A Calculus of Cyber-Physical Systems

# A Calculus of Cyber-Physical Systems

Ruggero Lanotte Dipartimento di Scienza e Alta Tecnologia, Università dell’Insubria, Como, Italy    Massimo Merro Dipartimento di Informatica, Università degli Studi di Verona, Italy
###### Abstract

We propose a hybrid process calculus for modelling and reasoning on cyber-physical systems (CPSs). The dynamics of the calculus is expressed in terms of a labelled transition system in the SOS style of Plotkin. This is used to define a bisimulation-based behavioural semantics which support compositional reasonings. Finally, we prove run-time properties and system equalities for a non-trivial case study.

###### Keywords:
Process calculus, cyber-physical system, semantics.

## 1 Introduction

Cyber-Physical Systems (CPSs) are integrations of networking and distributed computing systems with physical processes, where feedback loops allow physical processes to affect computations and vice versa. For example, in real-time control systems, a hierarchy of sensors, actuators and control processing components are connected to control stations. Different kinds of CPSs include supervisory control and data acquisition (SCADA), programmable logic controllers (PLC) and distributed control systems.

The physical plant of a CPS is typically represented by means of a discrete-time state-space model111See  for a tassonomy of time-scale models used to represent CPSs. consisting of two equations of the form

where is the current (physical) state, is the input (i.e., the control actions implemented through actuators) and is the output (i.e., the measurements from the sensors). The uncertainty and the measurement error represent perturbation and sensor noise, respectively, and , , and are matrices modelling the dynamics of the physical system. The next state depends on the current state and the corresponding control actions , at the sampling instant . Note that, the state cannot be directly observed: only its measurements can be observed.

The physical plant is supported by a communication network through which the sensor measurements and actuator data are exchanged with the controller(s), i.e., the cyber component, also called logics, of a CPS (see Figure 1).

The range of CPSs applications is rapidly increasing and already covers several domains : advanced automotive systems, energy conservation, environmental monitoring, avionics, critical infrastructure control (electric power, water resources, and communications systems for example), etc.

However, there is still a lack of research on the modelling and validation of CPSs through formal methodologies that might allow to model the interactions among the system components, and to verify the correctness of a CPS, as a whole, before its practical implementation. A straightforward utilisation of these techniques is for model-checking, i.e. to statically assess whether the current system deployment can guarantee the expected behaviour. However, they can also be an important aid for system planning, for instance to decide whether different deployments for a given application are behavioural equivalent.

In this paper, we propose a contribution in the area of formal methods for CPSs, by defining a hybrid process calculus, called CCPS, with a clearly-defined behavioural semantics for specifying and reasoning on CPSs. In CCPS, systems are represented as terms of the form , where denotes the physical plant (also called environment) of the system, containing information on state variables, actuators, sensors, evolution law, etc., while represents the cyber component of the system, i.e., the controller that governs sensor reading and actuator writing, as well as channel-based communication with other cyber components. Thus, channels are used for logical interactions between cyber components, whereas sensors and actuators make possible the interaction between cyber and physical components. Despite this conceptual similarity, messages transmitted via channels are “consumed” upon reception, whereas actuators’ states (think of a valve) remains unchanged until its controller modifies it.

CCPS is equipped with a labelled transition semantics (LTS) in the SOS style of Plotkin . We prove that our labelled transition semantics satisfies some standard time properties such as: time determinism, patience, maximal progress, and well-timedness. Based on our LTS, we define a natural notion of weak bisimilarity. As a main result, we prove that our bisimilarity is a congruence and it is hence suitable for compositional reasoning. We are not aware of similar results in the context of CPSs. Finally, we provide a non-trivial case study, taken from an engineering application, and use it to illustrate our definitions and our semantic theory for CPSs. Here, we wish to remark that while we have kept the example simple, it is actually far from trivial and designed to show that various CPSs can be modelled in this style.

#### Outline

In § 2, we give syntax and operational semantics of CCPS. In § 3 we provide a bisimulation-based behavioural semantics for CCPS and prove its compositionality. In § 4 we model in CCPS our case study, and prove for it run-time properties as well as system equalities. In § 5, we discuss related and future work.

## 2 The Calculus

In this section, we introduce our Calculus of Cyber-Physical Systems CCPS. Let us start with some preliminary notations. We use for state variables; for communication channels, for actuator devices, for sensors devices. Actuator names are metavariables for actuator devices like , , etc. Similarly, sensor names are metavariables for sensor devices, e.g., a sensor that measures, with a given precision, a state variable called . Values, ranged over by , are built from basic values, such as Booleans, integers and real numbers; they also include names.

Given a generic set of names , we write to denote the set of functions assigning a real value to each name in . For , and , we write to denote the function such that , for any , and . For , we write if , for any . Given and such that , we denote with the function in such that , if , and , if . Finally, given and a set of names , we write for the restriction of function to the set .

In CCPS, a cyber-physical system consists of two components: a physical environment that encloses all physical aspects of a system (state variables, physical devices, evolution law, etc) and a cyber component, represented as a concurrent process that interacts with the physical devices (sensors and actuators) of the system, and can communicate, via channels, with other processes of the same CPS or with processes of other CPSs.

We write to denote the resulting CPS, and use and to range over CPSs. Let us formally define physical environments.

###### Definition 1 (Physical environment)

Let be a set of state variables, be a set of actuators, and be a set of sensors. A physical environment is 7-tuple , where:

• is the state function,

• is the actuator function,

• is the uncertainty function,

• is the evolution map,

• is the sensor-error function,

• is the measurement map,

• is the invariant function.

All the functions defining an environment are total functions.

The state function returns the current value (in ) associated to each state variable of the system. The actuator function returns the current value associated to each actuator. The uncertainty function returns the uncertainty associated to each state variable. Thus, given a state variable , returns the maximum distance between the real value of and its representation in the model. Both the state function and the actuator function are supposed to change during the evolution of the system, whereas the uncertainty function is supposed to be constant.

Given a state function, an actuator function, and an uncertainty function, the evolution map returns the set of next admissible state functions. This function models the evolution law of the physical system, where changes made on actuators may reflect on state variables. Since we assume an uncertainty in our models, the evolution map does not return a single state function but a set of possible state functions. The evolution map is obviously monotone with respect to uncertainty: if then . Note also that, although the uncertainty function is constant, it can be used in the evolution map in an arbitrary way (e.g., it could have a heavier weight when a state variable reaches extreme values).

The sensor-error function returns the maximum error associated to each sensor in . Again due to the presence of the sensor-error function, the measurement map , given the current state function, returns a set of admissible measurement functions rather than a single one.

Finally, the invariant function represents the conditions that the state variables must satisfy to allow for the evolution of the system. A CPS whose state variables don’t satisfy the invariant is in deadlock.

Let us now formalise in CCPS the cyber components of CPSs. Our (logical) processes build on the timed process algebra TPL  (basically CCS enriched with a discrete notion of time). We extend TPL with two constructs: one to read values detected at sensors, and one to write values on actuators. The remaining processes of the calculus are the same as those of TPL.

###### Definition 2 (Processes)

Processes are defined by the grammar:

We write for the terminated process. The process sleeps for one time unit and then continues as . We write to denote the parallel composition of concurrent processes and . The process , with , denotes prefixing with timeout. Thus, sends the value on channel and, after that, it continues as ; otherwise, if no communication partner is available within one time unit, it evolves into . The process is the obvious counterpart for receiving. reads the value detected by the sensor and, after that, it continues as , where is replaced by ; otherwise, after one time unit, it evolves into . writes the value on the actuator and, after that, it continues as ; otherwise, after one time unit, it evolves into . The process is the channel restriction operator of CCS. It is quantified over the set of communication channels but we often use the shorthand to mean , for . The process is the standard conditional, where is a decidable guard. For simiplicity, as in CCS, we identify process with , if evaluates to true, and with , if evaluates to false. In processes of the form and , the occurrence of is said to be time-guarded. The process denotes time-guarded recursion as all occurrences of the process variable may only occur time-guarded in .

In the two constructs and , the variable is said to be bound. Similarly, the process variable is bound in . This gives rise to the standard notions of free/bound (process) variables and -conversion. We identify processes up to -conversion (similarly, we identify CPSs up to renaming of state variables, sensor names, and actuator names). A term is closed if it does not contain free (process) variables, and we assume to always work with closed processes: the absence of free variables is preserved at run-time. As further notation, we write for the substitution of the variable with the value in any expression of our language. Similarly, is the substitution of the process variable with the process in .

The syntax of our CPSs is slightly too permissive as a process might use sensors and/or actuators which are not defined in the physical environment.

###### Definition 3 (Well-formedness)

Given a process and an environment , the CPS is well-formed if: (i) for any sensor mentioned in , the function is defined in ; (ii) for any actuator mentioned in , the function is defined in .

Hereafter, we will always work with well-formed networks.

Finally, we assume a number of notational conventions. We write instead of , when does not occur in . We write (resp. ) when channel is used for pure synchronisation. For , we write as a shorthand for , where the prefix appears consecutive times. Given , we write for , and for .

### 2.1 Labelled Transition Semantics

In this section, we provide the dynamics of CCPS in terms of a labelled transition system (LTS) in the SOS style of Plotkin. In Definition 4, for convenience, we define some auxiliary operators on environments.

###### Definition 4

Let .

• ,

• ,

• ,

• .

The operator returns the set of possible measurements detected by sensor in the environment ; it returns a set of possible values rather than a single value due to the error of sensor . returns the new environment in which the actuator function is updated in such a manner to associate the actuator with the value . returns the set of the next admissible environments reachable from , by an application of the evolution map. checks whether the state variables satisfy the invariant (here, with an abuse of notation, we overload the meaning of the function ).

In Table 1, we provide transition rules for processes. Here, the meta-variable ranges over labels in the set . Rules (Outp), (Inpp) and (Com) serve to model channel communication, on some channel . Rules (Write) denotes the writing of some data on an actuator . Rule (Read) denotes the reading of some data via a sensor . Rule (Par) propagates untimed actions over parallel components. Rules (ChnRes) and (Rec) are the standard rules for channel restriction and recursion, respectively. The following four rules are standard, and model the passage of one time unit. The symmetric counterparts of rules (Com) and (Par) are obvious and thus omitted from the table.
In Table 2, we lift the transition rules from processes to systems. All rules have a common premise : a CPS can evolve only if the invariant is satisfied, otherwise it is deadlocked. Here, actions, ranged over by , are in the set . These actions denote: non-observable activities (); observable logical activities, i.e., channel transmission ( and ); the passage of time (). Rules (Out) and (Inp) model transmission and reception, with an external system, on a channel . Rule (SensRead) models the reading of the current data detected at sensor . Rule (ActWrite) models the writing of a value on an actuator . Rule (Tau) lifts non-observable actions from processes to systems. A similar lifting occurs in rule (Time) for timed actions, where returns the set of possible environments for the next time slot. Thus, by an application of rule (Time) a CPS moves to the next physical state, in the next time slot.
Now, having defined the actions that can be performed by a CPS, we can easily concatenate these actions to define execution traces. Formally, given a trace , we will write as an abbreviation for .
Below, we report a few desirable time properties which hold in our calculus: (a) time determinism, (b) maximal progress, (c) patience, and (d) well-timedness (symbol denotes standard structural congruence for timed processes [15, 14]).

###### Theorem 2.1 (Time properties)

Let .

• If and , then and .

• If then there is no such that .

• If for no then either or or there is such that .

• For any there is a such that if , with , then .

Well-timedness [14, 5] ensures the absence of infinite instantaneous traces which would prevent the passage of time, and hence the physical evolution of a CPS.

## 3 Bisimulation

Once defined the labelled transition semantics, we are ready to define our bisimulation-based behavioural equality for CPSs. We recall that the only observable activities in CCPS are: time passing and channel communication. As a consequence, the capability to observe physical events depends on the capability of the cyber components to recognise those events by acting on sensors and actuators, and then signalling them using (unrestricted) channels.

We adopt a standard notation for weak transitions: we write for the reflexive and transitive closure of -actions, namely , whereas means , and finally denotes if and otherwise.

###### Definition 5 (Bisimulation)

A binary symmetric relation over CPSs is a bisimulation if and implies that there exists such that and . We say that and are bisimilar, written , if for some bisimulation .

A main result of the paper is that our bisimilarity can be used to compare CPSs in a compositional manner. In particular, our bisimilarity is preserved by parallel composition of (non-interfering) CPSs, by parallel composition of (non-interfering) processes, and by channel restriction.

Two CPSs do not interfere with each other if they have a disjoint physical plant. Thus, let with sensors in , actuators in , and state variables in , for . If and and , then we define the disjoint union of the environments and , written , to be the environment such that: , , , , and

###### Definition 6 (Non-interfering CPSs)

Let , for . We say that and do not interfere with each other if and have disjoint sets of state variables, sensors and actuators. In this case, we write to denote the CPS defined as .

A similar but simpler definition can be given for processes. Let , a non-interfering process is a process which does not interfere with the plant as it never accesses its sensors and/or actuators. Thus, in the system the process cannot interfere with the physical evolution of . However, process can definitely affect the observable behaviour of the whole system by communicating on channels. Notice that, as we only consider well-formed CPSs (Definition 3), a non-interfering processes is basically a (pure) TPL process .

###### Definition 7 (Non-interfering processes)

A process is called non-interfering if it never acts on sensors and/or actuators.

Now, everything is in place to prove the compositionality of our bisimilarity .

###### Theorem 3.1 (Congruence results)

Let and be two CPSs.

1. implies , for any non-interfering CPS

2. implies , for any non-interfering process

3. implies , for any channel .

The presence of invariants in the definition of physical environment makes the proof of the second item of the theorem above non standard.

As we will see in the next section, these compositional properties will be very useful when reasoning about complex systems.

## 4 Case study

In this section, we model in CCPS an engine, called , whose temperature is maintained within a specific range by means of a cooling system. The physical environment of the engine is constituted by: (i) a state variable containing the current temperature of the engine; (ii) an actuator to turn on/off the cooling system; (iii) a sensor (such as a thermometer or a thermocouple) measuring the temperature of the engine; (iv) an uncertainty associated to the only variable ; (v) a simple evolution law that increases (resp., decreases) the value of of one degree per time unit if the cooling system is inactive (resp., active) — the evolution law is obviously affected by the uncertainty ; (vi) an error associated to the only sensor ; (vii) a measurement map to get the values detected by sensor , up to its error ; (viii) an invariant function saying that the system gets faulty when the temperature of the engine gets out of the range .

Formally, with:

• and ;

• and ; for the sake of simplicity, we can assume to be a mapping such that if , and if ;

• and ;

• , where if (active cooling), and if (inactive cooling);

• and ;

• ;

• if ; , otherwise.

The cyber component of consists of a process which models the controller activity. Intuitively, process senses the temperature of the engine at each time interval. When the sensed temperature is above , the controller activates the coolant. The cooling activity is maintained for consecutive time units. After that time, if the temperature does not drop below then the controller transmits its on a specific channel for signalling a , it keeps cooling for another time units, and then checks again the sensed temperature; otherwise, if the sensed temperature is not above the threshold , the controller turns off the cooling and moves to the next time interval. Formally,

The whole engine is defined as: where is the physical environment defined before.

Our operational semantics allows us to formally prove a number of run-time properties of our engine. For instance, the following proposition says that our engine never reaches a warning state and never deadlocks. never reaches a warning state.

###### Proposition 1

Let be the CPS defined before. If , for some , then , for , and there is such that , for some .

Actually, we can be quite precise on the temperature reached by the engine before and after the cooling activity: in each of the time slots of cooling, the temperature will drop of a value laying in the interval , where is the uncertainty of the model. Formally,

###### Proposition 2

For any execution trace of , we have:

• when turns on the cooling, the value of the state variable ranges over ;

• when turns off the cooling, the value of the variable ranges over .

In Figure 2, the left graphic collects a campaign of 100 simulations, lasting 250 time units each, showing that the value of the state variable when the cooling system is turned on (resp., off) lays in the interval (resp., ); these bounds are represented by the dashed horizontal lines. Since , these results are in line with those of Proposition 2. The right graphic shows three examples of possible evolutions in time of the state variable .

Now, the reader may wonder whether it is possible to design a variant of our engine which meets the same specifications with better performances. For instance, an engine consuming less coolant. Let us consider a variant of the engine described before:

Here, is the same as except for the evolution map, as we set if . This means that in we reduce the power of the cooling system by . In Figure 3, we report the results of our simulations over runs lasting time units each. From this graph, saves in average more than of coolant with respect to . So, the new question is: are these two engines behavioural equivalent? Do they meet the same specifications?

Our bisimilarity provides us with a precise answer to these questions.

###### Proposition 3

The two variants of the engine are bisimilar: .

At this point, one may wonder whether it is possible to improve the performances of our engine even more. For instance, by reducing the power of the cooling system by a further , by setting if . We can formally prove that this is not the case.

###### Proposition 4

Let be the same as , except for the evolution map, in which if . Then, .

Finally, we show how we can use the compositionality of our behavioural semantics (Theorem 3.1) to deal with bigger CPSs. Suppose that denotes the modelisation of an airplane engine. In this case, we could define in CCPS a very simple airplane control system that checks whether the left engine () and the right engine () are signalling warnings. The whole CPS is defined as follows:

 Airplane=((EngL⊎EngR)∥Check)∖{warning}

where , and, similarly, , and process is defined as:

for . Intuitively, if one of the two engines is in a warning state then the process , for , checks whether also the second engine moves into a warning state, in the following time intervals (i.e. during the cooling cycle). If both engines gets in a warning state then an is sent, otherwise, if only one engine is facing a warning then the airplane control system yields a failure signalling which engine is not working properly.

So, since we know that , the final question becomes the following: can we safely equip our airplane with the more performant engines, and , in which if , without affecting the whole observable behaviour of the airplane? The answer is “yes”, and this result can be formally proved by applying Proposition 3 and Theorem 3.1.

Let . Then, .

## 5 Related and Future Work

A number of approaches have been proposed for modelling CPSs using formal methods. For instance, hybrid automata  combine finite state transition systems with discrete variables (whose values capture the state of the modelled discrete or cyber components) and continuous variables (whose values capture the state of the modelled continuous or physical components).

Hybrid process algebras  are a powerful tool for reasoning about physical systems and provide techniques for analysing and verifying protocols for hybrid automata. CCPS shares some similarities with the -calculus , a hybrid extension of the -calculus . In the -calculus, a hybrid system is represented as a pair , where is the environment and is the process interacting with the environment. Unlike CCPS, in -calculus, given a system the process can dynamically change both the evolution law and the invariant of the system. However, the -calculus does not have a representation of physical devices and measurement law. Concerning behavioural semantics, the -calculus is equipped with a weak bisimilarity between systems that is not compositional.

In the HYPE process algebra , the continuous part of the system is represented by appropriate variables whose changes are determined by active influences (i.e., commands on actuators). The authors defines a strong bisimulation that extends the ic-bisimulation of . Unlike ic-bisimulation, the bisimulation in HYPE is preserved by a notion of parallel composition that is slightly more permessive than ours. However, bisimilar systems in HYPE must always have the same influence. Thus, in HYPE we cannot compare CPSs sending different commands on actuators at the same time, as we do in Proposition 3.

Vigo et al.  proposed a calculus for wireless-based cyber-physical systems endowed with a theory to study cryptographic primitives, together with explicit notions of communication failure and unwanted communication. The calculus does not provide any notion of behavioural equivalence. It also lacks a clear distinction between physical and logical components.

Lanese et al.  proposed an untimed calculus of mobile IoT devices interacting with the physical environment by means of sensors and actuators. The calculus does not allow any representation of the physical environment, and the bisimilarity is not preserved by parallel composition (compositionality is recovered by significantly strengthening the discriminating power).

Lanotte and Merro  extended and generalised the work of  in a timed setting by providing a bisimulation-based semantic theory that is suitable for compositional reasoning. As in , the physical environment is not represented.

Bodei et al.  proposed an untimed process calculus supporting a control flow analysis to track how data spread from sensors to the logics of the network, and how physical data are manipulated. Sensors and actuators are modelled as value-passing CCS channels. The dynamics of the calculus is given in terms of a reduction relation and no behavioural equivalence is defined.

As regards future works, we believe that our paper can lay and streamline theoretical foundations for the development of formal and automated tools to verify CPSs before their practical implementation. To that end, we will consider applying, possibly after proper enhancements, existing tools and frameworks for automated verification, such as Maude , Ariadne , and SMC UPPAAL , resorting to the development of an dedicated tool if existing ones prove not up to the task. Finally, in , we developed an extended version of CCPS to provide a formal study of a variety of cyber-physical attacks targeting physical devices. Also in this case, the final goal is to develop formal and automated tools to analyse security properties of CPSs.

#### Acknowledgements

We thank Riccardo Muradore for providing us with simulations in MATLAB.

## References

•  Alur, R., Courcoubetis, C., Henzinger, T., Ho, P.: Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems. In: Hybrid Systems. LNCS, vol. 736, pp. 209–229. Springer (1992)
•  Benvenuti, L., Bresolin, D., Collins, P., Ferrari, A., Geretti, L., Villa, T.: Ariadne: Dominance checking of nonlinear hybrid automata using reachability analysis. In: RP 2012. LNCS, vol. 7550, pp. 79–91. Springer (2012)
•  Bergstra, J.A., Middleburg, C.A.: Process algebra for hybrid systems. TCS 335(2-3), 215–280 (2005)
•  Bodei, C., Degano, P., Ferrari, G.L., Galletta, L.: Where do your iot ingredients come from? In: Lluch-Lafuente, A., Proença, J. (eds.) COORDINATION 2016. LNCS, vol. 9686, pp. 35–50. Springer (2016)
•  Cerone, A., Hennessy, M., Merro, M.: Modelling mac-layer communications in wireless systems. Logical Methods in Computer Science 11(1:18) (2015)
•  Cuijpers, P., Reniers, M.: Hybrid process algebra. JLAP 62(2), 191–245 (2005)
•  David, D., Larsen, K.G., Legay, A., Mikucionis, M., Wang, Z.: Time for statistical model checking of real-time systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 349–355. Springer (2011)
•  Galpin, V., Bortolussi, L., Hillston, J.: HYPE: Hybrid modelling by composition of flows. Formal Asp. Comput. 25(4), 503–541 (2013)
•  Hennessy, M., Regan, T.: A process algebra for timed systems. I&C 117(2), 221–239 (1995)
•  Khaitan, S.K., McCalley, J.D.: Design Techniques and Applications of Cyberphysical Systems: A survey. IEEE Systems Journal 9(2), 350–365 (2015)
•  Lanese, I., Bedogni, L., Di Felice, M.: Internet of things: a process calculus approach. In: Shin, S., Maldonado, J. (eds.) ACM SAC 2013. pp. 1339–1346. ACM (2013)
•  Lanotte, R., Merro, M.: A semantic theory of the internet of things. In: Lluch-Lafuente, A., Proença, J. (eds.) COORDINATION 2016. LNCS, vol. 9686, pp. 157–174. Springer (2016)
•  Lanotte, R., Merro, M., Muradore, R., Viganò, L.: A Formal Approach to Cyber-Physical Attacks. CoRR abs/1611.01377 (2016)
•  Merro, M., Ballardin, F., Sibilio, E.: A timed calculus for wireless systems. TCS 412(47), 6585–6611 (2011)
•  Milner, R.: The polyadic -calculus: a tutorial. Tech. Rep. ECS–LFCS–91–180, LFCS (1991)
•  Ölveczky, P.C., Meseguer, J.: Semantics and pragmatics of real-time maude. Higher-Order and Symbolic Computation 20(1-2), 161–196 (2007)
•  Plotkin, G.: A structural approach to operational semantics. Tech. Rep. DAIMI FN-19, Aarhus University (1981)
•  Rounds, W.C., Song, H.: The -calculus: A language for distributed control of reconfigurable embedded systems. In: HSCC 2003. pp. 435–449. Springer (2003)
•  Vigo, R., Nielson, F., Riis Nielson, H.: Broadcast, denial-of-service, and secure communication. In: Johnsen, E.B., Petre, L. (eds.) IFM 213. LNCS, vol. 7940, pp. 412–427. Springer (2013)
•  Zacchia Lun, Y., D’Innocenzo, A., Malavolta, I., Di Benedetto, M.D.: Cyber-Physical Systems Security: a Systematic Mapping Study. CoRR abs/1605.09641 (2016)

## Appendix A Proofs

We recall that the cyber-components our CPSs are basically TPL-processes  extended with constructs to read sensors and write actuators. TPL already enjoys time determinism, patience and maximal progress. The well-timedness property is present in many process calculi with a discrete notion of time (e.g. ) similar to ours. Thus, it is straightforward to rewrite the proofs of those results for our slight variant of TPL.

###### Proposition 6 (Processes time properties [9, 14])
• If and , then .

• If then there is no such that .

• If for no then there is such that .

• For any there is a such that if , with , then .

The challenge in the proof of Theorem 2.1 is to lift the results of Proposition 6 to the CPSs of CCPS.

In its standard formulation, time determinism says that a system reaches at most one new state by executing a -action. However, by an application of Rule (Time), our CPSs may nondeterministically move into a new physical environment, according to the evolution law.

###### Proposition 7 (Time determinism for CPSs)

If and , then and .

###### Proof

Let . Since the only possible rule to derive is rule (Time), then we have that there is , , , such that

and

The result follows by Proposition 6.

According to , the maximal progress property says that processes communicate as soon as a possibility of communication arises. In our calculus, we generalise this property saying that -actions cannot be delayed, independently on how they are generated.

###### Proposition 8 (Maximal progress for CPSs)

If then there is no such that .

###### Proof

The proof is by contradiction. Let us suppose , for some . This is only possible by an application of rule (Time):

with . However, the premises requires which contradicts the fact that .

Patience in CCPS is more involved with respect to the same property in TPL. It basically says that if a CPS cannot evolve in time, then either (i) the physical plant does not contemplate an evolution, or (ii) the invariant is violated, or (iii) the CPS can perform an internal action.

###### Proposition 9 (Patience for CPS)

If for no then either or or there is such that .

###### Proof

The proof is by contradiction. Let us suppose that for no , and and and , for some . Since the only possible rule to derive is rule (Time), then for no , implies that the following derivation is not admissible for any and :

Since and and , for some , the only possibility is for no . Since for no , by Proposition 6 we have that . Since , by an application of rule (Tau) there is such that . This contradicts the initialy hypothesis that .

The following property is well-timedness. It basically says that time passing cannot be prevented by infinite sequences of internal actions.

###### Proposition 10 (Well-timedness for CPSs)

For any there is a such that if , with , then .

###### Proof

The proof is by contradiction. Suppose there is no satisfying the statement above. Hence there exists an unbounded derivation

with and .

By inspection of rules of Table 2 we have that, for any , and implies that , for some . Hence we have the following unbounded derivation

with . In contradiction with Proposition 6.

Proof of Theorem 2.1

###### Proof

The result follows by an application of Proposition 7, Proposition 8, Proposition 9 and Proposition 10.

In order to prove the compositionality or our bisimilarity, i.e. Theorem 3.1, we divide its statement in three different propositions.

In order to prove that preserves contextuality, we need a number of technical lemmas. Lemma 1 formalises a number of properties of the compound environment .

###### Lemma 1

Let and be two physical environments. If defined, the environment has the following properties:

1. is equal to , if is a sensor of , and it is equal to , if is a sensor of ;

2. implies that for any sensor in and for any environment ;

3. is equal to , if is an actuator of , and it is equal to , if is an actuator of ;

4. is equal to for any actuator in and for any environment ;

5. ;

6. .

###### Proof

By definition of the operator on physical environments.

Lemma 2 serves to propagate untimed actions on parallel CPSs.

###### Lemma 2

If , with , then , for any non-interfering CPS , with .

###### Proof

The proof is by rule induction on why . Let us suppose that and , for some , , and . We can distinguish several cases on why . We prove the case in which is derived by an application of rule (SensRead). The other cases can be proved in a similar manner. In this case, we have and there are , , and such that

with .

Since , by an applicaiton of rule (Par) we can derive . Since and, by hypothesis, , by an application of Lemma 1(6) we derive that . Since , by an application of Lemma 1(2) we derive that . This is enough to derive that:

Hence the result follows by assuming and .

Next lemma says the invariants of bisimilar CPSs must agree.

implies .

###### Proof

The proof is by contradiction. Suppose that , and (the other case is similar). By Proposition 10, there exists a finite derivation , with . Since , the CPSs cannot perform any action, and in particular, . From we derive that , for . Since , by Proposition 8 it follows that , for some . Since , we have and hene also .

Summarising: , and which contradict the definition of bisimilarity.

Here comes one of the main technical result: the bisimilarity is preserved by the parallel composition of non-interfering CPSs.

###### Proposition 11

implies , for any non-interfering CPS .

###### Proof

We show that the relation is a bisimulation where:

 R1={(M⊎O,N⊎O):M≈N}R2={(M,N):inv(M)=inv(N)=false}.

The relation is trivially a bisimulation because it contains pairs of deadlocked CPSs. Thus, we focus on when .

We proceed by case analysis on why (the case when is symmetric).

• Let , with and , for some , , and , by an application of rule (SensRead). This implies that

with . We recall that by definition of the environments and have different physical devices. Thus, there are two cases:

• is a sensor of .

In this case, , for some , and hence . Since and , by an application of Lemma 1(1) and Lemma 1(6), we derive and . Now, let ; it follows that . Since , , and , by an application of rule (SensRead) we have . As , there is such that with . Since , by several applications of Lemma 2 it follows that , with .

• is a sensor of .

In this case, , for some , and hence . Let ; it follows that . Let , for some and . By an application of rule (Par) we have that . Since and , by an application of Lemma 1(1) and Lemma 1(6), we derive and . As , by Lemma 3 it follows that , and hence . Since