Timed automata and the theory of real numbers

A Tutorial on Uppaal4.0Updated November28,2006Gerd Behrmann,Alexandre David,and Kim rsenDepartment of Computer Science,Aalborg University,Denmark{behrmann,adavid,kgl}@cs.auc.dk.Abstract.This is a tutorial paper on the tool Uppaal.Its goal is to bea short introduction on theflavour of timed automata implemented inthe tool,to present its interface,and to explain how to use the tool.Thecontribution of the paper is to provide reference examples and modellingpatterns.1IntroductionUppaal is a toolbox for verification of real-time systems jointly developed by Uppsala University and Aalborg University.It has been applied successfully in case studies ranging from communication protocols to multimedia applications [35,55,24,23,34,43,54,44,30].The tool is designed to verify systems that can be modelled as networks of timed automata extended with integer variables,struc-tured data types,user defined functions,and channel synchronisation.Thefirst version of Uppaal was released in1995[52].Since then it has been in constant development[21,5,13,10,26,27].Experiments and improvements in-clude data structures[53],partial order reduction[20],a distributed version of Uppaal[17,9],guided and minimal cost reachability[15,51,16],work on UML Statecharts[29],acceleration techniques[38],and new data structures and memory reductions[18,14].Version4.0[12]brings symmetry reduction[36], the generalised sweep-line method[49],new abstraction techniques[11],priori-ties[28],and user defined functions to the mainstream.Uppaal has also gen-erated related Ph.D.theses[50,57,45,56,19,25,32,8,31].It features a Java user interface and a verification engine written in C++.It is freely available at /.This tutorial covers networks of timed automata and theflavour of timed automata used in Uppaal in section2.The tool itself is described in section3, and three extensive examples are covered in sections4,5,and6.Finally,section7 introduces common modelling patterns often used with Uppaal.2Timed Automata in UppaalThe model-checker Uppaal is based on the theory of timed automata[4](see[42] for automata theory)and its modelling language offers additional features such as bounded integer variables and urgency.The query language of Uppaal,usedto specify properties to be checked,is a subset of TCTL (timed computation tree logic)[39,3].In this section we present the modelling and the query languages of Uppaal and we give an intuitive explanation of time in timed automata.2.1The Modelling LanguageNetworks of Timed Automata A timed automaton is a finite-state machine extended with clock variables.It uses a dense-time model where a clock variable evaluates to a real number.All the clocks progress synchronously.In Uppaal ,a system is modelled as a network of several such timed automata in parallel.The model is further extended with bounded discrete variables that are part of the state.These variables are used as in programming languages:They are read,written,and are subject to common arithmetic operations.A state of the system is defined by the locations of all automata,the clock values,and the values of the discrete variables.Every automaton may fire an edge (sometimes misleadingly called a transition)separately or synchronise with another automaton 1,which leads to a new state.Figure 1(a)shows a timed automaton modelling a simple lamp.The lamp has three locations:off ,low ,and bright .If the user presses a button,i.e.,synchronises with press?,then the lamp is turned on.If the user presses the button again,the lamp is turned off.However,if the user is fast and rapidly presses the button twice,the lamp is turned on and becomes bright.The user model is shown in Fig.1(b).The user can press the button randomly at any time or even not press the button at all.The clock y of the lamp is used to detect if the user was fast (y <5)or slow (y >=5).press?‚‚‚‚‚press!(a)Lamp.(b)User.Fig.1.The simple lamp example.We give the basic definitions of the syntax and semantics for the basic timed automata.In the following we will skip the richer flavour of timed automata supported in Uppaal ,i.e.,with integer variables and the extensions of urgent and committed locations.For additional information,please refer to the helpmenu inside the tool.We use the following notations:C is a set of clocks and B (C )is the set of conjunctions over simple conditions of the form x ⊲⊳c or x −y ⊲⊳c ,where x,y ∈C ,c ∈N and ⊲⊳∈{<,≤,=,≥,>}.A timed automaton is a finite directed graph annotated with conditions over and resets of non-negative real valued clocks.Definition 1(Timed Automaton (TA)).A timed automaton is a tuple (L,l 0,C,A,E,I ),where L is a set of locations,l 0∈L is the initial location,C is the set of clocks,A is a set of actions,co-actions and the internal τ-action,E ⊆L ×A ×B (C )×2C ×L is a set of edges between locations with an action,a guard and a set of clocks to be reset,and I :L →B (C )assigns invariants to locations. In the previous example on Fig.1,y:=0is the reset of the clock y ,and the labels press?and press!denote action–co-action (channel synchronisations here).We now define the semantics of a timed automaton.A clock valuation is a function u :C →R ≥0from the set of clocks to the non-negative reals.Let R C be the set of all clock valuations.Let u 0(x )=0for all x ∈C .We will abuse the notation by considering guards and invariants as sets of clock valuations,writing u ∈I (l )to mean that u satisfies I (l ).0000000001111111110001110000000000000000000000000000000000000000000000001111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000011111111111111111111111111111111111111111111111111111111000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110000111100001111<B,x=1><A,x=2><A,x=3><A,x=3>action transition delay(+1) transition delay(+2) transition state: <A,x=1>actiontransitionOK invalid action transition invalid state: invariant x<3 violatedFig.2.Semantics of TA:different transitions from a given initial state.Definition 2(Semantics of TA).Let (L,l 0,C,A,E,I )be a timed automaton.The semantics is defined as a labelled transition system S,s 0,→ ,where S ⊆L ×R C is the set of states,s 0=(l 0,u 0)is the initial state,and →⊆S ×(R ≥0∪A )×S is the transition relation such that:–(l,u )d−→(l,u +d )if ∀d ′:0≤d ′≤d =⇒u +d ′∈I (l ),and –(l,u )a −→(l ′,u ′)if there exists e =(l,a,g,r,l ′)∈E s.t.u ∈g ,u ′=[r →0]u ,and u ′∈I (l ′),3where for d∈R≥0,u+d maps each clock x in C to the value u(x)+d,and [r→0]u denotes the clock valuation which maps each clock in r to0and agrees with u over C\r. Figure2illustrates the semantics of TA.From a given initial state,we can choose to take an action or a delay transition(different values here).Depending of the chosen delay,further actions may be forbidden.Timed automata are often composed into a network of timed automata over a common set of clocks and actions,consisting of n timed automata A i= (L i,l0i,C,A,E i,I i),1≤i≤n.A location vector is a vector¯l=(l1,...,l n). We compose the invariant functions into a common function over location vec-tors I(¯l)=∧i I i(l i).We write¯l[l′i/l i]to denote the vector where the i th element l i of¯l is replaced by l′i.In the following we define the semantics of a network of timed automata.Definition3(Semantics of a network of Timed Automata).Let A i= (L i,l0i,C,A,E i,I i)be a network of n timed automata.Let¯l0=(l01,...,l0n)be the initial location vector.The semantics is defined as a transition system S,s0,→ , where S=(L1×···×L n)×R C is the set of states,s0=(¯l0,u0)is the initial state,and→⊆S×S is the transition relation defined by:–(¯l,u)d−→(¯l,u+d)if∀d′:0≤d′≤d=⇒u+d′∈I(¯l).−−→l′i s.t.u∈g,–(¯l,u)a−→(¯l[l′i/l i],u′)if there exists l iτgru′=[r→0]u and u′∈I(¯l[l′i/l i]).–(¯l,u)a−→(¯l[l′j/l j,l′i/l i],u′)if there exist l i c?g i r i−−−−→l′i and−−−−→l′j s.t.u∈(g i∧g j),u′=[r i∪r j→0]u and u′∈I(¯l[l′j/l j,l′i/l i]).l j c!g j r jAs an example of the semantics,the lamp in Fig.1may have the follow-ing states(we skip the user):(Lamp.off,y=0)→(Lamp.off,y=3)→(Lamp.low,y=0)→(Lamp.low,y=0.5)→(Lamp.bright,y=0.5)→(Lamp.bright,y=1000)...Timed Automata in Uppaal The Uppaal modelling language extends timed automata with the following additional features(see Fig.3:Templates automata are defined with a set of parameters that can be of any type(e.g.,int,chan).These parameters are substituted for a given argument in the process declaration.Constants are declared as const name value.Constants by definition cannot be modified and must have an integer value.Bounded integer variables are declared as int[min,max]name,where min and max are the lower and upper bound,respectively.Guards,invariants,and assignments may contain expressions ranging over bounded integer variables.The bounds are checked upon verification and violating a bound leads to an invalid state that is discarded(at run-time).If the bounds are omitted,the default range of-32768to32768is used.4Fig.3.Declarations of a constant and a variable,and illustration of some of the channel synchronisations between two templates of the train gate example of Section4,and some committed locations.5Binary synchronisation channels are declared as chan c.An edge labelled with c!synchronises with another labelled c?.A synchronisation pair is chosen non-deterministically if several combinations are enabled. Broadcast channels are declared as broadcast chan c.In a broadcast syn-chronisation one sender c!can synchronise with an arbitrary number of receivers c?.Any receiver than can synchronise in the current state must do so.If there are no receivers,then the sender can still execute the c!action,i.e.broadcast sending is never blocking.Urgent synchronisation channels are declared by prefixing the channel decla-ration with the keyword urgent.Delays must not occur if a synchronisation transition on an urgent channel is enabled.Edges using urgent channels for synchronisation cannot have time constraints,i.e.,no clock guards. Urgent locations are semantically equivalent to adding an extra clock x,that is reset on all incoming edges,and having an invariant x<=0on the location.Hence,time is not allowed to pass when the system is in an urgent location. Committed locations are even more restrictive on the execution than urgent locations.A state is committed if any of the locations in the state is commit-ted.A committed state cannot delay and the next transition must involve an outgoing edge of at least one of the committed locations.Arrays are allowed for clocks,channels,constants and integer variables.They are defined by appending a size to the variable name,e.g.chan c[4];clock a[2];int[3,5]u[7];.Initialisers are used to initialise integer variables and arrays of integer vari-ables.For instance,int i=2;or int i[3]={1,2,3};.Record types are declared with the struct construct like in C.Custom types are defined with the C-like typedef construct.You can define any custom-type from other basic types such as records.User functions are defined either globally or locally to templates.Template parameters are accessible from local functions.The syntax is similar to C except that there is no pointer.C++syntax for references is supported for the arguments only.Expressions in Uppaal Expressions in Uppaal range over clocks and integer variables.The BNF is given in Fig.33in the appendix.Expressions are used with the following labels:Select A select label contains a comma separated list of name:type expressions where name is a variable name and type is a defined type(built-in or custom).These variables are accessible on the associated edge only and they will takea non-deterministic value in the range of their respective types.Guard A guard is a particular expression satisfying the following conditions: it is side-effect free;it evaluates to a boolean;only clocks,integer variables, and constants are referenced(or arrays of these types);clocks and clock differences are only compared to integer expressions;guards over clocks are essentially conjunctions(disjunctions are allowed over integer conditions).A guard may call a side-effect free function that returns a bool,although clock constraints are not supported in such functions.6Synchronisation A synchronisation label is either on the form Expression!or Expression?or is an empty label.The expression must be side-effect free, evaluate to a channel,and only refer to integers,constants and channels. Update An update label is a comma separated list of expressions with a side-effect;expressions must only refer to clocks,integer variables,and constants and only assign integer values to clocks.They may also call functions. Invariant An invariant is an expression that satisfies the following conditions:it is side-effect free;only clock,integer variables,and constants are referenced;it is a conjunction of conditions of the form x<e or x<=e where x is a clock reference and e evaluates to an integer.An invariant may call a side-effect free function that returns a bool,although clock constraints are not supported in such functions.2.2The Query LanguageThe main purpose of a model-checker is verify the model w.r.t.a requirement specification.Like the model,the requirement specification must be expressed in a formally well-defined and machine readable language.Several such logics exist in the scientific literature,and Uppaal uses a simplified version of TCTL. Like in TCTL,the query language consists of path formulae and state formulae.2 State formulae describe individual states,whereas path formulae quantify over paths or traces of the model.Path formulae can be classified into reachability, safety and liveness.Figure4illustrates the different path formulae supported by Uppaal.Each type is described below.State Formulae A state formula is an expression(see Fig.33)that can be evaluated for a state without looking at the behaviour of the model.For instance, this could be a simple expression,like i==7,that is true in a state whenever i equals7.The syntax of state formulae is a superset of that of guards,i.e.,a state formula is a side-effect free expression,but in contrast to guards,the use of disjunctions is not restricted.It is also possible to test whether a particular process is in a given location using an expression on the form P.l,where P is a process and l is a location.In Uppaal,deadlock is expressed using a special state formula(although this is not strictly a state formula).The formula simply consists of the keyword deadlock and is satisfied for all deadlock states.A state is a deadlock state if there are no outgoing action transitions neither from the state itself or any of its delay successors.Due to current limitations in Uppaal,the deadlock state formula can only be used with reachability and invariantly path formulae(see below).Reachability Properties Reachability properties are the simplest form of properties.They ask whether a given state formula,ϕ,possibly can be satisfied3Notice that A ϕ=¬E3¬ϕ8there should exist a maximal path such thatϕis always true.4In Uppaal we write A[]ϕand E[]ϕ,respectively.Liveness Properties Liveness properties are of the form:something will even-tually happen,e.g.when pressing the on button of the remote control of the television,then eventually the television should turn on.Or in a model of a communication protocol,any message that has been sent should eventually be received.In its simple form,liveness is expressed with the path formula A3ϕ,mean-ingϕis eventually satisfied.5The more useful form is the leads to or response property,writtenϕ ψwhich is read as wheneverϕis satisfied,then eventu-allyψwill be satisfied,e.g.whenever a message is sent,then eventually it will be received.6In Uppaal these properties are written as A<>ϕandϕ-->ψ, respectively.2.3Understanding TimeInvariants and Guards Uppaal uses a continuous time model.We illustrate the concept of time with a simple example that makes use of an observer.Nor-mally an observer is an add-on automaton in charge of detecting events without changing the observed system.In our case the clock reset(x:=0)is delegated to the observer for illustration purposes.Figure5shows thefirst model with its observer.We have two automata in parallel.Thefirst automaton has a self-loop guarded by x>=2,x being a clock,that synchronises on the channel reset with the second automaton.The second automaton,the observer,detects when the self loop edge is taken with the location taken and then has an edge going back to idle that resets the clock x.We moved the reset of x from the self loop to the observer only to test what happens on the transition before the reset.Notice that the location taken is committed(marked c)to avoid delay in that location.The following properties can be verified in Uppaal(see section3for an overview of the interface).Assuming we name the observer automaton Obs,we have:–A[]Obs.taken imply x>=2:all resets offx will happen when x is above2.This query means that for all reachable states,being in the locationObs.taken implies that x>=2.–E<>Obs.idle and x>3:this property requires,that it is possible to reach-able state where Obs is in the location idle and x is bigger than3.Essentially we check that we may delay at least3time units between resets.The result would have been the same for larger values like30000,since there are no invariants in this model.x>=2reset!‚‚‚‚‚246824"time"c l o c k x (a)Test.(b)Observer.(c)Behaviour:one possible run.Fig.5.First example with anobserver.x>=2reset!246824"time"c l o c k x(a)Test.(b)Updated behaviour with an invariant.Fig.6.Updated example with an invariant.The observer is the same as in Fig.5and is not shown here.We update the first model and add an invariant to the location loop ,as shown in Fig.6.The invariant is a progress condition:the system is not allowed to stay in the state more than 3time units,so that the transition has to be taken and the clock reset in our example.Now the clock x has 3as an upper bound.The following properties hold:–A[]Obs.taken imply (x>=2and x<=3)shows that the transition is takenwhen x is between 2and 3,i.e.,after a delay between 2and 3.–E<>Obs.idle and x>2:it is possible to take the transition when x is be-tween 2and 3.The upper bound 3is checked with the next property.–A[]Obs.idle imply x<=3:to show that the upper bound is respected.The former property E<>Obs.idle and x>3no longer holds.Now,if we remove the invariant and change the guard to x>=2and x<=3,you may think that it is the same as before,but it is not!The system has no progress condition,just a new condition on the guard.Figure 7shows what happens:the system may take the same transitions as before,but deadlock may also occur.The system may be stuck if it does not take the transition after 3time units.In fact,the system fails the property A[]not deadlock .The property A[]Obs.idle imply x<=3does not hold any longer and the deadlock can also be illustrated by the property A[]x>3imply not Obs.taken ,i.e.,after 3time units,the transition is not taken any more.10x>=2 && x<=3reset!246824"time"c l o c k x(a)Test.(b)Updated behaviour with a guard and no invariant.Fig.7.Updated example with a guard and no invariant.P0P1P2Fig.8.Automata in parallel with normal,urgent and commit states.The clocks are local,i.e.,P0.x and P1.x are two different clocks.Committed and Urgent Locations There are three different types of loca-tions in Uppaal :normal locations with or without invariants (e.g.,x<=3in the previous example),urgent locations,and committed locations.Figure 8shows 3automata to illustrate the difference.The location marked u is urgent and the one marked c is committed.The clocks are local to the automata,i.e.,x in P0is different from x in P1.To understand the difference between normal locations and urgent locations,we can observe that the following properties hold:–E<>P0.S1and P0.x>0:it is possible to wait in S1of P0.–A[]P1.S1imply P1.x==0:it is not possible to wait in S1of P1.An urgent location is equivalent to a location with incoming edges reseting a designated clock y and labelled with the invariant y<=0.Time may not progress in an urgent state,but interleavings with normal states are allowed.A committed location is more restrictive:in all the states where P2.S1is active (in our example),the only possible transition is the one that fires the edge outgoing from P2.S1.A state having a committed location active is said to11be committed:delay is not allowed and the committed location must be left in the successor state(or one of the committed locations if there are several ones). 3Overview of the Uppaal ToolkitUppaal uses a client-server architecture,splitting the tool into a graphical user interface and a model checking engine.The user interface,or client,is imple-mented in Java and the engine,or server,is compiled for different platforms (Linux,Windows,Solaris).7As the names suggest,these two components may be run on different machines as they communicate with each other via TCP/IP. There is also a stand-alone version of the engine that can be used on the com-mand line.3.1The Java ClientThe idea behind the tool is to model a system with timed automata using a graphical editor,simulate it to validate that it behaves as intended,andfinally to verify that it is correct with respect to a set of properties.The graphical interface(GUI)of the Java client reflects this idea and is divided into three main parts:the editor,the simulator,and the verifier,accessible via three“tabs”. The Editor A system is defined as a network of timed automata,called pro-cesses in the tool,put in parallel.A process is instantiated from a parameterised template.The editor is divided into two parts:a tree pane to access the different templates and declarations and a drawing canvas/text editor.Figure9shows the editor with the train gate example of section4.Locations are labelled with names and invariants and edges are labelled with guard conditions(e.g.,e==id), synchronisations(e.g.,go?),and assignments(e.g.,x:=0).The tree on the left hand side gives access to different parts of the system description:Global declaration Contains global integer variables,clocks,synchronisation channels,and constants.Templates Train,Gate,and IntQueue are different parameterised timed au-tomata.A template may have local declarations of variables,channels,and constants.Process assignments Templates are instantiated into processes.The process assignment section contains declarations for these instances.System definition The list of processes in the system.The syntax used in the labels and the declarations is described in the help system of the tool.The local and global declarations are shown in Fig.10.The graphical syntax is directly inspired from the description of timed automata in section2.12Fig.9.The train automaton of the train gate example.The select button is activated in the tool-bar.In this mode the user can move locations and edges or edit labels. The other modes are for adding locations,edges,and vertices on edges(called nails).A new location has no name by default.Two textfields allow the user to define the template name and its eful trick:The middle mouse button is a shortcut for adding new elements,i.e.pressing it on the canvas,a location,or edge adds a new location,edge,or nail,respectively.The Simulator The simulator can be used in three ways:the user can run the system manually and choose which transitions to take,the random mode can be toggled to let the system run on its own,or the user can go through a trace (saved or imported from the verifier)to see how certain states are reachable. Figure11shows the simulator.It is divided into four parts:The control part is used to choose andfire enabled transitions,go through a trace,and toggle the random simulation.The variable view shows the values of the integer variables and the clock con-straints.Uppaal does not show concrete states with actual values for the clocks.Since there are infinitely many of such states,Uppaal instead shows sets of concrete states known as symbolic states.All concrete states in a sym-bolic state share the same location vector and the same values for discretevariables.The possible values of the clocks is described by a set of con-Fig.10.The different local and global declarations of the train gate example.We superpose several screen-shots of the tool to show the declarations in a compact manner.straints.The clock validation in the symbolic state are exactly those that satisfy all constraints.The system view shows all instantiated automata and active locations of the current state.The message sequence chart shows the synchronisations between the differ-ent processes as well as the active locations at every step.The Verifier The verifier“tab”is shown in Fig.12.Properties are selectable in the Overview list.The user may model-check one or several properties,8insert or remove properties,and toggle the view to see the properties or the comments in the list.When a property is selected,it is possible to edit its definition(e.g., E<>Train1.Cross and Train2.Stop...)or comments to document what the property means informally.The Status panel at the bottom shows the commu-nication with the server.When trace generation is enabled and the model-checkerfinds a trace,the user is asked if she wants to import it into the simulator.Satisfied properties are marked green and violated ones red.In case either an over approximation or an under approximation has been selected in the options menu,then it may happen that the verification is inconclusive with the approximation used.In that casethe properties are marked yellow.Fig.11.View of the simulator tab for the train gate example.The interpretation of the constraint system in the variable panel depends on whether a transition in the transition panel is selected or not.If no transition is selected,then the constrain system shows all possible clock valuations that can be reached along the path.If a transition is selected,then only those clock valuations from which the transition can be taken are shown.Keyboard bindings for navigating the simulator without the mouse can be found in the integrated help system.3.2The Stand-alone VerifierWhen running large verification tasks,it is often cumbersome to execute these from inside the GUI.For such situations,the stand-alone command line verifier called verifyta is more appropriate.It also makes it easy to run the verification on a remote UNIX machine with memory to spare.It accepts command line arguments for all options available in the GUI,see Table3in the appendix.4Example1:The Train Gate4.1DescriptionThe train gate example is distributed with Uppaal.It is a railway control system which controls access to a bridge for several trains.The bridge is a critical shared resource that may be accessed only by one train at a time.The system is defined as a number of trains(assume4for this example)and a controller.A train can not be stopped instantly and restarting also takes time.Therefor,there are timing constraints on the trains before entering the bridge.When approaching,15。

伽达默尔哲学的七个关键术语本文系帕尔默教授2002年6月27日在安徽师范大学作的学术报告，由江涛译为中文，潘德荣校。

【作者简介】R.E.帕尔默(1933-)，男，美国伊利诺伊州麦克默里大学哲学教授，从事诠释学教学与研究30多年，他于1960年写的《诠释学》，系该学科的标准教材。

【内容提要】“存在之显现”是伽达默尔的真理观念。

“时间性”指的是通过语言性、书写性、和诗歌的奇迹，产生了文本战胜历史“时间”而具有“同时性”的奇迹。

“实践智慧”是伦理方式选择善的理智。

“应用”的意思是当我们理解过去的某件事物时，我们同样领会它在今天是如何应用的“传统”是指我们在语言中继承下来的态度和方法，在我们试图弄懂任何事物时都会在我们的意识中发生作用，而“效果历史意识”是一种历史总结在发挥作用的意识。

语言最典型地生存于交谈、问答、对话的平等交换之中。

使人类团结在一起的节日庆典是真正交流的基础。

【英文摘要】“Emergency into being”is Gadamer's concept of truth.Zeitlichreit(timeliness)refers to the fact that though the miracle of language,writtenness and poetry,comes the miracle of“simutaneity”in a text that overcomes historical time.Phronoesis (practicle wisdom) is the intelligence that chooses the Good in an ethical way.Applicatio(application) means that when we understand something in the past,and we also see how it applies at present.Tradition refers to our seeing that an attitude and way of seeing that we inherit in our language is at work inour consciousness as we attempt to understand anything,while wirkungschichttiches Buwusstsein (effect consciousness) is a consciousnes in which history is always working.For Gadamer language lives most typically in the give and take of conversation,of question and answer,of dialogue.Gadamer also argues that the rituals and rites that hold humanbeings together in solitarity are their basis for real communication.【关键词】真理/实践智慧/应用/传统和效果历史意识/谈话/团结/Wahrheit(truth)/Zeitlichkeit(timeliness)/Pronolisis(practicalwisdom)/Applicatio(application)/Tradition and wirkungs geschichtliches(tradition and effect historical consciousness)/Gespraech(dialogue)/Solidaritaet(unity)一非常荣幸应我的朋友潘德荣邀请来和你们谈谈伽达默尔的诠释哲学，谢谢大家!在1999年退休前，当我在我的学院讲授“儒教、道教和禅宗”这门课程时[1]，我试图在第一堂课中通过较详细地给一些关键术语下定义来解释儒家学说。

笛卡尔的本体论之争首先周一公布2001年6月18日;实质性修改太阳2006年10月15日笛卡尔的本体论（或先验）的论点，既是哲学的一个最迷人，他的理解方面的不足。

论据与魅力源于努力证明神的存在，从简单的处所，但功能强大。

存在是产生立即从清晰和明确的想法是一个无比完美。

讽刺的是，简单的说法也产生了一些误读，加剧了部分由笛卡尔没有一套单一版本。

该声明的论点主要出现在第五沉思。

这种说法因果来得早在接踵而至的一个神的存在，沉思在第三，不同的证据提出问题的两项之间的秩序和关系。

重复笛卡尔哲学原理，包括本体论争论的几个文本等中央。

他还辩解首先由一些主要的知识分子，他在一天，严厉打击反对第二次回复，和第五。

笛卡尔不是第一位哲学家，制订一个本体论的论点。

一个早期版本的说法已大力安瑟伦辩护圣在11世纪，然后圣托马斯阿奎那批评由当代），后来被命名为Gaunilo和尚（安瑟伦（尽管他的言论是针对然而，另一个版本参数）。

阿奎那的批评被视为如此具有破坏性，本体论的争论了数百年死亡。

它的出现，作为一个同时代的惊喜笛卡尔，他应该试图复活它。

虽然他声称没有被证明的熟悉安瑟伦的版本，笛卡尔似乎他自己的工艺参数，以阻止传统的反对。

尽管相似之处，笛卡尔的论点的版本不同于安瑟伦方式在重要的。

后者的版本被认为要从定义这个词的含义“上帝”，上帝是一个被一大于不能设想。

笛卡尔的观点相反，中，主要是基于两个他的哲学的中心原则-天生的思想理论和学说明确的印象和独特的。

他声称不依赖于上帝的任意定义，而是一种天生的想法，其内容是“的。

” 笛卡尔的版本也非常简单。

神的存在是直接从推断的事实，有必要存在的想法是包含在一个清晰而鲜明的超级完美的存在。

事实上，在一些场合，他建议，所谓的本体论“的论调”是不是一个正式的哲学偏见的证据，而是在所有不言而喻的公理直观地掌握了一个心灵的自由。

笛卡尔的本体论的争论相比往往以几何论证，认为有必要存在的想法不能排除再从神比事实平等的角度，其角度，例如两权，可以被排除在一个三角形的想法。

终极理论物理学术语终极理论英语名称是the Theory of Ultimate，在物理学中，终极理论又称万有理论，是二十世纪六十年代以后，量子论物理学家们提出的一个标准模型理论。

物理学家们即将把引力、电磁力与原子核力用单独一项数学定律来描述。

那么万物的理论是什么？万物理论是科学界广泛使用的术语。

实际上，有一个著名物理学家史蒂芬·霍金教授的传记，以该理论命名。

如果你认为万物理论是对物理学中所有问题的解答，并且它将标志着人类长期以来对宇宙的好奇心的终结，那么你是错的。

万物理论并不能解决所有问题，这就像可以推导出其他一切的基本定律一样。

例如，库仑定律是静电的基本定律，可以从高斯定理中得出，反之亦然。

实际上，科学家说，万物理论仅仅是个开始。

从技术上讲，万物理论是一个假设框架，涵盖了宇宙的所有物理方面。

简而言之，就是极限理论告诉我们宇宙是如何工作的。

现在，让我们深入研究所有重要的理论以了解其含义。

描述物理学万物理论都有哪些最初描述万物理论的是20世纪的量子力学和相对论，在自远古时代以来，人类一直对它们的存在及其在宇宙中的地位感到好奇。

但是，将自然的工作描述为基本定律并不总是哲学家的趋势。

可能，第一个提供描述自然规律的理论框架的哲学家是阿基米德原理中的阿基米德，阿基米德原理是流体力学的基本定律。

我们可以清楚地描述某些物理现象，但是万物理论的主要目的是使它们统一。

例如，我们可以使用爱因斯坦的相对论通论来定义重力，并可以使用麦克斯韦定律来定义电磁力，但是当我们试图统一它们时就会出现主要问题。

爱因斯坦竭尽全力统一这两个基本力量，但他失败了。

假设我们需要创建一个融合的电引力理论。

我们该怎么做？一个理论必须是极简主义的，这意味着我们需要创建可以结合重力和电磁学的定律。

在我们建立了可以成功地结合重力和电磁学并定义了电引力各个方面的定律之后，我们就成功地发现了一个新理论。

现在，这种新理论具有导出电磁定律和重力定律的能力，这使其成为非常重要的理论。

DIRECTIVE NUMBER: CPL 02-00-150 EFFECTIVE DATE: April 22, 2011 SUBJECT: Field Operations Manual (FOM)ABSTRACTPurpose: This instruction cancels and replaces OSHA Instruction CPL 02-00-148,Field Operations Manual (FOM), issued November 9, 2009, whichreplaced the September 26, 1994 Instruction that implemented the FieldInspection Reference Manual (FIRM). The FOM is a revision of OSHA’senforcement policies and procedures manual that provides the field officesa reference document for identifying the responsibilities associated withthe majority of their inspection duties. This Instruction also cancels OSHAInstruction FAP 01-00-003 Federal Agency Safety and Health Programs,May 17, 1996 and Chapter 13 of OSHA Instruction CPL 02-00-045,Revised Field Operations Manual, June 15, 1989.Scope: OSHA-wide.References: Title 29 Code of Federal Regulations §1903.6, Advance Notice ofInspections; 29 Code of Federal Regulations §1903.14, Policy RegardingEmployee Rescue Activities; 29 Code of Federal Regulations §1903.19,Abatement Verification; 29 Code of Federal Regulations §1904.39,Reporting Fatalities and Multiple Hospitalizations to OSHA; and Housingfor Agricultural Workers: Final Rule, Federal Register, March 4, 1980 (45FR 14180).Cancellations: OSHA Instruction CPL 02-00-148, Field Operations Manual, November9, 2009.OSHA Instruction FAP 01-00-003, Federal Agency Safety and HealthPrograms, May 17, 1996.Chapter 13 of OSHA Instruction CPL 02-00-045, Revised FieldOperations Manual, June 15, 1989.State Impact: Notice of Intent and Adoption required. See paragraph VI.Action Offices: National, Regional, and Area OfficesOriginating Office: Directorate of Enforcement Programs Contact: Directorate of Enforcement ProgramsOffice of General Industry Enforcement200 Constitution Avenue, NW, N3 119Washington, DC 20210202-693-1850By and Under the Authority ofDavid Michaels, PhD, MPHAssistant SecretaryExecutive SummaryThis instruction cancels and replaces OSHA Instruction CPL 02-00-148, Field Operations Manual (FOM), issued November 9, 2009. The one remaining part of the prior Field Operations Manual, the chapter on Disclosure, will be added at a later date. This Instruction also cancels OSHA Instruction FAP 01-00-003 Federal Agency Safety and Health Programs, May 17, 1996 and Chapter 13 of OSHA Instruction CPL 02-00-045, Revised Field Operations Manual, June 15, 1989. This Instruction constitutes OSHA’s general enforcement policies and procedures manual for use by the field offices in conducting inspections, issuing citations and proposing penalties.Significant Changes∙A new Table of Contents for the entire FOM is added.∙ A new References section for the entire FOM is added∙ A new Cancellations section for the entire FOM is added.∙Adds a Maritime Industry Sector to Section III of Chapter 10, Industry Sectors.∙Revises sections referring to the Enhanced Enforcement Program (EEP) replacing the information with the Severe Violator Enforcement Program (SVEP).∙Adds Chapter 13, Federal Agency Field Activities.∙Cancels OSHA Instruction FAP 01-00-003, Federal Agency Safety and Health Programs, May 17, 1996.DisclaimerThis manual is intended to provide instruction regarding some of the internal operations of the Occupational Safety and Health Administration (OSHA), and is solely for the benefit of the Government. No duties, rights, or benefits, substantive or procedural, are created or implied by this manual. The contents of this manual are not enforceable by any person or entity against the Department of Labor or the United States. Statements which reflect current Occupational Safety and Health Review Commission or court precedents do not necessarily indicate acquiescence with those precedents.Table of ContentsCHAPTER 1INTRODUCTIONI.PURPOSE. ........................................................................................................... 1-1 II.SCOPE. ................................................................................................................ 1-1 III.REFERENCES .................................................................................................... 1-1 IV.CANCELLATIONS............................................................................................. 1-8 V. ACTION INFORMATION ................................................................................. 1-8A.R ESPONSIBLE O FFICE.......................................................................................................................................... 1-8B.A CTION O FFICES. .................................................................................................................... 1-8C. I NFORMATION O FFICES............................................................................................................ 1-8 VI. STATE IMPACT. ................................................................................................ 1-8 VII.SIGNIFICANT CHANGES. ............................................................................... 1-9 VIII.BACKGROUND. ................................................................................................. 1-9 IX. DEFINITIONS AND TERMINOLOGY. ........................................................ 1-10A.T HE A CT................................................................................................................................................................. 1-10B. C OMPLIANCE S AFETY AND H EALTH O FFICER (CSHO). ...........................................................1-10B.H E/S HE AND H IS/H ERS ..................................................................................................................................... 1-10C.P ROFESSIONAL J UDGMENT............................................................................................................................... 1-10E. W ORKPLACE AND W ORKSITE ......................................................................................................................... 1-10CHAPTER 2PROGRAM PLANNINGI.INTRODUCTION ............................................................................................... 2-1 II.AREA OFFICE RESPONSIBILITIES. .............................................................. 2-1A.P ROVIDING A SSISTANCE TO S MALL E MPLOYERS. ...................................................................................... 2-1B.A REA O FFICE O UTREACH P ROGRAM. ............................................................................................................. 2-1C. R ESPONDING TO R EQUESTS FOR A SSISTANCE. ............................................................................................ 2-2 III. OSHA COOPERATIVE PROGRAMS OVERVIEW. ...................................... 2-2A.V OLUNTARY P ROTECTION P ROGRAM (VPP). ........................................................................... 2-2B.O NSITE C ONSULTATION P ROGRAM. ................................................................................................................ 2-2C.S TRATEGIC P ARTNERSHIPS................................................................................................................................. 2-3D.A LLIANCE P ROGRAM ........................................................................................................................................... 2-3 IV. ENFORCEMENT PROGRAM SCHEDULING. ................................................ 2-4A.G ENERAL ................................................................................................................................................................. 2-4B.I NSPECTION P RIORITY C RITERIA. ..................................................................................................................... 2-4C.E FFECT OF C ONTEST ............................................................................................................................................ 2-5D.E NFORCEMENT E XEMPTIONS AND L IMITATIONS. ....................................................................................... 2-6E.P REEMPTION BY A NOTHER F EDERAL A GENCY ........................................................................................... 2-6F.U NITED S TATES P OSTAL S ERVICE. .................................................................................................................. 2-7G.H OME-B ASED W ORKSITES. ................................................................................................................................ 2-8H.I NSPECTION/I NVESTIGATION T YPES. ............................................................................................................... 2-8 V.UNPROGRAMMED ACTIVITY – HAZARD EVALUATION AND INSPECTION SCHEDULING ............................................................................ 2-9 VI.PROGRAMMED INSPECTIONS. ................................................................... 2-10A.S ITE-S PECIFIC T ARGETING (SST) P ROGRAM. ............................................................................................. 2-10B.S CHEDULING FOR C ONSTRUCTION I NSPECTIONS. ..................................................................................... 2-10C.S CHEDULING FOR M ARITIME I NSPECTIONS. ............................................................................. 2-11D.S PECIAL E MPHASIS P ROGRAMS (SEP S). ................................................................................... 2-12E.N ATIONAL E MPHASIS P ROGRAMS (NEP S) ............................................................................... 2-13F.L OCAL E MPHASIS P ROGRAMS (LEP S) AND R EGIONAL E MPHASIS P ROGRAMS (REP S) ............ 2-13G.O THER S PECIAL P ROGRAMS. ............................................................................................................................ 2-13H.I NSPECTION S CHEDULING AND I NTERFACE WITH C OOPERATIVE P ROGRAM P ARTICIPANTS ....... 2-13CHAPTER 3INSPECTION PROCEDURESI.INSPECTION PREPARATION. .......................................................................... 3-1 II.INSPECTION PLANNING. .................................................................................. 3-1A.R EVIEW OF I NSPECTION H ISTORY .................................................................................................................... 3-1B.R EVIEW OF C OOPERATIVE P ROGRAM P ARTICIPATION .............................................................................. 3-1C.OSHA D ATA I NITIATIVE (ODI) D ATA R EVIEW .......................................................................................... 3-2D.S AFETY AND H EALTH I SSUES R ELATING TO CSHO S.................................................................. 3-2E.A DVANCE N OTICE. ................................................................................................................................................ 3-3F.P RE-I NSPECTION C OMPULSORY P ROCESS ...................................................................................................... 3-5G.P ERSONAL S ECURITY C LEARANCE. ................................................................................................................. 3-5H.E XPERT A SSISTANCE. ........................................................................................................................................... 3-5 III. INSPECTION SCOPE. ......................................................................................... 3-6A.C OMPREHENSIVE ................................................................................................................................................... 3-6B.P ARTIAL. ................................................................................................................................................................... 3-6 IV. CONDUCT OF INSPECTION .............................................................................. 3-6A.T IME OF I NSPECTION............................................................................................................................................. 3-6B.P RESENTING C REDENTIALS. ............................................................................................................................... 3-6C.R EFUSAL TO P ERMIT I NSPECTION AND I NTERFERENCE ............................................................................. 3-7D.E MPLOYEE P ARTICIPATION. ............................................................................................................................... 3-9E.R ELEASE FOR E NTRY ............................................................................................................................................ 3-9F.B ANKRUPT OR O UT OF B USINESS. .................................................................................................................... 3-9G.E MPLOYEE R ESPONSIBILITIES. ................................................................................................. 3-10H.S TRIKE OR L ABOR D ISPUTE ............................................................................................................................. 3-10I. V ARIANCES. .......................................................................................................................................................... 3-11 V. OPENING CONFERENCE. ................................................................................ 3-11A.G ENERAL ................................................................................................................................................................ 3-11B.R EVIEW OF A PPROPRIATION A CT E XEMPTIONS AND L IMITATION. ..................................................... 3-13C.R EVIEW S CREENING FOR P ROCESS S AFETY M ANAGEMENT (PSM) C OVERAGE............................. 3-13D.R EVIEW OF V OLUNTARY C OMPLIANCE P ROGRAMS. ................................................................................ 3-14E.D ISRUPTIVE C ONDUCT. ...................................................................................................................................... 3-15F.C LASSIFIED A REAS ............................................................................................................................................. 3-16VI. REVIEW OF RECORDS. ................................................................................... 3-16A.I NJURY AND I LLNESS R ECORDS...................................................................................................................... 3-16B.R ECORDING C RITERIA. ...................................................................................................................................... 3-18C. R ECORDKEEPING D EFICIENCIES. .................................................................................................................. 3-18 VII. WALKAROUND INSPECTION. ....................................................................... 3-19A.W ALKAROUND R EPRESENTATIVES ............................................................................................................... 3-19B.E VALUATION OF S AFETY AND H EALTH M ANAGEMENT S YSTEM. ....................................................... 3-20C.R ECORD A LL F ACTS P ERTINENT TO A V IOLATION. ................................................................................. 3-20D.T ESTIFYING IN H EARINGS ................................................................................................................................ 3-21E.T RADE S ECRETS. ................................................................................................................................................. 3-21F.C OLLECTING S AMPLES. ..................................................................................................................................... 3-22G.P HOTOGRAPHS AND V IDEOTAPES.................................................................................................................. 3-22H.V IOLATIONS OF O THER L AWS. ....................................................................................................................... 3-23I.I NTERVIEWS OF N ON-M ANAGERIAL E MPLOYEES .................................................................................... 3-23J.M ULTI-E MPLOYER W ORKSITES ..................................................................................................................... 3-27 K.A DMINISTRATIVE S UBPOENA.......................................................................................................................... 3-27 L.E MPLOYER A BATEMENT A SSISTANCE. ........................................................................................................ 3-27 VIII. CLOSING CONFERENCE. .............................................................................. 3-28A.P ARTICIPANTS. ..................................................................................................................................................... 3-28B.D ISCUSSION I TEMS. ............................................................................................................................................ 3-28C.A DVICE TO A TTENDEES .................................................................................................................................... 3-29D.P ENALTIES............................................................................................................................................................. 3-30E.F EASIBLE A DMINISTRATIVE, W ORK P RACTICE AND E NGINEERING C ONTROLS. ............................ 3-30F.R EDUCING E MPLOYEE E XPOSURE. ................................................................................................................ 3-32G.A BATEMENT V ERIFICATION. ........................................................................................................................... 3-32H.E MPLOYEE D ISCRIMINATION .......................................................................................................................... 3-33 IX. SPECIAL INSPECTION PROCEDURES. ...................................................... 3-33A.F OLLOW-UP AND M ONITORING I NSPECTIONS............................................................................................ 3-33B.C ONSTRUCTION I NSPECTIONS ......................................................................................................................... 3-34C. F EDERAL A GENCY I NSPECTIONS. ................................................................................................................. 3-35CHAPTER 4VIOLATIONSI. BASIS OF VIOLATIONS ..................................................................................... 4-1A.S TANDARDS AND R EGULATIONS. .................................................................................................................... 4-1B.E MPLOYEE E XPOSURE. ........................................................................................................................................ 4-3C.R EGULATORY R EQUIREMENTS. ........................................................................................................................ 4-6D.H AZARD C OMMUNICATION. .............................................................................................................................. 4-6E. E MPLOYER/E MPLOYEE R ESPONSIBILITIES ................................................................................................... 4-6 II. SERIOUS VIOLATIONS. .................................................................................... 4-8A.S ECTION 17(K). ......................................................................................................................... 4-8B.E STABLISHING S ERIOUS V IOLATIONS ............................................................................................................ 4-8C. F OUR S TEPS TO BE D OCUMENTED. ................................................................................................................... 4-8 III. GENERAL DUTY REQUIREMENTS ............................................................. 4-14A.E VALUATION OF G ENERAL D UTY R EQUIREMENTS ................................................................................. 4-14B.E LEMENTS OF A G ENERAL D UTY R EQUIREMENT V IOLATION.............................................................. 4-14C. U SE OF THE G ENERAL D UTY C LAUSE ........................................................................................................ 4-23D.L IMITATIONS OF U SE OF THE G ENERAL D UTY C LAUSE. ..............................................................E.C LASSIFICATION OF V IOLATIONS C ITED U NDER THE G ENERAL D UTY C LAUSE. ..................F. P ROCEDURES FOR I MPLEMENTATION OF S ECTION 5(A)(1) E NFORCEMENT ............................ 4-25 4-27 4-27IV.OTHER-THAN-SERIOUS VIOLATIONS ............................................... 4-28 V.WILLFUL VIOLATIONS. ......................................................................... 4-28A.I NTENTIONAL D ISREGARD V IOLATIONS. ..........................................................................................4-28B.P LAIN I NDIFFERENCE V IOLATIONS. ...................................................................................................4-29 VI. CRIMINAL/WILLFUL VIOLATIONS. ................................................... 4-30A.A REA D IRECTOR C OORDINATION ....................................................................................................... 4-31B.C RITERIA FOR I NVESTIGATING P OSSIBLE C RIMINAL/W ILLFUL V IOLATIONS ........................ 4-31C. W ILLFUL V IOLATIONS R ELATED TO A F ATALITY .......................................................................... 4-32 VII. REPEATED VIOLATIONS. ...................................................................... 4-32A.F EDERAL AND S TATE P LAN V IOLATIONS. ........................................................................................4-32B.I DENTICAL S TANDARDS. .......................................................................................................................4-32C.D IFFERENT S TANDARDS. .......................................................................................................................4-33D.O BTAINING I NSPECTION H ISTORY. .....................................................................................................4-33E.T IME L IMITATIONS..................................................................................................................................4-34F.R EPEATED V. F AILURE TO A BATE....................................................................................................... 4-34G. A REA D IRECTOR R ESPONSIBILITIES. .............................................................................. 4-35 VIII. DE MINIMIS CONDITIONS. ................................................................... 4-36A.C RITERIA ................................................................................................................................................... 4-36B.P ROFESSIONAL J UDGMENT. ..................................................................................................................4-37C. A REA D IRECTOR R ESPONSIBILITIES. .............................................................................. 4-37 IX. CITING IN THE ALTERNATIVE ............................................................ 4-37 X. COMBINING AND GROUPING VIOLATIONS. ................................... 4-37A.C OMBINING. ..............................................................................................................................................4-37B.G ROUPING. ................................................................................................................................................4-38C. W HEN N OT TO G ROUP OR C OMBINE. ................................................................................................4-38 XI. HEALTH STANDARD VIOLATIONS ....................................................... 4-39A.C ITATION OF V ENTILATION S TANDARDS ......................................................................................... 4-39B.V IOLATIONS OF THE N OISE S TANDARD. ...........................................................................................4-40 XII. VIOLATIONS OF THE RESPIRATORY PROTECTION STANDARD(§1910.134). ....................................................................................................... XIII. VIOLATIONS OF AIR CONTAMINANT STANDARDS (§1910.1000) ... 4-43 4-43A.R EQUIREMENTS UNDER THE STANDARD: .................................................................................................. 4-43B.C LASSIFICATION OF V IOLATIONS OF A IR C ONTAMINANT S TANDARDS. ......................................... 4-43 XIV. CITING IMPROPER PERSONAL HYGIENE PRACTICES. ................... 4-45A.I NGESTION H AZARDS. .................................................................................................................................... 4-45B.A BSORPTION H AZARDS. ................................................................................................................................ 4-46C.W IPE S AMPLING. ............................................................................................................................................. 4-46D.C ITATION P OLICY ............................................................................................................................................ 4-46 XV. BIOLOGICAL MONITORING. ...................................................................... 4-47CHAPTER 5CASE FILE PREPARATION AND DOCUMENTATIONI.INTRODUCTION ............................................................................................... 5-1 II.INSPECTION CONDUCTED, CITATIONS BEING ISSUED. .................... 5-1A.OSHA-1 ................................................................................................................................... 5-1B.OSHA-1A. ............................................................................................................................... 5-1C. OSHA-1B. ................................................................................................................................ 5-2 III.INSPECTION CONDUCTED BUT NO CITATIONS ISSUED .................... 5-5 IV.NO INSPECTION ............................................................................................... 5-5 V. HEALTH INSPECTIONS. ................................................................................. 5-6A.D OCUMENT P OTENTIAL E XPOSURE. ............................................................................................................... 5-6B.E MPLOYER’S O CCUPATIONAL S AFETY AND H EALTH S YSTEM. ............................................................. 5-6 VI. AFFIRMATIVE DEFENSES............................................................................. 5-8A.B URDEN OF P ROOF. .............................................................................................................................................. 5-8B.E XPLANATIONS. ..................................................................................................................................................... 5-8 VII. INTERVIEW STATEMENTS. ........................................................................ 5-10A.G ENERALLY. ......................................................................................................................................................... 5-10B.CSHO S SHALL OBTAIN WRITTEN STATEMENTS WHEN: .......................................................................... 5-10C.L ANGUAGE AND W ORDING OF S TATEMENT. ............................................................................................. 5-11D.R EFUSAL TO S IGN S TATEMENT ...................................................................................................................... 5-11E.V IDEO AND A UDIOTAPED S TATEMENTS. ..................................................................................................... 5-11F.A DMINISTRATIVE D EPOSITIONS. .............................................................................................5-11 VIII. PAPERWORK AND WRITTEN PROGRAM REQUIREMENTS. .......... 5-12 IX.GUIDELINES FOR CASE FILE DOCUMENTATION FOR USE WITH VIDEOTAPES AND AUDIOTAPES .............................................................. 5-12 X.CASE FILE ACTIVITY DIARY SHEET. ..................................................... 5-12 XI. CITATIONS. ..................................................................................................... 5-12A.S TATUTE OF L IMITATIONS. .............................................................................................................................. 5-13B.I SSUING C ITATIONS. ........................................................................................................................................... 5-13C.A MENDING/W ITHDRAWING C ITATIONS AND N OTIFICATION OF P ENALTIES. .................................. 5-13D.P ROCEDURES FOR A MENDING OR W ITHDRAWING C ITATIONS ............................................................ 5-14 XII. INSPECTION RECORDS. ............................................................................... 5-15A.G ENERALLY. ......................................................................................................................................................... 5-15B.R ELEASE OF I NSPECTION I NFORMATION ..................................................................................................... 5-15C. C LASSIFIED AND T RADE S ECRET I NFORMATION ...................................................................................... 5-16。

《斯普林格数学研究生教材丛书》（Graduate Texts in Mathematics）GTM001《Introduction to Axiomatic Set Theory》Gaisi Takeuti, Wilson M.Zaring GTM002《Measure and Category》John C.Oxtoby（测度和范畴）（2ed.）GTM003《Topological Vector Spaces》H.H.Schaefer, M.P.Wolff（2ed.）GTM004《A Course in Homological Algebra》P.J.Hilton, U.Stammbach（2ed.）（同调代数教程）GTM005《Categories for the Working Mathematician》Saunders Mac Lane（2ed.）GTM006《Projective Planes》Daniel R.Hughes, Fred C.Piper（投射平面）GTM007《A Course in Arithmetic》Jean-Pierre Serre（数论教程）GTM008《Axiomatic set theory》Gaisi Takeuti, Wilson M.Zaring（2ed.）GTM009《Introduction to Lie Algebras and Representation Theory》James E.Humphreys（李代数和表示论导论）GTM010《A Course in Simple-Homotopy Theory》M.M CohenGTM011《Functions of One Complex VariableⅠ》John B.ConwayGTM012《Advanced Mathematical Analysis》Richard BealsGTM013《Rings and Categories of Modules》Frank W.Anderson, Kent R.Fuller（环和模的范畴）（2ed.）GTM014《Stable Mappings and Their Singularities》Martin Golubitsky, Victor Guillemin （稳定映射及其奇点）GTM015《Lectures in Functional Analysis and Operator Theory》Sterling K.Berberian GTM016《The Structure of Fields》David J.Winter（域结构）GTM017《Random Processes》Murray RosenblattGTM018《Measure Theory》Paul R.Halmos（测度论）GTM019《A Hilbert Space Problem Book》Paul R.Halmos（希尔伯特问题集）GTM020《Fibre Bundles》Dale Husemoller（纤维丛）GTM021《Linear Algebraic Groups》James E.Humphreys（线性代数群）GTM022《An Algebraic Introduction to Mathematical Logic》Donald W.Barnes, John M.MackGTM023《Linear Algebra》Werner H.Greub（线性代数）GTM024《Geometric Functional Analysis and Its Applications》Paul R.HolmesGTM025《Real and Abstract Analysis》Edwin Hewitt, Karl StrombergGTM026《Algebraic Theories》Ernest G.ManesGTM027《General Topology》John L.Kelley（一般拓扑学）GTM028《Commutative Algebra》VolumeⅠOscar Zariski, Pierre Samuel（交换代数）GTM029《Commutative Algebra》VolumeⅡOscar Zariski, Pierre Samuel（交换代数）GTM030《Lectures in Abstract AlgebraⅠ.Basic Concepts》Nathan Jacobson（抽象代数讲义Ⅰ基本概念分册）GTM031《Lectures in Abstract AlgebraⅡ.Linear Algabra》Nathan.Jacobson（抽象代数讲义Ⅱ线性代数分册）GTM032《Lectures in Abstract AlgebraⅢ.Theory of Fields and Galois Theory》Nathan.Jacobson（抽象代数讲义Ⅲ域和伽罗瓦理论）GTM033《Differential Topology》Morris W.Hirsch（微分拓扑）GTM034《Principles of Random Walk》Frank Spitzer（2ed.）（随机游动原理）GTM035《Several Complex Variables and Banach Algebras》Herbert Alexander, John Wermer（多复变和Banach代数）GTM036《Linear Topological Spaces》John L.Kelley, Isaac Namioka（线性拓扑空间）GTM037《Mathematical Logic》J.Donald Monk（数理逻辑）GTM038《Several Complex Variables》H.Grauert, K.FritzsheGTM039《An Invitation to C*-Algebras》William Arveson（C*-代数引论）GTM040《Denumerable Markov Chains》John G.Kemeny, urie Snell, Anthony W.KnappGTM041《Modular Functions and Dirichlet Series in Number Theory》Tom M.Apostol （数论中的模函数和Dirichlet序列）GTM042《Linear Representations of Finite Groups》Jean-Pierre Serre（有限群的线性表示）GTM043《Rings of Continuous Functions》Leonard Gillman, Meyer JerisonGTM044《Elementary Algebraic Geometry》Keith KendigGTM045《Probability TheoryⅠ》M.Loève（概率论Ⅰ）（4ed.）GTM046《Probability TheoryⅡ》M.Loève（概率论Ⅱ）（4ed.）GTM047《Geometric Topology in Dimensions 2 and 3》Edwin E.MoiseGTM048《General Relativity for Mathematicians》Rainer.K.Sachs, H.Wu伍鸿熙（为数学家写的广义相对论）GTM049《Linear Geometry》K.W.Gruenberg, A.J.Weir（2ed.）GTM050《Fermat's Last Theorem》Harold M.EdwardsGTM051《A Course in Differential Geometry》Wilhelm Klingenberg（微分几何教程）GTM052《Algebraic Geometry》Robin Hartshorne（代数几何）GTM053《A Course in Mathematical Logic for Mathematicians》Yu.I.Manin（2ed.）GTM054《Combinatorics with Emphasis on the Theory of Graphs》Jack E.Graver, Mark E.WatkinsGTM055《Introduction to Operator TheoryⅠ》Arlen Brown, Carl PearcyGTM056《Algebraic Topology：An Introduction》W.S.MasseyGTM057《Introduction to Knot Theory》Richard.H.Crowell, Ralph.H.FoxGTM058《p-adic Numbers, p-adic Analysis, and Zeta-Functions》Neal Koblitz（p-adic 数、p-adic分析和Z函数）GTM059《Cyclotomic Fields》Serge LangGTM060《Mathematical Methods of Classical Mechanics》V.I.Arnold（经典力学的数学方法）（2ed.）GTM061《Elements of Homotopy Theory》George W.Whitehead（同论论基础）GTM062《Fundamentals of the Theory of Groups》M.I.Kargapolov, Ju.I.Merzljakov GTM063《Modern Graph Theory》Béla BollobásGTM064《Fourier Series：A Modern Introduction》VolumeⅠ（2ed.）R.E.Edwards（傅里叶级数）GTM065《Differential Analysis on Complex Manifolds》Raymond O.Wells, Jr.（3ed.）GTM066《Introduction to Affine Group Schemes》William C.Waterhouse（仿射群概型引论）GTM067《Local Fields》Jean-Pierre Serre（局部域）GTM069《Cyclotomic FieldsⅠandⅡ》Serge LangGTM070《Singular Homology Theory》William S.MasseyGTM071《Riemann Surfaces》Herschel M.Farkas, Irwin Kra（黎曼曲面）GTM072《Classical Topology and Combinatorial Group Theory》John Stillwell（经典拓扑和组合群论）GTM073《Algebra》Thomas W.Hungerford（代数）GTM074《Multiplicative Number Theory》Harold Davenport（乘法数论）（3ed.）GTM075《Basic Theory of Algebraic Groups and Lie Algebras》G.P.HochschildGTM076《Algebraic Geometry：An Introduction to Birational Geometry of Algebraic Varieties》Shigeru IitakaGTM077《Lectures on the Theory of Algebraic Numbers》Erich HeckeGTM078《A Course in Universal Algebra》Stanley Burris, H.P.Sankappanavar（泛代数教程）GTM079《An Introduction to Ergodic Theory》Peter Walters（遍历性理论引论）GTM080《A Course in_the Theory of Groups》Derek J.S.RobinsonGTM081《Lectures on Riemann Surfaces》Otto ForsterGTM082《Differential Forms in Algebraic Topology》Raoul Bott, Loring W.Tu（代数拓扑中的微分形式）GTM083《Introduction to Cyclotomic Fields》Lawrence C.Washington（割圆域引论）GTM084《A Classical Introduction to Modern Number Theory》Kenneth Ireland, Michael Rosen（现代数论经典引论）GTM085《Fourier Series A Modern Introduction》Volume 1（2ed.）R.E.Edwards GTM086《Introduction to Coding Theory》J.H.van Lint（3ed .）GTM087《Cohomology of Groups》Kenneth S.Brown（上同调群）GTM088《Associative Algebras》Richard S.PierceGTM089《Introduction to Algebraic and Abelian Functions》Serge Lang（代数和交换函数引论）GTM090《An Introduction to Convex Polytopes》Ame BrondstedGTM091《The Geometry of Discrete Groups》Alan F.BeardonGTM092《Sequences and Series in BanachSpaces》Joseph DiestelGTM093《Modern Geometry-Methods and Applications》（PartⅠ.The of geometry Surfaces Transformation Groups and Fields）B.A.Dubrovin, A.T.Fomenko, S.P.Novikov （现代几何学方法和应用）GTM094《Foundations of Differentiable Manifolds and Lie Groups》Frank W.Warner（可微流形和李群基础）GTM095《Probability》A.N.Shiryaev（2ed.）GTM096《A Course in Functional Analysis》John B.Conway（泛函分析教程）GTM097《Introduction to Elliptic Curves and Modular Forms》Neal Koblitz（椭圆曲线和模形式引论）GTM098《Representations of Compact Lie Groups》Theodor Breöcker, Tammo tom DieckGTM099《Finite Reflection Groups》L.C.Grove, C.T.Benson（2ed.）GTM100《Harmonic Analysis on Semigroups》Christensen Berg, Jens Peter Reus Christensen, Paul ResselGTM101《Galois Theory》Harold M.Edwards（伽罗瓦理论）GTM102《Lie Groups, Lie Algebras, and Their Representation》V.S.Varadarajan（李群、李代数及其表示）GTM103《Complex Analysis》Serge LangGTM104《Modern Geometry-Methods and Applications》（PartⅡ.Geometry and Topology of Manifolds）B.A.Dubrovin, A.T.Fomenko, S.P.Novikov（现代几何学方法和应用）GTM105《SL₂ (R)》Serge Lang（SL₂ (R)群）GTM106《The Arithmetic of Elliptic Curves》Joseph H.Silverman（椭圆曲线的算术理论）GTM107《Applications of Lie Groups to Differential Equations》Peter J.Olver（李群在微分方程中的应用）GTM108《Holomorphic Functions and Integral Representations in Several Complex Variables》R.Michael RangeGTM109《Univalent Functions and Teichmueller Spaces》Lehto OlliGTM110《Algebraic Number Theory》Serge Lang（代数数论）GTM111《Elliptic Curves》Dale Husemoeller（椭圆曲线）GTM112《Elliptic Functions》Serge Lang（椭圆函数）GTM113《Brownian Motion and Stochastic Calculus》Ioannis Karatzas, Steven E.Shreve （布朗运动和随机计算）GTM114《A Course in Number Theory and Cryptography》Neal Koblitz（数论和密码学教程）GTM115《Differential Geometry：Manifolds, Curves, and Surfaces》M.Berger, B.Gostiaux GTM116《Measure and Integral》Volume1 John L.Kelley, T.P.SrinivasanGTM117《Algebraic Groups and Class Fields》Jean-Pierre Serre（代数群和类域）GTM118《Analysis Now》Gert K.Pedersen（现代分析）GTM119《An introduction to Algebraic Topology》Jossph J.Rotman（代数拓扑导论）GTM120《Weakly Differentiable Functions》William P.Ziemer（弱可微函数）GTM121《Cyclotomic Fields》Serge LangGTM122《Theory of Complex Functions》Reinhold RemmertGTM123《Numbers》H.-D.Ebbinghaus, H.Hermes, F.Hirzebruch, M.Koecher, K.Mainzer, J.Neukirch, A.Prestel, R.Remmert（2ed.）GTM124《Modern Geometry-Methods and Applications》（PartⅢ.Introduction to Homology Theory）B.A.Dubrovin, A.T.Fomenko, S.P.Novikov（现代几何学方法和应用）GTM125《Complex Variables：An introduction》Garlos A.Berenstein, Roger Gay GTM126《Linear Algebraic Groups》Armand Borel（线性代数群）GTM127《A Basic Course in Algebraic Topology》William S.Massey（代数拓扑基础教程）GTM128《Partial Differential Equations》Jeffrey RauchGTM129《Representation Theory：A First Course》William Fulton, Joe HarrisGTM130《Tensor Geometry》C.T.J.Dodson, T.Poston（张量几何）GTM131《A First Course in Noncommutative Rings》m（非交换环初级教程）GTM132《Iteration of Rational Functions：Complex Analytic Dynamical Systems》AlanF.Beardon（有理函数的迭代：复解析动力系统）GTM133《Algebraic Geometry：A First Course》Joe Harris（代数几何）GTM134《Coding and Information Theory》Steven RomanGTM135《Advanced Linear Algebra》Steven RomanGTM136《Algebra：An Approach via Module Theory》William A.Adkins, Steven H.WeintraubGTM137《Harmonic Function Theory》Sheldon Axler, Paul Bourdon, Wade Ramey（调和函数理论）GTM138《A Course in Computational Algebraic Number Theory》Henri Cohen（计算代数数论教程）GTM139《Topology and Geometry》Glen E.BredonGTM140《Optima and Equilibria：An Introduction to Nonlinear Analysis》Jean-Pierre AubinGTM141《A Computational Approach to Commutative Algebra》Gröbner Bases, Thomas Becker, Volker Weispfenning, Heinz KredelGTM142《Real and Functional Analysis》Serge Lang（3ed.）GTM143《Measure Theory》J.L.DoobGTM144《Noncommutative Algebra》Benson Farb, R.Keith DennisGTM145《Homology Theory：An Introduction to Algebraic Topology》James W.Vick（同调论：代数拓扑简介）GTM146《Computability：A Mathematical Sketchbook》Douglas S.BridgesGTM147《Algebraic K-Theory and Its Applications》Jonathan Rosenberg（代数K理论及其应用）GTM148《An Introduction to the Theory of Groups》Joseph J.Rotman（群论入门）GTM149《Foundations of Hyperbolic Manifolds》John G.Ratcliffe（双曲流形基础）GTM150《Commutative Algebra with a view toward Algebraic Geometry》David EisenbudGTM151《Advanced Topics in the Arithmetic of Elliptic Curves》Joseph H.Silverman（椭圆曲线的算术高级选题）GTM152《Lectures on Polytopes》Günter M.ZieglerGTM153《Algebraic Topology：A First Course》William Fulton（代数拓扑）GTM154《An introduction to Analysis》Arlen Brown, Carl PearcyGTM155《Quantum Groups》Christian Kassel（量子群）GTM156《Classical Descriptive Set Theory》Alexander S.KechrisGTM157《Integration and Probability》Paul MalliavinGTM158《Field theory》Steven Roman（2ed.）GTM159《Functions of One Complex Variable VolⅡ》John B.ConwayGTM160《Differential and Riemannian Manifolds》Serge Lang（微分流形和黎曼流形）GTM161《Polynomials and Polynomial Inequalities》Peter Borwein, Tamás Erdélyi（多项式和多项式不等式）GTM162《Groups and Representations》J.L.Alperin, Rowen B.Bell（群及其表示）GTM163《Permutation Groups》John D.Dixon, Brian Mortime rGTM164《Additive Number Theory：The Classical Bases》Melvyn B.NathansonGTM165《Additive Number Theory：Inverse Problems and the Geometry of Sumsets》Melvyn B.NathansonGTM166《Differential Geometry：Cartan's Generalization of Klein's Erlangen Program》R.W.SharpeGTM167《Field and Galois Theory》Patrick MorandiGTM168《Combinatorial Convexity and Algebraic Geometry》Günter Ewald（组合凸面体和代数几何）GTM169《Matrix Analysis》Rajendra BhatiaGTM170《Sheaf Theory》Glen E.Bredon（2ed.）GTM171《Riemannian Geometry》Peter Petersen（黎曼几何）GTM172《Classical Topics in Complex Function Theory》Reinhold RemmertGTM173《Graph Theory》Reinhard Diestel（图论）（3ed.）GTM174《Foundations of Real and Abstract Analysis》Douglas S.Bridges（实分析和抽象分析基础）GTM175《An Introduction to Knot Theory》W.B.Raymond LickorishGTM176《Riemannian Manifolds：An Introduction to Curvature》John M.LeeGTM177《Analytic Number Theory》Donald J.Newman（解析数论）GTM178《Nonsmooth Analysis and Control Theory》F.H.clarke, Yu.S.Ledyaev, R.J.Stern, P.R.Wolenski（非光滑分析和控制论）GTM179《Banach Algebra Techniques in Operator Theory》Ronald G.Douglas（2ed.）GTM180《A Course on Borel Sets》S.M.Srivastava（Borel 集教程）GTM181《Numerical Analysis》Rainer KressGTM182《Ordinary Differential Equations》Wolfgang WalterGTM183《An introduction to Banach Spaces》Robert E.MegginsonGTM184《Modern Graph Theory》Béla Bollobás（现代图论）GTM185《Using Algebraic Geomety》David A.Cox, John Little, Donal O’Shea（应用代数几何）GTM186《Fourier Analysis on Number Fields》Dinakar Ramakrishnan, Robert J.Valenza GTM187《Moduli of Curves》Joe Harris, Ian Morrison（曲线模）GTM188《Lectures on the Hyperreals：An Introduction to Nonstandard Analysis》Robert GoldblattGTM189《Lectures on Modules and Rings》m（模和环讲义）GTM190《Problems in Algebraic Number Theory》M.Ram Murty, Jody Esmonde（代数数论中的问题）GTM191《Fundamentals of Differential Geometry》Serge Lang（微分几何基础）GTM192《Elements of Functional Analysis》Francis Hirsch, Gilles LacombeGTM193《Advanced Topics in Computational Number Theory》Henri CohenGTM194《One-Parameter Semigroups for Linear Evolution Equations》Klaus-Jochen Engel, Rainer Nagel（线性发展方程的单参数半群）GTM195《Elementary Methods in Number Theory》Melvyn B.Nathanson（数论中的基本方法）GTM196《Basic Homological Algebra》M.Scott OsborneGTM197《The Geometry of Schemes》David Eisenbud, Joe HarrisGTM198《A Course in p-adic Analysis》Alain M.RobertGTM199《Theory of Bergman Spaces》Hakan Hedenmalm, Boris Korenblum, Kehe Zhu（Bergman空间理论）GTM200《An Introduction to Riemann-Finsler Geometry》D.Bao, S.-S.Chern, Z.Shen GTM201《Diophantine Geometry An Introduction》Marc Hindry, Joseph H.Silverman GTM202《Introduction to Topological Manifolds》John M.LeeGTM203《The Symmetric Group》Bruce E.SaganGTM204《Galois Theory》Jean-Pierre EscofierGTM205《Rational Homotopy Theory》Yves Félix, Stephen Halperin, Jean-Claude Thomas（有理同伦论）GTM206《Problems in Analytic Number Theory》M.Ram MurtyGTM207《Algebraic Graph Theory》Chris Godsil, Gordon Royle（代数图论）GTM208《Analysis for Applied Mathematics》Ward CheneyGTM209《A Short Course on Spectral Theory》William Arveson（谱理论简明教程）GTM210《Number Theory in Function Fields》Michael RosenGTM211《Algebra》Serge Lang（代数）GTM212《Lectures on Discrete Geometry》Jiri Matousek（离散几何讲义）GTM213《From Holomorphic Functions to Complex Manifolds》Klaus Fritzsche, Hans Grauert（从正则函数到复流形）GTM214《Partial Differential Equations》Jüergen Jost（偏微分方程）GTM215《Algebraic Functions and Projective Curves》David M.Goldschmidt（代数函数和投影曲线）GTM216《Matrices：Theory and Applications》Denis Serre（矩阵：理论及应用）GTM217《Model Theory An Introduction》David Marker（模型论引论）GTM218《Introduction to Smooth Manifolds》John M.Lee（光滑流形引论）GTM219《The Arithmetic of Hyperbolic 3-Manifolds》Colin Maclachlan, Alan W.Reid GTM220《Smooth Manifolds and Observables》Jet Nestruev（光滑流形和直观）GTM221《Convex Polytopes》Branko GrüenbaumGTM222《Lie Groups, Lie Algebras, and Representations》Brian C.Hall（李群、李代数和表示）GTM223《Fourier Analysis and its Applications》Anders Vretblad（傅立叶分析及其应用）GTM224《Metric Structures in Differential Geometry》Gerard Walschap（微分几何中的度量结构）GTM225《Lie Groups》Daniel Bump（李群）GTM226《Spaces of Holomorphic Functions in the Unit Ball》Kehe Zhu（单位球内的全纯函数空间）GTM227《Combinatorial Commutative Algebra》Ezra Miller, Bernd Sturmfels（组合交换代数）GTM228《A First Course in Modular Forms》Fred Diamond, Jerry Shurman（模形式初级教程）GTM229《The Geometry of Syzygies》David Eisenbud（合冲几何）GTM230《An Introduction to Markov Processes》Daniel W.Stroock（马尔可夫过程引论）GTM231《Combinatorics of Coxeter Groups》Anders Bjröner, Francesco Brenti（Coxeter 群的组合学）GTM232《An Introduction to Number Theory》Graham Everest, Thomas Ward（数论入门）GTM233《Topics in Banach Space Theory》Fenando Albiac, Nigel J.Kalton（Banach空间理论选题）GTM234《Analysis and Probability：Wavelets, Signals, Fractals》Palle E.T.Jorgensen（分析与概率）GTM235《Compact Lie Groups》Mark R.Sepanski（紧致李群）GTM236《Bounded Analytic Functions》John B.Garnett（有界解析函数）GTM237《An Introduction to Operators on the Hardy-Hilbert Space》Rubén A.Martínez-Avendano, Peter Rosenthal（哈代-希尔伯特空间算子引论）GTM238《A Course in Enumeration》Martin Aigner（枚举教程）GTM239《Number Theory：VolumeⅠTools and Diophantine Equations》Henri Cohen GTM240《Number Theory：VolumeⅡAnalytic and Modern Tools》Henri Cohen GTM241《The Arithmetic of Dynamical Systems》Joseph H.SilvermanGTM242《Abstract Algebra》Pierre Antoine Grillet（抽象代数）GTM243《Topological Methods in Group Theory》Ross GeogheganGTM244《Graph Theory》J.A.Bondy, U.S.R.MurtyGTM245《Complex Analysis：In the Spirit of Lipman Bers》Jane P.Gilman, Irwin Kra, Rubi E.RodriguezGTM246《A Course in Commutative Banach Algebras》Eberhard KaniuthGTM247《Braid Groups》Christian Kassel, Vladimir TuraevGTM248《Buildings Theory and Applications》Peter Abramenko, Kenneth S.Brown GTM249《Classical Fourier Analysis》Loukas Grafakos（经典傅里叶分析）GTM250《Modern Fourier Analysis》Loukas Grafakos（现代傅里叶分析）GTM251《The Finite Simple Groups》Robert A.WilsonGTM252《Distributions and Operators》Gerd GrubbGTM253《Elementary Functional Analysis》Barbara D.MacCluerGTM254《Algebraic Function Fields and Codes》Henning StichtenothGTM255《Symmetry Representations and Invariants》Roe Goodman, Nolan R.Wallach GTM256《A Course in Commutative Algebra》Kemper GregorGTM257《Deformation Theory》Robin HartshorneGTM258《Foundation of Optimization》Osman GülerGTM259《Ergodic Theory：with a view towards Number Theory》Manfred Einsiedler, Thomas WardGTM260《Monomial Ideals》Jurgen Herzog, Takayuki HibiGTM261《Probability and Stochastics》Erhan CinlarGTM262《Essentials of Integration Theory for Analysis》Daniel W.StroockGTM263《Analysis on Fock Spaces》Kehe ZhuGTM264《Functional Analysis, Calculus of Variations and Optimal Control》Francis ClarkeGTM265《Unbounded Self-adjoint Operatorson Hilbert Space》Konrad Schmüdgen GTM266《Calculus Without Derivatives》Jean-Paul PenotGTM267《Quantum Theory for Mathematicians》Brian C.HallGTM268《Geometric Analysis of the Bergman Kernel and Metric》Steven G.Krantz GTM269《Locally Convex Spaces》M.Scott Osborne。

3)本课题研究得到国家自然科学基金(No.60573085)和国家重点基础研究973计划(No.2002CB312001)的资助。

陈铭松　硕士研究生,主要研究方向为模型检验、软件测试;赵建华　教授,硕导,主要研究方向为形式化方法、软件工程及程序设计语言;李宣东　教授,博导,主要研究方向为面向对象技术、形式化方法;郑国梁　教授,博导,主要研究方向为软件工程、软件开发环境及面向对象技术。

计算机科学2007Vol 134№11一种动态消减时间自动机可达性搜索空间的方法3)陈铭松　赵建华　李宣东　郑国梁(南京大学计算机软件新技术国家重点实验室,南京大学计算机科学与技术系　南京210093)摘　要　时间自动机的可达性分析算法通常采用对符号状态的枚举来遍历其状态空间。

符号状态由位置与时间区域组成,时间区域用形如x -y ≤(<)n 的原子公式的合取式来表示。

在对时间自动机进行可达性分析的过程中,分析算法将生成大量的符号状态,往往导致对计算机内存的需求超出了可行的范围。

本文给出了一个消减符号状态个数的方法。

该方法通过对符号状态间的依赖关系进行分析,在不影响分析结果的前提下消去某些时间区域的原子公式,从而扩展符号状态。

扩展后的符号状态包含有更加多的其它的状态,通过删除掉那些被包含的符号状态可以减少算法存储的状态个数,节省存储空间。

本文最后给出了相关的案例分析,结果表明这个算法有效地减少了某些时间自动机可达性分析过程中所需的存储空间。

关键词　时间自动机,模型检验,符号状态,时间区域　An Algorithm to Dynamically R educe the State Space of TimedAutomata during the R eachability AnalysisCH EN Ming 2Song ZHAO Jian 2Hua L I Xuan 2Dong ZH EN G Guo 2Liang(National Laboratory of Novel Software Technology ,Depart ment of Computer Science and Technology ,Nanjing University ,Nanjing 210093)Abstract The reachability analysis algorithm explores the state space of a timed automaton by enumeration of symbolic states.Each symbolic state consists of a location and a time zone which are conjunctions of automatic formulae in the form x -y ≤(<)n .Sometimes the amount of generated symbolic states is very large ,the memory required to store the generated symbolic states is not feasible.In this paper ,we present an approach to reduce the memory requirement of the reachability analysis algorithm.By analyzing the dependence relation between symbolic states ,we can expand some of the symbolic states by removing specific kinds of atomic formulae without changing the reachability analysis re 2sult.The expanded states can contain more symbolic states.Removing these contained states can reduce the memory requirement of reachability analysis.The case studies presented in this paper show that our algorithm can save memory in the practical application efficiently.K eyw ords Timed automata ,Model checking ,Symbolic state ,Time zone 1　引言模型检验(model checking )[1]是一种被用来自动验证有穷状态系统的形式化技术。

ST语言中定时器转换为C语言的研究作者：李雨真来源：《计算机时代》2019年第06期摘; 要： C语言具有良好的可移植性，适合于可编程控制器（Programmable Logical Controller，PLC）的嵌入式系统实现和研发;而定时器在PLC系统负责时序逻辑描述，具有很重要的作用。

文章着重研究如何将PLC结构化文本（Structured Text，ST）语言中的定时器转换为C语言程序的问题。

介绍了ST定时器时间自动机模型的构建，以及将该时间自动机描述为C程序，并采用UPPAAL模型检测工具进行验证，从而保证转换前后功能的一致性。

关键词：结构化文本; 定时器; 时间自动机; UPPAAL中图分类号：TP301.6; ; ; ; ; 文献标志码：A; ; ;文章编号：1006-8228（2019）06-12-04Abstract： Having good portability， C language is suitable for realizing and developing the embedded system of programmable logical controller. And timer is responsible for sequential logic description and plays an important role in PLC system. This article focuses on how to convert the timer in PLC structured text （ST） language into C language. The construction of ST timer time automata model is introduced， and the model is described with C language program. The model checker UPPAAL is used for verification to ensure the consistency of functions before and after the conversion.Key words： structured text; timer; timed automata; UPPAAL0 引言随着电子技术的发展，嵌入式处理器的性能日益增强，逐渐达到PLC的性能要求。

第24 卷第9期2004 年9月计算机应用Comp uter ApplicationsVol. 24 No. 9Sept . 2004文章编号:1001 - 9081 (2004) 09 - 0129 - 03基于U PPAAL 的实时系统模型验证周清雷1 , 2 ,姬莉霞1 ,王艳梅1(1. 郑州大学信息工程学院,河南郑州450052 ; 2. 信息工程大学信息工程学院,河南郑州450002)(****************.cn)摘要: U PPAAL 是一种使用时间自动机模型的实时系统验证工具,它可以避免时间自动机求积时状态空间的爆炸。

介绍了时间自动机理论和工具U PPAAL ,着重说明如何用U PPAAL 迚行模型检查,幵给出了一个应用实例。

关键词:实时系统;模型检查;时间自动机;U PPAA L中图分类号: TP316. 2 ; TP301. 1 文献标识码:AModel checking of real2time systems based on UPPAALZHOU Qing2lei1 , 2 , J I Li2xia1 ,WAN G Yan2mei1(1 . School of Inf ormation Engineering , Zhengzhou University , Zhengzhou Henan 450052 , China;2 . C ollege of Inf ormation Engineering , Inf ormation Engineering University of PL A , Zhengzhou Henan 450002 , China)Abstract : U PPAAL is a tool for real2time system verification using timed automata model. U PPAAL can avoid the state space explosion when computing the product of timed automata. We introduced the theory of timed automata and U PPAAL , described ho w U PPAAL worked and gave an example of its application. Last , the development and foreground of U P PAAL were discussed.K ey words : real2time systems ; model checking ; timed automata ; U P PAAL0 引言实时系统是指能对来自所控制的外部环境(物理过程) 的交互作用做出及时响应以达预定目的的计算机系统,是一种定量的反应式系统[ 1 ] 。

现代电子技术Modern Electronics Technique2023年9月1日第46卷第17期Sep. 2023Vol. 46 No. 170 引 言随着长距离油气输送管道建设、运行及管理模式向“无人化/少人化”发展，自动化程度不断提升，管道输送工艺日趋复杂，无疑对管道控制系统的逻辑安全性与可靠性提出了更高的要求[1]。

相较于阀门、输油泵、压缩机等显性元件，基于元件间隐性逻辑关系的控制逻辑更被视为长输油气管道自动控制的核心。

管道控制逻辑多以逻辑图或程序流程图等图形化方式呈现，用于描述操作原理，为系统集成厂商提供相应的编程依据，可分为单体控制逻辑与联锁控制逻辑，单体控制逻辑用于描述设备本身所具有的逻辑功能，如调节阀、开关阀等，联锁控制逻辑则用于描述多台设备的联锁控制，如站启/停输、紧急停车（Emergency Shutdown System, ESD ）等[2]。

站场电动放空阀控制逻辑的形式化建模与验证董秀娟1， 赵浩羽2， 徐宝昌2， 周裕东2， 董长锁1， 赵正开1（1.国家管网集团北京管道有限公司， 北京 100101；2.中国石油大学（北京） 信息科学与工程学院， 北京 102249）摘 要： 在油气管道控制系统典型逻辑标准编制的早期，对拟标准化控制逻辑的建模与验证能够提前发现设计缺陷，有助于提高控制系统的功能完整性与安全性，进而避免因控制逻辑设计失误导致的危险事故发生。

根据形式化验证方法中模型检验的原理，利用时间自动机及其验证工具UPPAAL ，对天然气站场电动放空阀通用控制逻辑开展形式化建模与验证，将逻辑图中的各类功能组件以及阀门动作流程独立建模，用于刻画完整的控制逻辑操作过程，综合验证结果发现，阀门的“开”“关”切换逻辑存在设计缺陷。

最后，通过反例分析给出合理的优化方案，优化后的验证结果表明，优化方案能够满足控制系统功能完整性与安全性需求，形式化方法为管道站控系统控制逻辑可靠性验证提供了一个全新的技术路径。

文章编号：1673-0291（2023）02-0001-12DOI ：10.11860/j.issn.1673-0291.20220154第 47 卷 第 2 期2023 年 4 月Vol .47 N o .2Apr. 2023北京交通大学学报JOURNAL OF BEIJING JIAOTONG UNIVERSITYCTCS -1级列控系统无线广播通信场景建模与验证刘中田 1， 张茜 2， 赵焕 1（1.北京交通大学 电子信息工程学院，北京 100044；2.北京和利时系统工程有限公司，北京 100176）摘要：在高铁线路故障情况下，为了支持高铁动车组在普速线路上运行，国铁集团组织研究了高铁动车组利用普速线迂回运行系统.该系统车地间无线通信拟采用的无线单向广播方案，在现有的列控系统中从未使用过，对其进行建模与验证研究具有重要意义.通过分析CTCS -1级列控系统的总体技术规范，对无线广播通信场景进行详细设计和完善，采用SysML 语言对场景建模，通过设计SysML -PRISM 模型的转换规则将场景的SysML 模型转换为概率模型，得到由信道模块、车站数据服务器（Station Data Server ， SDS ）模块、列车模块构成的无线广播通信场景概率模型，采用概率模型检验工具PRISM 对场景的概率模型进行描述和验证.结果表明：场景设计合理、无线单向广播通信方式可行、SDS 规定的优先发送报文的次数应该为2次或3次.本文中对无线广播通信场景的研究能提早发现系统技术方案中可能存在的问题，为相关研究提供参考.关键词：列控系统；无线广播通信场景；概率模型检验；SysML ；车站数据服务器中图分类号：U238.2；TP301 文献标志码：AModeling and verification of radio broadcast communication scenariofor CTCS -1 train control systemLIU Zhongtian 1, ZHANG Xi 2, ZHAO Huan 1（1.School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing 100044, China ； 2.BeijngHollySys Co., Ltd., Beijing 100176, China ）Abstract :In order to support the operation of high -speed EMUs on common speed line after the fault of high -speed railway line, China Railway Group has organized and studied the circuitous operation system of high -speed railway EMUs using the common speed line. Radio one -way broadcasting method is used in the communication between the train and the ground of the system, which has never been used in the existing train control system before, so it is of great significance to model and analyze it. By analyzing the overall technical specification of CTCS -1 train control system, the radio broadcast communication scenario is designed and improved in detail. The scenario is modeled by SysML lan⁃guage, the SysML model is transformed into probability model through the designed conversion rule of SysML -PRISM model. Finally, the probability model of radio broadcast communication scenario composed of channel module, Station Data Server (SDS) module and train module is obtained. The probabilistic model checking tool PRISM is used to describe and verify the probability model of the收稿日期：2022-11-11；修回日期：2023-01-27基金项目：国家自然科学基金（52272328）Foundation item : National Natural Science Foundation of China （52272328）第一作者：刘中田（1979—），男，安徽蚌埠人，副教授，博士.研究方向为列控系统建模、可靠性、安全性研究.email ：***************.cn.引用格式：刘中田，张茜，赵焕.CTCS -1级列控系统无线广播通信场景建模与验证［J ］.北京交通大学学报，2023，47（2）：1-12.LIU Zhongtian ，ZHANG Xi ，ZHAO Huan.Modeling and verification of radio broadcast communication scenario for CTCS -1 train control system ［J ］.Journal of Beijing Jiaotong University ，2023，47（2）：1-12.（in Chinese ）北京交通大学学报第 47 卷scenario. The results indicate that the rationality of the scenario design, the feasibility of radio one-way broadcast communication, and the number of preferentially sending telegrams specified by SDS should be 2 or 3 times. The research of radio broadcast communication scenario can find the possible problems in the system technical scheme in advance and provide referencs for related research units.Keywords:train control system；radio broadcast communication scenario；probabilistic model check⁃ing； SysML； station data serverCTCS-0级列控系统的构成包括列车运行监控装置（Train Operation Monitoring Device，LKJ）及通用机车信号，LKJ在一些情况下具有安全隐患，如线路数据发生变化、机车长交路大面积运用、机车调配较频繁等情况［1-2］.目前装备CTCS-3级列控系统的高速动车组仅能运行在高速铁路上，不具备在普速线路运行的条件，当高速铁路某段线路发生故障后，如果动车组能够通过普速线路来绕过故障段，那么运输效率能够得到提升.基于以上两点原因，2020年，中国铁路总公司组织相关单位研究了C3高铁动车组利用普速线迂回运行系统（简称CTCS-1级列控系统）的总体技术方案，该系统在尽量减少对普速线路上既有设备改造的前提下，把普速线改造成CTCS-1级列控系统，不仅解决了CTCS-0级列控系统存在的安全相关问题，而且支持动车组在普速线路上运行.新提出的CTCS-1级列控系统的技术方案目前尚不成熟［3-4］，在当前的系统总体技术方案中，车地之间的通信采用基于400 MHz的无线单向广播通信方式，与现有的列控系统的车地通信方式有明显的差别，这种单向广播通信方式提高了列控数据传输的时效性和准确性，并且大大降低了运行成本和施工难度.对无线广播通信方式进行研究能提前发现系统技术方案中可能存在的问题.目前，对列控系统车地通信的研究主要集中在GSM-R（GSM for Railway）无线通信系统.赵会兵等［5］采用基于SimEvents和Stateflow的方法对C3车地无线通信系统建模，得到建立安全连接时间、无线应用消息传输延迟时间.徐田华等［6］采用CPN研究ETCS无线通信系统，仿真得到数据帧延迟时间概率分布.全宏宇等［7］利用概率模型检验工具PRISM建立C3无线通信系统的概率模型，得到系统的稳态概率、列车运行速度对无线通信可靠性的影响.Jansen等［8］采用StoCHARTS研究ETCS（Eu⁃rope Train Control System）无线通信系统，得到确定时间延迟下，信道可靠的概率.谢雨飞等［9］利用交互式马尔可夫链研究CTCS无线通信系统，结合模型检验算法，分析无线通信的可靠性.然而，以上的研究主要针对GSM-R无线通信系统，未涉及到对基于400 MHz无线单向广播通信方式的研究.本文根据CTCS-1级列控系统总体技术规范，对无线广播通信场景进行设计和完善，采用SysML 和PRISM相结合的方法对无线广播通信场景进行研究.首先建立了无线广播通信场景SysML模型，并通过设计SysML-PRISM模型的转换规则将场景的SysML模型转换为概率模型，最后采用概率模型检验工具PRISM对场景的概率模型进行验证分析，验证了无线广播通信场景设计的合理性，确定了无线通信参数，对CTCS-1级列控系统技术方案后续研究工作具有重要参考价值.1无线广播通信场景设计1.1CTCS-1级列控系统简介CTCS-1级列控系统由车载设备、地面设备组成，其结构图如图1所示.车载设备包括：主控单元、无线通信单元、轨道电路信息接收单元、应答器信息接收单元、数据记录单元、列车接口单元、人机界面、测速测距单元等.地面设备包括：车站数据服务器（Station Data Server， SDS）、联锁（Computer-Based Interlockin，CBI）、临时限速服务器（Temporary Speed Restriction Server，TSRS）、闭塞、轨道电路、应答器、400 MHz无线通信设备等.地面的核心设备是SDS，其根据自身存储的车站线路信息、从CBI 获得的进路信息、从TSRS获得的临时限速信息，生成无线报文，采用无线单向广播通信方式发送给列车，车载设备把无线报文、轨道电路码序相结合，生成监控列车运行的目标距离速度控制曲线［10］.1.2无线广播通信场景设计在CTCS-1级列控系统总体技术规范文档中，对无线广播通信场景的描述很少，缺少场景的详细细描述和设计.依据CTCS-1级列控系统的结构、功能以及技术规范，对无线广播通信场景进行设计，如图2所示.设定在图2所示的线路上有3列车运行，列车1办理正线发车进路，列车2办理侧线接车进路，列车3办理侧线通过进路.3列车在运行过程中车地之间的通信过程如下：1）车站未办理任何进路时，SDS从存储的线2刘中田等：CTCS-1级列控系统无线广播通信场景建模与验证第 2 期路数据中获取进站口处BYS、BS、BYX、BX共4个应答器的无进路状态的报文，以及出站口处BXF、BYXF、BSF、BYSF共4个应答器的报文.在无进路情况下SDS通过轮询方式广播无线报文的顺序为：应答器BYS报文、应答器BS报文、应答器BYX报文、应答器BX报文、应答器BXF报文、应答器BYXF报文、应答器BSF报文、应答器BYSF报文.2）随后，车站办理了列车1的下行正向正线发车进路，SDS根据联锁提供的正线发车进路信息和区间方向信息，结合线路数据和临时限速信息，SDS 生成针对应答器BXI、BSI的无线报文.然后，车站办理了列车2的下行正向侧线接车进路，SDS根据联锁提供的侧线接车进路信息和区间方向信息，结合线路数据和临时限速信息，SDS生成针对应答器图 1　CTCS-1级列控系统结构XⅠG列车3列车1图 2　无线广播通信场景设计的示意图Fig.2　Schematic diagram of radio broadcast communication scenario design3北京交通大学学报第 47 卷BYX、BX的无线报文.最后，车站办理了列车3的上行正向侧线通过进路，SDS根据联锁提供的侧线通过进路信息和区间方向信息，结合线路数据和临时限速信息，SDS生成针对应答器BYS、BS、BX4、BS4的无线报文.3）由于车站为上述3列车办理了进路，SDS应优先发送这3条进路对应的应答器的报文.在该情况下SDS以轮询方式向3列车广播无线报文的顺序变为：应答器BXI报文、应答器BSI报文、应答器BYX报文、应答器BX报文、应答器BYS报文、应答器BS报文、应答器BX4报文、应答器BS4报文、应答器BXF报文、应答器BYXF报文、应答器BSF报文、应答器BYSF报文.SDS每500 ms发送一条应答器报文.4）3列车运行过程中，每列车的车载设备实时接收SDS发送的所有应答器报文，并将接收到的报文存储在车载设备中.5）当列车1运行至应答器BSI时，车载设备从已经接收到的报文中根据应答器编号选取并使用应答器BSI的报文；当列车1运行至应答器BXI时，车载设备从已经接收到的报文中根据应答器编号选取并使用应答器BXI的报文；依据应答器报文提供的线路参数信息生成目标距离模式曲线，监控列车1完成正线发车.6）当列车2分别运行至应答器BYX、BX时，车载设备从已经接收到的报文中分别选取并使用相应应答器的报文，然后依据应答器报文提供的线路参数信息生成目标距离模式曲线，监控列车2完成侧线接车.7）当列车3分别运行至应答器BYS、BS、BX4、BS4时，车载设备从已经接收到的报文中分别选取并使用相应应答器的报文，然后依据应答器报文提供的线路参数信息生成目标距离模式曲线，监控列车3完成侧线通过.2基于SysML和PRISM的建模验证本文提出基于SysML和PRISM的建模与验证方法，避免直接使用概率模型检验方法进行建模，降低了概率模型检验方法的使用难度，同时为SysML 模型的形式化验证和分析提供参考.首先采用SysML建模语言对场景进行建模，为场景验证提供基础模型.其次设计SysML模型-PRISM模型的转换规则，从而得到场景的PRISM模型，并采用概率模型检验工具PRISM进行验证［11-12］.2.1概率模型检验工具PRISMPRISM是一种开源的概率模型检验工具，可以对具有随机特性或概率行为的系统进行建模分析［13］.如分析系统在4 h后的失效概率，30 min后消息队列的预期大小等.PRISM检验的框架如图3所示［14-15］.从图3中可以看出，概率模型检验工具PRISM有两个输入：1）用PRISM描述的系统概率模型，PRISM支持的概率模型有：连续时间马尔可夫链（Continous-Times Markov Chain， CTMC）、离散时间马尔可夫链（Dis⁃crete Time Markov Chain， DTMC）、概率时间自动机（Probabilistic Timed Automata， PTA）、马尔可夫决策过程（Markov Decisim Praess， MDP）等［16-17］；2）用概率时序逻辑描述的系统属性，PRISM中用概率计算树逻辑（Probabilistic Computational Tree Logic，PCTL）来刻画DTMC、MDP、PTA模型的属性规范，用连续时间随机逻辑（Stochastu Logic， CSL）来刻画CTMC 模型的属性规范［18］用PRISM描述系统的概率模型时，最重要的部分是模块、变量.每个模块的格式为：module name...endmodule每个模块的定义包含变量和命令两部分.变量描述了模块可以处于的状态，命令描述了状态随时间变化的行为，命令的格式如下：［action］guard -> prob_1 ：update_1 + … + prob_n ： update_n；其中如果条件（guard）为真，模块的变量将按照相应的概率进行更新.用PRISM完成对系统的概率模型的描述之后，需要用概率时序逻辑描述模型待分析的性质. PRISM的概率时序逻辑中最重要的运算符是P运算符和S运算符.其中P运算符用来推理事件发生的概率，适用于PRISM支持的所有概率模型.P运算符的格式为：P bound ［pathprop］，其在模型的状态s中为真，表示“来自状态s的路径满足路径属性pathprop的概率满足边界bound”.S运算符用来推理模型的稳态行为，即模型在长期或均衡中的行为，适用于PRISM支持的DTMC和CTMC模型.S运算符的格式为：S bound ［prop］，其在模型的状态s中图 3　PRISM检验框架Fig.3　Structure of PRISM checker4刘中田等：CTCS-1级列控系统无线广播通信场景建模与验证第 2 期为真，表示“从s开始，处于满足PRISM 属性 prop 的状态的稳态（长期）概率满足边界bound”.用概率时序逻辑完成对模型待分析性质的描述之后，在PRISM中进行验证，进而得到验证结果.2.2SysML模型到PRISM模型的转换规则建立SysML活动图到PRISM模型的转换规则，具体的转换过程如下：1）SysML活动图简化.复杂SysML活动图包含顶层活动图、活动子图，需要将其分解为多个仅包含基本元素的标准化活动图［19］.2）标准化活动图转换.以一个标准化活动图的转换为例，首先识别出该标准化SysML活动图中的所有基本元素，其次把每个基本元素转换为概率模型，活动图中若未标记概率则默认为条件满足时活动发生概率为1，最后用PRISM语言描述转换后的概率模型.把所有基本元素转换后的概率模型组合在一起得到整个SysML活动图转换后的概率模型，用PRISM语言对其进行描述，最终完成该标准化活动图到PRISM模型的转换.SysML活动图中的每个基本元素转换为PRISM模型的规则［20-22］如表1所示.规则1：初始节点的转换.初始节点标志着活动图的起点，其标识法是一个小的实心圆形，一般仅有一条输出边.在表1中，活动由初始节点开始后到达活动A，首先把其转换为概率模型，再把概率模型用PRISM语言描述.规则2：动作节点的转换.动作节点是活动图的基本节点，描述创建、调用、销毁一个对象的方法，用圆角矩形表示.表1中描述了存在一个输入转移A 和一个输出转移B的动作节点的转换过程.规则3：活动最终节点的转换.活动最终节点标记整个活动图的结束，其标识法是包含小的实心圆形的圆形，在一个活动图中可以添加多个活动最终节点.规则4：分支节点的转换.分支节点代表活动中并发序列的开始，其标识法是具有一条输入边、多条输出边的线段，令牌到达分支节点后提供给所有的输出边.规则5：流最终节点的转换.流最终节点代表单个控制流的结束.其标识法是包含×的圆形，令牌到达流最终节点后会被销毁.规则6：集合节点的转换.集合节点代表并发序列的结束，其标识法是具有多条输入边、一条输出边的线段.规则7：决定节点的转换.决定节点代表可选序列的开始，其标识法是具有一条输入边、多条输出边的菱形.在表1中，决定节点有两条输出边.规则8：合并节点的转换.合并节点代表可选序列的结束，其标识法是具有多条输入边、一条输出边的空心菱形.表 1　活动图中的基本元素的转换规则Tab.1　T ransformation rules for basic elements in activity diagram初始节点的转换动作节点的转换活动最终节点的转换分支节点的转换Initial: bool init trueA: [0. . M] init 0;[Initial]Initial & A<M->(Initial'=false) & (A'=A+1);A: [0. . M] init M;B: [0. . M] init 0;A>0 & B<M->(A'=A-1) & (B'=B+1);A: [0. . M] init M;Final: bool init false;[A]A>0 &! Final->(A'=A-1)&(Final'=true);A: [0. . M] init M;B: [0. . M] init 0;C: [0. . M] init 0;[A]A>0 & B<M & C<M-> (A'=A-1) & (B'=B+1) & (C'=C+1);规则SysML活动图片段活动图转换后的概率模型用PRISM语言描述的概率模型5北京交通大学学报第 47 卷流最终节点的转换集合节点的转换决定节点的转换合并节点的转换A: [0. . M] init M;FlowFinal: [0. . M] init 0;[A]A>0 & FlowFinal<M->(A'=A-1) & (FlowFinal'= FlowFinal +1);formula Join = Join_pin1>0 & Join_pin2>0;formula Join=Join_pin1>0 & Join_pin2>0;A: [0. . M] init M;B: [0. . M] init M;Join_pin1: [0. . M] init 0;Join_pin2: [0. . M] init 0;C: [0. . M] init 0;[A]A>0 & Join_pin1<M->(A'=A-1) & (Join_pin1'= Join_pin1 +1);[A]B>0 & Join_pin2<M->(B'=B-1) & (Join_pin2'= Join_pin2 +1);Join & C<M-> (Join_pin1'= Join_pin1 -1)& (Join_pin2'= Join_pin2 -1) & (C'=C+1);A: [0. . M] init M;B: [0. . M] init 0;C: [0. . M] init 0;[A]A>0 & B<M & C<M->p:(A'=A-1) & (B'=B+1)+(1-p): (A'=A-1) & (C'=C+1);A: [0. . M] init M;B: [0. . M] init M;C: [0. . M] init 0;[A]A>0 & C<M & C<M-> (C'=C+1) &(A'=A-1);[B]B>0 & C<M & C<M-> (C'=C+1) &(B'=B-1);续表规则SysML活动图片段活动图转换后的概率模型用PRISM语言描述的概率模型3无线广播通信场景建模与验证3.1无线广播通信场景SysML模型根据1.2节中设计的无线广播通信场景，使用EA软件建立无线广播通信场景的活动图.活动图表示随着时间的推移，行为和事件的发生序列，可以通过行为来表示事件、数据或能量的流动［23］.无线广播通信场景的活动图如图4和图5所示.在1.2节中设计的3列车的车地通信流程的基础上，图4中的活动图描述了车站数据服务器向列车车载设备发送无线报文的过程.当车站数据服务器向列车发送无线报文时，考虑到无线通信信道是否故障以及其他因素的影响，假设信道正常时，车站数据服务器成功向列车发送报文，信道故障时，车站数据服务器向列车发送报文失败.同时车站数据服务器以500 ms为周期向列车广播无线报文，即车站数据服务器每500 ms发送一条应答器报文.图4中用到了等待时间动作，启动等待时间动作后，开始计时，500 ms后，执行过程会进入下一个节点.图5中的活动图描述了3列车接收车站数据服务器发送的无线报文的过程.办理进路后，列车运行至应答器，如果车站数据服务器发送报文成功，列车接收到该应答器报文，如果车站数据服务器发送报文失败，则列车接收不到该应答器报文.3.2无线广播通信场景概率模型DTMC模型的数学定义为：D=（S，s_0，P，L），其中S为模型所有的有限状态；s_0∈S表示模型的初始状态；P：S×S→［0，1］为概率转移矩阵；L：S→6刘中田等：CTCS-1级列控系统无线广播通信场景建模与验证第 2 期2^AP表示一系列来自原子命题的功能标签.SDS 向列车发送无线报文时，如果从CBI、TSRS获取的进路信息或者临时限速信息发生变化时，要优先选择该进路的无线报文发送，SDS根据配置信息选择图 4　SDS发送无线报文的活动图Fig.4　Activity diagram of SDS sending radio messages7北京交通大学学报第 47 卷优先发送机制，将需要优先发送的报文在发送队列中优先发送2~6次.如果SDS将需要优先发送的报文发送的次数过多，会导致车站中的某些列车不能及时接收到其进路上的应答器的报文，进而影响该列车的运行.因此，SDS的优先发送机制中规定的优先发送报文的次数取2~6之间的任意整数是否合理有待验证.按照2.2节中提出的SysML模型转换为PRISM模型的规则，把无线广播通信场景的活动图转换为适用于概率模型检验工具PRISM进行验证的概率模型.将SDS发送无线报文的活动图映射为概率模型中的SDS模块，将3列车接收并选用无线报文的活动图映射为概率模型中的列车模块，在此基础上，在概率模型中添加信道模块，信道模块用来描述无线通信信道的随机特征.在无线广播通信场景的概率模型中添加的信道模块如图6所示，信道模块一共有3个状态，chan⁃nel0代表信道空闲，channel1代表信道占用，chan⁃nel2代表信道故障.当无线通信信道空闲时，以概率P1进入到信道占用状态，以概率1-P1进入到信道故障状态.当信道占用时，以概率1进入信道空闲状态.当信道故障时，以概率0.98进入信道空闲状态，以概率0.02返回到信道故障状态.无线广播通信场景的概率模型中的SDS模块是由3.1节中建立的SDS发送无线报文的活动图转换得到的.按照提出的SysML-PRISM模型的转换规则，考虑通信过程中的误码问题，在转换后的概率模型上增加误码率Pe得到SDS模块，如图7所示. SDS模块一共有4个状态，SDS0表示SDS处于无连接状态，SDS1表示SDS处于开始发送某个应答器的图 5　列车接收并选用无线报文的活动图Fig.5　Activity diagram of the three trains receiving and selecting radio messages 8刘中田等：CTCS -1级列控系统无线广播通信场景建模与验证第 2 期报文的状态，SDS 2表示SDS 处于成功发送该应答器的报文的状态，SDS 3表示SDS 发送该应答器的报文失败的状态.当SDS 处于状态SDS 0时，以概率1转移到状态SDS 1.当SDS 处于状态SDS 1时，如果满足条件①，那么以概率1−Pe 转移到状态SDS 2，以概率Pe 转移到状态SDS 3.当SDS 处于状态SDS 1时，如果满足条件②，那么以概率1转移到状态SDS 3.当SDS 处于状态SDS 2或者状态SDS 3时，如果满足条件③，那么以概率1转移到状态SDS 1；如果满足条件④，那么以概率1转移到状态SDS 0.无线广播通信场景的概率模型中的列车模块是由3.1节中建立的3列车接收并选用无线报文的活动图转换得到的.按照提出的SysML -PRISM 模型的转换规则，转换后的列车模块如图8所示. 信道模块、SDS 模块、列车模块中状态转移条件和变量的含义如表2和表3所示.Train10表示列车1处于无连接状态，Train11表示列车1处于接收SDS 发送的应答器报文的状态，Train12表示列车1处于到达应答器BSI 时已经收到该应答器报文的状态，Train13表示列车1处于到达应答器BSI 时未收到该应答器报文的状态.当列车1处于状态Train10时，以概率1转移到状态Train11.当列车1处于状态Train11时，如果满足条件⑤，那么以概率1转移到状态Train12；如果满足条件⑥，那么以概率1转移到状态Train13.Train20表示列车2处于无连接状态，Train21表示列车2处于接收SDS 发送的应答器报文的状态，Train22表示列车2处于到达应答器BYX 时已经收到该应答器报文的状态，Train23表示列车2处于到达应答器BYX 时未收到该应答器报文的状态，Train24表示列车2处于到达应答器BX 时已经收到该应答器报文的状态，Train25表示列车2处于到达应答器BX 时未收到该应答器报文的状态.当列车2处于状态Train20时，以概率1转移到状态Train21.当列车2处于状态Train21时，如果满足条件⑦，那么以概率1转移到状态Train22；如果满足条件⑧，那么以概率1转移到状态Train23；如果满足条件⑨，那么以概率1转移到状态Train24；如果满足条件⑩，那么以概率1转移到状态Train25.Train30表示列车3处于无连接状态，Train31表示列车3处于接收SDS 发送的应答器报文的状态，Train32表示列车3处于到达应答器BYS 时已经收Fig.7　SDS module in probability model图 6　概率模型中的信道模块Fig.6　Channel module in probability model（a ）列车1模型列车2模型列车3模型（b ）（c ）图8　概率模型中的列车模块Fig.8　Train module in probability model9北京交通大学学报第 47 卷到该应答器报文的状态，Train33表示列车3处于到达应答器BYS时未收到该应答器报文的状态，Train34表示列车3处于到达应答器BS时已经收到该应答器报文的状态，Train35表示列车3处于到达应答器BS时未收到该应答器报文的状态.当列车3处于状态Train30时，以概率1转移到状态Train31.当列车3处于状态Train31时，如果满足条件⑪，那么以概率1转移到状态Train32；如果满足条件⑫，那么以概率1转移到状态Train33；如果满足条件⑬，那么以概率1转移到状态Train34；如果满足条件⑭，那么以概率1转移到状态Train35.信道模块、SDS模块、列车模块共同组成了无线广播通信场景的概率模型.采用PRISM语言描述建立场景的概率模型，具体的描述过程不再详细介绍.3.3无线广播通信场景概率模型形式化验证采用概率模型检验工具PRISM验证场景概率模型，设置无线通信信道无故障概率P1=0.9，通信误码率p e=1×10−6.目标是确定SDS的优先发送机制中规定的优先发送变化报文的次数N取2~6之间的任意整数是否合理，然后用概率计算树逻辑PCTL对待分析的性质进行描述.1）性质1：在一定的信道无故障概率和通信误码率下，当SDS的优先发送机制中规定的优先发送变化报文的次数N分别取2、3、4、5、6时，列车1运行至应答器BSI时，计算已经收到该应答器报文的概率PRISM语言：P=？［F （train1=2）］；其中train= 2表示列车1运行至~应答器BSI时已经收到该应答器的报文.性质1的验证结果如表4所示.2）性质2：在一定的信道无故障概率和通信误码率下，当SDS的优先发送机制中规定的优先发送变化报文的次数N分别取2、3、4、5、6时，列车2运行至应答器BYX时，计算已经收到该应答器报文的概率PRISM语言：P=？［F （train2=2）］；其中train2= 2表示列车2运行至应答器BYX时已经收到该应答器的报文，性质2的验证结果如表4所示.3）性质3：在一定的信道无故障概率和通信误码率下，当SDS的优先发送机制中规定的优先发送变化报文的次数N分别取2、3、4、5、6时，列车2运行至应答器BX时，计算已经收到该应答器报文的概率PRISM语言：P=？［F （train2=4）］；其中train2= 4表示列车2运行至应答器BX时已经收到该应答器表 4　性质1~性质5的验证结果Tab.4　V erification results of properties 1 to 5 N23456性质10.990 380.997 250.999 210.999 780.999 94性质20.985 430.995 840.998 810.999 660.998 81性质30.999 990.999 990.999 990.999 990.999 90性质40.985 430.995 83性质50.999 990.999 970.999 990.999 650.999 90表 3　无线广播通信场景概率模型中变量的含义Tab.3　T he meaning of variables in probability model of radio broadcast communication scenario变量P1 p e recs recf priorityNT1 T2 T3 T4 T5 recs1 recs2 recs3 recs4 recs5含义信道无故障概率车地通信的误码率SDS发送某个应答器的报文成功的次数SDS发送某个应答器的报文失败的次数SDS重复发送某个应答器报文的次数SDS的优先发送机制中规定的优先发送变化报文的次数（N取2~6之间的任意整数）列车1从开始运行至到达应答器BSI时所用的时间列车2从开始运行至到达应答器BYX时所用的时间列车2从开始运行至到达应答器BX时所用的时间列车3从开始运行至到达应答器BYS时所用的时间列车3从开始运行至到达应答器BS时所用的时间SDS发送应答器BSI的报文成功的次数SDS发送应答器BYX的报文成功的次数SDS发送应答器BX的报文成功的次数SDS发送应答器BYS的报文成功的次数SDS发送应答器BS的报文成功的次数表 2　无线广播通信场景概率模型中状态转移条件Tab.2　S tate transition conditions in probability model of ra⁃dio broadcast communication scenario数字①②③④⑤⑥⑦⑧⑨⑩⑪⑫⑬⑭状态转移条件channel!=2；1-Pe: recs:=recs+1；priority:=priority+1；Pe: recf:=recf+1；priority:=priority+1；channel=2；recf:=recf+1；priority:=priority+1；priority<N；priority=N；t=T1；recs1>0；t=T1；recs1=0；t=T2；recs2>0；t=T2；recs2=0；t=T3；recs3>0；t=T3；recs3=0；t=T4；recs4>0；t=T4；recs4=0；t=T5；recs5>0；t=T5；recs5=0；10。

高中英语哲学思想单选题50题1. Which of the following statements best represents the idea of Plato's Theory of Forms?A. The physical world is the ultimate reality.B. Ideas are more real than the physical objects.C. Sensory experiences are the only source of knowledge.D. Everything is constantly changing and unpredictable.答案：B。

柏拉图的理念论认为理念（形式）比具体的物质世界更真实，A 选项说物质世界是终极现实，与柏拉图的观点相悖；C 选项感官经验是唯一知识来源并非柏拉图的观点；D 选项一切都在不断变化且不可预测不符合柏拉图的理念论。

2. In Aristotelian philosophy, the concept of "entelechy" refers to:A. The potentiality of a thing to become something else.B. The final cause that guides the development of a thing.C. The randomness in the evolution of all beings.D. The complete absence of purpose in nature.答案：B。

亚里士多德哲学中的“隐德来希”指的是引导事物发展的最终原因，A 选项指的是事物成为其他东西的可能性；C 选项说的是所有生物进化的随机性不符合；D 选项自然界完全没有目的也不正确。

3. According to Stoicism, which of the following is most important for a person to achieve inner peace?A. Pursuing pleasure and material wealth.B. Controlling one's emotions and accepting fate.C. Always striving to change the external world.D. Focusing on personal achievements and recognition.答案：B。

自然哲学的数学原理英语The principles of natural philosophy, when intertwinedwith mathematics, reveal a harmonious language that the universe speaks. This language is not just a set of equations, but a profound expression of the cosmos's order and symmetry.From the orbits of celestial bodies to the patterns on a butterfly's wings, mathematics provides the framework to understand the intricate designs of nature. It is throughthis lens that we can glimpse the elegance of natural laws, which govern everything from the smallest atom to the vast expanse of galaxies.As we delve deeper into the realm of natural philosophy, mathematics serves as a bridge connecting the observable phenomena with the underlying principles. It is through mathematical models that we can predict and explain the behavior of natural systems, from the tides of the ocean tothe life cycles of species.Moreover, the application of mathematics in natural philosophy has led to groundbreaking discoveries. For instance, the laws of motion and gravity, derived from mathematical principles, have revolutionized ourunderstanding of the physical world and our place within it.In essence, the marriage of natural philosophy and mathematics is a testament to the interconnectedness of allthings. It is a reminder that the universe is a complex tapestry woven from the threads of mathematics, and by studying these threads, we can unravel the mysteries of our existence.As we continue to explore the cosmos and the natural world, the role of mathematics in natural philosophy will only grow. It is through this powerful tool that we can hope to understand the universe's deepest secrets and perhaps one day, find our place within it.In conclusion, the mathematical principles of natural philosophy are not just about solving equations; they are about understanding the fundamental nature of reality. As we continue to learn and grow, may we always remember the beauty and power of this mathematical language that speaks to the very core of existence.。

时间理解论下载温馨提示：该文档是我店铺精心编制而成，希望大家下载以后，能够帮助大家解决实际的问题。

文档下载后可定制随意修改，请根据实际需要进行相应的调整和使用，谢谢!并且，本店铺为大家提供各种各样类型的实用资料，如教育随笔、日记赏析、句子摘抄、古诗大全、经典美文、话题作文、工作总结、词语解析、文案摘录、其他资料等等，如想了解不同资料格式和写法，敬请关注!Download tips: This document is carefully compiled by the editor. I hope that after you download them, they can help yousolve practical problems. The document can be customized and modified after downloading, please adjust and use it according to actual needs, thank you!In addition, our shop provides you with various types of practical materials, such as educational essays, diary appreciation, sentence excerpts, ancient poems, classic articles, topic composition, work summary, word parsing, copy excerpts,other materials and so on, want to know different data formats and writing methods, please pay attention!时间是一个非常奇妙的概念。

在我们的日常生活中，时间似乎是无所不在的，我们总是在追赶时间，又常常在抱怨时间不够用。

人工智能时代的真实与虚构作文英文回答：Artificial intelligence (AI) has become one of the most talked-about topics in recent years. With advancements in technology, AI has started to play a significant role in various aspects of our lives. However, there is a constant debate about the reality and fiction of the AI era.On one hand, the reality of the AI era is evident inits practical applications. AI has made significant progress in fields such as healthcare, finance, and transportation. For example, AI algorithms can analyze large amounts of medical data to assist doctors in diagnosing diseases more accurately. In finance, AI-powered systems can analyze market trends and make investment decisions with high accuracy. In the transportation sector, self-driving cars powered by AI technology are becoming a reality. These examples demonstrate that AI is not just a fictional concept but a tangible force that is transformingindustries.On the other hand, there are concerns about the potential negative consequences of AI. One of the main fears is the loss of jobs due to automation. As AI technology advances, many routine tasks can be performed by machines, leading to unemployment for certain job sectors. Another concern is the ethical implications of AI. For instance, there are debates about the use of AI in military applications and the potential for autonomous weapons. These concerns highlight the fiction aspect of the AI era, as they reflect the fears and uncertainties associated with the rapid development of AI.中文回答：人工智能（AI）已成为近年来最热门的话题之一。

What Is a Hybrid System?Jan LunzeInstitute of Automation and Computer ControlRuhr-University BochumUniversitätsstraße150D-44780Bochumphone:+492343224071http://www.ruhr-uni-bochum.de/atpAbstract.Hybrid systems have become a major research topic in Control Engineering and other disciplines.Many different models have been proposed for describing them.However, the question what a hybrid system is has remained a matter of debate.This paper argues that state jumps are the basic hybrid phenomenon that cannot be represented and analysed by methods elaborated either in continuous or in discrete systems theory.Hence,a system has to be considered as a hybrid system if both the continuous movement and the state jumps are important for the control task to be solved.1IntroductionDuring the last decade,hybrid dynamical systems have become a major research topic.The conference proceedings like(Alur et al.,1996,Antsaklis et al.,1999, Antsaklis et al.,1995,Antsaklis et al.,1997,Grossman et al.,1993,Lynch and Krogh,2000),the special journal issues(Antsaklis and Nerode,1998a,DEDS’98, 1998)and(Automatica35(3),1999)and this book describe the different research directions and results obtained.The hybrid nature of such systems has attracted the interest of mathematicians,control engineers and computer scientists.The methods applied and the results obtained are as diverse as the backgrounds of these researchers. No common definition of a hybrid system is available.A major argument in the hybrid system literature says that a given dynamical system should be considered a hybrid system if(and only if)it is impossible to deal with it either as a purely continuous–variable system or as a purely discrete–event system without ignoring important phenomena that result from the combination of continuous and discrete movements of this system.Here and in the rest of the paper, the terms continuous and discrete are used with respect to the range of the signals and not with respect to the time over which the signals are defined.This argument does not clarify what a hybrid system is.Most of the theoretical papers start with a given hybrid system and do not consider whether and why hybrid systems theory has to be applied to the system under investigation.Likewise,ap-plication papers use hybrid models and analysis tools but do not elaborate the main reasons why the system had to be dealt with as a hybrid system.Most of the chap-ters of this book adopt the same position and investigate different kinds of hybrid systems.S. Engell, G. Frehse, E. Schnieder (Eds.): Modelling, Analysis and Design of Hybrid Systems, LNCIS 279, pp. 3−14, 2002.Springer-Verlag Berlin Heidelberg 20024J.LunzeThis situation is due to the fact that the theories of continuous and discrete systems have been elaborated completely separately until recently.Hybrid systems pose the problem of bridging the gap between both theories.This has been done until now not only by considering a combination of continuous and discrete subsystems but also by investigating different extensions of either continuous or discrete systems.Timed or hybrid Petri Nets and timed automata generalise the untimed models that are typically used in discrete systems theory whereas switched systems extend continu-ous systems by discrete phenomena,to mention some example systems investigated in this book.From a theoretical point of view the definition of thefield of hybrid systems by a collection of different kinds of systems or models is not satisfactory.It is important to know why the new class of hybrid systems has to be defined,because this clarifies the novelty of dynamical phenomena to be investigated and the necessity of developing new concepts,methods and tools.This chapter gives an answer to the question of what a hybrid system is.It argues that a new notion should only be defined if the class of systems under investigation does not fall within the framework of the already existing theory.The characterisation of hybrid systems given here is in some contradiction with definitions used in literature.It should initiate a thorough discussion of this new notion.The problem of defining a hybrid system is rather involved because it is not the characteristics of a given dynamical system alone that distinguishes continuous from discrete and hybrid systems.For example,a tank system is usually considered to be continuous if a level controller is to be designed but it is tackled as a discrete system if it is analysed as a part of a batch process,in which only the discrete state of a full or an empty tank are distinguished.The intentions of modelling,analysis or control have a considerable influence on the fact whether a system has to be considered as a hybrid system or not.Hybrid dynamical systems have existed for long,but before the appearance of the currently developing theory on hybrid systems,these systems have either been considered as purely continuous or as purely discrete.The reason why they became a hot topic in research is given by the fact that many modern technological processes cannot be analysed and controlled by investigating only the continuous or only the discrete movements.As the theories of continuous or discrete systems have made contradictory basic assumptions,which have to be satisfied by the systems in order to make their representation in the framework of the respective theory possible, the consideration of both continuous and discrete phenomena makes it necessary to develop a new theory.Roughly speaking,if the main assumptions of both theories are not satisfied,a system has to be dealt with as a hybrid system.Definition1.A hybrid system is a dynamical system that cannot be represented and analysed with sufficient precision either by the methods of the continuous systems theory or by the methods of the discrete systems theory.What Is a Hybrid System?5 Remarks.Continuous systems theory assumes that the system under consideration can be described by some differential equation˙x=f(x(t),u(t),t),x(0)=x0(1) y(t)=g(x(t),u(t),t)(2) where x∈R n is the state vector,u∈R m the input vector and y∈R r the output vector.x0denotes the initial state.More generally,(1)can be replaced by a set of difference and algebraic equations,which then is called a differential–algebraic system(DAE system).The key assumption of continuous systems theory concerns the fact that the functions f and g satisfy a Lipschitz condition.With respect to the state x this smoothness assumption means for the function f that a constant L has to exist for which the inequalityf(x,u,t)−f(ˆx,u,t) ≤L· x−ˆx (3) holds for all x,ˆx,u and t,where · symbolises a vector norm.A similar condition should be satisfied with respect to u.Under this assumption,uniqueness and existence results can be derived for the solution of the differential equation(1).Furthermore, many analysis methods assume the property(3).Discrete systems theory considers systems whose signals have discrete range. That is,all signals are assumed to be binary–valued or have values from afinite or infinite discrete value set.Due to this assumption,the system jumps from one discrete state to another but the continuous movements of the system cannot be described. The abrupt state changes are called events.These basic assumptions of the continuous and discrete systems theories are,on the one hand,contradictory,but on the other hand complementary.A system can be either continuous or discrete,because it either moves Lipschitz–continuously from one real–valued state to another or it jumps among different discrete states.In many situations it is satisfactory to consider either the continuous movement or the discrete jumps of the system.2Hybrid PhenomenaHybrid phenomena are state transitions that cannot be represented or analysed by the methods developed in continuous or discrete systems theory.That is,these phe-nomena do not satisfy the Lipschitz condition(3)and cannot be represented as a sequence of discrete state values.Hence,neither a purely continuous nor a purely discrete representation is appropriate for the task at hand.Hypothesis1Consider a dynamical system subject to some continuous input u.The basic hybrid phenomenon is a combination of continuous state changes and abrupt state jumps.6J.LunzeRemarks.Figure 1shows a state trajectory x (t )of an autonomous first–order system which includes a state jump at time t k .The state jump is an autonomous jump which occurs after the state has reached a threshold x s .This trajectory cannot occur as the solution of models that are developed either in continuous or in discrete systems theory.On the one hand,the Lipschitz condition (3)is not satisfied for x =x s (and u =0)and,hence,the system cannot be dealt with by the methods of continuous systems theory.On the other hand,the continuous movement of the system cannot be represented by models with discrete–valued state,because such a model could only describe the discrete state jump between x (t k −0)=x s =3and x (t k +0)=1but not the system behaviour for time t =t k .12x s =3xk Fig.1.Hybrid trajectoryIn the literature on hybrid systems four phenomena are called hybrid (Branicky,1995),(Branicky,1996):autonomous and controlled jumps and autonomous and controlled switches.The following remarks show how these phenomena relate to Hypothesis 1.The discussion concentrates on the state evolution x (t ),but extensions to systems with outputs y (t )are mentioned later.Autonomous state jumps.The first situation concerns the fact that the state of a system may jump after it has reached a threshold x s or,more generally,the border ofa subset X of the continuous state space.Hence,the derivative ˙xexceeds all bounds but has the form of a Dirac impulse.A simple example is the first–order system˙x =−x (t )+δ(x (t )−x s ),x (0)=x 0(4)for which the functionf (x )=−x +δ(x −x s )violates the Lipschitz condition (3)for x =x s .If both the continuous movement between the jumps and the state jumps have to be considered when solving a given modelling,analysis or control task,the system has to be considered as hybrid.The jump occurs at time t k for which the conditionx (t k )=x s (5)is satisfied.As the jump has no duration,the time instances t k −0before the k -th jump and t k +0after the jump are often distinguished.The point here is that the timeWhat Is a Hybrid System?7 t k(or t k−0)is implicitly described by the system equation(4).It depends upon the movement of the system and,hence,upon the initial state x0.If the system trajectory is to be determined,the time t k has also to be determined.For the system(4)an explicit representation can be obtainedt k=−ln x sx0if|x0|>|x s|and x0x s>0,(6)but for higher–order linear systems and for most nonlinear systems,such an explicit formula cannot be found.State jumps occur in particular,if the dynamics of a DAE system change when the state reaches a hypersurface in the state space.Then the state vector may even change its length.Details about such systems are described in(Verghese et al.,1981). Controlled state jumps.The state of a system may change discontinuously if the continuous input reaches a given bound u s.Then the vectorfield f(x,u,t)violates the Lipschitz condition for u=u s.A simple example is thefirst–order system˙x=−x(t)+δ(u(t)−u s),x(0)=x0(7)whose state jumps if the input reaches the threshold u s.The occurrence time of the jump depends upon the input and,more generally,may also depend upon the state, as in the system˙x=−x(t)+δ(x(t)−u(t)−u s),x(0)=x0.(8)Like autonomous state jumps,controlled jumps occur if the combined vector(x u ) reaches a threshold(or a hyperplane).Contrary to autonomous jumps,controlled jumps can be forced or prevented to occur by appropriately choosing the input u.For example,for the control u(t)=x(t)the state of the system(8)never jumps.These controlled jumps have to be distinguished from jumps that occur due to input jumps or impulses.In systems theory,Dirac impulses are considered as a possible input to the system.Then a state jump occurs due to the infinite magnitude of the input which implies an infinite magnitude of the vectorfield f.Such jumps do not represent a hybrid phenomenon.Therefore,in Hypothesis1the input u has been restricted to be continuous.Then,state jumps are a result of the dynamical properties of the system.In summary,state jumps that are brought about by continuous input signals represent a hybrid phenomenon.Autonomous switching.An abrupt change of the vectorfield f if the state x reaches a given bound is called switching.Formally,the system can be represented by two or more different vectorfields f q together with conditions that describe the validity of these vectorfields,for example by˙x=f(x)(9)8J.Lunzewithf=f1(x)for h(x)≤0f2(x)for h(x)>0.(10)If the system is currently described by the vectorfield f1and the state reaches the border h(x)=0of the region of validity of this vectorfield,the vectorfield switches to f2which is valid until the border described by h(x)=0is reached from the other side.The notion of switching has been introduced in order to denote the fact that the system is governed by two(or more)different differential equations,which can be analysed separately by well known results from continuous systems theory but whose common analysis poses new problems.If the vectorfields are linear and the system is described by˙x=A1x for h(x)≤0˙x=A2x for h(x)>0,the separate analysis of the two models is very easy but the analysis of the system as a whole is difficult.It is known,for example,that the system may be unstable even if the two matrices A1and A2are stable.This consideration shows that the notion of switching has been introduced mainly due to the modelling phenomenon that the vectorfield f cannot be described by a unique analytical expression.This,however,does not imply that the system is hybrid in the sense defined above.A Lipschitz condition may be satisfied even if the vector field switches.If x s denotes a state on the border between the two regions of validity of the vectorfields f1and f2,the conditionf(x s)−f(ˆx) ≤L· x s−ˆx (11) can be satisfied for some constant L for allˆx and x s satisfying the relation h(x s)=0. Hence,switching does not imply state jumps and,therefore,does not describe a hybrid phenomenon.If the vectorfield f in(10)satisfies the condition(11),the system can be dealt with by continuous systems theory.If the Lipschitz condition is not satisfied,because for some state x s the relationlimε→0f1(x s−ε)=f2(x s)holds,the vectorfield includes some“step”and represents a piecewise continuous function.Then the trajectory x(t)is not differentiable but piecewise differentiable. Even in this case,the trajectory x(t)does not include any state jumps.The system is continuous although its analysis is more involved due to the properties of the vector field f.However,the system is not hybrid.This consequence is in contrast with the fact that switching systems are currently considered as an important subject of hybrid systems theory.At this point of the argument it should be stressed that Hypothesis1has been formulated with the aim to investigate the necessity of introducing the new notionWhat Is a Hybrid System?9of hybrid systems.It does not question the fact that switching systems pose a lot of unsolved theoretical problems,which even represent a focus of the current literature of systems theory.Controlled switching.The same arguments apply to systems with controlled swit-ching where the vectorfield also changes abruptly in response to an input command u.Here,the notion of switching is used for systems with piecewise constant input, where for a given time interval the input isfixed to some value¯u and,hence,thevectorfield isfixed tof(x,¯u)=¯f(x).This kind of switching is nothing else than a change in the vectorfield due to a given input.As the autonomous system can be analysed more easily than a system with(arbitrary)input,the system with piecewise constant input is considered as an autonomous system with switching dynamics,which does not imply that the system exhibits hybrid phenomena.Switched linear systems occur for this reason.If the input to the system˙x=A x(t)+B u(t)is piecewise constant and can assume only the discrete values u i(i=1,...,q),the system is governed by the affine differential equation˙x=A x(t)+B u i=A x(t)+b ias long as the input does not change.The system is considered as a switching system, although it is merely a linear system with piecewise constant input.Similarly to systems with autonomous switching,it is an interesting and useful way to analyse the vectorfield that drives the system between the switchings se-parately and to combine the results to get an analysis result for the overall system. However,from the viewpoint adopted here it becomes clear that this way of analysis does not make the system hybrid.Extension to systems with outputs.For systems where the output y is generated by some function g as described by(2)the considerations above have to be extended. Then,the Lipschitz condition has to be imposed on g as well.Depending on whether both f and g satisfy Lipschitz conditions or not,the system may have different kinds of state or output jumps.As shown in(Verghese et al.,1981),systems may have a continuous output y although the state x jumps.On the other hand,quantised systems(Lunze,2000)are systems with continuous state evolution but jumping output.Note also that the jumps considered here concern the state or the output of the system for continuous input.Output jumps may occur even if the function f and the input u remainfinite.An example for this is the linear system˙x=A x+B uy=C x+D u10J.Lunzewith D=O.This system simply transfers a jump in the input directly to the output. Hence,jumps of the output do not necessarily indicate a hybrid system behaviour. It has to be analysed whether the jumps originate from the input or from the system dynamics.Only in the latter case,the system is hybrid.3Representation of Hybrid Systems by Differential EquationsTime is continuously changing.Therefore,the most natural description of any dy-namical system includes signals that are defined over the real time axis R+.As the hybrid systems are considered here with a continuous time axis,the question ari-ses whether they can be described by differential equations.The answer is in the affirmative.Hypothesis2A hybrid dynamical system can be described by the differential equa-tion˙x=f(x,u,t)(12) where the function f includes a Lipschitz–continuous part˜f(x,u,t)and Dirac im-pulses:f(x,u,t)=˜f(x,u,t)+n xi=1f iδ(g i(x(t),u(t),t))(13)Remarks.A state jump occurs at time t k if the state derivative˙x includes a Dirac impulsef iδ(g i(x(t),u(t),t))=δ(t−t k).This impulse occurs whenever the state x and the input u reach at time t k the hyper-plane described by g i(x,u,t)=0.Note that the time t k is implicitly defined by the movement of the system,the input and the definition of the hyperplane.For example,the system˙x=−x(t)+δ(x(t)−x s),x(0)=x0(14) has a continuous trajectory until the state assumes the value x s at time t k.In this case the system jumps to the new statex(t k+0)=x(t k−0)+1.Hypothesis2and this example point to the fact that a hybrid system can be repre-sented by a differential equation and that the hybrid nature of a system does not imply that the system can only be described by a combination of differential equations andWhat Is a Hybrid System?11 automata,which is often argued in hybrid systems theory(cf.Sect.4).However, they also show that hybrid systems are nonlinear systems,whose vectorfields do not satisfy the smoothness assumption made in nonlinear systems theory.The exi-stence of Dirac impulses in the representation of the vectorfield is a consequence of Hypothesis1.It should be mentioned that the arbiter,which has been used in(Branicky,1995) (p.110)as an example system that cannot be represented by any differential equation, can be described by a differential equation of the form(13).The argument given in(Branicky,1995)is only true with respect to Lipschitz–continuous vectorfields.If the restriction concerning the continuity of the vectorfield is relaxed,a differential equation also exists for the arbiter.4Decomposition of Hybrid SystemsHybrid systems theory has tackled the question of which structure a hybrid system may be appropriately represented.Many authors use the decomposition of the hybrid system into a continuous and a discrete subsystem.This decomposition is reasonable, because this definition makes it possible to use,at least in part,the models and analysis methods that have been elaborated in the two corresponding theories(Fig.2).The continuous input u and the continuous output y are associated with the continuous–variable subsystem whereas the discrete–valued input v and output w concern the discrete–event subsystem.Both subsystems have to be connected through interfaces that transform continuous signals into discrete and vice versa.These interfaces are called quantiser and injector.Note that all signals represented in Fig.2by some arrow are defined over the continuous time axis.Fig.2.Decomposed hybrid systemDifferent models have been proposed in literature in order to satisfy two aims:•The model should be capable of describing dynamical systems that exhibit hybrid phenomena.•It should be possible to analyse the model by rigorous methods.12J.LunzeThese aims are contradictory.Whereas thefirst aim necessitates that the model shouldbe as general as possible,the second aim can be satisfied only if the model is as specificas possible.Whereas in(13)the continuous and the discrete movement of the state are descri-bed in a common model,the decomposition depicted in Fig.2describes the systemby two different mathematical models.As this decomposition should take advantageof the methods of discrete systems theory,untimed discrete-event models are oftenused.This,however,brings about a new theoretical difficulty which is to be explainedbelow.The discrete subsystem,like the continuous subsystem,changes its state over thecontinuous time t and can be described by a differential equation.The state z jumpsamong different state values if the vectorfield includes impulses like ˙z=δ(t−t k)˙z=δ(z−v).Thefirst equation describes a discrete system in which a state jump occurs after acertain time t k is elapsed.The second equation represents a system whose state jumpoccurs at the time instant at which the input v assumes the discrete value z.Such a description is called a timed model in discrete–event systems theory.Many models proposed in hybrid systems theory assume that the discrete model isuntimed.Typically,(untimed)automata or Petri Nets are used.The time at which astate transition occurs is given by the discrete input v which generally consists ofdiscrete control inputs to the system and of quantised continuous-variable signals(cf.Fig.2).The quantiser is used not only to determine the discrete value of the input v but also to determine the time t k at which the untimed model changes its state.In a more precise representation,the connection between the discrete-valued con-tinuous-time input v and output w of the discrete subsystem has to use two signals:One that describes the values v(t k)or w(t k)of the input and output signal and the second which describes the time instant t k at which the discrete subsystem changesits state(Fig.3).Two blocks have to be used as interfaces between discrete-valuedcontinuous-time and discrete-valued discrete-time signals.This distinction is oftenignored in the hybrid system literature.Fig.3.Quantisation with discrete signal and clock signalWhat Is a Hybrid System?13 The representation of a hybrid system as a composition of a continuous and a discrete subsystem has several advantages:•The representation shows the hybrid nature of the system explicitly.•The methods available for continuous and discrete systems can be applied to the separate subsystems(although the results obtained for the isolated subsystems are not valid for the overall hybrid system.)For example,automata theory can be applied to the discrete subsystems whereas results from continuous systems theory(controllability analysis,stability analysis etc.)can be applied to the continuous subsystem.However,the representation of a system in the form depicted in Fig.2does not imply that the system is hybrid.Switched linear systems may be represented in this form where the quantiser determines the region in which the state resides and the discrete subsystem switches to a new model“number”after the boundary of a region is reached.As the discussion above has shown,such a system can be represented as a nonlinear system with a piecewise continuous vectorfield.5ConclusionsHybrid systems has emerged as a newfield of research.To see the novelty of this field,it has to be precisely defined what a hybrid system is.Only with this definition it becomes clear which new questions have to be answered.This paper shows that state jumps within a continuous movement is the basic and probably the only hybrid phenomenon.Hence only those modelling,analysis and control tools that deal with this particular phenomenon are specific for hybrid systems.This arguments can be used to evaluate the growing number of papers entitled hybrid systems and to elaborate interesting research topics that bring forward the main ideas and intentions of hybrid systems.For example,analysis methods for switched linear systems are certainly an interesting research topic but from the view-point adopted in this chapter this class of systems does not exhibit the main problems encountered in hybrid systems.Likewise timed Petri Nets or timed automata are in-teresting extensions of classical discrete-event systems,but they should be combined in future research with continuous state or output variables to contribute to the main ideas of hybrid systems theory.This chapter concentrated on the question of what hybrid systems are.It did not concern the problem whether in a specific situation a hybrid system should be really tackled by the methods developed in hybrid systems theory.For example,methods for the discrete-event representation of quantised or hybrid systems surveyed in the chapter on“Discrete models for hybrid systems”concern the question of how the hybrid nature of the system can be neglected in order to simplify the analysis or control tasks.The resulting discrete-event model ignores the continuous movement of the system and,hence,cannot describe the hybrid system precisely.On the other hand,it may be interesting to analyse continuous systems by using methods developed14J.Lunzein hybrid systems.The example of switching systems,which can be represented by coupled discrete and continuous subsystems,has already been mentioned.Here,the application of a hybrid representation scheme should not be confused with the hybrid nature of the system under investigation.Finally,the question of how to decide from an input-output viewpoint whether a given system is hybrid,is still open.A continuity index has been proposed in(Lichten-berg and Kamau,2001)to distinguish continuous systems from hybrid systems.This method is,however,only thefirst step towards a thorough analysis of this important identification problem.。