hybrid systems cif 3

8/9/2019 Hybrid Systems CIF 3

http://slidepdf.com/reader/full/hybrid-systems-cif-3 1/71

Preliminary Notes

Analysis of Hybrid Systems

D.A. van Beek and J.E. Rooda

March 23, 2010



ii



Preface

Hybrid systems are a combination of continuous-time systems, discrete-event systems and/or

discrete-time systems.In continuous-time systems, the state changes continuously. Therefore, an infinite number of

state changes are possible in any given finite time interval. Examples of such systems are

chemical systems in the process industry and mechanical systems.

In discrete-event systems, the state changes at discrete points of time; in between these time

points the state remains the same. Therefore, there can only be a finite number of changes in

a time-interval. Examples of plants that can be regarded as discrete-event systems are plants

where discrete products are transported, assembled or packaged, such as car or integrated circuit

manufacturing plants. Discrete-time systems are discrete-event systems where the state changes

at equidistant points of time. Such systems are usually the result of sampling continuous-time

systems.Examples of hybrid systems are batch processes in the process industry; factories with both

continuous and discrete process steps, such as batch production of beer that ends with the dis-

crete packing of bottles in a crate; and discrete-event scheduling or supervisory systems that are

used to control continuous or hybrid systems.

Dealing with hybrid systems requires a hybrid world view. Such a world view comprises lan-

guages, methods, techniques and tools. It can be obtained by means of the χ and CIF for-

malisms that are treated in these course notes. The formalisms are used for modeling, sim-

ulation and control of industrial systems. They integrate continuous-time and discrete-event

concepts, and enable analysis of the dynamic behavior of hybrid processes, of hybrid embed-

ded systems, as well as of complete hybrid plants. The course notes deal with the hybrid aspectsof the formalisms.

Acknowledgments

The authors would like to thank Ramon Schiffelers for participating with the authors in the

development of the (hybrid) χ and CIF languages, and for the many stimulating discussions.

They also thank Dennis Hendriks, Albert Hofkamp and Ramon for providing the χ and CIF

iii



iv Preface

simulators that are available via the Systems Engineering Wiki pages, and they thank Jasper

Fonteijn for improving the text and automating the document generation process of the lecturenotes. Finally, they would like to thank Jos Baeten, Pieter Cuijpers, and Michel Reniers from

the Computer Science Department for their contributions to the development of the χ and CIF

languages.

http://se.wtb.tue.nl/sewiki/

http://se.wtb.tue.nl/sewiki/



Contents

Preface iii

1 Overview of the syntax of the Chi language 1

1.1 Model syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.2 Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.3 Statement syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Informal semantics of the Chi language 7

2.1 Conditional expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.2 Behavior of atomic statements . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.3 Behavior of compound statements . . . . . . . . . . . . . . . . . . . . . . . . 9

2.4 Behavior of models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2.5 Process definition and instantiation . . . . . . . . . . . . . . . . . . . . . . . . 15

3 Tank level control strategies 19

3.1 The controlled tank system . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.2 Discrete-event control using repetition . . . . . . . . . . . . . . . . . . . . . . 20

3.3 Discrete-event control using recursion . . . . . . . . . . . . . . . . . . . . . . 21

3.4 P control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.5 PI control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.6 PI control with anti-windup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

v



vi Contents

4 Hybrid automata related modeling 35

4.1 Constrained pendulum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

4.2 Bottle filling line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

5 Examples 41

5.1 Dry friction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

5.2 Bottle filling system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5.3 Conveyor system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Bibliography 65



Chapter 1

Overview of the syntax of the Chi

language

1.1 Model syntax

In this section, the syntax of χ models is defined using a Backes-Naur Form (BNF) like notation.

The symbol | defines choice, notation { Z }∗ denotes a sequence of zero or more Z ’s, and notation

{ Z }0 defines Z as being optional. The syntax of a χ model is defined by the following BNF

definition for χmodel:

χmodel ::= model id ({ Dm}0) = | [ { D ::}0 p ]|

where id is an identifier that represents the name of the model, and Dm denotes the (optional)

model parameter declarations as defined below. Furthermore, D denotes the (optional) dec-

laration of variables and/or channels of the model. This type of declaration is also used to

declare the local variables and channels in scope statements. Finally, p denotes a statement,

also known as process term. The scope statement and statement p are both defined in Section

1.3. The syntax of the declarations Dm and D is:

Dm ::= val S {, S }∗ | Dm, Dm value parameter declaration D ::= chan S {, S }∗ channel declaration

| (var | cont | alg) IS {, IS }∗ variable declaration

| time = e time initialization

| init u general initialization

| mode X = p {, X = p}∗ mode declaration

| D, D

1



2 Chapter 1. Overview of the syntax of the Chi language

IS ::= id {, id }∗: t = e declaration with initialization

| S S ::= id {, id }∗: t declaration without initialization

Here, t denotes the type of a variable or channel, e denotes an expression, u denotes a pred-

icate over variables (including the variable time) and dotted (continuous) variables (deriva-

tives), and id denotes an identifier. The comma in predicate u denotes conjunction. E.g.

init u1, u2 means init u1 and u2. An executable model instantiation for a model declared

as model M (val x1: t 1, . . . , xn: t n) is obtained by M (c1, . . . , cn), where ci denotes a value

for the corresponding model parameter x i . The following items can be declared in D:

• Channels, such as in chan h: real, close: void, which declares a communicationchannel h, that communicates values of type real, and a synchronization channel close

(no data exchange).

• Discrete variables, such as in var k,n: int, v_set: real = 1.0. This declares two

uninitialized variables k,n of type int (integer), and a variable v_set with initial value

1.0. The values of discrete variables remain constant when model time progresses.

• Continuous variables, such as in cont x: real = 1.0. Continuous variables are the only

variables for which dotted variables (derivatives) can be used in models. Therefore, the

declaration cont x: real = 1.0 implies that x and its dotted version dot x (which rep-

resents ˙ x), can both be used in the model. The values of continuous variables may change

according to a continuous function of time when model time progresses. The values of

continuous variables are further restricted by equations and invariants (defined in the next

section).

• Algebraic variables, such as in alg y,z: real. These variables behave in a similar way as

continuous variables. The differences are that algebraic variables may change according to

a discontinuous function of time, and algebraic variables are not allowed to occur as dotted

variables.

• The (initial) value of the model time, such as in time = 1 (see below).

• An initialization predicate, such as init dot x = 0. This predicate can be used for initial

conditions that go beyond specification of the initial value of a variable.

• Mode declarations, such as

mode off = (V <= 8 -> n:= 1; on), mode on = (V >= 10 -> n:= 0; off).

Besides the variables mentioned in the model defined above, the existence of the predefined

reserved global variable time is assumed. This variable denotes the current model time. Its

initial value is zero, unless specified otherwise. It cannot be declared, nor can it be assigned a

value. It can only be used in expressions in statements p.



1.3. Statement syntax 3

1.2 Expressions

An expression e in χ is a combination of values, variables, operators, and mathematical or user

defined functions that that can be evaluated to a value, assuming that the values of the variables

are defined. E.g. the value of expression 2 + x is 5, assuming that the value of x is 3. Apart from

the ‘normal’ mathematical expressions, the χ language also allows conditional expressions. Let

e denote an arbitrary expression, then the syntax of conditional expressions is:

econd ::= (ec)

ec ::= u → e

| ec ‘|’ ec

The value of a conditional expression (u1 → e1 | · · · | un → en) is the value of expression ei

for which the associated guard u i is true, assuming that such a guard exists. An example of a

conditional expression is the equation eqn x = ( y < 0 → 0 | 0 ≤ y ≤ 1 → y | y > 1 → 1)

that defines the value of variable x to be equal to the value of variable y, unless the value of y

is smaller than 0 or bigger than 1, in which case saturation occurs. The meaning of conditional

expressions is more precisely defined in Section 2.1.

1.3 Statement syntax

The syntax of χ statements p, is as follows:

p ::= patom atomic statement

| p; p sequential composition statement

| p p alternative composition statement

| p p parallel composition statement

| ∗ p loop statement

| b ∗→ p while statement

| |[ D :: p ]| scope statement

| id (e) process instantiation statement

where b denotes a predicate (boolean/logical expression) over variables, D denotes a declaration

as defined in Section 1.1, and e denotes comma separated expressions e1, . . . , en (see Section

1.2).

Statements can be divided in two classes: the atomic statements patom, that represent the small-

est statement units; and the compound statements, that are constructed from one or more

(atomic) statements by means of operators. A further division of the statements is based on

the action and delay behavior of the statements. A statement executing an action, such as an

assignment, does so in zero time. The delay behavior of statements on the other hand, involves




the passing of time (see Chapter 2 for a more precise explanation). The syntax of the atomic χ

statements patom is as follows:

patom ::= pndact non-delayable action statement

| b → pndact guarded non-delayable action statement

| pdact delayable action statement

| b → pdact guarded delayable action statement

| d delay statement

| eqn u equation statement

| inv u invariant statement

| X mode statement

where d denotes an expression of type real, and X denotes an identifier. Equation statementsoccur in the form of differential algebraic equations, such as eqn ˙ x = y , y = n. Invariants

usually occur in the form of an inequality, such as inv x ≥ 1, but they may also occur as

equations.

The non-delayable action statements can only execute actions. They are defined as:

pndact ::= skip non-delayable skip statement

| x := e non-delayable (multi-)assignment statement

| h ?? x | h?? non-delayable receive statement

| h !! e | h!! non-delayable send statement

where x and e denote comma separated variables x1, . . . , xn and expressions e1, . . . , en, respec-

tively, for n ≥ 1, and h denotes a channel.

The guarded non-delayable action statement b → pndact can only delay while the value of the

guard is false. The action can, in principle, be executed when the value of the guard is true.

The delayable action statements can, in principle, execute an action or they can perform arbi-

trary delays. They are defined as:

pdact ::= [skip] delayable skip statement

| [x := e] delayable (multi-)assignment statement

| h ! e | h! delayable send statement| h ? x | h? delayable receive statement

The guarded delayable action statement b → pdact can, in principle, execute an action when the

value of the guard is true, or it can perform arbitrary delays. The delay statement d can delay

while the value of d is bigger than zero. When the value of d equals zero, the delay statement

can do an action. Finally, the equation and invariant statements eqn u and inv u can only delay;

they restricts the values (solutions) of the variables while delaying.



1.3. Statement syntax 5

The operators are listed in descending order of their binding strength as follows:

{∗, ∗→ , → }, ; , { , }.

The operators inside the braces have equal binding strength. For example, x := 1; y := x x := 2; y := 2 x means ( x := 1; y := x) ( x := 2; y := 2 x). Parentheses may be used to

group statements. To avoid confusion, parenthesis are obligatory when alternative composition

and parallel composition are used together. E.g. p q r is not allowed and should either be

written as ( p q ) r , or as p (q r ).



Chapter 2

Informal semantics of the Chi language

In this chapter, the meaning (semantics) of a χ model is informally defined in terms of delay

behavior and action behavior, based on the formal semantics as presented in [4] and [7]. Action

behavior is instantaneous: time does not progress, and the semantics defines for each variable

the relation between its value before and after the action. Delay behavior involves passing of

time, where the semantics defines for each variable how its value changes as a function of time.

Actions and delays are done by active atomic statements. Instead of the term delay, also the

term ‘time step’ is used.

Section 2.2 defines the behavior of active atomic statements in terms of execution of actions

and delays, Section 2.3 defines the behavior of compound statements in terms of the relationbetween activation, action execution, termination, and deactivation of statements, and Section

2.4 defines the behavior of models.

2.1 Conditional expressions

Let e denote an expression, and let ξ (e) denote the value of expression e, then:

ξ((u1 → e1 | · · · | u n → en)) =ξ(e1) if ξ(u1)...ξ(en) if ξ(un)

Thus, the value of the conditional expression is the value of an expression ei associated to a

condition ui that is true. It is assumed that at least one of the conditions evaluates to true:

ξ(u1) ∨ · · · ∨ ξ (un) = true. The meaning is not defined when none of the conditions evaluate

to true. In case more than one of the conditions are true, it is assumed that the values of the

associated expressions are the same. More precisely, for all conditional expressions (u1 → e1 |· · · | un → en) and for all i and j between 1 and n, we assume that if ξ (ui ∧u j ), then ξ (ei = e j ).

7



8 Chapter 2. Informal semantics of the Chi language

2.2 Behavior of atomic statements

2.2.1 Action behavior of action statements

An active multi-assignment statement xn := en for n ≥ 1 can do an unnamed action that changes

the values of the variables x1, . . . , xn in one step to the values of expressions e1, . . . , en, respec-

tively, and then terminates. For n = 1, this gives a normal assignment x := e.

An active skip statement can do an unnamed action without changing the values of the discrete

and continuous variables. Note that the purpose of the skip statement is twofold: it can be used

to model waiting for a condition b, as in b → skip, and/or it can be used to enforce a choice in

an alternative composition (see process Tank in Section 4.2).

An active send statement h !! e, h!!, h ! e, or h !, can, in principle, do a send action; and an active

receive statement h ?? e, h??, h ? x, or h?, can, in principle, do a receive action.

With respect to the action behavior, there is no difference between the delayable and nonde-

layable versions of the skip ([skip]), assignment ([x := e]), send (h ! e) and receive (h ? x)

statements, respectively.

A guarded (skip/assignment/send/receive) statement can do its corresponding action only if the

value of the guard is true.

The unnamed action is a non-synchronizing action, meaning that it always occurs by itself.

The send and receive actions are synchronizing actions: a send action can be executed only

simultaneously with a receive action on the same channel, as is explained in Section 2.3.4.

2.2.2 Delay behavior of action statements

The delay behavior of active atomic action statements is as follows:

• The non-delayable, non-guarded versions of the skip statement, assignment, and send and

receive statements can never delay.

• The guarded versions of the non-delayable atomic statements can delay for as long as the

guard remains false.

• The (possibly guarded) delayable versions of the skip statement, assignment, and send and

receive statements can always delay.

2.2.3 Behavior of the delay statement

A delay statement d behaves as a timer with an invisible local timing variable that keeps track

of the remaining time. The value of this timing variable is set to the value of expression d when

the delay statement is activated for the first time, or when it is re-activated after having been



2.3. Behavior of compound statements 9

deactivated. The behavior of the timer depends on the value of the timing variable. Assuming

the value of the timing variable to be c, then:

• For c > 0, an active delay statement can delay (do a time step) for at most c time units.

After a delay of t (t ≤ c) time units, the new value of the timing variable is set to c − t .

• For c ≤ 0, an active delay statement can do an unnamed action.

2.2.4 Behavior of the equation and invariant statement

An active equation statement eqn u or invariant statement inv u can delay, but it cannot do

actions. A equation or invariant statement can delay for as long as it has a solution. Such a

solution defines the values of the continuous and algebraic variables as a function of time for

the period of the delay. The values of the discrete variables do not change while delaying.

At each time point during the delay, an active equation / invariant must be satisfied (its value

must be true), when all variables and dotted variables in the predicate are replaced by their

current value (the value of the associated solution function at the time point).

The difference between equation statements and invariant statements is that equation statements

are assumed to always have a solution, although this is currently not checked in the simulator,

whereas for an invariant, depending on the values of the variables, there may not be a solution.

In the case that an invariant cannot be satisfied, the simulator ensures that the invariant is not

activated. In this way, invariant statements also restrict the action behavior of χ models, because

the active invariants must hold before and after each action. In fact, the active invariants and

equations of a χ model must hold at all times. This is referred to as the ‘consistent equation

semantics’.

The relation between the solution function of a continuous variable x and the solution function

of its ‘derivative’ ˙ x is given by the Caratheodory solution concept: x(t ) = x(0) + t

0 ˙ x(s)ds.

This allows a non-smooth (but continuous) function for a differential variable x in the case

that the solution function of its ‘derivative’ ˙ x is non-smooth or even discontinuous, as in, for

example, model M () = |[ cont x : real = 0.0 :: ˙ x = step(time − 1) ]|, where step( y) equals 0

for y ≤ 0 and 1 for y > 0.

2.3 Behavior of compound statements

This section defines the action behavior of compound statements. Compound statements com-

bine statements by means of operators.

The delay behavior of compound statements is not explicitly defined. It is defined implicitly,

because only active atomic statements can execute delays, and the set of active (atomic) state-

ments is defined by the action behavior of compound statements and by the action behavior of

the model (see Section 2.4); the set of active atomic statements does not change when delaying.




Actions are done by active atomic statements. Section 2.3.1 gives an overview of how oper-

ators define the relation between action execution, termination, activation and deactivation of statements. The sections thereafter define the behavior of the individual operators.

2.3.1 Overview

• Atomic statements terminate by doing an action. A statement that terminates becomes

inactive by doing so, and simultaneously may cause another statement to be activated (in

the cased of sequential composition, loop statements, while statements) and/or deactivated

(in the case of alternative composition).

• Activating a compound statement implies activating one or more of its sub-statements. E.g.

activating a sequential composition p1; . . . ; pn implies activating the first statement p1,

whereas activating a parallel composition p1 . . . pn implies activating all statements

p1 . . . pn.

• Deactivating a compound statement implies deactivating all of its sub-statements.

• Termination of a sub-statement may imply termination of its parent statement (the statement

of which it is a sub-statement). E.g. a sequential composition p1; . . . ; pn terminates upon

termination of its last sub-statement pn, whereas an alternative composition p1 . . . pn

terminates upon termination of any of its sub-statements p1, . . . , pn.

• Action execution of a sub-statement implies action execution of its parent statement. There-

fore, a compound statement executes an action if one of its sub-statements executes an

action.

2.3.2 Sequential composition

In a sequential composition p1; . . . ; pn (n ≥ 2), only one statement pi , 1 ≤ i ≤ n, can be active

at the same time.

• Activating a sequential composition p1; . . . ; pn implies activating its first statement p1.

• When statement pi (1 ≤ i ≤ n − 1) terminates (and is therefore also deactivated), the nextstatement pi+1 is activated.

• The sequential composition terminates upon termination of its last statement pn.

2.3.3 Alternative composition

• Activating p1 . . . pn (n ≥ 2) activates the statements p1, . . . , pn .




• Execution of an action by any one of the statements p1 . . . pn deactivates the other state-

ments. In this way, execution of the first action makes a choice.

• When one of the statements p1, . . . , pn terminates, the alternative composition p1 . . . pn

also terminates.

2.3.4 Parallelism

• Activating p1 . . . pn (n ≥ 2) activates the statements p1, . . . , pn.

• When a statement pi (1 ≤ i ≤ n) executes an action, the other statements remain unchanged

(active/inactive).

• The parallel composition p1 . . . pn terminates when the statements p1, . . . , pn have all

terminated.

Send and receive statements can be executed only in the context of parallel composition. Con-

sider a parallel composition p1 . . . pn (n ≥ 2). A send statement occurring in statement

pi (1 ≤ i ≤ n ) can be executed only if simultaneously a receive statement on the same chan-

nel, and occurring in another part p j (1 ≤ j ≤ n, i = j ) of the parallel composition, can be

executed. The result of the simultaneous execution of a send action and a receive action on

the same channel is a communication action. E.g. the simultaneous execution of the send and

receive action in h ! 1 h ? x leads to a communication action, the result of which is comparable

to execution of the assignment x := 1. If no data is sent via the channel (as in h! h ?), theresulting communication action is comparable to execution of skip.

Informally, we often refer to the statements p1, . . . , pn occurring in p1 . . . pn as parallel

processes. Parallel processes interact by means of shared variables or by means of synchronous

point-to-point communication or synchronization via a channel. Communication in χ is the

sending of values of one or more expressions by one parallel process via a channel to another

parallel process, where the received values are stored in variables. In case no values are sent

and received, we refer to synchronization instead of communication.

2.3.5 Loop and while statement

Loop statement ∗ p represents the infinite repetition of statement p.

• When ∗ p is activated, p is activated.

• Termination of p results in re-activation of p.

The while statement b ∗→ p can be interpreted as ‘while b do p’.

• Activation of b ∗→ p when b is true activates p (by means of an unnamed action).




• Activation of b ∗→ p when b is false, leads to termination of the while statement (by means

of an unnamed action).

The two operators can be expressed in terms of a scope statement (see Section 2.3.7) in the

following way:

∗ p |[ mode X = ( p; X ) :: X ]|b

∗→ p |[ mode X = ( u → skip; p; X

¬u → skip

)

:: X

]|In the definition of ∗ p and u

∗→ p, identifier X denotes a fresh mode variable not occurring

free in p.

2.3.6 Scope statement declaring variables or channels

The scope statement may introduce new variables and new channels. Any occurrence of a

variable or channel in p that is declared in D refers to that local variable or channel and not

to any more global declaration of the variable or channel with the same name, if such a more

global declaration should exist.

• Activation of a scope statement |[ D :: p ]|, where the local declaration part D introduces

new variables and or channels according to the specification of D in Section 1.1, performs

the variable initializations specified in D and activates statement p.

• Termination of p terminates the scope statement |[ D :: p ]|.

2.3.7 Recursion

Recursion refers to the use of modes in one of the following ways:

• Modes can be declared in the declaration part D of a model. E.g.

model M () = |[ mode X 1 = ( p1), . . . , mode X n = ( pn) :: pn+1 ]|

Here, X 1 . . . X n are identifiers representing different modes, and p1 . . . pn+1 represent state-

ments.

• Modes can be declared using the scope statement. For this purpose, the scope statement is

of the form |[mode X 1 = ( p1) , . . . ,mode X n = ( pn) :: pn+1 ]|. This type of scope statement

is referred to as ‘mode scope statement’.




• Execution of a mode is modeled by means of the mode statement X .

The formal semantics of the scope statement and the mode statement is defined in [3]. Below,

we informally define the semantics of the mode scope statement and the mode statement for a

subset of the Chi language. The subset is defined by means of three restrictions on the use of

the mode scope statement and the mode statement:

• If a mode statement X occurs in a sequential composition, it occurs at the end. This use of

modes is known as tail recursion.

• Mode scope statements and models that declare modes in the declaration part of the model

are ‘complete’. This means that in a mode scope statement, or model statement, of the form

|[ mode X

1 = ( p

1) , . . . , mode X

n = ( p

n) ::

pn+1 ]|

,

or

model M () = |[ mode X 1 = ( p1) , . . . , mode X n = ( pn) :: pn+1 ]|,respectively, all occurrences of free (unbound) mode identifiers (statements) X i in p j (1 ≤i ≤ n , 1 ≤ j ≤ n + 1) must be defined in the mode scope statement, or model, respectively.

Formally: freerecvar( p j ) ⊆ { X 1 , . . . , X n} for each 1 ≤ j ≤ n + 1, where freerecvar( p j ) is

a function that returns the set of free (unbound) occurrences of mode identifiers in p j .

• Mode statement do not occur in a parallel composition with other statements. Mode scope

statements are allowed to occur in a parallel composition.

These restrictions ensure that termination of any of the statements pi also terminates the scope

operator itself.

Although mode statements cannot be placed in parallel directly, two mode scope statements can

occur in parallel, as in:

|[ mode X 1 = ( p1) :: X 1 ]| |[ mode X 2 = ( p2) :: X 2 ]|,

where the two mode identifiers X 1 and X 2 can of course have the same name, without changing

the meaning of the model.

The meaning of a mode scope statement

|[ mode X 1

= ( p1), . . . , mode X n

= ( pn)

:: pn

+1

]|satisfying the restrictions defined above, is as follows:

• Activating the mode scope statement activates the statement pn+1.

• When a mode statement X i , occurring at the end of a statement p j (1 ≤ j ≤ n + 1), is acti-

vated (or deactivated), its corresponding statement pi is activated (or deactivated) instead.

• When a statement p j (1 ≤ j ≤ n + 1) terminates, the mode scope statement terminates.

The meaning of a model M () = |[ mode X 1 = ( p1), . . . , mode X n = ( pn) :: pn+1 ]| is defined

likewise.




2.4 Behavior of models

Execution of a χ model M , defined as model M ( D0) = |[ D1 :: p0 ]|, takes place by first

initializing the model, followed by executing a sequence of actions and delays, as defined in

the following sections.

2.4.1 Initialization

Initialization of the model can be defined as a separate step, that does not involve actions, nor

delays:

• All initialization expressions of the variables declared in D1 are evaluated, and the corre-sponding variables are initialized.

• Statement p0 is activated.

• The variables that are not initialized in D1, including the dotted continuous variables, are

initialized in such a way that the initialization predicate (predicate u of init u , if present) in

D1 holds, and all active equations and all active invariants hold (if statement eqn u is active,

u holds, and likewise for inv u ).

If such an initial solution does not exist, the model has no behavior. If multiple initial solutions

exist, the model may start in any of the allowed initial solutions (nondeterminism).

2.4.2 Action execution

• The model can execute an unnamed action if an active atomic statement can execute an

unnamed action, and the new set of active equations and invariants (after execution of the

action) can be satisfied as follows:

In a skip statement, the values of the discrete and continuous variables remain unchanged,

and the values of the algebraic and dotted variables are changed such that the new set of

active equations and invariants is satisfied.

In an assignment statement x := e, the values of the variables that occur in x change to thevalue of e. The values of the other discrete and continuous variables remain unchanged.

The values of the other algebraic and dotted variables are changed such that the new set of

active equations and invariants is satisfied.

• The model can execute a communication action if a pair of an active send statement and

active receive statement, that are placed in parallel, can execute a communication action.

After execution of the communication action, the new set of equations and invariants is

satisfied as follows: for h! h ?, the new values of the variables are defined in a similar

way as specified for the skip statement; and for h ! e h ? x, the new values of the variables



2.5. Process definition and instantiation 15

are defined in a similar way as specified for the assignment statement x := e. For reasons

of simplicity, we assume that the new set of active equations and invariants can always besatisfied after a communication action.

2.4.3 Delaying

The model can execute a delay when the following requirements are met:

• All active statements can simultaneously execute the same delay. Note that the set of all

active equations and invariants can delay for as long as they have a solution.

• No communication action is possible at the start of the delay and during the delay. A

communication action may become possible at the end point (last time point) of the delay

(due to the fact that the values of the guards of send or receive statements may become true

while delaying). Communication should not be possible while delaying because, by default,

channels in χ are urgent: communication cannot be postponed by delaying.

2.4.4 Nondeterminism

When different actions and/or delays are possible, any of these can be chosen. This is referred to

as nondeterministic choice. Note that delays may always be shorter than the maximum possible

length.

In models of physical systems, the delay behavior of the continuous and algebraic variables is

usually uniquely determined: there is usually only one solution of the set of active differential

algebraic equations. Multiple delays / solutions can be caused by under-specified systems of

equations, where there are less equations than variables, or by equations or invariants that allow

multiple solutions, such as inv ˙ x ≥ 1, inv true or eqn ˙ x ∈ [0, 1].

2.5 Process definition and instantiation

To simplify the explanation, process instantiation id (e) is rewritten in a more specific form

id (xn, zm, hl , ek ), where id denotes a process name, xn denotes the continuous variables x1, . . . , xn, zm denotes the algebraic variables z 1, . . . , zm, hl denotes the channels h1, . . . , hl ,

and ek denotes the expressions e1, . . . , ek . Process instantiation enables (re)-use of a process

definition. A process definition is specified once, but it can be instantiated many times, usually

with different parameters.

The meaning of process instantiation

id (xn, zm, hl , ek )




with corresponding process definition

proc id (cont xn : tc , alg z

m : ta , chan hl{!|?}0 : th , val vk : tv) = |[ D :: p ]|

is obtained by the syntactical substitution of the process instantiation by

|[ var vk : tv = wk , D :: p ]| [xn, zm , hl , ek /xn, z

m , hm, wk ],

where notation t... denotes a data type, and hl{!|?}0 denotes the channels h

1{!|?}0, . . . , hl{!|?}0,

where each channel is optionally postfixed with ! or ?. The meaning of h ! or h ? in the formal

parameter list is that the use of channel h in p is limited to sending (h!.. or h !!..) or receiving

(h?.. or h ??..), respectively. Notation r [b1, . . . , bi /a1, . . . , ai

] denotes the statement obtained

from r by syntactic substitution of the free occurrences of the variables/channels a1, . . . , ai in

r by b1, . . . , bi , respectively. Free variables (or channels) in p are variables (or channels) that

are not defined in D or in declaration parts of scope operators occurring in p.

The substitution replaces the process instantiation id (xn, zm , hl , ek ) by the process body |[ D :: p ]|, whereafter the value parameters vk are added to the local declarations D as discrete vari-

ables that are initialized to the values of the new variables wk . Finally, the (free) variables

xn, z

m , wk and the (free) channels hm occurring in the body are substituted by xn, zm , ek , hl ,

respectively.

The substitution is defined in such a way that no variables from xn , zm or ek , and no channels

from hl become bound. This is the case if the variables xn, zm , the variables occurring in ek ,

and the channels hl are all different from the local variables and channels defined in D and

different from vk . If substitution would cause new bindings, the local variable or local channel

that a variable or channel from xn, zm, ek , or hl would become bound to, is renamed into a fresh

variable or fresh channel before the substitution takes place.

The substitution declares the value parameters vk as local discrete variables with initial values

ev. By convention, however, process term p normally does not change the values of these

variables. In Section 4.2.1, substitution of process instantiations is illustrated by means of an

example.

The substitution is illustrated using a model of a system that consists of two tanks. Each tank is

filled by means of an incoming flow, and emptied by means of an outgoing flow. The outflow

Qout of the first tank is connected to the inflow Qin of the second tank. The volume of each

tank is specified by continuous variable V, and its initial volume is given by parameter V0:

proc T(alg Qin,Qout: real, val V0: real) =

|[ cont V: real = V0

:: eqn dot V = Qin - Qout

]|

model TwoT() =



2.5. Process definition and instantiation 17

|[ alg Q0,Q1,Q2: real

:: T(Q0,Q1,2.0)|| T(Q1,Q2,3.0)

|| eqn Q0 = 1.0

, Q1 = 1.0

, Q2 = 1.0

]|

The meaning of this model is obtained by substituting the two process instantiations by their

bodies as defined above. This leads to the model:

model TwoT() =

|[ alg Q0,Q1,Q2:real

:: |[ var V0: real = 2.0

, cont V: real = V0

:: eqn dot V = Q0 - Q1

]|

|| |[ var V0:real = 3.0

, cont V:real = V0

:: eqn dot V = Q1 - Q2

]|

|| eqn Q0 = 1.0

, Q1 = 1.0

, Q2 = 1.0

]|

Adding a controller that pumps the contents of the first tank into the second tank leads to the

following model, where process PC models the pump and the controller. The pump is switched

off when the first tank is empty or when the second tank is full (V2 = 1.0), whatever comes

first:

proc T(cont V:real, alg Qin,Qout:real) =

|[ eqn dot V = Qin - Qout ]|

proc PC(cont V1,V2: real, alg Q: real, val Qset: real) =

|[ var n: nat = 0:: n:= 1; ( V1 <= 0 -> n:= 0

| V2 >= 1 -> n:= 0

)

|| eqn Q = n*Qset

]|

model TwoT2() =

|[ cont V1:real = 2.0

, V2:real = 3.0

, alg Q0,Q1,Q2:real




:: T(V1,Q0,Q1)

|| T(V2,Q1,Q2)|| PC(V1,V2,Q1,0.5)

|| eqn Q0 = 0.0

, Q2 = 0.0

]|

The meaning of this model is again obtained by substitution of the process instantiations by

their bodies and subsequent rewriting, which leads to the model:

model TwoT2() =

|[ cont V1: real = 2.0

, V2: real = 3.0, alg Q0,Q1,Q2: real

:: |[ eqn dot V1 = Q0 - Q1 ]|

|| |[ eqn dot V2 = Q1 - Q2 ]|

|| |[ var Qset: real = 0.5

, n: nat = 0

:: n:= 1; ( V1 <= 0 -> n:= 0

| V2 >= 1 -> n:= 0

)

|| eqn Q1 = n*Qset

]|

|| eqn Q0 = 0.0

, Q2 = 0.0

]|



Chapter 3

Tank level control strategies

In this chapter, the χ language is used for specification and analysis of different control strate-

gies for a nonlinear tank system.

3.1 The controlled tank system

The controlled nonlinear tank system is shown in Figure 3.1. The control system LC tries to

keep the level in the tank close to a set point h set. There is a continuous flow Qout out of the

vessel. The value of this flow depends on the height of the liquid in the vessel. The controllercontrols the level of the tank by adjusting the position of the valve, thus controlling the incoming

flow Qin. In the discrete-event controller of the next section the valve can only be switched on

and off. In the continuous and discrete-time controllers of subsequent sections the position of

the valve can be adjusted linearly between 1 (fully open) and 0 (closed).

The tank equations of a tank with no incoming flow, and outgoing flow Q , are derived by means

of the formula psource =

ploss

which are assumed to satisfy

ρgh = K L Q2

Qi

Qo

LCh

Figure 3.1: The controlled tank system.

19



20 Chapter 3. Tank level control strategies

0

0.2

0.4

0.6

0.8

1

1.2

0 5 10 15 20 25

DE1()

h(time)Qi(time)

Figure 3.2: Discrete-event on/off control.

where K L is the loss factor. This can be rewritten as

Q =

ρgh

K L= k

√ h

3.2 Discrete-event control using repetition

The first controller is a discrete-event controller that keeps the liquid between between two

levels: 0.8 and 1.0. The valve is modeled by the discrete variable n. When the liquid in the

tank drops below 0.8, the valve is opened (n:= 1). When the liquid in the tank rises above 1.0,

the valve is closed (n:= 0). The incoming and outgoing flows are modeled by the algebraic

variables Qi and Qo, respectively. Initially, the volume in the tank equals 0.1, and the valve

is closed (n = 0). Figure 3.2 shows the results of a simulation run. In the model DE1 below,

sqrt(h) represents√

h.

from standardlib import *

model DE1() =

|[ cont h: real = 0.1

, alg Qi,Qo: real

, var n : nat = 0

, A : real = 10.0

, k : real = 0.5

, Qmax : real = 1.2

:: eqn dot h = (Qi - Qo) / A

, Qo = k * sqrt(h)



3.3. Discrete-event control using recursion 21

, Qi = n * Qmax

|| *( h <= 0.8 -> n:= 1; h >= 1.0 -> n:= 0 )]|

Eliminating the parameters A,k and Qmax, and using the volume V instead of the height h, leads

to the model:

model DE2() =

|[ cont V: real = 1.0

, alg Qi,Qo: real

, var n : nat = 0

:: eqn dot V = Qi - Qo

, Qo = 0.5 * sqrt(V/10), Qi = n * 1.2

|| *( V <= 8 -> n:= 1; V >= 10 -> n:= 0 )

]|

The controller *(V <= 8 -> n:= 1; V >= 10 -> n:= 0) is correct only for initial condi-

tions satisfying V < = 8 or n = 0. A controller that is correct for all initial conditions is:

* ( n = 0 a n d V < = 8 - > n : = 1

| n = 1 a n d V > = 1 0 - > n : = 0

)

3.3 Discrete-event control using recursion

The discrete-event controller

*( V <= 8 -> n:= 1; V >= 10 -> n:= 0 )

can be replaced by the following equivalent controller using a recursion definition:

|[ mode X = (V <= 8 -> n:= 1; V >= 10 -> n:= 0; X )

:: X]|

This recursion definition can be replaced by two definitions, such that the two modes on (valve

is opened) and off (valve is closed) can be distinguished:

|[ mode off = ( V <= 8 -> n:= 1; on )

, o n = ( V > = 10 - > n:= 0 ; off )

:: off

]|




A controller using modes that is correct for all initial conditions is:

|[ mode off = ( V <= 8 -> n:= 1; on )

, o n = ( V > = 10 - > n:= 0 ; off )

:: n = 0 -> skip; off | n = 1 -> skip; on

]|

Recall from Section 2.1 that a condition ui associated with an expression e1. Since a mode

statement is no expression, they have to be preceded with an arbitrary expression. A simplified

controller that is also correct for all initial conditions is:

|[ mode off = ( V <= 8 -> n:= 1; on )

, o n = ( V > = 10 - > n:= 0 ; off ):: off | on

]|

In this case, initially, both modes are activated. This means that initially, both modes off and

on are activated. If both guards are false, then the two initial statements of the modes V <= 8

-> n:= 1 and V >= 10 -> n:= 0 can both delay. When one of the two guard is, or becomes,

true, delaying is no longer possible. After executing the action (n:=1 or n:= 0), the other mode

is disabled, so that subsequently, only one mode is enabled. The complete model is:

model DE3() =|[ cont V: real = 1.0

, alg Qi,Qo: real

, var n : nat = 0

:: eqn dot V = Qi - Qo

, Qo = 0.5 * sqrt(V/10)

, Qi = n * 1.2

|| |[ mode o ff = ( V < = 8 -> n:= 1; on )

, o n = ( V > = 10 - > n:= 0 ; off )

:: off | on

]|

]|

The initial position of the valve is defined by the initial value of variable n.

If the controller does not need to be separated from the physical system, the variable n can be

eliminated by integrating the incoming flow into the control specification. This leads to the

model:

model DE4() =

|[ cont V: real = 1.0



3.4. P control 23

, alg Qi,Qo: real

:: eqn dot V = Qi - Qo, Qo = 0.5 * sqrt(V/10)

|| |[ mode off = ( eqn Qi = 0

| V <= 8 -> skip; on

)

, on = ( e qn Qi = 1 .2

| V >= 10 -> skip; off

)

:: off

]|

]|

Here, the initial position of the valve is defined by the initial mode, which is off in the model

DE4(). The model is correct for all initial values of V.

3.4 P control

In this example, the on/off valve used in the previous section is replaced by a valve that can be

adjusted linearly between fully open and closed. The control input of the valve is represented

by variable u; the output of the valve is the flow Qi.

The valve is modeled by means of an equation and a conditional expression:

eqn Qi = ( u < 0 -> 0

| 0 < = u a n d u < = 1 - > u * Q m a x

| u > 1 -> Qmax

)

It is assumed that the valve operates in its linear mode for 0 ≤ u ≤ 1. If the valve is fully opened

(u ≥ 1), the input flow equals Qmax. If u becomes negative, the flow becomes zero.

3.4.1 Continuous-time control

The input variable u of the valve is adjusted by the continuous-time proportional controller,

which consists of (algebraic) equations only. The error is the difference between the required

level hset and the actual level h. The control output u is obtained by multiplying the error by

constant Kp. The χ model of the tank system with a continuous-time proportional controller

follows below (model P_C).




_ )

0

0.2

0.4

0.6

0.8

1

1.2

0 5 10 15 20

Qi(time)Qo(time)

h(time)e(time)

Qtot(time)

0

2

4

6

8

10

12

14

16

18

0 5 10 15 20

u(time)

Figure 3.3: Continuous-time P control (Kp = 20).

model P_C(val Kp: real) =


, alg Qi,Qo: real

, e,u: real

, var hset: real = 1.0

, alg Qtot: real

:: Tank(h,Qi,Qo,u)

|| eqn e = hset - h

, u = Kp * e

|| eqn Qtot = Qi - Qo

]|

where process Tank is defined as:

proc Tank(cont h: real, alg Qi,Qo,u: real) =



3.4. P control 25

|[ var A : real = 10.0

, k : real = 0.5, Qmax: real = 1.2


, Qo = k * sqrt(h)

, Qi = ( u < 0 -> 0.0

| u > = 0 a n d u < = 1 - > u * Q m a x

| u > 1 -> Qmax

)

]|

The results of the simulation run are shown in Figure 3.3, at the top of the figure the model

name can be found along with the parameter value. The ASCII data output of the simulator(not shown here) shows that the final error hset - h approaches 0.025, which corresponds

to the theoretical expectations. In this proportional controller, the minimum error is directly

proportional to the required inflow Q i. In the linear mode of the valve, Q i = u Qmax. Combined

with u = K pe, this leads to e = Qi

K p Qmax. The minimum value of Qi is obtained in steady state

conditions when the derivative h (h’ in the model) equals zero, so that Qi = Qo. Figure 3.3

shows that after 20 time units, the value of h does not noticeably increase anymore, so that

steady state conditions can indeed be assumed. Since the error is very small under steady state

conditions, Qo = k √

h ≈ k √

hset = 0.5, leading to e = Qi

K p Qmax≈

0.520·1 = 0.025.

Hybrid valve model

A alternative model for the valve can be obtained by defining three modes of operation for the

valve in a mode scope statement, and switching between these modes by means of actions:

|[ mode low = ( eqn Qi = 0 | u >= 0 -> skip; lin )

, mode lin = ( eqn Qi = u * Qmax

| u > 1 -> skip; high

| u < 0 -> skip; low

)

, mode high = ( eqn Qi = Qmax | u <= 1 -> skip; lin ):: lin

]|

Initially, mode lin is activated. If, initially, this mode does not correspond to the value of the

input u (u > 1 or u < 0), then one of the statements u > 1 -> skip or u < 0 -> skip will

have a guard that is true. In such a case, delaying will be impossible, and the model will switch

to the correct mode by means of an action. The complete model is given below.




proc TankModes(cont h: real, alg Qi,Qo,u: real) =

|[ var A : real = 10.0, k : real = 0.5

, Qmax: real = 1.2


, Qo = k * sqrt(h)

|| |[ mode low = ( eqn Qi = 0 | u >= 0 -> skip; lin )

, l in = ( eqn Q i = u * Qmax

| u > 1 -> skip; high

| u < 0 -> skip; low

)

, high = ( eqn Qi = Qmax | u <= 1 -> skip; lin )

:: lin]|

]|

model P_C_M(val Kp,hini: real) =

|[ cont h: real = hini

, alg Qi,Qo: real

, e,u: real


:: TankModes(h,Qi,Qo,u)

|| eqn e = hset - h

, u = Kp * e]|

There is no visible difference between the graphical output of the simulation of this model,

when started from the initial height hini=0.1, and the simulation results as shown in Figure

3.3. The model starts by executing an action at time 0 (switching to mode high), followed

by a delay until time point 10.12, where an action is executed that switches the mode to lin,

followed by a delay until time 20.

3.4.2 Discrete-time control

For comparison we replace the continuous-time controller by a discrete-time controller, leading

to the model P_DT. It is a discrete-time controller, because it takes a sample of the level of the

liquid every ts seconds. In the repetition of the discrete-time controller, the error e (e:= hset

- h) and the control output u (u:= Kp * e) are calculated first. After this, the sampler waits

for ts seconds. Since the assignments are non-delayable, the model can do time steps only

when the delay statement delay ts is active. Therefore, the samples are spaced at exactly ts

seconds.

Figure 3.4 shows the simulation results, which are similar to the results shown in Figure 3.3.

The graph clearly shows that the control output stays constant in a sample period.



3.4. P control 27

_ , . )

0

0.2

0.4

0.6

0.8

1

1.2

0 5 10 15 20

Qi(time)Qo(time)

h(time)e(time)

Qtot(time)

0

2

4

6

8

10

12

14

16

18

0 5 10 15 20

u(time)

Figure 3.4: Discrete-time P control (Kp = 20, ts = 0.5).

model P_DT(val Kp,ts: real) =


, alg Qi,Qo: real


, e: real

, u: real = 0.0

, alg Qtot: real

:: Tank(h,Qi,Qo,u)

|| *( e := hset - h

; u : = K p * e

; delay ts

)

|| eqn Qtot = Qi - Qo

]|




_ , )

0

0.2

0.4

0.6

0.8

1

1.2

0 10 20 30 40 50 60

Qi(time)Qo(time)

h(time)Qtot(time)

0

2

4

6

8

10

12

14

16

18

0 10 20 30 40 50 60

u(time)Kp_e(time)Ki_Ie(time)

Figure 3.5: Continuous PI control (Kp = 20, Ki = 2).

3.5 PI control

3.5.1 Continuous-time control

To eliminate the final error of the proportional controller, an integral action is introduced in

model PI_CD. The integral term is represented by the variable Ie. This integral action isswitched on after 20 time units for comparison. The result of the simulation run is shown

in Figures 3.5 and 3.6. The figures clearly shows that the final error e now approaches zero as

a result of the integral action.

model PI_CD(val Kp,Ki: real) =

|[ cont h: real = 0.1, Ie: real = 0.0

, alg Qi,Qo: real

, e,u: real




3.5. PI control 29

0

0.2

0.4

0.6

0.8

1

0 10 20 30 40 50 60

PI_CD(20, 2)



, b: bool = false

, alg Qtot,Kp_e,Ki_Ie: real

:: Tank(h,Qi,Qo,u)

|| eqn e = hset - h

, dot Ie = (not b -> 0.0 | b -> e)

, u = Kp * e + Ki * Ie

|| delay 20; b:= true

|| e qn K p_e = K p * e, Ki_Ie = Ki * Ie

, Qtot = Qi - Qo

]|

In the model PI_C, shown below, the integral action is active from the start. Figures 3.7 and 3.8

show that this leads to a considerable overshoot initially, and the settling time becomes much

longer. This integrator windup is caused by the fact that initially the output saturates: no matter

how big the value of u, the incoming flow cannot be bigger than Qmax. This causes the error to

stay big for a long time. The integrator initially integrates this big error, leading to overshoot.

model PI_C(val Kp,Ki: real) =

|[ cont h: real = 0.1, Ie: real = 0.0


, alg Qi,Qo: real

, e,u: real


:: Tank(h,Qi,Qo,u)

|| eqn e = hset - h

, d o t I e = e




_ , )

-0.2

0

0.2

0.4

0.6

0.8

1

1.2

1.4

0 20 40 60 80 100

Qi(time)Qo(time)

h(time)Qtot(time)

-5

0

5

10

15

0 20 40 60 80 100



, u = Kp * e + Ki * Ie

|| e qn K p_e = K p * e

, Ki_Ie = Ki * Ie

, Qtot = Qi - Qo

]|

3.5.2 Discrete-time control

For the discrete-time version of the controller PI_CD, the integral of the error Ie is calculated

by cumulative addition of the product of the error and the sample time. Figure 3.9 shows the

simulation results.

model PI_DT(val Kp,Ki,ts: real) =



3.6. PI control with anti-windup 31

-1

-0.5

0

0.5

1

1.5

2

0 20 40 60 80 100

PI_C(20, 2)




, alg Qi,Qo: real


, e: real = 0.0

, Ie: real = 0.0

, u: real = 0.0


:: Tank(h,Qi,Qo,u)|| *( e := hset - h

; I e : = I e + e * t s

; u : = K p * e + K i * I e

; delay ts

)

|| e qn K p_e = K p * e

, Ki_Ie = Ki * Ie

, Qtot = Qi - Qo

]|

3.6 PI control with anti-windup

Several anti-windup strategies are treated in the literature (e.g. [5]). Here we use a strategy for

discrete-time controllers. The process PIA_DT with anti-windup is shown below. The amount

of saturation of the output (u − 1 for u > 1, and u for u < 0) is subtracted from the integral term

Ie in order to reduce the saturation effect. This may initially lead to negative values of Ie, as

is shown in Figures 3.10 and 3.11. After 25 time units, the value of the error e (hset − h) is

smaller than 0.0001.




_ , , . )

-0.5

0

0.5

1

0 10 20 30 40 50

Qi(time)Qo(time)

h(time)Qtot(time)

-5

0

5

10

15

20

0 10 20 30 40 50


Figure 3.9: Discrete-time PI control (Kp = 20, Ki = 2, ts = 0.5).

model PIA_DT(val Kp,Ki,ts: real) =


, alg Qi,Qo: real

, var e: real = 0.0

, hset: real = 1.0

, Ie: real = 0.0

, u: real = 0.0

, alg Kp_e: real, var Ie0: real

:: Tank(h,Qi,Qo,u)

|| *( e := hset - h

; Ie:= Ie + Ki * e * ts; Ie0:= Ie

; u : = K p * e + I e

; ( u < 0.0 -> Ie:= Ie - u

| 0.0 <= u and u <= 1.0 -> skip

| u > 1.0 -> Ie:= Ie - (u - 1)



3.6. PI control with anti-windup 33

_ , , )

0

0.2

0.4

0.6

0.8

1

1.2

0 5 10 15 20 25

Qi(time)Qo(time)

h(time)e(time)

-5

0

5

10

0 5 10 15 20 25

u(time)Kp_e(time)

Ie0(time)Ie(time)

Figure 3.10: Discrete-time PI control with anti-windup (Kp = 10, Ki = 5, ts = 1).

)

; delay ts

)

|| eqn Kp_e = Kp * e

]|




-2

-1.5

-1

-0.5

0

0.5

1

1.5

2

0 5 10 15 20 25

PIA_DT(10, 5, 1)

u(time)Kp_e(time)

Ie0(time)Ie(time)

Figure 3.11: Discrete-time PI control with anti-windup (Kp = 10, Ki = 5, ts = 1).



Chapter 4

Hybrid automata related modeling

4.1 Constrained pendulum

Figure 4.1 shows a constrained pendulum that is also defined in [6]. The equations of motion

of this pendulum are given by Equation 4.1. The angle between the pendulum and the vertical

is denoted by θ , ω denotes the angular velocity of the pendulum, and l denotes the distance

between the rotation point and the mass.

θ = ω

ml ω = −mg sin(θ) − dlω(4.1)

P

m m

L

Lp

P

OO

θ p

θ

−θ

θ p

Ls = L − L p

Lp

Figure 4.1: Constrained Pendulum.

The mass and maximum length of the pendulum are represented by m and L , respectively. The

damping coefficient and the acceleration due to gravity are denoted by d and g. The angle of

the constraint is denoted by θ p. In order to keep the example as small and clear as possible, it is

35



36 Chapter 4. Hybrid automata related modeling

assumed that θ p ≥ 0 and |θ | ≤ π /2. Also, it is assumed that the pendulum always remains in a

straight line from the rotation point to the end point. The χ model is:

model Pendulum(val θ 0, ω0, d , m, g : real) =|[ cont θ : real = θ 0 , ω : real = ω0 , alg l : real:: |[ mode long = ( (eqn l = L inv θ ≤ θ p) [ω := L

Lsω]; short )

, mode short = ( (eqn l = Ls inv θ ≥ θ p) [ω := Ls

L ω]; long )

:: (skip; long skip; short)

]| eqn θ = ω

, ml ω = −mg sin(θ ) − dlω

]|,

where θ 0 and ω0 denote constants representing the initial values of θ and ω, respectively. When

θ ≤ θ p or θ ≥ θ p, the pendulum can delay in mode long or short, respectively. In mode long,

the assignment ω := L Ls

ω can be executed only if the invariant inv θ ≥ θ p of mode short can

be satisfied in the new state after the assignment to ω, because active invariants (and equations)

must always be satisfied. Notice that the equation eqn l = L s can always be satisfied. Therefore,

mode switches are possible only for θ = θ p. The assignment [ω := L Ls

ω] must be delayable,

because otherwise the assignment and the alternative composition would not be able to delay.

Note that the model allows infinite switching between modes long and short, without progress

of time, when θ

= θ p. This switching behavior can, in principle, be avoided by guarding the

delayable assignments [ω := L Ls ω] and [ω := Ls L ω] with (non-trivial) conditions that preventmode switching when no delay behavior is possible in the new mode.

4.2 Bottle filling line

Figure 4.2 shows a bottle filling line, based on [1], consisting of a storage tank that is contin-

uously filled with a flow Qin, a conveyor belt that supplies empty bottles, and a valve that is

opened when an empty bottle is below the filling nozzle, and is closed when the bottle is full.

When a bottle has been filled, the conveyor starts moving to put the next bottle under the filling

nozzle, which takes one unit of time. When the storage tank is not empty, the bottle filling

flow Q equals Qset. When the storage tank is empty, the bottle filling flow equals the flow Qin.

The system should operate in such a way that overflow of the tank does not occur. We assume

Qin < Qset.

Figure 4.3 shows an iconic representation of the model of the filling line. It consists of the

processes Tank and Conveyor that interact by means of the channels open and close, and shared

variable Q. The model is defined below. It has two parameters: the initial volume V T0 of the

storage tank, and the value Q in of the flow that is used to fill the storage tank. The constants Q set,

V Tmax, and V Bmax define the maximum value of the bottle filling flow Q, the maximum volume

of the storage tank, and the filling volume of the bottles, respectively. The model FillingLine



4.2. Bottle filling line 37

V T

Q

V B

Qin

Figure 4.2: Filling Line.

Tank

C onveyor

open closeQ

Figure 4.3: Iconic model of the filling line.

consists of the algebraic variable Q, the channels open and close, and the parallel composition

of the process instantiations for the tank and the conveyor.

const Qset : real = 3

, V Tmax : real = 20

, V Bmax : real = 10

model FillingLine(val V T0, Q in : real) =|[ alg Q : real, chan open, close : void:: Tank (Q, open, close, V T0, Q in) Conveyor (Q, open, close)

]|

The tank process has a local continuous variable V T that is initialized to V T0. Its process body

is a mode scope statement consisting of three modes: closed, opened, and openedempty that

correspond to the valve being closed, the valve being open, and the valve being open while the

storage tank is empty. In the mode opened, the storage tank is usually not empty. When the

storage tank is empty in mode opened, the delayable skip statement [skip] may be executed

causing the next mode to be openedempty. The skip statement can be executed only if theinvariant in the next mode openedempty holds. This means, among others, that V T = 0 must

hold. Therefore, the transition to mode openedempty can be taken only when the storage tank

is empty.

proc Tank (alg Q : real, chan open?, close? : void, val V T0, Q in : real) =|[ cont V T : real = V T0

:: |[ mode closed =( (eqn V T = Q in , Q = 0 inv 0 ≤ V T ≤ V Tmax) open?; opened )

, mode opened =




( (eqn V T = Qin − Q , Q = Qset inv 0 ≤ V T ≤ V Tmax)

[skip]; openedempty close?; closed

)

, mode openedempty =( (eqn Q = Qin inv V T = 0) close?; closed )

:: closed

]|]|

Process Conveyor supplies an empty bottle in 1 unit of time (V B := 0; 1). Then it synchronizes

with the storage tank process by means of the send statement open!, and it proceeds in mode

filling. When the bottle is filled in mode filling (V B ≥ V Bmax), the process synchronizes with thestorage tank to close the valve and returns to mode moving. The initial mode is moving.

proc Conveyor (alg Q : real, chan open!, close! : void) =|[ cont V B : real = 0

:: |[ mode moving = ( V B := 0; 1; open!; filling )

, mode filling = ( V B ≥ V Bmax → close!; moving )

:: moving

]| eqn V B = Q

]|Figure 4.4 shows the results of the first 12 time units of a simulation run of the model

FillingLine(5, 1.5), that is with model parameters V T0 = 5 and Q in = 1.5. The graph shows that

the first bottle is filled from time point 1 until time point 1 + 10/3 ≈ 4.33. Filling of the second

bottle starts 1 time unit later, and somewhat after 7 time units, the storage tank becomes empty,

so that filling continues at the reduced flow rate.

4.2.1 Elimination of process instantiation

Elimination of the process instantiations for the Tank and Conveyor processes by replacing the

process instantiations by their definitions, as defined in [4], leads to the following model:

model FillingLine(val V T0, Q in : real) =|[ alg Q : real, chan open, close : void:: |[ cont V T : real = V L

T0

, var V LT0 : real = V T0 , QL

in : real = Qin

:: |[ mode closed =( (eqn V T = QL

in , Q = 0 inv 0 ≤ V T ≤ V Tmax) open?; opened )

, mode opened =( (eqn V T = QL

in − Q , Q = Qset inv 0 ≤ V T ≤ V Tmax)



4.2. Bottle filling line 39

0

2

4

6

8

10

12

14

0 2 4 6 8 10 12

time

V TV BQ

Figure 4.4: Simulation results of model FillingLine.

[skip]; openedempty

close?; closed

)

, mode openedempty =( (eqn Q = QL

in inv V T = 0) close?; closed )

:: closed

]|]| |[ cont V B : real = 0

:: |[ mode moving = ( V B := 0; 1; open!; filling )

, mode filling = ( V B ≥ V Bmax → close!; moving )

:: moving

]| eqn V B = Q

]|]|

To avoid naming conflicts between the formal parameters V T0 and Qin declared in the process

definition for process Tank , and the actual arguments V T0 and Qin in the process instantiation

Tank (Q, open, close, V T0, Q in), the newly defined local discrete variables that are used to hold

the values of the last two parameters of the process instantiation, are renamed to V LT0 and Q Lin.



Chapter 5

Examples

In this chapter, the χ formalism is illustrated by several examples taken from various application

domains.

5.1 Dry friction

A model that combines assignments to discrete variables occurring in equations and assign-

ments to differential variables, deals with modeling of dry friction as shown in Figure 5.1.

Fd

Fn

Ff

Fz

x

Figure 5.1: Dry friction.

A driving force Fd is applied to a body on a flat surface with frictional force Ff. When the body

is moving with positive velocity v, the frictional force is given by Ff = mu * Fn, where Fn =

m * g. When the velocity of the body is 0, the frictional force neutralizes the applied driving

force. If the driving force exceeds mu0 * Fn, the body suddenly starts moving according to

dot v = (Fd - Ff)/m.

In model Fiction, dry friction is modeled in a mode scope statement. Each mode represents a

possible state of the body, having positive, zero of negative velocity. In the modes guards are put

alternative to equations. As long as the guards can delay, the alternative composition can delay

41



42 Chapter 5. Examples

v

Ff

mu0*Fn mu*Fn

Figure 5.2: Dry friction in relation to velocity.

and the equations will be solved. When the guards can do an action, the alternative composition

can delay no longer and the action execution will terminate the alternative composition and

therefore the equation. In the new mode the equations are enabled and they can delay as long

as the guards can delay.

The initial mode is determined by means of an alternative composition depending on the initial

value of v. A case of special interest occurs when the driving force Fd drops below -mu0 * Fn

before the speed v becomes smaller than 0. In this case when the speed becomes negative, both

guards are true at the same time and a choice will be made between the different expressions

non-deterministically. Either the second expression is chosen and the mode neg will become

active, or the first expression is chosen and the mode stop will become active. When in modestop, the second guard is immediately true and the mode neg will become active. It is therefore

arguable to leave out the second guards for the positive and negative modes and always let the

changing of modes happen via stop, thus making the model deterministic. Note that taking the

equation for dot v out of the mode scope and putting it in parallel as is done with Fn, Fd and

dot x is also possible.


model Friction() =

|[ cont x: real = -2.0, v: real = 0.0

, alg Fd // driving force, Ff // friction force

, Fn : real // normal force due to gravity

, var m: real = 1.0 // mass of body

, g: real = 10.0 // gravity

, mu0: real = 0.18 // friction coefficient for zero velocity

, mu: real = 0.1 // friction coefficient for non-zero velocity

: : e q n F n = m * g

, Fd = 2 * sin(0.25 * 3.14 * time)

, d o t x = v



5.1. Dry friction 43

-2

-1.5

-1

-0.5

0

0.5

1

1.5 2

0 2 4 6 8 10

Friction()

x(time)v(time)Fd(time)Ff(time)

Figure 5.3: Friction simulation.

|| |[ mode pos =

( eqn dot v = (Fd - Ff) / m

, Ff = mu * Fn

| Fd < mu * Fn and v <= 0 -> v:= 0.0; stop

| Fd <= -mu0 * Fn and v <= 0 -> skip; neg

)

, mode stop =

( eqn dot v = 0, Ff = Fd

| Fd >= mu0 * Fn -> skip; pos

| Fd <= -mu0 * Fn -> skip; neg

)

, mode neg =

( eqn d ot v = ( Fd - Ff) / m

, Ff = -mu * Fn

| Fd > -mu * Fn and v >= 0 -> v:= 0.0; stop

| Fd >= mu0 * Fn and v >= 0 -> skip; pos

)

:: ( v > 0 -> skip; pos| v = 0 -> skip; stop

| v < 0 -> skip; neg

)

]|

]|




5.2 Bottle filling system

The bottle filling system from Figure 5.4 consists of a liquid storage tank, and two identical

bottle filling lines.

Qu Qa , ca

V T , n , c, pH

QF2QF1

Figure 5.4: The bottle filling system.

The bottles are filled with liquid from the storage tank. A control system keeps the volume Vt

in the storage tank between 2 and 10, and the pH level (acidity) of the liquid in the storage

tank between 7 and 7.1. The liquid in the storage tank slowly becomes less acidic (pH level

increases). To correct this, a strong acid is dribbled into the storage tank when the acidity of the

liquid becomes too low (pH >= 7.1).

Figure 5.5 shows the iconic model of the bottle filling system. The lines ending in a small circle

represent shared variables (V T, QF1, Q F1

).

QF2

F

V T V T

F QF1

T

Figure 5.5: Iconic representation of the bottle filling system model.

The acid and liquid supply processes are not modeled, since we consider the acid and liquid

always to be available, and we are not interested in the amount of acid or liquid that is used.

The χ specification of the bottle filling system is as follows:



5.2. Bottle filling system 45


model BottleFilling() =

|[ cont Vt: real = 2.0

, alg Qf1,Qf2: real

:: T(Vt,Qf1,Qf2)

|| F(Vt,Qf1)

|| F(Vt,Qf2)

]|

The storage tank and the two bottle filling lines are connected by means of the variables Qf1,

and Qf2, respectively. Since a bottle may start filling only if the storage tank contains at least a

volume of 0.7, the volume Vt of the storage tank is available in both bottle filling processes.

The molar quantity and molar concentration of the acid in the storage tank are denoted by n and

c, respectively, where n=cV. The incoming flows of liquid and acid of the liquid storage tank T

are denoted by Qu and Qa, respectively. The outgoing flows to the two bottle filling processes

are denoted by Qf1 and Qf2, respectively.

It is assumed that the liquids are incompressible, and that the volumes of the fluids remain the

same when they are mixed. In such a case, the volume V of the mixed liquid equals the sum of

its components which leads to the equation

dot V = Qu + Qa - Qf1 - Qf2 .

Next, the mass balance (actually mol balance) for the dissolved substance is derived. Acid

comes into the tank by means of the flows Qu and Qa. Acid leaves the tank in outgoing flows

Qf1 and Qf2. Because the concentrations are in [mol/m3], they can be directly multiplied with

the flows (in [m3/s]), which leads to

dot n = cu*Qu + ca*Qa - c*Qf1 - c*Qf2 ,

where cu and ca denote the concentrations of acid in the flows Qu and Qa. The gradual reduction

of the acidity of the liquid is modeled by means of a constant Kloss, which leads to

dot n = cu*Qu + ca*Qa - c*Qf1 - c*Qf2 - Kloss*V.

It is assumed that the acid is completely decomposed. Taking into account that the units of c

are in [mol/m3] instead of [mol/l], the pH is given by

pH = -log (c/1000).

The χ specification of the liquid storage tank follows below, where symbols Qseta, Qsetu, ca,

cu and Kloss denote constants:




proc T(cont V: real, alg Qf1,Qf2: real) =

|[ var alpha: nat = 0, beta: nat = 0, cont n: real

, alg pH: real

, c,Qa,Qu: real

, var Qseta: real = 0.5

, Qsetu: real = 1.5

, ca: real = 0.0005

, cu: real = 0.0

, Kloss: real = 0.000002

, init pH = 7.0

:: eqn dot V = Qu + Qa - Qf1 - Qf2

, dot n = cu*Qu + ca*Qa - c*Qf1 - c*Qf2 - Kloss*V, n = c*V

, pH = -log (c/1000)

, Qa = alpha*Qseta

, Qu = beta*Qsetu

|| *( pH >= 7.1 -> alpha := 1; pH <= 7 -> alpha := 0 )

|| *( V <= 2 -> beta := 1; V >= 10 -> beta := 0 )

]|

In most cases, the differential variables, in this case V and n, are declared as continuous vari-

ables. The other variables, not occurring with a dot (derivative) are then declared as algebraic

variables. This ensures that the differential variables can be assigned new values, causing dis-

continuities. The algebraic variables will then simultaneously jump to their new values satis-

fying the equations. This declaration scheme is used in process T. Variable V is an external

variable that is declared as a continuous variable in the preceding χ process that defines the

complete bottle filling system.

Note that even though pH is an algebraic variable, which is not normally assigned new values,

pH can be initialized, in this case to a value of 7, in the initialization predicate. In this case the

differential variable n does not have to be initialized.

In process T, the only discontinuities in continuous variables occur in the flows Qf1, Qf2, Qa,

and Qu, that are switched on and off discontinuously in process T, and in process F that follows

below. Therefore, the algebraic variables apart from these flows could just as well have been

declared as continuous variables as in cont n,pH,c.

The behavior of the model is explained as follows. Initially, the pH of the liquid in the storage

tank equals 7. It is assumed that the pH level of the incoming liquid is 7 or more, since the

acidity controller can only make the acidity of the storage tank increase, causing the pH to

decrease. If the pH value exceeds the maximum value (pH >= 7.1), the acid valve is opened

(alpha := 1) so that acid is dribbled into the tank. Dribbling of the acid continues until the pH

value comes back at 7, and the valve is closed (alpha := 0). In a similar way, the controller

tries to keep the level of the storage tank between 2 and 10.




ott e ng )

2

2.5

3

3.5

0 2 4 6 8 10

Vt(time)

0 0.2 0.4 0.6 0.8

1

0 2 4 6 8 10

Qf1(time)

0 0.2 0.4 0.6 0.8

1

0 2 4 6 8 10

Qf2(time)

7

7.02 7.04 7.06 7.08 7.1

0 2 4 6 8 10

pH(time)

Figure 5.6: Bottle filling system.

lb

V V

x

lc

ls

Figure 5.7: The conveyor system.



5.3. Conveyor system 49

5.3.1 A process for each conveyor belt

Figure 5.8 shows the iconic model of a generator G , two conveyor belts V and the associated

control processes C . Processes V end and C end are added to obtain a closed system; they do not

model actual behavior. The model is a simplified version of the model treated in [ 2]. The dashed

lines with arrow heads represent directed synchronization channels ( pc0, pc1, pc2, p0, p1, p2),

and the lines ending in a small circle represent shared variables (s0, s1, v0, v1).

G

C 1 C 1 C end

V end V 1V 1

pc0

p0

pc1

v0

pc2

v1

p1

s0

p2

s1s0 s1

Figure 5.8: Iconic model of the conveyor system for process per belt.

Global position variable declarations

The χ specification of the iconic model from Figure 5.8 is as follows:

model C1V1(val x1ini,x2ini: real) =

|[ cont x1: real = x1ini, x2: real = x2ini

, var v1: nat = 0, v2: nat = 0

, s0: bool = false, s1: bool = false, s2: bool = false

, chan pc0,pc1,pc2: void

, p0,p1,p2: void

:: G(pc0,p0)

|| C1(v1,s1,pc0,pc1) || V1(x1,v1,s0,s1,p0,p1)|| C1(v2,s2,pc1,pc2) || V1(x2,v2,s1,s2,p1,p2)

|| Cend(pc2) || Vend(s2,p2)

]|

Channels p0, p1, p2 are used to synchronize the box transition from the current to the next belt.

Channels pc0, pc1, pc2 are directed synchronization channels. Variables s0, s1, v0, v1 are shared

variables, where s0 and s1 represent the sensors that indicate the presence of a box, and v0 and

v1 are actuators that determine the velocity of the respective conveyors. The process definitions

are:




proc G(chan pc!: void, p!: void) =

|[ *( pc!; delay 1.0; p!! ) ]|

proc Cend(chan pc?: void) =

|[ * pc? ]|

proc V1( cont x: real, var v: nat, var sprev: bool, s: bool, chan pin?,pout!: void) =

|[ eqn dot x = ( x < -0.5 -> 0.0 | x >= -0.5 -> v*1.0 )

|| |[ mode waitforSensor =

( x >= 5 -> s:= true

; x >= 6 and v > 0 -> pout!

; x := -1.0; waitforTray

)

, mode waitforTray =

( pin?

; x:= 0.0

; x >= 3 -> sprev:= false; waitforSensor

)

:: ( x = -1 -> skip; waitforTray

| x >= 0 and x < 3 -> !! "Error, incorrect initial value for x"

; deadlock

| x >= 3 -> skip; waitforSensor

)

]|

]|

proc Vend(var sprev: bool, chan pin?: void) =

|[ cont x: real = -1.0

:: eqn dot x = ( x < -0.5 -> 0.0 | x >= -0.5 -> 1.0 )

|| *( pin?

; x:= 0.0

; x >= 3 -> sprev, x := false, -1.0

)

]|

Conservative control strategy For this system, different control strategy’s are possible. We

first start with a conservative control strategy, where a new box is allowed to enter the belt, afterthe previous box has passed the sensor completely.

proc C1(var v: nat, var s: bool, chan pcin?,pcout!: void) =

|[ mode emptyon = ( ( pcin?

| delay 5.0; v:= 0; pcin?; v:= 1

)

; entering

)

, mode entering = ( s -> skip; atsensor)




C1V1(-(1), -(1))

-1 0 1 2 3 4 5 6

0 5 10 15 20 25 30

x2(time)v2(time)s2(time)

-1 0 1 2

3 4 5 6

0 5 10 15 20 25 30


Figure 5.9: Conveyors initially empty.

, mode atsensor = ( pcout!; leaving

| delay 0.2; v:= 0; pcout!; v:= 1; leaving

)

, mode leaving = ( not s -> skip; emptyon)

:: v:= 1

; ( s -> skip; atsensor

| delay 3.0; emptyon

)

]|

Figures 5.9 and 5.10 show simulation results for conveyors that are initially empty for and

conveyors where the initial positions of the boxes are 4,3, respectively. Figure 5.11 shows the

simulation result for initially only a box on the first conveyor.

High throughput control strategy The throughput of the system can be improved by allow-

ing boxes to enter as soon as the current box on the belt is leaving this belt. To achieve this

goal, a new mode is added to the controller, allowing a box to enter as soon as the current box

is leaving the belt.

proc C2(var v: nat, var s: bool, chan pcin?,pcout!: void) =


| delay 5.0; v:= 0; pcin?; v:= 1

)




C1V1(4, 3)

-1 0 1 2 3 4 5 6

0 5 10 15 20


-1 0 1 2 3 4

5 6

0 5 10 15 20

x1(time)v1(time)

s1(time)

Figure 5.10: Conveyors with boxes initially present.

C1V1(4, -(1))

-1 0 1 2 3 4 5 6

0 5 10 15 20


-1 0 1 2 3 4

5 6

0 5 10 15 20

x1(time)v1(time)

s1(time)

Figure 5.11: Conveyors with box initially present on first conveyor only.




; entering

), mode entering = ( s -> skip; atsensor)



)

, mode leaving = ( not s -> skip; emptyon

| pcin?; leaving_entering

)

, mode leaving_entering = ( not s -> skip; entering )

:: v:= 1



)

]|

The other processes remain the same, leading to model C2V1.



, var v1: nat = 0, v2: nat = 0



, p0,p1,p2: void

:: G(pc0,p0)

|| C2(v1,s1,pc0,pc1) || V1(x1,v1,s0,s1,p0,p1)

|| C2(v2,s2,pc1,pc2) || V1(x2,v2,s1,s2,p1,p2)

|| Cend(pc2) || Vend(s2,p2)

]|

G

C 2 C 2 C end

V end V 1V 1

pc0

p0

pc1

v0

pc2

v1

p1

s0

p2

s1s0 s1

Figure 5.12: Iconic model for process per belt with high throughput.

Figures 5.13 and 5.14 show simulation results for conveyors that are initially empty for and

conveyors where the initial positions of the boxes are 4,3, respectively. Figure 5.13 shows the




C2V1(-(1), -(1))

-1 0 1 2 3 4 5 6

0 5 10 15 20


-1 0 1 2

3 4 5 6

0 5 10 15 20



desired behavior, with boxes entering a belt as soon as this is allowed be the controller. Figure

5.14 however, shows undesired behavior. Somehow the box on the first belt is not allowed to

enter the second belt and continuing on the first belt beyond position 6. This is physically not

possible. Figure 5.15 zooms in on this. The cause of this lies in the process of the belt V1. Inthe mode waitforSensor, the synchronization pout! is delayable, allowing the box to move

beyond position 6.

Improved belt model In order to eliminate the possibility for boxes to go beyond position

6, the process of the belt has been improved, leading to model C2V2. In Figure 5.16 the cor-

responding iconic model is given. Here the solid lines with arrow heads represent directed

communication channels, since now the position of the box is communicated.

proc G2(chan pc!: void, p!: real) =

|[ *( pc!; delay 1.0; p!!0.0 ) ]|

proc V2( cont x: real, var v: nat, var sprev: bool, s: bool, chan pin?,pout!: real) =

|[ eqn dot x = ( x < -0.5 -> 0.0 | x >= -0.5 -> v*1.0 )

|| |[ mode waitforSensor =

( x >= 5 -> s:= true

; x >= 6 and v > 0 -> pout! x - 6

; x := -1.0; waitforTray

)

, mode waitforTray =




C2V1(4, 3)

0

1

2

3

4

5

6

0 5 10 15 20


-1 0 1 2

3 4 5 6

0 5 10 15 20



4

4.5

5

5.5

6

6.5

0 1 2 3 4 5

C2V1(4, 3)



( pin?x

; x >= 3 -> sprev:= false; waitforSensor

)

:: ( x = -1 -> skip; waitforTray

| x >= 0 and x < 3 -> !! "Error, incorrect initial value for x"

; deadlock

| x >= 3 -> skip; waitforSensor

)

]|




]|



, var v1: nat = 0, v2: nat = 0



, p0,p1,p2: real

:: G2(pc0,p0)

|| C2(v1,s1,pc0,pc1) || V2(x1,v1,s0,s1,p0,p1)

|| C2(v2,s2,pc1,pc2) || V2(x2,v2,s1,s2,p1,p2)

|| Cend(pc2) || Vend2(s2,p2)

]|

G

C 2 C 2 C end

V end V 2V 2

pc0

p0

pc1

v0

pc2

v1

p1

s0

p2

s1s0 s1

Figure 5.16: Iconic model for process per belt with improved belt model.

Now the system is again simulated for different initial conditions. Figures 5.17 and 5.18 show

simulation results for conveyors that are initially empty for and conveyors where the initial

positions of the boxes are 4,3, respectively. Figure 5.19 zooms in on the same area that had

incorrect behavior in model C2V1. Now it can be seen that even though the box goes beyond

position 6, the model works properly because box enters the next belt taking in to account that

difference.

Local position variable declarations

The same system can be modeled using local variable declarations for the positions of the boxes.

This leads to the following model:

model CVlocal() =

|[ var v1: nat = 0, v2: nat = 0





C2V2(-(1), -(1))

-1 0 1 2 3 4 5 6

0 5 10 15 20 25 30


-1 0 1 2 3 4

5 6

0 5 10 15 20 25 30

x1(time)v1(time)

s1(time)


C2V2(4, 3)

-1 0 1 2 3 4 5 6

0 5 10 15 20


-1 0 1 2 3 4 5 6

0 5 10 15 20

x1(time)v1(time)

s1(time)





4

4.5

5

5.5

6

6.5

0 1 2 3 4 5

C2V2(4, 3)


0

0.5

1

1.5

2

2.5

0 1 2 3 4 5

C2V2(4, 3)




, p0,p1,p2: void:: G(pc0,p0)

|| C1(v1,s1,pc0,pc1) || Vlocal(v1,s0,s1,p0,p1)

|| C1(v2,s2,pc1,pc2) || Vlocal(v2,s1,s2,p1,p2)

|| Cend(pc2) || Vlocalend(s2,p2)

]|

The only changes are the process definitions that model the conveyor belts. The initialization

of the boxes has been omitted for the sake of clarity:

proc Vlocal(var v: nat, var sprev: bool, s: bool, chan pin?,pout!: void) =

|[ *( pin?; |[ cont x: real = 0.0

:: ( eqn dot x = v*1.0 | x >= 3 -> sprev:= false )

; ( eqn dot x = v*1.0 | x >= 5 -> s:= true )

; ( eqn dot x = v*1.0 | x >= 6 -> pout!! )

]|

)

]|

proc Vlocalend(var sprev: bool, chan pin?: void) =

|[ *( pin?

; |[ cont x: real = 0.0

:: ( eqn dot x = 1 | x >= 3 -> sprev:= false )]|

)

]|

5.3.2 A process for each box

Another way of modeling the conveyor belts with boxes is to define a process for each box,

instead of a process for each conveyor.




Discrete variables for sensors

In Figure 5.20 the iconic model for the process per box approach is given. In this figure, lines

with a small circle at one end and a arrowhead at the other end, represent a shared variable as

well as directed communication. The iconic model leads to the following model in χ :

model CBmode(val xini,yini,zini: real) =

|[ cont x: real = xini, y: real = yini, z: real = zini

, var v1: nat = 0, v2: nat = 0

, s1: bool = false, s2: bool = false


, p0,p1,p2: real

:: G(x,y,z,pc0,p0,p1,p2)

|| C(v1,s1,pc0,pc1)|| C(v2,s2,pc1,pc2)

|| Cend(pc2)

|| BoxMode(x,v1,v2,s1,s2,p0)

|| BoxMode(y,v1,v2,s1,s2,p1)

|| BoxMode(z,v1,v2,s1,s2,p2)

]|

proc G(cont x,y,z: real, chan pc!: void, p0,p1,p2!: real) =

|[ var i: nat = 0

// assume that if trays are initially present, x >= y >= z holds

:: ( x = -1 -> i:= 0 // all empty

| x /= -1 and y = -1 -> i:= 1 // tray in x

| x /= -1 and y /= -1 and z = -1 -> i:= 2 // trays in x,y

| x /= -1 and y /= -1 and z /= -1 -> i:= 0 // trays in x,y,z

)

; *( pc!; delay 1.0

; ( i = 0 -> p0!!0.0

| i = 1 -> p1!!0.0

| i = 2 -> p2!!0.0

)

; i:= (i + 1) mod 3

)

]|

The model of the conveyor control process has been changed to allow a new box to enter a

conveyor as soon as the current box on the conveyor has started to leave the conveyor:

proc C(var v: nat, var s: bool, chan pcin?,pcout!: void) =


| delay 5.0; v:= 0; pcin?; v:= 1

)

; entering

)




C C C E

G

BM BM BM

pc0

x, p0

y, p1

z, p2

pc1

v1, s1 v1, s1

v1, s1

pc1

v2, s2

v2, s2 v2, s2

Figure 5.20: Iconic model of the conveyor system for process per box.

, mode entering = ( s -> skip; atsensor)



)

, mode leaving = ( not s -> skip; emptyon

| pcin?; leaving_entering

)

, mode leaving_entering = ( not s -> skip; entering )

:: v:= 1



)

]|

proc Cend(chan pc?: void) =

|[ * pc? ]|

The initial value for the position of a box x must be in the interval: 3 ≤ x ≤ 6, or 9 ≤ x ≤ 12,

or 15 ≤ x ≤ 18, because the controller cannot deal with an initial tray that activates a previous

sensor. This is, however, not checked.

proc BoxMode(cont x: real, var v1,v2: nat, s1,s2: bool, chan pin?: real) =

|[ eqn dot x = ( x < -0.1 -> 0

| -0.1 <= x and x < (6+2) -> v1

| (6+2) <= x and x < (12+2) -> v2




| x >= (12+2) -> 1

)|| |[ mode none = ( pin?x; pre1 )

, pre1 = ( x >= (6-1) -> s1:= true; on1 )

, on1 = ( x >= (6+3) -> s1:= false; post1 )

, post1 = ( x >= (12-1) -> s2:= true; on2 )

, on2 = ( x >= (12+3) -> s2:= false; post2 )

, post2 = ( x >= (12+4) -> x:= -1.0; none )

:: ( x = -1 -> skip; none

| 0 <= x and x < (6-1) -> skip; pre1

| (6-1) <= x and x < (6+3) -> s1:= true; on1

| (6+3) <= x and x < (12-1) -> skip; post1

| (12-1) <= x and x < (12+3) -> s2:= true; on2

| (12+3) <= x -> skip; post2

)]|

]|

Figures 5.21 and 5.22 shows simulation results for conveyors that are initially empty and con-

veyors with boxes on positions 4 and 3, respectively. Recall that for the process per belt, the

latter initialization gave a deadlock in the model. The process per box approach clearly does

not have this problem.

Algebraic variables for sensors

Using algebraic variables for the sensors simplifies the process definitions for the boxes. The

equations defining the values of the sensors are now defined at the model level:

model CBalg(val xini,yini,zini: real) =

|[ cont x: real = xini, y: real = yini, z: real = zini

, var v1: nat = 0, v2: nat = 0

, alg s1,s2: bool


, p0,p1,p2: real

:: eqn s1 = ((x >= 5 and x <= 9) or (y >= 5 and y <= 9) or (z >= 5 and z <= 9))

, s2 = ((x >= 11 and x <= 15) or (y >= 11 and y <= 15) or (z >= 11 and z <= 15))

|| Galg(pc0,p0,p1,p2)

|| C(v1,s1,pc0,pc1)

|| C(v2,s2,pc1,pc2)

|| Cend(pc2)

|| BoxAlg(x,v1,v2,p0)

|| BoxAlg(y,v1,v2,p1)

|| BoxAlg(z,v1,v2,p2)

]|

proc Galg(chan pc!: void, p0,p1,p2!: real) =




CBmode(-(1), -(1), -(1))

02468

10121416

0 5 10 15 20 25 30

x(time)y(time)z(time)

0

0.2 0.4

0.6 0.8

1

0 5 10 15 20 25 30

v1(time)s1(time)

0 0.2 0.4

0.6 0.8

1

0 5 10 15 20 25 30

v2(time)s2(time)


|[ *( pc!; delay 1.0

; (p0!!0.0 | p1!!0.0 | p2!!0.0)

)

]|

proc BoxAlg(cont x: real, var v1,v2: nat, chan pin?: real) =

|[ mode empty =

( (eqn dot x = 0 | pin?x); tray )

, mode tray =

( e q n d o t x = ( x < = 8 - > v 1 | 8 < x a n d x < = 1 4 - > v 2 | x > 1 4 - > 1 )

| x >= (2*6)+4 -> x:= -1.0; empty)

:: ( x = -1 -> skip; empty // assume initially x = -1 or x >= 0

| x >= 0 -> skip; tray

)

]|

The process definitions for the controllers remain unchanged.




CBmode(9, 4, -(1))

02468

10121416

0 5 10 15 20 25 30

x(time)y(time)z(time)

0

0.2 0.4 0.6

0.8 1

0 5 10 15 20 25 30

v1(time)s1(time)

0 0.2

0.4 0.6 0.8

1

0 5 10 15 20 25 30

v2(time)s2(time)

Figure 5.22: Conveyors initially full.



Bibliography

[1] J. C. M. Baeten and C. A. Middelburg. Process Algebra with Timing. EACTS Monographs

in Theoretical Computer Science. Springer-Verlag, 2002.

[2] D. A. van Beek, S. H. F. Gordijn, and J. E. Rooda. Integrating continuous-time and discrete-

event concepts in modelling and simulation of manufacturing machines. Simulation Prac-

tice and Theory, 5(7-8):653–669, 1997.

[3] D. A. van Beek, A. T. Hofkamp, M. A. Reniers, J. E. Rooda, and R. R. H. Schiffelers.

Syntax and formal semantics of Chi 2.0. SE Report 2008-01, Eindhoven University of

Technology, Systems Engineering Group, Department of Mechanical Engineering, Eind-

hoven, The Netherlands, 2008.

[4] D. A. van Beek, K. L. Man, M. A. Reniers, J. E. Rooda, and R. R. H. Schiffelers. Syntax and

consistent equation semantics of hybrid Chi. Journal of Logic and Algebraic Programming,68(1-2):129–210, 2006.

[5] C. Bohn and D. P. Atherton. An analysis package comparing PID anti-windup strategies.

IEEE Control Systems, 15(2):34–40, 1995.

[6] F. Breitenecker and I. Husinsky, editors. Simulation News Europe, chapter ARGESIM

Comparisons. Number 0-40. EUROSIM, 1990-2004.

[7] K. L. Man and R. R. H. Schiffelers. Formal Specification and Analysis of Hybrid Systems.

PhD thesis, Eindhoven University of Technology, 2006.

hybrid systems cif 3

Documents