Hybrid Systems CIF 3
Content
Preliminary Notes
Analysis of Hybrid Systems
D.A. van Beek and J.E. Rooda
March 23, 2010
ii
Preface
Hybrid systems are a combination of continuous-time systems, discrete-event systems and/or
discrete-time systems.
In continuous-time systems, the state changes continuously. Therefore, an infinite number of
state changes are possible in any given finite time interval. Examples of such systems are
chemical systems in the process industry and mechanical systems.
In discrete-event systems, the state changes at discrete points of time; in between these time
points the state remains the same. Therefore, there can only be a finite number of changes in
a time-interval. Examples of plants that can be regarded as discrete-event systems are plants
where discrete products are transported, assembled or packaged, such as car or integrated circuit
manufacturing plants. Discrete-time systems are discrete-event systems where the state changes
at equidistant points of time. Such systems are usually the result of sampling continuous-time
systems.
Examples of hybrid systems are batch processes in the process industry; factories with both
continuous and discrete process steps, such as batch production of beer that ends with the discrete packing of bottles in a crate; and discrete-event scheduling or supervisory systems that are
used to control continuous or hybrid systems.
Dealing with hybrid systems requires a hybrid world view. Such a world view comprises languages, methods, techniques and tools. It can be obtained by means of the χ and CIF formalisms that are treated in these course notes. The formalisms are used for modeling, simulation and control of industrial systems. They integrate continuous-time and discrete-event
concepts, and enable analysis of the dynamic behavior of hybrid processes, of hybrid embedded systems, as well as of complete hybrid plants. The course notes deal with the hybrid aspects
of the formalisms.
Acknowledgments
The authors would like to thank Ramon Schiffelers for participating with the authors in the
development of the (hybrid) χ and CIF languages, and for the many stimulating discussions.
They also thank Dennis Hendriks, Albert Hofkamp and Ramon for providing the χ and CIF
iii
iv
Preface
simulators that are available via the Systems Engineering Wiki pages, and they thank Jasper
Fonteijn for improving the text and automating the document generation process of the lecture
notes. Finally, they would like to thank Jos Baeten, Pieter Cuijpers, and Michel Reniers from
the Computer Science Department for their contributions to the development of the χ and CIF
languages.
Contents
Preface
1
2
3
iii
Overview of the syntax of the Chi language
1
1.1
Model syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1
1.2
Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3
1.3
Statement syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3
Informal semantics of the Chi language
7
2.1
Conditional expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
2.2
Behavior of atomic statements . . . . . . . . . . . . . . . . . . . . . . . . . .
8
2.3
Behavior of compound statements . . . . . . . . . . . . . . . . . . . . . . . .
9
2.4
Behavior of models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14
2.5
Process definition and instantiation . . . . . . . . . . . . . . . . . . . . . . . .
15
Tank level control strategies
19
3.1
The controlled tank system . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
3.2
Discrete-event control using repetition . . . . . . . . . . . . . . . . . . . . . .
20
3.3
Discrete-event control using recursion . . . . . . . . . . . . . . . . . . . . . .
21
3.4
P control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
23
3.5
PI control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
3.6
PI control with anti-windup . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
v
vi
4
5
Contents
Hybrid automata related modeling
35
4.1
Constrained pendulum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
35
4.2
Bottle filling line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36
Examples
41
5.1
Dry friction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
41
5.2
Bottle filling system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
44
5.3
Conveyor system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
Bibliography
65
Chapter 1
Overview of the syntax of the Chi
language
1.1
Model syntax
In this section, the syntax of χ models is defined using a Backes-Naur Form (BNF) like notation.
The symbol | defines choice, notation {Z }∗ denotes a sequence of zero or more Z ’s, and notation
{Z }0 defines Z as being optional. The syntax of a χ model is defined by the following BNF
definition for χmodel :
χmodel ::= model id({Dm }0 ) = |[ {D ::}0 p ]|
where id is an identifier that represents the name of the model, and Dm denotes the (optional)
model parameter declarations as defined below. Furthermore, D denotes the (optional) declaration of variables and/or channels of the model. This type of declaration is also used to
declare the local variables and channels in scope statements. Finally, p denotes a statement,
also known as process term. The scope statement and statement p are both defined in Section
1.3. The syntax of the declarations Dm and D is:
Dm ::= val S {, S}∗ | Dm , Dm
D ::=
|
|
|
|
|
chan S {, S}∗
(var | cont | alg) IS {, IS}∗
time = e
init u
mode X = p {, X = p}∗
D, D
value parameter declaration
channel declaration
variable declaration
time initialization
general initialization
mode declaration
1
2
Chapter 1. Overview of the syntax of the Chi language
IS ::= id {, id}∗ : t = e
| S
declaration with initialization
S ::= id {, id}∗ : t
declaration without initialization
Here, t denotes the type of a variable or channel, e denotes an expression, u denotes a predicate over variables (including the variable time) and dotted (continuous) variables (derivatives), and id denotes an identifier. The comma in predicate u denotes conjunction. E.g.
init u 1 , u 2 means init u 1 and u 2 . An executable model instantiation for a model declared
as model M(val x1 : t1 , . . . , xn : tn ) is obtained by M(c1 , . . . , cn ), where ci denotes a value
for the corresponding model parameter xi . The following items can be declared in D:
• Channels, such as in chan h: real, close: void, which declares a communication
channel h, that communicates values of type real, and a synchronization channel close
(no data exchange).
• Discrete variables, such as in var k,n: int, v_set: real = 1.0. This declares two
uninitialized variables k,n of type int (integer), and a variable v_set with initial value
1.0. The values of discrete variables remain constant when model time progresses.
• Continuous variables, such as in cont x: real = 1.0. Continuous variables are the only
variables for which dotted variables (derivatives) can be used in models. Therefore, the
declaration cont x: real = 1.0 implies that x and its dotted version dot x (which represents x),
˙ can both be used in the model. The values of continuous variables may change
according to a continuous function of time when model time progresses. The values of
continuous variables are further restricted by equations and invariants (defined in the next
section).
• Algebraic variables, such as in alg y,z: real. These variables behave in a similar way as
continuous variables. The differences are that algebraic variables may change according to
a discontinuous function of time, and algebraic variables are not allowed to occur as dotted
variables.
• The (initial) value of the model time, such as in time = 1 (see below).
• An initialization predicate, such as init dot x = 0. This predicate can be used for initial
conditions that go beyond specification of the initial value of a variable.
• Mode declarations, such as
mode off = (V <= 8 -> n:= 1; on), mode on = (V >= 10 -> n:= 0; off).
Besides the variables mentioned in the model defined above, the existence of the predefined
reserved global variable time is assumed. This variable denotes the current model time. Its
initial value is zero, unless specified otherwise. It cannot be declared, nor can it be assigned a
value. It can only be used in expressions in statements p.
1.3. Statement syntax
1.2
3
Expressions
An expression e in χ is a combination of values, variables, operators, and mathematical or user
defined functions that that can be evaluated to a value, assuming that the values of the variables
are defined. E.g. the value of expression 2 + x is 5, assuming that the value of x is 3. Apart from
the ‘normal’ mathematical expressions, the χ language also allows conditional expressions. Let
e denote an arbitrary expression, then the syntax of conditional expressions is:
econd ::= (ec )
ec
::= u → e
| ec ‘|’ ec
The value of a conditional expression (u 1 → e1 | · · · | u n → en ) is the value of expression ei
for which the associated guard u i is true, assuming that such a guard exists. An example of a
conditional expression is the equation eqn x = (y < 0 → 0 | 0 ≤ y ≤ 1 → y | y > 1 → 1)
that defines the value of variable x to be equal to the value of variable y, unless the value of y
is smaller than 0 or bigger than 1, in which case saturation occurs. The meaning of conditional
expressions is more precisely defined in Section 2.1.
1.3
Statement syntax
The syntax of χ statements p, is as follows:
p ::=
|
|
|
|
|
|
|
patom
atomic statement
p; p
sequential composition statement
p8p
alternative composition statement
pkp
parallel composition statement
∗p
loop statement
∗
b → p
while statement
|[ D :: p ]| scope statement
id(e)
process instantiation statement
where b denotes a predicate (boolean/logical expression) over variables, D denotes a declaration
as defined in Section 1.1, and e denotes comma separated expressions e1 , . . . , en (see Section
1.2).
Statements can be divided in two classes: the atomic statements patom , that represent the smallest statement units; and the compound statements, that are constructed from one or more
(atomic) statements by means of operators. A further division of the statements is based on
the action and delay behavior of the statements. A statement executing an action, such as an
assignment, does so in zero time. The delay behavior of statements on the other hand, involves
4
Chapter 1. Overview of the syntax of the Chi language
the passing of time (see Chapter 2 for a more precise explanation). The syntax of the atomic χ
statements patom is as follows:
patom ::=
|
|
|
|
|
|
|
non-delayable action statement
guarded non-delayable action statement
delayable action statement
guarded delayable action statement
delay statement
equation statement
invariant statement
mode statement
pndact
b → pndact
pdact
b → pdact
1d
eqn u
inv u
X
where d denotes an expression of type real, and X denotes an identifier. Equation statements
occur in the form of differential algebraic equations, such as eqn x˙ = y , y = n. Invariants
usually occur in the form of an inequality, such as inv x ≥ 1, but they may also occur as
equations.
The non-delayable action statements can only execute actions. They are defined as:
pndact ::=
|
|
|
skip
x := e
h ?? x |
h !! e |
h??
h!!
non-delayable skip statement
non-delayable (multi-)assignment statement
non-delayable receive statement
non-delayable send statement
where x and e denote comma separated variables x1 , . . . , xn and expressions e1 , . . . , en , respectively, for n ≥ 1, and h denotes a channel.
The guarded non-delayable action statement b → pndact can only delay while the value of the
guard is false. The action can, in principle, be executed when the value of the guard is true.
The delayable action statements can, in principle, execute an action or they can perform arbitrary delays. They are defined as:
pdact ::=
|
|
|
[skip]
[x := e]
h !e
|
h ?x |
h!
h?
delayable skip statement
delayable (multi-)assignment statement
delayable send statement
delayable receive statement
The guarded delayable action statement b → pdact can, in principle, execute an action when the
value of the guard is true, or it can perform arbitrary delays. The delay statement 1d can delay
while the value of d is bigger than zero. When the value of d equals zero, the delay statement
can do an action. Finally, the equation and invariant statements eqn u and inv u can only delay;
they restricts the values (solutions) of the variables while delaying.
1.3. Statement syntax
5
The operators are listed in descending order of their binding strength as follows:
∗
{∗, → , → }, ; , {k , 8 }.
The operators inside the braces have equal binding strength. For example, x := 1; y := x 8
x := 2; y := 2x means (x := 1; y := x) 8 (x := 2; y := 2x). Parentheses may be used to
group statements. To avoid confusion, parenthesis are obligatory when alternative composition
and parallel composition are used together. E.g. p 8 q k r is not allowed and should either be
written as ( p 8 q) k r , or as p 8 (q k r ).
6
Chapter 1. Overview of the syntax of the Chi language
Chapter 2
Informal semantics of the Chi language
In this chapter, the meaning (semantics) of a χ model is informally defined in terms of delay
behavior and action behavior, based on the formal semantics as presented in [4] and [7]. Action
behavior is instantaneous: time does not progress, and the semantics defines for each variable
the relation between its value before and after the action. Delay behavior involves passing of
time, where the semantics defines for each variable how its value changes as a function of time.
Actions and delays are done by active atomic statements. Instead of the term delay, also the
term ‘time step’ is used.
Section 2.2 defines the behavior of active atomic statements in terms of execution of actions
and delays, Section 2.3 defines the behavior of compound statements in terms of the relation
between activation, action execution, termination, and deactivation of statements, and Section
2.4 defines the behavior of models.
2.1
Conditional expressions
Let e denote an expression, and let ξ(e) denote the value of expression e, then:
ξ(e1 ) if ξ(u 1 )
.
ξ((u 1 → e1 | · · · | u n → en )) = ..
ξ(e ) if ξ(u )
n
n
Thus, the value of the conditional expression is the value of an expression ei associated to a
condition u i that is true. It is assumed that at least one of the conditions evaluates to true:
ξ(u 1 ) ∨ · · · ∨ ξ(u n ) = true. The meaning is not defined when none of the conditions evaluate
to true. In case more than one of the conditions are true, it is assumed that the values of the
associated expressions are the same. More precisely, for all conditional expressions (u 1 → e1 |
· · · | u n → en ) and for all i and j between 1 and n, we assume that if ξ(u i ∧ u j ), then ξ(ei = e j ).
7
8
Chapter 2. Informal semantics of the Chi language
2.2
2.2.1
Behavior of atomic statements
Action behavior of action statements
An active multi-assignment statement xn := en for n ≥ 1 can do an unnamed action that changes
the values of the variables x1 , . . . , xn in one step to the values of expressions e1 , . . . , en , respectively, and then terminates. For n = 1, this gives a normal assignment x := e.
An active skip statement can do an unnamed action without changing the values of the discrete
and continuous variables. Note that the purpose of the skip statement is twofold: it can be used
to model waiting for a condition b, as in b → skip, and/or it can be used to enforce a choice in
an alternative composition (see process Tank in Section 4.2).
An active send statement h !! e, h!!, h ! e, or h!, can, in principle, do a send action; and an active
receive statement h ?? e, h??, h ? x, or h?, can, in principle, do a receive action.
With respect to the action behavior, there is no difference between the delayable and nondelayable versions of the skip ([skip]), assignment ([x := e]), send (h ! e) and receive (h ? x)
statements, respectively.
A guarded (skip/assignment/send/receive) statement can do its corresponding action only if the
value of the guard is true.
The unnamed action is a non-synchronizing action, meaning that it always occurs by itself.
The send and receive actions are synchronizing actions: a send action can be executed only
simultaneously with a receive action on the same channel, as is explained in Section 2.3.4.
2.2.2
Delay behavior of action statements
The delay behavior of active atomic action statements is as follows:
• The non-delayable, non-guarded versions of the skip statement, assignment, and send and
receive statements can never delay.
• The guarded versions of the non-delayable atomic statements can delay for as long as the
guard remains false.
• The (possibly guarded) delayable versions of the skip statement, assignment, and send and
receive statements can always delay.
2.2.3
Behavior of the delay statement
A delay statement 1d behaves as a timer with an invisible local timing variable that keeps track
of the remaining time. The value of this timing variable is set to the value of expression d when
the delay statement is activated for the first time, or when it is re-activated after having been
2.3. Behavior of compound statements
9
deactivated. The behavior of the timer depends on the value of the timing variable. Assuming
the value of the timing variable to be c, then:
• For c > 0, an active delay statement can delay (do a time step) for at most c time units.
After a delay of t (t ≤ c) time units, the new value of the timing variable is set to c − t.
• For c ≤ 0, an active delay statement can do an unnamed action.
2.2.4
Behavior of the equation and invariant statement
An active equation statement eqn u or invariant statement inv u can delay, but it cannot do
actions. A equation or invariant statement can delay for as long as it has a solution. Such a
solution defines the values of the continuous and algebraic variables as a function of time for
the period of the delay. The values of the discrete variables do not change while delaying.
At each time point during the delay, an active equation / invariant must be satisfied (its value
must be true), when all variables and dotted variables in the predicate are replaced by their
current value (the value of the associated solution function at the time point).
The difference between equation statements and invariant statements is that equation statements
are assumed to always have a solution, although this is currently not checked in the simulator,
whereas for an invariant, depending on the values of the variables, there may not be a solution.
In the case that an invariant cannot be satisfied, the simulator ensures that the invariant is not
activated. In this way, invariant statements also restrict the action behavior of χ models, because
the active invariants must hold before and after each action. In fact, the active invariants and
equations of a χ model must hold at all times. This is referred to as the ‘consistent equation
semantics’.
The relation between the solution function of a continuous variable x and the solution
R tfunction
of its ‘derivative’ x˙ is given by the Caratheodory solution concept: x(t) = x(0) + 0 x(s)ds.
˙
This allows a non-smooth (but continuous) function for a differential variable x in the case
that the solution function of its ‘derivative’ x˙ is non-smooth or even discontinuous, as in, for
example, model M() = |[ cont x : real = 0.0 :: x˙ = step(time − 1) ]|, where step(y) equals 0
for y ≤ 0 and 1 for y > 0.
2.3
Behavior of compound statements
This section defines the action behavior of compound statements. Compound statements combine statements by means of operators.
The delay behavior of compound statements is not explicitly defined. It is defined implicitly,
because only active atomic statements can execute delays, and the set of active (atomic) statements is defined by the action behavior of compound statements and by the action behavior of
the model (see Section 2.4); the set of active atomic statements does not change when delaying.
10
Chapter 2. Informal semantics of the Chi language
Actions are done by active atomic statements. Section 2.3.1 gives an overview of how operators define the relation between action execution, termination, activation and deactivation of
statements. The sections thereafter define the behavior of the individual operators.
2.3.1
Overview
• Atomic statements terminate by doing an action. A statement that terminates becomes
inactive by doing so, and simultaneously may cause another statement to be activated (in
the cased of sequential composition, loop statements, while statements) and/or deactivated
(in the case of alternative composition).
• Activating a compound statement implies activating one or more of its sub-statements. E.g.
activating a sequential composition p1 ; . . . ; pn implies activating the first statement p1 ,
whereas activating a parallel composition p1 k . . . k pn implies activating all statements
p1 . . . pn .
• Deactivating a compound statement implies deactivating all of its sub-statements.
• Termination of a sub-statement may imply termination of its parent statement (the statement
of which it is a sub-statement). E.g. a sequential composition p1 ; . . . ; pn terminates upon
termination of its last sub-statement pn , whereas an alternative composition p1 8 . . . 8 pn
terminates upon termination of any of its sub-statements p1 , . . . , pn .
• Action execution of a sub-statement implies action execution of its parent statement. Therefore, a compound statement executes an action if one of its sub-statements executes an
action.
2.3.2
Sequential composition
In a sequential composition p1 ; . . . ; pn (n ≥ 2), only one statement pi , 1 ≤ i ≤ n, can be active
at the same time.
• Activating a sequential composition p1 ; . . . ; pn implies activating its first statement p1 .
• When statement pi (1 ≤ i ≤ n − 1) terminates (and is therefore also deactivated), the next
statement pi+1 is activated.
• The sequential composition terminates upon termination of its last statement pn .
2.3.3
Alternative composition
• Activating p1 8 . . . 8 pn (n ≥ 2) activates the statements p1 , . . . , pn .
2.3. Behavior of compound statements
11
• Execution of an action by any one of the statements p1 . . . pn deactivates the other statements. In this way, execution of the first action makes a choice.
• When one of the statements p1 , . . . , pn terminates, the alternative composition p1 8 . . . 8 pn
also terminates.
2.3.4
Parallelism
• Activating p1 k . . . k pn (n ≥ 2) activates the statements p1 , . . . , pn .
• When a statement pi (1 ≤ i ≤ n) executes an action, the other statements remain unchanged
(active/inactive).
• The parallel composition p1 k . . . k pn terminates when the statements p1 , . . . , pn have all
terminated.
Send and receive statements can be executed only in the context of parallel composition. Consider a parallel composition p1 k . . . k pn (n ≥ 2). A send statement occurring in statement
pi (1 ≤ i ≤ n) can be executed only if simultaneously a receive statement on the same channel, and occurring in another part p j (1 ≤ j ≤ n, i 6= j) of the parallel composition, can be
executed. The result of the simultaneous execution of a send action and a receive action on
the same channel is a communication action. E.g. the simultaneous execution of the send and
receive action in h ! 1 k h ? x leads to a communication action, the result of which is comparable
to execution of the assignment x := 1. If no data is sent via the channel (as in h! k h?), the
resulting communication action is comparable to execution of skip.
Informally, we often refer to the statements p1 , . . . , pn occurring in p1 k . . . k pn as parallel
processes. Parallel processes interact by means of shared variables or by means of synchronous
point-to-point communication or synchronization via a channel. Communication in χ is the
sending of values of one or more expressions by one parallel process via a channel to another
parallel process, where the received values are stored in variables. In case no values are sent
and received, we refer to synchronization instead of communication.
2.3.5
Loop and while statement
Loop statement ∗ p represents the infinite repetition of statement p.
• When ∗ p is activated, p is activated.
• Termination of p results in re-activation of p.
∗
The while statement b → p can be interpreted as ‘while b do p’.
∗
• Activation of b → p when b is true activates p (by means of an unnamed action).
12
Chapter 2. Informal semantics of the Chi language
∗
• Activation of b → p when b is false, leads to termination of the while statement (by means
of an unnamed action).
The two operators can be expressed in terms of a scope statement (see Section 2.3.7) in the
following way:
∗p
, |[ mode X = ( p; X ) :: X ]|
∗
b → p , |[ mode X = ( u → skip; p; X
8 ¬u → skip
)
:: X
]|
∗
In the definition of ∗ p and u → p, identifier X denotes a fresh mode variable not occurring
free in p.
2.3.6
Scope statement declaring variables or channels
The scope statement may introduce new variables and new channels. Any occurrence of a
variable or channel in p that is declared in D refers to that local variable or channel and not
to any more global declaration of the variable or channel with the same name, if such a more
global declaration should exist.
• Activation of a scope statement |[ D :: p ]|, where the local declaration part D introduces
new variables and or channels according to the specification of D in Section 1.1, performs
the variable initializations specified in D and activates statement p.
• Termination of p terminates the scope statement |[ D :: p ]|.
2.3.7
Recursion
Recursion refers to the use of modes in one of the following ways:
• Modes can be declared in the declaration part D of a model. E.g.
model M() = |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|
Here, X 1 . . . X n are identifiers representing different modes, and p1 . . . pn+1 represent statements.
• Modes can be declared using the scope statement. For this purpose, the scope statement is
of the form |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|. This type of scope statement
is referred to as ‘mode scope statement’.
2.3. Behavior of compound statements
13
• Execution of a mode is modeled by means of the mode statement X .
The formal semantics of the scope statement and the mode statement is defined in [3]. Below,
we informally define the semantics of the mode scope statement and the mode statement for a
subset of the Chi language. The subset is defined by means of three restrictions on the use of
the mode scope statement and the mode statement:
• If a mode statement X occurs in a sequential composition, it occurs at the end. This use of
modes is known as tail recursion.
• Mode scope statements and models that declare modes in the declaration part of the model
are ‘complete’. This means that in a mode scope statement, or model statement, of the form
|[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|,
or
model M() = |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|,
respectively, all occurrences of free (unbound) mode identifiers (statements) X i in p j (1 ≤
i ≤ n, 1 ≤ j ≤ n + 1) must be defined in the mode scope statement, or model, respectively.
Formally: freerecvar( p j ) ⊆ {X 1 , . . . , X n } for each 1 ≤ j ≤ n + 1, where freerecvar( p j ) is
a function that returns the set of free (unbound) occurrences of mode identifiers in p j .
• Mode statement do not occur in a parallel composition with other statements. Mode scope
statements are allowed to occur in a parallel composition.
These restrictions ensure that termination of any of the statements pi also terminates the scope
operator itself.
Although mode statements cannot be placed in parallel directly, two mode scope statements can
occur in parallel, as in:
|[ mode X 1 = ( p1 ) :: X 1 ]| k |[ mode X 2 = ( p2 ) :: X 2 ]|,
where the two mode identifiers X 1 and X 2 can of course have the same name, without changing
the meaning of the model.
The meaning of a mode scope statement |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|
satisfying the restrictions defined above, is as follows:
• Activating the mode scope statement activates the statement pn+1 .
• When a mode statement X i , occurring at the end of a statement p j (1 ≤ j ≤ n + 1), is activated (or deactivated), its corresponding statement pi is activated (or deactivated) instead.
• When a statement p j (1 ≤ j ≤ n + 1) terminates, the mode scope statement terminates.
The meaning of a model M() = |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]| is defined
likewise.
14
Chapter 2. Informal semantics of the Chi language
2.4
Behavior of models
Execution of a χ model M, defined as model M(D0 ) = |[ D1 :: p0 ]|, takes place by first
initializing the model, followed by executing a sequence of actions and delays, as defined in
the following sections.
2.4.1
Initialization
Initialization of the model can be defined as a separate step, that does not involve actions, nor
delays:
• All initialization expressions of the variables declared in D1 are evaluated, and the corresponding variables are initialized.
• Statement p0 is activated.
• The variables that are not initialized in D1 , including the dotted continuous variables, are
initialized in such a way that the initialization predicate (predicate u of init u, if present) in
D1 holds, and all active equations and all active invariants hold (if statement eqn u is active,
u holds, and likewise for inv u).
If such an initial solution does not exist, the model has no behavior. If multiple initial solutions
exist, the model may start in any of the allowed initial solutions (nondeterminism).
2.4.2
Action execution
• The model can execute an unnamed action if an active atomic statement can execute an
unnamed action, and the new set of active equations and invariants (after execution of the
action) can be satisfied as follows:
In a skip statement, the values of the discrete and continuous variables remain unchanged,
and the values of the algebraic and dotted variables are changed such that the new set of
active equations and invariants is satisfied.
In an assignment statement x := e, the values of the variables that occur in x change to the
value of e. The values of the other discrete and continuous variables remain unchanged.
The values of the other algebraic and dotted variables are changed such that the new set of
active equations and invariants is satisfied.
• The model can execute a communication action if a pair of an active send statement and
active receive statement, that are placed in parallel, can execute a communication action.
After execution of the communication action, the new set of equations and invariants is
satisfied as follows: for h! k h?, the new values of the variables are defined in a similar
way as specified for the skip statement; and for h ! e k h ? x, the new values of the variables
2.5. Process definition and instantiation
15
are defined in a similar way as specified for the assignment statement x := e. For reasons
of simplicity, we assume that the new set of active equations and invariants can always be
satisfied after a communication action.
2.4.3
Delaying
The model can execute a delay when the following requirements are met:
• All active statements can simultaneously execute the same delay. Note that the set of all
active equations and invariants can delay for as long as they have a solution.
• No communication action is possible at the start of the delay and during the delay. A
communication action may become possible at the end point (last time point) of the delay
(due to the fact that the values of the guards of send or receive statements may become true
while delaying). Communication should not be possible while delaying because, by default,
channels in χ are urgent: communication cannot be postponed by delaying.
2.4.4
Nondeterminism
When different actions and/or delays are possible, any of these can be chosen. This is referred to
as nondeterministic choice. Note that delays may always be shorter than the maximum possible
length.
In models of physical systems, the delay behavior of the continuous and algebraic variables is
usually uniquely determined: there is usually only one solution of the set of active differential
algebraic equations. Multiple delays / solutions can be caused by under-specified systems of
equations, where there are less equations than variables, or by equations or invariants that allow
multiple solutions, such as inv x˙ ≥ 1, inv true or eqn x˙ ∈ [0, 1].
2.5
Process definition and instantiation
To simplify the explanation, process instantiation id(e) is rewritten in a more specific form
id(xn , zm , hl , ek ), where id denotes a process name, xn denotes the continuous variables
x1 , . . . , xn , zm denotes the algebraic variables z 1 , . . . , z m , hl denotes the channels h 1 , . . . , h l ,
and ek denotes the expressions e1 , . . . , ek . Process instantiation enables (re)-use of a process
definition. A process definition is specified once, but it can be instantiated many times, usually
with different parameters.
The meaning of process instantiation
id(xn , zm , hl , ek )
16
Chapter 2. Informal semantics of the Chi language
with corresponding process definition
proc id(cont x0n : tc , alg z0m : ta , chan hl0 {!|?}0 : th , val vk : tv ) = |[ D :: p ]|
is obtained by the syntactical substitution of the process instantiation by
|[ var vk : tv = wk , D :: p ]| [xn , zm , hl , ek /x0 n , z0m , h0m , wk ],
where notation t... denotes a data type, and hl0 {!|?}0 denotes the channels h 01 {!|?}0 , . . . , h l0 {!|?}0 ,
where each channel is optionally postfixed with ! or ?. The meaning of h! or h? in the formal
parameter list is that the use of channel h in p is limited to sending (h!.. or h!!..) or receiving
(h?.. or h??..), respectively. Notation r [b1 , . . . , bi /a1 , . . . , ai ] denotes the statement obtained
from r by syntactic substitution of the free occurrences of the variables/channels a1 , . . . , ai in
r by b1 , . . . , bi , respectively. Free variables (or channels) in p are variables (or channels) that
are not defined in D or in declaration parts of scope operators occurring in p.
The substitution replaces the process instantiation id(xn , zm , hl , ek ) by the process body |[ D ::
p ]|, whereafter the value parameters vk are added to the local declarations D as discrete variables that are initialized to the values of the new variables wk . Finally, the (free) variables
x0 n , z0 m , wk and the (free) channels h0 m occurring in the body are substituted by xn , zm , ek , hl ,
respectively.
The substitution is defined in such a way that no variables from xn , zm or ek , and no channels
from hl become bound. This is the case if the variables xn , zm , the variables occurring in ek ,
and the channels hl are all different from the local variables and channels defined in D and
different from vk . If substitution would cause new bindings, the local variable or local channel
that a variable or channel from xn , zm , ek , or hl would become bound to, is renamed into a fresh
variable or fresh channel before the substitution takes place.
The substitution declares the value parameters vk as local discrete variables with initial values
ev . By convention, however, process term p normally does not change the values of these
variables. In Section 4.2.1, substitution of process instantiations is illustrated by means of an
example.
The substitution is illustrated using a model of a system that consists of two tanks. Each tank is
filled by means of an incoming flow, and emptied by means of an outgoing flow. The outflow
Qout of the first tank is connected to the inflow Qin of the second tank. The volume of each
tank is specified by continuous variable V, and its initial volume is given by parameter V0:
proc T(alg Qin,Qout: real, val V0: real) =
|[ cont V: real = V0
:: eqn dot V = Qin - Qout
]|
model TwoT() =
2.5. Process definition and instantiation
|[
::
||
||
17
alg Q0,Q1,Q2: real
T(Q0,Q1,2.0)
T(Q1,Q2,3.0)
eqn Q0 = 1.0
, Q1 = 1.0
, Q2 = 1.0
]|
The meaning of this model is obtained by substituting the two process instantiations by their
bodies as defined above. This leads to the model:
model TwoT() =
|[ alg Q0,Q1,Q2:real
:: |[ var V0: real = 2.0
, cont V: real = V0
:: eqn dot V = Q0 - Q1
]|
|| |[ var V0:real = 3.0
, cont V:real = V0
:: eqn dot V = Q1 - Q2
]|
|| eqn Q0 = 1.0
, Q1 = 1.0
, Q2 = 1.0
]|
Adding a controller that pumps the contents of the first tank into the second tank leads to the
following model, where process PC models the pump and the controller. The pump is switched
off when the first tank is empty or when the second tank is full (V2 = 1.0), whatever comes
first:
proc T(cont V:real, alg Qin,Qout:real) =
|[ eqn dot V = Qin - Qout ]|
proc PC(cont V1,V2: real, alg Q: real, val Qset: real) =
|[ var n: nat = 0
:: n:= 1; ( V1 <= 0 -> n:= 0
| V2 >= 1 -> n:= 0
)
|| eqn Q = n*Qset
]|
model TwoT2() =
|[ cont V1:real = 2.0
, V2:real = 3.0
, alg Q0,Q1,Q2:real
18
::
||
||
||
Chapter 2. Informal semantics of the Chi language
T(V1,Q0,Q1)
T(V2,Q1,Q2)
PC(V1,V2,Q1,0.5)
eqn Q0 = 0.0
, Q2 = 0.0
]|
The meaning of this model is again obtained by substitution of the process instantiations by
their bodies and subsequent rewriting, which leads to the model:
model TwoT2() =
|[ cont V1: real = 2.0
, V2: real = 3.0
, alg Q0,Q1,Q2: real
:: |[ eqn dot V1 = Q0 - Q1 ]|
|| |[ eqn dot V2 = Q1 - Q2 ]|
|| |[ var Qset: real = 0.5
, n: nat = 0
:: n:= 1; ( V1 <= 0 -> n:= 0
| V2 >= 1 -> n:= 0
)
|| eqn Q1 = n*Qset
]|
|| eqn Q0 = 0.0
, Q2 = 0.0
]|
Chapter 3
Tank level control strategies
In this chapter, the χ language is used for specification and analysis of different control strategies for a nonlinear tank system.
3.1
The controlled tank system
The controlled nonlinear tank system is shown in Figure 3.1. The control system LC tries to
keep the level in the tank close to a set point h set . There is a continuous flow Q out out of the
vessel. The value of this flow depends on the height of the liquid in the vessel. The controller
controls the level of the tank by adjusting the position of the valve, thus controlling the incoming
flow Q in . In the discrete-event controller of the next section the valve can only be switched on
and off. In the continuous and discrete-time controllers of subsequent sections the position of
the valve can be adjusted linearly between 1 (fully open) and 0 (closed).
The tank equations of a tank with no incoming flow, and outgoing flow Q, are derived by means
of the formula
X
X
psource =
ploss
which are assumed to satisfy
ρgh = K L Q 2
Qi
LC
h
Qo
Figure 3.1: The controlled tank system.
19
20
Chapter 3. Tank level control strategies
DE1()
h(time)
Qi(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
5
10
15
20
25
Figure 3.2: Discrete-event on/off control.
where K L is the loss factor. This can be rewritten as
s
√
ρgh
Q=
=k h
KL
3.2
Discrete-event control using repetition
The first controller is a discrete-event controller that keeps the liquid between between two
levels: 0.8 and 1.0. The valve is modeled by the discrete variable n. When the liquid in the
tank drops below 0.8, the valve is opened (n:= 1). When the liquid in the tank rises above 1.0,
the valve is closed (n:= 0). The incoming and outgoing flows are modeled by the algebraic
variables Qi and Qo, respectively. Initially, the volume in the tank equals 0.1, and the valve
is closed (n = 0). Figure
3.2 shows the results of a simulation run. In the model DE1 below,
√
sqrt(h) represents h.
from standardlib import *
model DE1() =
|[ cont
h: real
, alg Qi,Qo: real
, var n
: nat
, A
: real
, k
: real
, Qmax : real
:: eqn dot h = (Qi
,
Qo = k *
= 0.1
= 0
= 10.0
= 0.5
= 1.2
- Qo) / A
sqrt(h)
3.3. Discrete-event control using recursion
21
,
Qi = n * Qmax
|| *( h <= 0.8 -> n:= 1; h >= 1.0 -> n:= 0 )
]|
Eliminating the parameters A,k and Qmax, and using the volume V instead of the height h, leads
to the model:
model DE2() =
|[ cont
V: real = 1.0
, alg Qi,Qo: real
, var n
: nat = 0
:: eqn dot V = Qi - Qo
,
Qo = 0.5 * sqrt(V/10)
,
Qi = n * 1.2
|| *( V <= 8 -> n:= 1; V >= 10 -> n:= 0 )
]|
The controller *(V <= 8 -> n:= 1; V >= 10 -> n:= 0) is correct only for initial conditions satisfying V <= 8 or n = 0. A controller that is correct for all initial conditions is:
*( n = 0 and V <= 8 -> n:= 1
| n = 1 and V >= 10 -> n:= 0
)
3.3
Discrete-event control using recursion
The discrete-event controller
*( V <= 8 -> n:= 1; V >= 10 -> n:= 0 )
can be replaced by the following equivalent controller using a recursion definition:
|[ mode X = (V <= 8 -> n:= 1; V >= 10 -> n:= 0; X )
:: X
]|
This recursion definition can be replaced by two definitions, such that the two modes on (valve
is opened) and off (valve is closed) can be distinguished:
|[ mode off = ( V <= 8 -> n:= 1; on )
, on = ( V >= 10 -> n:= 0; off )
:: off
]|
22
Chapter 3. Tank level control strategies
A controller using modes that is correct for all initial conditions is:
|[ mode off = ( V <= 8 -> n:= 1; on )
, on = ( V >= 10 -> n:= 0; off )
:: n = 0 -> skip; off | n = 1 -> skip; on
]|
Recall from Section 2.1 that a condition u i associated with an expression e1 . Since a mode
statement is no expression, they have to be preceded with an arbitrary expression. A simplified
controller that is also correct for all initial conditions is:
|[ mode off = ( V <= 8 -> n:= 1; on )
, on = ( V >= 10 -> n:= 0; off )
:: off | on
]|
In this case, initially, both modes are activated. This means that initially, both modes off and
on are activated. If both guards are false, then the two initial statements of the modes V <= 8
-> n:= 1 and V >= 10 -> n:= 0 can both delay. When one of the two guard is, or becomes,
true, delaying is no longer possible. After executing the action (n:=1 or n:= 0), the other mode
is disabled, so that subsequently, only one mode is enabled. The complete model is:
model DE3() =
|[ cont
V: real = 1.0
, alg Qi,Qo: real
, var n
: nat = 0
:: eqn dot V = Qi - Qo
,
Qo = 0.5 * sqrt(V/10)
,
Qi = n * 1.2
|| |[ mode off = ( V <= 8 -> n:= 1; on )
, on = ( V >= 10 -> n:= 0; off )
:: off | on
]|
]|
The initial position of the valve is defined by the initial value of variable n.
If the controller does not need to be separated from the physical system, the variable n can be
eliminated by integrating the incoming flow into the control specification. This leads to the
model:
model DE4() =
|[ cont
V: real = 1.0
3.4. P control
23
, alg Qi,Qo: real
:: eqn dot V = Qi - Qo
,
Qo = 0.5 * sqrt(V/10)
|| |[ mode off = ( eqn Qi = 0
| V <= 8 -> skip; on
)
, on = ( eqn Qi = 1.2
| V >= 10 -> skip; off
)
:: off
]|
]|
Here, the initial position of the valve is defined by the initial mode, which is off in the model
DE4(). The model is correct for all initial values of V.
3.4
P control
In this example, the on/off valve used in the previous section is replaced by a valve that can be
adjusted linearly between fully open and closed. The control input of the valve is represented
by variable u; the output of the valve is the flow Qi.
The valve is modeled by means of an equation and a conditional expression:
eqn Qi = ( u < 0
-> 0
| 0 <= u and u <= 1 -> u * Qmax
| u > 1
-> Qmax
)
It is assumed that the valve operates in its linear mode for 0 ≤ u ≤ 1. If the valve is fully opened
(u ≥ 1), the input flow equals Qmax. If u becomes negative, the flow becomes zero.
3.4.1
Continuous-time control
The input variable u of the valve is adjusted by the continuous-time proportional controller,
which consists of (algebraic) equations only. The error is the difference between the required
level hset and the actual level h. The control output u is obtained by multiplying the error by
constant Kp. The χ model of the tank system with a continuous-time proportional controller
follows below (model P_C).
24
Chapter 3. Tank level control strategies
P_C(20)
Qi(time)
Qo(time)
h(time)
e(time)
Qtot(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
5
10
15
20
u(time)
18
16
14
12
10
8
6
4
2
0
0
5
10
15
20
Figure 3.3: Continuous-time P control (Kp = 20).
model P_C(val Kp: real) =
|[ cont
h: real = 0.1
, alg Qi,Qo: real
,
e,u: real
, var hset: real = 1.0
, alg Qtot: real
:: Tank(h,Qi,Qo,u)
|| eqn e = hset - h
, u = Kp * e
|| eqn Qtot = Qi - Qo
]|
where process Tank is defined as:
proc Tank(cont h: real, alg Qi,Qo,u: real) =
3.4. P control
|[ var
,
,
:: eqn
,
,
A
:
k
:
Qmax:
dot h
Qo
Qi
25
real = 10.0
real = 0.5
real = 1.2
= (Qi - Qo) / A
= k * sqrt(h)
= ( u < 0
-> 0.0
| u >= 0 and u <= 1 -> u * Qmax
| u > 1
-> Qmax
)
]|
The results of the simulation run are shown in Figure 3.3, at the top of the figure the model
name can be found along with the parameter value. The ASCII data output of the simulator
(not shown here) shows that the final error hset - h approaches 0.025, which corresponds
to the theoretical expectations. In this proportional controller, the minimum error is directly
proportional to the required inflow Q i . In the linear mode of the valve, Q i = u Q max . Combined
with u = K p e, this leads to e = K p QQimax . The minimum value of Q i is obtained in steady state
conditions when the derivative h˙ (h’ in the model) equals zero, so that Q i = Q o . Figure 3.3
shows that after 20 time units, the value of h does not noticeably increase anymore, so that
steady state conditions
indeed be assumed. Since the error is very small under steady state
√ can √
0.5
conditions, Q o = k h ≈ k h set = 0.5, leading to e = K p QQimax ≈ 20·1
= 0.025.
Hybrid valve model
A alternative model for the valve can be obtained by defining three modes of operation for the
valve in a mode scope statement, and switching between these modes by means of actions:
|[ mode low
, mode lin
= ( eqn
= ( eqn
| u >
| u <
)
, mode high = ( eqn
:: lin
]|
Qi =
Qi =
1 ->
0 ->
0 | u >= 0 -> skip; lin )
u * Qmax
skip; high
skip; low
Qi = Qmax | u <= 1 -> skip; lin )
Initially, mode lin is activated. If, initially, this mode does not correspond to the value of the
input u (u > 1 or u < 0), then one of the statements u > 1 -> skip or u < 0 -> skip will
have a guard that is true. In such a case, delaying will be impossible, and the model will switch
to the correct mode by means of an action. The complete model is given below.
26
Chapter 3. Tank level control strategies
proc TankModes(cont h: real,
|[ var A
: real = 10.0
, k
: real = 0.5
, Qmax: real = 1.2
:: eqn dot h = (Qi - Qo) / A
,
Qo = k * sqrt(h)
|| |[ mode low = ( eqn Qi =
, lin = ( eqn Qi =
| u > 1 ->
| u < 0 ->
)
, high = ( eqn Qi =
:: lin
]|
]|
alg Qi,Qo,u: real) =
0 | u >= 0 -> skip; lin )
u * Qmax
skip; high
skip; low
Qmax | u <= 1 -> skip; lin )
model P_C_M(val Kp,hini: real) =
|[ cont
h: real = hini
, alg Qi,Qo: real
,
e,u: real
, var
hset: real = 1.0
:: TankModes(h,Qi,Qo,u)
|| eqn e = hset - h
, u = Kp * e
]|
There is no visible difference between the graphical output of the simulation of this model,
when started from the initial height hini=0.1, and the simulation results as shown in Figure
3.3. The model starts by executing an action at time 0 (switching to mode high), followed
by a delay until time point 10.12, where an action is executed that switches the mode to lin,
followed by a delay until time 20.
3.4.2
Discrete-time control
For comparison we replace the continuous-time controller by a discrete-time controller, leading
to the model P_DT. It is a discrete-time controller, because it takes a sample of the level of the
liquid every ts seconds. In the repetition of the discrete-time controller, the error e (e:= hset
- h) and the control output u (u:= Kp * e) are calculated first. After this, the sampler waits
for ts seconds. Since the assignments are non-delayable, the model can do time steps only
when the delay statement delay ts is active. Therefore, the samples are spaced at exactly ts
seconds.
Figure 3.4 shows the simulation results, which are similar to the results shown in Figure 3.3.
The graph clearly shows that the control output stays constant in a sample period.
3.4. P control
27
P_DT(20, 0.5)
Qi(time)
Qo(time)
h(time)
e(time)
Qtot(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
5
10
15
20
u(time)
18
16
14
12
10
8
6
4
2
0
0
5
10
15
20
Figure 3.4: Discrete-time P control (Kp = 20, ts = 0.5).
model P_DT(val Kp,ts:
|[ cont
h: real =
, alg Qi,Qo: real
, var
hset: real =
,
e: real
,
u: real =
, alg Qtot: real
:: Tank(h,Qi,Qo,u)
|| *( e := hset - h
; u := Kp * e
; delay ts
)
|| eqn Qtot = Qi - Qo
]|
real) =
0.1
1.0
0.0
28
Chapter 3. Tank level control strategies
PI_CD(20, 2)
Qi(time)
Qo(time)
h(time)
Qtot(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
10
20
30
40
50
60
u(time)
Kp_e(time)
Ki_Ie(time)
18
16
14
12
10
8
6
4
2
0
0
10
20
30
40
50
60
Figure 3.5: Continuous PI control (Kp = 20, Ki = 2).
3.5
3.5.1
PI control
Continuous-time control
To eliminate the final error of the proportional controller, an integral action is introduced in
model PI_CD. The integral term is represented by the variable Ie. This integral action is
switched on after 20 time units for comparison. The result of the simulation run is shown
in Figures 3.5 and 3.6. The figures clearly shows that the final error e now approaches zero as
a result of the integral action.
model PI_CD(val Kp,Ki: real) =
|[ cont
h: real = 0.1, Ie: real = 0.0
, alg Qi,Qo: real
,
e,u: real
, var hset: real = 1.0
3.5. PI control
29
PI_CD(20, 2)
1
u(time)
Kp_e(time)
Ki_Ie(time)
0.8
0.6
0.4
0.2
0
0
10
20
30
40
50
60
Figure 3.6: Continuous PI control (Kp = 20, Ki = 2).
,
b: bool = false
, alg Qtot,Kp_e,Ki_Ie: real
:: Tank(h,Qi,Qo,u)
|| eqn
e = hset - h
, dot Ie = (not b -> 0.0 | b -> e)
,
u = Kp * e + Ki * Ie
|| delay 20; b:= true
|| eqn Kp_e = Kp * e
, Ki_Ie = Ki * Ie
, Qtot = Qi - Qo
]|
In the model PI_C, shown below, the integral action is active from the start. Figures 3.7 and 3.8
show that this leads to a considerable overshoot initially, and the settling time becomes much
longer. This integrator windup is caused by the fact that initially the output saturates: no matter
how big the value of u, the incoming flow cannot be bigger than Qmax. This causes the error to
stay big for a long time. The integrator initially integrates this big error, leading to overshoot.
model PI_C(val Kp,Ki: real) =
|[ cont
h: real = 0.1, Ie: real = 0.0
, var hset: real = 1.0
, alg Qi,Qo: real
,
e,u: real
, alg Qtot,Kp_e,Ki_Ie: real
:: Tank(h,Qi,Qo,u)
|| eqn
e = hset - h
, dot Ie = e
30
Chapter 3. Tank level control strategies
PI_C(20, 2)
1.4
Qi(time)
Qo(time)
h(time)
Qtot(time)
1.2
1
0.8
0.6
0.4
0.2
0
-0.2
0
20
40
60
80
100
u(time)
Kp_e(time)
Ki_Ie(time)
15
10
5
0
-5
0
20
40
60
80
100
Figure 3.7: Continuous PI control (Kp = 20, Ki = 2).
,
u = Kp * e + Ki * Ie
|| eqn Kp_e = Kp * e
, Ki_Ie = Ki * Ie
, Qtot = Qi - Qo
]|
3.5.2
Discrete-time control
For the discrete-time version of the controller PI_CD, the integral of the error Ie is calculated
by cumulative addition of the product of the error and the sample time. Figure 3.9 shows the
simulation results.
model PI_DT(val Kp,Ki,ts: real) =
3.6. PI control with anti-windup
31
PI_C(20, 2)
2
u(time)
Kp_e(time)
Ki_Ie(time)
1.5
1
0.5
0
-0.5
-1
0
20
40
60
80
100
Figure 3.8: Continuous PI control (Kp = 20, Ki = 2).
|[ cont
h: real = 0.1
, alg Qi,Qo: real
, var
hset: real = 1.0
,
e: real = 0.0
,
Ie: real = 0.0
,
u: real = 0.0
, alg Qtot,Kp_e,Ki_Ie: real
:: Tank(h,Qi,Qo,u)
|| *( e := hset - h
; Ie := Ie + e * ts
; u := Kp * e + Ki * Ie
; delay ts
)
|| eqn Kp_e = Kp * e
, Ki_Ie = Ki * Ie
, Qtot = Qi - Qo
]|
3.6
PI control with anti-windup
Several anti-windup strategies are treated in the literature (e.g. [5]). Here we use a strategy for
discrete-time controllers. The process PIA_DT with anti-windup is shown below. The amount
of saturation of the output (u − 1 for u > 1, and u for u < 0) is subtracted from the integral term
Ie in order to reduce the saturation effect. This may initially lead to negative values of Ie, as
is shown in Figures 3.10 and 3.11. After 25 time units, the value of the error e (hset − h) is
smaller than 0.0001.
32
Chapter 3. Tank level control strategies
PI_DT(20, 2, 0.5)
Qi(time)
Qo(time)
h(time)
Qtot(time)
1
0.5
0
-0.5
0
10
20
30
40
50
20
u(time)
Kp_e(time)
Ki_Ie(time)
15
10
5
0
-5
0
10
20
30
40
50
Figure 3.9: Discrete-time PI control (Kp = 20, Ki = 2, ts = 0.5).
model PIA_DT(val Kp,Ki,ts: real) =
|[ cont
h: real = 0.1
, alg Qi,Qo: real
, var
e: real = 0.0
, hset: real = 1.0
,
Ie: real = 0.0
,
u: real = 0.0
, alg Kp_e: real, var Ie0: real
:: Tank(h,Qi,Qo,u)
|| *( e := hset - h
; Ie:= Ie + Ki * e * ts; Ie0:= Ie
; u:= Kp * e + Ie
; ( u < 0.0
-> Ie:= Ie - u
| 0.0 <= u and u <= 1.0 -> skip
| u > 1.0
-> Ie:= Ie - (u - 1)
3.6. PI control with anti-windup
33
PIA_DT(10, 5, 1)
Qi(time)
Qo(time)
h(time)
e(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
5
10
15
20
25
u(time)
Kp_e(time)
Ie0(time)
Ie(time)
10
5
0
-5
0
5
10
15
20
25
Figure 3.10: Discrete-time PI control with anti-windup (Kp = 10, Ki = 5, ts = 1).
)
; delay ts
)
|| eqn Kp_e = Kp * e
]|
34
Chapter 3. Tank level control strategies
PIA_DT(10, 5, 1)
2
u(time)
Kp_e(time)
Ie0(time)
Ie(time)
1.5
1
0.5
0
-0.5
-1
-1.5
-2
0
5
10
15
20
25
Figure 3.11: Discrete-time PI control with anti-windup (Kp = 10, Ki = 5, ts = 1).
Chapter 4
Hybrid automata related modeling
4.1
Constrained pendulum
Figure 4.1 shows a constrained pendulum that is also defined in [6]. The equations of motion
of this pendulum are given by Equation 4.1. The angle between the pendulum and the vertical
is denoted by θ , ω denotes the angular velocity of the pendulum, and l denotes the distance
between the rotation point and the mass.
θ˙ = ω
(4.1)
ml ω˙ = −mg sin(θ ) − dlω
O
O
Lp
Lp
P
θp
θp
P
L
−θ
Ls = L − Lp
θ
m
m
Figure 4.1: Constrained Pendulum.
The mass and maximum length of the pendulum are represented by m and L, respectively. The
damping coefficient and the acceleration due to gravity are denoted by d and g. The angle of
the constraint is denoted by θp . In order to keep the example as small and clear as possible, it is
35
36
Chapter 4. Hybrid automata related modeling
assumed that θp ≥ 0 and |θ | ≤ π/2. Also, it is assumed that the pendulum always remains in a
straight line from the rotation point to the end point. The χ model is:
model Pendulum(val θ0 , ω0 , d, m, g : real) =
|[ cont θ : real = θ0 , ω : real = ω0 , alg l : real
:: |[ mode long = ( (eqn l = L k inv θ ≤ θp ) 8 [ω := LLs ω]; short )
, mode short = ( (eqn l = L s k inv θ ≥ θp ) 8 [ω := LLs ω]; long )
:: (skip; long 8 skip; short)
]|
k eqn θ˙ = ω
, ml ω˙ = −mg sin(θ ) − dlω
]|,
where θ0 and ω0 denote constants representing the initial values of θ and ω, respectively. When
θ ≤ θp or θ ≥ θp , the pendulum can delay in mode long or short, respectively. In mode long,
the assignment ω := LLs ω can be executed only if the invariant inv θ ≥ θp of mode short can
be satisfied in the new state after the assignment to ω, because active invariants (and equations)
must always be satisfied. Notice that the equation eqn l = L s can always be satisfied. Therefore,
mode switches are possible only for θ = θp . The assignment [ω := LLs ω] must be delayable,
because otherwise the assignment and the alternative composition would not be able to delay.
Note that the model allows infinite switching between modes long and short, without progress
of time, when θ = θp . This switching behavior can, in principle, be avoided by guarding the
delayable assignments [ω := LLs ω] and [ω := LLs ω] with (non-trivial) conditions that prevent
mode switching when no delay behavior is possible in the new mode.
4.2
Bottle filling line
Figure 4.2 shows a bottle filling line, based on [1], consisting of a storage tank that is continuously filled with a flow Q in , a conveyor belt that supplies empty bottles, and a valve that is
opened when an empty bottle is below the filling nozzle, and is closed when the bottle is full.
When a bottle has been filled, the conveyor starts moving to put the next bottle under the filling
nozzle, which takes one unit of time. When the storage tank is not empty, the bottle filling
flow Q equals Q set . When the storage tank is empty, the bottle filling flow equals the flow Q in .
The system should operate in such a way that overflow of the tank does not occur. We assume
Q in < Q set .
Figure 4.3 shows an iconic representation of the model of the filling line. It consists of the
processes Tank and Conveyor that interact by means of the channels open and close, and shared
variable Q. The model is defined below. It has two parameters: the initial volume VT0 of the
storage tank, and the value Q in of the flow that is used to fill the storage tank. The constants Q set ,
VTmax , and VBmax define the maximum value of the bottle filling flow Q, the maximum volume
of the storage tank, and the filling volume of the bottles, respectively. The model FillingLine
4.2. Bottle filling line
37
Q in
T ank
VT
Q
open
Q
close
VB
Conveyor
Figure 4.2: Filling Line.
Figure 4.3: Iconic model of the filling line.
consists of the algebraic variable Q, the channels open and close, and the parallel composition
of the process instantiations for the tank and the conveyor.
const Q set : real = 3
, VTmax : real = 20
, VBmax : real = 10
model FillingLine(val VT0 , Q in : real) =
|[ alg Q : real, chan open, close : void
:: Tank(Q, open, close, VT0 , Q in ) k Conveyor(Q, open, close)
]|
The tank process has a local continuous variable VT that is initialized to VT0 . Its process body
is a mode scope statement consisting of three modes: closed, opened, and openedempty that
correspond to the valve being closed, the valve being open, and the valve being open while the
storage tank is empty. In the mode opened, the storage tank is usually not empty. When the
storage tank is empty in mode opened, the delayable skip statement [skip] may be executed
causing the next mode to be openedempty. The skip statement can be executed only if the
invariant in the next mode openedempty holds. This means, among others, that VT = 0 must
hold. Therefore, the transition to mode openedempty can be taken only when the storage tank
is empty.
proc Tank(alg Q : real, chan open?, close? : void, val VT0 , Q in : real) =
|[ cont VT : real = VT0
:: |[ mode closed =
( (eqn V˙T = Q in , Q = 0 k inv 0 ≤ VT ≤ VTmax ) 8 open?; opened )
, mode opened =
38
Chapter 4. Hybrid automata related modeling
( (eqn V˙T = Q in − Q , Q = Q set k inv 0 ≤ VT ≤ VTmax )
8 [skip]; openedempty
8 close?; closed
)
, mode openedempty =
( (eqn Q = Q in k inv VT = 0) 8 close?; closed )
:: closed
]|
]|
Process Conveyor supplies an empty bottle in 1 unit of time (VB := 0; 11). Then it synchronizes
with the storage tank process by means of the send statement open!, and it proceeds in mode
filling. When the bottle is filled in mode filling (VB ≥ VBmax ), the process synchronizes with the
storage tank to close the valve and returns to mode moving. The initial mode is moving.
proc Conveyor(alg Q : real, chan open!, close! : void) =
|[ cont VB : real = 0
:: |[ mode moving = ( VB := 0; 11; open!; filling )
, mode filling = ( VB ≥ VBmax → close!; moving )
:: moving
]|
k eqn V˙B = Q
]|
Figure 4.4 shows the results of the first 12 time units of a simulation run of the model
FillingLine(5, 1.5), that is with model parameters VT0 = 5 and Q in = 1.5. The graph shows that
the first bottle is filled from time point 1 until time point 1 + 10/3 ≈ 4.33. Filling of the second
bottle starts 1 time unit later, and somewhat after 7 time units, the storage tank becomes empty,
so that filling continues at the reduced flow rate.
4.2.1
Elimination of process instantiation
Elimination of the process instantiations for the Tank and Conveyor processes by replacing the
process instantiations by their definitions, as defined in [4], leads to the following model:
model FillingLine(val VT0 , Q in : real) =
|[ alg Q : real, chan open, close : void
L
:: |[ cont VT : real = VT0
L
, var VT0 : real = VT0 , Q Lin : real = Q in
:: |[ mode closed =
( (eqn V˙T = Q Lin , Q = 0 k inv 0 ≤ VT ≤ VTmax ) 8 open?; opened )
, mode opened =
( (eqn V˙T = Q Lin − Q , Q = Q set k inv 0 ≤ VT ≤ VTmax )
4.2. Bottle filling line
39
14
VT
VB
Q
12
10
8
6
4
2
0
0
2
4
6
8
10
12
time
Figure 4.4: Simulation results of model FillingLine.
8 [skip]; openedempty
8 close?; closed
)
, mode openedempty =
( (eqn Q = Q Lin k inv VT = 0) 8 close?; closed )
:: closed
]|
]|
k |[ cont VB : real = 0
:: |[ mode moving = ( VB := 0; 11; open!; filling )
, mode filling = ( VB ≥ VBmax → close!; moving )
:: moving
]|
k eqn V˙B = Q
]|
]|
To avoid naming conflicts between the formal parameters VT0 and Q in declared in the process
definition for process Tank, and the actual arguments VT0 and Q in in the process instantiation
Tank(Q, open, close, VT0 , Q in ), the newly defined local discrete variables that are used to hold
L
and Q Lin .
the values of the last two parameters of the process instantiation, are renamed to VT0
40
Chapter 4. Hybrid automata related modeling
Chapter 5
Examples
In this chapter, the χ formalism is illustrated by several examples taken from various application
domains.
5.1
Dry friction
A model that combines assignments to discrete variables occurring in equations and assignments to differential variables, deals with modeling of dry friction as shown in Figure 5.1.
x
Fn
Fd
Ff
Fz
Figure 5.1: Dry friction.
A driving force Fd is applied to a body on a flat surface with frictional force Ff. When the body
is moving with positive velocity v, the frictional force is given by Ff = mu * Fn, where Fn =
m * g. When the velocity of the body is 0, the frictional force neutralizes the applied driving
force. If the driving force exceeds mu0 * Fn, the body suddenly starts moving according to
dot v = (Fd - Ff)/m.
In model Fiction, dry friction is modeled in a mode scope statement. Each mode represents a
possible state of the body, having positive, zero of negative velocity. In the modes guards are put
alternative to equations. As long as the guards can delay, the alternative composition can delay
41
42
Chapter 5. Examples
Ff
mu0*Fn
mu*Fn
v
Figure 5.2: Dry friction in relation to velocity.
and the equations will be solved. When the guards can do an action, the alternative composition
can delay no longer and the action execution will terminate the alternative composition and
therefore the equation. In the new mode the equations are enabled and they can delay as long
as the guards can delay.
The initial mode is determined by means of an alternative composition depending on the initial
value of v. A case of special interest occurs when the driving force Fd drops below -mu0 * Fn
before the speed v becomes smaller than 0. In this case when the speed becomes negative, both
guards are true at the same time and a choice will be made between the different expressions
non-deterministically. Either the second expression is chosen and the mode neg will become
active, or the first expression is chosen and the mode stop will become active. When in mode
stop, the second guard is immediately true and the mode neg will become active. It is therefore
arguable to leave out the second guards for the positive and negative modes and always let the
changing of modes happen via stop, thus making the model deterministic. Note that taking the
equation for dot v out of the mode scope and putting it in parallel as is done with Fn, Fd and
dot x is also possible.
from standardlib import *
model Friction() =
|[ cont x: real = -2.0,
, alg Fd
, Ff
, Fn : real
, var m: real
= 1.0
, g: real
= 10.0
, mu0: real = 0.18
, mu: real = 0.1
:: eqn Fn = m * g
, Fd = 2 * sin(0.25
, dot x = v
v:
//
//
//
//
//
//
//
real = 0.0
driving force
friction force
normal force due to gravity
mass of body
gravity
friction coefficient for zero velocity
friction coefficient for non-zero velocity
* 3.14 * time)
5.1. Dry friction
43
Friction()
x(time)
v(time)
Fd(time)
Ff(time)
2
1.5
1
0.5
0
-0.5
-1
-1.5
-2
0
2
4
6
8
10
Figure 5.3: Friction simulation.
|| |[ mode pos =
( eqn dot v = (Fd - Ff) / m
,
Ff = mu * Fn
| Fd <
mu * Fn and v <= 0 ->
| Fd <= -mu0 * Fn and v <= 0 ->
)
, mode stop =
( eqn dot v = 0
,
Ff = Fd
| Fd >= mu0 * Fn -> skip; pos
| Fd <= -mu0 * Fn -> skip; neg
)
, mode neg =
( eqn dot v = (Fd - Ff) / m
,
Ff = -mu * Fn
| Fd > -mu * Fn and v >= 0 ->
| Fd >= mu0 * Fn and v >= 0 ->
)
:: ( v > 0 -> skip; pos
| v = 0 -> skip; stop
| v < 0 -> skip; neg
)
]|
]|
v:= 0.0; stop
skip; neg
v:= 0.0; stop
skip; pos
44
5.2
Chapter 5. Examples
Bottle filling system
The bottle filling system from Figure 5.4 consists of a liquid storage tank, and two identical
bottle filling lines.
Q a , ca
Qu
VT , n , c, pH
Q F1
Q F2
Figure 5.4: The bottle filling system.
The bottles are filled with liquid from the storage tank. A control system keeps the volume Vt
in the storage tank between 2 and 10, and the pH level (acidity) of the liquid in the storage
tank between 7 and 7.1. The liquid in the storage tank slowly becomes less acidic (pH level
increases). To correct this, a strong acid is dribbled into the storage tank when the acidity of the
liquid becomes too low (pH >= 7.1).
Figure 5.5 shows the iconic model of the bottle filling system. The lines ending in a small circle
represent shared variables (VT , Q F1 , Q F1 ).
T
VT
VT
Q F1
F
Q F2
F
Figure 5.5: Iconic representation of the bottle filling system model.
The acid and liquid supply processes are not modeled, since we consider the acid and liquid
always to be available, and we are not interested in the amount of acid or liquid that is used.
The χ specification of the bottle filling system is as follows:
5.2. Bottle filling system
45
from standardlib import *
model BottleFilling() =
|[ cont Vt: real = 2.0
, alg Qf1,Qf2: real
:: T(Vt,Qf1,Qf2)
|| F(Vt,Qf1)
|| F(Vt,Qf2)
]|
The storage tank and the two bottle filling lines are connected by means of the variables Qf1,
and Qf2, respectively. Since a bottle may start filling only if the storage tank contains at least a
volume of 0.7, the volume Vt of the storage tank is available in both bottle filling processes.
The molar quantity and molar concentration of the acid in the storage tank are denoted by n and
c, respectively, where n=cV. The incoming flows of liquid and acid of the liquid storage tank T
are denoted by Qu and Qa, respectively. The outgoing flows to the two bottle filling processes
are denoted by Qf1 and Qf2, respectively.
It is assumed that the liquids are incompressible, and that the volumes of the fluids remain the
same when they are mixed. In such a case, the volume V of the mixed liquid equals the sum of
its components which leads to the equation
dot V = Qu + Qa - Qf1 - Qf2.
Next, the mass balance (actually mol balance) for the dissolved substance is derived. Acid
comes into the tank by means of the flows Qu and Qa. Acid leaves the tank in outgoing flows
Qf1 and Qf2. Because the concentrations are in [mol/m3 ], they can be directly multiplied with
the flows (in [m3 /s]), which leads to
dot n = cu*Qu + ca*Qa - c*Qf1 - c*Qf2,
where cu and ca denote the concentrations of acid in the flows Qu and Qa. The gradual reduction
of the acidity of the liquid is modeled by means of a constant Kloss, which leads to
dot n = cu*Qu + ca*Qa - c*Qf1 - c*Qf2 - Kloss*V.
It is assumed that the acid is completely decomposed. Taking into account that the units of c
are in [mol/m3 ] instead of [mol/l], the pH is given by
pH = -log (c/1000).
The χ specification of the liquid storage tank follows below, where symbols Qseta, Qsetu, ca,
cu and Kloss denote constants:
46
Chapter 5. Examples
proc T(cont V: real, alg Qf1,Qf2: real) =
|[ var alpha: nat = 0, beta: nat = 0
, cont n: real
, alg pH: real
, c,Qa,Qu: real
, var Qseta: real = 0.5
, Qsetu: real = 1.5
, ca:
real = 0.0005
, cu:
real = 0.0
, Kloss: real = 0.000002
, init pH = 7.0
:: eqn dot V = Qu + Qa - Qf1 - Qf2
, dot n = cu*Qu + ca*Qa - c*Qf1 - c*Qf2 - Kloss*V
,
n = c*V
,
pH = -log (c/1000)
,
Qa = alpha*Qseta
,
Qu = beta*Qsetu
|| *( pH >= 7.1 -> alpha := 1; pH <= 7 -> alpha := 0 )
|| *( V <= 2 -> beta := 1; V >= 10 -> beta := 0 )
]|
In most cases, the differential variables, in this case V and n, are declared as continuous variables. The other variables, not occurring with a dot (derivative) are then declared as algebraic
variables. This ensures that the differential variables can be assigned new values, causing discontinuities. The algebraic variables will then simultaneously jump to their new values satisfying the equations. This declaration scheme is used in process T. Variable V is an external
variable that is declared as a continuous variable in the preceding χ process that defines the
complete bottle filling system.
Note that even though pH is an algebraic variable, which is not normally assigned new values,
pH can be initialized, in this case to a value of 7, in the initialization predicate. In this case the
differential variable n does not have to be initialized.
In process T, the only discontinuities in continuous variables occur in the flows Qf1, Qf2, Qa,
and Qu, that are switched on and off discontinuously in process T, and in process F that follows
below. Therefore, the algebraic variables apart from these flows could just as well have been
declared as continuous variables as in cont n,pH,c.
The behavior of the model is explained as follows. Initially, the pH of the liquid in the storage
tank equals 7. It is assumed that the pH level of the incoming liquid is 7 or more, since the
acidity controller can only make the acidity of the storage tank increase, causing the pH to
decrease. If the pH value exceeds the maximum value (pH >= 7.1), the acid valve is opened
(alpha := 1) so that acid is dribbled into the tank. Dribbling of the acid continues until the pH
value comes back at 7, and the valve is closed (alpha := 0). In a similar way, the controller
tries to keep the level of the storage tank between 2 and 10.
5.3. Conveyor system
47
The model of a bottle filling line follows below, where symbols Qf, and ttr denote constants.
proc F(cont Vt: real, alg Qf: real) =
|[ var alpha: nat = 0, cont V: real = 0.0
, var Qsetf: real = 1.0, ttr: real = 0.2
:: eqn dot V = Qf
,
Qf = alpha*Qsetf
|| *( Vt >= 0.7 -> alpha := 1
; alpha = 1 *> ( V >= 1 -> alpha := 0
| Vt <= 0.5 -> alpha := 0; Vt >= 0.7 -> alpha := 1
)
; delay ttr; V := 0.0
)
]|
The valve switching the flow Qf is modeled by means of the discrete variable alpha. When the
volume in the storage tank is at least 0.7, the bottle filling process can be started (alpha :=
1). Filling stops when the volume in the storage tank drops below 0.5 (Vt <= 0.5 -> alpha
:= 0). Filling resumes when the volume in the storage tank is at least 0.7. Filling also stops
when the bottle is full (V >= 1 -> alpha := 0). The time needed to place a new bottle under
the filling nozzle is given by ttr. After that, the bottle volume is reset to 0, which models the
arrival of a new bottle, and the filling process is repeated.
In Figure 5.6 the model is simulated. The two bottles are filled at the same time so these lines
are the same. The volume of the storage tank, Vt, increases over time when the bottles are
not being filled, however when the bottles are being filled the volume sometimes decreases and
sometimes it stays constant. This is due to the contribution of the acid to the inflow of the tank.
Also the Ph of the liquid is plotted. Because of the increase of the volume in the tank over time,
the frequency at which the Ph alternates decreases over time.
5.3
Conveyor system
Figure 5.7 shows a conveyor system that is used for transportation and buffering of boxes. It
consists of a line of conveyor belts driven by motors. Each conveyor belt is equipped with a
sensor (represented in the figure by a small rectangle), that detects the presence of a box.
In the models below, we use the following values for the dimensions of the conveyor system:
• lc = 6 (length of the conveyor)
• lb = 4 (length of the box)
• ls = 1 (distance of the sensor to end of conveyor)
48
Chapter 5. Examples
BottleFilling()
Vt(time)
3.5
3
2.5
2
0
2
4
6
8
10
1
0.8
0.6
0.4
0.2
0
Qf1(time)
0
2
4
6
8
10
1
0.8
0.6
0.4
0.2
0
Qf2(time)
0
2
4
6
8
10
7.1
7.08
7.06
7.04
7.02
7
pH(time)
0
2
4
6
8
10
Figure 5.6: Bottle filling system.
lc
ls
lb
x
V
Figure 5.7: The conveyor system.
V
5.3. Conveyor system
5.3.1
49
A process for each conveyor belt
Figure 5.8 shows the iconic model of a generator G, two conveyor belts V and the associated
control processes C. Processes Vend and Cend are added to obtain a closed system; they do not
model actual behavior. The model is a simplified version of the model treated in [2]. The dashed
lines with arrow heads represent directed synchronization channels (pc0 , pc1 , pc2 , p0 , p1 , p2 ),
and the lines ending in a small circle represent shared variables (s0 , s1 , v0 , v1 ).
pc1
C1
pc2
C1
Cend
pc0
v0
s0
G
s0
s1
v1
s1
p0
V1
p1
V1
p2
Vend
Figure 5.8: Iconic model of the conveyor system for process per belt.
Global position variable declarations
The χ specification of the iconic model from Figure 5.8 is as follows:
model C1V1(val x1ini,x2ini: real) =
|[ cont x1: real = x1ini, x2: real = x2ini
, var v1: nat = 0, v2: nat = 0
, s0: bool = false, s1: bool = false, s2: bool = false
, chan pc0,pc1,pc2: void
, p0,p1,p2: void
:: G(pc0,p0)
|| C1(v1,s1,pc0,pc1) || V1(x1,v1,s0,s1,p0,p1)
|| C1(v2,s2,pc1,pc2) || V1(x2,v2,s1,s2,p1,p2)
|| Cend(pc2)
|| Vend(s2,p2)
]|
Channels p0 , p1 , p2 are used to synchronize the box transition from the current to the next belt.
Channels pc0 , pc1 , pc2 are directed synchronization channels. Variables s0 , s1 , v0 , v1 are shared
variables, where s0 and s1 represent the sensors that indicate the presence of a box, and v0 and
v1 are actuators that determine the velocity of the respective conveyors. The process definitions
are:
50
Chapter 5. Examples
proc G(chan pc!: void, p!: void) =
|[ *( pc!; delay 1.0; p!! ) ]|
proc Cend(chan pc?: void) =
|[ * pc? ]|
proc V1( cont x: real, var v: nat, var sprev: bool, s: bool, chan pin?,pout!: void) =
|[ eqn dot x = ( x < -0.5 -> 0.0 | x >= -0.5 -> v*1.0 )
|| |[ mode waitforSensor =
( x >= 5 -> s:= true
; x >= 6 and v > 0 -> pout!
; x := -1.0; waitforTray
)
, mode waitforTray =
( pin?
; x:= 0.0
; x >= 3 -> sprev:= false; waitforSensor
)
:: ( x = -1
-> skip; waitforTray
| x >= 0 and x < 3 -> !! "Error, incorrect initial value for x"
; deadlock
| x >= 3
-> skip; waitforSensor
)
]|
]|
proc Vend(var sprev: bool, chan pin?: void) =
|[ cont x: real = -1.0
:: eqn dot x = ( x < -0.5 -> 0.0 | x >= -0.5 -> 1.0 )
|| *( pin?
; x:= 0.0
; x >= 3 -> sprev, x := false, -1.0
)
]|
Conservative control strategy For this system, different control strategy’s are possible. We
first start with a conservative control strategy, where a new box is allowed to enter the belt, after
the previous box has passed the sensor completely.
proc C1(var v: nat, var s: bool, chan pcin?,pcout!: void) =
|[ mode emptyon = ( ( pcin?
| delay 5.0; v:= 0; pcin?; v:= 1
)
; entering
)
, mode entering = ( s -> skip; atsensor)
5.3. Conveyor system
51
C1V1(-(1), -(1))
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
25
30
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
25
30
Figure 5.9: Conveyors initially empty.
, mode atsensor = ( pcout!; leaving
| delay 0.2; v:= 0; pcout!; v:= 1; leaving
)
, mode leaving = ( not s -> skip; emptyon
)
:: v:= 1
; ( s -> skip; atsensor
| delay 3.0; emptyon
)
]|
Figures 5.9 and 5.10 show simulation results for conveyors that are initially empty for and
conveyors where the initial positions of the boxes are 4,3, respectively. Figure 5.11 shows the
simulation result for initially only a box on the first conveyor.
High throughput control strategy The throughput of the system can be improved by allowing boxes to enter as soon as the current box on the belt is leaving this belt. To achieve this
goal, a new mode is added to the controller, allowing a box to enter as soon as the current box
is leaving the belt.
proc C2(var v: nat, var s: bool, chan pcin?,pcout!: void) =
|[ mode emptyon = ( ( pcin?
| delay 5.0; v:= 0; pcin?; v:= 1
)
52
Chapter 5. Examples
C1V1(4, 3)
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
Figure 5.10: Conveyors with boxes initially present.
C1V1(4, -(1))
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
Figure 5.11: Conveyors with box initially present on first conveyor only.
5.3. Conveyor system
,
,
,
,
::
;
53
; entering
)
mode entering = ( s -> skip; atsensor)
mode atsensor = ( pcout!; leaving
| delay 0.2; v:= 0; pcout!; v:= 1; leaving
)
mode leaving = ( not s -> skip; emptyon
| pcin?; leaving_entering
)
mode leaving_entering = ( not s -> skip; entering )
v:= 1
( s -> skip; atsensor
| delay 3.0; emptyon
)
]|
The other processes remain the same, leading to model C2V1.
model C2V1(val x1ini,x2ini: real) =
|[ cont x1: real = x1ini, x2: real = x2ini
, var v1: nat = 0, v2: nat = 0
, s0: bool = false, s1: bool = false, s2: bool = false
, chan pc0,pc1,pc2: void
, p0,p1,p2: void
:: G(pc0,p0)
|| C2(v1,s1,pc0,pc1) || V1(x1,v1,s0,s1,p0,p1)
|| C2(v2,s2,pc1,pc2) || V1(x2,v2,s1,s2,p1,p2)
|| Cend(pc2)
|| Vend(s2,p2)
]|
pc1
C2
pc2
C2
Cend
pc0
v0
s0
G
s0
v1
s1
s1
p0
V1
p1
V1
p2
Vend
Figure 5.12: Iconic model for process per belt with high throughput.
Figures 5.13 and 5.14 show simulation results for conveyors that are initially empty for and
conveyors where the initial positions of the boxes are 4,3, respectively. Figure 5.13 shows the
54
Chapter 5. Examples
C2V1(-(1), -(1))
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
Figure 5.13: Conveyors initially empty.
desired behavior, with boxes entering a belt as soon as this is allowed be the controller. Figure
5.14 however, shows undesired behavior. Somehow the box on the first belt is not allowed to
enter the second belt and continuing on the first belt beyond position 6. This is physically not
possible. Figure 5.15 zooms in on this. The cause of this lies in the process of the belt V1. In
the mode waitforSensor, the synchronization pout! is delayable, allowing the box to move
beyond position 6.
Improved belt model In order to eliminate the possibility for boxes to go beyond position
6, the process of the belt has been improved, leading to model C2V2. In Figure 5.16 the corresponding iconic model is given. Here the solid lines with arrow heads represent directed
communication channels, since now the position of the box is communicated.
proc G2(chan pc!: void, p!: real) =
|[ *( pc!; delay 1.0; p!!0.0 ) ]|
proc V2( cont x: real, var v: nat, var sprev: bool, s: bool, chan pin?,pout!: real) =
|[ eqn dot x = ( x < -0.5 -> 0.0 | x >= -0.5 -> v*1.0 )
|| |[ mode waitforSensor =
( x >= 5 -> s:= true
; x >= 6 and v > 0 -> pout! x - 6
; x := -1.0; waitforTray
)
, mode waitforTray =
5.3. Conveyor system
55
C2V1(4, 3)
6
5
4
3
2
1
0
x2(time)
v2(time)
s2(time)
0
5
10
15
20
x1(time)
v1(time)
s1(time)
6
5
4
3
2
1
0
-1
0
5
10
15
20
Figure 5.14: Conveyors with boxes initially present.
C2V1(4, 3)
6.5
x1(time)
v1(time)
s1(time)
6
5.5
5
4.5
4
0
1
2
3
4
5
Figure 5.15: Conveyors with boxes initially present.
(
;
)
:: ( x
| x
pin?x
x >= 3 -> sprev:= false; waitforSensor
= -1
-> skip; waitforTray
>= 0 and x < 3 -> !! "Error, incorrect initial value for x"
; deadlock
| x >= 3
-> skip; waitforSensor
)
]|
56
Chapter 5. Examples
]|
model C2V2(val x1ini,x2ini: real) =
|[ cont x1: real = x1ini, x2: real = x2ini
, var v1: nat = 0, v2: nat = 0
, s0: bool = false, s1: bool = false, s2: bool = false
, chan pc0,pc1,pc2: void
, p0,p1,p2: real
:: G2(pc0,p0)
|| C2(v1,s1,pc0,pc1) || V2(x1,v1,s0,s1,p0,p1)
|| C2(v2,s2,pc1,pc2) || V2(x2,v2,s1,s2,p1,p2)
|| Cend(pc2)
|| Vend2(s2,p2)
]|
pc1
C2
pc2
C2
Cend
pc0
v0
s0
G
s0
s1
v1
s1
p0
V2
p1
V2
p2
Vend
Figure 5.16: Iconic model for process per belt with improved belt model.
Now the system is again simulated for different initial conditions. Figures 5.17 and 5.18 show
simulation results for conveyors that are initially empty for and conveyors where the initial
positions of the boxes are 4,3, respectively. Figure 5.19 zooms in on the same area that had
incorrect behavior in model C2V1. Now it can be seen that even though the box goes beyond
position 6, the model works properly because box enters the next belt taking in to account that
difference.
Local position variable declarations
The same system can be modeled using local variable declarations for the positions of the boxes.
This leads to the following model:
model CVlocal() =
|[ var v1: nat = 0, v2: nat = 0
, s0: bool = false, s1: bool = false, s2: bool = false
5.3. Conveyor system
57
C2V2(-(1), -(1))
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
25
30
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
25
30
Figure 5.17: Conveyors initially empty.
C2V2(4, 3)
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
x1(time)
v1(time)
s1(time)
6
5
4
3
2
1
0
-1
0
5
10
15
20
Figure 5.18: Conveyors with boxes initially present.
58
Chapter 5. Examples
C2V2(4, 3)
C2V2(4, 3)
6.5
x1(time)
v1(time)
s1(time)
6
5.5
2.5
x2(time)
v2(time)
s2(time)
2
1.5
5
1
4.5
0.5
4
0
0
1
2
3
4
5
0
1
2
3
4
5
Figure 5.19: Conveyors with boxes initially present.
, chan pc0,pc1,pc2: void
, p0,p1,p2: void
:: G(pc0,p0)
|| C1(v1,s1,pc0,pc1) || Vlocal(v1,s0,s1,p0,p1)
|| C1(v2,s2,pc1,pc2) || Vlocal(v2,s1,s2,p1,p2)
|| Cend(pc2)
|| Vlocalend(s2,p2)
]|
The only changes are the process definitions that model the conveyor belts. The initialization
of the boxes has been omitted for the sake of clarity:
proc Vlocal(var v: nat, var sprev: bool, s: bool, chan pin?,pout!: void) =
|[ *( pin?
; |[ cont x: real = 0.0
:: ( eqn dot x = v*1.0 | x >= 3 -> sprev:= false )
; ( eqn dot x = v*1.0 | x >= 5 -> s:= true )
; ( eqn dot x = v*1.0 | x >= 6 -> pout!! )
]|
)
]|
proc Vlocalend(var sprev: bool, chan pin?: void) =
|[ *( pin?
; |[ cont x: real = 0.0
:: ( eqn dot x = 1 | x >= 3 -> sprev:= false )
]|
)
]|
5.3.2
A process for each box
Another way of modeling the conveyor belts with boxes is to define a process for each box,
instead of a process for each conveyor.
5.3. Conveyor system
59
Discrete variables for sensors
In Figure 5.20 the iconic model for the process per box approach is given. In this figure, lines
with a small circle at one end and a arrowhead at the other end, represent a shared variable as
well as directed communication. The iconic model leads to the following model in χ :
model CBmode(val xini,yini,zini: real) =
|[ cont x: real = xini, y: real = yini, z: real = zini
, var v1: nat = 0, v2: nat = 0
, s1: bool = false, s2: bool = false
, chan pc0,pc1,pc2: void
, p0,p1,p2: real
:: G(x,y,z,pc0,p0,p1,p2)
|| C(v1,s1,pc0,pc1)
|| C(v2,s2,pc1,pc2)
|| Cend(pc2)
|| BoxMode(x,v1,v2,s1,s2,p0)
|| BoxMode(y,v1,v2,s1,s2,p1)
|| BoxMode(z,v1,v2,s1,s2,p2)
]|
proc G(cont x,y,z: real, chan pc!: void, p0,p1,p2!: real) =
|[ var i: nat = 0
// assume that if trays are initially present, x >= y >= z holds
:: ( x = -1
-> i:= 0 // all empty
| x /= -1 and y = -1
-> i:= 1 // tray in x
| x /= -1 and y /= -1 and z = -1 -> i:= 2 // trays in x,y
| x /= -1 and y /= -1 and z /= -1 -> i:= 0 // trays in x,y,z
)
; *( pc!; delay 1.0
; ( i = 0 -> p0!!0.0
| i = 1 -> p1!!0.0
| i = 2 -> p2!!0.0
)
; i:= (i + 1) mod 3
)
]|
The model of the conveyor control process has been changed to allow a new box to enter a
conveyor as soon as the current box on the conveyor has started to leave the conveyor:
proc C(var v: nat, var s: bool, chan pcin?,pcout!: void) =
|[ mode emptyon = ( ( pcin?
| delay 5.0; v:= 0; pcin?; v:= 1
)
; entering
)
60
Chapter 5. Examples
C
pc1
C
pc1
CE
pc0
v1 , s1
v2 , s2
v1 , s1
v2 , s2
G
x, p0
v2 , s2
BM
v1 , s1
BM
BM
y, p1
z, p2
Figure 5.20: Iconic model of the conveyor system for process per box.
, mode entering = ( s -> skip; atsensor)
, mode atsensor = ( pcout!; leaving
| delay 0.2; v:= 0; pcout!; v:= 1; leaving
)
, mode leaving = ( not s -> skip; emptyon
| pcin?; leaving_entering
)
, mode leaving_entering = ( not s -> skip; entering )
:: v:= 1
; ( s -> skip; atsensor
| delay 3.0; emptyon
)
]|
proc Cend(chan pc?: void) =
|[ * pc? ]|
The initial value for the position of a box x must be in the interval: 3 ≤ x ≤ 6, or 9 ≤ x ≤ 12,
or 15 ≤ x ≤ 18, because the controller cannot deal with an initial tray that activates a previous
sensor. This is, however, not checked.
proc BoxMode(cont
|[ eqn dot x = (
|
|
x: real, var v1,v2: nat, s1,s2: bool, chan pin?: real) =
x < -0.1 -> 0
-0.1 <= x and x < (6+2) -> v1
(6+2) <= x and x < (12+2) -> v2
5.3. Conveyor system
61
| x >= (12+2) -> 1
)
|| |[ mode none = ( pin?x; pre1 )
, pre1 = ( x >= (6-1) -> s1:= true; on1 )
, on1
= ( x >= (6+3) -> s1:= false; post1 )
, post1 = ( x >= (12-1) -> s2:= true; on2 )
, on2
= ( x >= (12+3) -> s2:= false; post2 )
, post2 = ( x >= (12+4) -> x:= -1.0; none )
:: ( x = -1
-> skip; none
| 0 <= x and x < (6-1)
-> skip; pre1
| (6-1) <= x and x < (6+3)
-> s1:= true; on1
| (6+3) <= x and x < (12-1) -> skip; post1
| (12-1) <= x and x < (12+3) -> s2:= true; on2
| (12+3) <= x
-> skip; post2
)
]|
]|
Figures 5.21 and 5.22 shows simulation results for conveyors that are initially empty and conveyors with boxes on positions 4 and 3, respectively. Recall that for the process per belt, the
latter initialization gave a deadlock in the model. The process per box approach clearly does
not have this problem.
Algebraic variables for sensors
Using algebraic variables for the sensors simplifies the process definitions for the boxes. The
equations defining the values of the sensors are now defined at the model level:
model CBalg(val xini,yini,zini: real) =
|[ cont x: real = xini, y: real = yini, z: real = zini
, var v1: nat = 0, v2: nat = 0
, alg s1,s2: bool
, chan pc0,pc1,pc2: void
, p0,p1,p2: real
:: eqn s1 = ((x >= 5 and x <= 9) or (y >= 5 and y <= 9) or (z >= 5 and z <= 9))
, s2 = ((x >= 11 and x <= 15) or (y >= 11 and y <= 15) or (z >= 11 and z <= 15))
|| Galg(pc0,p0,p1,p2)
|| C(v1,s1,pc0,pc1)
|| C(v2,s2,pc1,pc2)
|| Cend(pc2)
|| BoxAlg(x,v1,v2,p0)
|| BoxAlg(y,v1,v2,p1)
|| BoxAlg(z,v1,v2,p2)
]|
proc Galg(chan pc!: void, p0,p1,p2!: real) =
62
Chapter 5. Examples
CBmode(-(1), -(1), -(1))
16
14
12
10
8
6
4
2
0
x(time)
y(time)
z(time)
0
5
10
15
20
25
30
1
0.8
0.6
0.4
0.2
0
v1(time)
s1(time)
0
5
10
15
20
25
30
1
0.8
0.6
0.4
0.2
0
v2(time)
s2(time)
0
5
10
15
20
25
30
Figure 5.21: Conveyors initially empty.
|[ *( pc!; delay 1.0
; (p0!!0.0 | p1!!0.0 | p2!!0.0)
)
]|
proc BoxAlg(cont x: real, var v1,v2: nat, chan pin?: real) =
|[ mode empty =
( (eqn dot x = 0 | pin?x); tray )
, mode tray =
( eqn dot x = ( x <= 8 -> v1 | 8 < x and x <= 14 -> v2 | x > 14 -> 1 )
| x >= (2*6)+4 -> x:= -1.0; empty
)
:: ( x = -1 -> skip; empty
// assume initially x = -1 or x >= 0
| x >= 0
-> skip; tray
)
]|
The process definitions for the controllers remain unchanged.
5.3. Conveyor system
63
CBmode(9, 4, -(1))
16
14
12
10
8
6
4
2
0
x(time)
y(time)
z(time)
0
5
10
15
20
25
30
1
0.8
0.6
0.4
0.2
0
v1(time)
s1(time)
0
5
10
15
20
25
30
1
0.8
0.6
0.4
0.2
0
v2(time)
s2(time)
0
5
10
15
20
25
30
Figure 5.22: Conveyors initially full.
64
Chapter 5. Examples
Bibliography
[1] J. C. M. Baeten and C. A. Middelburg. Process Algebra with Timing. EACTS Monographs
in Theoretical Computer Science. Springer-Verlag, 2002.
[2] D. A. van Beek, S. H. F. Gordijn, and J. E. Rooda. Integrating continuous-time and discreteevent concepts in modelling and simulation of manufacturing machines. Simulation Practice and Theory, 5(7-8):653–669, 1997.
[3] D. A. van Beek, A. T. Hofkamp, M. A. Reniers, J. E. Rooda, and R. R. H. Schiffelers.
Syntax and formal semantics of Chi 2.0. SE Report 2008-01, Eindhoven University of
Technology, Systems Engineering Group, Department of Mechanical Engineering, Eindhoven, The Netherlands, 2008.
[4] D. A. van Beek, K. L. Man, M. A. Reniers, J. E. Rooda, and R. R. H. Schiffelers. Syntax and
consistent equation semantics of hybrid Chi. Journal of Logic and Algebraic Programming,
68(1-2):129–210, 2006.
[5] C. Bohn and D. P. Atherton. An analysis package comparing PID anti-windup strategies.
IEEE Control Systems, 15(2):34–40, 1995.
[6] F. Breitenecker and I. Husinsky, editors. Simulation News Europe, chapter ARGESIM
Comparisons. Number 0-40. EUROSIM, 1990-2004.
[7] K. L. Man and R. R. H. Schiffelers. Formal Specification and Analysis of Hybrid Systems.
PhD thesis, Eindhoven University of Technology, 2006.
65
Analysis of Hybrid Systems
D.A. van Beek and J.E. Rooda
March 23, 2010
ii
Preface
Hybrid systems are a combination of continuous-time systems, discrete-event systems and/or
discrete-time systems.
In continuous-time systems, the state changes continuously. Therefore, an infinite number of
state changes are possible in any given finite time interval. Examples of such systems are
chemical systems in the process industry and mechanical systems.
In discrete-event systems, the state changes at discrete points of time; in between these time
points the state remains the same. Therefore, there can only be a finite number of changes in
a time-interval. Examples of plants that can be regarded as discrete-event systems are plants
where discrete products are transported, assembled or packaged, such as car or integrated circuit
manufacturing plants. Discrete-time systems are discrete-event systems where the state changes
at equidistant points of time. Such systems are usually the result of sampling continuous-time
systems.
Examples of hybrid systems are batch processes in the process industry; factories with both
continuous and discrete process steps, such as batch production of beer that ends with the discrete packing of bottles in a crate; and discrete-event scheduling or supervisory systems that are
used to control continuous or hybrid systems.
Dealing with hybrid systems requires a hybrid world view. Such a world view comprises languages, methods, techniques and tools. It can be obtained by means of the χ and CIF formalisms that are treated in these course notes. The formalisms are used for modeling, simulation and control of industrial systems. They integrate continuous-time and discrete-event
concepts, and enable analysis of the dynamic behavior of hybrid processes, of hybrid embedded systems, as well as of complete hybrid plants. The course notes deal with the hybrid aspects
of the formalisms.
Acknowledgments
The authors would like to thank Ramon Schiffelers for participating with the authors in the
development of the (hybrid) χ and CIF languages, and for the many stimulating discussions.
They also thank Dennis Hendriks, Albert Hofkamp and Ramon for providing the χ and CIF
iii
iv
Preface
simulators that are available via the Systems Engineering Wiki pages, and they thank Jasper
Fonteijn for improving the text and automating the document generation process of the lecture
notes. Finally, they would like to thank Jos Baeten, Pieter Cuijpers, and Michel Reniers from
the Computer Science Department for their contributions to the development of the χ and CIF
languages.
Contents
Preface
1
2
3
iii
Overview of the syntax of the Chi language
1
1.1
Model syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1
1.2
Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3
1.3
Statement syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3
Informal semantics of the Chi language
7
2.1
Conditional expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
2.2
Behavior of atomic statements . . . . . . . . . . . . . . . . . . . . . . . . . .
8
2.3
Behavior of compound statements . . . . . . . . . . . . . . . . . . . . . . . .
9
2.4
Behavior of models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14
2.5
Process definition and instantiation . . . . . . . . . . . . . . . . . . . . . . . .
15
Tank level control strategies
19
3.1
The controlled tank system . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
3.2
Discrete-event control using repetition . . . . . . . . . . . . . . . . . . . . . .
20
3.3
Discrete-event control using recursion . . . . . . . . . . . . . . . . . . . . . .
21
3.4
P control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
23
3.5
PI control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
3.6
PI control with anti-windup . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
v
vi
4
5
Contents
Hybrid automata related modeling
35
4.1
Constrained pendulum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
35
4.2
Bottle filling line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36
Examples
41
5.1
Dry friction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
41
5.2
Bottle filling system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
44
5.3
Conveyor system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
47
Bibliography
65
Chapter 1
Overview of the syntax of the Chi
language
1.1
Model syntax
In this section, the syntax of χ models is defined using a Backes-Naur Form (BNF) like notation.
The symbol | defines choice, notation {Z }∗ denotes a sequence of zero or more Z ’s, and notation
{Z }0 defines Z as being optional. The syntax of a χ model is defined by the following BNF
definition for χmodel :
χmodel ::= model id({Dm }0 ) = |[ {D ::}0 p ]|
where id is an identifier that represents the name of the model, and Dm denotes the (optional)
model parameter declarations as defined below. Furthermore, D denotes the (optional) declaration of variables and/or channels of the model. This type of declaration is also used to
declare the local variables and channels in scope statements. Finally, p denotes a statement,
also known as process term. The scope statement and statement p are both defined in Section
1.3. The syntax of the declarations Dm and D is:
Dm ::= val S {, S}∗ | Dm , Dm
D ::=
|
|
|
|
|
chan S {, S}∗
(var | cont | alg) IS {, IS}∗
time = e
init u
mode X = p {, X = p}∗
D, D
value parameter declaration
channel declaration
variable declaration
time initialization
general initialization
mode declaration
1
2
Chapter 1. Overview of the syntax of the Chi language
IS ::= id {, id}∗ : t = e
| S
declaration with initialization
S ::= id {, id}∗ : t
declaration without initialization
Here, t denotes the type of a variable or channel, e denotes an expression, u denotes a predicate over variables (including the variable time) and dotted (continuous) variables (derivatives), and id denotes an identifier. The comma in predicate u denotes conjunction. E.g.
init u 1 , u 2 means init u 1 and u 2 . An executable model instantiation for a model declared
as model M(val x1 : t1 , . . . , xn : tn ) is obtained by M(c1 , . . . , cn ), where ci denotes a value
for the corresponding model parameter xi . The following items can be declared in D:
• Channels, such as in chan h: real, close: void, which declares a communication
channel h, that communicates values of type real, and a synchronization channel close
(no data exchange).
• Discrete variables, such as in var k,n: int, v_set: real = 1.0. This declares two
uninitialized variables k,n of type int (integer), and a variable v_set with initial value
1.0. The values of discrete variables remain constant when model time progresses.
• Continuous variables, such as in cont x: real = 1.0. Continuous variables are the only
variables for which dotted variables (derivatives) can be used in models. Therefore, the
declaration cont x: real = 1.0 implies that x and its dotted version dot x (which represents x),
˙ can both be used in the model. The values of continuous variables may change
according to a continuous function of time when model time progresses. The values of
continuous variables are further restricted by equations and invariants (defined in the next
section).
• Algebraic variables, such as in alg y,z: real. These variables behave in a similar way as
continuous variables. The differences are that algebraic variables may change according to
a discontinuous function of time, and algebraic variables are not allowed to occur as dotted
variables.
• The (initial) value of the model time, such as in time = 1 (see below).
• An initialization predicate, such as init dot x = 0. This predicate can be used for initial
conditions that go beyond specification of the initial value of a variable.
• Mode declarations, such as
mode off = (V <= 8 -> n:= 1; on), mode on = (V >= 10 -> n:= 0; off).
Besides the variables mentioned in the model defined above, the existence of the predefined
reserved global variable time is assumed. This variable denotes the current model time. Its
initial value is zero, unless specified otherwise. It cannot be declared, nor can it be assigned a
value. It can only be used in expressions in statements p.
1.3. Statement syntax
1.2
3
Expressions
An expression e in χ is a combination of values, variables, operators, and mathematical or user
defined functions that that can be evaluated to a value, assuming that the values of the variables
are defined. E.g. the value of expression 2 + x is 5, assuming that the value of x is 3. Apart from
the ‘normal’ mathematical expressions, the χ language also allows conditional expressions. Let
e denote an arbitrary expression, then the syntax of conditional expressions is:
econd ::= (ec )
ec
::= u → e
| ec ‘|’ ec
The value of a conditional expression (u 1 → e1 | · · · | u n → en ) is the value of expression ei
for which the associated guard u i is true, assuming that such a guard exists. An example of a
conditional expression is the equation eqn x = (y < 0 → 0 | 0 ≤ y ≤ 1 → y | y > 1 → 1)
that defines the value of variable x to be equal to the value of variable y, unless the value of y
is smaller than 0 or bigger than 1, in which case saturation occurs. The meaning of conditional
expressions is more precisely defined in Section 2.1.
1.3
Statement syntax
The syntax of χ statements p, is as follows:
p ::=
|
|
|
|
|
|
|
patom
atomic statement
p; p
sequential composition statement
p8p
alternative composition statement
pkp
parallel composition statement
∗p
loop statement
∗
b → p
while statement
|[ D :: p ]| scope statement
id(e)
process instantiation statement
where b denotes a predicate (boolean/logical expression) over variables, D denotes a declaration
as defined in Section 1.1, and e denotes comma separated expressions e1 , . . . , en (see Section
1.2).
Statements can be divided in two classes: the atomic statements patom , that represent the smallest statement units; and the compound statements, that are constructed from one or more
(atomic) statements by means of operators. A further division of the statements is based on
the action and delay behavior of the statements. A statement executing an action, such as an
assignment, does so in zero time. The delay behavior of statements on the other hand, involves
4
Chapter 1. Overview of the syntax of the Chi language
the passing of time (see Chapter 2 for a more precise explanation). The syntax of the atomic χ
statements patom is as follows:
patom ::=
|
|
|
|
|
|
|
non-delayable action statement
guarded non-delayable action statement
delayable action statement
guarded delayable action statement
delay statement
equation statement
invariant statement
mode statement
pndact
b → pndact
pdact
b → pdact
1d
eqn u
inv u
X
where d denotes an expression of type real, and X denotes an identifier. Equation statements
occur in the form of differential algebraic equations, such as eqn x˙ = y , y = n. Invariants
usually occur in the form of an inequality, such as inv x ≥ 1, but they may also occur as
equations.
The non-delayable action statements can only execute actions. They are defined as:
pndact ::=
|
|
|
skip
x := e
h ?? x |
h !! e |
h??
h!!
non-delayable skip statement
non-delayable (multi-)assignment statement
non-delayable receive statement
non-delayable send statement
where x and e denote comma separated variables x1 , . . . , xn and expressions e1 , . . . , en , respectively, for n ≥ 1, and h denotes a channel.
The guarded non-delayable action statement b → pndact can only delay while the value of the
guard is false. The action can, in principle, be executed when the value of the guard is true.
The delayable action statements can, in principle, execute an action or they can perform arbitrary delays. They are defined as:
pdact ::=
|
|
|
[skip]
[x := e]
h !e
|
h ?x |
h!
h?
delayable skip statement
delayable (multi-)assignment statement
delayable send statement
delayable receive statement
The guarded delayable action statement b → pdact can, in principle, execute an action when the
value of the guard is true, or it can perform arbitrary delays. The delay statement 1d can delay
while the value of d is bigger than zero. When the value of d equals zero, the delay statement
can do an action. Finally, the equation and invariant statements eqn u and inv u can only delay;
they restricts the values (solutions) of the variables while delaying.
1.3. Statement syntax
5
The operators are listed in descending order of their binding strength as follows:
∗
{∗, → , → }, ; , {k , 8 }.
The operators inside the braces have equal binding strength. For example, x := 1; y := x 8
x := 2; y := 2x means (x := 1; y := x) 8 (x := 2; y := 2x). Parentheses may be used to
group statements. To avoid confusion, parenthesis are obligatory when alternative composition
and parallel composition are used together. E.g. p 8 q k r is not allowed and should either be
written as ( p 8 q) k r , or as p 8 (q k r ).
6
Chapter 1. Overview of the syntax of the Chi language
Chapter 2
Informal semantics of the Chi language
In this chapter, the meaning (semantics) of a χ model is informally defined in terms of delay
behavior and action behavior, based on the formal semantics as presented in [4] and [7]. Action
behavior is instantaneous: time does not progress, and the semantics defines for each variable
the relation between its value before and after the action. Delay behavior involves passing of
time, where the semantics defines for each variable how its value changes as a function of time.
Actions and delays are done by active atomic statements. Instead of the term delay, also the
term ‘time step’ is used.
Section 2.2 defines the behavior of active atomic statements in terms of execution of actions
and delays, Section 2.3 defines the behavior of compound statements in terms of the relation
between activation, action execution, termination, and deactivation of statements, and Section
2.4 defines the behavior of models.
2.1
Conditional expressions
Let e denote an expression, and let ξ(e) denote the value of expression e, then:
ξ(e1 ) if ξ(u 1 )
.
ξ((u 1 → e1 | · · · | u n → en )) = ..
ξ(e ) if ξ(u )
n
n
Thus, the value of the conditional expression is the value of an expression ei associated to a
condition u i that is true. It is assumed that at least one of the conditions evaluates to true:
ξ(u 1 ) ∨ · · · ∨ ξ(u n ) = true. The meaning is not defined when none of the conditions evaluate
to true. In case more than one of the conditions are true, it is assumed that the values of the
associated expressions are the same. More precisely, for all conditional expressions (u 1 → e1 |
· · · | u n → en ) and for all i and j between 1 and n, we assume that if ξ(u i ∧ u j ), then ξ(ei = e j ).
7
8
Chapter 2. Informal semantics of the Chi language
2.2
2.2.1
Behavior of atomic statements
Action behavior of action statements
An active multi-assignment statement xn := en for n ≥ 1 can do an unnamed action that changes
the values of the variables x1 , . . . , xn in one step to the values of expressions e1 , . . . , en , respectively, and then terminates. For n = 1, this gives a normal assignment x := e.
An active skip statement can do an unnamed action without changing the values of the discrete
and continuous variables. Note that the purpose of the skip statement is twofold: it can be used
to model waiting for a condition b, as in b → skip, and/or it can be used to enforce a choice in
an alternative composition (see process Tank in Section 4.2).
An active send statement h !! e, h!!, h ! e, or h!, can, in principle, do a send action; and an active
receive statement h ?? e, h??, h ? x, or h?, can, in principle, do a receive action.
With respect to the action behavior, there is no difference between the delayable and nondelayable versions of the skip ([skip]), assignment ([x := e]), send (h ! e) and receive (h ? x)
statements, respectively.
A guarded (skip/assignment/send/receive) statement can do its corresponding action only if the
value of the guard is true.
The unnamed action is a non-synchronizing action, meaning that it always occurs by itself.
The send and receive actions are synchronizing actions: a send action can be executed only
simultaneously with a receive action on the same channel, as is explained in Section 2.3.4.
2.2.2
Delay behavior of action statements
The delay behavior of active atomic action statements is as follows:
• The non-delayable, non-guarded versions of the skip statement, assignment, and send and
receive statements can never delay.
• The guarded versions of the non-delayable atomic statements can delay for as long as the
guard remains false.
• The (possibly guarded) delayable versions of the skip statement, assignment, and send and
receive statements can always delay.
2.2.3
Behavior of the delay statement
A delay statement 1d behaves as a timer with an invisible local timing variable that keeps track
of the remaining time. The value of this timing variable is set to the value of expression d when
the delay statement is activated for the first time, or when it is re-activated after having been
2.3. Behavior of compound statements
9
deactivated. The behavior of the timer depends on the value of the timing variable. Assuming
the value of the timing variable to be c, then:
• For c > 0, an active delay statement can delay (do a time step) for at most c time units.
After a delay of t (t ≤ c) time units, the new value of the timing variable is set to c − t.
• For c ≤ 0, an active delay statement can do an unnamed action.
2.2.4
Behavior of the equation and invariant statement
An active equation statement eqn u or invariant statement inv u can delay, but it cannot do
actions. A equation or invariant statement can delay for as long as it has a solution. Such a
solution defines the values of the continuous and algebraic variables as a function of time for
the period of the delay. The values of the discrete variables do not change while delaying.
At each time point during the delay, an active equation / invariant must be satisfied (its value
must be true), when all variables and dotted variables in the predicate are replaced by their
current value (the value of the associated solution function at the time point).
The difference between equation statements and invariant statements is that equation statements
are assumed to always have a solution, although this is currently not checked in the simulator,
whereas for an invariant, depending on the values of the variables, there may not be a solution.
In the case that an invariant cannot be satisfied, the simulator ensures that the invariant is not
activated. In this way, invariant statements also restrict the action behavior of χ models, because
the active invariants must hold before and after each action. In fact, the active invariants and
equations of a χ model must hold at all times. This is referred to as the ‘consistent equation
semantics’.
The relation between the solution function of a continuous variable x and the solution
R tfunction
of its ‘derivative’ x˙ is given by the Caratheodory solution concept: x(t) = x(0) + 0 x(s)ds.
˙
This allows a non-smooth (but continuous) function for a differential variable x in the case
that the solution function of its ‘derivative’ x˙ is non-smooth or even discontinuous, as in, for
example, model M() = |[ cont x : real = 0.0 :: x˙ = step(time − 1) ]|, where step(y) equals 0
for y ≤ 0 and 1 for y > 0.
2.3
Behavior of compound statements
This section defines the action behavior of compound statements. Compound statements combine statements by means of operators.
The delay behavior of compound statements is not explicitly defined. It is defined implicitly,
because only active atomic statements can execute delays, and the set of active (atomic) statements is defined by the action behavior of compound statements and by the action behavior of
the model (see Section 2.4); the set of active atomic statements does not change when delaying.
10
Chapter 2. Informal semantics of the Chi language
Actions are done by active atomic statements. Section 2.3.1 gives an overview of how operators define the relation between action execution, termination, activation and deactivation of
statements. The sections thereafter define the behavior of the individual operators.
2.3.1
Overview
• Atomic statements terminate by doing an action. A statement that terminates becomes
inactive by doing so, and simultaneously may cause another statement to be activated (in
the cased of sequential composition, loop statements, while statements) and/or deactivated
(in the case of alternative composition).
• Activating a compound statement implies activating one or more of its sub-statements. E.g.
activating a sequential composition p1 ; . . . ; pn implies activating the first statement p1 ,
whereas activating a parallel composition p1 k . . . k pn implies activating all statements
p1 . . . pn .
• Deactivating a compound statement implies deactivating all of its sub-statements.
• Termination of a sub-statement may imply termination of its parent statement (the statement
of which it is a sub-statement). E.g. a sequential composition p1 ; . . . ; pn terminates upon
termination of its last sub-statement pn , whereas an alternative composition p1 8 . . . 8 pn
terminates upon termination of any of its sub-statements p1 , . . . , pn .
• Action execution of a sub-statement implies action execution of its parent statement. Therefore, a compound statement executes an action if one of its sub-statements executes an
action.
2.3.2
Sequential composition
In a sequential composition p1 ; . . . ; pn (n ≥ 2), only one statement pi , 1 ≤ i ≤ n, can be active
at the same time.
• Activating a sequential composition p1 ; . . . ; pn implies activating its first statement p1 .
• When statement pi (1 ≤ i ≤ n − 1) terminates (and is therefore also deactivated), the next
statement pi+1 is activated.
• The sequential composition terminates upon termination of its last statement pn .
2.3.3
Alternative composition
• Activating p1 8 . . . 8 pn (n ≥ 2) activates the statements p1 , . . . , pn .
2.3. Behavior of compound statements
11
• Execution of an action by any one of the statements p1 . . . pn deactivates the other statements. In this way, execution of the first action makes a choice.
• When one of the statements p1 , . . . , pn terminates, the alternative composition p1 8 . . . 8 pn
also terminates.
2.3.4
Parallelism
• Activating p1 k . . . k pn (n ≥ 2) activates the statements p1 , . . . , pn .
• When a statement pi (1 ≤ i ≤ n) executes an action, the other statements remain unchanged
(active/inactive).
• The parallel composition p1 k . . . k pn terminates when the statements p1 , . . . , pn have all
terminated.
Send and receive statements can be executed only in the context of parallel composition. Consider a parallel composition p1 k . . . k pn (n ≥ 2). A send statement occurring in statement
pi (1 ≤ i ≤ n) can be executed only if simultaneously a receive statement on the same channel, and occurring in another part p j (1 ≤ j ≤ n, i 6= j) of the parallel composition, can be
executed. The result of the simultaneous execution of a send action and a receive action on
the same channel is a communication action. E.g. the simultaneous execution of the send and
receive action in h ! 1 k h ? x leads to a communication action, the result of which is comparable
to execution of the assignment x := 1. If no data is sent via the channel (as in h! k h?), the
resulting communication action is comparable to execution of skip.
Informally, we often refer to the statements p1 , . . . , pn occurring in p1 k . . . k pn as parallel
processes. Parallel processes interact by means of shared variables or by means of synchronous
point-to-point communication or synchronization via a channel. Communication in χ is the
sending of values of one or more expressions by one parallel process via a channel to another
parallel process, where the received values are stored in variables. In case no values are sent
and received, we refer to synchronization instead of communication.
2.3.5
Loop and while statement
Loop statement ∗ p represents the infinite repetition of statement p.
• When ∗ p is activated, p is activated.
• Termination of p results in re-activation of p.
∗
The while statement b → p can be interpreted as ‘while b do p’.
∗
• Activation of b → p when b is true activates p (by means of an unnamed action).
12
Chapter 2. Informal semantics of the Chi language
∗
• Activation of b → p when b is false, leads to termination of the while statement (by means
of an unnamed action).
The two operators can be expressed in terms of a scope statement (see Section 2.3.7) in the
following way:
∗p
, |[ mode X = ( p; X ) :: X ]|
∗
b → p , |[ mode X = ( u → skip; p; X
8 ¬u → skip
)
:: X
]|
∗
In the definition of ∗ p and u → p, identifier X denotes a fresh mode variable not occurring
free in p.
2.3.6
Scope statement declaring variables or channels
The scope statement may introduce new variables and new channels. Any occurrence of a
variable or channel in p that is declared in D refers to that local variable or channel and not
to any more global declaration of the variable or channel with the same name, if such a more
global declaration should exist.
• Activation of a scope statement |[ D :: p ]|, where the local declaration part D introduces
new variables and or channels according to the specification of D in Section 1.1, performs
the variable initializations specified in D and activates statement p.
• Termination of p terminates the scope statement |[ D :: p ]|.
2.3.7
Recursion
Recursion refers to the use of modes in one of the following ways:
• Modes can be declared in the declaration part D of a model. E.g.
model M() = |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|
Here, X 1 . . . X n are identifiers representing different modes, and p1 . . . pn+1 represent statements.
• Modes can be declared using the scope statement. For this purpose, the scope statement is
of the form |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|. This type of scope statement
is referred to as ‘mode scope statement’.
2.3. Behavior of compound statements
13
• Execution of a mode is modeled by means of the mode statement X .
The formal semantics of the scope statement and the mode statement is defined in [3]. Below,
we informally define the semantics of the mode scope statement and the mode statement for a
subset of the Chi language. The subset is defined by means of three restrictions on the use of
the mode scope statement and the mode statement:
• If a mode statement X occurs in a sequential composition, it occurs at the end. This use of
modes is known as tail recursion.
• Mode scope statements and models that declare modes in the declaration part of the model
are ‘complete’. This means that in a mode scope statement, or model statement, of the form
|[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|,
or
model M() = |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|,
respectively, all occurrences of free (unbound) mode identifiers (statements) X i in p j (1 ≤
i ≤ n, 1 ≤ j ≤ n + 1) must be defined in the mode scope statement, or model, respectively.
Formally: freerecvar( p j ) ⊆ {X 1 , . . . , X n } for each 1 ≤ j ≤ n + 1, where freerecvar( p j ) is
a function that returns the set of free (unbound) occurrences of mode identifiers in p j .
• Mode statement do not occur in a parallel composition with other statements. Mode scope
statements are allowed to occur in a parallel composition.
These restrictions ensure that termination of any of the statements pi also terminates the scope
operator itself.
Although mode statements cannot be placed in parallel directly, two mode scope statements can
occur in parallel, as in:
|[ mode X 1 = ( p1 ) :: X 1 ]| k |[ mode X 2 = ( p2 ) :: X 2 ]|,
where the two mode identifiers X 1 and X 2 can of course have the same name, without changing
the meaning of the model.
The meaning of a mode scope statement |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]|
satisfying the restrictions defined above, is as follows:
• Activating the mode scope statement activates the statement pn+1 .
• When a mode statement X i , occurring at the end of a statement p j (1 ≤ j ≤ n + 1), is activated (or deactivated), its corresponding statement pi is activated (or deactivated) instead.
• When a statement p j (1 ≤ j ≤ n + 1) terminates, the mode scope statement terminates.
The meaning of a model M() = |[ mode X 1 = ( p1 ), . . . , mode X n = ( pn ) :: pn+1 ]| is defined
likewise.
14
Chapter 2. Informal semantics of the Chi language
2.4
Behavior of models
Execution of a χ model M, defined as model M(D0 ) = |[ D1 :: p0 ]|, takes place by first
initializing the model, followed by executing a sequence of actions and delays, as defined in
the following sections.
2.4.1
Initialization
Initialization of the model can be defined as a separate step, that does not involve actions, nor
delays:
• All initialization expressions of the variables declared in D1 are evaluated, and the corresponding variables are initialized.
• Statement p0 is activated.
• The variables that are not initialized in D1 , including the dotted continuous variables, are
initialized in such a way that the initialization predicate (predicate u of init u, if present) in
D1 holds, and all active equations and all active invariants hold (if statement eqn u is active,
u holds, and likewise for inv u).
If such an initial solution does not exist, the model has no behavior. If multiple initial solutions
exist, the model may start in any of the allowed initial solutions (nondeterminism).
2.4.2
Action execution
• The model can execute an unnamed action if an active atomic statement can execute an
unnamed action, and the new set of active equations and invariants (after execution of the
action) can be satisfied as follows:
In a skip statement, the values of the discrete and continuous variables remain unchanged,
and the values of the algebraic and dotted variables are changed such that the new set of
active equations and invariants is satisfied.
In an assignment statement x := e, the values of the variables that occur in x change to the
value of e. The values of the other discrete and continuous variables remain unchanged.
The values of the other algebraic and dotted variables are changed such that the new set of
active equations and invariants is satisfied.
• The model can execute a communication action if a pair of an active send statement and
active receive statement, that are placed in parallel, can execute a communication action.
After execution of the communication action, the new set of equations and invariants is
satisfied as follows: for h! k h?, the new values of the variables are defined in a similar
way as specified for the skip statement; and for h ! e k h ? x, the new values of the variables
2.5. Process definition and instantiation
15
are defined in a similar way as specified for the assignment statement x := e. For reasons
of simplicity, we assume that the new set of active equations and invariants can always be
satisfied after a communication action.
2.4.3
Delaying
The model can execute a delay when the following requirements are met:
• All active statements can simultaneously execute the same delay. Note that the set of all
active equations and invariants can delay for as long as they have a solution.
• No communication action is possible at the start of the delay and during the delay. A
communication action may become possible at the end point (last time point) of the delay
(due to the fact that the values of the guards of send or receive statements may become true
while delaying). Communication should not be possible while delaying because, by default,
channels in χ are urgent: communication cannot be postponed by delaying.
2.4.4
Nondeterminism
When different actions and/or delays are possible, any of these can be chosen. This is referred to
as nondeterministic choice. Note that delays may always be shorter than the maximum possible
length.
In models of physical systems, the delay behavior of the continuous and algebraic variables is
usually uniquely determined: there is usually only one solution of the set of active differential
algebraic equations. Multiple delays / solutions can be caused by under-specified systems of
equations, where there are less equations than variables, or by equations or invariants that allow
multiple solutions, such as inv x˙ ≥ 1, inv true or eqn x˙ ∈ [0, 1].
2.5
Process definition and instantiation
To simplify the explanation, process instantiation id(e) is rewritten in a more specific form
id(xn , zm , hl , ek ), where id denotes a process name, xn denotes the continuous variables
x1 , . . . , xn , zm denotes the algebraic variables z 1 , . . . , z m , hl denotes the channels h 1 , . . . , h l ,
and ek denotes the expressions e1 , . . . , ek . Process instantiation enables (re)-use of a process
definition. A process definition is specified once, but it can be instantiated many times, usually
with different parameters.
The meaning of process instantiation
id(xn , zm , hl , ek )
16
Chapter 2. Informal semantics of the Chi language
with corresponding process definition
proc id(cont x0n : tc , alg z0m : ta , chan hl0 {!|?}0 : th , val vk : tv ) = |[ D :: p ]|
is obtained by the syntactical substitution of the process instantiation by
|[ var vk : tv = wk , D :: p ]| [xn , zm , hl , ek /x0 n , z0m , h0m , wk ],
where notation t... denotes a data type, and hl0 {!|?}0 denotes the channels h 01 {!|?}0 , . . . , h l0 {!|?}0 ,
where each channel is optionally postfixed with ! or ?. The meaning of h! or h? in the formal
parameter list is that the use of channel h in p is limited to sending (h!.. or h!!..) or receiving
(h?.. or h??..), respectively. Notation r [b1 , . . . , bi /a1 , . . . , ai ] denotes the statement obtained
from r by syntactic substitution of the free occurrences of the variables/channels a1 , . . . , ai in
r by b1 , . . . , bi , respectively. Free variables (or channels) in p are variables (or channels) that
are not defined in D or in declaration parts of scope operators occurring in p.
The substitution replaces the process instantiation id(xn , zm , hl , ek ) by the process body |[ D ::
p ]|, whereafter the value parameters vk are added to the local declarations D as discrete variables that are initialized to the values of the new variables wk . Finally, the (free) variables
x0 n , z0 m , wk and the (free) channels h0 m occurring in the body are substituted by xn , zm , ek , hl ,
respectively.
The substitution is defined in such a way that no variables from xn , zm or ek , and no channels
from hl become bound. This is the case if the variables xn , zm , the variables occurring in ek ,
and the channels hl are all different from the local variables and channels defined in D and
different from vk . If substitution would cause new bindings, the local variable or local channel
that a variable or channel from xn , zm , ek , or hl would become bound to, is renamed into a fresh
variable or fresh channel before the substitution takes place.
The substitution declares the value parameters vk as local discrete variables with initial values
ev . By convention, however, process term p normally does not change the values of these
variables. In Section 4.2.1, substitution of process instantiations is illustrated by means of an
example.
The substitution is illustrated using a model of a system that consists of two tanks. Each tank is
filled by means of an incoming flow, and emptied by means of an outgoing flow. The outflow
Qout of the first tank is connected to the inflow Qin of the second tank. The volume of each
tank is specified by continuous variable V, and its initial volume is given by parameter V0:
proc T(alg Qin,Qout: real, val V0: real) =
|[ cont V: real = V0
:: eqn dot V = Qin - Qout
]|
model TwoT() =
2.5. Process definition and instantiation
|[
::
||
||
17
alg Q0,Q1,Q2: real
T(Q0,Q1,2.0)
T(Q1,Q2,3.0)
eqn Q0 = 1.0
, Q1 = 1.0
, Q2 = 1.0
]|
The meaning of this model is obtained by substituting the two process instantiations by their
bodies as defined above. This leads to the model:
model TwoT() =
|[ alg Q0,Q1,Q2:real
:: |[ var V0: real = 2.0
, cont V: real = V0
:: eqn dot V = Q0 - Q1
]|
|| |[ var V0:real = 3.0
, cont V:real = V0
:: eqn dot V = Q1 - Q2
]|
|| eqn Q0 = 1.0
, Q1 = 1.0
, Q2 = 1.0
]|
Adding a controller that pumps the contents of the first tank into the second tank leads to the
following model, where process PC models the pump and the controller. The pump is switched
off when the first tank is empty or when the second tank is full (V2 = 1.0), whatever comes
first:
proc T(cont V:real, alg Qin,Qout:real) =
|[ eqn dot V = Qin - Qout ]|
proc PC(cont V1,V2: real, alg Q: real, val Qset: real) =
|[ var n: nat = 0
:: n:= 1; ( V1 <= 0 -> n:= 0
| V2 >= 1 -> n:= 0
)
|| eqn Q = n*Qset
]|
model TwoT2() =
|[ cont V1:real = 2.0
, V2:real = 3.0
, alg Q0,Q1,Q2:real
18
::
||
||
||
Chapter 2. Informal semantics of the Chi language
T(V1,Q0,Q1)
T(V2,Q1,Q2)
PC(V1,V2,Q1,0.5)
eqn Q0 = 0.0
, Q2 = 0.0
]|
The meaning of this model is again obtained by substitution of the process instantiations by
their bodies and subsequent rewriting, which leads to the model:
model TwoT2() =
|[ cont V1: real = 2.0
, V2: real = 3.0
, alg Q0,Q1,Q2: real
:: |[ eqn dot V1 = Q0 - Q1 ]|
|| |[ eqn dot V2 = Q1 - Q2 ]|
|| |[ var Qset: real = 0.5
, n: nat = 0
:: n:= 1; ( V1 <= 0 -> n:= 0
| V2 >= 1 -> n:= 0
)
|| eqn Q1 = n*Qset
]|
|| eqn Q0 = 0.0
, Q2 = 0.0
]|
Chapter 3
Tank level control strategies
In this chapter, the χ language is used for specification and analysis of different control strategies for a nonlinear tank system.
3.1
The controlled tank system
The controlled nonlinear tank system is shown in Figure 3.1. The control system LC tries to
keep the level in the tank close to a set point h set . There is a continuous flow Q out out of the
vessel. The value of this flow depends on the height of the liquid in the vessel. The controller
controls the level of the tank by adjusting the position of the valve, thus controlling the incoming
flow Q in . In the discrete-event controller of the next section the valve can only be switched on
and off. In the continuous and discrete-time controllers of subsequent sections the position of
the valve can be adjusted linearly between 1 (fully open) and 0 (closed).
The tank equations of a tank with no incoming flow, and outgoing flow Q, are derived by means
of the formula
X
X
psource =
ploss
which are assumed to satisfy
ρgh = K L Q 2
Qi
LC
h
Qo
Figure 3.1: The controlled tank system.
19
20
Chapter 3. Tank level control strategies
DE1()
h(time)
Qi(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
5
10
15
20
25
Figure 3.2: Discrete-event on/off control.
where K L is the loss factor. This can be rewritten as
s
√
ρgh
Q=
=k h
KL
3.2
Discrete-event control using repetition
The first controller is a discrete-event controller that keeps the liquid between between two
levels: 0.8 and 1.0. The valve is modeled by the discrete variable n. When the liquid in the
tank drops below 0.8, the valve is opened (n:= 1). When the liquid in the tank rises above 1.0,
the valve is closed (n:= 0). The incoming and outgoing flows are modeled by the algebraic
variables Qi and Qo, respectively. Initially, the volume in the tank equals 0.1, and the valve
is closed (n = 0). Figure
3.2 shows the results of a simulation run. In the model DE1 below,
√
sqrt(h) represents h.
from standardlib import *
model DE1() =
|[ cont
h: real
, alg Qi,Qo: real
, var n
: nat
, A
: real
, k
: real
, Qmax : real
:: eqn dot h = (Qi
,
Qo = k *
= 0.1
= 0
= 10.0
= 0.5
= 1.2
- Qo) / A
sqrt(h)
3.3. Discrete-event control using recursion
21
,
Qi = n * Qmax
|| *( h <= 0.8 -> n:= 1; h >= 1.0 -> n:= 0 )
]|
Eliminating the parameters A,k and Qmax, and using the volume V instead of the height h, leads
to the model:
model DE2() =
|[ cont
V: real = 1.0
, alg Qi,Qo: real
, var n
: nat = 0
:: eqn dot V = Qi - Qo
,
Qo = 0.5 * sqrt(V/10)
,
Qi = n * 1.2
|| *( V <= 8 -> n:= 1; V >= 10 -> n:= 0 )
]|
The controller *(V <= 8 -> n:= 1; V >= 10 -> n:= 0) is correct only for initial conditions satisfying V <= 8 or n = 0. A controller that is correct for all initial conditions is:
*( n = 0 and V <= 8 -> n:= 1
| n = 1 and V >= 10 -> n:= 0
)
3.3
Discrete-event control using recursion
The discrete-event controller
*( V <= 8 -> n:= 1; V >= 10 -> n:= 0 )
can be replaced by the following equivalent controller using a recursion definition:
|[ mode X = (V <= 8 -> n:= 1; V >= 10 -> n:= 0; X )
:: X
]|
This recursion definition can be replaced by two definitions, such that the two modes on (valve
is opened) and off (valve is closed) can be distinguished:
|[ mode off = ( V <= 8 -> n:= 1; on )
, on = ( V >= 10 -> n:= 0; off )
:: off
]|
22
Chapter 3. Tank level control strategies
A controller using modes that is correct for all initial conditions is:
|[ mode off = ( V <= 8 -> n:= 1; on )
, on = ( V >= 10 -> n:= 0; off )
:: n = 0 -> skip; off | n = 1 -> skip; on
]|
Recall from Section 2.1 that a condition u i associated with an expression e1 . Since a mode
statement is no expression, they have to be preceded with an arbitrary expression. A simplified
controller that is also correct for all initial conditions is:
|[ mode off = ( V <= 8 -> n:= 1; on )
, on = ( V >= 10 -> n:= 0; off )
:: off | on
]|
In this case, initially, both modes are activated. This means that initially, both modes off and
on are activated. If both guards are false, then the two initial statements of the modes V <= 8
-> n:= 1 and V >= 10 -> n:= 0 can both delay. When one of the two guard is, or becomes,
true, delaying is no longer possible. After executing the action (n:=1 or n:= 0), the other mode
is disabled, so that subsequently, only one mode is enabled. The complete model is:
model DE3() =
|[ cont
V: real = 1.0
, alg Qi,Qo: real
, var n
: nat = 0
:: eqn dot V = Qi - Qo
,
Qo = 0.5 * sqrt(V/10)
,
Qi = n * 1.2
|| |[ mode off = ( V <= 8 -> n:= 1; on )
, on = ( V >= 10 -> n:= 0; off )
:: off | on
]|
]|
The initial position of the valve is defined by the initial value of variable n.
If the controller does not need to be separated from the physical system, the variable n can be
eliminated by integrating the incoming flow into the control specification. This leads to the
model:
model DE4() =
|[ cont
V: real = 1.0
3.4. P control
23
, alg Qi,Qo: real
:: eqn dot V = Qi - Qo
,
Qo = 0.5 * sqrt(V/10)
|| |[ mode off = ( eqn Qi = 0
| V <= 8 -> skip; on
)
, on = ( eqn Qi = 1.2
| V >= 10 -> skip; off
)
:: off
]|
]|
Here, the initial position of the valve is defined by the initial mode, which is off in the model
DE4(). The model is correct for all initial values of V.
3.4
P control
In this example, the on/off valve used in the previous section is replaced by a valve that can be
adjusted linearly between fully open and closed. The control input of the valve is represented
by variable u; the output of the valve is the flow Qi.
The valve is modeled by means of an equation and a conditional expression:
eqn Qi = ( u < 0
-> 0
| 0 <= u and u <= 1 -> u * Qmax
| u > 1
-> Qmax
)
It is assumed that the valve operates in its linear mode for 0 ≤ u ≤ 1. If the valve is fully opened
(u ≥ 1), the input flow equals Qmax. If u becomes negative, the flow becomes zero.
3.4.1
Continuous-time control
The input variable u of the valve is adjusted by the continuous-time proportional controller,
which consists of (algebraic) equations only. The error is the difference between the required
level hset and the actual level h. The control output u is obtained by multiplying the error by
constant Kp. The χ model of the tank system with a continuous-time proportional controller
follows below (model P_C).
24
Chapter 3. Tank level control strategies
P_C(20)
Qi(time)
Qo(time)
h(time)
e(time)
Qtot(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
5
10
15
20
u(time)
18
16
14
12
10
8
6
4
2
0
0
5
10
15
20
Figure 3.3: Continuous-time P control (Kp = 20).
model P_C(val Kp: real) =
|[ cont
h: real = 0.1
, alg Qi,Qo: real
,
e,u: real
, var hset: real = 1.0
, alg Qtot: real
:: Tank(h,Qi,Qo,u)
|| eqn e = hset - h
, u = Kp * e
|| eqn Qtot = Qi - Qo
]|
where process Tank is defined as:
proc Tank(cont h: real, alg Qi,Qo,u: real) =
3.4. P control
|[ var
,
,
:: eqn
,
,
A
:
k
:
Qmax:
dot h
Qo
Qi
25
real = 10.0
real = 0.5
real = 1.2
= (Qi - Qo) / A
= k * sqrt(h)
= ( u < 0
-> 0.0
| u >= 0 and u <= 1 -> u * Qmax
| u > 1
-> Qmax
)
]|
The results of the simulation run are shown in Figure 3.3, at the top of the figure the model
name can be found along with the parameter value. The ASCII data output of the simulator
(not shown here) shows that the final error hset - h approaches 0.025, which corresponds
to the theoretical expectations. In this proportional controller, the minimum error is directly
proportional to the required inflow Q i . In the linear mode of the valve, Q i = u Q max . Combined
with u = K p e, this leads to e = K p QQimax . The minimum value of Q i is obtained in steady state
conditions when the derivative h˙ (h’ in the model) equals zero, so that Q i = Q o . Figure 3.3
shows that after 20 time units, the value of h does not noticeably increase anymore, so that
steady state conditions
indeed be assumed. Since the error is very small under steady state
√ can √
0.5
conditions, Q o = k h ≈ k h set = 0.5, leading to e = K p QQimax ≈ 20·1
= 0.025.
Hybrid valve model
A alternative model for the valve can be obtained by defining three modes of operation for the
valve in a mode scope statement, and switching between these modes by means of actions:
|[ mode low
, mode lin
= ( eqn
= ( eqn
| u >
| u <
)
, mode high = ( eqn
:: lin
]|
Qi =
Qi =
1 ->
0 ->
0 | u >= 0 -> skip; lin )
u * Qmax
skip; high
skip; low
Qi = Qmax | u <= 1 -> skip; lin )
Initially, mode lin is activated. If, initially, this mode does not correspond to the value of the
input u (u > 1 or u < 0), then one of the statements u > 1 -> skip or u < 0 -> skip will
have a guard that is true. In such a case, delaying will be impossible, and the model will switch
to the correct mode by means of an action. The complete model is given below.
26
Chapter 3. Tank level control strategies
proc TankModes(cont h: real,
|[ var A
: real = 10.0
, k
: real = 0.5
, Qmax: real = 1.2
:: eqn dot h = (Qi - Qo) / A
,
Qo = k * sqrt(h)
|| |[ mode low = ( eqn Qi =
, lin = ( eqn Qi =
| u > 1 ->
| u < 0 ->
)
, high = ( eqn Qi =
:: lin
]|
]|
alg Qi,Qo,u: real) =
0 | u >= 0 -> skip; lin )
u * Qmax
skip; high
skip; low
Qmax | u <= 1 -> skip; lin )
model P_C_M(val Kp,hini: real) =
|[ cont
h: real = hini
, alg Qi,Qo: real
,
e,u: real
, var
hset: real = 1.0
:: TankModes(h,Qi,Qo,u)
|| eqn e = hset - h
, u = Kp * e
]|
There is no visible difference between the graphical output of the simulation of this model,
when started from the initial height hini=0.1, and the simulation results as shown in Figure
3.3. The model starts by executing an action at time 0 (switching to mode high), followed
by a delay until time point 10.12, where an action is executed that switches the mode to lin,
followed by a delay until time 20.
3.4.2
Discrete-time control
For comparison we replace the continuous-time controller by a discrete-time controller, leading
to the model P_DT. It is a discrete-time controller, because it takes a sample of the level of the
liquid every ts seconds. In the repetition of the discrete-time controller, the error e (e:= hset
- h) and the control output u (u:= Kp * e) are calculated first. After this, the sampler waits
for ts seconds. Since the assignments are non-delayable, the model can do time steps only
when the delay statement delay ts is active. Therefore, the samples are spaced at exactly ts
seconds.
Figure 3.4 shows the simulation results, which are similar to the results shown in Figure 3.3.
The graph clearly shows that the control output stays constant in a sample period.
3.4. P control
27
P_DT(20, 0.5)
Qi(time)
Qo(time)
h(time)
e(time)
Qtot(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
5
10
15
20
u(time)
18
16
14
12
10
8
6
4
2
0
0
5
10
15
20
Figure 3.4: Discrete-time P control (Kp = 20, ts = 0.5).
model P_DT(val Kp,ts:
|[ cont
h: real =
, alg Qi,Qo: real
, var
hset: real =
,
e: real
,
u: real =
, alg Qtot: real
:: Tank(h,Qi,Qo,u)
|| *( e := hset - h
; u := Kp * e
; delay ts
)
|| eqn Qtot = Qi - Qo
]|
real) =
0.1
1.0
0.0
28
Chapter 3. Tank level control strategies
PI_CD(20, 2)
Qi(time)
Qo(time)
h(time)
Qtot(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
10
20
30
40
50
60
u(time)
Kp_e(time)
Ki_Ie(time)
18
16
14
12
10
8
6
4
2
0
0
10
20
30
40
50
60
Figure 3.5: Continuous PI control (Kp = 20, Ki = 2).
3.5
3.5.1
PI control
Continuous-time control
To eliminate the final error of the proportional controller, an integral action is introduced in
model PI_CD. The integral term is represented by the variable Ie. This integral action is
switched on after 20 time units for comparison. The result of the simulation run is shown
in Figures 3.5 and 3.6. The figures clearly shows that the final error e now approaches zero as
a result of the integral action.
model PI_CD(val Kp,Ki: real) =
|[ cont
h: real = 0.1, Ie: real = 0.0
, alg Qi,Qo: real
,
e,u: real
, var hset: real = 1.0
3.5. PI control
29
PI_CD(20, 2)
1
u(time)
Kp_e(time)
Ki_Ie(time)
0.8
0.6
0.4
0.2
0
0
10
20
30
40
50
60
Figure 3.6: Continuous PI control (Kp = 20, Ki = 2).
,
b: bool = false
, alg Qtot,Kp_e,Ki_Ie: real
:: Tank(h,Qi,Qo,u)
|| eqn
e = hset - h
, dot Ie = (not b -> 0.0 | b -> e)
,
u = Kp * e + Ki * Ie
|| delay 20; b:= true
|| eqn Kp_e = Kp * e
, Ki_Ie = Ki * Ie
, Qtot = Qi - Qo
]|
In the model PI_C, shown below, the integral action is active from the start. Figures 3.7 and 3.8
show that this leads to a considerable overshoot initially, and the settling time becomes much
longer. This integrator windup is caused by the fact that initially the output saturates: no matter
how big the value of u, the incoming flow cannot be bigger than Qmax. This causes the error to
stay big for a long time. The integrator initially integrates this big error, leading to overshoot.
model PI_C(val Kp,Ki: real) =
|[ cont
h: real = 0.1, Ie: real = 0.0
, var hset: real = 1.0
, alg Qi,Qo: real
,
e,u: real
, alg Qtot,Kp_e,Ki_Ie: real
:: Tank(h,Qi,Qo,u)
|| eqn
e = hset - h
, dot Ie = e
30
Chapter 3. Tank level control strategies
PI_C(20, 2)
1.4
Qi(time)
Qo(time)
h(time)
Qtot(time)
1.2
1
0.8
0.6
0.4
0.2
0
-0.2
0
20
40
60
80
100
u(time)
Kp_e(time)
Ki_Ie(time)
15
10
5
0
-5
0
20
40
60
80
100
Figure 3.7: Continuous PI control (Kp = 20, Ki = 2).
,
u = Kp * e + Ki * Ie
|| eqn Kp_e = Kp * e
, Ki_Ie = Ki * Ie
, Qtot = Qi - Qo
]|
3.5.2
Discrete-time control
For the discrete-time version of the controller PI_CD, the integral of the error Ie is calculated
by cumulative addition of the product of the error and the sample time. Figure 3.9 shows the
simulation results.
model PI_DT(val Kp,Ki,ts: real) =
3.6. PI control with anti-windup
31
PI_C(20, 2)
2
u(time)
Kp_e(time)
Ki_Ie(time)
1.5
1
0.5
0
-0.5
-1
0
20
40
60
80
100
Figure 3.8: Continuous PI control (Kp = 20, Ki = 2).
|[ cont
h: real = 0.1
, alg Qi,Qo: real
, var
hset: real = 1.0
,
e: real = 0.0
,
Ie: real = 0.0
,
u: real = 0.0
, alg Qtot,Kp_e,Ki_Ie: real
:: Tank(h,Qi,Qo,u)
|| *( e := hset - h
; Ie := Ie + e * ts
; u := Kp * e + Ki * Ie
; delay ts
)
|| eqn Kp_e = Kp * e
, Ki_Ie = Ki * Ie
, Qtot = Qi - Qo
]|
3.6
PI control with anti-windup
Several anti-windup strategies are treated in the literature (e.g. [5]). Here we use a strategy for
discrete-time controllers. The process PIA_DT with anti-windup is shown below. The amount
of saturation of the output (u − 1 for u > 1, and u for u < 0) is subtracted from the integral term
Ie in order to reduce the saturation effect. This may initially lead to negative values of Ie, as
is shown in Figures 3.10 and 3.11. After 25 time units, the value of the error e (hset − h) is
smaller than 0.0001.
32
Chapter 3. Tank level control strategies
PI_DT(20, 2, 0.5)
Qi(time)
Qo(time)
h(time)
Qtot(time)
1
0.5
0
-0.5
0
10
20
30
40
50
20
u(time)
Kp_e(time)
Ki_Ie(time)
15
10
5
0
-5
0
10
20
30
40
50
Figure 3.9: Discrete-time PI control (Kp = 20, Ki = 2, ts = 0.5).
model PIA_DT(val Kp,Ki,ts: real) =
|[ cont
h: real = 0.1
, alg Qi,Qo: real
, var
e: real = 0.0
, hset: real = 1.0
,
Ie: real = 0.0
,
u: real = 0.0
, alg Kp_e: real, var Ie0: real
:: Tank(h,Qi,Qo,u)
|| *( e := hset - h
; Ie:= Ie + Ki * e * ts; Ie0:= Ie
; u:= Kp * e + Ie
; ( u < 0.0
-> Ie:= Ie - u
| 0.0 <= u and u <= 1.0 -> skip
| u > 1.0
-> Ie:= Ie - (u - 1)
3.6. PI control with anti-windup
33
PIA_DT(10, 5, 1)
Qi(time)
Qo(time)
h(time)
e(time)
1.2
1
0.8
0.6
0.4
0.2
0
0
5
10
15
20
25
u(time)
Kp_e(time)
Ie0(time)
Ie(time)
10
5
0
-5
0
5
10
15
20
25
Figure 3.10: Discrete-time PI control with anti-windup (Kp = 10, Ki = 5, ts = 1).
)
; delay ts
)
|| eqn Kp_e = Kp * e
]|
34
Chapter 3. Tank level control strategies
PIA_DT(10, 5, 1)
2
u(time)
Kp_e(time)
Ie0(time)
Ie(time)
1.5
1
0.5
0
-0.5
-1
-1.5
-2
0
5
10
15
20
25
Figure 3.11: Discrete-time PI control with anti-windup (Kp = 10, Ki = 5, ts = 1).
Chapter 4
Hybrid automata related modeling
4.1
Constrained pendulum
Figure 4.1 shows a constrained pendulum that is also defined in [6]. The equations of motion
of this pendulum are given by Equation 4.1. The angle between the pendulum and the vertical
is denoted by θ , ω denotes the angular velocity of the pendulum, and l denotes the distance
between the rotation point and the mass.
θ˙ = ω
(4.1)
ml ω˙ = −mg sin(θ ) − dlω
O
O
Lp
Lp
P
θp
θp
P
L
−θ
Ls = L − Lp
θ
m
m
Figure 4.1: Constrained Pendulum.
The mass and maximum length of the pendulum are represented by m and L, respectively. The
damping coefficient and the acceleration due to gravity are denoted by d and g. The angle of
the constraint is denoted by θp . In order to keep the example as small and clear as possible, it is
35
36
Chapter 4. Hybrid automata related modeling
assumed that θp ≥ 0 and |θ | ≤ π/2. Also, it is assumed that the pendulum always remains in a
straight line from the rotation point to the end point. The χ model is:
model Pendulum(val θ0 , ω0 , d, m, g : real) =
|[ cont θ : real = θ0 , ω : real = ω0 , alg l : real
:: |[ mode long = ( (eqn l = L k inv θ ≤ θp ) 8 [ω := LLs ω]; short )
, mode short = ( (eqn l = L s k inv θ ≥ θp ) 8 [ω := LLs ω]; long )
:: (skip; long 8 skip; short)
]|
k eqn θ˙ = ω
, ml ω˙ = −mg sin(θ ) − dlω
]|,
where θ0 and ω0 denote constants representing the initial values of θ and ω, respectively. When
θ ≤ θp or θ ≥ θp , the pendulum can delay in mode long or short, respectively. In mode long,
the assignment ω := LLs ω can be executed only if the invariant inv θ ≥ θp of mode short can
be satisfied in the new state after the assignment to ω, because active invariants (and equations)
must always be satisfied. Notice that the equation eqn l = L s can always be satisfied. Therefore,
mode switches are possible only for θ = θp . The assignment [ω := LLs ω] must be delayable,
because otherwise the assignment and the alternative composition would not be able to delay.
Note that the model allows infinite switching between modes long and short, without progress
of time, when θ = θp . This switching behavior can, in principle, be avoided by guarding the
delayable assignments [ω := LLs ω] and [ω := LLs ω] with (non-trivial) conditions that prevent
mode switching when no delay behavior is possible in the new mode.
4.2
Bottle filling line
Figure 4.2 shows a bottle filling line, based on [1], consisting of a storage tank that is continuously filled with a flow Q in , a conveyor belt that supplies empty bottles, and a valve that is
opened when an empty bottle is below the filling nozzle, and is closed when the bottle is full.
When a bottle has been filled, the conveyor starts moving to put the next bottle under the filling
nozzle, which takes one unit of time. When the storage tank is not empty, the bottle filling
flow Q equals Q set . When the storage tank is empty, the bottle filling flow equals the flow Q in .
The system should operate in such a way that overflow of the tank does not occur. We assume
Q in < Q set .
Figure 4.3 shows an iconic representation of the model of the filling line. It consists of the
processes Tank and Conveyor that interact by means of the channels open and close, and shared
variable Q. The model is defined below. It has two parameters: the initial volume VT0 of the
storage tank, and the value Q in of the flow that is used to fill the storage tank. The constants Q set ,
VTmax , and VBmax define the maximum value of the bottle filling flow Q, the maximum volume
of the storage tank, and the filling volume of the bottles, respectively. The model FillingLine
4.2. Bottle filling line
37
Q in
T ank
VT
Q
open
Q
close
VB
Conveyor
Figure 4.2: Filling Line.
Figure 4.3: Iconic model of the filling line.
consists of the algebraic variable Q, the channels open and close, and the parallel composition
of the process instantiations for the tank and the conveyor.
const Q set : real = 3
, VTmax : real = 20
, VBmax : real = 10
model FillingLine(val VT0 , Q in : real) =
|[ alg Q : real, chan open, close : void
:: Tank(Q, open, close, VT0 , Q in ) k Conveyor(Q, open, close)
]|
The tank process has a local continuous variable VT that is initialized to VT0 . Its process body
is a mode scope statement consisting of three modes: closed, opened, and openedempty that
correspond to the valve being closed, the valve being open, and the valve being open while the
storage tank is empty. In the mode opened, the storage tank is usually not empty. When the
storage tank is empty in mode opened, the delayable skip statement [skip] may be executed
causing the next mode to be openedempty. The skip statement can be executed only if the
invariant in the next mode openedempty holds. This means, among others, that VT = 0 must
hold. Therefore, the transition to mode openedempty can be taken only when the storage tank
is empty.
proc Tank(alg Q : real, chan open?, close? : void, val VT0 , Q in : real) =
|[ cont VT : real = VT0
:: |[ mode closed =
( (eqn V˙T = Q in , Q = 0 k inv 0 ≤ VT ≤ VTmax ) 8 open?; opened )
, mode opened =
38
Chapter 4. Hybrid automata related modeling
( (eqn V˙T = Q in − Q , Q = Q set k inv 0 ≤ VT ≤ VTmax )
8 [skip]; openedempty
8 close?; closed
)
, mode openedempty =
( (eqn Q = Q in k inv VT = 0) 8 close?; closed )
:: closed
]|
]|
Process Conveyor supplies an empty bottle in 1 unit of time (VB := 0; 11). Then it synchronizes
with the storage tank process by means of the send statement open!, and it proceeds in mode
filling. When the bottle is filled in mode filling (VB ≥ VBmax ), the process synchronizes with the
storage tank to close the valve and returns to mode moving. The initial mode is moving.
proc Conveyor(alg Q : real, chan open!, close! : void) =
|[ cont VB : real = 0
:: |[ mode moving = ( VB := 0; 11; open!; filling )
, mode filling = ( VB ≥ VBmax → close!; moving )
:: moving
]|
k eqn V˙B = Q
]|
Figure 4.4 shows the results of the first 12 time units of a simulation run of the model
FillingLine(5, 1.5), that is with model parameters VT0 = 5 and Q in = 1.5. The graph shows that
the first bottle is filled from time point 1 until time point 1 + 10/3 ≈ 4.33. Filling of the second
bottle starts 1 time unit later, and somewhat after 7 time units, the storage tank becomes empty,
so that filling continues at the reduced flow rate.
4.2.1
Elimination of process instantiation
Elimination of the process instantiations for the Tank and Conveyor processes by replacing the
process instantiations by their definitions, as defined in [4], leads to the following model:
model FillingLine(val VT0 , Q in : real) =
|[ alg Q : real, chan open, close : void
L
:: |[ cont VT : real = VT0
L
, var VT0 : real = VT0 , Q Lin : real = Q in
:: |[ mode closed =
( (eqn V˙T = Q Lin , Q = 0 k inv 0 ≤ VT ≤ VTmax ) 8 open?; opened )
, mode opened =
( (eqn V˙T = Q Lin − Q , Q = Q set k inv 0 ≤ VT ≤ VTmax )
4.2. Bottle filling line
39
14
VT
VB
Q
12
10
8
6
4
2
0
0
2
4
6
8
10
12
time
Figure 4.4: Simulation results of model FillingLine.
8 [skip]; openedempty
8 close?; closed
)
, mode openedempty =
( (eqn Q = Q Lin k inv VT = 0) 8 close?; closed )
:: closed
]|
]|
k |[ cont VB : real = 0
:: |[ mode moving = ( VB := 0; 11; open!; filling )
, mode filling = ( VB ≥ VBmax → close!; moving )
:: moving
]|
k eqn V˙B = Q
]|
]|
To avoid naming conflicts between the formal parameters VT0 and Q in declared in the process
definition for process Tank, and the actual arguments VT0 and Q in in the process instantiation
Tank(Q, open, close, VT0 , Q in ), the newly defined local discrete variables that are used to hold
L
and Q Lin .
the values of the last two parameters of the process instantiation, are renamed to VT0
40
Chapter 4. Hybrid automata related modeling
Chapter 5
Examples
In this chapter, the χ formalism is illustrated by several examples taken from various application
domains.
5.1
Dry friction
A model that combines assignments to discrete variables occurring in equations and assignments to differential variables, deals with modeling of dry friction as shown in Figure 5.1.
x
Fn
Fd
Ff
Fz
Figure 5.1: Dry friction.
A driving force Fd is applied to a body on a flat surface with frictional force Ff. When the body
is moving with positive velocity v, the frictional force is given by Ff = mu * Fn, where Fn =
m * g. When the velocity of the body is 0, the frictional force neutralizes the applied driving
force. If the driving force exceeds mu0 * Fn, the body suddenly starts moving according to
dot v = (Fd - Ff)/m.
In model Fiction, dry friction is modeled in a mode scope statement. Each mode represents a
possible state of the body, having positive, zero of negative velocity. In the modes guards are put
alternative to equations. As long as the guards can delay, the alternative composition can delay
41
42
Chapter 5. Examples
Ff
mu0*Fn
mu*Fn
v
Figure 5.2: Dry friction in relation to velocity.
and the equations will be solved. When the guards can do an action, the alternative composition
can delay no longer and the action execution will terminate the alternative composition and
therefore the equation. In the new mode the equations are enabled and they can delay as long
as the guards can delay.
The initial mode is determined by means of an alternative composition depending on the initial
value of v. A case of special interest occurs when the driving force Fd drops below -mu0 * Fn
before the speed v becomes smaller than 0. In this case when the speed becomes negative, both
guards are true at the same time and a choice will be made between the different expressions
non-deterministically. Either the second expression is chosen and the mode neg will become
active, or the first expression is chosen and the mode stop will become active. When in mode
stop, the second guard is immediately true and the mode neg will become active. It is therefore
arguable to leave out the second guards for the positive and negative modes and always let the
changing of modes happen via stop, thus making the model deterministic. Note that taking the
equation for dot v out of the mode scope and putting it in parallel as is done with Fn, Fd and
dot x is also possible.
from standardlib import *
model Friction() =
|[ cont x: real = -2.0,
, alg Fd
, Ff
, Fn : real
, var m: real
= 1.0
, g: real
= 10.0
, mu0: real = 0.18
, mu: real = 0.1
:: eqn Fn = m * g
, Fd = 2 * sin(0.25
, dot x = v
v:
//
//
//
//
//
//
//
real = 0.0
driving force
friction force
normal force due to gravity
mass of body
gravity
friction coefficient for zero velocity
friction coefficient for non-zero velocity
* 3.14 * time)
5.1. Dry friction
43
Friction()
x(time)
v(time)
Fd(time)
Ff(time)
2
1.5
1
0.5
0
-0.5
-1
-1.5
-2
0
2
4
6
8
10
Figure 5.3: Friction simulation.
|| |[ mode pos =
( eqn dot v = (Fd - Ff) / m
,
Ff = mu * Fn
| Fd <
mu * Fn and v <= 0 ->
| Fd <= -mu0 * Fn and v <= 0 ->
)
, mode stop =
( eqn dot v = 0
,
Ff = Fd
| Fd >= mu0 * Fn -> skip; pos
| Fd <= -mu0 * Fn -> skip; neg
)
, mode neg =
( eqn dot v = (Fd - Ff) / m
,
Ff = -mu * Fn
| Fd > -mu * Fn and v >= 0 ->
| Fd >= mu0 * Fn and v >= 0 ->
)
:: ( v > 0 -> skip; pos
| v = 0 -> skip; stop
| v < 0 -> skip; neg
)
]|
]|
v:= 0.0; stop
skip; neg
v:= 0.0; stop
skip; pos
44
5.2
Chapter 5. Examples
Bottle filling system
The bottle filling system from Figure 5.4 consists of a liquid storage tank, and two identical
bottle filling lines.
Q a , ca
Qu
VT , n , c, pH
Q F1
Q F2
Figure 5.4: The bottle filling system.
The bottles are filled with liquid from the storage tank. A control system keeps the volume Vt
in the storage tank between 2 and 10, and the pH level (acidity) of the liquid in the storage
tank between 7 and 7.1. The liquid in the storage tank slowly becomes less acidic (pH level
increases). To correct this, a strong acid is dribbled into the storage tank when the acidity of the
liquid becomes too low (pH >= 7.1).
Figure 5.5 shows the iconic model of the bottle filling system. The lines ending in a small circle
represent shared variables (VT , Q F1 , Q F1 ).
T
VT
VT
Q F1
F
Q F2
F
Figure 5.5: Iconic representation of the bottle filling system model.
The acid and liquid supply processes are not modeled, since we consider the acid and liquid
always to be available, and we are not interested in the amount of acid or liquid that is used.
The χ specification of the bottle filling system is as follows:
5.2. Bottle filling system
45
from standardlib import *
model BottleFilling() =
|[ cont Vt: real = 2.0
, alg Qf1,Qf2: real
:: T(Vt,Qf1,Qf2)
|| F(Vt,Qf1)
|| F(Vt,Qf2)
]|
The storage tank and the two bottle filling lines are connected by means of the variables Qf1,
and Qf2, respectively. Since a bottle may start filling only if the storage tank contains at least a
volume of 0.7, the volume Vt of the storage tank is available in both bottle filling processes.
The molar quantity and molar concentration of the acid in the storage tank are denoted by n and
c, respectively, where n=cV. The incoming flows of liquid and acid of the liquid storage tank T
are denoted by Qu and Qa, respectively. The outgoing flows to the two bottle filling processes
are denoted by Qf1 and Qf2, respectively.
It is assumed that the liquids are incompressible, and that the volumes of the fluids remain the
same when they are mixed. In such a case, the volume V of the mixed liquid equals the sum of
its components which leads to the equation
dot V = Qu + Qa - Qf1 - Qf2.
Next, the mass balance (actually mol balance) for the dissolved substance is derived. Acid
comes into the tank by means of the flows Qu and Qa. Acid leaves the tank in outgoing flows
Qf1 and Qf2. Because the concentrations are in [mol/m3 ], they can be directly multiplied with
the flows (in [m3 /s]), which leads to
dot n = cu*Qu + ca*Qa - c*Qf1 - c*Qf2,
where cu and ca denote the concentrations of acid in the flows Qu and Qa. The gradual reduction
of the acidity of the liquid is modeled by means of a constant Kloss, which leads to
dot n = cu*Qu + ca*Qa - c*Qf1 - c*Qf2 - Kloss*V.
It is assumed that the acid is completely decomposed. Taking into account that the units of c
are in [mol/m3 ] instead of [mol/l], the pH is given by
pH = -log (c/1000).
The χ specification of the liquid storage tank follows below, where symbols Qseta, Qsetu, ca,
cu and Kloss denote constants:
46
Chapter 5. Examples
proc T(cont V: real, alg Qf1,Qf2: real) =
|[ var alpha: nat = 0, beta: nat = 0
, cont n: real
, alg pH: real
, c,Qa,Qu: real
, var Qseta: real = 0.5
, Qsetu: real = 1.5
, ca:
real = 0.0005
, cu:
real = 0.0
, Kloss: real = 0.000002
, init pH = 7.0
:: eqn dot V = Qu + Qa - Qf1 - Qf2
, dot n = cu*Qu + ca*Qa - c*Qf1 - c*Qf2 - Kloss*V
,
n = c*V
,
pH = -log (c/1000)
,
Qa = alpha*Qseta
,
Qu = beta*Qsetu
|| *( pH >= 7.1 -> alpha := 1; pH <= 7 -> alpha := 0 )
|| *( V <= 2 -> beta := 1; V >= 10 -> beta := 0 )
]|
In most cases, the differential variables, in this case V and n, are declared as continuous variables. The other variables, not occurring with a dot (derivative) are then declared as algebraic
variables. This ensures that the differential variables can be assigned new values, causing discontinuities. The algebraic variables will then simultaneously jump to their new values satisfying the equations. This declaration scheme is used in process T. Variable V is an external
variable that is declared as a continuous variable in the preceding χ process that defines the
complete bottle filling system.
Note that even though pH is an algebraic variable, which is not normally assigned new values,
pH can be initialized, in this case to a value of 7, in the initialization predicate. In this case the
differential variable n does not have to be initialized.
In process T, the only discontinuities in continuous variables occur in the flows Qf1, Qf2, Qa,
and Qu, that are switched on and off discontinuously in process T, and in process F that follows
below. Therefore, the algebraic variables apart from these flows could just as well have been
declared as continuous variables as in cont n,pH,c.
The behavior of the model is explained as follows. Initially, the pH of the liquid in the storage
tank equals 7. It is assumed that the pH level of the incoming liquid is 7 or more, since the
acidity controller can only make the acidity of the storage tank increase, causing the pH to
decrease. If the pH value exceeds the maximum value (pH >= 7.1), the acid valve is opened
(alpha := 1) so that acid is dribbled into the tank. Dribbling of the acid continues until the pH
value comes back at 7, and the valve is closed (alpha := 0). In a similar way, the controller
tries to keep the level of the storage tank between 2 and 10.
5.3. Conveyor system
47
The model of a bottle filling line follows below, where symbols Qf, and ttr denote constants.
proc F(cont Vt: real, alg Qf: real) =
|[ var alpha: nat = 0, cont V: real = 0.0
, var Qsetf: real = 1.0, ttr: real = 0.2
:: eqn dot V = Qf
,
Qf = alpha*Qsetf
|| *( Vt >= 0.7 -> alpha := 1
; alpha = 1 *> ( V >= 1 -> alpha := 0
| Vt <= 0.5 -> alpha := 0; Vt >= 0.7 -> alpha := 1
)
; delay ttr; V := 0.0
)
]|
The valve switching the flow Qf is modeled by means of the discrete variable alpha. When the
volume in the storage tank is at least 0.7, the bottle filling process can be started (alpha :=
1). Filling stops when the volume in the storage tank drops below 0.5 (Vt <= 0.5 -> alpha
:= 0). Filling resumes when the volume in the storage tank is at least 0.7. Filling also stops
when the bottle is full (V >= 1 -> alpha := 0). The time needed to place a new bottle under
the filling nozzle is given by ttr. After that, the bottle volume is reset to 0, which models the
arrival of a new bottle, and the filling process is repeated.
In Figure 5.6 the model is simulated. The two bottles are filled at the same time so these lines
are the same. The volume of the storage tank, Vt, increases over time when the bottles are
not being filled, however when the bottles are being filled the volume sometimes decreases and
sometimes it stays constant. This is due to the contribution of the acid to the inflow of the tank.
Also the Ph of the liquid is plotted. Because of the increase of the volume in the tank over time,
the frequency at which the Ph alternates decreases over time.
5.3
Conveyor system
Figure 5.7 shows a conveyor system that is used for transportation and buffering of boxes. It
consists of a line of conveyor belts driven by motors. Each conveyor belt is equipped with a
sensor (represented in the figure by a small rectangle), that detects the presence of a box.
In the models below, we use the following values for the dimensions of the conveyor system:
• lc = 6 (length of the conveyor)
• lb = 4 (length of the box)
• ls = 1 (distance of the sensor to end of conveyor)
48
Chapter 5. Examples
BottleFilling()
Vt(time)
3.5
3
2.5
2
0
2
4
6
8
10
1
0.8
0.6
0.4
0.2
0
Qf1(time)
0
2
4
6
8
10
1
0.8
0.6
0.4
0.2
0
Qf2(time)
0
2
4
6
8
10
7.1
7.08
7.06
7.04
7.02
7
pH(time)
0
2
4
6
8
10
Figure 5.6: Bottle filling system.
lc
ls
lb
x
V
Figure 5.7: The conveyor system.
V
5.3. Conveyor system
5.3.1
49
A process for each conveyor belt
Figure 5.8 shows the iconic model of a generator G, two conveyor belts V and the associated
control processes C. Processes Vend and Cend are added to obtain a closed system; they do not
model actual behavior. The model is a simplified version of the model treated in [2]. The dashed
lines with arrow heads represent directed synchronization channels (pc0 , pc1 , pc2 , p0 , p1 , p2 ),
and the lines ending in a small circle represent shared variables (s0 , s1 , v0 , v1 ).
pc1
C1
pc2
C1
Cend
pc0
v0
s0
G
s0
s1
v1
s1
p0
V1
p1
V1
p2
Vend
Figure 5.8: Iconic model of the conveyor system for process per belt.
Global position variable declarations
The χ specification of the iconic model from Figure 5.8 is as follows:
model C1V1(val x1ini,x2ini: real) =
|[ cont x1: real = x1ini, x2: real = x2ini
, var v1: nat = 0, v2: nat = 0
, s0: bool = false, s1: bool = false, s2: bool = false
, chan pc0,pc1,pc2: void
, p0,p1,p2: void
:: G(pc0,p0)
|| C1(v1,s1,pc0,pc1) || V1(x1,v1,s0,s1,p0,p1)
|| C1(v2,s2,pc1,pc2) || V1(x2,v2,s1,s2,p1,p2)
|| Cend(pc2)
|| Vend(s2,p2)
]|
Channels p0 , p1 , p2 are used to synchronize the box transition from the current to the next belt.
Channels pc0 , pc1 , pc2 are directed synchronization channels. Variables s0 , s1 , v0 , v1 are shared
variables, where s0 and s1 represent the sensors that indicate the presence of a box, and v0 and
v1 are actuators that determine the velocity of the respective conveyors. The process definitions
are:
50
Chapter 5. Examples
proc G(chan pc!: void, p!: void) =
|[ *( pc!; delay 1.0; p!! ) ]|
proc Cend(chan pc?: void) =
|[ * pc? ]|
proc V1( cont x: real, var v: nat, var sprev: bool, s: bool, chan pin?,pout!: void) =
|[ eqn dot x = ( x < -0.5 -> 0.0 | x >= -0.5 -> v*1.0 )
|| |[ mode waitforSensor =
( x >= 5 -> s:= true
; x >= 6 and v > 0 -> pout!
; x := -1.0; waitforTray
)
, mode waitforTray =
( pin?
; x:= 0.0
; x >= 3 -> sprev:= false; waitforSensor
)
:: ( x = -1
-> skip; waitforTray
| x >= 0 and x < 3 -> !! "Error, incorrect initial value for x"
; deadlock
| x >= 3
-> skip; waitforSensor
)
]|
]|
proc Vend(var sprev: bool, chan pin?: void) =
|[ cont x: real = -1.0
:: eqn dot x = ( x < -0.5 -> 0.0 | x >= -0.5 -> 1.0 )
|| *( pin?
; x:= 0.0
; x >= 3 -> sprev, x := false, -1.0
)
]|
Conservative control strategy For this system, different control strategy’s are possible. We
first start with a conservative control strategy, where a new box is allowed to enter the belt, after
the previous box has passed the sensor completely.
proc C1(var v: nat, var s: bool, chan pcin?,pcout!: void) =
|[ mode emptyon = ( ( pcin?
| delay 5.0; v:= 0; pcin?; v:= 1
)
; entering
)
, mode entering = ( s -> skip; atsensor)
5.3. Conveyor system
51
C1V1(-(1), -(1))
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
25
30
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
25
30
Figure 5.9: Conveyors initially empty.
, mode atsensor = ( pcout!; leaving
| delay 0.2; v:= 0; pcout!; v:= 1; leaving
)
, mode leaving = ( not s -> skip; emptyon
)
:: v:= 1
; ( s -> skip; atsensor
| delay 3.0; emptyon
)
]|
Figures 5.9 and 5.10 show simulation results for conveyors that are initially empty for and
conveyors where the initial positions of the boxes are 4,3, respectively. Figure 5.11 shows the
simulation result for initially only a box on the first conveyor.
High throughput control strategy The throughput of the system can be improved by allowing boxes to enter as soon as the current box on the belt is leaving this belt. To achieve this
goal, a new mode is added to the controller, allowing a box to enter as soon as the current box
is leaving the belt.
proc C2(var v: nat, var s: bool, chan pcin?,pcout!: void) =
|[ mode emptyon = ( ( pcin?
| delay 5.0; v:= 0; pcin?; v:= 1
)
52
Chapter 5. Examples
C1V1(4, 3)
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
Figure 5.10: Conveyors with boxes initially present.
C1V1(4, -(1))
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
Figure 5.11: Conveyors with box initially present on first conveyor only.
5.3. Conveyor system
,
,
,
,
::
;
53
; entering
)
mode entering = ( s -> skip; atsensor)
mode atsensor = ( pcout!; leaving
| delay 0.2; v:= 0; pcout!; v:= 1; leaving
)
mode leaving = ( not s -> skip; emptyon
| pcin?; leaving_entering
)
mode leaving_entering = ( not s -> skip; entering )
v:= 1
( s -> skip; atsensor
| delay 3.0; emptyon
)
]|
The other processes remain the same, leading to model C2V1.
model C2V1(val x1ini,x2ini: real) =
|[ cont x1: real = x1ini, x2: real = x2ini
, var v1: nat = 0, v2: nat = 0
, s0: bool = false, s1: bool = false, s2: bool = false
, chan pc0,pc1,pc2: void
, p0,p1,p2: void
:: G(pc0,p0)
|| C2(v1,s1,pc0,pc1) || V1(x1,v1,s0,s1,p0,p1)
|| C2(v2,s2,pc1,pc2) || V1(x2,v2,s1,s2,p1,p2)
|| Cend(pc2)
|| Vend(s2,p2)
]|
pc1
C2
pc2
C2
Cend
pc0
v0
s0
G
s0
v1
s1
s1
p0
V1
p1
V1
p2
Vend
Figure 5.12: Iconic model for process per belt with high throughput.
Figures 5.13 and 5.14 show simulation results for conveyors that are initially empty for and
conveyors where the initial positions of the boxes are 4,3, respectively. Figure 5.13 shows the
54
Chapter 5. Examples
C2V1(-(1), -(1))
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
Figure 5.13: Conveyors initially empty.
desired behavior, with boxes entering a belt as soon as this is allowed be the controller. Figure
5.14 however, shows undesired behavior. Somehow the box on the first belt is not allowed to
enter the second belt and continuing on the first belt beyond position 6. This is physically not
possible. Figure 5.15 zooms in on this. The cause of this lies in the process of the belt V1. In
the mode waitforSensor, the synchronization pout! is delayable, allowing the box to move
beyond position 6.
Improved belt model In order to eliminate the possibility for boxes to go beyond position
6, the process of the belt has been improved, leading to model C2V2. In Figure 5.16 the corresponding iconic model is given. Here the solid lines with arrow heads represent directed
communication channels, since now the position of the box is communicated.
proc G2(chan pc!: void, p!: real) =
|[ *( pc!; delay 1.0; p!!0.0 ) ]|
proc V2( cont x: real, var v: nat, var sprev: bool, s: bool, chan pin?,pout!: real) =
|[ eqn dot x = ( x < -0.5 -> 0.0 | x >= -0.5 -> v*1.0 )
|| |[ mode waitforSensor =
( x >= 5 -> s:= true
; x >= 6 and v > 0 -> pout! x - 6
; x := -1.0; waitforTray
)
, mode waitforTray =
5.3. Conveyor system
55
C2V1(4, 3)
6
5
4
3
2
1
0
x2(time)
v2(time)
s2(time)
0
5
10
15
20
x1(time)
v1(time)
s1(time)
6
5
4
3
2
1
0
-1
0
5
10
15
20
Figure 5.14: Conveyors with boxes initially present.
C2V1(4, 3)
6.5
x1(time)
v1(time)
s1(time)
6
5.5
5
4.5
4
0
1
2
3
4
5
Figure 5.15: Conveyors with boxes initially present.
(
;
)
:: ( x
| x
pin?x
x >= 3 -> sprev:= false; waitforSensor
= -1
-> skip; waitforTray
>= 0 and x < 3 -> !! "Error, incorrect initial value for x"
; deadlock
| x >= 3
-> skip; waitforSensor
)
]|
56
Chapter 5. Examples
]|
model C2V2(val x1ini,x2ini: real) =
|[ cont x1: real = x1ini, x2: real = x2ini
, var v1: nat = 0, v2: nat = 0
, s0: bool = false, s1: bool = false, s2: bool = false
, chan pc0,pc1,pc2: void
, p0,p1,p2: real
:: G2(pc0,p0)
|| C2(v1,s1,pc0,pc1) || V2(x1,v1,s0,s1,p0,p1)
|| C2(v2,s2,pc1,pc2) || V2(x2,v2,s1,s2,p1,p2)
|| Cend(pc2)
|| Vend2(s2,p2)
]|
pc1
C2
pc2
C2
Cend
pc0
v0
s0
G
s0
s1
v1
s1
p0
V2
p1
V2
p2
Vend
Figure 5.16: Iconic model for process per belt with improved belt model.
Now the system is again simulated for different initial conditions. Figures 5.17 and 5.18 show
simulation results for conveyors that are initially empty for and conveyors where the initial
positions of the boxes are 4,3, respectively. Figure 5.19 zooms in on the same area that had
incorrect behavior in model C2V1. Now it can be seen that even though the box goes beyond
position 6, the model works properly because box enters the next belt taking in to account that
difference.
Local position variable declarations
The same system can be modeled using local variable declarations for the positions of the boxes.
This leads to the following model:
model CVlocal() =
|[ var v1: nat = 0, v2: nat = 0
, s0: bool = false, s1: bool = false, s2: bool = false
5.3. Conveyor system
57
C2V2(-(1), -(1))
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
25
30
6
5
4
3
2
1
0
-1
x1(time)
v1(time)
s1(time)
0
5
10
15
20
25
30
Figure 5.17: Conveyors initially empty.
C2V2(4, 3)
6
5
4
3
2
1
0
-1
x2(time)
v2(time)
s2(time)
0
5
10
15
20
x1(time)
v1(time)
s1(time)
6
5
4
3
2
1
0
-1
0
5
10
15
20
Figure 5.18: Conveyors with boxes initially present.
58
Chapter 5. Examples
C2V2(4, 3)
C2V2(4, 3)
6.5
x1(time)
v1(time)
s1(time)
6
5.5
2.5
x2(time)
v2(time)
s2(time)
2
1.5
5
1
4.5
0.5
4
0
0
1
2
3
4
5
0
1
2
3
4
5
Figure 5.19: Conveyors with boxes initially present.
, chan pc0,pc1,pc2: void
, p0,p1,p2: void
:: G(pc0,p0)
|| C1(v1,s1,pc0,pc1) || Vlocal(v1,s0,s1,p0,p1)
|| C1(v2,s2,pc1,pc2) || Vlocal(v2,s1,s2,p1,p2)
|| Cend(pc2)
|| Vlocalend(s2,p2)
]|
The only changes are the process definitions that model the conveyor belts. The initialization
of the boxes has been omitted for the sake of clarity:
proc Vlocal(var v: nat, var sprev: bool, s: bool, chan pin?,pout!: void) =
|[ *( pin?
; |[ cont x: real = 0.0
:: ( eqn dot x = v*1.0 | x >= 3 -> sprev:= false )
; ( eqn dot x = v*1.0 | x >= 5 -> s:= true )
; ( eqn dot x = v*1.0 | x >= 6 -> pout!! )
]|
)
]|
proc Vlocalend(var sprev: bool, chan pin?: void) =
|[ *( pin?
; |[ cont x: real = 0.0
:: ( eqn dot x = 1 | x >= 3 -> sprev:= false )
]|
)
]|
5.3.2
A process for each box
Another way of modeling the conveyor belts with boxes is to define a process for each box,
instead of a process for each conveyor.
5.3. Conveyor system
59
Discrete variables for sensors
In Figure 5.20 the iconic model for the process per box approach is given. In this figure, lines
with a small circle at one end and a arrowhead at the other end, represent a shared variable as
well as directed communication. The iconic model leads to the following model in χ :
model CBmode(val xini,yini,zini: real) =
|[ cont x: real = xini, y: real = yini, z: real = zini
, var v1: nat = 0, v2: nat = 0
, s1: bool = false, s2: bool = false
, chan pc0,pc1,pc2: void
, p0,p1,p2: real
:: G(x,y,z,pc0,p0,p1,p2)
|| C(v1,s1,pc0,pc1)
|| C(v2,s2,pc1,pc2)
|| Cend(pc2)
|| BoxMode(x,v1,v2,s1,s2,p0)
|| BoxMode(y,v1,v2,s1,s2,p1)
|| BoxMode(z,v1,v2,s1,s2,p2)
]|
proc G(cont x,y,z: real, chan pc!: void, p0,p1,p2!: real) =
|[ var i: nat = 0
// assume that if trays are initially present, x >= y >= z holds
:: ( x = -1
-> i:= 0 // all empty
| x /= -1 and y = -1
-> i:= 1 // tray in x
| x /= -1 and y /= -1 and z = -1 -> i:= 2 // trays in x,y
| x /= -1 and y /= -1 and z /= -1 -> i:= 0 // trays in x,y,z
)
; *( pc!; delay 1.0
; ( i = 0 -> p0!!0.0
| i = 1 -> p1!!0.0
| i = 2 -> p2!!0.0
)
; i:= (i + 1) mod 3
)
]|
The model of the conveyor control process has been changed to allow a new box to enter a
conveyor as soon as the current box on the conveyor has started to leave the conveyor:
proc C(var v: nat, var s: bool, chan pcin?,pcout!: void) =
|[ mode emptyon = ( ( pcin?
| delay 5.0; v:= 0; pcin?; v:= 1
)
; entering
)
60
Chapter 5. Examples
C
pc1
C
pc1
CE
pc0
v1 , s1
v2 , s2
v1 , s1
v2 , s2
G
x, p0
v2 , s2
BM
v1 , s1
BM
BM
y, p1
z, p2
Figure 5.20: Iconic model of the conveyor system for process per box.
, mode entering = ( s -> skip; atsensor)
, mode atsensor = ( pcout!; leaving
| delay 0.2; v:= 0; pcout!; v:= 1; leaving
)
, mode leaving = ( not s -> skip; emptyon
| pcin?; leaving_entering
)
, mode leaving_entering = ( not s -> skip; entering )
:: v:= 1
; ( s -> skip; atsensor
| delay 3.0; emptyon
)
]|
proc Cend(chan pc?: void) =
|[ * pc? ]|
The initial value for the position of a box x must be in the interval: 3 ≤ x ≤ 6, or 9 ≤ x ≤ 12,
or 15 ≤ x ≤ 18, because the controller cannot deal with an initial tray that activates a previous
sensor. This is, however, not checked.
proc BoxMode(cont
|[ eqn dot x = (
|
|
x: real, var v1,v2: nat, s1,s2: bool, chan pin?: real) =
x < -0.1 -> 0
-0.1 <= x and x < (6+2) -> v1
(6+2) <= x and x < (12+2) -> v2
5.3. Conveyor system
61
| x >= (12+2) -> 1
)
|| |[ mode none = ( pin?x; pre1 )
, pre1 = ( x >= (6-1) -> s1:= true; on1 )
, on1
= ( x >= (6+3) -> s1:= false; post1 )
, post1 = ( x >= (12-1) -> s2:= true; on2 )
, on2
= ( x >= (12+3) -> s2:= false; post2 )
, post2 = ( x >= (12+4) -> x:= -1.0; none )
:: ( x = -1
-> skip; none
| 0 <= x and x < (6-1)
-> skip; pre1
| (6-1) <= x and x < (6+3)
-> s1:= true; on1
| (6+3) <= x and x < (12-1) -> skip; post1
| (12-1) <= x and x < (12+3) -> s2:= true; on2
| (12+3) <= x
-> skip; post2
)
]|
]|
Figures 5.21 and 5.22 shows simulation results for conveyors that are initially empty and conveyors with boxes on positions 4 and 3, respectively. Recall that for the process per belt, the
latter initialization gave a deadlock in the model. The process per box approach clearly does
not have this problem.
Algebraic variables for sensors
Using algebraic variables for the sensors simplifies the process definitions for the boxes. The
equations defining the values of the sensors are now defined at the model level:
model CBalg(val xini,yini,zini: real) =
|[ cont x: real = xini, y: real = yini, z: real = zini
, var v1: nat = 0, v2: nat = 0
, alg s1,s2: bool
, chan pc0,pc1,pc2: void
, p0,p1,p2: real
:: eqn s1 = ((x >= 5 and x <= 9) or (y >= 5 and y <= 9) or (z >= 5 and z <= 9))
, s2 = ((x >= 11 and x <= 15) or (y >= 11 and y <= 15) or (z >= 11 and z <= 15))
|| Galg(pc0,p0,p1,p2)
|| C(v1,s1,pc0,pc1)
|| C(v2,s2,pc1,pc2)
|| Cend(pc2)
|| BoxAlg(x,v1,v2,p0)
|| BoxAlg(y,v1,v2,p1)
|| BoxAlg(z,v1,v2,p2)
]|
proc Galg(chan pc!: void, p0,p1,p2!: real) =
62
Chapter 5. Examples
CBmode(-(1), -(1), -(1))
16
14
12
10
8
6
4
2
0
x(time)
y(time)
z(time)
0
5
10
15
20
25
30
1
0.8
0.6
0.4
0.2
0
v1(time)
s1(time)
0
5
10
15
20
25
30
1
0.8
0.6
0.4
0.2
0
v2(time)
s2(time)
0
5
10
15
20
25
30
Figure 5.21: Conveyors initially empty.
|[ *( pc!; delay 1.0
; (p0!!0.0 | p1!!0.0 | p2!!0.0)
)
]|
proc BoxAlg(cont x: real, var v1,v2: nat, chan pin?: real) =
|[ mode empty =
( (eqn dot x = 0 | pin?x); tray )
, mode tray =
( eqn dot x = ( x <= 8 -> v1 | 8 < x and x <= 14 -> v2 | x > 14 -> 1 )
| x >= (2*6)+4 -> x:= -1.0; empty
)
:: ( x = -1 -> skip; empty
// assume initially x = -1 or x >= 0
| x >= 0
-> skip; tray
)
]|
The process definitions for the controllers remain unchanged.
5.3. Conveyor system
63
CBmode(9, 4, -(1))
16
14
12
10
8
6
4
2
0
x(time)
y(time)
z(time)
0
5
10
15
20
25
30
1
0.8
0.6
0.4
0.2
0
v1(time)
s1(time)
0
5
10
15
20
25
30
1
0.8
0.6
0.4
0.2
0
v2(time)
s2(time)
0
5
10
15
20
25
30
Figure 5.22: Conveyors initially full.
64
Chapter 5. Examples
Bibliography
[1] J. C. M. Baeten and C. A. Middelburg. Process Algebra with Timing. EACTS Monographs
in Theoretical Computer Science. Springer-Verlag, 2002.
[2] D. A. van Beek, S. H. F. Gordijn, and J. E. Rooda. Integrating continuous-time and discreteevent concepts in modelling and simulation of manufacturing machines. Simulation Practice and Theory, 5(7-8):653–669, 1997.
[3] D. A. van Beek, A. T. Hofkamp, M. A. Reniers, J. E. Rooda, and R. R. H. Schiffelers.
Syntax and formal semantics of Chi 2.0. SE Report 2008-01, Eindhoven University of
Technology, Systems Engineering Group, Department of Mechanical Engineering, Eindhoven, The Netherlands, 2008.
[4] D. A. van Beek, K. L. Man, M. A. Reniers, J. E. Rooda, and R. R. H. Schiffelers. Syntax and
consistent equation semantics of hybrid Chi. Journal of Logic and Algebraic Programming,
68(1-2):129–210, 2006.
[5] C. Bohn and D. P. Atherton. An analysis package comparing PID anti-windup strategies.
IEEE Control Systems, 15(2):34–40, 1995.
[6] F. Breitenecker and I. Husinsky, editors. Simulation News Europe, chapter ARGESIM
Comparisons. Number 0-40. EUROSIM, 1990-2004.
[7] K. L. Man and R. R. H. Schiffelers. Formal Specification and Analysis of Hybrid Systems.
PhD thesis, Eindhoven University of Technology, 2006.
65
