# A denotational semantics of Simulink with higher-order UTP

Xiong Xu<sup>a,c</sup>, Bohua Zhan<sup>a,b</sup>, Shuling Wang<sup>a</sup>, Jean-Pierre Talpin<sup>c</sup>, Naijun Zhan<sup>a,b,\*</sup>

<sup>a</sup>Institute of Software, Chinese Academy of Sciences, Beijing, China
<sup>b</sup>University of Chinese Academy of Sciences, Beijing, China
<sup>c</sup>Inria, Rennes, France

<sup>\*</sup>Corresponding author. Email address: znj@ios.ac.cn (Naijun Zhan)

To cite this version: Xiong Xu, Bohua Zhan, Shuling Wang, Jean-Pierre Talpin, Naijun Zhan. A denotational semantics of Simulink with higher-order UTP. Journal of Logical and Algebraic Methods in Programming, 2023, 130, pp.100809. 10.1016/j.jlamp.2022.100809. HAL Id: hal-03888092, https://inria.hal.science/hal-03888092, submitted on 7 Dec 2022.

## Abstract

Matlab/Simulink is a de-facto industrial standard for modelling embedded systems. Reflecting the complexity of cyber-physical system (CPS) design, the semantics of Simulink is complex, mixing discrete and continuous time and events. In this paper, we define a compositional semantics of hierarchical Simulink diagrams using Higher-order Unifying Theories of Programming (HUTP) for CPS design. The HUTP theory satisfies suitable algebraic properties to serve as a mathematical foundation for expressing the semantics of CPSs, in particular of Simulink diagrams. We characterise a class of well-formed Simulink diagrams and prove the determinacy of their HUTP semantics. Moreover, we construct a framework for proving the consistency between Simulink diagrams and their translation to HCSP (Hybrid Communicating Sequential Processes). Finally, we provide a case study to illustrate and justify this translation.

Keywords: model-based design, cyber-physical systems, unifying theory of programming, denotational semantics, Mathworks Simulink

## 1. Introduction

Cyber-Physical Systems (CPSs) are networked computing units controlling physical plants as diverse as grids, factories, supply chains, and ground, sea, air and space transportation systems. CPSs are complex to design, verify and maintain, while often entrusted with safety-critical roles. The efficient and verified development of safe and reliable CPSs is hence a priority mandated by many standards, yet a notoriously difficult and challenging field of engineering and research.

Matlab/Simulink is a de-facto industrial standard for modelling cyber-physical systems. Reflecting the complexity of CPS design, Simulink is known to have a complex semantics, which needs to describe interactions between discrete and continuous time behaviours, trigger events, hierarchical structure, and so on. Model-based design (MBD) (Gajski et al., 2009) has long been a predominant approach to breaking down the difficulties and challenges of CPS design into abstracted and comprehensible elements. Hoare and He's Unifying Theories of Programming (UTP) (Hoare and He, 1998) is built upon the mathematical foundations of theorem proving and has both the core simplicity and the necessary extensibility to capture models of imperative and concurrent software, hardware, and physics found in CPS design under a common relational calculus suitable for design and verification.
Hybrid systems, which can be subsumed in the domain of CPSs, seamlessly integrate discrete behaviour with continuous dynamical systems, and have been extended to capture probabilistic, stochastic, time-delayed behaviours and even more complex features. In previous work (Xu et al., 2022a), we defined one such conservative extension to Hoare and He's UTP theory with higher-order quantification, i.e., the Higher-order UTP (HUTP), to provide a formal semantics for modelling and verifying hybrid systems, mixing discrete real-time processes and continuous dynamics. Within HUTP, we defined a calculus of normal hybrid designs to model and analyse hybrid systems. A normal hybrid design describes a contract between a component and its environment, and therefore supports the decomposition of engineering tasks to resolve system design complexity. Normal hybrid designs, as a first-class notion in the HUTP theory, enjoy some desired algebraic properties, and can therefore serve as a semantic foundation for CPS design.

In (Zou et al., 2013b, 2015), we introduced methods for translating Simulink and Stateflow diagrams to Hybrid Communicating Sequential Processes (HCSP), in order to verify them using the Hybrid Hoare Logic prover implemented in Isabelle/HOL (Zou et al., 2013a; Wang et al., 2015). The correctness of the translation can be proved using HUTP. Concretely, we define the respective HUTP semantics for Simulink and HCSP, and then compare the HUTP representations of Simulink diagrams and their HCSP models to check semantic consistency. In (Xu et al., 2022a), we defined a formal semantics for Simulink based on normal hybrid designs. However, the normal-hybrid-design semantics is complex, which poses difficulties for subsequent analysis and verification.
The complexity comes from (1) the involvement of a large number of communications (including the communications between atomic discrete blocks), and (2) the use of normal hybrid designs, which, although intuitive for system design, makes the definitions long and cumbersome. Moreover, a compositional semantics for hierarchical Simulink subsystems was not considered. Therefore, we introduce in this paper a new compositional formalisation of the denotational semantics of hierarchical Simulink diagrams based on HUTP, featuring both discrete and continuous behaviours, as well as composition using normal, enabled and triggered subsystems. The expressivity of the present denotational semantics is well-suited for verifying the correctness of translations from Simulink to other formalisms, such as HCSP (Zou et al., 2013b), differential dynamic logic (Liebrenz et al., 2018) and hybrid automata (Agrawal et al., 2004). We exercise this capability by constructing a framework for proving the semantic consistency between Simulink diagrams and their corresponding HCSP models, and provide a case study to demonstrate and justify our translation of Simulink into HCSP.

In summary, the main contributions of this paper comprise:

- A notion of Simulink processes and their parallel composition based on conjunction of relations, which simplifies the HUTP theory for Simulink;
- A denotational semantics for hierarchical Simulink diagrams based on Simulink processes, reflecting the composability of subsystems and therefore following the principle of modular design;
- Notions of well-formedness of Simulink diagrams, and a proof of semantic determinacy for these diagrams;
- A framework for proving the correctness of the translation from Simulink to HCSP, illustrated with a simple case study.

*Paper Organisation.* The rest of the paper is organised as follows. Section 2 reviews some preliminary concepts of Simulink, UTP and Higher-order UTP.
Section 3 defines the notion of Simulink processes, which serve as the semantic foundation for Simulink. Starting from Simulink blocks, Section 4 defines the HUTP semantics of Simulink diagrams in terms of Simulink processes, and proves the determinacy of the semantics for well-formed diagrams. Section 5 defines the compositional HUTP semantics of hierarchical Simulink diagrams containing normal, triggered and enabled subsystems. In Section 6, we illustrate by a case study how to prove the semantic consistency between Simulink diagrams and the corresponding HCSP models. Section 7 addresses related work, and Section 8 concludes the paper and discusses future work.

## 2. Preliminaries

In this section, we present the preliminaries on Simulink, classical UTP, and our previous work on the higher-order UTP for hybrid systems.

### 2.1. Simulink

Simulink (MathWorks, 2013) is a widely-used design environment for building embedded control systems, with support for graphical modelling and efficient numerical simulation. Dynamic systems, possibly combining continuous and discrete behaviours, can be modelled by Simulink block diagrams. A rich set of fixed-step and variable-step solvers is provided for simulating dynamic systems. Fig. 1 shows how a simple plant-control system can be modelled in Simulink.

Fig. 1: A Simulink diagram of a plant-control model

Blocks are the basic units for building Simulink models. Each block is defined with input and output ports, an output method that defines how the output values are calculated, optional internal states and the corresponding update methods that define how the states are changed. It may also contain user-defined parameters that alter its functionality, such as the symbol parameter "+-" of the Add block, which turns it into a Subtract block, or the threshold parameter of the Switch block.
Sample time is one of the most important parameters of a block: it specifies the rate at which the block executes its output method and its update method (if it exists). Among the different types of sample time, three basic ones are frequently used: discrete, with sample time $st$ for some $st > 0$; continuous, with sample time 0; and inherited. In the inherited case, the sample time is not defined explicitly, but instead determined from the context of the corresponding block through a process called sample time propagation. For instance, if the sample times of all the input signals of an inherited block are known, then the sample time of the block is computed as the greatest common divisor of the sample times of these input signals. According to sample time, blocks can be categorised into two kinds: discrete and continuous blocks. Simulink provides discrete and continuous solvers to compute the states of the respective kinds of blocks at each time step.

Blocks are connected using lines that transfer signals from one block to another. The signals are time-varying and can be considered as functions mapping real time to values. For discrete blocks these functions are piecewise constant. Blocks in a diagram may have different sample times, e.g. in a multi-rate discrete system with discrete blocks that sample at different rates, or in a hybrid continuous and discrete system. For such diagrams, the simulator must meet the precision specified on the continuous states, and hit all the sample times of the discrete states. The simulator needs to sort (or schedule) the blocks to be executed in a certain order. This may not be possible if there are algebraic loops in the diagram, in which case the diagram may be considered invalid. Blocks which maintain state variables, such as the Integrator or Unit Delay blocks, can break such loops.

Blocks can be grouped into subsystems to establish a hierarchical structure on Simulink diagrams.
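As an added illustration of sample time propagation and block scheduling (this is not code from the paper, nor MathWorks' implementation), the following Python script propagates inherited sample times through a small constructed diagram using the gcd rule stated above, and sorts the blocks for execution, treating lines into stateful blocks as non-feedthrough so that a loop closed through an Integrator is legal while a loop of memoryless blocks is reported as algebraic. The rule that a block with a continuous input becomes continuous, the block names and the diagram itself are assumptions of this example.

```python
"""Sample-time propagation and execution scheduling for a small
Simulink-style block diagram.  Added illustration for Section 2.1; not the
paper's code and not MathWorks' implementation.  The diagram is constructed."""
from fractions import Fraction
from math import gcd

CONTINUOUS = Fraction(0)  # Simulink convention: continuous sample time is 0
INHERITED = None          # to be resolved by sample time propagation


class Block:
    def __init__(self, name, sample_time, has_state=False):
        self.name = name
        self.sample_time = sample_time  # Fraction (> 0), CONTINUOUS or INHERITED
        # Integrator / Unit Delay keep a state: their output at a step comes
        # from the stored state, not directly from the current input, so
        # lines into them are not direct feedthrough.
        self.has_state = has_state


def frac_gcd(a, b):
    """gcd of two positive rationals: gcd(p/q, r/s) = gcd(p*s, r*q) / (q*s)."""
    return Fraction(gcd(a.numerator * b.denominator, b.numerator * a.denominator),
                    a.denominator * b.denominator)


def propagate_sample_times(blocks, lines):
    """Resolve INHERITED sample times from the blocks driving each input.
    Paper's rule: with all input rates known, use the gcd of the input rates.
    Assumption of this example (not in the paper): a continuous input makes
    the block continuous.  Iterates to a fixed point so chains resolve."""
    preds = {b.name: [] for b in blocks}
    for src, dst in lines:
        preds[dst].append(src)
    rate = {b.name: b.sample_time for b in blocks}
    changed = True
    while changed:
        changed = False
        for b in blocks:
            if rate[b.name] is not INHERITED:
                continue
            inputs = [rate[p] for p in preds[b.name]]
            if not inputs or any(r is INHERITED for r in inputs):
                continue  # not yet determinable; retry on the next pass
            if any(r == CONTINUOUS for r in inputs):
                rate[b.name] = CONTINUOUS
            else:
                acc = inputs[0]
                for r in inputs[1:]:
                    acc = frac_gcd(acc, r)
                rate[b.name] = acc
            changed = True
    return rate


def schedule(blocks, lines):
    """Order output-method execution along direct-feedthrough lines.
    Lines into stateful blocks are dropped from the dependency graph, so a
    loop through an Integrator is sortable.  A cycle in the remaining graph
    is an algebraic loop: returns (partial order, True); else (order, False)."""
    by_name = {b.name: b for b in blocks}
    deps = {b.name: set() for b in blocks}
    for src, dst in lines:
        if not by_name[dst].has_state:
            deps[dst].add(src)
    order, done = [], set()
    while len(order) < len(blocks):
        ready = sorted(n for n in deps if n not in done and deps[n] <= done)
        if not ready:
            return order, True
        order.extend(ready)
        done.update(ready)
    return order, False


# Constructed diagram: a feedback loop closed through an Integrator, plus a
# Sum with inherited sample time fed by two discrete sources (1/5 s, 3/10 s).
BLOCKS = [
    Block("Const", CONTINUOUS),
    Block("Add", INHERITED),
    Block("Gain", INHERITED),
    Block("Integrator", CONTINUOUS, has_state=True),
    Block("Src5", Fraction(1, 5)),
    Block("Src10", Fraction(3, 10)),
    Block("Sum", INHERITED),
]
LINES = [("Const", "Add"), ("Add", "Gain"), ("Gain", "Integrator"),
         ("Integrator", "Add"), ("Src5", "Sum"), ("Src10", "Sum")]


def analyse(blocks=BLOCKS, lines=LINES):
    """Sample times after propagation, execution order and algebraic-loop flag."""
    rate = propagate_sample_times(blocks, lines)
    order, loop = schedule(blocks, lines)
    return rate, order, loop


def algebraic_loop_detected():
    """Same loop with a memoryless Gain instead of the Integrator: every block
    on the cycle needs another's current output first, so no order exists."""
    blocks = [Block("Const", CONTINUOUS), Block("Add", INHERITED), Block("Gain", INHERITED)]
    lines = [("Const", "Add"), ("Add", "Gain"), ("Gain", "Add")]
    return schedule(blocks, lines)[1]


if __name__ == "__main__":
    rate, order, loop = analyse()
    for name in order:
        print(f"{name:>10}: sample time {rate[name]}")
    print("algebraic loop:", loop, "/ memoryless loop:", algebraic_loop_detected())
```

In the constructed diagram the Sum block inherits gcd(1/5, 3/10) = 1/10, Add and Gain become continuous because they sit in a loop with continuous blocks, and the Integrator is scheduled before Add since its output depends only on its state.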
We consider three types of subsystems: normal subsystems, triggered subsystems and enabled subsystems. A normal subsystem executes as a single unit within the model. It can specify its system sample time, and its execution is equivalent to executing the blocks inside the subsystem. Both triggered and enabled subsystems are conditionally executed subsystems. A triggered subsystem is defined with inherited sample time and runs when the trigger signal crosses zero rising, falling, or either way (rising or falling). An enabled subsystem runs when its control signal is positive. A hierarchical Simulink model is thus composed of blocks, subsystems, and lines between them.

After a Simulink model is built, it is ready for simulation. Each step of the simulation corresponds to one sample time of the overall diagram. At each step, the simulator first computes the internal state and output of each block by invoking the corresponding output and update methods in the correct order; second, it chooses appropriate ODE solvers to compute the evolution of continuous blocks through time. If there are triggered subsystems or integrator blocks with resets, zero crossings may need to be computed. The process ends when the given simulation time is reached.

### 2.2. Unifying Theories of Programming

Hoare and He's Unifying Theories of Programming (UTP) (Hoare and He, 1998) is an alphabetised refinement calculus unifying heterogeneous programming paradigms. An alphabetised relation consists of an alphabet $\alpha(P)$, containing its variables $x$ and their primed versions $x'$, and a relational predicate $P$ referring to this vocabulary. The terms $x$ and $x'$ are called observable variables: $x$ is observable at the start of execution and $x'$ is observable at the end of execution. The behaviour of a program is encoded as a relation between the observable variables $x$ and $x'$.
In particular, assignment, sequential composition, conditional statement, non-deterministic choice, and recursion of imperative programs can be specified as the alphabetised relations below, where $\boldsymbol{x}$ and $\boldsymbol{x}'$ are sequences or vectors of variables, and $\boldsymbol{x} \setminus \{x\}$ ($\boldsymbol{x}' \setminus \{x'\}$) denotes excluding $x$ ($x'$) from $\boldsymbol{x}$ ($\boldsymbol{x}'$). To start with, the relational calculus comprises all operators of first-order logic.

$$
\begin{aligned}
x := e &\ \widehat{=}\ x' = e \land \boldsymbol{x}' \setminus \{x'\} = \boldsymbol{x} \setminus \{x\} \\
P \mathbin{;} Q &\ \widehat{=}\ \exists \boldsymbol{x}_* \cdot P[\boldsymbol{x}_*/\boldsymbol{x}'] \land Q[\boldsymbol{x}_*/\boldsymbol{x}] \\
P \lhd b \rhd Q &\ \widehat{=}\ (b \land P) \lor (\neg b \land Q) \\
P \sqcap Q &\ \widehat{=}\ P \lor Q \\
P \sqcup Q &\ \widehat{=}\ P \land Q
\end{aligned}
$$

Conventionally, $\sqcap$ is the algebraic sibling of $\land$ and $\sqcup$ that of $\lor$. In the tradition of UTP (Hoare and He, 1998; Xu et al., 2022a), however, they denote $\lor$ and $\land$, respectively. We follow UTP's convention in this paper. Let $P$ and $Q$ be two predicates with the same alphabet, say $\{x, x'\}$. Then $Q$ is a refinement of $P$, denoted $P \sqsubseteq Q$, if $\forall x, x' \cdot Q \Rightarrow P$. In addition, $P \sqsubseteq Q$ iff $P \sqcap Q = P$ iff $P \sqcup Q = Q$. With respect to the refinement order $\sqsubseteq$, the least ($\mu$) and greatest ($\nu$) fixed points of a function $F$ between programs can be defined as follows:

$$\mu F \ \widehat{=}\ \mathop{\sqcap}\{X \mid F(X) \sqsubseteq X\}$$

$$\nu F \ \widehat{=}\ \mathop{\sqcup}\{X \mid X \sqsubseteq F(X)\}$$

The notion of healthiness conditions plays an important role in the UTP theory. If a predicate satisfies $P = \mathcal{H}(P)$, then it is said to be $\mathcal{H}$-healthy.
In other words, a healthiness condition $\mathcal{H}$ defines an invariant predicate set $\{X \mid \mathcal{H}(X) = X\}$, and is required to be idempotent ($\mathcal{H} \circ \mathcal{H} = \mathcal{H}$), which means that taking the medicine twice leaves you as healthy as taking it once (no overdoses). So, in UTP, the healthy predicates of a theory are the fixed points of idempotent functions. When $\mathcal{H}$ is monotonic on a complete lattice $(\mathbb{C}, \sqsubseteq)$, then according to the Knaster-Tarski theorem (Tarski, 1955), the UTP theory satisfying $\mathcal{H}$ forms a complete lattice $\{X \in \mathbb{C} \mid \mathcal{H}(X) = X\}$. Additionally, recursion can then be well defined. Distinct healthiness conditions can be composed to capture the characteristics of different programming paradigms. Concretely, a programming paradigm can be defined by a collection of healthiness conditions $\mathcal{H}_1, \mathcal{H}_2, \dots, \mathcal{H}_n$. Their composition $\mathcal{H}_1 \circ \mathcal{H}_2 \circ \cdots \circ \mathcal{H}_n$ forms the semantic model of the domain-specific paradigm under consideration. For example, in Section 3.1, we introduce healthiness conditions characterising Simulink processes.

### 2.3. The higher-order UTP for hybrid systems

Higher-order UTP (HUTP) (Xu et al., 2022a) is a conservative extension of Hoare and He's UTP theory which supports the specification of discrete, real-time and continuous dynamics, concurrency and communication, and higher-order quantification. In (Xu et al., 2022a), we defined a formal semantics for Simulink based on the notion of normal hybrid designs. However, this semantics is complex and difficult to analyse, for the reasons given in Section 1. In this paper, we instead consider an abstracted HUTP semantics for Simulink, based on the notion of abstract hybrid processes proposed as future work in (Xu et al., 2022a).
While having a weaker algebraic structure than normal hybrid designs (e.g., chaos is not a left zero of sequential composition), abstract hybrid processes are simpler, are expressive enough to define a semantics of Simulink, and are more convenient for verification.

#### 2.3.1. Abstract hybrid processes

As mentioned in (Xu et al., 2022a), HUTP separates the concerns in hybrid system design into time, state and trace. We introduce the notion of time by two observational variables $ti, ti' : \mathbb{R}_{\geq 0} \cup \{+\infty\}$ specifying the start and end time of the observed behaviour. The notion of state is represented by real-time variables and their derivatives, which are functions over time, and by differential relations over them, which are expressive enough to describe all kinds of continuous dynamics. Therefore, there are three versions of each state variable $v$:

- $v \in \mathbb{D}$ stands for its initial value in the domain $\mathbb{D}$, where $\mathbb{D}$ could be a Banach space;
- the primed version $v' \in \mathbb{D}$ stands for the final value, i.e., the output state variable; and
- the real-time version $\underline{v} : [ti, ti') \to \mathbb{D}$ stands for its dynamic trajectory from the start time $ti$ to the end time $ti'$, and $\underline{\dot{v}} : (ti, ti') \to \mathbb{D}$ is a partial function denoting the derivative of $\underline{v}$.

Timed traces $tr$ and $tr'$ record the execution history and capture communication behaviours, where $tr$ represents the timed trace before the process is started and $tr'$ stands for the timed trace up to the moment of observation. However, in this paper, no communication is involved and parallel composition is based on shared variables, so timed traces are abstracted away, which is the main feature of abstract hybrid processes. We use the boldface symbols $\boldsymbol{v}$, $\boldsymbol{v}'$, $\underline{\boldsymbol{v}}$ and $\underline{\dot{\boldsymbol{v}}}$ to denote the respective vectors of input, output and real-time state variables and their derivatives.
By default, the alphabet our theory depends on is $\{ti, ti', \boldsymbol{v}, \underline{\boldsymbol{v}}, \underline{\dot{\boldsymbol{v}}}, \boldsymbol{v}'\}$. Therefore, a first-order predicate $P(\boldsymbol{x}, \boldsymbol{x}')$ as used in classical UTP (Hoare and He, 1998) is extended to a higher-order differential relation $P(ti, ti', \boldsymbol{v}, \underline{\boldsymbol{v}}, \underline{\dot{\boldsymbol{v}}}, \boldsymbol{v}')$. However, not all higher-order differential relations are desirable; for example, $ti > ti'$ indicates time going backwards. Thus, we use healthiness conditions to exclude such ill behaviours. As introduced in (Xu et al., 2022a), the features of abstract hybrid processes can be captured by the following four healthiness conditions ($\mathcal{H}_1$ is defined for traces and hence not applicable to abstract hybrid processes):

- Time must be irreversible:

$$\mathcal{H}^{\mathrm{A}}_0(X) = X \wedge ti \leq ti'$$

- If the preceding process does not terminate, i.e., $ti = +\infty$, the current process should do nothing but keep the time observation unchanged, i.e.,

$$\mathcal{H}^{\mathrm{A}}_2(X) = (ti = ti') \lhd ti = +\infty \rhd X$$

  where $P \lhd b \rhd Q \ \widehat{=}\ (b \land P) \lor (\neg b \land Q)$.

- If the current process does not terminate, i.e., $ti' = +\infty$, the values of the output state variables are unobservable, i.e.,

$$\mathcal{H}^{\mathrm{A}}_3(X) = (\exists \boldsymbol{v}' \cdot X) \lhd ti' = +\infty \rhd X$$

- If the process evolves for a period of time, i.e., $ti < ti'$, the real-time value $\underline{\boldsymbol{v}}$ should be right-continuous (RC) and semi-differentiable (SD). Let $v_k$, $\underline{v}_k$ and $v'_k$ denote the $k$-th variable in $\boldsymbol{v}$, $\underline{\boldsymbol{v}}$ and $\boldsymbol{v}'$, respectively.
Then, we define

$$RC \ \widehat{=}\ \forall k \cdot \forall t \in [ti, ti') \cdot \exists d \cdot \underline{v}_k(t) = \lim_{\delta \to 0^+} \underline{v}_k(t+\delta) = d$$

$$
\begin{aligned}
SD \ \widehat{=}\ \forall k \cdot \forall t \in (ti, ti') \cdot {}& \exists d_0 \cdot \lim_{\delta \to 0^+} (\underline{v}_k(t+\delta) - \underline{v}_k(t))/\delta = d_0 \\
{}& \wedge\ \exists d_1 \cdot \lim_{\delta \to 0^-} (\underline{v}_k(t+\delta) - \underline{v}_k(t))/\delta = d_1
\end{aligned}
$$

The healthiness condition

$$\mathcal{H}_4(X) = X \wedge RC \wedge SD$$

rules out some ill behaviours, such as the Dirichlet function (returning 1 if $t$ is a rational number and 0 otherwise) and the Weierstrass function (continuous everywhere but differentiable nowhere).

**Remark 1.** Note that $\mathcal{H}^{\mathrm{A}}_3$ does not mean that the values of $\boldsymbol{v}$ exist at infinity. The existential quantifier just indicates that the output $\boldsymbol{v}'$ can take arbitrary values, i.e., chaos. In addition, the output of a process exhibiting Zeno behaviour should also be unobservable (chaos). However, this cannot be captured by abstract hybrid processes, as the trace information is abstracted away.

An abstract hybrid process is a fixed point of $X = \mathcal{H}^{\mathrm{A}}_{\mathrm{HP}}(X)$, where

$$\mathcal{H}^{\mathrm{A}}_{\mathrm{HP}} \ \widehat{=}\ \mathcal{H}^{\mathrm{A}}_0 \circ \mathcal{H}^{\mathrm{A}}_2 \circ \mathcal{H}^{\mathrm{A}}_3 \circ \mathcal{H}_4$$

It is proved in (Xu et al., 2022a) that $\mathcal{H}^{\mathrm{A}}_{\mathrm{HP}}$ is idempotent and monotonic, which indicates that abstract hybrid processes form a complete lattice under the refinement order $\sqsubseteq$.

## 3. Simulink processes in HUTP

Based on abstract hybrid processes, we propose a new notion of Simulink processes which can serve as the semantic foundation for Simulink. We further define the parallel composition of Simulink processes as the conjunction of relations. Finally, we define some syntactic sugar to simplify the ensuing presentation.

### 3.1. Simulink processes

The semantics of Simulink can be represented by a subset of abstract hybrid processes subject to additional healthiness conditions. First, we assume that the execution of Simulink diagrams consumes time ($ti < ti'$). This corresponds to the requirement that a simulation lasts for a non-zero amount of time. Moreover, we require that simulations always terminate ($ti' < +\infty$). These two properties are captured by the following healthiness condition:

$$\mathcal{H}_{\mathrm{SIM}}(X) = X \wedge ti < ti' < +\infty$$

It can be proved that $\mathcal{H}_{\mathrm{SIM}}$ is idempotent and monotonic, which indicates that

$$\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}} \ \widehat{=}\ \mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}^{\mathrm{A}}_{\mathrm{HP}}$$

also forms a complete lattice under the refinement order. We call the $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$-healthy relations *Simulink processes*, and we prove the following property, which reveals that $\mathcal{H}^{\mathrm{A}}_0$, $\mathcal{H}^{\mathrm{A}}_2$ and $\mathcal{H}^{\mathrm{A}}_3$ are redundant and therefore simplifies the representation of Simulink processes.

**Property 2.** $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}} \equiv \mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}_4$

*Proof.* It can be checked that

$$\mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}^{\mathrm{A}}_0(X) = \mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}^{\mathrm{A}}_2(X) = \mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}^{\mathrm{A}}_3(X) = \mathcal{H}_{\mathrm{SIM}}(X).$$

We next describe the meet ($\sqcap$, $\vee$), join ($\sqcup$, $\wedge$) and sequential composition ($;$) operations on Simulink processes. They are specialisations of the corresponding operations on general hybrid processes defined in (Xu et al., 2022a).
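The three equalities used in the proof of Property 2, worked out from the definitions of the healthiness conditions as an added illustration (this derivation is not part of the paper's text):

$$
\begin{aligned}
\mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}^{\mathrm{A}}_0(X) &= X \wedge ti \leq ti' \wedge ti < ti' < +\infty \ = \ X \wedge ti < ti' < +\infty \ = \ \mathcal{H}_{\mathrm{SIM}}(X) \\
\mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}^{\mathrm{A}}_2(X) &= \big((ti = +\infty \wedge ti = ti') \vee (ti \neq +\infty \wedge X)\big) \wedge ti < ti' < +\infty \ = \ X \wedge ti < ti' < +\infty \\
\mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}^{\mathrm{A}}_3(X) &= \big((ti' = +\infty \wedge \exists \boldsymbol{v}' \cdot X) \vee (ti' \neq +\infty \wedge X)\big) \wedge ti < ti' < +\infty \ = \ X \wedge ti < ti' < +\infty
\end{aligned}
$$

In the second line the first disjunct contradicts $ti < +\infty$ and the guard $ti \neq +\infty$ of the second is implied by it; in the third line the same holds for $ti' = +\infty$ against $ti' < +\infty$, so only the branch $X$ survives. Since $\mathcal{H}_{\mathrm{SIM}}$ is applied outermost, the three equalities eliminate $\mathcal{H}^{\mathrm{A}}_0$, $\mathcal{H}^{\mathrm{A}}_2$ and $\mathcal{H}^{\mathrm{A}}_3$ one after another from $\mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}^{\mathrm{A}}_0 \circ \mathcal{H}^{\mathrm{A}}_2 \circ \mathcal{H}^{\mathrm{A}}_3 \circ \mathcal{H}_4$, leaving $\mathcal{H}_{\mathrm{SIM}} \circ \mathcal{H}_4$.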
The sequential composition of two Simulink processes $\mathsf{P}$ and $\mathsf{Q}$ is defined as follows:

$$\mathsf{P} \mathbin{;} \mathsf{Q} \ \widehat{=}\ \exists ti_0, \boldsymbol{v}_0 \cdot \mathsf{P}[ti_0, \boldsymbol{v}_0/ti', \boldsymbol{v}'] \wedge \mathsf{Q}[ti_0, \boldsymbol{v}_0/ti, \boldsymbol{v}]$$

provided that $\alpha_{out}(\mathsf{P}) = \alpha'_{in}(\mathsf{Q})$, where $\alpha_{out}(\mathsf{P})$ and $\alpha_{in}(\mathsf{Q})$ denote the sets of output and input variables in the respective alphabets of $\mathsf{P}$ and $\mathsf{Q}$, and $\alpha'_{in}(\mathsf{Q})$ is the primed version obtained by priming all the variables in $\alpha_{in}(\mathsf{Q})$. If $\alpha_{out}(\mathsf{P}) \neq \alpha'_{in}(\mathsf{Q})$, then we can extend the alphabets by

$$\alpha^+_{out}(\mathsf{P}) = \alpha^+_{in}(\mathsf{Q}) \ \widehat{=}\ \alpha_{out}(\mathsf{P}) \cup \alpha'_{in}(\mathsf{Q})$$

to ensure the well-definedness of $;$. The meet and join operations simply correspond to the union and intersection of relations. We then prove that $;$, $\vee$ and $\wedge$ are $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$-preserving; the proofs for the other operations on Simulink processes are similar.

**Property 3.** If $\mathsf{P}$ and $\mathsf{Q}$ are $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$-healthy, so are $\mathsf{P} \mathbin{;} \mathsf{Q}$, $\mathsf{P} \vee \mathsf{Q}$ and $\mathsf{P} \wedge \mathsf{Q}$.
*Proof.* By the definition of $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$,

$$
\begin{aligned}
\mathsf{P} \mathbin{;} \mathsf{Q} \ = \ & \big(0 < ti < ti' < +\infty \wedge \mathsf{P} \wedge RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti')\big) \mathbin{;} \\
& \big(0 < ti < ti' < +\infty \wedge \mathsf{Q} \wedge RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti')\big) \\
= \ & \exists ti_0, \boldsymbol{v}_0 \cdot 0 < ti < ti_0 < +\infty \wedge 0 < ti_0 < ti' < +\infty \\
& \wedge\ \mathsf{P}[ti_0, \boldsymbol{v}_0/ti', \boldsymbol{v}'] \wedge \mathsf{Q}[ti_0, \boldsymbol{v}_0/ti, \boldsymbol{v}] \\
& \wedge\ RC(\underline{\boldsymbol{v}}, ti, ti_0) \wedge RC(\underline{\boldsymbol{v}}, ti_0, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti_0) \wedge SD(\underline{\boldsymbol{v}}, ti_0, ti') \\
= \ & \exists ti_0, \boldsymbol{v}_0 \cdot 0 < ti < ti_0 < ti' < +\infty \\
& \wedge\ \mathsf{P}[ti_0, \boldsymbol{v}_0/ti', \boldsymbol{v}'] \wedge \mathsf{Q}[ti_0, \boldsymbol{v}_0/ti, \boldsymbol{v}] \\
& \wedge\ RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti')
\end{aligned}
$$

where $RC$ and $SD$ denote that $\underline{\boldsymbol{v}}$ is right-continuous and semi-differentiable, as specified in healthiness condition $\mathcal{H}_4$.
We can also prove

$$
\begin{aligned}
\mathsf{P} \vee \mathsf{Q} \ = \ & \big(0 < ti < ti' < +\infty \wedge \mathsf{P} \wedge RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti')\big) \vee \\
& \big(0 < ti < ti' < +\infty \wedge \mathsf{Q} \wedge RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti')\big) \\
= \ & 0 < ti < ti' < +\infty \wedge (\mathsf{P} \vee \mathsf{Q}) \wedge RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti') \\[1ex]
\mathsf{P} \wedge \mathsf{Q} \ = \ & \big(0 < ti < ti' < +\infty \wedge \mathsf{P} \wedge RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti')\big) \wedge \\
& \big(0 < ti < ti' < +\infty \wedge \mathsf{Q} \wedge RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti')\big) \\
= \ & 0 < ti < ti' < +\infty \wedge (\mathsf{P} \wedge \mathsf{Q}) \wedge RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti')
\end{aligned}
$$

According to the above results, $\mathsf{P} \mathbin{;} \mathsf{Q}$, $\mathsf{P} \vee \mathsf{Q}$ and $\mathsf{P} \wedge \mathsf{Q}$ are $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$-healthy.

### 3.2. Parallel composition

Of all the operations, parallel composition is the most important. In (Xu et al., 2022a), we assumed that the state variables of different processes are disjoint. Based on this assumption, a parallel-by-merge scheme was given. In this paper, we relax this assumption: state variables can be shared among processes. Intuitively, the combination is well-behaved because, although variables are shared, the value of each variable is controlled by at most one process and only read by the others. Hence, under some additional assumptions, we can prove that there exists a unique assignment to all variables given the values of the input variables of the overall process. Therefore, the parallel-by-merge scheme (Fig. 1 of (Xu et al., 2022a)) can be revisited to represent parallel composition with shared state variables in this paper. Parallel-by-merge, which originated in (Hoare and He, 1998), is a typical scheme for defining parallel composition in UTP (Xu et al., 2022a; Foster et al., 2020).
Intuitively, the parallel processes first execute independently and their respective outputs are fed into the merge predicate $M$. Then, $M$ produces the merged result as the output of the parallel composition. Each merge predicate reflects a parallel scheme, so the parallel composition is parametric in $M$, which is indicated by the notation $\parallel_M$. Concretely, let $\mathsf{P}$ and $\mathsf{Q}$ be the parallel processes with respective state variables $\boldsymbol{v}_0$ and $\boldsymbol{v}_1$ (which are not necessarily disjoint); then

$$\mathsf{P} \parallel_M \mathsf{Q} \ \widehat{=}\ \mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}\big((\mathsf{P}_X \wedge \mathsf{Q}_Y) \mathbin{;} M\big)$$

where $\mathsf{P}_X$ ($\mathsf{Q}_Y$) is the $X$-version ($Y$-version) of $\mathsf{P}$ ($\mathsf{Q}$), obtained by adding the subscript $X$ ($Y$) to the time variable $ti'$ of $\mathsf{P}$ ($\mathsf{Q}$), i.e.,

$$
\begin{aligned}
\mathsf{P}_X &\ \widehat{=}\ \mathsf{P} \mathbin{;} (ti = ti'_X \wedge \boldsymbol{v}_0 = \boldsymbol{v}'_0) \ = \ \mathsf{P}[ti'_X/ti'] \\
\mathsf{Q}_Y &\ \widehat{=}\ \mathsf{Q} \mathbin{;} (ti = ti'_Y \wedge \boldsymbol{v}_1 = \boldsymbol{v}'_1) \ = \ \mathsf{Q}[ti'_Y/ti']
\end{aligned}
$$

**Remark 4.** Note that the $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$-healthiness of the parallel composition $\mathsf{P} \parallel_M \mathsf{Q}$ is enforced. Otherwise, $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$-healthiness could be violated, because the merge predicate $M$ can be arbitrary. We could investigate well-defined merge predicates that guarantee $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$-healthiness by definition (as the merge predicate $\mathsf{SIM}$ below does), but that is not the concern of this paper.

For Simulink, we define a new merge predicate:

$$\mathsf{SIM} \ \widehat{=}\ ti_X = ti_Y = ti' \wedge \boldsymbol{v}'_0 = \boldsymbol{v}_0 \wedge \boldsymbol{v}'_1 = \boldsymbol{v}_1$$

It states that the parallel processes are synchronous on time ($ti_X = ti_Y$), i.e., their termination times should be identical ($+\infty$ for non-termination), and that the output values of the shared state variables $\boldsymbol{v}_0 \cap \boldsymbol{v}_1$ should be consistent.
We denote the parallel operator defined by $\mathsf{SIM}$ as $\parallel_{\mathsf{SIM}}$. For brevity, in the remainder we write $\parallel$ for $\parallel_{\mathsf{SIM}}$ unless otherwise stated. The following property states that $\parallel$ is equivalent to conjunction.

**Property 5.** $\mathsf{P} \parallel \mathsf{Q} \equiv \mathsf{P} \wedge \mathsf{Q}$ if $\mathsf{P}$ and $\mathsf{Q}$ are Simulink processes.

*Proof.*

$$
\begin{aligned}
(\mathsf{P}_X \wedge \mathsf{Q}_Y) \mathbin{;} \mathsf{SIM} \ = \ & (\mathsf{P}[ti'_X/ti'] \wedge \mathsf{Q}[ti'_Y/ti']) \mathbin{;} (ti_X = ti_Y = ti' \wedge \boldsymbol{v}'_0 = \boldsymbol{v}_0 \wedge \boldsymbol{v}'_1 = \boldsymbol{v}_1) \\
= \ & \exists ti^\star_X, ti^\star_Y, \boldsymbol{v}^\star_0, \boldsymbol{v}^\star_1 \cdot \mathsf{P}[ti^\star_X, \boldsymbol{v}^\star_0/ti', \boldsymbol{v}'_0] \wedge \mathsf{Q}[ti^\star_Y, \boldsymbol{v}^\star_1/ti', \boldsymbol{v}'_1] \\
& \wedge\ (ti^\star_X = ti^\star_Y = ti' \wedge \boldsymbol{v}'_0 = \boldsymbol{v}^\star_0 \wedge \boldsymbol{v}'_1 = \boldsymbol{v}^\star_1) \\
= \ & \mathsf{P} \wedge \mathsf{Q}
\end{aligned}
$$

Since $\mathsf{P}$ and $\mathsf{Q}$ are $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$-healthy, $\mathsf{P} \wedge \mathsf{Q}$ is also $\mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}$-healthy (Property 3). Then we get

$$\mathsf{P} \parallel \mathsf{Q} \ = \ \mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}\big((\mathsf{P}_X \wedge \mathsf{Q}_Y) \mathbin{;} \mathsf{SIM}\big) \ = \ \mathcal{H}^{\mathrm{A}}_{\mathrm{SIM}}(\mathsf{P} \wedge \mathsf{Q}) \ = \ \mathsf{P} \wedge \mathsf{Q}$$

The property is proved.

Although parallel composition is equivalent to conjunction in essence, we distinguish the two concepts in this paper. Concretely, parallel composition between blocks in a Simulink diagram or within a subsystem is called *conjunction*, while parallel composition between subsystems is called *parallel composition*. Consider the Simulink diagram in Fig. 1, where each block can be translated to a Simulink process.
The semantics of the subsystem Plant can be defined by the conjunction $\mathsf{Integrator0} \wedge \mathsf{Integrator1}$, while the semantics of the whole diagram can be defined by the parallel composition $\mathsf{Plant} \| \mathsf{Control}$, which is logically equivalent to $\mathsf{Plant} \wedge \mathsf{Control}$.

# 3.3. Syntactic sugar

For brevity in the ensuing presentation, we introduce some syntactic sugar for the HUTP representation of Simulink semantics. Note that the following notations differ from the definitions in (Xu et al., 2022a). Let $\underline{P}$ denote a predicate relating $\underline{\boldsymbol{v}}$ and $\dot{\underline{\boldsymbol{v}}}$, then $$\lceil \underline{P} \rfloor \ \widehat{=} \ \mathcal{H}_{\mathrm{SIM}}^{\mathrm{A}} \left( \forall t \in (ti, ti') \cdot \underline{P}(\underline{\boldsymbol{v}}(t), \dot{\underline{\boldsymbol{v}}}(t)) \right)$$ is a continuous process reflecting the flow of $\underline{\boldsymbol{v}}$ over the time interval $(ti, ti')$ for $ti < ti'$, and it states that $\underline{P}$ holds at every instant t from ti to ti'. Note that although the input and output state variables $\boldsymbol{v}$ and $\boldsymbol{v}'$ do not appear in $\lceil \underline{P} \rfloor$, they are in the alphabet of $\lceil \underline{P} \rfloor$; in other words, $\boldsymbol{v}$ and $\boldsymbol{v}'$ can take arbitrary values.
We can also bind $\boldsymbol{v}$ and $\boldsymbol{v}'$ to the initial and final values of $\underline{\boldsymbol{v}}$, respectively, resulting in the following definitions: $$\begin{array}{lcl} \| \underline{P} \rfloor & \widehat{=} & \boldsymbol{v} = \underline{\boldsymbol{v}}(ti) \wedge \lceil \underline{P} \rfloor \\ \lceil \underline{P} \| & \widehat{=} & \lceil \underline{P} \rfloor \wedge \boldsymbol{v}' = \underline{\boldsymbol{v}}(ti'^{-}) \\ \| \underline{P} \| & \widehat{=} & \boldsymbol{v} = \underline{\boldsymbol{v}}(ti) \wedge \lceil \underline{P} \rfloor \wedge \boldsymbol{v}' = \underline{\boldsymbol{v}}(ti'^{-}) \end{array}$$ In particular, we define $$\mathsf{Idle} \ \widehat{=} \ \| \dot{\underline{\boldsymbol{v}}} = \mathbf{0} \|$$ Besides, we add subscripts to the above definitions to constrain the duration. For example, $$\begin{array}{lcl} \| \underline{P} \|_d & \widehat{=} & \| \underline{P} \| \wedge ti' - ti = d \\ \| \underline{P} \|_{\leq d} & \widehat{=} & \| \underline{P} \| \wedge ti' - ti \leq d \end{array}$$ Note that the above continuous processes are all Simulink processes, as they are $\mathcal{H}_{\mathrm{SIM}}^{\mathrm{A}}$-healthy. A causal sequence of operations or events which is assumed to take no time is called a super-dense computation (Manna and Pnueli, 1993). Under super-dense computation, the time needed to compute discrete operations is regarded as negligible; however, the causal order of the computations is still significant. Under the assumption of super-dense computation, a discrete process is defined by $$[P] \ \widehat{=} \ ti = ti' < +\infty \wedge P$$ where P denotes a predicate relating $\boldsymbol{v}$ and $\boldsymbol{v}'$. It executes instantly at time $ti = ti'$, rather than continuously over a time interval. Note that $[P]$ is not a Simulink process, as its duration is 0, which violates the healthiness condition $\mathcal{H}_{\mathrm{SIM}}$.
However, the sequential composition of $[P]$ and a Simulink process is usually $\mathcal{H}_{\mathrm{SIM}}^{\mathrm{A}}$-healthy, as demonstrated later. We define $$\mathsf{Skip} \ \widehat{=} \ ti = ti' < +\infty \wedge \boldsymbol{v} = \boldsymbol{v}'$$ Similar to Property 16 in (Xu et al., 2022a), it can be proved that $(\mathsf{Skip} ; \mathsf{P}) = (\mathsf{P} ; \mathsf{Skip}) = \mathsf{P}$ for any Simulink process P. Since Simulink processes form a complete lattice according to the discussion at the end of Section 2.3.1, recursion can be defined. Theoretically, recursion is denoted by the fixed points of the equation $X = F(X)$, where F constructs the body of the recursion. If F is monotonic, the fixed points of $X = F(X)$ also form a complete lattice by the Knaster-Tarski theorem (Tarski, 1955). The least fixed point is denoted by $\mu X \cdot F(X)$, based on which we can define $$\mathsf{P}^* \ \widehat{=} \ \mu X \cdot (\mathsf{Skip} \vee \mathsf{P} ; X)$$ where P is a Simulink process.

#### 4. Semantics for Simulink blocks

In this section, we give the HUTP semantics of Simulink blocks in terms of Simulink processes. A (non-hierarchical) Simulink diagram consists of blocks graphically connected by directed lines. Each such connection is the output signal of a unique block. We represent a signal by a variable x defined as a real-valued function of time, $x \in F = \mathbb{R}_{\geq 0} \to \mathbb{R}$. A Simulink block can be represented by the tuple $(\mathcal{I}, \mathcal{O}, \mathcal{S}, \mathcal{R})$, where $\mathcal{I}$ is the set of input variables, $\mathcal{O}$ is the set of output variables, $\mathcal{S}$ is the set of internal state variables, and $\mathcal{R}$ is a relation between the signals $F^{\mathcal{I}}$, $F^{\mathcal{S}}$ and $F^{\mathcal{O}}$. In the following, we use $\boldsymbol{x}(t)$ for the vector of input variables as a function of time, $\boldsymbol{y}(t)$ for the vector of output variables, and $\boldsymbol{s}(t)$ for the vector of state variables. Note that $\boldsymbol{s}$ is different from the state variables $\boldsymbol{v}$ in HUTP (Section 2.3); the latter is actually the group of $\boldsymbol{x}$, $\boldsymbol{s}$ and $\boldsymbol{y}$.
**Example 6.** A continuous Add block specifies that the output signal y is the sum of the two input signals $x_1$ and $x_2$. Here $\mathcal{I} = \{x_1, x_2\}$, $\mathcal{O} = \{y\}$, $\mathcal{S} = \emptyset$, and the relation $\mathcal{R}$ is given by $$\forall t \ge 0 \cdot y(t) = x_1(t) + x_2(t).$$ **Example 7.** A discrete Add block with sample time $\mathsf{st} > 0$ specifies that the output is updated to the sum of the inputs whenever the time is a multiple of st, and stays constant otherwise. Here, $\mathcal{I}$, $\mathcal{O}$ and $\mathcal{S}$ are the same as before. The relation $\mathcal{R}$ is given by $$\forall k \in \mathbb{N} \cdot \forall t \in [k \cdot \mathsf{st}, (k+1)\mathsf{st}) \cdot y(t) = x_1(k \cdot \mathsf{st}) + x_2(k \cdot \mathsf{st}).$$ **Example 8.** A continuous Switch block with condition ">0" specifies that the output y is equal to the top input $x_1$ if the middle input $x_2$ satisfies the condition, and to the bottom input $x_3$ otherwise ($x_2 \le 0$). Here $\mathcal{I} = \{x_1, x_2, x_3\}$, $\mathcal{O} = \{y\}$ and $\mathcal{S} = \emptyset$. The relation $\mathcal{R}$ is given by $$\forall t \ge 0 \cdot y(t) = x_1(t) \triangleleft x_2(t) > 0 \triangleright y(t) = x_3(t).$$ **Example 9.** A Unit Delay block with sample time $\mathsf{st} > 0$ and initial value $v_0$ updates its state whenever the time is a multiple of st, and outputs the previous value of the state. Here $\mathcal{I} = \{x\}$, $\mathcal{O} = \{y\}$ and $\mathcal{S} = \{s\}$.
The relation $\mathcal{R}$ is given by $$\begin{array}{l} \forall k \in \mathbb{N} \cdot \forall t \in [k \cdot \mathsf{st}, (k+1)\mathsf{st}) \cdot s(t) = x(k \cdot \mathsf{st}) \\ \wedge \ \forall t \in [0, \mathsf{st}) \cdot y(t) = v_0 \\ \wedge \ \forall k \in \mathbb{N} \cdot \forall t \in [(k+1)\mathsf{st}, (k+2)\mathsf{st}) \cdot y(t) = s(k \cdot \mathsf{st}). \end{array}$$ **Example 10.** An Integrator block with initial state $s_0$ specifies that its state is the integral of the input signal and that the output signal is consistent with the state. Here $\mathcal{I} = \{x\}$, $\mathcal{O} = \{y\}$ and $\mathcal{S} = \{s\}$. The relation $\mathcal{R}$ is given by $$y(0) = s(0) = s_0 \wedge \forall t > 0 \cdot \dot{s}(t^+) = x(t) \wedge s(t^-) = s(t) = y(t).$$ Consider a Simulink diagram consisting of blocks $\{b_i\}_{1 \leq i \leq m}$, and let $\mathcal{I}(b_i)$, $\mathcal{O}(b_i)$, $\mathcal{S}(b_i)$ and $\mathcal{R}(b_i)$ be the sets of input variables, output variables, state variables, and the relation of block $b_i$, respectively. We require the state variables $\mathcal{S}(b_i)$ to be disjoint from each other and from the input/output variables. Let $\{v_j\}_{1\leq j\leq \ell}$ be the set of variables denoting the lines (signals) connecting the blocks of the Simulink diagram. Each $v_j$ is in at most one $\mathcal{O}(b_i)$. The semantics of the Simulink diagram is a relation on the $v_j(t)$, defined to be the conjunction of the relations of the blocks: $$\mathcal{R} = \bigwedge_{1 \leq i \leq m} \mathcal{R}(\mathsf{b}_i)$$ Following the above analysis, we can define the HUTP semantics of (non-hierarchical) Simulink diagrams. The definition is bottom-up: we start from the individual blocks, then combine them to form the semantics of the entire diagram.

# 4.1. Discrete blocks

A discrete block is specified by a sample time $\mathsf{st} > 0$, an initial state $\boldsymbol{s}_0$, and two functions f and g for updating the state and computing the output, respectively.
The values of the state and output variables of a discrete block are constant on each time interval $[k \cdot \mathsf{st}, (k+1)\mathsf{st})$ for $k \in \mathbb{N}$. Hence, we only need to specify their values at the times $k \cdot \mathsf{st}$. They satisfy the following equations: $$\begin{array}{lcl} s(k \cdot \mathsf{st}) & = & f(x(k \cdot \mathsf{st}), s((k-1) \cdot \mathsf{st})) \\ y(k \cdot \mathsf{st}) & = & g(x(k \cdot \mathsf{st}), s((k-1) \cdot \mathsf{st})) \end{array}$$ where we take $s((k-1) \cdot \mathsf{st})$ to be $s_0$ for $k = 0$. The main idea here is that the output and state at the current round are computed from the input at the *current* round and the state at the *previous* round. For example, the discrete Add block in Example 7 is given by $$y(k \cdot \mathsf{st}) = g(x_1(k \cdot \mathsf{st}), x_2(k \cdot \mathsf{st})) = x_1(k \cdot \mathsf{st}) + x_2(k \cdot \mathsf{st}).$$ There is no need for f as there are no state variables. The discrete Unit Delay block in Example 9 is given by $$\begin{array}{lclcl} s(k \cdot \mathsf{st}) & = & f(x(k \cdot \mathsf{st}), s((k-1) \cdot \mathsf{st})) & = & x(k \cdot \mathsf{st}) \\ y(k \cdot \mathsf{st}) & = & g(x(k \cdot \mathsf{st}), s((k-1) \cdot \mathsf{st})) & = & s((k-1) \cdot \mathsf{st}). \end{array}$$ Now we describe how to encode the above formulas in the HUTP language. A discrete block is either stateful or stateless. For a stateless discrete block, there is no need for the function f. The computation of g is instant and can be expressed by the following discrete process: $$\mathsf{Comp} \ \widehat{=} \ [\boldsymbol{y}' = g(\boldsymbol{x}')]$$ Intuitively, this means that the output $\boldsymbol{y}'$ is computed from the input values only after they have been computed by other processes in the same round, that is, after the values of $\boldsymbol{x}'$ are all available. This enforces the ordering between the computations of different blocks, as we demonstrate afterwards.
After the computation, the block keeps quiescent for the period st (sample time), i.e., the output $\boldsymbol{y}$ remains unchanged, as specified by the following continuous process: $$\mathsf{Period} \ \widehat{=} \ \| \dot{\underline{\boldsymbol{y}}} = \mathbf{0} \rfloor_{\mathsf{st}}$$ Thus, the hybrid process of a stateless discrete block is defined by $$\mathsf{DisBlock} \ \widehat{=} \ (\mathsf{Comp} ; \mathsf{Period})^* ; \mathsf{Comp} ; \mathsf{Tail}$$ where $$\mathsf{Tail} \ \widehat{=} \ \| \dot{\underline{\boldsymbol{y}}} = \mathbf{0} \rfloor_{\leq \mathsf{st}}$$ means that the block can terminate at the times $k \cdot \mathsf{st}$ or within the time intervals $(k \cdot \mathsf{st}, (k+1)\mathsf{st})$. For a stateful discrete block, its state variables $\boldsymbol{s}$ should be initialised, given by $$\mathsf{Init} \ \widehat{=} \ [\boldsymbol{s}' = \boldsymbol{s}_0]$$ The state variables $\boldsymbol{s}$ and output variables $\boldsymbol{y}$ are updated periodically according to the functions f and g, respectively. The update is instant and can be described by the following discrete process: $$\mathsf{Comp}' \ \widehat{=} \ [\boldsymbol{s}' = f(\boldsymbol{x}', \boldsymbol{s}) \wedge \boldsymbol{y}' = g(\boldsymbol{x}', \boldsymbol{s})]$$ The waiting period of a stateful discrete block is represented by the following continuous process: $$\mathsf{Period}' \ \widehat{=} \ \| \dot{\underline{\boldsymbol{s}}} = \dot{\underline{\boldsymbol{y}}} = \mathbf{0} \rfloor_{\mathsf{st}}$$ During the period, the state variables $\boldsymbol{s}$ and output variables $\boldsymbol{y}$ stay unchanged. Thus, similar to DisBlock, the hybrid process of a stateful discrete block is given by $$\mathsf{DisBlockSt} \ \widehat{=} \ \mathsf{Init} ; (\mathsf{Comp}' ; \mathsf{Period}')^* ; \mathsf{Comp}' ; \mathsf{Tail}'$$ where $$\mathsf{Tail}' \ \widehat{=} \ \| \dot{\underline{\boldsymbol{s}}} = \dot{\underline{\boldsymbol{y}}} = \mathbf{0} \rfloor_{\leq \mathsf{st}}$$ **Theorem 11.** DisBlock and DisBlockSt are Simulink processes.
*Proof.* The sequential composition $\mathsf{Comp} ; \mathsf{Period}$ can be expanded to $$[\boldsymbol{y}' = g(\boldsymbol{x}')] ; \| \dot{\underline{\boldsymbol{y}}} = \mathbf{0} \rfloor_{\mathsf{st}} \ = \ \underline{\boldsymbol{y}}(ti) = g(\underline{\boldsymbol{x}}(ti)) \wedge \lceil \dot{\underline{\boldsymbol{y}}} = \mathbf{0} \rfloor_{\mathsf{st}}$$ which is $\mathcal{H}_{\mathrm{SIM}}^{\mathrm{A}}$-healthy according to the definition in Section 3.3. Similarly, we can prove that $\mathsf{Comp} ; \mathsf{Tail}$ is also $\mathcal{H}_{\mathrm{SIM}}^{\mathrm{A}}$-healthy. According to Property 3 and by induction on the number of iterations of $*$, DisBlock is $\mathcal{H}_{\mathrm{SIM}}^{\mathrm{A}}$-healthy. Similarly, we can prove that DisBlockSt is $\mathcal{H}_{\mathrm{SIM}}^{\mathrm{A}}$-healthy. **Example 12.** Consider two discrete blocks in sequence. One block $B_1$ has input line x and output line y, and sets $y := x + 1$ every sample time 1; the other block $B_2$ has input line y and output line z, and sets $z := 2 \cdot y$ every sample time 1. The Simulink processes for $B_1$ and $B_2$ are given by: We first rewrite the above two definitions to the corresponding logical equations.
By the definition of sequential composition $;$, the definition of $[y' = x' + 1] ; \| \dot{\underline{y}} = 0 \rfloor_1$ in $\llbracket B_1 \rrbracket_{\mathrm{HUTP}}$ expands to $$\begin{array}{lr} [y' = x' + 1] ; \| \dot{\underline{y}} = 0 \rfloor_1 & (1) \\ = \ (ti = ti' < +\infty \wedge y' = x' + 1) ; & (2) \\ \quad \begin{pmatrix} ti < ti' < +\infty \wedge x = \underline{x}(ti) \wedge y = \underline{y}(ti) \\ \wedge \ \forall t \in (ti, ti') \cdot \dot{\underline{y}}(t) = 0 \wedge ti' - ti = 1 \\ \wedge \ RC(\underline{x}, \underline{y}, ti, ti') \wedge SD(\underline{x}, \underline{y}, ti, ti') \end{pmatrix} & (3) \\ = \ \exists ti_0, x_0, y_0 \cdot ti = ti_0 < +\infty \wedge y_0 = x_0 + 1 \wedge ti_0 < ti' < +\infty \wedge x_0 = \underline{x}(ti_0) \wedge y_0 = \underline{y}(ti_0) & \\ \quad \wedge \ \forall t \in (ti_0, ti') \cdot \dot{\underline{y}}(t) = 0 \wedge ti' - ti_0 = 1 \wedge RC(\underline{x}, \underline{y}, ti_0, ti') \wedge SD(\underline{x}, \underline{y}, ti_0, ti') & \\ = \ ti' - ti = 1 \wedge \underline{y}(ti) = \underline{x}(ti) + 1 \wedge \forall t \in (ti, ti + 1) \cdot \dot{\underline{y}}(t) = 0 & \\ \quad \wedge \ RC(\underline{x}, \underline{y}, ti, ti + 1) \wedge SD(\underline{x}, \underline{y}, ti, ti + 1) & \end{array}$$ Note that although $\underline{x}$ does not appear in $\| \dot{\underline{y}} = 0 \rfloor_1$, it is in the alphabet of $\llbracket B_1 \rrbracket_{\mathrm{HUTP}}$. Therefore, we cannot remove $x = \underline{x}(ti)$ from $\| \dot{\underline{y}} = 0 \rfloor_1$ (see (3)). Besides, by $\mathcal{H}_4^{\mathrm{A}}$, the continuous state variables in $\| \dot{\underline{y}} = 0 \rfloor_1$ are right continuous and semi-differentiable during the period, as specified by RC and SD.
Then, by induction, we get $$\begin{array}{lr} ([y' = x' + 1] ; \| \dot{\underline{y}} = 0 \rfloor_1)^* & \\ = \ \mathsf{Skip} \vee \begin{pmatrix} \exists n \in \mathbb{N}^+ \cdot ti' - ti = n \\ \wedge \ \forall k \in \mathbb{N}_{< n} \cdot \underline{y}(ti + k) = \underline{x}(ti + k) + 1 \\ \wedge \ \forall t \in (ti + k, ti + k + 1) \cdot \dot{\underline{y}}(t) = 0 \\ \wedge \ RC(\underline{x}, \underline{y}, ti, ti + n) \wedge SD(\underline{x}, \underline{y}, ti, ti + n) \end{pmatrix} & (4) \end{array}$$ where $\mathbb{N}^+ \ \widehat{=} \ \mathbb{N} \setminus \{0\}$ and $\mathbb{N}_{< n} \ \widehat{=} \ \{k \in \mathbb{N} \mid k < n\}$. Similar to (1), based on the above results, $\llbracket B_1 \rrbracket_{\mathrm{HUTP}}$ expands to $$\begin{array}{l} \exists n \in \mathbb{N} \cdot n < ti' - ti \leq n + 1 \ \wedge \\ \forall k \in \mathbb{N}_{< n} \cdot \underline{y}(ti + k) = \underline{x}(ti + k) + 1 \wedge \underline{y}(ti + n) = \underline{x}(ti + n) + 1 \\ \wedge \ \forall t \in (ti + k, ti + k + 1) \cdot \dot{\underline{y}}(t) = 0 \wedge \forall t \in (ti + n, ti') \cdot \dot{\underline{y}}(t) = 0 \\ \wedge \ RC(\underline{x}, \underline{y}, ti, ti') \wedge SD(\underline{x}, \underline{y}, ti, ti') \end{array}$$ Similarly, $\llbracket B_2 \rrbracket_{\mathrm{HUTP}}$ expands to $$\begin{array}{l} \exists n \in \mathbb{N} \cdot n < ti' - ti \leq n + 1 \ \wedge \\ \forall k \in \mathbb{N}_{< n} \cdot \underline{z}(ti + k) = 2 \cdot \underline{y}(ti + k) \wedge \underline{z}(ti + n) = 2 \cdot \underline{y}(ti + n) \\ \wedge \ \forall t \in (ti + k, ti + k + 1) \cdot \dot{\underline{z}}(t) = 0 \wedge \forall t \in (ti + n, ti') \cdot \dot{\underline{z}}(t) = 0 \\ \wedge \ RC(\underline{y}, \underline{z}, ti, ti') \wedge SD(\underline{y}, \underline{z}, ti, ti') \end{array}$$ The connection of $B_1$ and $B_2$ can be defined by $\llbracket B_1 \rrbracket_{\mathrm{HUTP}} \wedge \llbracket B_2 \rrbracket_{\mathrm{HUTP}}$, i.e., $$\begin{array}{l} \exists n \in \mathbb{N} \cdot n < ti' - ti \leq n + 1 \ \wedge \\ \forall k \in \mathbb{N}_{< n} \cdot \underline{y}(ti + k) = \underline{x}(ti + k) + 1 \wedge \underline{z}(ti + k) = 2 \cdot \underline{y}(ti + k) \\ \wedge \ \underline{y}(ti + n) = \underline{x}(ti + n) + 1 \wedge \underline{z}(ti + n) = 2 \cdot \underline{y}(ti + n) \\ \wedge \ \forall t \in (ti + k, ti + k + 1) \cdot \dot{\underline{y}}(t) = \dot{\underline{z}}(t) = 0 \\ \wedge \ \forall t \in (ti + n, ti') \cdot \dot{\underline{y}}(t) = \dot{\underline{z}}(t) = 0 \\ \wedge \ RC(\underline{x}, \underline{y}, \underline{z}, ti, ti') \wedge SD(\underline{x}, \underline{y}, \underline{z}, ti, ti') \end{array}$$ This example demonstrates that the parallel composition of the HUTP semantics of $B_1$ and $B_2$ simplifies to the desired form, enforcing that the computation in $B_1$ is performed before that of $B_2$ at every sample time. We further note that the values of $\underline{y}$ and $\underline{z}$ are determined given the values of the input signal $\underline{x}$.

#### 4.2. Continuous blocks

We consider two kinds of continuous blocks: computation blocks and Integrator blocks. A computation block is a stateless block with sample time 0 (see Examples 6 and 8). When building Simulink diagrams, the sample time of a computation block is usually inherited from Integrator blocks by sample time propagation. It is specified by a function g from its input $\boldsymbol{x}$ to its output $\boldsymbol{y}$, so its relation is $\forall t \geq 0 \cdot \boldsymbol{y}(t) = g(\boldsymbol{x}(t))$. Hence, its HUTP representation is $$\mathsf{ConBlock} \ \widehat{=} \ \lceil \underline{\boldsymbol{y}} = g(\underline{\boldsymbol{x}}) \rfloor$$ **Remark 13.** For a continuous block, our concern is the evolution of its output signals ($\underline{\boldsymbol{y}}$) according to its input signals ($\underline{\boldsymbol{x}}$) rather than its initial and/or final observations ($\boldsymbol{x}$, $\boldsymbol{y}$, $\boldsymbol{x}'$ and $\boldsymbol{y}'$). Thus, we use $\lceil \cdot \rfloor$ rather than $\| \cdot \|$ in ConBlock.
The Integrator block is already given in Example 10, and its HUTP representation is $$\mathsf{IntBlock} \ \widehat{=} \ \underline{y}(ti) = \underline{s}(ti) = s_0 \wedge \lceil \dot{\underline{s}}^+ = \underline{x} \wedge \underline{s}^- = \underline{s} = \underline{y} \rfloor$$ where $s_0$ is the initial state of $\underline{s}$, and $\dot{\underline{s}}^+$ and $\underline{s}^-$ denote the right-hand derivative and the left limit of $\underline{s}$, respectively. Since $\underline{x}$ could be discontinuous, but is at least right continuous as stated by $\mathcal{H}_4$, we use $\dot{\underline{s}}^+$ rather than $\dot{\underline{s}}$ in the representation. Besides, $\underline{s}$ should be continuous and the output signal should be consistent with the state, so we need the condition $\underline{s}^- = \underline{s} = \underline{y}$. **Theorem 14.** ConBlock and IntBlock are Simulink processes. *Proof.* ConBlock and IntBlock are $\mathcal{H}_{\mathrm{SIM}}^{\mathrm{A}}$-healthy by the definition of $\lceil \cdot \rfloor$ given in Section 3.3. **Property 15.** $$\lceil \underline{P} \rfloor \wedge \lceil \underline{Q} \rfloor = \lceil \underline{P} \wedge \underline{Q} \rfloor$$ *Proof.* According to the definition of $\lceil \cdot \rfloor$, $$\begin{array}{lcl} \lceil \underline{P} \rfloor \wedge \lceil \underline{Q} \rfloor & = & 0 < ti < ti' < +\infty \wedge \forall t \in (ti, ti') \cdot \underline{P}(\underline{\boldsymbol{v}}(t), \dot{\underline{\boldsymbol{v}}}(t)) \\ & & \wedge \ RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti') \\ & & \wedge \ 0 < ti < ti' < +\infty \wedge \forall t \in (ti, ti') \cdot \underline{Q}(\underline{\boldsymbol{v}}(t), \dot{\underline{\boldsymbol{v}}}(t)) \\ & & \wedge \ RC(\underline{\boldsymbol{v}}, ti, ti') \wedge SD(\underline{\boldsymbol{v}}, ti, ti') \\ & = & \lceil \underline{P} \wedge \underline{Q} \rfloor \end{array}$$ The property is proved. **Example 16.** Consider an Integrator block $B_3$ with state s, input line z and output line x, where s is set to 0 initially.
The Simulink process for $B_3$ is given by: $$\begin{array}{lcl} \llbracket B_3 \rrbracket_{\mathrm{HUTP}} & = & \underline{x}(ti) = \underline{s}(ti) = 0 \wedge \lceil \dot{\underline{s}}^+ = \underline{z} \wedge \underline{s}^- = \underline{s} = \underline{x} \rfloor \\ & = & ti < ti' < +\infty \wedge \underline{x}(ti) = \underline{s}(ti) = 0 \\ & & \wedge \ \forall t \in (ti, ti') \cdot \dot{\underline{s}}(t^+) = \underline{z}(t) \wedge \underline{s}(t^-) = \underline{s}(t) = \underline{x}(t) \\ & & \wedge \ RC(\underline{x}, \underline{s}, \underline{z}, ti, ti') \wedge SD(\underline{x}, \underline{s}, \underline{z}, ti, ti') \end{array}$$

#### 4.3. Composition

A (non-hierarchical) Simulink diagram is composed of discrete and continuous blocks connected by lines. Given such a diagram, we can construct a directed graph $\mathcal{G}$, called its causality graph, as follows. The vertices of $\mathcal{G}$ are the input/output variables, and there is an edge from $v_i$ to $v_j$ if $v_i$ is an input and $v_j$ an output of some non-delay discrete or computation block $B_k$. Note that discrete delay blocks and Integrator blocks are excluded. If $\mathcal{G}$ is acyclic, then the diagram is said to be well-formed. Otherwise, there exist loops among discrete and/or computation blocks, called algebraic loops (also called logical loops in (Zou et al., 2013b)), which may not always admit a solution. Actually, cycle-freedom of the causality graph is a necessary condition for a Simulink diagram to behave well. In particular, it allows avoiding straightforward deadlocks. To our knowledge, should the causality graph of a diagram contain a cycle, the tool Matlab/Simulink would reject it, returning an error or a warning. Accordingly, we only consider Simulink diagrams with acyclic causality graphs in this paper. If the diagram is well-formed, its HUTP semantics can be described by the parallel composition of the atomic blocks it contains.
Specifically, given a well-formed diagram consisting of n blocks whose semantics are represented by $\mathsf{P}_i$ ($1 \le i \le n$), the semantics of the diagram is the following parallel composition, which is equivalent to the conjunction by Property 5: $$\mathsf{P}_1 \| \cdots \| \mathsf{P}_n \equiv \bigwedge_{i=1}^n \mathsf{P}_i$$ We say the semantics of a diagram is determined if, given any choice of input signals to the overall diagram, there are unique functions for all output and state variables that satisfy $\bigwedge_{i=1}^{n} \mathsf{P}_i$. We wish to prove that, under additional conditions related to the unique solvability of ODEs, the HUTP semantics of a well-formed diagram is determined. Before proving this result, we prove the following lemmas. **Lemma 17.** Consider a well-formed Simulink diagram consisting of n discrete blocks whose semantics are represented respectively by $\mathsf{P}_i$. Given any choice of input signals to the overall diagram, there are unique functions for all input, output, and state variables that satisfy $\bigwedge_{i=1}^{n} \mathsf{P}_i$. Moreover, let st be the sample time of the diagram (the greatest common divisor of the sample times of the blocks); then the values of the output and state variables depend only on the values of the input variables at multiples of st, and they are constant over each time interval $[k \cdot \mathsf{st}, (k+1) \cdot \mathsf{st})$. *Proof.* Since the causality graph $\mathcal{G}$ of the Simulink diagram is acyclic, we can choose a topological ordering $y_1, \dots, y_m$ of the input and output variables of the blocks in the diagram. For brevity, we assume that the sample time of the diagram is 1. We prove by induction on k that there exist unique values for the input, output and state variables on each time interval $[k, k+1)$. For the base case $k = 0$, we perform a second induction on the index i in the ordering $y_i$. For the variable $y_i$, by the induction hypothesis, we can assume that $y_j(0)$ is uniquely determined for each $j < i$.
$y_i$ is either an input to the overall diagram, or the output of some block $B_j$. If $B_j$ is a delay block, then $y_i(0)$ is given by the initial value of the state. Otherwise, according to the definition of $\mathcal{G}$, all input variables of the block occur earlier in the topological order, and their values at 0 are uniquely determined by induction, so again $y_i(0)$ is uniquely determined. Since the values of the state variables at time 0 are a function of the input variables at time 0 and the initial state, they are also determined. Now consider the inductive case $k+1$. Again, we induct on the index i in the ordering $y_i$. If $y_i$ is an input to the overall diagram, then it is already determined. So suppose $y_i$ is the output of some block $B_j$. If $k+1$ is a multiple of the sample time of block $B_j$, we again divide into the cases of a delay block and a non-delay block. For a delay block, the value of $y_i(k+1)$ is given by the value of the state at a previous time. For a non-delay block, the value of $y_i(k+1)$ is a function of $y_j(k+1)$ for $j < i$ and of the state variables at time k. In both cases the value is determined. Finally, if $k+1$ is not a multiple of the sample time of $B_j$, we have $y_i(k+1) = y_i(k)$. This shows that $y_i(k+1)$ is determined for all $1 \le i \le m$. Then, since the state variables at time $k+1$ are a function of the variables $y_i(k+1)$ and the state variables at time k, they are determined as well. In this way, we construct the values of all $y_i$, as well as those of the state variables, at the integer time points. In the process, we have considered the relations for all blocks. Hence, the solution we obtained satisfies the relation $\bigwedge_{i=1}^{n} \mathsf{P}_i$. Finally, by the construction in this proof, it is clear that the output and state variables depend only on the values of the input variables at each integer k, and are constant over each time interval $[k, k+1)$.
**Lemma 18.** For a well-formed Simulink diagram consisting of continuous blocks, let $\boldsymbol{v}$ be the line variables of the diagram, where $\boldsymbol{x}$ denotes the input variables of the diagram and $\boldsymbol{s}$ and $\boldsymbol{y}$ represent the state and output variables of the Integrator blocks in the diagram. Then, (1) its semantics can be expressed in the form $$\underline{\boldsymbol{y}}(ti) = \underline{\boldsymbol{s}}(ti) = \boldsymbol{s}_0 \wedge \lceil \underline{P}(\underline{\boldsymbol{v}}) \wedge \dot{\underline{\boldsymbol{s}}}^+ = E(\underline{\boldsymbol{x}} \uplus \underline{\boldsymbol{s}}) \wedge \underline{\boldsymbol{s}}^- = \underline{\boldsymbol{s}} = \underline{\boldsymbol{y}} \rfloor \tag{5}$$ where $\boldsymbol{s}_0$ are the initial states of $\boldsymbol{s}$, $\underline{P}$ is a relation only relating $\underline{\boldsymbol{v}}$, and E is a (vector) function in terms of the variables in $\underline{\boldsymbol{x}} \uplus \underline{\boldsymbol{s}}$; (2) if the function E satisfies the global Lipschitz condition, then given any choice of input signals to the overall diagram, there are unique functions for all input, output, and state variables that satisfy the semantics. *Proof.* (1) Assume the diagram consists of m Integrator blocks and n computation blocks. Label the Integrator blocks by $B_i$ for $1 \le i \le m$, and the computation blocks by $B_j$ for $m+1 \le j \le m+n$. Let $a_i$, $s_i$ and $y_i$ be the input, state and output variables of an Integrator block $B_i$, respectively, and $\boldsymbol{b}_j$ and $\boldsymbol{c}_j$ be the input and output variables of a computation block $B_j$, respectively.
According to the semantics of these continuous blocks (see Section 4.2) and Property 15, the semantics of the diagram can be defined by $$\mathsf{Init} \wedge \mathsf{Evolve} \tag{6}$$ where $$\begin{array}{lcl} \mathsf{Init} & \widehat{=} & \bigwedge_{i=1}^m \underline{y}_i(ti) = \underline{s}_i(ti) = s_{i,0} \\ \mathsf{Evolve} & \widehat{=} & \left\lceil \bigwedge_{i=1}^m \dot{\underline{s}}_i^+ = \underline{a}_i \wedge \underline{s}_i^- = \underline{s}_i = \underline{y}_i \wedge \bigwedge_{j=m+1}^{m+n} \underline{\boldsymbol{c}}_j = g_j(\underline{\boldsymbol{b}}_j) \right\rfloor \end{array}$$ where $s_{i,0}$ is the initial value of $s_i$. Each computation block $\mathsf{B}_j$ defines a variable substitution mapping $\Gamma_{jk}$. Concretely, it maps each output variable $c_{jk} \in \boldsymbol{c}_j$ of the block to an expression $g_{jk}$ on the input variables $\boldsymbol{b}_j$, i.e., $\Gamma_{jk}(c_{jk}) = g_{jk}(\boldsymbol{b}_j)$, where all the $g_{jk}$ together form the function $g_j$. Since the diagram is well-formed, the input and output variables of all computation blocks in the diagram form a directed acyclic graph. Therefore, all the mapping functions $\Gamma_{jk}$ can be composed to form a function $\Gamma$ that maps the input variable $a_i$ (which could be some $c_{jk}$) of each Integrator block $\mathsf{B}_i$ to $\Gamma(a_i)$, which is an expression on $\boldsymbol{x} \uplus \boldsymbol{s}$, denoted $e_i(\boldsymbol{x} \uplus \boldsymbol{s})$. Note that for $a_i \notin \mathrm{dom}(\Gamma)$, we let $\Gamma(a_i) = a_i$. All the expressions $e_i(\boldsymbol{x} \uplus \boldsymbol{s})$ form the expression function E. Besides, $\bigwedge_{j=m+1}^{m+n} \underline{\boldsymbol{c}}_j = g_j(\underline{\boldsymbol{b}}_j)$ is the relation $\underline{P}$ in the representation. In summary, formula (6) can be expressed in the form of (5). (2) According to Equation (5), the right-hand derivative of $\underline{\boldsymbol{s}}$ always exists, which means $\underline{\boldsymbol{s}}$ is piecewise differentiable.
By induction on the time intervals where $\underline{s}$ is differentiable, and using the fact that E satisfies the global Lipschitz condition, we obtain the existence and uniqueness of the solution. The lemma is proved. $\Box$ **Theorem 19.** For a well-formed diagram consisting of discrete and continuous blocks, if the expression function E of the continuous sub-diagram (consisting of the continuous blocks) satisfies the global Lipschitz condition, then the HUTP semantics of the entire diagram is determined and can be represented by a Simulink process. *Proof.* By Property 3 and Theorems 11 and 14, the HUTP semantics is a Simulink process. To show that the HUTP semantics of the combination of discrete and continuous sub-diagrams is determined, we perform an induction on multiples of the sample time st of the discrete sub-diagram (as defined in Lemma 17). At each step k, the computation of the discrete diagram provides the initial conditions at time $k \cdot st$ for evolution of the continuous diagram, and the continuous evolution provides the initial value for the discrete diagram at time $(k+1) \cdot st$ . Hence determinacy follows from Lemma 17 and Lemma 18. **Example 20.** The connection of $B_1$ , $B_2$ (Example 12) and $B_3$ (Example 16) forms a closed Simulink diagram with the causality graph $\mathcal{G} = \{(x,y), (y,z)\}$ acyclic, hence the diagram is well-formed. 
Then, the HUTP semantics of this diagram is $\llbracket B_1 \rrbracket_{\mathrm{HUTP}} \wedge \llbracket B_2 \rrbracket_{\mathrm{HUTP}} \wedge \llbracket B_3 \rrbracket_{\mathrm{HUTP}}$, which expands as follows: $$\begin{pmatrix} \underline{x}(ti) = \underline{s}(ti) = 0 \ \wedge \\ \exists n \in \mathbb{N} \cdot n < ti' - ti \leq n + 1 \wedge \forall k \in \mathbb{N}_{< n} \cdot \\ \underline{y}(ti + k) = \underline{x}(ti + k) + 1 \wedge \underline{z}(ti + k) = 2 \cdot \underline{y}(ti + k) \ \wedge \\ \underline{y}(ti + n) = \underline{x}(ti + n) + 1 \wedge \underline{z}(ti + n) = 2 \cdot \underline{y}(ti + n) \ \wedge \\ \forall t \in (ti + k, ti + k + 1) \cdot \dot{\underline{y}}(t) = \dot{\underline{z}}(t) = 0 \wedge \dot{\underline{s}}(t) = \underline{z}(t) \ \wedge \\ \forall t \in (ti + n, ti') \cdot \dot{\underline{y}}(t) = \dot{\underline{z}}(t) = 0 \wedge \dot{\underline{s}}(t) = \underline{z}(t) \ \wedge \\ \forall t \in (ti, ti') \cdot \underline{s}(t^{-}) = \underline{s}(t) = \underline{x}(t) \ \wedge \\ RC(\underline{x}, \underline{y}, \underline{z}, \underline{s}, ti, ti') \wedge SD(\underline{x}, \underline{y}, \underline{z}, \underline{s}, ti, ti') \end{pmatrix}$$ Since $\underline{z}$ is differentiable within the intervals $(ti + k, ti + k + 1)$ and $(ti + n, ti')$, $\dot{\underline{s}}(t^+)$ is replaced by $\dot{\underline{s}}(t)$ in the above formula. To ensure the continuity of $\underline{s}$, we need $\underline{s}^- = \underline{s}$ during the period. For the above formula, we get the following unique solution: $$\forall t \in [ti, ti') \cdot \exists d \in \mathbb{R} \cdot d = t - ti \wedge \begin{pmatrix} \underline{x}(t) = 2 \cdot 3^{\lfloor d \rfloor} (d - \lfloor d \rfloor) + 3^{\lfloor d \rfloor} - 1 \\ \underline{s}(t) = 2 \cdot 3^{\lfloor d \rfloor} (d - \lfloor d \rfloor) + 3^{\lfloor d \rfloor} - 1 \\ \underline{y}(t) = 3^{\lfloor d \rfloor} \\ \underline{z}(t) = 2 \cdot 3^{\lfloor d \rfloor} \end{pmatrix}$$ which is exactly the semantics of the Simulink diagram (here $\lfloor \cdot \rfloor : \mathbb{R} \to \mathbb{Z}$ is the floor function).
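To make the well-formedness check of Section 4.3 and the step-wise construction of Lemma 17 / Theorem 19 concrete, here is an added Python example (not the paper's own code or tooling) that builds the causality graph, rejects algebraic loops by topological sorting, and evaluates the diagram of Example 20 round by round, checking the result against the closed-form solution above. It assumes a diagram sample time of 1 and Integrator inputs that are piecewise constant between sample instants (as in Example 20, where z is produced by discrete blocks only), so the integration on each $[k, k+1)$ is exact; the block kinds, field names and the `Block`/`simulate` helpers are this example's own, not the paper's.

```python
"""Causality graph, well-formedness check and round-by-round evaluation of a
non-hierarchical Simulink diagram (added example; hypothetical helpers).
Assumptions: diagram sample time 1; every Integrator input is constant on each
[k, k+1), so s(t) = s(k) + input(k) * (t - k) integrates the ODE exactly."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import math


@dataclass
class Block:
    name: str
    kind: str                # "discrete" (stateless), "delay" (Unit Delay), "computation", "integrator"
    inputs: List[str]
    outputs: List[str]
    g: Optional[Callable[..., float]] = None   # output function of discrete/computation blocks
    st: int = 1              # sample time (multiple of the diagram sample time) of discrete/delay blocks
    init: float = 0.0        # initial state s_0 of delay/integrator blocks


def causality_graph(blocks: List[Block]) -> Dict[str, set]:
    """Edge v_i -> v_j for each input v_i and output v_j of a non-delay discrete or
    computation block; delay and Integrator blocks are excluded (Section 4.3)."""
    edges = defaultdict(set)
    for b in blocks:
        if b.kind in ("discrete", "computation"):
            for i in b.inputs:
                edges[i].update(b.outputs)
    return edges


def topological_order(blocks: List[Block]) -> Optional[List[str]]:
    """Kahn's algorithm over the line variables; None if there is a cycle (algebraic loop)."""
    variables = {v for b in blocks for v in b.inputs + b.outputs}
    edges = causality_graph(blocks)
    indeg = {v: 0 for v in variables}
    for u in list(edges):
        for v in edges[u]:
            indeg[v] += 1
    ready = deque(sorted(v for v in variables if indeg[v] == 0))
    order = []
    while ready:
        u = ready.popleft()
        order.append(u)
        for v in sorted(edges[u]):
            indeg[v] -= 1
            if indeg[v] == 0:
                ready.append(v)
    return order if len(order) == len(variables) else None


def simulate(blocks: List[Block], ext_inputs: Dict[str, Callable[[int], float]], n_steps: int):
    """Values of all line variables at integer times 0..n_steps, built as in the proof of
    Lemma 17: at each k, Integrator/delay outputs come from their state alone, then the
    remaining variables are computed in topological order. ext_inputs maps an external
    input line to a function of the round k."""
    order = topological_order(blocks)
    if order is None:
        raise ValueError("not well-formed: the causality graph contains a cycle")
    producer = {o: b for b in blocks for o in b.outputs}
    state = {b.name: b.init for b in blocks if b.kind in ("delay", "integrator")}
    held: Dict[str, float] = {}          # last output of each sampled block (constant between rounds)
    trace = []
    for k in range(n_steps + 1):
        v = {name: f(k) for name, f in ext_inputs.items()}
        for b in blocks:                                  # outputs fixed by state alone
            if b.kind == "integrator":
                v[b.outputs[0]] = state[b.name]
            elif b.kind == "delay":
                if k % b.st == 0:
                    held[b.outputs[0]] = state[b.name]   # previous round's state (s_0 at k = 0)
                v[b.outputs[0]] = held[b.outputs[0]]
        for var in order:                                 # non-delay discrete / computation blocks
            b = producer.get(var)
            if b is None or b.kind not in ("discrete", "computation") or var in v:
                continue
            if b.kind == "computation" or k % b.st == 0:
                outs = b.g(*(v[i] for i in b.inputs))     # all inputs precede the outputs in order
                outs = outs if isinstance(outs, tuple) else (outs,)
                held.update(zip(b.outputs, outs))
            v.update((o, held[o]) for o in b.outputs)     # hold the value between sample instants
        for b in blocks:                                  # state update for the next round
            if b.kind == "delay" and k % b.st == 0:
                state[b.name] = v[b.inputs[0]]
            elif b.kind == "integrator":
                state[b.name] += v[b.inputs[0]]           # exact for an input constant on [k, k+1)
        trace.append(v)
    return trace


def at_time(blocks: List[Block], trace, t: float) -> Dict[str, float]:
    """Values at real time t: sampled signals hold, Integrator outputs evolve linearly."""
    k = math.floor(t)
    v = dict(trace[k])
    for b in blocks:
        if b.kind == "integrator":
            v[b.outputs[0]] += trace[k][b.inputs[0]] * (t - k)
    return v


# Example 20: B_1 (y = x + 1), B_2 (z = 2y), B_3 (Integrator, s' = z, output x, s(0) = 0).
EXAMPLE_20 = [
    Block("B1", "discrete", ["x"], ["y"], g=lambda x: x + 1),
    Block("B2", "discrete", ["y"], ["z"], g=lambda y: 2 * y),
    Block("B3", "integrator", ["z"], ["x"], init=0.0),
]


def closed_form(t: float) -> Dict[str, float]:
    """The unique solution stated in Example 20, with ti = 0 so that d = t."""
    f = math.floor(t)
    return {"x": 2 * 3 ** f * (t - f) + 3 ** f - 1, "y": 3.0 ** f, "z": 2 * 3.0 ** f}


def check_example_20(n_steps: int = 4, points=(0.0, 0.5, 1.0, 2.5, 3.75)) -> bool:
    trace = simulate(EXAMPLE_20, {}, n_steps)
    return all(math.isclose(at_time(EXAMPLE_20, trace, t)[v], closed_form(t)[v])
               for t in points for v in ("x", "y", "z"))
```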
Hierarchical Simulink diagrams Modular design is a design principle that subdivides a system into smaller parts called modules (or subsystems), which can be independently created, modified, replaced, or exchanged with other modules or between different systems. The modelling of hierarchical Simulink diagrams reflects the principle of modular design: a Simulink diagram is composed of hierarchical subsystems, which may include enabled or triggered behaviours. In this section, we establish the HUTP semantics for *normal*, *triggered* and *enabled* subsystems, which forms hierarchical Simulink diagrams. #### 5.1. Normal subsystems A normal subsystem groups a set of atomic Simulink blocks together, and will execute them as a single unit. Simulink distinguishes the input (output) variables i (o) as seen from within the subsystem and the input (output) variables $\bar{i}$ ( $\bar{o}$ ) as seen from outside (as lines in the overall diagram). For normal subsystems, we will identify the variables i with $\bar{i}$ , and variables o with $\bar{o}$ (see x and y in Fig. 2). Later on, we may not identify i with $\bar{i}$ for triggered and enabled subsystems. A normal subsystem is well-formed if its causality graph is acyclic. The effect of executing a well-formed normal subsystem is equivalent to executing the corresponding Simulink diagram consisting of the same set of blocks. Therefore, the semantics of a normal subsystem can be defined by the conjunction of the semantics of all the blocks it contains, as specified in Section 4.3. Fig. 2: A well-formed Simulink diagram composed of two subsystems. The left is the original hierarchical diagram and the right is the flattened form. In the translation algorithm from Simulink to HCSP presented in (Zou et al., 2013b), the subsystem is flattened by connecting the in-ports and outports as seen from inside with the corresponding in-ports and out-ports on the outside. The result of this process is shown on the right side of Fig. 2. 
This flattening makes the translation process easier to implement, and is necessary for collecting all continuous blocks in the diagram together for translation to a single ODE. However, it violates to some extent the principle of modular design, i.e., the hierarchical structure of the Simulink diagram is not reflected in the translated HCSP process. In this paper, subsystems are not flattened, and therefore the structure of Simulink diagrams is reflected in their HUTP semantics. For example, the Simulink diagram on the left of Fig. 2 is composed of two well-formed subsystems Subsystem0 and Subsystem1, whose semantics are given by

$$\begin{array}{lll}
[\![\mathsf{Subsystem0}]\!]_{\mathsf{HUTP}} & \widehat{=} & [\![\mathsf{Int0}]\!]_{\mathsf{HUTP}} \wedge [\![\mathsf{Bias0}]\!]_{\mathsf{HUTP}} \\
[\![\mathsf{Subsystem1}]\!]_{\mathsf{HUTP}} & \widehat{=} & [\![\mathsf{Int1}]\!]_{\mathsf{HUTP}} \wedge [\![\mathsf{Bias1}]\!]_{\mathsf{HUTP}}
\end{array}$$

where $[\![\mathsf{Bias0}]\!]_{\mathsf{HUTP}}$ and $[\![\mathsf{Bias1}]\!]_{\mathsf{HUTP}}$ are discrete processes (Section 4.1), and $[\![\mathsf{Int0}]\!]_{\mathsf{HUTP}}$ and $[\![\mathsf{Int1}]\!]_{\mathsf{HUTP}}$ are continuous processes (Section 4.2).

# 5.2. Triggered subsystems

A triggered subsystem only contains blocks with inherited sample time (-1). Such a block has no specified sample time; its execution depends solely on the triggering signal. Concretely, the blocks execute at the instant when the trigger condition on the trigger line holds. A sketch of a triggered subsystem with rising edge trigger is shown in Fig. 3. As for normal subsystems, a triggered subsystem is well-formed if its causality graph is acyclic. The trigger port senses the input signal z in real time. In this paper, we assume that each triggered subsystem has only one trigger line. There are three basic trigger types: rising, falling and either. For the rising edge trigger, the subsystem is triggered at time t whenever (1) z rises from negative to non-negative at t, or (2) z rises from non-positive to positive at t.
Formally,

$$z(t^-) < 0 \wedge z(t) \ge 0 \quad \vee \quad z(t^-) \le 0 \wedge z(t) > 0$$

The triggering conditions for the other two trigger types can be defined similarly. Therefore, in this section, we only define the HUTP semantics for triggered subsystems with rising edge trigger. In this paper, we assume that the trigger line of each triggered subsystem is the output of a discrete block, hence piecewise constant with some sample time st. The treatment of continuous triggering would be more complicated, involving analysis of zero-crossing detection and potential cascades of zero-crossings (Benveniste et al., 2012).

Fig. 3: A sketch of a triggered subsystem with rising edge trigger

Now we consider the HUTP semantics of well-formed triggered subsystems. The subsystem is triggered at the current time iff (1) the previous value of the signal z is less than 0 and the current value of z reaches or crosses 0; or (2) the previous value of z is not greater than 0 and the current value of z crosses 0. After that, the signal z keeps "not triggering" for some period, until it satisfies the trigger condition again. Therefore, the behaviour of z between two adjacent triggering time instants can be defined by

$$\mathsf{Trigger} \ \widehat{=}\ [z < 0 \wedge z' \ge 0 \ \vee\ z \le 0 \wedge z' > 0] \mathbin{;} \lceil \neg \mathsf{trigger} \rfloor$$

where

$$\mathsf{trigger} \ \widehat{=}\ z^- < 0 \wedge z \ge 0 \ \vee\ z^- \le 0 \wedge z > 0$$

When triggered, the subsystem gets the latest values from the input ports, given by the relation $\underline{\mathbf{x}}(ti) = \underline{\mathbf{a}}(ti)$, where ti is the current triggering time, $\mathbf{x}$ denotes the input variables as seen from within the subsystem, and $\mathbf{a}$ denotes the input variables to the overall subsystem (see Fig. 3).
The reason we distinguish $\mathbf{x}$ and $\mathbf{a}$ is that their values are not the same at all times: during the idle period of the subsystem, $\mathbf{x}$ stays unchanged while $\mathbf{a}$ can change dynamically according to the behaviour of its source subsystem. The input variables $\mathbf{x}$ synchronise with the input variables $\mathbf{a}$ from the outside only when the triggering signal arrives. For output variables, however, it is not necessary to distinguish the outputs as seen from within the subsystem from those of the overall subsystem, because the output variables are controlled by the subsystem alone and are not modified by other subsystems, i.e., the two views always agree. After the input synchronisation ($\boldsymbol{x}$ obtains the values of $\boldsymbol{a}$), the subsystem performs the computation and then keeps idle for some period, which can be represented by the conjunction of the idle process $\lceil \dot{\boldsymbol{v}} = \boldsymbol{0} \rfloor$, where $\boldsymbol{v}$ are the variables internal to the subsystem, and the continuous processes $\lceil P_i \rfloor$ $(1 \le i \le n)$ of all blocks in the subsystem. Therefore, according to Property 15, which states

$$\lceil \dot{\boldsymbol{v}} = \boldsymbol{0} \rfloor \wedge \bigwedge_{i=1}^n \lceil P_i \rfloor = \lceil \dot{\boldsymbol{v}} = \boldsymbol{0} \wedge \bigwedge_{i=1}^n P_i \rfloor$$

the behaviour of the subsystem can be captured by

$$\mathsf{SubSys} \ \widehat{=}\ \underline{\boldsymbol{x}}(ti) = \underline{\boldsymbol{a}}(ti) \wedge \lceil \dot{\boldsymbol{v}} = \boldsymbol{0} \wedge \bigwedge_{i=1}^{n} P_i \rfloor$$

Fig. 4: An example of a triggered subsystem with rising edge trigger

Before triggering, the variables $\boldsymbol{v}$ of the lines in the subsystem should be initialised, because if the subsystem is not triggered at the beginning, it must be guaranteed that the values of $\boldsymbol{v}$ are valid. By default, $\boldsymbol{v}$ are initialised to $\boldsymbol{0}$ in Simulink.
If the subsystem is not triggered initially, the values of $\boldsymbol{v}$ keep constant. Besides, the trigger line z should also be initialised, because at the beginning the initial value of z is compared with the current value of z to determine whether the subsystem should be triggered at that time. By default, we also set z to 0 initially. Then, the initialisation is specified by

$$\mathsf{InitTrig} \ \widehat{=}\ [\boldsymbol{v}' = \boldsymbol{0} \wedge z' = 0] \mathbin{;} (\mathsf{Trigger} \wedge \mathsf{SubSys} \ \vee\ \mathsf{Idle})$$

In summary, the semantics of a triggered subsystem can be defined by

$$\mathsf{TrigSubSys} \ \widehat{=}\ \mathsf{InitTrig} \mathbin{;} (\mathsf{Trigger} \wedge \mathsf{SubSys})^*$$

When creating the causality graph of a triggered subsystem, we add edges from the trigger line to each input line inside the subsystem, since whether the input lines receive values from the outside is determined by the trigger line. For the example in Fig. 4, the causality graph $\mathcal{G}$ is given by $\{(z,x),(a,x),(x,y),(y,b)\}$.

**Example 21.** Consider the triggered subsystem in Fig. 4; we only analyse SubSys. Concretely, SubSys is equivalent to

$$\underline{x}(ti) = \underline{a}(ti) \wedge \lceil \dot{\underline{x}} = \dot{\underline{y}} = \dot{\underline{b}} = 0 \wedge \underline{b} = 2 \cdot \underline{y} \wedge \underline{y} = \underline{x} + 1 \rfloor$$

which expands as follows:

$$\underline{x}(ti^{+}) = \underline{x}(ti) = \underline{a}(ti) = \underline{a}(ti^{+}) \wedge \underline{y}(ti) = \underline{y}(ti^{+}) \wedge \underline{b}(ti) = \underline{b}(ti^{+}) \wedge \tag{7}$$

$$\forall t \in (ti, ti') \cdot \dot{\underline{x}}(t) = \dot{\underline{y}}(t) = \dot{\underline{b}}(t) = 0 \wedge \underline{b}(t) = 2 \cdot \underline{y}(t) \wedge \underline{y}(t) = \underline{x}(t) + 1 \tag{8}$$

$$\wedge\ RC(\underline{a}, ti, ti') \wedge SD(\underline{a}, ti, ti')$$

This process specifies the behaviour that the subsystem is triggered at the beginning and then keeps idle for some period.
First, the subsystem gets the latest input at ti, i.e., $\underline{x}(ti) = \underline{a}(ti)$; then, according to (8), we get the relation $\underline{b}(ti^+) = 2 \cdot \underline{y}(ti^+) \wedge \underline{y}(ti^+) = \underline{x}(ti^+) + 1$; combining with (7), we can infer that

$$\underline{b}(ti) = 2 \cdot \underline{y}(ti) \wedge \underline{y}(ti) = \underline{x}(ti) + 1 \tag{9}$$

which indicates that the subsystem executes the computation at the instant it is triggered; afterwards, x, y and b keep constant from ti to ti', and therefore the relation between these variables holds throughout the period (see (8)).

**Theorem 22.** If the triggered subsystem is well-formed, then TrigSubSys is a Simulink process with determined semantics.

*Proof.* According to Property 3 and by induction on the number of iterations of \*, TrigSubSys is a Simulink process. When the triggering signal z is determined, the triggering times are determined as well. When triggered, the subsystem gets the latest inputs and performs the execution expressed by a relation between the variables at that time (see (9)). Since the subsystem is well-formed, the solution of the relation is unique given any choice of input signals. The signals then keep constant until the next triggering time arrives. Therefore, the semantics represented by TrigSubSys is determined.

#### 5.3. Enabled subsystems

An enabled subsystem is similar to a normal subsystem except that its execution depends on the enabling signal: it executes as usual when the value of the enabling signal is larger than 0 and keeps idle otherwise. A sketch of an enabled subsystem is illustrated in Fig. 5. As for triggered subsystems, we assume that each enabled subsystem has only one enabling line z.

Fig. 5: A sketch of an enabled subsystem

The evolution of the enabling signal z can be seen as an interleaving of positive and non-positive phases.
Concretely, the evolution of z can be defined by

$$(z \le 0 \wedge \lceil z > 0 \rfloor \ \vee\ z \ge 0 \wedge \lceil z \le 0 \rfloor)^*$$

At the beginning of a positive phase, it is checked that the value of z from the preceding phase is non-positive ($z \le 0$); if so, the value of z keeps positive for some period ($\lceil z > 0 \rfloor$). The behaviour of non-positive phases is similar. In a positive phase, the inner input variables $\boldsymbol{x}$ should keep consistent with the input variables $\boldsymbol{a}$ to the overall subsystem, and then the subsystem executes as if it were a normal subsystem. Concretely, let $\mathsf{P}_i$ $(1 \le i \le n)$ be the process denoting the semantics of the i-th block in the subsystem; then the behaviour of the enabled subsystem in a positive phase can be described by

$$\mathsf{Enabled} \ \widehat{=}\ z \le 0 \wedge \lceil z > 0 \rfloor \wedge \lceil \boldsymbol{a} = \boldsymbol{x} \rfloor \wedge \bigwedge_{i=1}^{n} \mathsf{P}_i \wedge \boldsymbol{v}' = \underline{\boldsymbol{v}}(ti'^-)$$

where $\boldsymbol{v}$ are the variables of all the lines in the subsystem. Note that $\boldsymbol{a} \cap \boldsymbol{v} = \emptyset$ and $\boldsymbol{x} \subseteq \boldsymbol{v}$. In each non-positive phase, the subsystem does nothing and keeps idle:

$$\mathsf{Disabled} \ \widehat{=}\ z \ge 0 \wedge \lceil z \le 0 \rfloor \wedge \lceil \dot{\boldsymbol{v}} = \boldsymbol{0} \rfloor$$

In addition, as for triggered subsystems, the variables $\boldsymbol{v}$ of the lines in the subsystem should also be initialised. By default, $\boldsymbol{v}$ are initialised to $\boldsymbol{0}$.
If the subsystem is disabled during the initial period, i.e., z keeps non-positive, then $\boldsymbol{v}$ keeps constant:

$$\mathsf{Disabled'} \ \widehat{=}\ \lceil \underline{z} \le 0 \rfloor \wedge \lceil \underline{\boldsymbol{v}} = \boldsymbol{0} \rfloor$$

Otherwise, i.e., z keeps positive initially, the subsystem is enabled during the period:

$$\mathsf{Enabled'} \ \widehat{=}\ \lceil \underline{z} > 0 \rfloor \wedge \bigwedge_{i=1}^n \mathsf{P}_i \wedge \boldsymbol{v}' = \underline{\boldsymbol{v}}(ti'^-)$$

In summary, the semantics of an enabled subsystem is

$$\mathsf{EnSubSys} \ \widehat{=}\ (\mathsf{Enabled'} \vee \mathsf{Disabled'}) \mathbin{;} (\mathsf{Enabled} \vee \mathsf{Disabled})^*$$

As with triggered subsystems, when creating the causality graph of an enabled subsystem, we add edges from the enabling line to each input line inside the subsystem. An enabled subsystem is well-formed if its causality graph is acyclic.

**Theorem 23.** If the enabled subsystem is well-formed, then EnSubSys is a Simulink process with determined semantics.

*Proof.* According to Property 3 and Theorem 19, and by induction on the number of iterations of \*, EnSubSys is a Simulink process. Whether the subsystem is enabled or not depends on the enabling signal z. During an enabled period, the subsystem behaves as a (well-formed) normal subsystem with determined semantics; during a disabled period, the subsystem keeps quiescent. In summary, the semantics represented by EnSubSys is determined.

#### 5.4. Composite systems

A complex Simulink diagram is usually composed of hierarchical subsystems, each encapsulating specific functions. Preferably, the hierarchical structure should be preserved when defining the Simulink semantics. In this section, we show how modular design can be taken into account when defining the HUTP semantics of hierarchical Simulink diagrams. Overall, we adopt a bottom-up approach for defining the semantics.
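Before composing subsystems, the two atomic subsystem kinds of Sections 5.2 and 5.3 are illustrated by the following added Python script, which is not part of the paper. It runs the blocks of Fig. 4 ($y = x + 1$, $b = 2 \cdot y$, as in Example 21) once as a triggered subsystem and once as an enabled subsystem, on a constructed trigger/enabling line z and outside input a sampled at instants 0, 1, 2, ... (the paper's assumption that z is the output of a discrete block). The trigger condition is the rising-edge disjunction of Section 5.2 with the initial z set to 0 as in InitTrig; the input sequences and the sample grid are inventions of this example.

```python
# Added example, not from the paper: the triggered subsystem of Fig. 4 (blocks y = x + 1
# and b = 2*y) driven by a constructed trigger line, and the same blocks as an enabled
# subsystem. Signals are piecewise constant with sample time 1, so one list element is
# one sample instant.

def rising_edge(z_prev, z):
    """The rising-edge condition of Section 5.2: z^- < 0 and z >= 0, or z^- <= 0 and z > 0."""
    return (z_prev < 0 and z >= 0) or (z_prev <= 0 and z > 0)

# Blocks in causality order; each entry is (output line, function of the current line values).
FIG4_BLOCKS = [("y", lambda v: v["x"] + 1),
               ("b", lambda v: 2 * v["y"])]

def run_triggered(z, a, blocks=FIG4_BLOCKS):
    """TrigSubSys sampled at the instants 0, 1, 2, ...: z[k] is the trigger line and
    a[k] the outside input at instant k. Returns the inner lines x, y, b after each instant."""
    v = {"x": 0, "y": 0, "b": 0}      # InitTrig: inner lines start at 0 ...
    z_prev = 0                         # ... and z is compared with 0 at the first instant
    trace = []
    for zk, ak in zip(z, a):
        if rising_edge(z_prev, zk):    # Trigger
            v["x"] = ak                # x(ti) = a(ti): the only moment x follows a
            for out, fn in blocks:     # the blocks execute at the trigger instant
                v[out] = fn(v)
        # otherwise SubSys idles, [v' = 0]: x, y, b hold while a may keep changing
        trace.append(dict(v))
        z_prev = zk
    return trace

def run_enabled(z, a, blocks=FIG4_BLOCKS):
    """EnSubSys with the same blocks: in a positive phase of z the subsystem behaves as a
    normal subsystem with [a = x]; in a non-positive phase it holds, [v' = 0]."""
    v = {"x": 0, "y": 0, "b": 0}      # Disabled' / Enabled': lines start at 0
    trace = []
    for zk, ak in zip(z, a):
        if zk > 0:                     # Enabled
            v["x"] = ak
            for out, fn in blocks:
                v[out] = fn(v)
        trace.append(dict(v))          # Disabled: nothing changes
    return trace

def trigger_instants(z):
    """Instants at which TrigSubSys fires on z, starting from the initial z = 0."""
    z_prev, fired = 0, []
    for k, zk in enumerate(z):
        if rising_edge(z_prev, zk):
            fired.append(k)
        z_prev = zk
    return fired

# Constructed inputs: z crosses 0 from below at instants 2 and 8 and rises from 0 at 3 and 6.
Z = [-1, -1, 0, 1, 0, 0, 1, -1, 0]
A = [10, 11, 12, 13, 14, 15, 16, 17, 18]

if __name__ == "__main__":
    print("trigger instants:", trigger_instants(Z))
    print("triggered b:", [s["b"] for s in run_triggered(Z, A)])
    print("enabled   b:", [s["b"] for s in run_enabled(Z, A)])
```

Two consequences of the definitions are visible in the traces. Under the rising-edge disjunction the sequence -1, 0, 1 fires twice (at instants 2 and 3, once per disjunct), whereas the enabled variant only computes while z is strictly positive. And the trace of x shows why the paper separates x from a: at instant 4 the outside input a is 14 while the latched x is still 13.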
We start from the normal, enabled and triggered subsystems specified in Sections 5.1 to 5.3. Each well-formed subsystem can be treated as a unit, and we obtain the causality relation between its input and output variables by abstracting from the causality graph of the subsystem. For example, the causality graph of the triggered subsystem in Fig. 4 is $\{(z,x),(a,x),(x,y),(y,b)\}$, yielding the causality relation $\{(z,b),(a,b)\}$ of the subsystem. The causality graph of a high-level subsystem is then defined in terms of the causality relations of its component subsystems. We say a high-level subsystem is well-formed if (1) all its subsystems are well-formed and (2) the causality graph of the high-level subsystem is acyclic. For a well-formed high-level subsystem, its semantics can be represented by the parallel composition of the subsystems it contains.

**Theorem 24.** For a well-formed high-level subsystem, if the semantics of its subsystems are determined, then its HUTP semantics is determined and can be represented by a Simulink process.

*Proof.* Since the semantics of the subsystems in the high-level subsystem are determined, the theorem follows from Theorems 19, 22 and 23 and from the well-formedness of the high-level subsystem (the causality graph of variables constructed from the causality relations of its subsystems is acyclic).

Subsystems on the same level can be connected together by parallel composition. In this way, a Simulink diagram can be organised as a composite system composed of hierarchical subsystems, from atomic (normal, triggered and enabled) subsystems to high-level subsystems.

**Example 25.** Consider the Simulink diagram on the left of Fig. 2; it is a structured diagram consisting of two well-formed subsystems.
Note that although the causality graphs of these two subsystems are $\{(a, x)\}$ and $\{(b, y)\}$ respectively, the causality relations of these two subsystems are empty, as there is no causality relation between x and y. Therefore this diagram, which is a high-level subsystem, is well-formed. Then, we can define its semantics by the parallel composition of the two subsystems:

$$[\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}} \ \widehat{=}\ [\![\mathsf{Subsystem0}]\!]_{\mathsf{HUTP}} \parallel [\![\mathsf{Subsystem1}]\!]_{\mathsf{HUTP}}$$

where $[\![\mathsf{Subsystem0}]\!]_{\mathsf{HUTP}}$ and $[\![\mathsf{Subsystem1}]\!]_{\mathsf{HUTP}}$ are defined in Section 5.1.

# 6. Case study: proving the semantic consistency between Simulink and HCSP

In this section, we illustrate by an example how to prove the semantic consistency between Simulink diagrams and the translated HCSP models, based on the simplified HUTP semantics of Simulink. The example, shown in Fig. 2, is borrowed from Section 6.4 of (Xu et al., 2022a) with a slight modification. The syntax and semantics of HCSP can be found in (Zhan et al., 2017). For the Simulink diagram in Fig. 2, we set the initial values of the variables y and a to 0; the corresponding HCSP model, obtained by the translation algorithm in (Zou et al., 2013b), is as follows:

$$\begin{array}{lll}
[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}} & \widehat{=} & \mathsf{ConSubDiag} \parallel \mathsf{DisSubDiag} \\[4pt]
\mathsf{ConSubDiag} & \widehat{=} & y := 0;\ a := 0;\ \left( \langle \dot{a} = y, \dot{y} = b \,\&\, \mathbf{true} \rangle \trianglerighteq [\,]\left( \begin{array}{l} ch_a!a \to \mathsf{skip} \\ ch_b?b \to \mathsf{skip} \end{array} \right) \right)^* \\[4pt]
\mathsf{DisSubDiag} & \widehat{=} & t := 0;\ \left( \begin{array}{l} t\%2 == 0 \to (ch_a?a;\ x := a + 1); \\ t\%3 == 0 \to (b := x + 1;\ ch_b!b); \\ \mathbf{wait}(1) \end{array} \right)^*
\end{array}$$

where we now use $\parallel$ to denote the parallel operator of HCSP (and $\parallel_{\mathrm{SIM}}$ to denote the parallel operator on Simulink processes). As shown in Fig. 2 (right), the diagram consisting of two subsystems is flattened and then divided into two sub-diagrams:

- (1) the continuous sub-diagram ConSubDiag, consisting of the continuous blocks Int0 and Int1;
- (2) the discrete sub-diagram DisSubDiag, consisting of the discrete blocks Bias0 and Bias1.

The parallel composition of ConSubDiag and DisSubDiag is by communication: ConSubDiag evolves along the ODEs $\dot{a} = y, \dot{y} = b$ until it is interrupted by a communication along $ch_a$ or $ch_b$. It sends the value of a to DisSubDiag via channel $ch_a$ and receives the value of b from DisSubDiag via channel $ch_b$. Notice that shared variables are not allowed in HCSP. In the latest version of our tool chain MARS<sup>1</sup>, we implemented a new translation algorithm from Simulink to HCSP that avoids communication: the Simulink diagram is translated to a single sequential HCSP process. For the diagram in Fig. 2 (right), it is translated to the following process:

$$[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}} \ \widehat{=}\ tt := 0;\ a := 0;\ y := 0;\ \left( \begin{array}{l} tt\%2 == 0 \to x := a + 1; \\ tt\%3 == 0 \to b := x + 1; \\ \langle \dot{a} = y, \dot{y} = b, \dot{tt} = 1 \,\&\, \mathbf{true} \rangle \trianglerighteq_{1} \mathsf{skip} \end{array} \right)^{+} \tag{10}$$

In the above process, tt denotes the time variable and is set to 0 initially. The initial values of a and y, the output lines of the two Integrator blocks, are also set to 0. Then, at each iteration, we execute the discrete blocks according to a topological order. In the discrete sub-diagram in Fig. 2 (right), Bias0 precedes Bias1, as the input of the latter depends on the output of the former.
Bias0 executes (updates its output x according to the latest input a) if the current time is a multiple of its sample time 2, and does nothing otherwise, which is depicted by the HCSP process $tt\%2 == 0 \to x := a + 1$. The process of Bias1 is similar. After the discrete blocks have updated their outputs, the whole diagram waits for 1 time unit, which is the greatest common divisor of the sample times of Bias0 and Bias1. During the waiting period, the continuous blocks Int0 and Int1 evolve. The evolution is described by $\langle \dot{a} = y, \dot{y} = b, \dot{tt} = 1 \,\&\, \mathbf{true} \rangle \trianglerighteq_1 \mathsf{skip}$, which states that the ODE evolves for exactly 1 time unit ($\trianglerighteq_1$) and then nothing further happens (skip). The superscript + means that the loop iterates at least once.

<sup>1</sup> https://gitee.com/bhzhan/mars.git

We will prove the consistency between the example and the newly translated HCSP process (10) by comparing the HUTP semantics of Diagram and of $[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}$. The HUTP semantics of HCSP has already been given in (Xu et al., 2022a), but it is based on normal hybrid designs. Since defining the new HUTP semantics of HCSP in terms of abstract hybrid processes is not the concern of this paper, we simply present the definitions that suffice to express the HUTP semantics of $[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}$ of (10):

- The skip statement terminates immediately, having no effect on variables; it is modelled as the relational identity:

$$[\![\mathsf{skip}]\!]_{\mathsf{HUTP}} \ \widehat{=}\ \mathsf{Skip}$$

- The assignment of the value e to a variable x is modelled as setting x to e and keeping all other variables constant, provided e can be successfully evaluated.
Let the alphabet be $\{ti, ti', \mathbf{v}, \mathbf{v}'\}$, where $x \in \mathbf{v}$; then

$$[\![x := e]\!]_{\mathsf{HUTP}} \ \widehat{=}\ [\varphi(e) \wedge x' = e \wedge \mathbf{v}' \setminus \{x'\} = \mathbf{v} \setminus \{x\}]$$

where $\varphi(e)$ specifies the condition under which e can be evaluated.

- The sequential composition P; Q behaves as P first and as Q afterwards:

$$[\![\mathsf{P};\mathsf{Q}]\!]_{\mathsf{HUTP}} \ \widehat{=}\ [\![\mathsf{P}]\!]_{\mathsf{HUTP}} \mathbin{;} [\![\mathsf{Q}]\!]_{\mathsf{HUTP}}$$

- The alternative $B \to \mathsf{P}$, where B is a Boolean expression, behaves as P if B is true; otherwise, it does nothing:

$$[\![B \to \mathsf{P}]\!]_{\mathsf{HUTP}} \ \widehat{=}\ [\![\mathsf{P}]\!]_{\mathsf{HUTP}} \lhd B \rhd \mathsf{Skip}$$

- The recursion $\mathsf{P}^+$ is defined as the least fixed point:

$$[\![\mathsf{P}^+]\!]_{\mathsf{HUTP}} \ \widehat{=}\ [\![\mathsf{P}]\!]_{\mathsf{HUTP}}^+ \ =\ \mu X.\,([\![\mathsf{P}]\!]_{\mathsf{HUTP}} \ \vee\ [\![\mathsf{P}]\!]_{\mathsf{HUTP}} \mathbin{;} X)$$

- A continuous evolution statement $\langle F(\dot{\boldsymbol{s}}, \boldsymbol{s}) = 0 \,\&\, B \rangle$ says that the process keeps waiting, and meanwhile keeps continuously evolving following the differential equations F, until the domain constraint B is violated:

$$[\![\langle F(\dot{\boldsymbol{s}}, \boldsymbol{s}) = 0 \,\&\, B \rangle]\!]_{\mathsf{HUTP}} \ \widehat{=}\ \mathsf{Exit} \ \vee\ (\mathsf{ODE} \mathbin{;} \mathsf{Exit})$$

where

$$\mathsf{Exit} \ \widehat{=}\ [\neg B(\boldsymbol{s}) \wedge \boldsymbol{s}' = \boldsymbol{s}] \qquad\qquad \mathsf{ODE} \ \widehat{=}\ \lceil F(\dot{\boldsymbol{s}}, \boldsymbol{s}) = 0 \wedge B[\underline{\boldsymbol{s}}/\boldsymbol{s}] \rfloor$$

- $\langle F(\dot{\boldsymbol{s}}, \boldsymbol{s}) = 0 \,\&\, B \rangle \trianglerighteq_d \mathsf{P}$ behaves like $\langle F(\dot{\boldsymbol{s}}, \boldsymbol{s}) = 0 \,\&\, B \rangle$ if the evolution terminates before d time units.
Otherwise, after d time units of evolution, it moves on to execute P:

$$[\![\langle F(\dot{\boldsymbol{s}}, \boldsymbol{s}) = 0 \,\&\, B \rangle \trianglerighteq_d \mathsf{P}]\!]_{\mathsf{HUTP}} \ \widehat{=}\ \mathsf{Exit} \ \vee\ (\mathsf{ODE}_{<d} \mathbin{;} \mathsf{Exit}) \ \vee\ (\mathsf{ODE}_d \mathbin{;} [\![\mathsf{P}]\!]_{\mathsf{HUTP}})$$

where

$$\mathsf{ODE}_{<d} \ \widehat{=}\ \lceil F(\dot{\boldsymbol{s}}, \boldsymbol{s}) = 0 \wedge B[\underline{\boldsymbol{s}}/\boldsymbol{s}] \rfloor_{<d} \qquad\qquad \mathsf{ODE}_{d} \ \widehat{=}\ \lceil F(\dot{\boldsymbol{s}}, \boldsymbol{s}) = 0 \wedge B[\underline{\boldsymbol{s}}/\boldsymbol{s}] \rfloor_{d}$$

The semantics of other statements, like communication ($ch?x$ and $ch!e$), ODE with communication interruption ($\langle F(\dot{\boldsymbol{s}}, \boldsymbol{s}) = 0 \,\&\, B \rangle \trianglerighteq [\,]_{i \in I}(io_i \to \mathsf{P}_i)$) and parallel composition ($\mathsf{P} \parallel \mathsf{Q}$), can also be represented by abstract hybrid processes. Since they are not involved in $[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}$ of (10), we omit the details.

Note that the above HUTP representations of HCSP processes are abstract hybrid processes rather than Simulink processes, because $[\![\mathsf{skip}]\!]_{\mathsf{HUTP}}$ and $[\![x := e]\!]_{\mathsf{HUTP}}$ are not Simulink processes: they violate the healthiness condition $\mathcal{H}_{SIM}$. Hence, the HUTP representation of $[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}$ of (10) can expand to

According to the above result, $[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}}$ is $\mathcal{H}_{SIM}$-healthy, i.e., it is a Simulink process. For the HUTP semantics of the left diagram in Fig. 2, we get

$$\begin{array}{lll}
[\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}} & = & [\![\mathsf{Subsystem0}]\!]_{\mathsf{HUTP}} \parallel [\![\mathsf{Subsystem1}]\!]_{\mathsf{HUTP}} \\
& = & [\![\mathsf{Subsystem0}]\!]_{\mathsf{HUTP}} \wedge [\![\mathsf{Subsystem1}]\!]_{\mathsf{HUTP}} \qquad (\text{Property 5})
\end{array}$$

where $\parallel$ denotes $\parallel_{\mathrm{SIM}}$, and

Note that in the above formulas, for brevity, we omit the state variables and replace them by the corresponding output variables, because the state variable and the output variable of an Integrator block coincide in this setting. However, $[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}} \neq [\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$ in two respects: (1) more variables are involved in $[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}}$, such as tt; (2) the duration of $[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}}$ is always a positive integer ($ti' - ti = n \in \mathbb{N}^+$), whereas that of $[\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$ can be any positive real number. Therefore, we formulate a notion of equivalence under which $[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}}$ and $[\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$ are considered equivalent.

**Definition 26** (Equivalence). Let Diagram be a Simulink diagram, S be the set of variables occurring in Diagram, and N be a positive integer.
Then Diagram and its translation to HCSP, i.e., $[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}$, are equivalent with respect to S until time N if $[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}}$ is equivalent to $[\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$ on the variables in S under the constraint $ti' - ti = N$, denoted

$$[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}} \ \equiv_{N,S}\ [\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$$

If $\forall N \in \mathbb{N}^+ \cdot [\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}} \equiv_{N,S} [\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$, then

$$[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}} \ \equiv_{S}\ [\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$$

Intuitively, we compare two HUTP representations (with potentially different alphabets) by first projecting them on their shared variables, and then checking whether the two resulting representations are equivalent over the same duration. Since we are only concerned with the variables relating to the lines of the Simulink diagram, we let $S = \{\underline{a}, \underline{b}, \underline{x}, \underline{y}\}$. Then we expand $(ti' - ti = N) \wedge [\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$. Before expanding, we reformulate $(ti' - ti = N) \wedge [\![\mathsf{Subsystem0}]\!]_{\mathsf{HUTP}}$ to observe the finer-grained behaviour of Subsystem0, i.e., we shorten the step size of Subsystem0 from 2 to 1.
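The following added Python script, which is not part of the paper, carries out this check concretely for the diagram of Fig. 2. `run_hcsp` executes process (10) literally, solving the ODE exactly on each unit step (b is constant there, so y is linear and a quadratic in the elapsed time). `run_simulink` runs the block diagram as the text describes it, with the discrete blocks updating at their own sample times 2 and 3 on the common step gcd(2, 3) = 1 and holding their outputs otherwise, and with each Integrator output represented as an exact polynomial over the step (the same refinement to step size 1 that the symbolic expansion below performs). `equivalent_until` then projects both traces on S = {a, b, x, y} and compares them over N time units, which is the $\equiv_{N,S}$ check of Definition 26 restricted to a finite sample grid. The quarter-step grid, the polynomial representation and the function names are choices of this example; the initial values a = y = 0, the block functions and the sample times come from the text.

```python
from fractions import Fraction as F
from math import gcd

# Added example, not from the paper. Rational arithmetic keeps every comparison exact.
GRID = [F(j, 4) for j in range(4)]      # sample offsets inside each unit step (a choice)
LINES = ("a", "b", "x", "y")            # S: the lines of the Simulink diagram

def run_hcsp(N):
    """Execute process (10) for N iterations of the (...)^+ loop and record a, b, x, y at
    each grid time. Within a step b is constant, so <a' = y, y' = b> has the exact solution
    y(tau) = y + b*tau and a(tau) = a + y*tau + b*tau^2/2."""
    tt, a, y = F(0), F(0), F(0)          # tt := 0; a := 0; y := 0
    x = b = None                          # both assigned at tt = 0 before they are read
    trace = []
    while True:                           # (...)^+ : the body runs at least once
        if tt % 2 == 0:                   # tt%2 == 0 -> x := a + 1
            x = a + 1
        if tt % 3 == 0:                   # tt%3 == 0 -> b := x + 1
            b = x + 1
        for off in GRID:                  # <a' = y, y' = b, tt' = 1 & true> |>_1 skip
            trace.append((tt + off, {"a": a + y * off + b * off * off / 2,
                                     "b": b, "x": x, "y": y + b * off}))
        a, y = a + y + b / 2, y + b       # state at the end of the unit step
        tt += 1
        if tt >= N:
            return trace

# Fig. 2 (right) as data. Discrete blocks: (sample time, output line, function of the
# current line values), in causality order (Bias0 feeds Bias1).
DISCRETE = [(2, "x", lambda v: v["a"] + 1),      # Bias0
            (3, "b", lambda v: v["x"] + 1)]      # Bias1
# Integrators: (output line, input line), ordered so that each input is already known as a
# polynomial when the block is processed (Int1 feeds Int0; feedback loops are not handled).
INTEGRATORS = [("y", "b"),                       # Int1: y' = b
               ("a", "y")]                       # Int0: a' = y

def poly_eval(p, tau):
    """Value of the polynomial with coefficients p (lowest degree first) at tau."""
    return sum(c * tau ** i for i, c in enumerate(p))

def poly_integral(p, s0):
    """Antiderivative of p whose value at tau = 0 is the integrator state s0."""
    return [F(s0)] + [F(c) / (i + 1) for i, c in enumerate(p)]

def run_simulink(N):
    """Run the diagram on the common step gcd of the sample times (1 here): a discrete block
    updates when the time is a multiple of its sample time and holds otherwise; continuous
    lines are exact polynomials in the elapsed time of the step."""
    v = {"a": F(0), "y": F(0), "x": F(0), "b": F(0)}   # a(ti) = y(ti) = 0; x, b set at K = 0
    step = gcd(*[st for st, _, _ in DISCRETE])
    trace = []
    for K in range(0, N, step):
        for st, out, fn in DISCRETE:
            if K % st == 0:
                v[out] = fn(v)
        polys = {line: [v[line]] for line in ("x", "b")}   # held, hence constant
        for out, inp in INTEGRATORS:
            polys[out] = poly_integral(polys[inp], v[out])
        for off in GRID:
            trace.append((F(K) + off, {line: poly_eval(polys[line], off) for line in LINES}))
        for out, _ in INTEGRATORS:
            v[out] = poly_eval(polys[out], step)         # state at the end of the step
    return trace

def equivalent_until(N, S=LINES):
    """The check of Definition 26 on the grid: same times and same values on S for N units."""
    h, s = run_hcsp(N), run_simulink(N)
    return len(h) == len(s) and all(
        th == ts and all(vh[line] == vs[line] for line in S)
        for (th, vh), (ts, vs) in zip(h, s))

if __name__ == "__main__":
    print("equivalent on S until N = 12:", equivalent_until(12))
```

A finite grid cannot replace the proof that follows for all $N \in \mathbb{N}^+$, but it catches translation mistakes cheaply: changing a sample time or the order of Bias0 and Bias1 on either side makes `equivalent_until` fail at the first affected step.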
Therefore, $(ti' - ti = N) \wedge [\![\mathsf{Subsystem0}]\!]_{\mathsf{HUTP}} = (ti' - ti = N) \wedge [\![\mathsf{Int0}]\!]_{\mathsf{HUTP}} \wedge [\![\mathsf{Bias0}]\!]_{\mathsf{HUTP}}$ can expand to

$$\begin{array}{l}
ti' - ti = N \wedge \underline{a}(ti) = 0 \wedge \forall K \in \mathbb{N}_{<N} \cdot \\
\quad (\underline{x}(ti+K) = \underline{a}(ti+K) + 1 \lhd K\%2 = 0 \rhd \underline{x}(ti+K) = \underline{x}(ti+K-1)) \\
\quad \wedge\ \forall t \in (ti+K, ti+K+1) \cdot \underline{\dot{a}}(t) = \underline{y}(t) \wedge \underline{\dot{x}}(t) = 0 \\
\wedge\ \forall t \in (ti, ti') \cdot \underline{a}(t^-) = \underline{a}(t) \wedge RC(\underline{a}, \underline{x}, \underline{y}, ti, ti') \wedge SD(\underline{a}, \underline{x}, \underline{y}, ti, ti')
\end{array}$$

We can also reformulate $(ti' - ti = N) \wedge [\![\mathsf{Subsystem1}]\!]_{\mathsf{HUTP}}$ by shortening the step size from 3 to 1:

$$\begin{array}{l}
ti' - ti = N \wedge \underline{y}(ti) = 0 \wedge \forall K \in \mathbb{N}_{<N} \cdot \\
\quad (\underline{b}(ti+K) = \underline{x}(ti+K) + 1 \lhd K\%3 = 0 \rhd \underline{b}(ti+K) = \underline{b}(ti+K-1)) \\
\quad \wedge\ \forall t \in (ti+K, ti+K+1) \cdot \underline{\dot{y}}(t) = \underline{b}(t) \wedge \underline{\dot{b}}(t) = 0 \\
\wedge\ \forall t \in (ti, ti') \cdot \underline{y}(t^-) = \underline{y}(t) \wedge RC(\underline{b}, \underline{x}, \underline{y}, ti, ti') \wedge SD(\underline{b}, \underline{x}, \underline{y}, ti, ti')
\end{array}$$

Therefore, $(ti' - ti = N) \wedge [\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}} = (ti' - ti = N) \wedge [\![\mathsf{Subsystem0}]\!]_{\mathsf{HUTP}} \wedge [\![\mathsf{Subsystem1}]\!]_{\mathsf{HUTP}}$, which can expand to

$$\begin{array}{l}
ti' - ti = N \wedge \underline{a}(ti) = 0 \wedge \underline{y}(ti) = 0 \wedge \forall K \in \mathbb{N}_{<N} \cdot \\
\quad (\underline{x}(ti+K) = \underline{a}(ti+K) + 1 \lhd K\%2 = 0 \rhd \underline{x}(ti+K) = \underline{x}(ti+K-1)) \\
\quad \wedge\ (\underline{b}(ti+K) = \underline{x}(ti+K) + 1 \lhd K\%3 = 0 \rhd \underline{b}(ti+K) = \underline{b}(ti+K-1)) \\
\quad \wedge\ \forall t \in (ti+K, ti+K+1) \cdot \underline{\dot{a}}(t) = \underline{y}(t) \wedge \underline{\dot{y}}(t) = \underline{b}(t) \wedge \underline{\dot{b}}(t) = \underline{\dot{x}}(t) = 0 \\
\wedge\ \forall t \in (ti, ti') \cdot \underline{a}(t^-) = \underline{a}(t) \wedge \underline{y}(t^-) = \underline{y}(t) \\
\wedge\ RC(\underline{a}, \underline{b}, \underline{x}, \underline{y}, ti, ti') \wedge SD(\underline{a}, \underline{b}, \underline{x}, \underline{y}, ti, ti')
\end{array}$$

and it can be proved that $[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}} \equiv_{N,S} [\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$ for any $N \in \mathbb{N}^+$, i.e.,

$$[\![[\![\mathsf{Diagram}]\!]_{\mathsf{HCSP}}]\!]_{\mathsf{HUTP}} \ \equiv_S\ [\![\mathsf{Diagram}]\!]_{\mathsf{HUTP}}$$

Compared with the proof of semantic consistency based on normal hybrid designs in Section 6.4 of (Xu et al., 2022a), the proof in this section is more formal and concise, because we adopt Simulink processes as the semantic foundation for Simulink. After all, Simulink processes, a subset of abstract hybrid processes, are much simpler than normal hybrid designs, and arguably more suitable for defining the Simulink semantics.

#### 7. Related works

There is a large body of existing work on the formal semantics of Simulink and on the translation of Simulink models to other languages as part of various system design workflows. Initial work focused on the discrete part of Simulink. Tripakis et al. described a translation of discrete Simulink to the dataflow language Lustre (Tripakis et al., 2005). Dragomir et al. translated Simulink's hierarchical block diagrams into an algebra of transformers connected together via series, parallel and feedback operators (Dragomir et al., 2016). In follow-up work, Preoteasa et al. proved the determinacy of these translations, showing that the semantics of the resulting model does not depend on the various choices made during translation (Preoteasa et al., 2019). The proofs are formalised in the interactive theorem prover Isabelle/HOL. This line of work resulted in the Refinement Calculus of Reactive Systems (RCRS) toolset for modelling and reasoning about reactive systems (Dragomir et al., 2020).
Compared to RCRS, we consider in addition the continuous blocks in Simulink (without discretisation), triggered and enabled subsystems, and multi-rate systems, establishing the determinacy of the semantics in this more general setting. Ye et al. present a compositional assume-guarantee reasoning framework that provides a purely relational mathematical semantics for discrete-time Simulink diagrams, and then verifies the diagrams against contracts in the same UTP semantics (Ye et al., 2020). However, that work only captures single-sampling-rate Simulink models; multi-rate models are not supported by the reasoning framework. Existing works take different approaches to formalising the semantics of continuous blocks in Simulink. Some focus on describing in detail how ODE solving and zero-crossing detection are performed. For example, Bouissou et al. gave an operational semantics for both continuous-time and discrete-time blocks in Simulink that emphasises the details of numerical simulation (Bouissou and Chapoutot, 2012). Other works focus on first giving a mathematically precise definition of the semantics, and then possibly considering connections to numerical simulation results. Lee and Zheng (Lee and Zheng, 2005) detailed the issues that arise when defining the semantics of hybrid systems. They described a semantic model where each signal is given by a function from tags to states, where each tag consists of a time and an integer, thus able to describe multiple computation steps at a single time point. While they give semantics for HyVisual (part of the Ptolemy framework), many of the ideas apply to Simulink as well. Benveniste et al. (Benveniste et al., 2012) gave an alternative semantic model based on the theory of non-standard analysis, which is able to handle cascades of zero-crossings resulting from continuous triggers in the system. Based on this model, Bourke et al. 
proposed Zélus (Bourke and Pouzet, 2013), extending a Lustre-like synchronous language with ODEs. The Zélus language is then used to give semantics to a large collection of Simulink blocks (Bourke et al., 2017). Compared to semantics based on tags and non-standard analysis, we use a simpler semantic model based on functions from real numbers. On the other hand, we currently do not consider continuous triggers and hence cascaded zero-crossings. Several existing works connect the translation from Simulink to models of hybrid systems with verification using either model checking or theorem proving. Liebrenz et al. (Liebrenz et al., 2018) proposed a translation from Simulink diagrams to differential dynamic logic (Platzer, 2008), for verification in the KeYmaera X tool. The work of Agrawal et al. (Agrawal et al., 2004) translates Simulink/Stateflow models to hybrid automata using graph transformations. Minopoli et al. (Minopoli and Frehse, 2016) translate Simulink into SpaceEx models. Our work originated from the initial translation method of Zou et al. (Zou et al., 2013b) from Simulink models into HCSP, within the MARS platform for analysis, verification and simulation of hybrid systems (Chen et al., 2017), and the theory of higher-order UTP (Xu et al., 2022a). We then proposed a unified graphical co-modelling, analysis and verification of CPSs by combining AADL and Simulink/Stateflow (Xu et al., 2022b) based on these works. Compared to these previous works, our method yields simpler translated results, and permits easier proofs of semantic determinacy as well as of the correctness of the translation. # 8. Conclusions and future works Reflecting the complexity of cyber-physical systems design, the semantics of Simulink models is highly complex. 
With the aim of breaking down this complexity, we abstract the meaning of hierarchical Simulink diagrams into logically and mathematically comprehensible terms, by employing a notion of Simulink processes, a subset of abstract hybrid processes, defined in HUTP. Based on our HUTP semantics of Simulink, we construct a framework for proving Simulink diagrams consistent with their translation into HCSP. We provide a case study that illustrates and justifies this translation. Future works. As mentioned in Section 5.1, existing translation procedures from Simulink to HCSP begin by flattening some subsystems, which undermines the modular design of Simulink diagrams. Therefore, we will consider improving the translation algorithm to take modular design into account. In this paper, we only introduce parts of the new HUTP semantics of HCSP when proving the semantic consistency in Section 6. In the future, we will provide the complete definition of the new HUTP representation of HCSP, covering communication and ODEs with communication interrupts, and prove its consistency with the operational semantics of HCSP. Finally, based on the HUTP representation, we will provide a systematic proof (not just by examples) of the correctness of the translation algorithm from Simulink to HCSP. # Acknowledgement This research is partly supported by NSFC under grant No. 62192732, 62192730, 62032024, and 61972385, and is also partly funded by Inria's joint research project CONVEX. The authors would like to thank the editors and anonymous reviewers, whose criticisms and suggestions greatly improved the presentation of our work. #### References - Agrawal, A., Simon, G., Karsai, G., 2004. Semantic translation of Simulink/Stateflow models to hybrid automata using graph transformations. Electron. Notes Theor. Comput. Sci. 109, 43–56. - Benveniste, A., Bourke, T., Caillaud, B., Pouzet, M., 2012. Non-standard semantics of hybrid systems modelers. J. Comput. Syst. Sci. 78, 877–910. 
- Benveniste, A., Caillaud, B., Nickovic, D., Passerone, R., Raclet, J.B., Reinkemeier, P., Sangiovanni-Vincentelli, A.L., Damm, W., Henzinger, T.A., Larsen, K.G., 2018. Contracts for system design. Foundations and Trends in Electronic Design Automation 12, 124–400. - Bouissou, O., Chapoutot, A., 2012. An operational semantics for Simulink's simulation engine. SIGPLAN Not. 47, 129–138. - Bourke, T., Carcenac, F., Colaço, J., Pagano, B., Pasteur, C., Pouzet, M., 2017. A synchronous look at the Simulink standard library. ACM Trans. Embed. Comput. Syst. 16, 176:1–176:24. - Bourke, T., Pouzet, M., 2013. Zélus: a synchronous language with ODEs, in: 16th International Conference on Hybrid Systems: Computation and Control (HSCC), pp. 113–118. - Chen, M., Han, X., Tang, T., Wang, S., Yang, M., Zhan, N., Zhao, H., Zou, L., 2017. MARS: A toolchain for modelling, analysis and verification of hybrid systems, in: Provably Correct Systems. Springer. NASA Monographs in Systems and Software Engineering, pp. 39–58. - Dragomir, I., Preoteasa, V., Tripakis, S., 2016. Compositional semantics and analysis of hierarchical block diagrams, in: 23rd International Symposium on Model Checking Software (SPIN), Springer. pp. 38–56. - Dragomir, I., Preoteasa, V., Tripakis, S., 2020. The refinement calculus of reactive systems toolset. Int. J. Softw. Tools Technol. Transf. 22, 689–708. - Foster, S., Cavalcanti, A., Canham, S., Woodcock, J., Zeyda, F., 2020. Unifying theories of reactive design contracts. Theor. Comput. Sci. 802, 105–140. - Gajski, D.D., Abdi, S., Gerstlauer, A., Schirner, G., 2009. Embedded System Design: Modeling, Synthesis, Verification. Springer-Verlag. - Hoare, C.A.R., He, J., 1998. Unifying Theories of Programming. Prentice Hall, Englewood Cliffs. - Lee, E.A., Zheng, H., 2005. Operational semantics of hybrid systems, in: Hybrid Systems: Computation and Control, 8th International Workshop (HSCC), pp. 25–53. - Liebrenz, T., Herber, P., Glesner, S., 2018. 
Deductive verification of hybrid control systems modeled in Simulink with KeYmaera X, in: International Conference on Formal Engineering Methods (ICFEM), Springer. pp. 89–105. - Manna, Z., Pnueli, A., 1993. Verifying hybrid systems, in: Grossman, R.L., Nerode, A., Ravn, A.P., Rischel, H. (Eds.), Hybrid Systems, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 4–35. - MathWorks, 2013. Simulink® User's Guide. http://www.mathworks.com/help/pdf\_doc/simulink/sl\_using.pdf. - Minopoli, S., Frehse, G., 2016. SL2SX translator: From Simulink to SpaceEx models, in: 19th International Conference on Hybrid Systems: Computation and Control (HSCC), pp. 93–98. - Platzer, A., 2008. Differential dynamic logic for hybrid systems. J. Autom. Reason. 41, 143–189. - Preoteasa, V., Dragomir, I., Tripakis, S., 2019. Mechanically proving determinacy of hierarchical block diagram translations, in: 20th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI), pp. 577–600. - Tarski, A., 1955. A lattice-theoretical fixpoint theorem and its applications. Pacific Journal of Mathematics 5, 285–309. - Tripakis, S., Sofronis, C., Caspi, P., Curic, A., 2005. Translating discrete-time Simulink to Lustre. ACM Trans. Embed. Comput. Syst. 4, 779–818. - Wang, S., Zhan, N., Zou, L., 2015. An improved HHL prover: an interactive theorem prover for hybrid systems, in: International Conference on Formal Engineering Methods (ICFEM), Springer. pp. 382–399. - Xu, X., Talpin, J.P., Wang, S., Zhan, B., Zhan, N., 2022a. Semantics foundation for cyber-physical systems using higher-order UTP. ACM Trans. Softw. Eng. Methodol. - Xu, X., Wang, S., Zhan, B., Jin, X., Talpin, J.P., Zhan, N., 2022b. Unified graphical co-modeling, analysis and verification of cyber-physical systems by combining AADL and Simulink/Stateflow. Theor. Comput. Sci. 903, 1–25. - Ye, K., Foster, S., Woodcock, J., 2020. 
Compositional assume-guarantee reasoning of control law diagrams using UTP, in: From Astrophysics to Unconventional Computation. Springer, pp. 215–254. - Zhan, N., Wang, S., Zhao, H., 2017. Formal Verification of Simulink/Stateflow Diagrams (A Deductive Approach). Springer. - Zou, L., Lv, J., Wang, S., Zhan, N., Tang, T., Yuan, L., Liu, Y., 2013a. Verifying Chinese train control system under a combined scenario by theorem proving, in: Verified Software: Theories, Tools, Experiments (VSTTE), pp. 262–280. - Zou, L., Zhan, N., Wang, S., Fränzle, M., 2015. Formal verification of Simulink/Stateflow diagrams, in: 13th International Symposium on Automated Technology for Verification and Analysis (ATVA), Springer. pp. 464–481. - Zou, L., Zhan, N., Wang, S., Fränzle, M., Qin, S., 2013b. Verifying Simulink diagrams via a hybrid Hoare logic prover, in: International Conference on Embedded Software (EMSOFT), IEEE. pp. 1–10.