \(d \wedge \tilde{d}_v \not = \emptyset \) to represent that the discrete and continuous stores are consistent in the sense discussed above. Otherwise, no rule can be applied, and the system blocks.

Agent change

Agent \({\mathsf {change}}{(y,I_v, I_f )}\) updates the continuous store \(\tilde{d}\) with linear constraints representing the new values and flows for variable y (rule change1), or only the new flows for y (rule change2). The updated polyhedron of values \(\tilde{d}_v\) (and similarly the polyhedron of flows \(\tilde{d}_f\)) is the intersection of two polyhedra: the first is \(\tilde{d}_v\) with the dimension of y unconstrained, and the second has the dimension of y constrained to the new values (or flows) and all other dimensions (variables) unconstrained. Observe that y is added to set \(v_c\).

Agent choice

In Sect. 3, we described the behaviour of the \(\mathsf {choice}\) agent with two rules, one to describe the discrete transition of \({{\mathsf {ask}}}\) (disc), and another to describe the continuous transition of \({\widetilde{\mathsf {ask}}}\) (cont). The use of convex polyhedra to represent continuous variables makes this behaviour more difficult to express, since a single convex polyhedron may contain both values that make an \({{\mathsf {ask}}}\) agent executable and values that do not. In this section, the behaviour of the choice agent is defined by three transition rules, namely ask_disc, ask_cont and ask_blocked.

  • The rule ask_disc describes the discrete transition for the non-deterministic choice. Due to the new representation of the continuous store, a different check for the satisfiability of the guards is needed to select an \({{\mathsf {ask}}}\) branch. On the one hand, the discrete store d has to entail the discrete part of the guard (\(\exists _{\widetilde{ Var }}c_k\)) and, on the other, the continuous store (the polyhedron of values) has to be compatible with the continuous part of the guard (\(\exists _{ Var }c_k\)). In this case, the branch \(c_k\) may be chosen, and the system evolves towards a new configuration that incorporates, in the polyhedron of values, the new constraints imposed by \(\exists _{ Var }c_k\). Label \(\widetilde{ Var }(c_k)\) makes it explicit that the continuous variables of \(c_k\) have been checked in the transition.

  • The rule ask_cont describes the discretised continuous transition for the non-deterministic choice, which takes place for one of the \({\widetilde{\mathsf {ask}}}\) branches when the following conditions hold:

    • The discrete store entails the discrete fragment of the invariant \(\exists _{\widetilde{ Var }} inv _k\).

    • The polyhedron obtained by letting the current polyhedron \(\tilde{d}_v\) evolve over time following the flows given in \(\tilde{d}_f\) is consistent with the continuous part of invariant \(\exists _{ Var } inv _k\) (the intersection is not empty).

    The resulting polyhedron of values \(\tilde{d}_v\) is formed by the new values obtained by function elapse that satisfy the invariant \(\exists _{ Var } inv _k\).

  • Finally, the rule ask_blocked describes the behaviour of the \(\mathsf {choice}\) agent when it blocks because the continuous store contains values that block every branch. This happens when the following conditions hold:

    • The discrete and continuous stores are consistent, that is \(d \wedge \tilde{d}_v \ne \emptyset \).

    • For every discrete guard \(c_k\), either the discrete store does not entail its discrete part (\(d \,{\nvdash }\,\mathop {\exists }\nolimits _{\widetilde{ Var }} c_{k}\)), or the continuous store has values that block the guard (\((d \wedge \tilde{d}_v) - Pol(\mathop {\exists }\nolimits _{ Var } c_k) \ne \emptyset \)).

    • For every invariant \(inv_k\), either the discrete store does not entail its discrete part (\(d \,{\nvdash }\,\mathop {\exists }\nolimits _{\widetilde{ Var }} inv _{k}\)), or the continuous store has values that do not satisfy it (\( (\tilde{d}_v \cap Pol(\mathop {\exists }\nolimits _{ Var } d)) -Pol(\mathop {\exists }\nolimits _{ Var } inv _k) \ne \emptyset \)).

    If the three conditions hold, the discrete and continuous stores are left unchanged and the agent to be executed in the next step is the same \(\mathsf {choice}\) agent.

Agent now

Since we assume that, in agent \({\mathsf {now}}\, c \, {\mathsf {then}}\, A \,{\mathsf {else}}\, B\), constraint c cannot contain continuous variables, and since agents do not block thanks to rule ask_blocked, this agent is defined by only two rules: one describing the selection of the \(\mathsf {then}\) branch, and another the selection of the \(\mathsf {else}\) branch. These two rules are similar to those of the non-discretised semantics of Hy-tccp.

Agent Parallel

The application of the parallel agent has to take into account a number of different situations:

  • Rule c_par deals with the case when both agents may evolve continuously following the discretised continuous transition \(\tau \). In this case, the parallel agent evolves to the configuration which contains the polyhedron of the values reached by both agents.

  • Rule d_par_1 applies when there are values in \(\tilde{d}_v\) for which agents A and B may simultaneously transit. To apply the rule, we check that no variable is simultaneously changed (\(v_{c}'\cap v_{c}'' = \emptyset \)) by agents A and B. In this case, the resulting continuous store \((\tilde{d}'_v \otimes \tilde{d}''_v, \tilde{d}'_f\otimes \tilde{d}''_f)\) is calculated as follows. Assume that the system variables are \(\{x_1,\ldots ,x_n\}\) and that variable \(x_i\) is associated with the ith dimension of polyhedra. Given \(w_c = v_c'\cup v_c''\) then \((a_1,\ldots ,a_n) \in \tilde{d}'_v \otimes \tilde{d}''_v\) if, and only if, \( \exists (a'_1,\ldots ,a'_n) \in \tilde{\exists }_{w_c}\tilde{d}_v' \cap \tilde{\exists }_{w_c} \tilde{d}_v''\) and the following conditions hold for all \(1\le i \le n\): (1) if \(x_i \not \in w_c\) then \(\ a_i = a'_i\); (2) if \(x_i \in v_c' \) then \( a_i \in \tilde{d}_v'|_{x_i}\); (3) if \( x_i \in v_c'' \) then \( a_i \in \tilde{d}_v''|_{x_i}\). The polyhedron of flows \(\tilde{d}'_f\otimes \tilde{d}''_f\) is calculated in a similar way. We are aware that the definition of operator \(\otimes \) depends on sets \(v_c'\) and \(v_c''\), but we have preferred to hide this dependency to simplify the notation.

  • Rule d_par_2 is only applied when there are no \({\mathsf {change}}\) agents in parallel. In this case both agents can transit, but their transitions are enabled in disjoint regions of polyhedron \(\tilde{d}_v\). Thus, only A transits, and B remains blocked. Condition \((\tilde{d}'_v-\tilde{d}''_v) \ne \emptyset \) explicitly states that there are values in \(\tilde{d}_v\) that allow agent A to transit, but not agent B. For instance, assume that \(\tilde{d}_v = \{(x,y) \in \mathbb {R}^2 | x = y, x \ge 0\}\), and that \(A = {\mathsf {ask}}(x\ge 2)\rightarrow \cdots \) and \(B = {\mathsf {ask}}(y \ge 3)\rightarrow \cdots \). The set of values \(\{(x,y) \in \mathbb {R}^2 | x = y ,2 \le x <3 \}\) of \(\tilde{d}_v\) makes it possible for agent A to transit, but for these values B is blocked.

  • Rule d_par_3 is applied when agents in parallel try to change the same variables. In this case, the resulting continuous store is inconsistent, which is represented by empty polyhedra.
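The polyhedron operations this appendix relies on (the tilde-exists operator, projection \(\tilde{d}_v|_x\), the consistency test \(d \wedge \tilde{d}_v \ne \emptyset\), the difference test behind ask_blocked and d_par_2, function elapse, and the \(\otimes\) operator of d_par_1), worked through as an added Python example; this is not code from the paper or from its tccp tool. Constraints are kept in H-representation over named variables and every operation is done by exact Fourier–Motzkin elimination over rationals; the variable names, the (lo, hi) encoding of flows and the fresh `t`/`u_` names are my own conventions, and elapse goes beyond the paper's point-flow example to the rectangular flow intervals of Sect. 5.

```python
"""Convex polyhedra (H-representation, named real variables) with the operations of the
discretised Hy-tccp semantics: intersection, existential elimination, projection,
consistency, inclusion/difference, time elapse and the d_par_1 merge.  Exact rational
Fourier-Motzkin; strict inequalities are tracked so set differences are tested exactly."""
from fractions import Fraction as F
from itertools import product

# Constraint: (coeffs, bound, strict) meaning sum(coeffs[v]*v) <= bound (< if strict).
# Polyhedron: list of constraints.  Equalities are encoded as two inequalities.

def le(coeffs, bound, strict=False):
    return ({v: F(a) for v, a in coeffs.items() if F(a) != 0}, F(bound), strict)

def ge(coeffs, bound, strict=False):
    return le({v: -F(a) for v, a in coeffs.items()}, -F(bound), strict)

def eq(coeffs, bound):
    return [le(coeffs, bound), ge(coeffs, bound)]

def negate(c):                       # complement half-space: a.x <= b  ->  a.x > b
    coeffs, bound, strict = c
    return le({v: -a for v, a in coeffs.items()}, -bound, not strict)

def variables(poly):
    return {v for coeffs, _, _ in poly for v in coeffs}

def intersect(*polys):
    return [c for p in polys for c in p]

def eliminate(poly, var):
    """Fourier-Motzkin step: drop `var`, leaving its dimension unconstrained."""
    keep = [c for c in poly if var not in c[0]]
    pos = [c for c in poly if c[0].get(var, 0) > 0]
    neg = [c for c in poly if c[0].get(var, 0) < 0]
    for (cp, bp, sp), (cn, bn, sn) in product(pos, neg):
        ap, an = cp[var], -cn[var]   # positive multipliers that cancel `var`
        coeffs = {v: an * cp.get(v, 0) + ap * cn.get(v, 0)
                  for v in (set(cp) | set(cn)) - {var}}
        keep.append(le(coeffs, an * bp + ap * bn, sp or sn))
    return keep

def is_empty(poly):
    for v in sorted(variables(poly)):
        poly = eliminate(poly, v)
    # only constant constraints 0 <= b (or 0 < b) are left
    return any(b < 0 or (strict and b <= 0) for _, b, strict in poly)

def subset(p, q):
    """p is included in q iff p meets the complement of no half-space of q."""
    return all(is_empty(p + [negate(c)]) for c in q)

def equal(p, q):
    return subset(p, q) and subset(q, p)

def project(poly, var):
    """d_v|_var: eliminate every other dimension."""
    for v in sorted(variables(poly) - {var}):
        poly = eliminate(poly, v)
    return poly

def elapse(poly, flows):
    """Time elapse with rectangular flows: flows[x] = (lo, hi) means dx/dt in [lo, hi]
    (a point flow is (f, f); variables without an entry have flow 0).  The reach set is
    {p + u | p in poly, t >= 0, lo*t <= u_x <= hi*t}: substitute x -> x - u_x, bound the
    displacements u_x by the fresh clock t, then eliminate t and all u_x (own naming)."""
    out = []
    for coeffs, bound, strict in poly:
        new = dict(coeffs)
        for v, a in coeffs.items():
            new['u_' + v] = -a
        out.append(le(new, bound, strict))
    out.append(le({'t': -1}, 0))                                  # t >= 0
    fresh = ['t']
    for v in variables(poly) | set(flows):
        lo, hi = flows.get(v, (0, 0))
        out.append(le({'u_' + v: 1, 't': -F(hi)}, 0))             # u_v <= hi * t
        out.append(le({'u_' + v: -1, 't': F(lo)}, 0))             # u_v >= lo * t
        fresh.append('u_' + v)
    for v in fresh:
        out = eliminate(out, v)
    return out

def ask_status(dv, guard):
    """Continuous side of the choice rules for one guard polyhedron Pol(c_k):
    (ask_disc applicable: dv meets Pol, ask_blocked contribution: dv - Pol nonempty).
    Both can hold at once, which is why the choice agent needs both rules."""
    return (not is_empty(intersect(dv, guard)), not subset(dv, guard))

def merge(d1, v1, d2, v2):
    """The merge operator of rule d_par_1: agree on the unchanged dimensions (v1, v2 are
    the changed-variable sets); each changed dimension comes from the agent that changed it."""
    assert not (v1 & v2), "d_par_3: the same variable is changed by both agents"
    e1, e2 = d1, d2
    for v in v1 | v2:
        e1, e2 = eliminate(e1, v), eliminate(e2, v)
    return intersect(e1, e2, *[project(d1, x) for x in v1], *[project(d2, x) for x in v2])
```

With the paper's own examples, `elapse({x = y, x >= 1}, {x: (1,1), y: (-2,-2)})` equals `{x >= y, 2x + y >= 3}`, the store `{y <= 1}` is inconsistent with `{x = y, x >= 2}`, and `ask_status({x = y, x >= 0}, {x >= 2})` returns `(True, True)`: the same polyhedron both enables and blocks the guard.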

Definition 10

(Discrete operational semantics of Hy-tccp)

Let \(P=D.A\) be a Hy-tccp program. The discrete operational semantics of P is defined as:

$$\begin{aligned} \mathcal {O}^{\delta }_p\llbracket D.A \rrbracket&:=\bigcup _{{\langle c_0, \, \tilde{p}_{v_0}, \, \tilde{p}_{f_0} \rangle }\in (\mathcal {C}\times {\mathbb {P}}\times {\mathbb {P}})} \big \{{\langle c_0, \, \tilde{p}_{v_0}, \, \tilde{p}_{f_0} \rangle }\\&\qquad \cdots {\langle c_n, \, \tilde{p}_{v_n}, \, \tilde{p}_{f_n} \rangle } \mid \\&\qquad {\langle A, \, c_0, \, (\tilde{p}_{v_0},\tilde{p}_{f_0}) \rangle } {\xrightarrow {-}_{\lambda _1}}\\&\qquad \cdots {\xrightarrow {-}_{\lambda _n}} {\langle A_n, \, c_n, \, (\tilde{p}_{v_n},\tilde{p}_{f_n}) \rangle },\, \\&\qquad \forall 1\le i \le n.\ \lambda _i \in \{\sigma ,\tau \} \big \}, \end{aligned}$$

where \({\xrightarrow {-}_{\lambda }}\) with \(\lambda \in \{\sigma ,\tau \}\) is the transition relation given in Fig. 15.

The following definition states the observable behaviour provided by the discretised semantics.

Definition 11

(Discrete behaviour of Hy-tccp) Let \(P=D.A\) be a Hy-tccp program. The discrete behaviour of P is defined as:

$$\begin{aligned} \mathcal {B}^{\delta }_p\llbracket D.A \rrbracket&:=\{{\langle c_0, \, \tilde{p}_{v_0} \rangle } \cdots {\langle c_n, \, \tilde{p}_{v_n} \rangle } \mid \\&\qquad {\langle c_0, \, \tilde{p}_{v_0}, \, \tilde{p}_{f_0} \rangle } \cdots {\langle c_n, \, \tilde{p}_{v_n}, \, \tilde{p}_{f_n} \rangle } \in \mathcal {O}^{\delta }_p\llbracket D.A \rrbracket \} \end{aligned}$$

Proposition 2 states that the new discretised semantics \(\mathcal {B}^{\delta }_p\llbracket D.A \rrbracket \) is a correct over-approximation of the original semantics of Hy-tccp given by \(\mathcal {B}^{ ss }_{join}\llbracket D.A \rrbracket \), and that it is more precise than the simplified semantics \(\mathcal {B}^{ \delta } \llbracket D.A \rrbracket \). To prove the proposition, some preliminary lemmas are needed.

Lemma 1

Given \({\langle A_0, \, c_0, \, (\tilde{S}_0,\tilde{c}_{f_0}) \rangle } {\langle A_1, \, c_1, \, (\tilde{S}_1,\tilde{c}_{f_1}) \rangle } \in \mathcal {O}^{ ss }_{join}\llbracket P \rrbracket \), and a polyhedron \(\tilde{Q}_0 \supseteq \tilde{S}_0\), there exists a polyhedron \(\tilde{Q}_1 \supseteq \tilde{S}_1\) such that \({\langle A_0, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle } \langle A_1, c_1, (\tilde{Q}_1,\tilde{c}_{f_1})\rangle \in \mathcal {O}_p^{ \delta }\llbracket P \rrbracket \).

Proof

By the definition of the equivalence relation \(\simeq \) (Sect. 5), we know that for all \(\tilde{c}_{v_0} \in \tilde{S}_0\), there exists \(\tilde{c}_{v_1} \in \tilde{S}_1\) such that for some \(v \subseteq \widetilde{ Var }\), \({\langle A_0, \, c_0, \, (\tilde{c}_{v_0},\tilde{c}_{f_0}) \rangle } \mathop {{ \longrightarrow _\lambda }}\limits ^{v} {\langle A_1, \, c_1, \, (\tilde{c}_{v_1},\tilde{c}_{f_1}) \rangle }\), where \(\mathop {{ \longrightarrow _\lambda }}\limits ^{v}\) with \(\lambda \in \mathbb {R}^{>0} \cup \{\sigma \}\) is the Hy-tccp transition relation given by the rules of Fig. 2. We now reason by cases on the transition relation \(\mathop {{ \longrightarrow _\lambda }}\limits ^{v}\). Observe that in the proof below, rules of Fig. 2 belong to the original Hy-tccp semantics, while rules of Fig. 15 correspond to the discretised semantics presented in this Appendix.

\(\mathbf {tell}\):

Let agent \(A_0\) be \({\mathsf {tell}}(c)\) for some constraint \(c \in \mathcal {C}\). Then, by rule \(\mathbf {tell}\) of Fig. 2, we have that \({\langle {\mathsf {tell}}(c), \, c_0, \, (\tilde{c}_{v_0},\tilde{c}_{f_0}) \rangle } \mathop {{ \longrightarrow _\sigma }}\limits ^{\emptyset } {\langle {\mathsf {stop}}, \, c_0 \wedge c, \, (\tilde{c}_{v_0},\tilde{c}_{f_0}) \rangle }\). Now, by definition of the equivalence relation \(\simeq \), we have that \(c_1 = c_0 \wedge c\) and \(\tilde{S}_1 = \tilde{S}_0\). Consider polyhedron \(\tilde{Q}_0 \supseteq \tilde{S}_0 \) given by the hypothesis. By rule \(\mathbf {tell}\) of the discretised transition system of Fig. 15, we have that \({\langle {\mathsf {tell}}(c), \, c_0, \, (\tilde{Q}_0,\tilde{d}_f) \rangle } {\xrightarrow {\emptyset }_{\sigma }} \langle {\mathsf {stop}}, c \,\wedge \,c_0, (\tilde{Q}_0, \tilde{d}_f) \rangle \). Thus, we obtain the result, taking \(\tilde{Q}_1 = \tilde{Q}_0 (\supseteq \tilde{S}_1 = \tilde{S}_0)\).

\(\mathbf {change}\):

Let agent \(A_0\) be \({\mathsf {change}}{(y,v,f)}\) with \(y \in \widetilde{ Var }\), \(v, f \in \mathbb {R}\).

By rule \(\mathbf {change}\) of Fig. 2, we have that \( \langle {\mathsf {change}}{(y,v,f)}, c_0,(\tilde{c}_{v_0},\tilde{c}_{f_0}) \rangle \mathop {\longrightarrow }\limits ^{\{y\}}_\sigma \langle {\mathsf {stop}},c_0, (\tilde{\exists }_y\tilde{c}_{v_0}\wedge y\mapsto v,\tilde{\exists }_y\tilde{c}_{f_0}\wedge y \mapsto f)\rangle \), that is, \(c_1 = c_0\) and \(\tilde{c}_{v_1} = \tilde{\exists }_y\tilde{c}_{v_0}\wedge y\mapsto v\). Since rule \(\mathbf {change}\) behaves similarly for all \(c_v \in \tilde{S}_0\), we can conclude that \(\tilde{S}_1 = \mathop {\tilde{\exists }}\nolimits _{y} \tilde{S}_0 \cap Pol(y = v)\) (see Note 3).

Given polyhedron \(\tilde{Q}_0 \supseteq \tilde{S}_0\), clearly \(\mathop {\tilde{\exists }}\nolimits _{y} \tilde{Q}_0 \cap Pol(y = v) \supseteq \mathop {\tilde{\exists }}\nolimits _{y} \tilde{S}_0 \cap Pol(y = v)=\tilde{S}_1\). Thus, given \(\tilde{Q}_1=\mathop {\tilde{\exists }}\nolimits _{y} \tilde{Q}_0 \cap Pol(y = v)\), transition \(\langle {\mathsf {change}}{(y,v,f)},c_0, (\tilde{Q}_0,\tilde{d}_f)\rangle {\xrightarrow {\{y\}}_{\sigma }} {\langle {\mathsf {stop}}, \, c_0, \, (\mathop {\tilde{\exists }}\nolimits _{y} \tilde{Q}_0 \cap Pol(y = v),\mathop {\tilde{\exists }}\nolimits _{y} \tilde{d}_f\cap Pol(\dot{y} {=} f)) \rangle }\) is given by rule \(\mathbf {change1}\) of Fig. 15, and so, \(\langle {\mathsf {change}}(y,v, f), c_0,(\tilde{Q}_0,\tilde{c}_{f_0}) \rangle {\langle {\mathsf {stop}}, \, c_0, \, (\tilde{Q}_1,\tilde{\exists }_y\tilde{c}_{f_0}\wedge y \mapsto f) \rangle } \in \mathcal {O}_p^{ \delta }\llbracket P \rrbracket \).

The case for \({\mathsf {change}}{(y,-,f)}\) is simpler, since the agent does not modify the polyhedron of values (it only changes the polyhedron of flows).

\(\mathbf {ask\_disc}\):

Let \(A_0 = \textstyle {\sum _{i=1}^{n}{\mathsf {ask}}(d_{i})\rightarrow B_i + \sum _{j=1}^{m}{\widetilde{\mathsf {ask}}}( inv _j)}\), and assume that \(A_1 = B_k\) for some \(1 \le k \le n\). Denote \(\tilde{c}_0 = (\tilde{c}_{v_0},\tilde{c}_{f_0})\). By rule \(\mathbf {ask\_disc}\) of Fig. 2, we have that \(c_0 \wedge \tilde{c}_0 {\,\vdash \,}d_k\) and \({\langle A_0, \, c_0, \, \tilde{c}_{0} \rangle } \mathop {{ \longrightarrow _\sigma }}\limits ^ \emptyset {\langle B_k, \, c_0, \, \tilde{c}_{0} \rangle }\). This means that, on the one hand, since \(\tilde{c}_{v_0}\) is an arbitrary value of \(\tilde{S}_0\), transition \({\langle A_0, \, c_0, \, \tilde{c}_{0} \rangle }\mathop {{ \longrightarrow _\sigma }}\limits ^ \emptyset {\langle B_k, \, c_0, \, \tilde{c}_{0} \rangle }\) is possible for any element of \(\tilde{S}_0\) and, in consequence, we can conclude that \(\tilde{S}_0 = \tilde{S}_1\).

On the other hand, since \(d_k\) may refer to both discrete and continuous variables, condition \(c_0 \wedge \tilde{c}_0 {\,\vdash \,}d_k\) implies that (1) \(c_0 {\,\vdash \,}\exists _{\widetilde{ Var }}d_k\), that is, the discrete part of the store \(c_0\) has to satisfy the discrete part of the guard, and (2) \(\exists _{ Var }c_0 \wedge \bigwedge _{x \in \widetilde{ Var }} (x = \tilde{c}_{0}(x).v) {\,\vdash \,}\exists _{ Var }d_k\), that is, the continuous part of the store \({\langle c_0, \, \tilde{c}_0 \rangle }\) must satisfy the continuous part of the constraint \(d_k\). Since this is true for any \(\tilde{c}_{v_0}\) of \(\tilde{S}_0\), we may conclude that all values in \(\tilde{S}_0\) satisfy the guard, that is, \(\tilde{S}_0 \subseteq Pol(\exists _{ Var } d_k)\). In consequence, \(\tilde{Q}_0 \cap Pol(\exists _{ Var } d_k) \not = \emptyset \). Finally, since for all \(\tilde{c}_v \in \tilde{S}_0\), store \({\langle c_0, \, (\tilde{c}_v,\tilde{c}_{f_0}) \rangle }\) must be consistent, we have that \( \tilde{S}_0 \subseteq c_0 \wedge \tilde{Q}_0\) (Footnote 4), and since we have proved that \(\tilde{S}_0 \subseteq Pol(\exists _{ Var } d_k)\), we can conclude that \(c_0 \wedge \tilde{Q}_0 \cap Pol(\exists _{ Var } d_k) \not = \emptyset \).

Since \(c_0 {\,\vdash \,}\exists _{\widetilde{ Var }}d_k\) and \(c_0 \wedge \tilde{Q}_0 \cap Pol(\exists _{ Var } d_k) \not = \emptyset \), we can transit using rule \(\mathbf {ask\_disc}\) of Fig. 15 from \({\langle A_0, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle }\) to \({\langle B_k, \, c_0, \, (Pol(\exists _{ Var } d_k) \cap \tilde{Q}_0,\tilde{c}_{f_0}) \rangle }\). Thus, we obtain the result defining \( \tilde{Q}_1 = Pol(\exists _{ Var } d_k) \cap \tilde{Q}_0\).

\(\mathbf {ask\_cont}\):

Let \(A_0 = A_1 = \textstyle {\sum _{i=1}^{n}{\mathsf {ask}}(d_{i})\rightarrow B_i + \sum _{j=1}^{m}{\widetilde{\mathsf {ask}}}( inv _j)}\). Let us denote \(\tilde{c}_0 = (\tilde{c}_{v_0},\tilde{c}_{f_0})\). By rule \(\mathbf {ask\_cont}\) of the original Hy-tccp semantics (in Fig. 2), there must exist an invariant \( inv _k\) and a positive time interval \([0,\tau ]\) with \(\tau \in \mathbb {R}^{>0}\) such that invariant \( inv _k\) remains \( true \) during the interval, which is denoted as \({\langle c_0, \, \tilde{c}_0 \rangle } \rightsquigarrow _\tau ^{ inv _k}{\langle c_0, \, \tilde{c}_{0_\tau } \rangle }\), where \(\tilde{c}_{0_\tau } = (\tilde{c}_{v_{0_\tau }},\tilde{c}_{f_0})\). Value \(\tilde{c}_{v_{0_\tau }}\) represents the evolution of \(\tilde{c}_{v_{0}}\) following the flow defined by \(\tilde{c}_{f_0}\). With this notation, transition \({\langle A_0, \, c_0, \, (\tilde{c}_{v_0},\tilde{c}_{f_0}) \rangle }\mathop {{ \longrightarrow _\tau }}\limits ^ \emptyset \) \({\langle A_0, \, c_0, \, (\tilde{c}_{v_{0_\tau }},\tilde{c}_{f_0}) \rangle }\) is provided by the original Hy-tccp transition system. Now, applying the transition rule \(\mathbf {ask\_cont}\) of Fig. 2 to each value of \(\tilde{S}_0\), we have that \(\tilde{S}_1=\{\tilde{c}_{v_{{\tau }}}| \exists \tilde{c}_{v} \in \tilde{S}_0 \ such \ that \ {\langle c_0, \, (\tilde{c}_{v},\tilde{c}_{f_0}) \rangle } \rightsquigarrow _\tau ^{ inv _k} \langle c_0,(\tilde{c}_{v_{{\tau }}}, \tilde{c}_{f_0}) \rangle \}\). That is, \(\tilde{S}_1\) is the set of values obtained as time projections of values in \(\tilde{S}_0\) following the flow defined by \(\tilde{c}_{f_0}\). Now, consider a polyhedron \(\tilde{Q}_0 \supseteq \tilde{S}_0\). To apply rule \(\mathbf {ask\_cont}\) of Fig. 15 to \({\langle A_0, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle }\), we need two conditions to hold. On the one hand, \(c_0 {\,\vdash \,}\mathop {\exists }\nolimits _{\widetilde{ Var }} inv _{k}\), that is, the discrete store must satisfy the discrete part of the invariant \( inv _k\). This is true since relation \(\rightsquigarrow _\tau ^{ inv _k}\) implies that the initial store (at time 0), \({\langle c_0, \, \tilde{c}_0 \rangle } \), satisfies the whole invariant (including the discrete part). On the other hand, it is necessary that \({{{elapse}\,}}(\tilde{Q}_0, \tilde{d}_f) \cap Pol(\mathop {\exists }\nolimits _{ Var } inv _k) \cap Pol(\mathop {\exists }\nolimits _{ Var } c_0) \not = \emptyset \). This is also true since

  1. \(\tilde{S}_0 \subseteq \tilde{Q}_0 \subseteq {{{elapse}\,}}(\tilde{Q}_0, \tilde{d}_f)\);

  2. \(\tilde{S}_0 \subseteq Pol(\mathop {\exists }\nolimits _{ Var } inv _k)\), since each element \(\tilde{c}_v \in \tilde{S}_0\) satisfies invariant \( inv _k\) by hypothesis;

  3. \(\tilde{S}_0 \subseteq Pol(\mathop {\exists }\nolimits _{ Var } c_0)\), since, for each element \(\tilde{c}_v \in \tilde{S}_0\), store \({\langle c_0, \, (\tilde{c}_v,\tilde{c}_{f_0}) \rangle }\) is consistent.

Thus, the application of \(\mathbf {ask\_cont}\) of Fig. 15 gives us the transition

$$\begin{aligned} {\langle A_0, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle } {\xrightarrow {\emptyset }_{\tau }}{\langle A_0, \, c_0, \, (\tilde{Q}_1,\tilde{c}_{f_0}) \rangle }, \end{aligned}$$

where polyhedron \(\tilde{Q}_1 = Pol(\exists _{ Var } inv _k) \cap {{{elapse}\,}}(\tilde{Q}_0, \tilde{c}_{f_0})\). Let us see now that \(\tilde{S}_1 \subseteq \tilde{Q}_1\). On the one hand, relation \(\rightsquigarrow _\tau ^{ inv _k}\) guarantees that all elements of \(\tilde{S}_1\) satisfy the continuous part of the invariant; thus, we have that \( \tilde{S}_1 \subseteq Pol(\exists _{ Var } inv _k)\). On the other hand, \({{{elapse}\,}}(\tilde{Q}_0, \tilde{c}_{f_0})\) contains the projections, at any future time instant, of \(\tilde{Q}_0\) and, since \(\tilde{S}_0 \subseteq \tilde{Q}_0\), in particular it contains the elements of \(\tilde{S}_1\), that is, \({{{elapse}\,}}(\tilde{Q}_0, \tilde{c}_{f_0}) \supseteq \tilde{S}_1\). Thus, \(\tilde{S}_1 \subseteq Pol(\exists _{ Var } inv _k) \cap {{{elapse}\,}}(\tilde{Q}_0, \tilde{c}_{f_0}) = \tilde{Q}_1\). In conclusion, we have constructed the pair \( {\langle A_0, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle } \langle A_0,c_0,(\tilde{Q}_1, \tilde{c}_{f_0})\rangle \in \mathcal {O}_p^{ \delta }\llbracket P \rrbracket \) with \(\tilde{Q}_1 \supseteq \tilde{S}_1\).

\(\mathbf {now\_then1}\):

Let us assume that \(A_0 = {\mathsf {now}}\, c \, {\mathsf {then}}\, A \,{\mathsf {else}}\, B\) and \(A_1 = A'\) with \({\langle A, \, c_0, \, (\tilde{c}_{v_0},\tilde{c}_{f_0}) \rangle } \mathop {{ \longrightarrow _\lambda }}\limits ^{v} {\langle A', \, c_1, \, (\tilde{c}_{v_1},\tilde{c}_{f_1}) \rangle }\) and \(c_0 {\,\vdash \,}c\) (rule \(\mathbf {now\_then1}\) of Fig. 2).

Applying induction to \({\langle A, \, c_0, \, (\tilde{S}_0,\tilde{c}_{f_0}) \rangle } \langle A',c_0,(\tilde{S}_1, \tilde{c}_{f_0}) \rangle \) and polyhedron \(\tilde{Q}_0 \supseteq \tilde{S}_0\), we have that there exists a polyhedron \(\tilde{Q}_1 \supseteq \tilde{S}_1\) such that \({\langle A, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle } {\xrightarrow {-}_{\lambda }} \langle A', c_0,(\tilde{Q}_1,\tilde{c}_{f_0}) \rangle \). Now, we can use rule \(\mathbf {now\_then1}\) of Fig. 15 to transit from \({\langle {\mathsf {now}}\, c \, {\mathsf {then}}\, A \,{\mathsf {else}}\, B, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle }\) to \(\langle A',{c_0},(\tilde{Q}_1,\tilde{c}_{f_0})\rangle \), which proves the lemma for this case.

\(\mathbf {now\_then2}\):

Let us assume that \(A_0 = {\mathsf {now}}\, c \, {\mathsf {then}}\, A \,{\mathsf {else}}\, B\) and \(A_1 = A\) with (rule \(\mathbf {now\_then2}\) of Fig. 2). This means that for all \(\tilde{c}_v \in \tilde{S}_0\), \(\tilde{c}_v {\,\vdash \,}c\) and, in consequence, \(\tilde{S}_1 = \tilde{S}_0\). In addition, means that agent A is a choice (it is the only Hy-tccp agent that may block). Let \(\tilde{Q}_0 \supseteq \tilde{S}_0\). Since for all \(\tilde{c}_v \in \tilde{S}_0\), , we can apply rule \(\mathbf {ask\_cont\_blocked}\) of Fig. 15 and obtain transition \(\langle A, c_0,(\tilde{Q}_0,c_{f_0}) \rangle {\xrightarrow {\emptyset }_{\sigma }} \langle A, c_0,(\tilde{Q}_0,c_{f_0}) \rangle \). Finally, defining \(\tilde{Q}_1 = \tilde{Q}_0\), and using rule \(\mathbf {now\_then}\) of Fig. 15, we have \({\langle {\mathsf {now}}\, c \, {\mathsf {then}}\, A \,{\mathsf {else}}\, B, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_v}) \rangle } {\langle A, \, c_0, \, (\tilde{Q}_1,\tilde{c}_{f_v}) \rangle }\in \mathcal {O}_p^{ \delta }\llbracket P \rrbracket \) with \(\tilde{Q}_1 \supseteq \tilde{S}_1 = \tilde{S}_0.\)

\(\mathbf {now\_else1}\) and \(\mathbf {now\_else2}\):

Proofs are similar to those for \(\mathbf {now\_then1}\) and \(\mathbf {now\_then2}\).

\(\mathbf {par1}\):

Let us assume that \(A_0 = B||C\) and \(A_1 = B'||C'\). In this case, B and C may have carried out a discrete or continuous transition to \(B'\) and \(C'\), respectively, that is,

$$\begin{aligned}&{\langle B, \, c_0, \, (\tilde{S}_0,\tilde{c}_{f_0}) \rangle } {\langle B', \, d_B, \, (\tilde{S}_B,\tilde{d}_{f_B}) \rangle } \in \mathcal {O}^{ ss }_{join}\llbracket P \rrbracket ,\\&{\langle C, \, c_0, \, (\tilde{S}_0,\tilde{c}_{f_0}) \rangle } {\langle C', \, d_C, \, (\tilde{S}_C,\tilde{d}_{f_C}) \rangle } \in \mathcal {O}^{ ss }_{join}\llbracket P \rrbracket \end{aligned}$$

Thus, applying rule \(\mathbf {par1}\) of Fig. 2 to each element of \(\tilde{S}_0\), we have that \(c_1 = d_B \wedge d_C\), \(\tilde{S}_1 = \tilde{S}_B \otimes \tilde{S}_C\) and \(\tilde{c}_{f_1} = \tilde{d}_{f_B} \otimes \tilde{d}_{f_C}\). To simplify the proof, we have omitted the labels of the transition rules, which are used to prevent agents B and C from simultaneously updating the same continuous variable. Thus, assuming that no continuous variable is changed by both agents, operator \(\otimes \) (defined above) calculates the intersection of sets \(\tilde{S}_B\) and \(\tilde{S}_C\), taking into account the new values of the continuous variables changed by each agent.

By the induction hypothesis, given \(\tilde{Q}_0\supseteq \tilde{S}_0\), there exist two polyhedra \(\tilde{Q}_B \supseteq \tilde{S}_B\) and \(\tilde{Q}_C \supseteq \tilde{S}_C\) such that

$$\begin{aligned}&{\langle B, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle } {\langle B', \, d_B, \, (\tilde{Q}_B,\tilde{d}_{f_B}) \rangle } \in \mathcal {O}_p^{ \delta }\llbracket P \rrbracket ,\\&{\langle C, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle } {\langle C', \, d_C, \, (\tilde{Q}_C,\tilde{d}_{f_C}) \rangle } \in \mathcal {O}_p^{ \delta }\llbracket P \rrbracket \end{aligned}$$

Now, we can apply rule \(\mathbf {c\_par}\) (continuous transition) or rule \(\mathbf {d\_par\_1}\) (discrete transition) of Fig. 15 to compose \({\langle B, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle }\) and \({\langle C, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle }\) using the parallel operator. In both cases, we obtain the pair

$$\begin{aligned}&{\langle B||C, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle } \langle B'||C', d_B \wedge d_C,\\&\quad (\tilde{Q}_B\otimes \tilde{Q}_C,\tilde{d}_{f_B} \otimes \tilde{d}_{f_C} )\rangle \in \mathcal {O}_p^{ \delta }\llbracket P \rrbracket \end{aligned}$$

Let \(\tilde{Q}_1 = \tilde{Q}_B \otimes \tilde{Q}_C\). To prove that \(\tilde{Q}_1 \supseteq \tilde{S}_1 = \tilde{S}_B \otimes \tilde{S}_C\), it is sufficient to observe that since \(\tilde{Q}_B \supseteq \tilde{S}_B\) and \(\tilde{Q}_C \supseteq \tilde{S}_C\) then intersection \(\tilde{Q}_B \otimes \tilde{Q}_C\) has to contain intersection \(\tilde{S}_B \otimes \tilde{S}_C\).

\(\mathbf {par2}\):

This case is simpler to prove, since only one of the two parallel agents evolves by means of a discrete transition. The other does not evolve either because it wants to execute a continuous transition (and discrete transitions have higher priority) or because it is temporarily blocked to synchronise with other agents (rule \(\mathbf {par2}\) of Fig. 2). In any case, since one of the two agents is stopped, the construction of polyhedron \(\tilde{Q}_1\) is easily carried out by applying induction on the agent that can evolve, using rules \(\mathbf {d\_par\_2}\), \(\mathbf {d\_c\_par}\) or \(\mathbf {par\_notrans}\) of Fig. 15.

\(\mathbf {exists}\):

Consider \(A_0 = \mathop {\exists ^{\langle l,\, \tilde{L} \rangle }{x}} {A}\) with \(\tilde{L} =(\tilde{L}_v,\tilde{l}_f)\), and assume that

$$\begin{aligned} {\langle \mathop {\exists ^{\langle l,\, \tilde{L} \rangle }{x}} {A}, \, c_0, \, (\tilde{S}_0,\tilde{d}_{f_0}) \rangle }{\langle B, \, c_1, \, (\tilde{S}_1,\tilde{d}_{f_1}) \rangle } \in \mathcal {O}^{ ss }_{join}\llbracket P \rrbracket \end{aligned}$$

By rule \(\mathbf {exists}\) of Fig. 2, we have that \(c_1 = c_0 \wedge \exists _x l'\), \(\tilde{S}_1 = \tilde{S}_0 \cap \tilde{\exists } \tilde{L}'_v\), \(\tilde{d}_{f_1} = \tilde{d}_{f_0} \cap \tilde{\exists } \tilde{l}'_f\) and

$$\begin{aligned}&{\langle A, \, l \wedge \exists _x c_0, \, (\tilde{L}_v\cap \exists _x\tilde{S}_0,\tilde{l}_f \cup \exists _x \tilde{d}_{f_0}) \rangle } \langle {B},{l'},\\&\quad (\tilde{L}'_v,\tilde{l}'_f)\rangle \in \mathcal {O}^{ ss }_{join}\llbracket P \rrbracket \end{aligned}$$

Now, applying induction, we know that given polyhedron \(\tilde{R}_0 = \tilde{\exists }_x\tilde{Q}_0 \cap \tilde{L}_v\), there exists a polyhedron \(\tilde{R}_1 \supseteq \tilde{L}'_v\) such that

$$\begin{aligned} {\langle A, \, l \wedge \exists _x c_0, \, (\tilde{R}_0,\tilde{l}_f\cap \tilde{\exists }_x \tilde{d}_{f_0}) \rangle } {\langle B, \, l', \, (\tilde{R}_1,\tilde{l}'_f) \rangle } \in \mathcal {O}_p^{ \delta }\llbracket P \rrbracket \end{aligned}$$

Thus, applying rule \(\mathbf {exists}\) of Fig. 15, and denoting \(\tilde{R} = (\tilde{R}_0,\tilde{l}_f)\), \(\tilde{R}'= (\tilde{R}_1,\tilde{l}'_f)\), we have that

$$\begin{aligned}&{\langle \mathop {\exists ^{\langle l,\, \tilde{R} \rangle }{x}} {A}, \, c_0, \, (\tilde{Q}_0,\tilde{d}_{f_0}) \rangle } \langle \mathop {\exists ^{\langle l',\, \tilde{R}' \rangle }{x}} {B},\\&\quad c_0 \wedge \exists _x l',(\tilde{Q}_0 \cap \tilde{\exists }_x\tilde{R}_1,\tilde{d}_{f_0} \cap \tilde{\exists }_x \tilde{l}'_f)\rangle \end{aligned}$$

is in \(\mathcal {O}_p^{ \delta }\llbracket P \rrbracket \). Finally, let \(\tilde{Q}_1 = \tilde{Q}_0 \cap \tilde{\exists }_x\tilde{R}_1\). Since \(\tilde{R}_1 \supseteq \tilde{L}'_v\), we have that \(\tilde{Q}_1 \supseteq \tilde{S}_1\).

\(\mathbf {pcall}\):

The proof for this case is very simple since the store does not change when a procedure call is executed.

Lemma 2

Given \({\langle c_0, \, \tilde{P}_0 \rangle } {\langle c_1, \, \tilde{P}_1 \rangle } \in {\delta }({\mathcal {B}^{ ss }_{join}\llbracket P \rrbracket })\), and a polyhedron \(\tilde{Q}_0 \supseteq \tilde{P}_0\), there exists a polyhedron \(\tilde{Q}_1 \supseteq \tilde{P}_1\) such that \({\langle c_0, \, \tilde{Q}_0 \rangle } {\langle c_1, \, \tilde{Q}_1 \rangle } \in \mathcal {B}_p^{ \delta }\llbracket P \rrbracket \).

Proof

By definition of \(\delta \) (Sect. 5), if \({\langle c_0, \, \tilde{P}_0 \rangle } {\langle c_1, \, \tilde{P}_1 \rangle } \in {\delta }({\mathcal {B}^{ ss }_{join}\llbracket P \rrbracket })\) then there exist two sets \(\tilde{S}_i (i = 0,1)\) such that \(\delta ({\langle c_i, \, \tilde{S}_i \rangle })= {\langle c_i, \, \tilde{P}_i \rangle }\) and \({\langle c_0, \, \tilde{S}_0 \rangle } {\langle c_1, \, \tilde{S}_1 \rangle } \in \mathcal {B}^{ ss }_{join}\llbracket P \rrbracket \). This implies, by definition of the semantics \(\mathcal {B}^{ ss }_{join}\llbracket P \rrbracket \), that there exist two agents \(A_0\), \(A_1\), and two flows \(\tilde{c}_{f_0}\), \(\tilde{c}_{f_1}\) such that

$$\begin{aligned} {\langle A_0, \, c_0, \, (\tilde{S}_0,\tilde{c}_{f_0}) \rangle }{\langle A_1, \, c_1, \, (\tilde{S}_1,\tilde{c}_{f_1}) \rangle } \in \mathcal {O}^{ ss }_{join}\llbracket P \rrbracket \end{aligned}$$

Consider now \(\tilde{Q}_0 \supseteq \tilde{P}_0 \supseteq \tilde{S}_0\). By Proposition 1, there exists a polyhedron \(\tilde{Q}_1 \supseteq \tilde{S}_1\) such that

$$\begin{aligned} {\langle A_0, \, c_0, \, (\tilde{Q}_0,\tilde{c}_{f_0}) \rangle } {\langle A_1, \, c_1, \, (\tilde{Q}_1,\tilde{c}_{f_1}) \rangle }\in \mathcal {O}_p^{ \delta }\llbracket P \rrbracket \end{aligned}$$

that is, \({\langle c_0, \, \tilde{Q}_0 \rangle } {\langle c_1, \, \tilde{Q}_1 \rangle } \in \mathcal {B}_p^{ \delta }\llbracket P \rrbracket \). To prove the result, it is sufficient to observe that \(\tilde{Q}_1 \supseteq \tilde{P}_1\) since \(\tilde{P}_1\) is the smallest polyhedron containing \(\tilde{S}_1\).

Lemma 3

Given \({\langle c_0, \, \tilde{Q}_0 \rangle } {\langle c_1, \, \tilde{Q}_1 \rangle } \in \mathcal {B}_p^{ \delta }\llbracket P \rrbracket \), and a polyhedron \(\tilde{I}_0 \supseteq \tilde{Q}_0\) there exists a polyhedron \(\tilde{I}_1 \supseteq \tilde{Q}_1\) such that \({\langle c_0, \, \tilde{I}_0 \rangle } {\langle c_1, \, \tilde{I}_1 \rangle } \in \mathcal {B}^{ \delta }\llbracket P \rrbracket \).

Proof

The proof of this lemma is trivial since rules \(\mathbf {continuous}\) and \(\mathbf {discrete}\) of the simplified transition relation given in Fig. 13 allow any polyhedron to evolve towards polyhedra of unbounded size.

Proposition 2

For each Hy-tccp program P,

$$\begin{aligned} {\delta }({\mathcal {B}^{ ss }_{join}\llbracket P \rrbracket }) \le \mathcal {B}_p^{ \delta }\llbracket P \rrbracket \le \mathcal {B}^{ \delta }\llbracket P \rrbracket . \end{aligned}$$

Proof

We first start proving that \({\delta }({\mathcal {B}^{ ss }_{join}\llbracket P \rrbracket }) \le \mathcal {B}_p^{ \delta }\llbracket P \rrbracket \).

Fig. 16: Automaton for the state of the subject

The elements of \({\delta }({\mathcal {B}^{ ss }_{join}\llbracket P \rrbracket })\) and \(\mathcal {B}_p^{ \delta }\llbracket P \rrbracket \) are of the form \({\langle c_0, \, \tilde{P}_0 \rangle } \cdots {\langle c_n, \, \tilde{P}_n \rangle }\), where \( \forall 0 \!\le \!i \!\le \!n. c_i \!\in \!\mathcal {C}\) is a constraint and \(\tilde{P}_i \in \mathbb {P}\) is a polyhedron. Taking into account the relation order \(\le \) on sequences given in Sect. 5, to prove the assertion we have to find, for each sequence \({\langle c_0, \, \tilde{P}_0 \rangle } \cdots {\langle c_n, \, \tilde{P}_n \rangle } \in {\delta }({\mathcal {B}^{ ss }_{join}\llbracket P \rrbracket })\), a sequence \({\langle c_0, \, \tilde{Q}_0 \rangle } \cdots {\langle c_n, \, \tilde{Q}_n \rangle } \in \mathcal {B}_p^{ \delta }\llbracket P \rrbracket \) such that \(\forall 0 \!\le \! i \!\le \!n. \tilde{P}_i \!\subseteq \!\tilde{Q}_i\).

We reason by induction on the length n of the sequences. Lemma 2 proves the assertion for sequences of length 2 (\(n = 1\)), taking \(\tilde{Q}_0 = \tilde{P}_0\). Now, given a sequence \({\langle c_0, \, \tilde{P}_0 \rangle } \cdots {\langle c_n, \, \tilde{P}_n \rangle }\) of length greater than 2 (\(n > 1\)), the result is also easily obtained by applying Lemma 2 n times, once for each subsequence \({\langle c_i, \, \tilde{P}_i \rangle } {\langle c_{i+1}, \, \tilde{P}_{i+1} \rangle }\) (\(i<n\)), with polyhedron \(\tilde{Q}_i\) being \(\tilde{P}_0\) if \(i=0\), or the result of the previous application of the Lemma otherwise. The second assertion, \(\mathcal {B}_p^{ \delta }\llbracket P \rrbracket \le \mathcal {B}^{ \delta }\llbracket P \rrbracket \), is proved similarly using Lemma 3.

Appendix B: Modelling systems with Hy-tccp

In this section, we model three different systems in Hy-tccp. The first example is a system which represents an ambient assisted living house for elderly people, capable of detecting anomalous situations. The second example describes a smart home which monitors the activity of one or more users. The last example is set in a different domain: it is a conflict prevention algorithm that detects when two drones approach each other and corrects their trajectories in case they violate the minimum separation distance.

Appendix B.1: An ambient assisted living system for elderly people

In this example, we model, in Hy-tccp, a simplification of the ambient assisted living system for elderly people presented in [11]. The monitoring system comprises a house which has a room equipped with sensors, used to capture information from the environment and to send the relevant information to a control system, which determines whether the current situation is normal or the user has a problem. Figure 16 depicts the automaton and covers each possible situation that could arise in the house.

Fig. 17: Hy-tccp model for the ambient assisted living system

Figure 17 shows the Hy-tccp program modelling a system comprising the \(\mathsf {main}\) process, which is the brain of the system, and \(\mathsf {user}\), who is the person living in the house. The user non-deterministically performs actions such as moving, resting in the chair or sleeping in the bed. The type of action the user carries out depends on his/her current state. For example, if the user is sleeping in the bed, and thus the sensors detect his/her presence at the bed, it is not possible that the sensors also detect a presence at the chair. Thus, we do not allow the user to be assigned a behaviour that the automaton does not specify. In the room, there are two sensors: S1 detects events such as the user being at the bed (\( atBed / noAtBed \)) or the door opening (\( openDoor / noOpenDoor \)), and S2 detects whether the user is moving (\( activity / noActivity \)). The user has an internal timer, which means that the user needs a minimum amount of time to change activity. The user process updates the values of the sensors via the streams S1 and S2, which are used as communication channels between the user and main procedures. The main procedure sets the user's state, stream U, from the information obtained from the sensors (user procedure). If it detects any incorrect behaviour on the part of the system, or that the user is in an emergency situation, it raises an alarm. For these anomalous situations, the system activates a timer \(T_m\) that is set to different values depending on the user's state, with flow \(\dot{T_m} = -1\). The agent \({\widetilde{\mathsf {ask}}}(T_u \ge 0 \wedge T_u \le 24)\) limits the timer \(T_u\) to 24 hours (one day), and the agent \(T_m \ge 0 \wedge T_m \le 12\) guarantees that the continuous variable \(T_m\) always has valid values. In this model, the user process behaves in a specific way: if the user is in the state \( resting \), it will be blocked in the \( anomalous \) state. This is one possibility, but the user procedure can be modelled in many different ways.

Fig. 18: Ambient assisted living system trace example

Discretised trace

Consider the Hy-tccp ambient assisted living system previously introduced in Fig. 17. We show a possible discretised execution trace in Fig. 18, starting from the initial store \(\langle true ,\, (\mathcal {U},\mathcal {U}) \rangle \), where \(\mathcal {U}\) represents an unconstrained (universe) polyhedron. We denote by \(A_U\) and \(A_M\) the bodies of user and \({main}\,\), respectively. The first discrete transition initialises \(T_u\) and \(T_m\) (the continuous store is updated using \({\mathsf {change}}\) agents), sets the stream U to \( active \) and calls the processes user and \({main}\,\). The second transition corresponds to the parallel execution of the choice agents. In both processes, only the continuous branches are enabled in the interval \(T_u\in [0,24]\) and \(T_m \in [0,12]\). In the next transition, the user selects the third branch of its \({{\mathsf {ask}}}\), in which the user updates the tail of the stream U, the sensors S1 and S2, and the flow and initial value of \(T_u\), while the choice of \({main}\,\) is blocked. The program continues executing and, after 12 steps, the store contains new streams such as U\(^{\prime }\) and U\(^{\prime \prime }\), which save the user states, and S1\(^{\prime }\), S1\(^{\prime \prime }\) and S2\(^\prime \), which hold the information generated by the sensors. The user is \( resting \) (U\(^{\prime \prime }\) stream) at the chair (S1\(^{\prime }\)) and there is no activity detected (S2). Due to the absence of activity in the \( resting \) state, after two more steps the user process changes to the \( anomalous \) state, then it is blocked and the execution ends.

Definition of properties

Now we define some universal properties using \( {\models ^{+}} \) and \( {\models ^{-}} \) which can be used in the analysis of Hy-tccp programs. One property that the system must satisfy is: if the user is in the state \( active \), at any moment in the future, the user will be in another state (liveness property). This property corresponds to the formula:

$$\begin{aligned} \mathcal {B}^{ \delta }\llbracket eHome \rrbracket \cap \llbracket \Box (last(U) = active \xrightarrow {.} {\mathop {\Diamond }} {last(U) \ne active ) } \rrbracket ^+ = \emptyset \end{aligned}$$

Fig. 19: Smarthome initialisation, central unit and sensor models

Appendix B.2: SmartHome interaction

This example is inspired by the smart home case study described in [4] (Promela models are included in the annex of the original paper). We have adapted the example as follows: a smart home has three sensors in different rooms (kitchen, bathroom and bedroom). Sensors are able to detect users doing different activities (sitting, walking or lying down). Besides, the sensors can distinguish between the house owner (occ) and a visitor (vis). When a sensor detects that someone is in its area, it informs a central processing unit about the user and his/her activity. In this case study, the central unit calls the emergency services when the house owner (occ) is lying down in one of the rooms.

Figures 19 and 20 show the Hy-tccp model of the different elements. The Hy-tccp model comprises a main process, called \(\textit{Home}\) that determines the number of sensors and their location, launches the central unit, and non-deterministically decides whether the first user detected is the occupant or a visitor. The process \(\textit{Sensor}\) models the behaviour of a generic sensor, whose location is determined by parameter L. Sensors detect the user’s activity by means of stream S, and send this information to the central unit using stream variable C. We have modelled the users (occupant and visitor) to non-deterministically change their location and activity in the time interval [50, 100]. However, these models can be as complex as desired to reflect specific behaviour patterns. We can also include more complex behaviour in the central unit, for instance including a timer that tracks the time a user is lying down.

Discretised trace

Figure 21 shows a possible discretised execution trace of the SmartHome example, starting from the initial store \(\langle \textit{Home},\) \( true ,\) \((\mathcal {U}, \mathcal {U}) \rangle \), where \(\mathcal {U}\) represents an unconstrained (universe) polyhedron. We denote by \(\textit{Sen}_{K}\), \(\textit{Sen}_{B}\) and \(\textit{Sen}_{R}\) the bodies of the sensors located in the kitchen, the bathroom and the bedroom, respectively. In addition, we denote by \(\textit{Sen}_{K1}\) and \(\textit{Sen}_{K2}\) the agents in parallel after selecting the first or second branch of the sensor choice agent. The bodies of the central unit, the occupant and the visitor are denoted, respectively, by CU, Occ and \( Vis \). In this trace, we assume that the first user detected is the occupant, who is lying down in the bathroom.

Fig. 20: Smarthome model: occupant, visitor

Definition of properties

Finally, using the logic \(\textsf {csLTL}\) and the relations \( {\models ^{+}} \) and \( {\models ^{-}} \), we specify a property for this example that could be analysed with future verification tools. We are particularly interested in verifying that when a user (occupant or visitor) changes his/her activity, e.g. to lying down, the central unit is informed. The property can be expressed with relations \( {\models ^{+}} \) and \( {\models ^{-}} \) in two different ways.

$$\begin{aligned}&\mathcal {B}^{ \delta }\llbracket \textit{Home}\rrbracket \cap \llbracket \mathop {\Diamond } {(last(S) = (\_,lying,\_) \wedge last(C) \ne (\_, lying,\_) \wedge }\\&\quad \Box {last(C) \ne (\_, lying,\_))}\rrbracket ^+ = \emptyset \end{aligned}$$

The previous formula states that the intersection between the discretised traces of the system (\( \mathcal {B}^{ \delta }\llbracket \textit{Home}\rrbracket \)) and the over-approximated traces that satisfy \(\lnot \phi _1\) has to be empty, thus, all traces of \( \mathcal {B}^{ \delta }\llbracket \textit{Home}\rrbracket \) satisfy \(\phi _1\), where \(\lnot \phi _1 =\) \({\mathop {\Diamond }}( last(S) = (\_,lying,\_)\ \wedge \ last(C) \ne (\_, lying,\_) \ \wedge \Box {last(C) \ne (\_, lying,\_)})\). Furthermore, we can verify the same property, using the under-approximated relation. In this case, the formula states that all discretised traces have to be contained in the set of under-approximated traces that satisfy \(\phi _2\), where

$$\begin{aligned} \mathcal {B}^{ \delta }\llbracket \textit{Home}\rrbracket\subseteq & {} \llbracket \Box {((last(A_S) = lying \wedge last(A_C) \ne lying) } \\&\xrightarrow {.} {\mathop {\Diamond }}{last(A_C) = lying}) \rrbracket ^- \end{aligned}$$

Fig. 21: Smarthome trace example

Fig. 22: CD2D modelled with Hy-tccp

Appendix B.3: CD2D algorithm

The CD2D algorithm [24] is a conflict prevention algorithm which is part of the Airborne Coordinated Conflict Resolution and Detection (ACCoRD) formal framework developed by NASA (Footnote 5). This algorithm detects when two drones (or aircraft) are in a situation of conflict. A loss of separation occurs when the distance between the two drones is lower than a minimum horizontal distance D. A conflict is a predicted loss of separation within a lookahead time T. The two drones are referred to as the ownship and the intruder. In CD2D, the vertical component (altitude) is ignored, thus the positions of the ownship and the intruder are modelled as the vectors \(\mathbf {s}_{o}=(s_{ox},s_{oy})\) and \(\mathbf {s}_{i}=(s_{ix},s_{iy})\), respectively. In the same way, the velocities of the ownship and the intruder are modelled as the vectors \(\mathbf {v}_{o}=(v_{ox},v_{oy})\) and \(\mathbf {v}_{i}=(v_{ix},v_{iy})\), respectively. For simplicity, CD2D uses a relative coordinate system where the intruder is at the centre of the system, thus the ownship position is \(\mathbf {s} = \mathbf {s}_{o} - \mathbf {s}_{i}\) and it moves at a relative velocity of \(\mathbf {v} = \mathbf {v}_{o} - \mathbf {v}_{i}\). The position changes with respect to the velocity according to the following ordinary differential equations: \(\dot{s_x} = v_x\) and \(\dot{s_y} = v_y\).

Figure 22 depicts a Hy-tccp program that models a variant of the CD2D algorithm. In this variant, a loss of separation occurs when the ownship is inside a square of dimension \(D\times D\) centred on the intruder, instead of checking whether it is inside a circle of radius D. It is worth noting that the condition considered here is a correct approximation of the original one, therefore it also detects the violation of the original condition. This change is a result of the restriction to rectangular systems that we currently impose.

The controller process checks whether a loss of separation is going to occur. This happens when the ownship is predicted to be inside the square of dimension \(D\times D\) centred on the intruder position (the origin of the system) within the lookahead time T. In this case, the controller sends new velocities to the ownship in order to prevent the loss of separation. The new velocities are computed by checking in which quadrant of the system the ownship is positioned and by adding or subtracting D to move the ownship away from the intruder. The ownship process models the ownship drone, which moves following its velocity if no loss of separation occurs. If a loss of separation occurs (i.e., new velocities from the controller have been received), it changes direction and moves following the new velocities. The main process calls the ownship and the controller processes in parallel and initialises the global variables.
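The square-based conflict check described in this subsection, as an added worked example written for this page (Python; it is neither the paper's Hy-tccp model of Fig. 22 nor code from NASA's ACCoRD). It works in the relative frame \(\mathbf {s} = \mathbf {s}_{o} - \mathbf {s}_{i}\), \(\mathbf {v} = \mathbf {v}_{o} - \mathbf {v}_{i}\) with the linear motion \(\dot{\mathbf {s}} = \mathbf {v}\), computes the sub-interval of the lookahead \([0,T]\) during which the ownship is inside the square, and places the original circular test of CD2D beside it, so the claim that the square check over-approximates the circular one can be exercised on constructed inputs. Assumptions made here: the square's half-width is taken as D, so that the square contains the disc of radius D (the reading under which the over-approximation claim holds); `avoidance_velocity` is one reading of "adding or subtracting D according to the quadrant" and not the paper's exact controller; the names `relative_state`, `square_conflict`, `circle_conflict` and all positions, velocities, D and T values are constructed for the example.

```python
"""Square vs. circular conflict detection in CD2D-style relative coordinates.

Added example for this page; not the paper's Hy-tccp model nor ACCoRD code.
Units are arbitrary but consistent (distance, distance/time, time).
"""
import math
from typing import Iterable, NamedTuple, Optional, Tuple

Vec = Tuple[float, float]
Window = Optional[Tuple[float, float]]  # [t_in, t_out] within [0, T], or None


class RelState(NamedTuple):
    s: Vec  # relative position  s = s_o - s_i (intruder at the origin)
    v: Vec  # relative velocity  v = v_o - v_i


def relative_state(s_o: Vec, v_o: Vec, s_i: Vec, v_i: Vec) -> RelState:
    """Move to the intruder-centred frame used by CD2D."""
    return RelState((s_o[0] - s_i[0], s_o[1] - s_i[1]),
                    (v_o[0] - v_i[0], v_o[1] - v_i[1]))


def _axis_window(s: float, v: float, half: float) -> Window:
    """Times t with |s + v*t| <= half on one axis (linear motion s_dot = v)."""
    if v == 0.0:  # no motion on this axis: inside forever or never
        return (-math.inf, math.inf) if abs(s) <= half else None
    t1, t2 = (-half - s) / v, (half - s) / v
    return (min(t1, t2), max(t1, t2))


def square_conflict(st: RelState, D: float, T: float) -> Window:
    """Predicted loss of separation against a square centred on the intruder.

    Assumption: half-width D, so the square contains the disc of radius D.
    Returns the part of [0, T] spent inside the square, or None if no conflict.
    """
    wx = _axis_window(st.s[0], st.v[0], D)
    wy = _axis_window(st.s[1], st.v[1], D)
    if wx is None or wy is None:
        return None
    lo, hi = max(wx[0], wy[0], 0.0), min(wx[1], wy[1], T)
    return (lo, hi) if lo <= hi else None


def circle_conflict(st: RelState, D: float, T: float) -> Window:
    """Original CD2D test: |s + v*t| <= D for some t in [0, T].

    Solve the quadratic (v.v) t^2 + 2 (s.v) t + (s.s - D^2) <= 0.
    """
    sx, sy = st.s
    vx, vy = st.v
    a = vx * vx + vy * vy
    b = 2.0 * (sx * vx + sy * vy)
    c = sx * sx + sy * sy - D * D
    if a == 0.0:  # no relative motion: inside now or never
        return (0.0, T) if c <= 0.0 else None
    disc = b * b - 4.0 * a * c
    if disc < 0.0:  # closest approach stays outside the disc
        return None
    r = math.sqrt(disc)
    lo, hi = max((-b - r) / (2.0 * a), 0.0), min((-b + r) / (2.0 * a), T)
    return (lo, hi) if lo <= hi else None


def avoidance_velocity(st: RelState, D: float) -> Vec:
    """One reading (assumption) of the controller's correction: push the relative
    velocity away from the intruder by D on each axis, by the quadrant of s."""
    sx, sy = st.s
    vx, vy = st.v
    return (vx + math.copysign(D, sx), vy + math.copysign(D, sy))


def square_overapproximates(states: Iterable[RelState], D: float, T: float) -> bool:
    """Batch check: every circular conflict is also reported by the square test."""
    return all(square_conflict(st, D, T) is not None
               for st in states if circle_conflict(st, D, T) is not None)


# Constructed scenarios (not from the paper): D = 5, lookahead T = 20 (or 10).
D, T, T_SHORT = 5.0, 20.0, 10.0
HEAD_ON = relative_state((0.0, 0.0), (10.0, 0.0), (100.0, 0.0), (0.0, 0.0))
CORNER = RelState((-100.0, -100.0), (9.6, 9.6))  # at t=10 sits at (-4,-4): in square, outside disc
PASSING = RelState((-100.0, 50.0), (10.0, 0.0))  # stays 50 units off the intruder

if __name__ == "__main__":
    for name, st, horizon in [("head-on", HEAD_ON, T), ("corner", CORNER, T_SHORT), ("passing", PASSING, T)]:
        print(name, "square:", square_conflict(st, D, horizon), "circle:", circle_conflict(st, D, horizon))
    print("head-on after correction:",
          square_conflict(RelState(HEAD_ON.s, avoidance_velocity(HEAD_ON, D)), D, T))
```

With the head-on scenario both tests agree on the window \([9.5, 10.5]\); in the corner scenario, with a lookahead of 10, the ownship reaches the square's corner region but not the disc of radius D, so only the square test fires, which is exactly the over-approximation the text claims. After applying the quadrant-based correction to the head-on case, the square test no longer reports a conflict within the lookahead.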

Gallardo, MdM., Lavado, L., Panizo, L. et al. A constraint-based language for modelling intelligent environments. J Reliable Intell Environ 3, 55–79 (2017). https://doi.org/10.1007/s40860-017-0040-3
