Semantic Scholar...The Box Algebra = Petri Nets + Process Expressions Eike Best 1, Raymond...


Post on 03-Aug-2020


Page 1: Semantic Scholar...The Box Algebra = Petri Nets + Process Expressions Eike Best 1, Raymond Devillers 2 and Maciej Koutny 3 1 Fachb. Inf., Carl von Ossietzky Universität,

The Box Algebra = Petri Nets + Process Expressions

Eike Best¹, Raymond Devillers² and Maciej Koutny³

¹ Fachb. Inf., Carl von Ossietzky Universität, D-26111 Oldenburg, Germany
² Départ. d'Inform., Université Libre de Bruxelles, B-1050 Bruxelles, Belgium
³ Dept. of Comp. Sci., University of Newcastle, Newcastle upon Tyne NE1 7RU, U.K.

Abstract. The paper describes a Petri net as well as a structural operational semantics for an algebra of process expressions. It specifically addresses this problem for the box algebra, a model of concurrent computation which combines Petri nets and standard process algebras. The main result is that it is possible to obtain a framework where process expressions can be given two, entirely consistent, kinds of semantics: one based on Petri nets, the other on SOS rules. This consistency can also be extended to a partial order semantics.

Keywords: Net-based algebraic calculi; relationships between net theory and other approaches; process algebras; box algebra; SOS semantics.

1 Introduction

This paper is about combining two widely known and well studied theories of concurrency: process algebras [1, 16, 17, 20] and Petri nets [2, 21, 24]. Process algebras: (i) allow the study of connectives directly related to actual programming languages; (ii) are compositional by definition; (iii) come with a variety of logics facilitating reasoning about important properties of systems; and (iv) support a variety of algebraic laws. On the other hand, Petri nets: (v) sharply distinguish between states and activities (the latter being defined as changes of state); (vi) treat global states and global activities as derived from their basic local counterparts; (vii) have a graphical representation which is easy to grasp and has therefore some wide appeal for practitioners; and (viii) have useful links both to graph theory and to linear algebra.

The work presented in this paper (in itself a continuation and consolidation of, among others, [4, 5, 18]) does not subscribe to the ambition of trying to achieve a full combination of (i)-(viii) above - at least not immediately. However, it attempts to forge links between a fundamental but restricted class of Petri nets and a basic but again restricted process algebra. This paper will investigate the structural and behavioural aspects of these two basic models, and its main point is that there is, in fact, an extremely strong equivalence between them.

The box algebra is based on a set of process terms, called box expressions. Each box expression has associated two consistent kinds of semantics: a Petri net called a box (with its standard Petri net transition firing rule), and an operational semantics defined using SOS derivation rules [23]. A particular instance of the box algebra is the Petri Box Calculus (PBC) [3, 4, 11, 15] - a direct inspiration for the introduction of the box algebra. Note that the technique of associating Petri nets with process algebra expressions has also been studied for other models [9, 10, 13, 14, 22, 25].

The model we are going to describe is based on a set of operators, OpBox, which can be used to construct valid box expressions. For each operator $op \in OpBox$ there is an associated operator in the domain of boxes, op. This allows one to compositionally define, for every box expression $E = op(E_1, E_2, \ldots)$, a corresponding net, $box(E) = op(box(E_1), box(E_2), \ldots)$, where the application of op to an operand tuple $(box(E_1), box(E_2), \ldots)$ corresponds to net theoretic refinement. The set of PBC operators includes sequence (denoted by the semicolon), choice (denoted by ), and parallel composition (denoted by $\|$). However, the box algebra supports much richer a set of constructs because op can be chosen from a very large set of boxes.

The two semantical models of the box algebra have been studied and developed in, e.g., [3, 5, 18]. In particular, it has been shown there that the two semantics are equivalent in the sense of generating strongly equivalent behaviours (in bisimulation sense [20]). This paper extends the already published results in three directions. First, the previous results were only applicable to finite operators; i.e., it was assumed that $op(K_1, K_2, \ldots) = op(K_1, K_2, \ldots, K_n)$, for some $n$. In this paper, op can in general


take any number of arguments, in particular infinitely many. The interest in such general operators is motivated by a need to model operators like ${}_{i \in I} E_i$, i.e., a fully generalised choice operator of Milner's CCS [20], which in turn can be used to give formal semantics to a process algebra with value-passing. Second, we remove two restrictions previously imposed on nets representing operators and operands for reasons of behavioural integrity; but we also analyse the conditions under which such a step does not compromise the integrity of the model. The third extension concerns consistency between the net semantics and operational semantics. The interest here is in establishing as strong as possible semantical correspondence between the two models, thus allowing a direct transfer of behavioural properties from one framework to another. We strengthen the previous results by proving that they generate, for every process expression, not only bisimulation equivalent, but in fact isomorphic transition systems; thus providing arguably the strongest possible consistency result.

The paper is organised as follows. In the next section, we introduce various classes of Petri nets used throughout the paper. Section 3 defines net refinement, the basic device to compose nets. Sections 4 and 5 develop a variant of the structured operational semantics (SOS) for the class of composite nets defined through net refinement. Sections 6-8 present an algebra of process expressions based on the formalism developed in the preceding sections, and prove the above consistency result. Section 9 completes the comparative study of the net algebra and expression algebra, by extending the consistency results to a partial order semantics based on Mazurkiewicz traces.

The paper is a full version of the conference paper [6].

2 Preliminaries

Throughout the paper, we use the standard mathematical notation. In particular, $mult(Z)$ denotes the set of all finite multisets over a set $Z$, and $\uplus$ the disjoint set union. Other multiset-related notation are the sum ($+$) and difference ($-$).

Each operator on nets will be based on a special net op whose transitions $v_1, v_2, \ldots$ are refined by the corresponding nets $\Sigma_1, \Sigma_2, \ldots$ in the process of forming a new net $\Sigma = op(\Sigma_1, \Sigma_2, \ldots)$. To carry this out, we need to distinguish nets that are easily composable with one another. The chosen class of Petri nets, called boxes, have interfaces expressed by labellings of places and transitions. There are two main classes of boxes which we will be interested in, viz. plain boxes and operator boxes. Plain boxes ($\Sigma, \Sigma_1, \Sigma_2, \ldots$ above) form the class of elements of our Petri net domain upon which various operators are defined. Operator boxes (op above) are patterns (or functions) defining the ways of constructing new plain boxes out of given ones.

Actions and relabellings. We assume a set $Lab$ of actions to be given; each $a \in Lab$ represents some interface activity. A relabelling $\rho$ is a relation $\rho \subseteq mult(Lab) \times Lab$ such that $(\emptyset, a) \in \rho$ if and only if $\rho = \{(\emptyset, a)\}$. The intuition behind a pair $(\Gamma, a)$ belonging to $\rho$ is that it specifies some interface change which can be applied to a (finite) group of transitions whose labels match the argument, i.e., the multiset of actions $\Gamma$, and which are synchronised to yield a new transition labelled $a$.

A constant relabelling, $\rho_a = \{(\emptyset, a)\}$, where $a$ is an action in $Lab$, can be identified with $a$ itself, so that we may consider the set of actions $Lab$ to be embedded in the set of all relabellings. If a relabelling is not constant, then it will be called transformational; in that case, the empty set will not be in its domain, in order not to create an action out of nothing. The identity relabelling, $\rho_{id} = \{(\{a\}, a) \mid a \in Lab\}$ captures the `keep things as they are' (non)change.

Labelled nets. By a (marked) labelled net we will mean a tuple $\Sigma = (S, T, W, \lambda, M)$ such that: $S$ and $T$ are disjoint sets of respectively places and transitions; $W$ is a weight function from the set $(S \times T) \cup (T \times S)$ to the set of natural numbers $\mathbb{N}$; $\lambda$ is a labelling function for places and transitions such that $\lambda(s) \in \{e, i, x\}$, for every place $s \in S$, and $\lambda(t)$ is a relabelling $\rho$, for every transition $t \in T$; and $M$ is a marking, i.e., a mapping assigning a natural number to each place $s \in S$.¹ We adopt the standard rules about representing nets as directed graphs. To avoid ambiguity, we will sometimes decorate the various components of $\Sigma$ with the index $\Sigma$; thus, $T_\Sigma$ denotes the set of transitions of $\Sigma$, etc. A net is finite if both $S$ and $T$ are finite sets. Figure 1 shows the graph of a labelled net $\Sigma_0$.

¹ Sometimes we will treat $M$ as a multiset or as a set, if $M(S) \subseteq \{0, 1\}$.


[Figure 1. A labelled net and its reachability graph.]

If the labelling of a place $s$ is $e$, $i$ or $x$, then $s$ is an entry, internal or exit place, respectively. By convention, ${}^{\circ}\Sigma$, $\Sigma^{\circ}$ and $\ddot{\Sigma}$ denote respectively the entry, exit and internal places of $\Sigma$. For every place (transition) $x$, we use ${}^{\bullet}x$ to denote its pre-set, i.e., the set of all transitions (places) $y$ such that there is an arc from $y$ to $x$, that is, $W(y, x) > 0$. The post-set $x^{\bullet}$ is defined in a similar way. The pre- and post-set notation extends in the usual way to sets $R$ of places and transitions, e.g., ${}^{\bullet}R = \bigcup_{r \in R} {}^{\bullet}r$. In what follows, all nets are assumed to be T-restricted, i.e., the pre- and post-sets of each transition are nonempty. $\Sigma$ is called simple if $W$ always returns 0 or 1, and pure if for all transitions $t \in T$, ${}^{\bullet}t \cap t^{\bullet} = \emptyset$. For the labelled net of figure 1 we have ${}^{\circ}\Sigma_0 = \{s_0, s_3\}$, $\Sigma_0^{\circ} = \{s_2\}$, $\ddot{\Sigma}_0 = \{s_1\}$, ${}^{\bullet}s_0 = \emptyset$ and $\{s_0, s_1\}^{\bullet} = \{t_0, t_1\}$. This net is finite and simple, but not pure as $s_3 \in {}^{\bullet}t_2 \cap t_2^{\bullet}$.

We will use three explicit ways of modifying the marking of $\Sigma$. We define $\lfloor\Sigma\rfloor$ as $(S, T, W, \lambda, \emptyset)$ which amounts to erasing all the tokens. Moreover, $\overline{\Sigma}$ and $\underline{\Sigma}$ are, respectively, $(S, T, W, \lambda, {}^{\circ}\Sigma)$ and $(S, T, W, \lambda, \Sigma^{\circ})$. These operations correspond to placing one token on each entry (resp. exit) place and nothing elsewhere, forming the entry marking (resp. the exit marking) of $\Sigma$.

Execution semantics. The behaviour of $\Sigma$ is defined by its finite step sequence semantics: a finite multiset of transitions $U$, called a step, is enabled by $\Sigma$ if for every place $s \in S$,

$$M(s) \ge \sum_{t \in U} \big(U(t) \cdot W(s, t)\big).$$

We denote this by $M\,[U\rangle$ or $\Sigma\,[U\rangle$. An enabled step $U$ can be executed leading to a follower marking $M'$ defined, for every $s \in S$, by

$$M'(s) = M(s) + \sum_{t \in U} \big(U(t) \cdot (W(t, s) - W(s, t))\big).$$

We will denote this by $M\,[U\rangle\,M'$ or $\Sigma\,[U\rangle\,\Sigma'$, where $\Sigma' = (S, T, W, \lambda, M')$. For $\Sigma_0$ in figure 1, $\{t_0, t_2\}$ is an enabled step. After its execution, $\{t_1\}$ is enabled and, hence, $\{t_0, t_2\}\{t_1\}$ is a step sequence of $\Sigma_0$.

Transition labelling may be extended to steps, through the formula

$$\lambda(U) = \sum_{t \in U} U(t) \cdot \{\lambda(t)\} \in mult(Lab).$$

In particular, we will denote $\Sigma\,[\Gamma\rangle_{lab}\,\Theta$ whenever there is a multiset of transitions $U$ such that $\Sigma\,[U\rangle\,\Theta$ and $\Gamma = \lambda(U)$. This allows one to translate various behavioural notions defined in terms of multisets of transitions into notions based on multisets of transition labels (or labelled steps).

A step sequence of $\Sigma$ is a possibly empty sequence of steps, $\omega = U_1 \ldots U_k$, such that there are nets $\Sigma_1, \ldots, \Sigma_k$ satisfying $\Sigma\,[U_1\rangle\,\Sigma_1\,[U_2\rangle \cdots [U_k\rangle\,\Sigma_k$. We will denote this by $\Sigma\,[\omega\rangle\,\Sigma_k$ or $\Sigma_k \in [\Sigma\rangle$, and call $\Sigma_k$ derivable from $\Sigma$ and its marking, $M_{\Sigma_k}$, reachable from $M_\Sigma$.

A marking $M$ is safe if $M(S) \subseteq \{0, 1\}$. A marking is clean if it is not a proper super-multiset of ${}^{\circ}\Sigma$ nor $\Sigma^{\circ}$, i.e., if ${}^{\circ}\Sigma \subseteq M$ or $\Sigma^{\circ} \subseteq M$ implies ${}^{\circ}\Sigma = M$ or $\Sigma^{\circ} = M$, respectively. The marking of the net in figure 1 is both safe and clean. A labelled net $\Sigma$ is: ex-restricted if ${}^{\circ}\Sigma \ne \emptyset \ne \Sigma^{\circ}$; e-directed if ${}^{\bullet}({}^{\circ}\Sigma) = \emptyset$; x-directed if $(\Sigma^{\circ})^{\bullet} = \emptyset$; and ex-directed if it is both e-directed and x-directed. $\Sigma$ is ex-exclusive if, for every marking $M$ reachable from $M_\Sigma$ or ${}^{\circ}\Sigma$ or $\Sigma^{\circ}$, it is the case that $M \cap {}^{\circ}\Sigma = \emptyset$ or $M \cap \Sigma^{\circ} = \emptyset$.
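The enabling rule, the follower-marking formula and the safe/clean conditions above, run on the net of figure 1, as an added example that is not part of the paper. The arcs of the net (t0 from s0 to s1, t1 from s1 to s2, t2 a side loop on s3) and its initial marking {s0, s3} are assumptions inferred from the properties the text states for figure 1; all Python names are this example's own.

```python
from collections import Counter

class LabelledNet:
    """Labelled net (S, T, W, lambda, M); arcs missing from W have weight 0."""
    def __init__(self, places, W):
        self.places = places                      # place -> 'e' | 'i' | 'x'
        self.W = W                                # (x, y) -> arc weight
        self.T = sorted({x for arc in W for x in arc if x not in places})

    def w(self, x, y):
        return self.W.get((x, y), 0)

    def entry(self):                              # entry marking: one token per e-place
        return Counter(s for s, l in self.places.items() if l == "e")

    def exit(self):                               # exit marking: one token per x-place
        return Counter(s for s, l in self.places.items() if l == "x")

    def enabled(self, M, U):
        """M(s) >= sum_{t in U} U(t) * W(s, t) for every place s."""
        return all(M[s] >= sum(n * self.w(s, t) for t, n in U.items())
                   for s in self.places)

    def fire(self, M, U):
        """M'(s) = M(s) + sum_{t in U} U(t) * (W(t, s) - W(s, t))."""
        M2 = Counter()
        for s in self.places:
            k = M[s] + sum(n * (self.w(t, s) - self.w(s, t)) for t, n in U.items())
            if k:
                M2[s] = k
        return M2

    def enabled_steps(self, M):
        """All non-empty multisets of transitions enabled at M.
        Terminates on finite T-restricted nets: every transition needs a token."""
        found, frontier = set(), [()]
        while frontier:
            U = frontier.pop()
            for t in self.T:
                V = tuple(sorted(U + (t,)))
                if V not in found and self.enabled(M, Counter(V)):
                    found.add(V)
                    frontier.append(V)
        return found

    def is_pure(self):
        return not any(self.w(s, t) and self.w(t, s)
                       for s in self.places for t in self.T)

def key(M):
    return tuple(sorted(M.elements()))

def is_safe(M):
    return all(n <= 1 for n in M.values())

def is_clean(net, M):
    """M is not a proper super-multiset of the entry places nor of the exit places."""
    for X in (net.entry(), net.exit()):
        if all(M[s] >= n for s, n in X.items()) and key(M) != key(X):
            return False
    return True

def reachability_graph(net, M0):
    states, arcs, todo = {key(M0): M0}, [], [M0]
    while todo:
        M = todo.pop()
        for U in net.enabled_steps(M):
            M2 = net.fire(M, Counter(U))
            arcs.append((key(M), U, key(M2)))
            if key(M2) not in states:
                states[key(M2)] = M2
                todo.append(M2)
    return states, arcs

# Constructed from the text's description of figure 1 (assumed arc structure).
SIGMA0 = LabelledNet(
    {"s0": "e", "s1": "i", "s2": "x", "s3": "e"},
    {("s0", "t0"): 1, ("t0", "s1"): 1, ("s1", "t1"): 1, ("t1", "s2"): 1,
     ("s3", "t2"): 1, ("t2", "s3"): 1},
)
M0 = SIGMA0.entry()

if __name__ == "__main__":
    states, arcs = reachability_graph(SIGMA0, M0)
    for src, U, dst in sorted(arcs):
        print(src, set(U), dst)
    print("unclean:", [k for k, M in states.items() if not is_clean(SIGMA0, M)])
```
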


Let $ind_\Sigma$ be the symmetric, not necessarily transitive, relation on the transitions of $\Sigma$, defined by

$$ind_\Sigma = \big\{ (t, u) \in T \times T \;\big|\; ({}^{\bullet}t \cup t^{\bullet}) \cap ({}^{\bullet}u \cup u^{\bullet}) = \emptyset \big\}.$$

It is called the independence relation, because two distinct transitions belonging to $ind_\Sigma$ have no impact on their respective environments. If they are both enabled separately, then they are enabled simultaneously (as a step). Conversely, if $\Sigma$ is safe (which will later be our exclusive case of interest), it can be shown that any two transitions occurring in the same step are independent. Notice that T-restrictedness implies the irreflexivity of the independence relation, i.e., $ind_\Sigma \cap id_{T_\Sigma} = \emptyset$, since for every $t \in T$, $(t, t) \notin ind_\Sigma$. T-restrictedness also implies that the emptiness (non-emptiness) of markings is preserved over transition steps. Later, when we say that a net is `marked', this will mean that its marking is nonempty.

Behavioural equivalence. Although the whole set of step sequences of a net may be specified by defining the full reachability graph (see figure 1), we do not find it a satisfactory representation in the presence of labellings. For example, figure 2 demonstrates that isomorphism (and, indeed, other reasonable notions of behavioural equivalence) of reachability graphs is not preserved by sequential composition of nets. This is due to the fact that it is necessary to distinguish the entry and exit markings when comparing the behaviour of nets which are subsequently composed. Instead of modifying the definition of isomorphism, we address this problem by adding to $\Sigma$ (artificially, and only for the purpose of defining the reachability graph) two fresh transitions, skip and redo, so that ${}^{\bullet}skip = redo^{\bullet} = {}^{\circ}\Sigma$, $skip^{\bullet} = {}^{\bullet}redo = \Sigma^{\circ}$, $\lambda(skip) = skip$ and $\lambda(redo) = redo$. Moreover, all the arcs adjacent to the skip and redo transitions are unitary and $redo, skip \notin Lab$. Denote the net $\Sigma$ augmented with skip and redo by $\Sigma_{sr}$.

The transition system of a marked net $\Sigma$ is defined as $ts_\Sigma = (V, L, A, v_0)$ where $V = \{\Theta \mid skip, redo \notin T_\Theta \wedge \Theta_{sr} \in [\Sigma_{sr}\rangle\}$ is the set of states, $v_0 = \Sigma$ is the initial state, $L = mult(Lab \cup \{redo, skip\})$ is the set of arc labels, and $A = \{(\Theta, \Gamma, \ ) \in V \times L \times V \mid \Theta_{sr}\,[\Gamma\rangle_{lab}\ {}_{sr}\}$ is the set of arcs. In other words, $ts_\Sigma$ is the labelled full reachability graph of $\Sigma_{sr}$ with all references to skip and redo in the nodes of the graph (but not in the arc labels) erased. The transition system of an unmarked net $\Sigma$ is defined as $ts_\Sigma = ts_{\overline{\Sigma}}$.

Figure 2 shows that adding skip and redo does solve the problem; although the nets $\Sigma$ and $\Theta$ have isomorphic reachability graphs, their ts's are different. This is not a mere chance; ts-isomorphism is a congruence in the algebra of nets described in this paper.

2.1 Two base classes of labelled nets

Plain boxes. A box is a (possibly infinite) ex-restricted labelled net $\Sigma$. Ex-restrictedness is important since without it, composing boxes would yield undesired results [7, 8].

A box is, by definition, plain if each transition $t \in T_\Sigma$ is labelled by a constant relabelling, i.e., $\lambda_\Sigma(t) \in Lab$. A plain box $\Sigma$ is static if $M_\Sigma = \emptyset$ and every marking reachable from ${}^{\circ}\Sigma$ or $\Sigma^{\circ}$ is safe and clean. A plain box $\Sigma$ is dynamic if $M_\Sigma \ne \emptyset$ and every marking reachable from $M_\Sigma$ or ${}^{\circ}\Sigma$ or $\Sigma^{\circ}$ is safe and clean. A dynamic box $\Sigma$ is an entry (exit) box if $M_\Sigma = {}^{\circ}\Sigma$ (resp. $M_\Sigma = \Sigma^{\circ}$). Note that the labelled net $\Sigma_0$ in figure 1 is not a box since it has a reachable marking, $M = \{s_2, s_3\}$, which is not clean. The sets of plain entry, dynamic, exit and static boxes will, respectively, be denoted by $Box^e$, $Box^d$, $Box^x$, and $Box^s$.

Proposition 2.1. Let $\Sigma$ be a dynamic box and $U$ be a step enabled by $\Sigma$.
(1) Every labelled net derivable from $\Sigma$ is a dynamic box.
(2) $U$ is a set of mutually independent transitions: $U \times U \subseteq ind_\Sigma \cup id_{T_\Sigma}$.
(3) All the arcs adjacent to the transitions in $U$ are unitary: $W_\Sigma(U \times S_\Sigma) \cup W_\Sigma(S_\Sigma \times U) \subseteq \{0, 1\}$.

Proof: (1) Suppose that $\Theta$ is derivable from a dynamic box $\Sigma$. $\Theta$ is marked since $\Sigma$ is T-restricted. Clearly, all the markings reachable from $M_\Theta$ and ${}^{\circ}\Theta$ and $\Theta^{\circ}$ are safe and clean since those reachable from $M_\Sigma$ and ${}^{\circ}\Sigma$ and $\Sigma^{\circ}$ are safe and clean and ${}^{\circ}\Theta = {}^{\circ}\Sigma$ and $\Theta^{\circ} = \Sigma^{\circ}$. Hence $\Theta$ is a dynamic box.
(2,3) Follow directly from the safeness of the markings before and after the execution of step $U$. □


[Figure 2. Five nets and the corresponding (labelled) full reachability graphs demonstrating that isomorphism of reachability graphs is not preserved by sequential composition; the two discriminating ts's for $\Sigma$ and $\Theta$ are also shown.]


Operator boxes. An operator box is a simple box with all relabellings being transformational such that $M = \emptyset$ and all the markings reachable from � or � are safe and clean. But we still need to impose on one more property, called factorisability [18], defined next.

As the transitions of are meant to be refined by potentially complicated boxes, it is justified to consider that their execution may take long time or, indeed, may last indefinitely. This may be captured by a special kind of extended markings.

A complex marking of is a pair $\mathcal{M} = (M, Q)$ composed of a normal marking $M$ of (i.e., a possibly infinite multiset of places) and a finite multiset $Q$ of engaged transitions of .² The direct reachability between two complex markings, $\mathcal{M} = (M, Q)$ and $\mathcal{M}' = (M', Q')$, is defined thus. We have $\mathcal{M}\,[U + V^{+} + Z^{-}\rangle\,\mathcal{M}'$ if there are finite multisets of transitions $U$, $V$ and $Z$ such that $Z \subseteq Q$, $Q' = Q + V - Z$ and for every $s \in S$, $M(s) \ge m_s$ and $M'(s) = M(s) - m_s + m'_s$, where

$$m_s = \sum_{t \in U + V} W(s, t) \cdot (U(t) + V(t)), \qquad m'_s = \sum_{t \in U + Z} W(t, s) \cdot (U(t) + Z(t)).$$

A tuple of sets of transitions of , $\mu = (\mu_e, \mu_d, \mu_x, \mu_s)$ is a factorisation of a complex safe³ marking $(M, Q)$ if $\mu_d = Q$ and

$$M = \Big(\bigcup_{v \in \mu_e} {}^{\bullet}v\Big) \uplus \Big(\bigcup_{v \in \mu_x} v^{\bullet}\Big)$$

and $\mu_s = T \setminus (\mu_e \cup \mu_d \cup \mu_x)$. itself will be called factorisable if for every safe complex marking of reachable from � or �, there is at least one factorisation. We will denote by fact the set of all the factorisations of all the complex markings of reachable from � or �, and including also the only factorisation $(\emptyset, \emptyset, \emptyset, T)$ of the empty marking.

Factorisability is absolutely necessary for the consistency results that will be obtained in this paper. In [5, 18] we show counterexamples when an operator box is only assumed to be simple, safe and clean, but not factorisable. Fortunately, but of course not coincidentally, all the standard process algebraic constructs such as prefix, sequence, choice (of various sorts), parallel composition (of various kinds), restriction, etc, can all be translated into (factorisable) operator boxes [5, 7].

Properties of factorisations. A factorisation of a reachable marking $(M, Q)$ is essentially a way of representing its real part, $M$, as the disjoint union of the pre-sets of a set of transitions, $\mu_e$, and the post-sets of another set of transitions, $\mu_x$. Intuitively, $\mu_e$ are transitions which can be concurrently executed at $(M, Q)$, and $\mu_x$ are (possibly) transitions which have just been concurrently executed. However, such an interpretation may be somewhat misleading since, besides the fact that $\mu_e$ and $\mu_x$ may be infinite, it may happen that although $(M, Q)$ is a reachable marking and $v \in \mu_x$, neither $(M \setminus v^{\bullet}, Q \cup \{v\})$ nor $((M \setminus v^{\bullet}) \cup {}^{\bullet}v, Q)$ are reachable from the entry or exit marking of ; it may even happen that $v$ is a dead transition, whose sole role is to ensure the factorisability of .

[Figure 3. An operator box with a dead transition.]

² A standard marking $M$ may then be identified with the complex marking $(M, \emptyset)$.
³ I.e., both $M$ and $Q$ are sets.


This is illustrated in figure 3 where the operator is factorisable but the transition $v_2$ is dead from the entry and exit markings. Yet if we dropped this dead (hence supposedly useless) transition, the operator would become unfactorisable since after the occurrences of $v_1$ and $v_3$, leading to the marking $(\{i, x\}, \emptyset)$, the internal place $i$ could no longer be factored out. Notice that, contrary to what we have said about $\mu_x$, if $v \in \mu_e$ then both $(M \setminus {}^{\bullet}v, Q \cup \{v\})$ and $((M \setminus {}^{\bullet}v) \cup v^{\bullet}, Q)$ are reachable from the entry or exit marking of .

In what follows, we will need several basic properties of factorisations which, for ease of reference, are gathered in the proposition below. In what follows, we will call a transition $v$ of an operator box reversible if, for every complex marking $(M, Q)$ reachable from � or �, $v^{\bullet} \subseteq M$ implies that $(M \setminus v^{\bullet}, Q \cup \{v\})$ is also a marking reachable from � or �. In figure 3, $v_1$ and $v_3$ are both reversible, while $v_2$ is not.

Proposition 2.2. Let be an operator box, $\mu \in$ fact be a factorisation of a safe complex marking $(M, Q)$ reachable from � or �, and $T_{rev}$ be the set of all reversible transitions of .
(1) $\mu_e$, $\mu_d$, $\mu_x$ and $\mu_s$ are disjoint sets of transitions, and $\mu_d$ is finite.
(2) For every finite $U \subseteq T$ and every finite $Z \subseteq T_{rev}$ such that $\big(\bigcup_{v \in U} {}^{\bullet}v\big) \uplus \big(\bigcup_{v \in Z} v^{\bullet}\big) \subseteq M$, it is the case that $(M \setminus ({}^{\bullet}U \cup Z^{\bullet}), Q \uplus U \uplus Z)$ is a marking reachable from � or �. Moreover, both $(M \cup {}^{\bullet}Q, \emptyset)$ and $(M \cup Q^{\bullet}, \emptyset)$ are markings reachable from � or �.
(3) For every $V \subseteq \mu_d$, every finite $U \subseteq \mu_e$, and every finite $Z \subseteq \mu_x \cap T_{rev}$, the following are factorisations in fact: $(\mu_e \setminus U, \mu_d \cup U, \mu_x, \mu_s)$, $(\mu_e \cup V, \mu_d \setminus V, \mu_x, \mu_s)$, $(\mu_e, \mu_d \setminus V, \mu_x \cup V, \mu_s)$ and $(\mu_e, \mu_d \cup Z, \mu_x \setminus Z, \mu_s)$.
(4) The transitions of $\mu_e \cup \mu_d \cup (\mu_x \cap T_{rev})$ are mutually independent, and the transitions in $\mu_x$ are such that $\mu_x^{\bullet} \cap ({}^{\bullet}\mu_e \cup \mu_e^{\bullet}) = \mu_x^{\bullet} \cap ({}^{\bullet}\mu_d \cup \mu_d^{\bullet}) = (\mu_x \setminus T_{rev})^{\bullet} \cap \big({}^{\bullet}(\mu_x \cap T_{rev}) \cup (\mu_x \cap T_{rev})^{\bullet}\big) = \emptyset$ and $v^{\bullet} \cap w^{\bullet} = \emptyset$, for all distinct $v, w \in \mu_x$.
(5) If � $\subseteq M$ or � $\subseteq M$ then $\mu_d = \emptyset$ and $M =$ � or $M =$ �, respectively.

Proof: The various parts of this proposition follow directly from the definition of a factorisation of a complex marking, and the safeness and cleanness of . □

Domain of application. Let $\boldsymbol{\Sigma} : T \to Box^s \cup Box^d$ be a function from the transitions of to static and dynamic boxes. We will refer to $\boldsymbol{\Sigma}$ as an -tuple and denote $\boldsymbol{\Sigma}(v)$ by $\Sigma_v$, for every $v \in T$. For a set of transitions $V \subseteq T$, $\Sigma_V = \{\Sigma_v \mid v \in V\}$. If the set of transitions of is finite, we assume that $T = \{v_1, \ldots, v_n\}$ and then denote $\boldsymbol{\Sigma} = (\Sigma_{v_1}, \ldots, \Sigma_{v_n})$. We extend the notion of factorisation to an -tuple $\boldsymbol{\Sigma}$ of static and dynamic boxes; the factorisation of $\boldsymbol{\Sigma}$ is the quadruple $\mu = (\mu_e, \mu_d, \mu_x, \mu_s)$ such that $\mu_\delta = \{v \mid \Sigma_v \in Box^\delta\}$ for $\delta \in \{e, x, s\}$, and $\mu_d = \{v \mid \Sigma_v \in Box^d \setminus (Box^e \cup Box^x)\}$.

The domain of application of , denoted by dom, is then defined as the set comprising every -tuple of static and dynamic boxes $\boldsymbol{\Sigma}$ whose factorisation belongs to fact, and such that, for every $v \in T$:
- If ${}^{\bullet}v \cap v^{\bullet} \ne \emptyset$ then $\Sigma_v$ is ex-exclusive. (Dom1)
- If $v$ is not reversible then $\Sigma_v$ is x-directed. (Dom2)

(Dom1) is meant to prevent the non-safeness of refinements in which a box is refined into a transition with a side place. This refers to expressions such as $(\alpha \| \beta)^{*}$, which informally means: `repeat the concurrent execution of $\alpha$ and $\beta$ arbitrarily many times'. A naive attempt to translate this expression into a net gives a 2-safe, but not 1-safe net. The other condition, (Dom2), is related to the possible presence of dead transitions in an operator box. Referring again to the operator box in figure 3, we may observe that if we were allowed to refine the transition $v_2$ with a non-x-directed box $\Sigma_{v_2}$, then some behaviours originating from $\Sigma_{v_2}$ could be possible from the entry marking of the refined net, while no behaviour beginning at the entry nor exit marking of the operator box can possibly involve $v_2$. It is therefore justifiable to insist that $\Sigma_{v_2}$ be x-directed⁴ in this case.

⁴ We could have required that no transition be enabled at $\Sigma_{v_2}^{\circ}$, but x-directedness is a simple structural sufficient condition for this.


In the previously published work on the box algebra, it was assumed that all boxes are ex-directed and, in addition, that operator boxes are both finite (though this restriction was dropped in [12]) and pure. Then (Dom1) and (Dom2) are trivially satisfied. Making such assumptions resulted in a simplification of the formal treatment and proofs. The present framework is more difficult to handle, but at the same time it is much more expressive with obvious implications for the practical applicability of the box algebra.

3 Net Refinement

Net refinement embodies a mechanism by which transition refinement and interface change specified by relabellings are combined. Both operations are defined for an operator box which serves as a pattern for gluing together a tuple of plain boxes $\boldsymbol{\Sigma}$ along their entry and exit interfaces. The relabellings annotating the transitions of specify the interface changes to which the boxes in $\boldsymbol{\Sigma}$ are subjected.

As far as net refinement as such is concerned, the names (identities) of newly constructed transitions and places are basically irrelevant. However, in our dealing with partial order semantics of process expressions, it will be important that such naming is done systematically (cf. section 9). Also, the names play a crucial role when recursion is treated (see [7, 8]). We found it convenient to use trees as names. Moreover, if using such explicit names is not agreeable with the reader, one might rather think of these trees as simply an additional injective labelling for places and transitions of a labelled net (whose nodes are then defined up to isomorphism).

Place and transition trees. We shall assume that there are two disjoint infinite sets of basic place and transition names, $P_{root}$ and $T_{root}$. Each name $\eta \in P_{root} \cup T_{root}$ can be viewed as a special tree with a single root labelled with $\eta$ which is also a leaf. We shall also employ more complex trees as transition and place names, and use a linear notation to express such trees. To this end, an expression $x \lhd S$, where $x$ is a basic name in $P_{root} \cup T_{root}$ or a pair $(t, a) \in T_{root} \times Lab$, and $S$ is a multiset of trees, denotes a tree where the trees of the multiset are appended (with their multiplicity) to an $x$-labelled root. Moreover, if $S = \{p\}$ is a singleton then $x \lhd S$ will be denoted by $x \lhd p$, and if $S$ is empty then $x \lhd S = x$.

We shall further assume that in every operator box, all the places and transitions are basic names (i.e., single root trees) from respectively $P_{root}$ and $T_{root}$. For the plain boxes, the trees used as names may be more complex. Each transition tree is a finite tree labelled with elements of $T_{root}$ (at the leaves) and $T_{root} \times Lab$ (elsewhere), and each place tree is a possibly infinite (in depth and width) tree labelled with basic names from $P_{root}$ and $T_{root}$, which has the form $t_1 \lhd t_2 \lhd \ldots \lhd t_n \lhd s \lhd S$, where $t_1, \ldots, t_n \in T_{root}$ ($n \ge 0$) are transition names and $s \in P_{root}$ is a place name (so that no confusion will be possible between transition-trees and place-trees: the latter always have a label from $P_{root}$ and the former never). We comprise all these trees (including the basic ones consisting only of a root as special cases) in our sets of allowed transition and place names, denoted respectively by $P_{tree}$ and $T_{tree}$.

Formal definition. Let be an operator box, and $\boldsymbol{\Sigma} \in$ dom be an -tuple of static and dynamic boxes in its domain of application. The result of a simultaneous substitution of boxes $\boldsymbol{\Sigma}$ for the transitions in is a labelled net $(\boldsymbol{\Sigma})$ whose components are defined below. The definition is illustrated in figure 4.

Places. The set of places of $(\boldsymbol{\Sigma})$ is defined as the (disjoint) union

$$S_{(\boldsymbol{\Sigma})} = \bigcup_{v \in T} ST^{v}_{new} \cup \bigcup_{s \in S} SP^{s}_{new} = \bigcup_{v \in T} \big\{ v \lhd i \;\big|\; i \in \ddot{\Sigma}_v \big\} \cup \bigcup_{s \in S} \big\{ s \lhd \big(\{v \lhd x_v\}_{v \in {}^{\bullet}s} + \{w \lhd e_w\}_{w \in s^{\bullet}}\big) \;\big|\; x_v \in \Sigma_v^{\circ} \wedge e_w \in {}^{\circ}\Sigma_w \big\}.$$

If $s$ is an isolated place, ${}^{\bullet}s = s^{\bullet} = \emptyset$, then, by the definition of the tree appending operation, $SP^{s}_{new} = \{s\}$. Notice that the multiset of trees in the definition of a place

$$p = s \lhd \big(\{v \lhd x_v\}_{v \in {}^{\bullet}s} + \{w \lhd e_w\}_{w \in s^{\bullet}}\big) \in SP^{s}_{new} \qquad (1)$$

is in fact a set, possibly infinite, because even in case there is a side-loop between $s$ and $v = w$, then $x_v \ne e_w$ since $x_v$ is an exit place and $e_w$ is an entry place of $\Sigma_v$. The following notation is useful in manipulating the tree names upon which a newly constructed place is based.


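Let $y$ be a transition in . Then for $p = v \lhd i$ in $ST^{v}_{new}$, we define $trees^{y}(p) = \{i\}$ if $v = y$, and $trees^{y}(p) = \emptyset$ if $v \ne y$; moreover, for $p \in SP^{s}_{new}$ as in (1), we define

$$trees^{y}(p) = \begin{cases} \{x_y, e_y\} & \text{if } y \in {}^{\bullet}s \cap s^{\bullet} \\ \{x_y\} & \text{if } y \in {}^{\bullet}s \setminus s^{\bullet} \\ \{e_y\} & \text{if } y \in s^{\bullet} \setminus {}^{\bullet}s \\ \emptyset & \text{otherwise.} \end{cases}$$

For example, in figure 4, $trees^{v_1}(s_3 \lhd \{v_1 \lhd q_{13}, v_3 \lhd q_{31}\}) = \{q_{13}, q_{31}\}$ and $trees^{v_2}(p_7) = \emptyset$.

Marking. The marking of a place $p$ in $(\boldsymbol{\Sigma})$ is defined in the following way:

$$M_{(\boldsymbol{\Sigma})}(p) = \begin{cases} M_{\Sigma_v}(i) & \text{if } p = v \lhd i \in ST^{v}_{new} \\ \sum_{v \in {}^{\bullet}s} M_{\Sigma_v}(x_v) + \sum_{w \in s^{\bullet}} M_{\Sigma_w}(e_w) & \text{if } p \in SP^{s}_{new} \text{ is as in (1).} \end{cases} \qquad (2)$$

Notice that if $s \in S$ is an isolated place then $SP^{s}_{new} = \emptyset$ and $M_{(\boldsymbol{\Sigma})}(s) = 0$. Moreover, $M_{(\boldsymbol{\Sigma})}(p)$ is a well defined natural number due to proposition 2.2(4).⁵

Transitions. The set of transitions of $(\boldsymbol{\Sigma})$ is defined as the (disjoint) union

$$T_{(\boldsymbol{\Sigma})} = \bigcup_{v \in T} T^{v}_{new} = \bigcup_{v \in T} \big\{ (v, \alpha) \lhd R \;\big|\; R \in mult(T_{\Sigma_v}) \wedge \big(\lambda_{\Sigma_v}(R), \alpha\big) \in \lambda(v) \big\}.$$

Notice that the multiset $R$ in $(v, \alpha) \lhd R$ will never be empty since no pair in $\lambda(v)$ has the empty multiset as its left argument.

Similarly as for places, we will denote by $trees(u)$ the multiset of transitions $R$ upon which a newly constructed transition $u = (v, \alpha) \lhd R \in T^{v}_{new}$ is based. For example, in figure 4, $trees((v_1, f) \lhd \{t_{11}, t_{12}\}) = \{t_{11}, t_{12}\}$ and $trees((v_3, e) \lhd \{t_{31}\}) = \{t_{31}\}$.

Labelling. The label of a place or transition $x$ in $(\boldsymbol{\Sigma})$ is defined in the following way:

$$\lambda_{(\boldsymbol{\Sigma})}(x) = \begin{cases} i & \text{if } x \in ST^{v}_{new} \\ \lambda(s) & \text{if } x \in SP^{s}_{new} \\ \alpha & \text{if } x = (v, \alpha) \lhd R \in T^{v}_{new}. \end{cases} \qquad (3)$$

Weight function. For a place $p$ in $S_{(\boldsymbol{\Sigma})}$ and transition $u$ in $T^{v}_{new}$, the weight function is given by:

$$W_{(\boldsymbol{\Sigma})}(p, u) = \sum_{z \in trees^{v}(p)} \sum_{t \in trees(u)} W_{\Sigma_v}(z, t) \cdot trees(u)(t), \qquad W_{(\boldsymbol{\Sigma})}(u, p) = \sum_{z \in trees^{v}(p)} \sum_{t \in trees(u)} W_{\Sigma_v}(t, z) \cdot trees(u)(t), \qquad (4)$$

where $trees(u)(t)$ denotes the number of occurrences of $t$ in the multiset $trees(u)$.

3.1 A running example

Figure 4 shows an operator box 0 which will serve as a running example. 0 is a simple, pure, safe and clean box. A justification that 0 is also factorisable is provided by the table below which lists all

⁵ Later, we will also prove theorem 3.12 which asserts that $(\boldsymbol{\Sigma})$ has a marking which is not only well defined but even safe.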


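[Figure 4 drawings not reproduced: the operator box 0 (places $s_1$, $s_2$ labelled e; $s_3$, $s_4$ labelled i; $s_5$ labelled x; transition $v_1$ labelled $\rho$, transitions $v_2$ and $v_3$ labelled $\rho_{id}$), the tuple $\boldsymbol{\Sigma}$ and the refined net $0(\boldsymbol{\Sigma})$ with places $p_1, \ldots, p_8$ and transitions $w_1, \ldots, w_4$.]

$p_1 = s_1 \lhd v_1 \lhd q_{11}$, $p_2 = s_1 \lhd v_1 \lhd q_{12}$, $w_1 = (v_1, f) \lhd \{t_{11}, t_{12}\}$
$p_3 = s_3 \lhd \{v_1 \lhd q_{13}, v_3 \lhd q_{31}\}$, $p_4 = s_3 \lhd \{v_1 \lhd q_{14}, v_3 \lhd q_{31}\}$, $w_2 = (v_2, c) \lhd t_{21}$
$p_5 = s_2 \lhd v_2 \lhd q_{21}$, $p_6 = v_2 \lhd q_{22}$, $w_3 = (v_2, d) \lhd t_{22}$
$p_7 = s_4 \lhd \{v_2 \lhd q_{23}, v_3 \lhd q_{31}\}$, $p_8 = s_5 \lhd v_3 \lhd q_{32}$, $w_4 = (v_3, e) \lhd t_{31}$

Figure 4. Boxes of the running example ($\rho = \rho_{id} \setminus \{(\{a\}, a), (\{b\}, b)\} \cup \{(\{a, b\}, f)\}$).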


complex markings (M;Q) reachable from the entry or exit marking of 0, and their possible factorisations (�e; �d; �x; �s):

M        | Q        | �e       | �d       | �x       | �s
fs1; s2g | ;        | fv1; v2g | ;        | ;        | fv3g
fs1g     | fv2g     | fv1g     | fv2g     | ;        | fv3g
fs2g     | fv1g     | fv2g     | fv1g     | ;        | fv3g
fs1; s4g | ;        | fv1g     | ;        | fv2g     | fv3g
fs2; s3g | ;        | fv2g     | ;        | fv1g     | fv3g
;        | fv1; v2g | ;        | fv1; v2g | ;        | fv3g
fs3g     | fv2g     | ;        | fv2g     | fv1g     | fv3g
fs4g     | fv1g     | ;        | fv1g     | fv2g     | fv3g
fs3; s4g | ;        | ;        | ;        | fv1; v2g | fv3g
         |          | fv3g     | ;        | ;        | fv1; v2g
;        | fv3g     | ;        | fv3g     | ;        | fv1; v2g
fs5g     | ;        | ;        | ;        | fv3g     | fv1; v2g
(5)

Thus fact0 comprises thirteen different factorisations, as the only factorisation (;; ;; ;; fv1; v2; v3g) of the empty marking (M;Q) = (;; ;) also belongs to fact0 . Notice, and this is crucial as we shall see, that a marking may have more than one factorisation, like (M;Q) = (fs3; s4g; ;) above.

One can see that dom0 = Boxd � Boxd � Boxs [Boxs � Boxs � Boxd [Boxs � Boxs � Boxs. Figure 4 shows an 0-tuple of boxes, � = (�v1 ; �v2 ; �v3) whose factorisation, (fv1g; fv2g; ;; fv3g), belongs to fact0 , and the tuple itself belongs to the domain of application of the operator box 0. The box 0(�) exemplifies net refinement, and the full linear notation for its place and transition (tree) names is also shown in figure 4.

3.2 Static properties of composite nets

In the rest of this paper, we will make frequent references to various notions used in the definition of net refinement, (�). In particular, we will use the notations Tvnew, STvnew and SPsnew (the latter also lifted to sets of places R, through SPRnew = Ss2R SPsnew), and the notations trees(u) and treesv(p), where u and p are respectively a transition and a place in (�), and v is a transition in . Using these notations, we can characterise several useful structural properties of the box (�).

Proposition 3.1. The net (�) is a plain box which is unmarked if and only if each �v is unmarked.

Proof: We first observe that,
8v 2 T 8q 2 S�v 9p 2 S(�) : q 2 treesv(p): (6)
Indeed, if q 2 ��v then we can take p = v�q 2 SPvnew.
If q 2 ��v then we take any s 2 �v (which can bedone since is T-restricted) and after that any p = s�f: : : ; v�q; : : :g 2 SPsnew will satisfy our requirement(at least one such p exists since all the boxes in � are ex-restricted). If q 2 ��v , we proceed similarly.Moreover, we observe that, 8s 2 S : SPsnew 6= ; (7)which follows directly from the de�nition (for an isolated s), or from the fact that all the boxes in� are ex-restricted (for a non-isolated s). Indeed, in the latter case, we can choose, for each v 2 s� (if any) an entryplace ev 2 ��v, and for each w 2 �s (if any) an exit place xw 2 ��w . Then s�(fv�evgv2s�+fw�xwgw2�s)is a place in SPsnew. We now proceed with the proof proper.It is clear that(�) is a plain labelled net; in particular, place markings are all natural numbers thanksto the fact that only �nitely many nets �v may contribute to the marking of a place in (�). The T-restrictedness and ex-restrictedness (needed to make it a plain box) are inherited from the correspondingproperties of the components, as shown below.(�) is T-restricted. Let u = (v; �)�R 2 T(�). To show �u 6= ;, we take any t 2 R and q 2 �t (theformer is possible since R 6= ;, and the latter since �v is T-restricted); by (4) it su�ces to �nd p 2 S(�)such that q 2 treesv(p). This, however, follows immediately from (6). To show u� 6= ;, we proceed


similarly.(�) is ex-restricted. Follows immediately from the ex-restrictedness of and (7).The second part of the proposition follows directly from the de�nition of the marking of (�) togetherwith (6) and (7). utProposition 3.2. If and �v, for every v 2 (�)�, are all e-directed boxes, then so is (�). Similarly,if and �v, for every v 2 �(�), are all x-directed boxes, then so is (�).Proof: If is e-directed then each entry place p of (�) is isolated, or arises from (i.e., it has a rootlabelled by) an entry place of , followed by its output transitions, followed by entry places of some ofthe �v's for v 2 (�)�. Since each such �v is e-directed, by the de�nition of the arc weights, p may onlyhave output transitions. And similarly for the x-directedness. utProposition 3.3. b(�)c = bc(b�c).Proof: Follows directly from the de�nition of M(�). utBelow, v and w are distinct transitions in . The �rst three results follow directly from the de�nitionof net re�nement and the ex-restrictedness of boxes.Proposition 3.4. Let z 2 ��v, q 2 ��v and r 2 ��v .(1) There is p 2 STvnew such that treesv(p) = fzg.(2) For every s 2 �vnv� there is p 2 SPsnew such that treesv(p) = fqg.(3) For every s 2 v�n�v there is p 2 SPsnew such that treesv(p) = frg.(4) For every s 2 �v \ v� there is p 2 SPsnew such that treesv(p) = fq; rg. utProposition 3.5. Suppose that one of the following holds:q 2 ��v ^ r 2 ��w ^ s 2 �v \ �w or q 2 ��v ^ r 2 ��w ^ s 2 v� \ �w orq 2 ��v ^ r 2 ��w ^ s 2 v� \w� or q 2 ��v ^ r 2 ��w ^ s 2 �v \w�:Then there is a place p in SPsnew such that q 2 treesv(p) and r 2 treesw(p). utProposition 3.6. Let p be a place in (�), and t 2 Tvnew. 
Thenp 2 �t() treesv(p) \ �trees(t) 6= ; and p 2 t� () treesv(p) \ trees(t)� 6= ;:Moreover, if p 2 SPsnew thenp 2 �t () (treesv(p) \ �trees(t) \��v 6= ; ^ s 2 v�) _ (treesv(p) \ �trees(t) \ ��v 6= ; ^ s 2 �v)p 2 t� () (treesv(p) \ trees(t)� \��v 6= ; ^ s 2 v�) _ (treesv(p) \ trees(t)� \ ��v 6= ; ^ s 2 �v):utApplying the above proposition to the example in �gure 4, we obtain that p3 2 �w4 since treesv3(p3) =fq31g and �trees(w4) = �ft31g = fq31g.In the results that now follow, we use predicates, Inet , Inxt , Outet and Outxt , where t is a transition inTvnew, to respectively denote: �trees(t)\��v 6= ;, �trees(t)\��v 6= ;, trees(t)�\��v 6= ; and trees(t)�\��v 6=;.


Proposition 3.7. Let t; u 2 Tvnew. Then�t \ �u 6= ; () �trees(t) \ �trees(u) 6= ; _ (�v \ v� 6= ; ^ (Inet ^ Inxu _ Inxt ^ Ineu))�t \ u� 6= ; () �trees(t) \ trees(u)� 6= ; _ (�v \ v� 6= ; ^ (Inet ^Outxu _ Inxt ^Outeu))t� \ �u 6= ; () trees(t)� \ �trees(u) 6= ; _ (�v \ v� 6= ; ^ (Outet ^ Inxu _ Outxt ^ Ineu))t� \ u� 6= ; () trees(t)� \ trees(u)� 6= ; _ (�v \ v� 6= ; ^ (Outet ^Outxu _ Outxt ^Outeu)):Proof: Suppose that p 2 �t \ �u. Then, by proposition 3.6, there are q 2 treesv(p) \ �trees(t) andr 2 treesv(p)\�trees(u). If q = r then �trees(t)\�trees(u) 6= ;. Otherwise, treesv(p) = fq; rg and, withoutloss of generality, q 2 ��v and r 2 ��v (and so Inet ^ Inxu). Moreover, jtreesv(p)j > 1 implies �v \ v� 6= ;.Hence the (=)) implication holds. The reverse implication ((=) follows from propositions 3.4(4) and3.6.The other three equivalences can be shown in the same way. Similar remarks apply to the proofs ofthe next two propositions. utThus, for the example in �gure 4, we obtain:w�2 \ �w3 6= ; since ft21g� \ �ft22g = fq22g \ fq22g 6= ;:Proposition 3.8. Let t 2 Tvnew and u 2 Twnew. Then�t \ �u 6= ; () (Inet ^ Ineu ^ �v \ �w 6= ;) _ (Inxt ^ Ineu ^ v� \ �w 6= ;) _(Inet ^ Inxu ^ �v \w� 6= ;) _ (Inxt ^ Inxu ^ v� \w� 6= ;)�t \ u� 6= ; () (Inet ^ Outeu ^ �v \ �w 6= ;) _ (Inxt ^ Outeu ^ v� \ �w 6= ;) _(Inet ^ Outxu ^ �v \w� 6= ;) _ (Inxt ^ Outxu ^ v� \w� 6= ;)t� \ �u 6= ; () (Outet ^ Ineu ^ �v \ �w 6= ;) _ (Outxt ^ Ineu ^ v� \ �w 6= ;) _(Outet ^ Inxu ^ �v \w� 6= ;) _ (Outxt ^ Inxu ^ v� \w� 6= ;)t� \ u� 6= ; () (Outet ^ Outeu ^ �v \ �w 6= ;) _ (Outxt ^ Outeu ^ v� \ �w 6= ;) _(Outet ^ Outxu ^ �v \w� 6= ;) _ (Outxt ^ Outxu ^ v� \w� 6= ;)Proof: Suppose that p 2 �t\�u. Then, by the de�nition of net re�nement, there is s 2 (�v[v�)\(�w[w�)such that p 2 SPsnew. Hence the (=)) implication holds by proposition 3.6. The reverse implication ((=)follows directly from propositions 3.5 and 3.6. 
utThus, for the example in �gure 4, we obtain:w�1 \ �w4 6= ; since 8>><>>:ft11; t12g� \��v1 = fq13; q14g \ fq13; q14g 6= ; (i.e., Outxw1)�ft31g \ ��v3 = fq31g \ fq31g 6= ; (i.e., Inew4 )v�1 \ �v3 = fs3g \ fs3; s4g 6= ;:Proposition 3.9. Let t 2 Tvnew. Then�t \ �(�) 6= ; () (Inet ^ �v \ � 6= ;) _ (Inxt ^ v� \ � 6= ;)t� \ �(�) 6= ; () (Outet ^ �v \ � 6= ;) _ (Outxt ^ v� \ � 6= ;)t� \(�)� 6= ; () (Outet ^ �v \� 6= ;) _ (Outxt ^ v� \� 6= ;)�t \(�)� 6= ; () (Inet ^ �v \� 6= ;) _ (Inxt ^ v� \� 6= ;)Proof: Suppose that p 2 �t\ �(�). Then, by the de�nition of net re�nement, there is s 2 �\ (�v[v�)such that p 2 SPsnew. Hence the (=)) implication holds by proposition 3.6. The reverse implication ((=)follows directly from propositions 3.4 and 3.6. utThus, for the example in �gure 4, we obtain:�w2 \ �0(�) 6= ; since ( �ft21g \ ��v2 = fq21g \ fq21g 6= ; (i.e., Inew2)�v2 \ �0 = fs2g \ fs1; s2g 6= ;:


3.3 Markings of composite nets

We now will show that the marking of any net obtained by applying an operator box to a tuple of boxes in its domain is safe and clean. This will be preceded by two auxiliary results clarifying the relationship between the marking of the refined net (�) and the markings of the refining nets �. The results stem from an observation that although in the general formulation of net refinement a token in a newly created place can be contributed by any of the places which were used to construct that place, the restrictions imposed on an operator box and on the tuples of boxes in its domain mean that at most one such box can actually contribute tokens.

Let be an operator box and � 2 dom be an -tuple of boxes with the factorisation �, fixed for the rest of this section. For every transition v in , we define the set mar�(v) of places of (�) which are markable by v, in the following way:

mar�(v) =
    SP(�v)new                 if v 2 �e
    SP(�v[v�)new [ STvnew     if v 2 �d
    SP(v�)new                 if v 2 �x
    ;                         if v 2 �s
(8)

That is, mar�(v) comprises all places into which the box �v refining v can possibly insert tokens6 (and so, in particular, mar�(v) is empty for a static �v). From proposition 2.2(4) it follows that a given place is markable by at most one transition, i.e., for all transitions v and w in ,
v 6= w =) mar�(v) \mar�(w) = ;: (9)
Notice also that if p 2 mar�(v) then treesv(p) is always non-empty. For our running example in figure 4, we will assume also that � = (fv1g; fv2g; ;; fv3g), which is the factorisation of the tuple � of figure 4, is the running factorisation. Then, we have: mar�(v1) = fp1; p2g, mar�(v2) = fp5; p6; p7g and mar�(v3) = ;.

Using the notion of markable places, we can relate the marking of (�) to those of the nets in �.

Lemma 3.10. Let p be a place in (�).
ThenM(�)(p) = (Tot(M�v ; treesv(p)) if p 2 mar�(v) for some v0 if there is no v such that p 2 mar�(v): (10)where Tot(M;R) =Ps2RM (s) is the total number of tokens on a �nite set of places R.Proof: First note that (10) is well formed due to (9). If p 2 STvnew, for some v, then (10) follows directlyfrom the de�nition of net re�nement and (8). Suppose that p 2 SPsnew. If there is v such that p 2 mar�(v)then, by proposition 2.2(4) and (8),w 2 �(�s [ s�) \ (�e [ �d [ �x)�nfvg =) s 2 �w nw� ^ w 2 �xwhich in turn implies that Tot(M�w ; treesw(p)) = 0, for all w 2 (�s[s�)nfvg. This andM(s) = 0 yieldsM(�)(p) = Tot(M�v ; treesv(p)). If there is no v such that p 2 mar�(v) then Tot(M�w ; treesw(p)) = 0,for all w 2 �s [ s�. This and M(s) = 0 means that p is unmarked. utApplying the above lemma to the places p3 and p6 in �gure 4, we obtain M0(�)(p3) = 0, sincep3 62 mar�(v1) [mar�(v2) [mar�(v3), andM0(�)(p6) = Tot(�v2 ; treesv2(p6)) =M�v2 (q22) = 1:6 In other words, �v cannot insert a token into places other than mar�(v).
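The markable-place sets (8) and the marking rule of lemma 3.10, computed for the running example of figure 4; this is an added example, not code from the paper. The `<` separator (standing in for the tree symbol lost in extraction), the `e`/`d`/`x`/`s` keys, the pre- and post-sets and the component markings are assumptions read off the page's worked examples and the figure's labels.

```python
import re

# Linear tree names of the places of the refined net, as listed with figure 4.
# "<" stands in for the page's tree-separator symbol (lost in extraction).
PLACE_NAMES = {
    "p1": "s1<v1<q11",
    "p2": "s1<v1<q12",
    "p3": "s3<{v1<q13,v3<q31}",
    "p4": "s3<{v1<q14,v3<q31}",
    "p5": "s2<v2<q21",
    "p6": "v2<q22",
    "p7": "s4<{v2<q23,v3<q31}",
    "p8": "s5<v3<q32",
}

# Pre- and post-sets of the operator box transitions (assumption: taken from
# the page's worked intersections and from the place names above).
PRE = {"v1": {"s1"}, "v2": {"s2"}, "v3": {"s3", "s4"}}
POST = {"v1": {"s3"}, "v2": {"s4"}, "v3": {"s5"}}

# Running factorisation ({v1}, {v2}, {}, {v3}); the keys are this example's names.
FACT = {"e": {"v1"}, "d": {"v2"}, "x": set(), "s": {"v3"}}

# Markings of the refining boxes as sets of marked places (the boxes are safe).
# Assumption: the box for v1 holds its entry marking {q11, q12}, the box for v2
# has a token on q22 (stated on the page), the box for v3 is unmarked.
COMPONENT_MARKING = {"v1": {"q11", "q12"}, "v2": {"q22"}, "v3": set()}


def parse_place(name):
    """Return (root, {v: component places}) for one linear tree name."""
    root, rest = name.split("<", 1)
    if root.startswith("v"):  # place built from an internal place of one box
        return root, {root: {rest}}
    trees = {}
    for v, q in re.findall(r"(v\d+)<(q\d+)", rest):
        trees.setdefault(v, set()).add(q)
    return root, trees


PARSED = {p: parse_place(n) for p, n in PLACE_NAMES.items()}


def trees(v, p):
    """Places of the box refining v that were used to build place p."""
    return PARSED[p][1].get(v, set())


def sp_new(op_places):
    """Refined places rooted at one of the given operator box places."""
    return {p for p, (root, _) in PARSED.items() if root in op_places}


def st_new(v):
    """Refined places rooted at transition v (internal places of its box)."""
    return {p for p, (root, _) in PARSED.items() if root == v}


def markable(v):
    """Definition (8): places into which the box refining v can insert tokens."""
    if v in FACT["e"]:
        return sp_new(PRE[v])
    if v in FACT["d"]:
        return sp_new(PRE[v] | POST[v]) | st_new(v)
    if v in FACT["x"]:
        return sp_new(POST[v])
    return set()  # static box: contributes no tokens


def marking():
    """Lemma 3.10: tokens on each refined place, taken from its unique owner."""
    result = {}
    for p in PARSED:
        owners = [v for v in PRE if p in markable(v)]
        if len(owners) > 1:  # would contradict property (9)
            raise ValueError(f"{p} is markable by more than one transition")
        if owners:
            v = owners[0]
            result[p] = len(trees(v, p) & COMPONENT_MARKING[v])  # Tot(M, trees)
        else:
            result[p] = 0
    return result


def marked_places():
    return {p for p, n in marking().items() if n > 0}


if __name__ == "__main__":
    for v in sorted(PRE):
        print(v, sorted(markable(v)))
    print("marked:", sorted(marked_places()))
```
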


Lemma 3.11. Let s be a place in . Then all the places of SPsnew are marked in (�) if and only ifs 2 ��e [ ��x.Proof: (=)) By lemma 3.10 and SPsnew 6= ;, there is v such that mar�(v) \ SPsnew 6= ;. If v 2 �s n s� and�v 62 Boxx then there is r 2 ��v such that M�v (r) = 0. By proposition 3.4(3), there is a place p in SPsnewsuch that treesv(p) = frg. Hence, by lemma 3.10, p is unmarked atM(�), a contradiction. Thus v 2 �x.For v 2 s� n �s the argument is symmetric, yielding v 2 �e.Suppose now that v 2 �s \ s�. Then, by the ex-exclusiveness of �v (by (Dom1)) and without loss ofgenerality, we may assume that ��v\M�v = ;. If �v 62 Boxx then there is r 2 ��v such thatM�v (r) = 0.By proposition 3.4(4), there is a place p in SPsnew such that treesv(p) = fq; rg, where q is a place in ��v.Hence, by lemma 3.10, p is unmarked at M(�), a contradiction. Thus v 2 �x.((=) If s 2 ��e [ ��x then all the places in SPsnew are marked, which follows from (8), lemma 3.10,and the de�nition of net re�nement. utTheorem 3.12. The marking of (�) is safe and clean.Proof: The marking is safe by lemma 3.10, the safeness of the boxes in �, and the ex-exclusiveness of theboxes �v such that �v\v� 6= ; (by (Dom1)). To show that it is also clean, suppose that �(�) �M(�).From lemma 3.11 it follows that � � ��e[��x. Hence, by proposition 2.2(5), �d = ; and � = ��e[��x.It then follows from the safeness of M(�), (8) and lemmata 3.10 and 3.11, that �(�) = M(�). Thecase (�)� �M(�) is symmetric. 
ut

A useful corollary of the results proved in this section is the following closed formula for the safe and clean marking of (�):
M(�) = SP(��e[��x)new [ [v2�d np 2 �SP(�v[v�)new [ STvnew� ��� treesv(p) \M�v 6= ;o: (11)
Applying it to the refinement in figure 4 yields the marking of 0(�) (recall that the factorisation of � is (fv1g; fv2g; ;; fv3g)):
M0(�) = SP(�v1)new [ np 2 �SP(�v2[v�2 )new [ STv2new� ��� treesv2(p) \M�v2 6= ;o
      = SPs1new [ np 2 �SPs2new [ SPs4new [ STv2new� ��� treesv2(p) \ fq22g 6= ;o
      = fp1; p2g [ np 2 fp5; p7; p6g ��� treesv2(p) \ fq22g 6= ;o
      = fp1; p2; p6g:

4 Structured operational semantics of composite boxes

The generic rules of the operational semantics of a process algebra (see, for instance, [20]) specify how the behaviour of a compound process term is related to the behaviour of its sub-terms. We will now take this idea and apply to the domain of compositional nets defined using operator boxes.

Let be an operator box and � be an -tuple in its domain, dom. When dealing with the operational semantics of the compositional box (�), we shall use the notation
� : �� U�����! � : �� (12)
to mean that the boxes � can individually make moves which, when combined, yield step U and lead to new boxes �. By definition, this will be the case whenever U is a finite set of transitions of (�) and, for every transition v in , U \ Tvnew = fu1; : : : ; ukg is a finite set of transitions such that
�v h trees(u1) + � � �+ trees(uk) E �v: (13)
Consider, for example, the boxes of the running example depicted in figure 4. Then
�0 : �� fw1;w3g�����! �0 : ��


where � is the tuple of boxes shown in figure 5. Indeed, by setting U = fw1; w3g we obtain U \ Tv1new = fw1g, U \ Tv2new = fw3g and U \ Tv3new = ;. Moreover, trees(w1) = ft11; t12g and trees(w3) = ft22g. And, finally,
�v1 hft11; t12gE �v1 ; �v2 hft22gE �v2 and �v3 h;E �v3 :
Notice that fw1; w3g is also a valid step for the box 0(�) and 0(�) [fw1; w3gi 0(�). We shall soon see that this is not accidental.

Each multiset trees(ui) in (13) is in fact a set of mutually independent transitions of �v, and trees(ui) and trees(uj) are disjoint sets, for all distinct i and j. Both properties follow from the safeness of the boxes in � and proposition 2.1(2). We can therefore denote the multiset sum in (13) as the disjoint union of k sets, trees(u1) �[ � � � �[ trees(uk). Notice also that U \ Tvnew 6= ; (and so �v 6= �v) only for finitely many v, since U is finite. Assuming that U is a multiset rather than a set would not add any new moves (12) since Tvnew \ Twnew = ; for v 6= w, and all boxes in � are safe. The above definition of operational semantics does not involve the redo/skip transitions, which are not refined but added only afterwards to obtain transition system semantics of boxes.

Instead of expressing behaviours in terms of transitions, it is also possible to express them using actions, through the labelling function
�(�)(U ) = Xu2Uf�(�)(u)g: (14)
This returns multisets rather than sets since different transitions may have the same label. For the example above, this would yield the multiset �0(fw1; w3g) = ff; dg, which is also here, by chance, a set. Finally, we need to observe that although each derivation (12) is underpinned by the derivations (13) for the boxes in �, not all possible moves of the �v's do correspond to a derivation captured by (12). For example, if we again take the running example, then
�v1 hft11gE �0v1 ; �v2 h;E �0v2 = �v2 and �v3 h;E �0v3 = �v3 :
Yet there is no move (0 : �) U 0�! (0 : �0) corresponding to it because there is no transition w in Tv1new such that trees(w) = ft11g. This is due to the fact that the � of figure 4 leads to a synchronisation of t11 and t12.

4.1 Soundness

What now follows is the (easier) half of the SOS rule for boxes.

Theorem 4.1. Let � be a tuple in the domain of an operator box and
� : �� U�����! � : ��:
Then � is also a tuple in the domain of and (�) [U i (�).

Proof: Let � be the factorisation of � and V ��0 = fv 2 �� j �v 2 Box�0g, for �; �0 2 fe; d; xg. Then
�0 = ��en(V ed[V ex)[ (V de[V xe) ; �dn(V de[V dx)[ (V ed[V xd) ; �xn(V xe[V xd)[ (V ex[V dx) ; �s�
is the factorisation of �. Moreover, by multiple applications of all parts of proposition 2.2(3) we obtain that �0 2 fact (note that V ed [ V ex [ V de [ V dx [ V xe [ V xd is a finite set since U is finite, and if v 2 V xe[V xd then �v is non-x-directed and therefore, by (Dom2), v is reversible). We also observe that (Dom1) and (Dom2) are satisfied by � since they were satisfied by �. Hence � 2 dom.

Let Uv = U \ Tvnew, for every v 2 T (recall that both Uv and each trees(u), for u 2 Uv, is a set). It follows from the definition of U�! and the enabling and execution rules, that there is an -tuple of boxes


� such that b�c = b�c and, for every v 2 T and every q 2 S�v ,M�v (q) =M�v (q) + Xu2Uv Xx2trees(u)W�v(q; x) (15)M�v (q) =M�v (q) + Xu2Uv Xx2trees(u)W�v(x; q): (16)(To see this, simply subtract one equation from the other.) We then observe that, since M�v �M�v forevery v 2 T, and (�) is de�ned, (�) is a well-de�ned application of net re�nement (although it isnot necessarily the case that � 2 dom, since it could happen, for instance, that M�v = ; while v 2 �d).Moreover, for every p 2 S(�), M(�)(p) =M(�)(p) +Xu2UW(�)(p; u) (17)M(�)(p) =M(�)(p) +Xu2UW(�)(u; p): (18)We only show that (17) holds, the proof for (18) being similar. For p = v�q 2 STvnew we have, bytreesv(p) = fvg and (2,4,15) and trees(u) being sets:M(�)(p) =M�v (q)=M�v (q) + Xu2Uv Xx2trees(u)W�v(q; x)=M�v (q) + Xu2UvW(�)(p; u)=M(�)(p) + Xu2UvW(�)(p; u):We then observe that from treesz(p) = ; (for z 6= v) and (4) it follows that W(�)(p; u) = 0, for everyu 2 UnUv, so (17) holds for this p. For p = s � (fv�xvgv2�s + fw�ewgw2s�) 2 SPsnew we proceed asfollows: M(�)(p) = Xv2�sM�v (xv) + Xw2s�M�w (ew)= Xv2�sM�v (xv) + Xv2�s Xu2Uv Xx2trees(u)W�v (xv; x) +Xw2s�M�w(ew) + Xw2s� Xu2Uw Xx2trees(u)W�w(ew ; x)=M(�)(p) + Xh2�s[s� Xu2Uh Xz2treesh(p) Xx2trees(u)W�h (z; x)=M(�)(p) + Xh2�s[s� Xu2UhW(�)(p; u)where the �rst equality follows from (2) and M(s) = 0; the second from (15); the third from (2) andM(s) = 0 and xv 6= ew (for v = w 2 �s [ s�); and the last from (4) and trees(u) being sets. Wethen observe that from treesz(p) = ; (for z =2 �s [ s�) and (4) it follows that W(�)(p; u) = 0, for everyu 2 UnSh2�s[s� Uh, so (17) holds also for this p.Since U is �nite, by (17), it is enabled at M(�). Let � be the box such that (�) [U i �. Then, by(17), (18) and U being a set, for every p 2 S� = S(�) = S(�),M�(p) = M(�)(p) �Xu2UW(�)(p; u) + Xu2UW(�)(u; p) = M(�)(p):This and b(�)c = b�c means that (�) = �, which completes the proof. ut

Page 18: Semantic Scholar...The Bo x Algebra = P etri Nets + Pro cess Expressions Eik e Best 1, Ra ymond Devillers 2 and Maciej Koutn y 3 1 F ac h b. Inf., Carl v on Ossietzky Univ ersit at,

4.2 Similarity relation on tuples of boxes

[Figure 5. Another application of 0.]

A direct converse of theorem 4.1 does not in general hold true. For consider the tuple of boxes � in figure 5 and the box 0(�), shown in figure 5. We have 0(�) [fw4gi , yet no nonempty move of the form
�0 : �� U�����! �0 : �0�
is possible. This is so because, when composing the nets, the tokens contributed by �1 and �2 are inserted into the composed net in such a way that they could all have been contributed by �3 as well. More precisely, we have (�) = (), where is the tuple of boxes depicted in figure 5. And the


situation is now di�erent since a move�0 : � fw4g�����! �0 : 0�is possible with 01 = 1, 02 = 2 and 03 = 3. A conclusion to be drawn from this example is that themarkings in a tuple of boxes � may need to be rearranged before attempting to derive a move which isadmitted by their composition (�). Such a rearrangement is formalised by a similarity relation � on{tuples of boxes de�ned next.Let be an operator box and � and � be {tuples of static and dynamic boxes whose factorisationsare respectively � and �. Then � � � if � and � are factorisations of the same complex marking of and b�c = b�c and �v = �v, for every v 2 �d = �d. The last requirement is added because, as wewill see, the rearrangement of tokens concerns only the complete extry and exit interfaces of the re�ningnets. It is clear that � is an equivalence relation. We can further strengthen this by showing that it isclosed in the domain of application of , and that it relates tuples which yield the same boxes throughre�nement.Proposition 4.2. If � is a tuple in the domain of an operator box and � � �, then � is also atuple in the domain of and (�) = (�). Moreover, if � and � are tuples in the domain of suchthat b�c = b�c and (�) = (�), then � � �.Proof: Let � and � be respectively the factorisations of � and �.By the de�nition of�, b�c = b�c, which implies that� satis�es (Dom1) and (Dom2) since � satis�esboth conditions and �v = �v, for every v 2 �d = �d. Hence � 2 dom. The claim that (�) = (�)follows from b(�)c = (b�c) = (b�c) = b(�)c, the fact that � and � are factorisations of the samemarking of and (11). The second part can be shown thus.Let Rev = ��v = ��v and Rxv = ��v = ��v and Rv = ��v = ��v, for every v 2 T . We �rst observethat, for every v 2 T, M�v \Rv = M�v \Rv: (19)Indeed, let q 2 Rv. By proposition 3.4(1), there is p 2 S(�) = S(�) such that treesv(p) = fqg and so,by (11) and q being an internal place, M�v (q) = M(�)(p) = M(�)(p) = M�v (q). 
We next show thatfor all v 2 T and � 2 fe; xg, (M�vnM�v ) \R�v 6= ; =) v 2 ��: (20)Suppose that � = e (the proof is symmetric for � = x). Assume that q 2 (M�vnM�v ) \ Rev 6= ; (whichmeans that v 2 �e [ �d) and v 62 �e. The latter means that there is q0 2 ��v such that M�v (q0) = 0.Take any s 2 �v (notice that SPsnew � mar�(v)). If s 62 v� then de�ne Z = fqg and Z 0 = fq0g. If s 2 v�then de�ne Z = fq; rg and Z 0 = fq0; rg where r is any place in ��v (note that since �v is ex-exclusive insuch a case, we have M�v (r) = 0).By proposition 3.4(2,4), there is p 2 SPsnew such that treesv(p) = Z. Moreover, by (2), p 2 M(�).Thus, by (�) = (�) and (8) and lemma 3.10, there must be a transition w 2 �s [ s� such thatp 2 SPsnew � mar�(w). We now consider two cases:Case 1: w = v. Then there is p0 2 SPsnew such that treesv(p0) = Z 0. We then observe thatM(�)(p0) = 0. All these leads, by lemma 3.10, to Tot(M�v ; Z) = Tot(M�v ; Z) = 1 and Tot(M�v ; Z 0) =Tot(M�v ; Z 0) = 0 which is in contradiction with M�v (q) = 1 and M�v (q0) = M�v (q) = 0, as one caneasily verify.Case 2: w 6= v. Then there is p0 2 SPsnew such that treesv(p0) = Z 0 and treesw(p0) = treesw(p).By lemma 3.10, M(�)(p0) = M(�)(p). Yet M(�)(p) = 1 6= 0 = M(�)(p0), a contradiction with(�) = (�).Thus (20) holds.Suppose now that v 2 �d and M�v 6=M�v . We have, by (19), M�v \Rv =M�v \Rv. Moreover, if(M�vnM�v ) \ (Rev [Rxv) 6= ;then, by (20), v 2 �e [ �x, contradicting v 2 �d. We thus have M�v �M�v and M�v \Rv =M�v \Rvand M�v 6=M�v , so it must be the case that, for some � 2 fe; xg,(M�vnM�v) \R�v 6= ;:


Hence, by the symmetric version of (20) (which clearly holds), we obtain v 2 ��. If � = e then, by (11),SP(�v)new � M(�) = M(�). This and lemma 3.11 means that �v � ��e [ ��x, contradicting v 2 �d andproposition 2.2(4). If � = x then, by (11), SP(v�)new �M(�) =M(�) which, again by lemma 3.11, meansthat v� � ��e [ ��x, contradicting v 2 �d and proposition 2.2(4). Hence �v = �v and so also v 2 �d. Ina similar way, we can show that v 2 �d implies v 2 �d and �v = �v. Hence �d = �d and �v = �v, forevery v 2 �d = �d.To complete the proof of � � �, we still need to show that ��e [ ��x = ��e [ ��x. This, however,follows directly from lemma 3.11 and (�) = (�). utThe condition b�c = b�c in the second part of the last result cannot be omitted. For example,with our running example in �gure 4, if we take �0 to be �v1 with the label of t11 changed to b,and �00 to be �v1 with the label of t12 changed to a, then 0(�0; �v2 ; �v3) = 0(�00; �v2; �v3), yet(�0; �v2; �v3) � (�00; �v2; �v3) clearly does not hold.4.3 CompletenessWe are now ready to prove the second half of the SOS rule for boxes. Together with theorem 4.1, this willmean that for the class of operator boxes, the standard step sequence semantics of compositionally de�nednets obeys a variant of the SOS rule introduced originally for process algebras. The result is precededby an auxiliary lemma which provides a characterisation of the enabling relation for the transitions in are�ned net. Below, � is a tuple in the domain of an operator box , and � is the factorisation of �.Lemma 4.3. Let v be a transition in and U = fu1; : : : ; ukg � Tvnew be a nonempty set of tran-sitions which is enabled in (�). For every l � k, let trees(ul) = fxl1; : : : ; xlmlg. 
Moreover, letX = fx11; : : : ; x1m1 ; : : : ; xk1; : : : ; xkmkg.(1) For all x 2 X and q 2 �x, W�v (q; x) = 1.(2) For all xli; xhj 2 X, if (l; i) 6= (h; j) then �xli \ �xhj = ; and xli 6= xhj .(3) If v 2 �d then �X �M�v .(4) If v 2 �e [ �s [ �x then either �X � ��v and SP(�v)new �M(�), or �X � ��v and SP(v�)new �M(�).Proof: (1,2) We observe that if (1) does not hold for x = xli, or if �xli \ �xhj = ; (in (2)) does not holdfor l = h then, by the de�nition of net re�nement, there is a place p in (�) such that W(�)(p; ul) � 2,contradicting the safeness of M(�) (see theorem 3.12) and fulg being enabled in (�). For l 6= h in(2), we also have �xli \ �xhj = ; since M(�) is safe, U is enabled in (�), and (the �rst part of)proposition 3.7 holds. Moreover, in (2), xli 6= xhj follows from �xli \ �xhj = ; (which we have alreadyshown) and the T-restrictedness of �v.Before proving the rest of the proposition, we observe thatq 2 ��v \ �X =) M�v (q) > 0 (21)which follows from the fact that for such a q, by proposition 3.6 and lemma 3.10, we have p = v�q 2 �Uand M(�)(p) =M�v (q).(3) By (21), we only need to show that if q 2 �X \ (��v [ ��v ) then M�v (q) > 0. To the contrary,assume that M�v (q) = 0 and, without loss of generality, that q 2 ��v. Then, since v 2 �d and �v isclean, there must be r 2 ��v such that M�v (r) = 0. It now follows from proposition 3.4(4) that there isp 2 mar�(v) such that treesv(p) = fq; rg. We then notice that, by (8) and lemma 3.10, M(�)(p) = 0.Moreover, by proposition 3.6, p 2 �U , producing a contradiction with U being enabled in (�).(4) By (21), we have �X � ��v [��v . We will �rst show that �X \ ��v 6= ; implies SP(�v)new �M(�).By lemma 3.11, the latter always holds if v 2 �e, so we may assume that v 2 �s [ �x and q 2 �X \ ��v.To the contrary, suppose that M(�)(p) = 0, for some s 2 �v and p 2 SPsnew. 
Let q0 2 ��v be such thatq0 2 treesv(p) (note that it may happen that q = q0, but it is always the case that 0 =M�v (q) �M�v (q0)).Then, by the de�nition of net re�nement, there is p0 2 SPsnew such that treesv(p0) = treesv(p) n fq0g [ fqgand treesw(p0) = treesw(p), for all w 6= v. Thus, by (2), M(�)(p0) � M(�)(p) = 0. This, however,contradicts U being enabled in (�) and p0 2 �U (by (4)).In a similar way, we may show that if �X \��v 6= ; then SP(v�)new �M(�).


Thus we only need to prove is that it is impossible to have �X \ ��v 6= ; 6= �X \��v . Indeed, if thiswas the case, then by what we have already shown, SP(�v[v�)new � M(�) which, by lemma 3.11, wouldmean that �v [ v� � ��e [ ��x. Moreover, �v \ v� = ; since otherwise, by proposition 3.4(4) and (4),there would be p 2 SP(�v\v�)new such thatPu2U W(�)(p; u) � 2, contradicting U being enabled at the safemarking M(�). Thus, since is a box (and so is safe) we obtain that v� = ;, a contradiction with being T-restricted. utThe above lemma characterises two cases where a step U derived from the net re�ning a transition vcan be executed in (�). The �rst is that the step is made possible by the marking of �v and thus canbe deduced using the rule (12); this is captured by part (3), and by part (4) with (�X � ��v ^ v 2 �e)or (�X � ��v ^ v 2 �x). The second case characterises those situations when (12) cannot be used; thisis captured by part (4) with v 2 �s or (�X � ��v ^ v 2 �x) or (�X � ��v ^ v 2 �e). Notice thatit applies to the tuple � in �gure 5 and U = fw4g � Tv3new. Indeed, U is a step enabled in 0(�) (see�gure 5), �v3 2 Boxs, �trees(w4) = fq31g � ��v3 andSP(�v3)new = SPs3new [ SPs4new = fp3; p4; p7g =M0(�):Theorem 4.4. Let (�) [U i �0. Then there are � and in dom such that � � �, () = �0 and� : �� U�����! � : �:Proof: For every v 2 V , let Uv = U \ Tvnew and Xv = Su2Uv trees(u). Moreover, let V = fv j Uv 6= ;gand (M;Q) be the marking of whose factorisation is the factorisation � of �. Finally, for � 2 fe; x; sg,let Y� = fv 2 V \ �� j �Xv � ��vg and Z� = fv 2 V \ �� j �Xv � �v�g. 
From lemma 4.3(3,4),proposition 3.8, and U being enabled in the safe markingM(�), it follows thatR = �Sv2Ye�v �[ �Sv2Yx�v �[ �Sv2Ys�v �[ �Sv2Zev� �[ �Sv2Zxv� �[ �Sv2Zsv� � M: (22)Hence, by proposition 2.2(2) and (Dom2) (where the latter implies that each transition v 2 Ze [Zx [Zsis reversible which guarantees that (M nv�; Q[fvg) is a marking reachable from � or �) we have that(M 0; Q0) = (M nR ; Q [ Ye [ Yx [ Ys [ Ze [ Zx [Zs)is a marking reachable from � or �. Thus there is a factorisation � 2 fact of (M 0; Q0). It is then easyto see that � = (�e [ Ye [ Yx [ Ys ; �d ; �x [ Ze [ Zx [ Zs ; �s)is a valid factorisation of (M;Q). Let � be the {tuple of boxes such that b�c = b�c, � is the factorisationof � and, for every v 2 �d = �d, �v = �v. Then, by lemma 4.3(1,2,3), we have that� : �� U�����! � : �for some . Thus, by theorem 4.1, (�) [U i () and, by proposition 4.2, (�) = (�). As a result,�0 = (). utVarious important consequences may be derived from theorems 4.1 and 4.4. In particular,Theorem 4.5. (�) is a static or dynamic box.Proof: By theorem 3.12, to show that all the markings reachable fromM(�) are safe and clean, it su�cesto show that if U is a step such that (�) [U i �0 then there is a tuple in the domain of such that�0 = (), which holds by theorem 4.4 and proposition 4.2. To deal with the markings reachable from�(�) or (�)�, it su�ces to observe that:9�;�0 2 dom : (�) = (�) ^ (�0) = (�): (23)To show that such a � does indeed exist, we �rst observe that, since is an operator box and proposi-tion 2.2(5) holds, there is a factorisation � of the entry marking such that ��e [ ��x = � and �d = ;.De�ne � as the {tuple of boxes such that b�c = b�c and � is the factorisation of �. It follows directlyfrom (11) that (�) = (�). The existence of �0 can be shown similarly. utAnd, by inspecting the last proof, we obtain


Corollary 4.6. Let �0 be a net derivable from (�) or (�). Then there is a tuple � in the domainof such that �0 = (�). utAs a summary, sos-compositionality in the domain of nets can be rendered by a rule similar to thatcommonly formulated for process algebras:� : �� U�����! � : �(�) hUE �0 � � � ; () = �0 (24)Theorem 4.1 together with proposition 4.2 verify its soundness, whereas theorem 4.4 veri�es its complete-ness.A useful corollary is a su�cient condition for a re�nement to be ex-exclusive.Theorem 4.7. Let be an ex-exclusive operator box and � 2 dom be a tuple of boxes such that,for every v 2 T satisfying �v \ � 6= ; 6= v� \ � or v� \ � 6= ; 6= �v \ �, it is the case that �v isex-exclusive. Then (�) is an ex-exclusive box.Proof: Let (M;Q) be the marking of with the same factorisation � as �. From (23), theorem 4.4 andproposition 4.2, it follows that it su�ces to show that �(�) \M(�) = ; or (�)� \M(�) = ;. Tothe contrary, suppose that there are p 2 �(�) and p0 2 (�)� such that p; p0 2 M(�). Then, by thede�nition of net re�nement, there are s 2 � and s0 2 � such that p 2 SPsnew and p0 2 SPs0new. Moreover,by lemma 3.10, there are v and v0 such that p 2 mar�(v) and p0 2 mar�(v0). We now consider two cases:Case 1: v = v0. If v 2 �e [ �x then s; s0 2 ��e [ ��x, contradicting being ex-exclusive. If v 2 �dand s; s0 2 �v _ s; s0 2 v� then, by proposition 2.2(3), we again obtain a contradiction with beingex-exclusive. If neither s; s0 2 �v nor s; s0 2 v�, we may assume without loss of generality, that s 2 �vand s0 2 v�. Let q 2 ��v and q0 2 ��v be such that q 2 treesv(p) and q0 2 treesv(p0). Then, since neithers; s0 2 �v nor s; s0 2 v�, fqg = treesv(p) and fq0g = treesv(p0). Hence q; q0 2M�v , contradicting �v beingex-exclusive.Case 2: v 6= v0. Then, by proposition 2.2(2), there is a marking (M 0; Q0) reachable from � or �such that s; s0 2M 0, contradicting being ex-exclusive. 
□

5 Behavioural conditions

In the previous section, we have seen how the behaviour of a compositionally defined net can be computed from the behaviour of its components, and conversely. So far, however, this is unrelated to any process algebraic considerations, except that the shape of the SOS rule is inspired by process algebra theory. Starting with this section, we shall investigate relationships between operations on nets (incarnated by operator boxes) and process algebraic operators. In the present section, we address a behavioural consistency issue that pertains to such an investigation.

Consider the operator box � on the left hand side of figure 6, whose terminated behaviours are modelled by the expression v2* v1 (in other words, any number of repetitions of the net refining v2 followed by a behaviour of the net refining v1). Allowing operator boxes like � raises the danger of creating composite nets which are not in agreement with an intuitive behavioural meaning of operations specified by operator boxes. For consider an expression such as (N�; �(N� ;N )) (using the boxes in figure 7), whose behaviour is, intuitively: do either �, or �� . According to our intuition about the operation specified by �, one might expect that the net corresponding to this expression could be constructed by first applying � to N� and N , and then putting the result in a choice with N�, yielding the net shown on the right-hand side of figure 6. This net, however, allows evolutions such as {�}{�}{�}, which do not correspond to what one expects from a choice construct. This phenomenon is not particular to our approach, nor to Petri nets in general (cf. [1, 13]).

If we imposed ex-directedness on all boxes, then the problem would disappear. However, such a strict solution is not always desirable, because boxes such as � are useful in modelling guarded while-loops in programming languages (basically, v1 corresponds to the negation of the guard(s), and v2 to the repetitive behaviour).
On the other hand, if it is ascertained that a loop does not occur initially in an enclosing choice, or in an enclosing loop, then the problem also disappears, and ex-directedness is no longer required. In our experience, in practical programming languages such a case (i.e., a loop occurring initially in enclosing loops or choices) does not arise, and we therefore formulate a set of conditions in such a way that it is excluded, and � still is an allowed operator box.

Figure 6. Operator box � and a net modelling (tentatively) (N�; �(N� ;N )).

Figure 7. Plain box N� and operator box for choice, .

In all, we formulate five additional conditions on an -tuple � in the domain of application of an operator box ; below, v and w are transitions in . The example discussed above will be excluded by (Beh1), when v and w are instantiated by v1 and v2, respectively, since �(N� ;N ) is not e-directed.

- If v ≠ w and �v ∩ �w ≠ ∅, then �v, �w ∈ Boxedir . (Beh1)
- If v ≠ w and v� ∩ w� ≠ ∅, then �v, �w ∈ Boxxdir . (Beh2)
- If v� ∩ �w ≠ ∅, then �v ∈ Boxxdir or �w ∈ Boxedir . (Beh3)
- If �v ∩ � ≠ ∅, then �v ∈ Boxedir . (Beh4)
- If v� ∩ � ≠ ∅, then �v ∈ Boxxdir . (Beh5)

In the rest of this section, we will argue that indeed, (Beh1)-(Beh5) guarantee that behaviours of a composite net are composed from behaviours of its components. It is limited to the (relevant) case of operator boxes with one single token, of which both and � are special instances.

The appropriateness of the conditions (Beh1)-(Beh5)

Let us consider an operator box such that each marking reachable from � or � has at most one token (in other words, we may assume that is a state machine which means that |�| = |�| = 1 as well as |�v| = |v�| = 1, for every v ∈ T) and that each transition of is labelled by the identity relabelling, �id .
Furthermore, let (�) be a valid applicationof satisfying (Beh1){(Beh5), and U1 : : :Uk be a nonempty step sequence composed of nonempty setsof transitions such that (�) [U1 : : :Uki : (25)We aim at showing that the execution (25) can be seen as a combination of valid executions of andthe �v's. To this end, we �rst observe that, by theorem 4.4 and (23), there are -tuples �1; : : : ;�k and�1; : : : ;�k in dom such that b�ic = b�ic = b�c, for every 1 � i � k, and81 � i � k : � : �i� Ui�����! � : �i� (26)


81 < i � k : (�i) = (�i�1) (27)(�1) = (�) and (�k) = : (28)Below, we will denote by �i and �i the factorisations of respectively �i and �i. Notice that, by (27) andproposition 4.2, for every 1 < i � k, the �i and �i�1 are factorisations of the same complex marking of ,Mi = (Mi; Qi); moreover, we will denote by M1 = (M1; Q1) and Mk+1 = (Mk+1; Qk+1), the complexmarkings of whose factorisations are respectively �1 and �k.Our next observation is that since is a state machine, for every 1 � i � k, there is a uniquetransition vi 2 T which belongs to �ie [ �id [ �ix. Hence, each marking Mi, for 1 � i � k + 1, is suchthat jMij+ jQij = 1: (29)Moreover, for every 1 � i � k, there is a nonempty set of transitions Vi � T�vi such thatUi = f (vi; ��vi (t))�t j t 2 Vi g:The nonemptiness of Vi follows from Ui 6= ;. We �nally observe that, by Vi 6= ; and (26) and theT-restrictedness of boxes,81 � i � k : (vi 2 �ix ) �vi =2 Boxxdir) ^ (vi 2 �ie ) �vi =2 Boxedir): (30)Lemma 5.1. With the above notations, the following hold.(1) �v1 = � and �1v1 = �v1 .(2) For every 1 � i < k, we have either(a) vi = vi+1 and �ivi = �i+1vi+1 , or(b) v�i = �vi+1 and �ivi = �vi and �i+1vi+1 = �vi+1 .7(3) = (�) if and only if �kvk = �vk and v�k = �.Proof: (1) We have M(�1) = SPsnew where fsg = �. Hence, by lemma 3.11 and (29), M1 = (fsg; ;)and v1 2 �1e [ �1x. If v1 2 �1x then, by (30), �v1 =2 Boxxdir which, together with v�1 = fsg, yields acontradiction with (Beh5).8 Thus v1 2 �1e and �v1 = fsg = �.(2) We consider two cases.Case 1: vi 6= vi+1. Then �i+1 and �i are two di�erent factorisations of Mi+1. Hence, by (29), thereis s 2 S such that Mi+1 = (fsg; ;), which in turn means that vi 2 �ie [ �ix and vi+1 2 �i+1e [ �i+1x . Wenow consider four sub-cases.Case 1(i): vi 2 �ie and vi+1 2 �i+1e . Then, by (30), �vi =2 Boxedir . On the other hand, �vi = fsg = �vi+1,producing a contradiction with (Beh1).9Case 1(ii): vi 2 �ix and vi+1 2 �i+1x . Then, by (30), �vi+1 =2 Boxedir . 
On the other hand, v�i = fsg = v�i+1,producing a contradiction with (Beh2).10Case 1(iii): vi 2 �ie and vi+1 2 �i+1x . Then, by (30), �vi =2 Boxedir and �vi+1 =2 Boxxdir . On the otherhand, �vi = fsg = v�i+1, producing a contradiction with (Beh3).11Case 1(iv): vi 2 �ix and vi+1 2 �i+1e . Then v�i = fsg = �vi+1, and so (b) holds.Case 2: vi = vi+1(= v). If �iv = �i+1v then (a) holds, so we assume that �iv 6= �i+1v . Then �i+1 and�i are two di�erent factorisations of Mi+1. Hence, by (29), there is s 2 S such that Mi+1 = (fsg; ;),7 We do not exclude the possibility that vi = vi+1.8 Thus (Beh5) excludes the situation whereby, from the entry marking of the composed net, we can execute abehaviour originating from ��v1 which bears no relationship to any possible behaviour of (this intuitivelycorresponds to the backward reachability in , which is not allowed).9 Thus, with (Beh1), it is not possible to start the execution of �vi and later, without �nishing it, to enter �vi+1for a con icting vi+1 because the initial state of �vi was reached.10 (Beh2) prohibits to �nish the execution of �vi and afterwards to enter �vi+1 from the rear.11 (Beh3) excludes a situation, combining the previous two problems, where we start the execution of �vi+1 andlater, without �nishing it, come back to the initial state and (re)enter the (supposedly �nished) �vi from therear.


which in turn means that v 2 (�ie [ �ix) \ (�i+1e [ �i+1x ) and �v = fsg = v�. Since �iv 6= �i+1v we onlyneed to consider two sub-cases.Case 2(i): v 2 �ie \ �i+1x . Then, by (30), �v =2 Boxedir [ Boxxdir . On the other hand, �v = v�, producinga contradiction with (Beh3).Case 2(ii): v 2 �ix \ �i+1e . This and �v = v� means that (b) holds.(3) If = (�) then M(�k) = SPsnew where fsg = �. Hence, by lemma 3.11 and (29), Mk+1 =(fsg; ;) and vk 2 �ke [ �kx. If vk 2 �ke then, by (30), �vk =2 Boxedir which, together with �vk = fsg, yieldsa contradiction with (Beh4).12 Thus vk 2 �kx and v�k = fsg = �.The reverse implication follows directly from (11). utIt is always possible to partition (in a unique way) the sequence of steps V1 : : :Vk into the longestnonempty sub-sequences �1; : : : ; �l so that V1 : : :Vk = �1 : : :�l, and, for every i � l, if�i = VpVp+1 : : :Vqthen it is the case that vp = vp+1 = � � � = vq(= wi) and �jwi = �j+1wi , for every p � j < q. Finally,Theorem 5.2. With the above notations, the following hold.(1) For every i < l, �wi [�ii �wi , and �wl [�li �kvk.(2) If �kvk = �vk then M1 [fw1g : : :fwl�1gfwlgi Mk+1; otherwise M1 [fw1g : : :fwl�1gfwlg+i Mk+1.(3) � = (�) if and only if Mk+1 = �.Proof: Follows with lemma 5.1. utThis result shows that, as was claimed, the original sequence U1 : : :Uk can (even uniquely) be decom-posed into a behaviour of (i.e., the fw1g : : : in part (2) of the theorem), such that each wi { exceptpossibly the last one { corresponds to a full behaviour, �i, of �wi (cf. part (1) of the theorem). Part (3)of the theorem states that full behaviours of (�) and full behaviours of correspond to each other.6 A process algebra and its semanticsWe now introduce an algebra of process expressions, called the box algebra, which is based on the classof operator boxes de�ned in the previous section. 
The box algebra is in fact a meta-model parameterised by two non-empty, possibly infinite, sets of Petri nets: a set ConstBox of static and dynamic plain boxes providing a denotational semantics of simple process expressions, and a disjoint set OpBox of operator boxes providing interpretation for the connectives.

The only assumption made about the operator boxes in OpBox and the static boxes in ConstBox is that they have disjoint sets of simple root-only trees as their place and transition names, i.e., for all distinct static and/or operator boxes � and � in OpBox ∪ ConstBox,

S� ∪ T� � Proot ∪ Troot and S� ∩ S� = T� ∩ T� = ∅. (31)

The above will be useful in defining a global independence relation on transitions in nets associated with process expressions. We do not require that the boxes in OpBox and ConstBox be finite.

Signature

We consider an algebra of process expressions over the signature

Const ∪ { (.), (.) } ∪ { op | ∈ OpBox } (32)

where Const is a fixed non-empty set of constants which will be modelled through the boxes in ConstBox, (.) and (.) are two unary operators, and each op is a connective of the algebra indexed by an operator box taken from the set OpBox.13 The set of constants is partitioned into the static constants, Consts, and dynamic constants, Constd; moreover, there are two distinct disjoint subsets of Constd, denoted by Conste and Constx, and respectively called the entry and exit constants. We also identify three further, not necessarily disjoint subsets of Const, namely: Constxcl , Constedir and Constxdir , called the ex-exclusive, e-directed and x-directed constants, respectively.

12 (Beh4) excludes the situation where we reach the exit marking, start the execution of �vi and return to the exit marking without finishing �vi , so that a completed history is not composed out of completed histories of the components corresponding to a completed history of .

Although we use the symbols (.) and (.) to denote both operations on boxes and process algebra connectives, it will always be clear from the context what is the intended interpretation.

Syntax

There are four classes of process expressions corresponding to previously introduced classes of plain boxes: the entry, dynamic, exit and static expressions, denoted respectively by Expre, Exprd, Exprx and Exprs. Collectively, we will refer to them as the box expressions, Exprbox . We will also use a counterpart of the notion of the factorisation of a tuple of boxes. For an operator box and an -tuple of box expressions D, we define the factorisation of D to be the quadruple � = (�e, �d, �x, �s) such that �� = {v | Dv ∈ Expr�}, for � ∈ {e, x, s}, and �d = {v | Dv ∈ Exprd \ (Expre ∪ Exprx)}. The syntax for the box expressions Exprbox is given by:

Exprs E ::= cs | op(E)
Expre F ::= ce | op(F) | E
Exprx G ::= cx | op(G) | E
Exprd H ::= cd | op(H) | F | G (33)

where c� ∈ Const� , for � ∈ {e, x, s}, and cd ∈ Constd \ (Conste ∪ Constx) are constants; ∈ OpBox is an operator box; and E, F, G and H are -tuples14 of box expressions.
These tuples have to satisfysome conditions determined by the domain of application of the net operator induced by , and so thefactorisations of E, F and G are respectively factorisations of the complex empty, entry and exit markingof , and the factorisation of H is a factorisation of a marking reachable from the entry or exit markingof di�erent from � and �.The above syntax only re ects the �rst part of the de�nition of the domain of an operator box, dom,which stipulates that an {tuple of boxes should have a factorisation belonging to fact. The remainingtwo conditions, (Dom1) and (Dom2), are not captured and their treatment will be given separately below.There are two reasons why we decided to proceed in this way. The �rst is that in many cases (Dom1) and(Dom2) are already satis�ed because of the speci�c properties of the operator boxes which parameterisethe box algebra;15 in particular, this is true of the extended PBC syntax de�ned in [7]. And, in all suchcases, (33) will be exactly what is needed. The second reason is that introducing (Dom1) and (Dom2)through a BNF-like notation would involve a signi�cant number of syntactic classes. We will insteadintroduce them through explicit conditions imposed on expressions satisfying the syntax (33).Syntactic restrictions resulting from (Dom1) and (Dom2) We need to de�ne syntactic counterparts ofex-exclusive, e-directed and x-directed boxes.Let Exprwf , Exprxcl , Expredir and Exprxdir be the largest sets of expressions in Exprbox { called respec-tively the well formed, ex-exclusive, e-directed and x-directed box expressions { such that the followinghold:- All ex-exclusive, e-directed and x-directed expressions are well formed. 
(Expr1)- If op(D) 2 Exprwf then, for every v 2 T:(i) Dv 2 Exprwf(ii) if �v \ v� 6= ; then Dv 2 Exprxcl13 The number of transitions in a �nite operator box is often called the arity of the operator it de�nes.14 We allow operators with in�nitely many transitions, which may lead to a notational problem to specify such{tuples explicitly when expressions are viewed as strings. This problem may be solved by viewing expressionsas (syntax) trees rather than strings, and we will show how these can be de�ned.15 More precisely, if all the operators are pure and have all transitions reversible.


(iii) if v is not reversible then Dv 2 Exprxdir . (Expr2)- If op(D) 2 Exprxcl then is ex-exclusive and, for every v 2 T satisfying�v \ � 6= ; 6= v� \� or v� \ � 6= ; 6= �v \�;it is the case that Dv 2 Exprxcl . (Expr3)- If op(D) 2 Expredir then is e-directed and, for every v 2 (�)�, Dv 2 Expredir . (Expr4)- If op(D) 2 Exprxdir then is x-directed and, for every v 2 �(�), Dv 2 Exprxdir . (Expr5)- If E 2 Expr� or E 2 Expr� then E 2 Expr�, for � 2 fwf ; xcl ; edir ; xdirg. (Expr6)- Const � Exprwf and Const� = Const \ Expr�, for � 2 fxcl ; edir ; xdirg. (Expr7)In the above, (Expr2)(ii) and (Expr2)(iii) encode (Dom1) and (Dom2), respectively; (Expr3) encodestheorem 4.7; and (Expr4-5) encode proposition 3.2. Moreover, (Expr6-7) serve as a means for syntacticinduction.If all the operator boxes in OpBox are pure and have only reversible transitions, then (Expr2)(ii) and(Expr2)(iii) are vacuously satis�ed and thus Exprwf is the entire set of box expressions de�ned by thesyntax (33), i.e., Exprwf = Exprbox . It is interesting to observe that this is the case for the extended PBCsyntax de�ned in [7], as well as to the DIY algebra introduced in the next section.Though the above de�nition of Exprwf , Exprxcl , Expredir and Exprxdir is not syntactic, one can modify(33) in such a way that all these classes of expressions are properly captured; such a full syntax wouldhave 24 di�erent classes of expressions.Notice that the assumption that Expr� , for � 2 fwf ; xcl ; edir ; xdirg, are the largest sets satisfying(Expr1){(Expr7) means that, for example, if E is a well formed static expression then E is a well formedentry expression (see [7]).6.1 A running example: the DIY algebraWe will continue to use the running example based on the boxes depicted in �gure 4, in order to constructa simple algebra of process expressions. 
More precisely, we will consider the Do It Yourself (DIY) algebrabased on the following two sets of boxes:OpBox = f0g and ConstBox = f�1; �11; �12g [ f�2; �21; �22; �23g [ f�3gwhere b�ijc = �i = b�vic, for all i and j, and the following hold:M�11 = fq11; q14g and M�12 = fq13; q12g and M�2k = fq2kg (for k = 1; 2; 3):The constants of the DIY algebra correspond to the boxes in ConstBox:Conste = fc21g Consts = fc1; c2; c3gConstx = fc23g Constd = fc11; c12; c21; c22; c23g:Moreover, Const = Constxcl = Constedir = Constxdir .The syntax of the DIY algebra is obtained by instantiating (33) with concrete constants and operatorintroduced above. After taking into account the factorisations in fact0 (see (5)), we obtain:Exprs E ::= op0(E;E;E) ��� c1 ��� c2 ��� c3Expre F ::= op0(F; F;E) ��� c21 ��� EExprx G ::= op0(E;E;G) ��� c23 ��� EExprd H ::= op0(F; eH;E) ��� op0( eH;F;E) ��� c11 ���op0(F;G;E) ��� op0(G;F;E) ��� c12 ���op0(G; eH;E) ��� op0( eH;G;E) ��� c22 ���op0( eH; eH;E) ��� op0(G;G;E) ��� F ���op0(E;E; F ) ��� op0(E;E; eH) ��� G


where eH stands for an arbitrary expression in Exprdn(Expre [ Exprx). For instance, the �rst syntacticclause in the line starting with F comes about because (fv1; v2g; ;; ;; fv3g) factorises the entry marking(fs1; s2g; ;) of 0. Using the syntax we can see, for example, that op0(c1; c22; c3) is a valid dynamicexpression of the DIY algebra. As we shall see, it corresponds to the net re�nement 0(�) of �gure 4discussed extensively earlier on.The syntax for Exprd can be simpli�ed. For example, we can replace op0(E;E; F ) and op0(E;E; eH)by op0(E;E;H) since op0(E;E;G) is part of the syntax for G, and G itself occurs in the syntax forExprd. This and other similar observations lead to:Exprd H ::= c11 ��� c12 ��� c22 ��� F ��� G ��� op0(H;H;E) ��� op0(E;E;H):In fact, the syntax (33) can always be presented so that Exprd does not refer to eH.6.2 In�nite operatorsIn the case that each operator box in OpBox has �nitely many transitions, the meaning of the syntax(33) is clear; it simply de�nes four sets of �nite strings, or terms. In the general case, however, we needto take in account 's with in�nite transition sets (possibly uncountable, as allowed by the generalisedparallel and choice composition), and one should ask what is meant by the syntax (33) and the expressionsit generates. A possible answer is that expressions can, in general, be seen as trees and the syntaxde�nition above as a de�nition of four sets of such trees, in the following way.We will de�ne such trees not just for the syntax (33), but even for a more general set of processexpressions over the signature (32), denoted by Expr and referred to simply as expressions. They arede�ned by: C ::= c ��� C ��� C ��� op(C) (34)where c 2 Const is a constant, and C is an {tuple of expressions, for 2 OpBox. For instance, thisallows one to write expressions such as �, (�) and �; �. Clearly, Exprbox de�nes a subset of Expr. 
(34) is used because we shall need a richer set of expressions later on, in the definition of a similarity relation on process expressions and their operational semantics.

To give meaning to expressions defined by this syntax, we consider the set ExprTrees of all finite and infinite labelled trees � , satisfying the following.

- Each node of � is labelled by an element of the signature (32); moreover, each x ∈ Const is identified with a single node tree in ExprTrees whose only node is labelled by x.
- If a node � is labelled by a constant then � is a leaf.
- If a node � is labelled by (.) or (.), then � has exactly one child node to which it is connected by an unlabelled arc.
- If a node � is labelled by op , for some ∈ OpBox, then its child nodes are {�v | v ∈ T} and each �v is connected to � by an arc labelled by v.

Then (.), (.) and op(.) can be seen as mappings yielding trees in ExprTrees. For example,

(.) : ExprTrees → ExprTrees

is given by C = (.) � C. The domain (2^ExprTrees, �) forms a complete lattice, with the set intersection as the `meet' operation, and the set union as the `join' operation. Consider now the syntax (34). It can be seen as defining a mapping

expr : 2^ExprTrees → 2^ExprTrees

such that, for every T � ExprTrees,

expr(T ) = Const ∪ T ∪ T ∪ T ∪ ⋃ ∈OpBox { op(C) | C is -tuple with values in Const ∪ T }.


Clearly, expr is monotonic, hence it has a unique least �xpoint, denoted by Expr. Moreover, thereis a (possibly trans�nite) ordinal � such that Expr = expr�(;), where for every ordinal � � � andT � ExprTrees, expr�(T ) = (T if � = 0expr (S <� expr (T )) if � > 0:The above implies, in particular, that no tree in Expr has an in�nite path from the root. It is then possibleto associate with each expression C in Expr its rank, denoted by rank(C), which is the smallest ordinal �such that C 2 expr�(;). It follows that the rank of all constants is 1, rank(C) = rank(C) = 1+rank(C), andrank(op(C)) is the least ordinal � such that rank(Cv) < �, for every v 2 T . The principle of trans�niteinduction means that we may use induction based on the rank of expressions. Such an inductive argumentreduces to the standard induction on the depth of an expression if all the operator boxes in OpBox have�nitely many transitions since then the rank of every expression is a natural number (a �nite ordinal).The meaning of the syntax (33) can now be explained thus. Consider its �rst line, i.e., the syntacticde�nition of a static expression. What it de�nes is the minimal set Exprs of expressions E 2 Expr suchthat E is either a static constant or E = op(E) where E � Exprs. By the trans�nite induction argument,such a set exists and is unique. The de�nitions of Expre, Exprx and Exprd follow the same pattern.Properties One can show, by induction on the rank of expressions, that each subexpression16 of anexpression in Expr�, for � 2 fbox ; s;wf g, is also an expression in Expr� . 
Moreover, it follows directly fromthe syntax (33) andConsts \ Constd = Conste \ Constx = ; and Conste [ Constx � Constdthat Expre and Exprx are disjoint subsets of Exprd; and that the static and dynamic expressions aredisjoint sets, i.e.,Exprs \ Exprd = Expre \ Exprx = ; and Expre [ Exprx � Exprd: (35)These can be compared to similar relationships in the domain of boxes:Boxs \ Boxd = Boxe \ Boxx = ; and Boxe [ Boxx � Boxd: (36)Notice that (35) implies that the factorisation of an {tuple of box expressions is always a partition ofthe set T of transitions of .As in the domain of boxes and PBC expressions, it is convenient to have a notation for turning anexpression in Expr into a corresponding static one. We again use b:c to denote such an operation. Toachieve the desired e�ect, we assume that: (i) for each dynamic constant c there is a unique static constantbcc satisfying c 2 Const� () bcc 2 Const� , for � 2 fxcl ; edir ; xdirg; and (ii) if C is an expression, thenbCc is the static expression obtained by removing all occurrences of (:) and (:), and replacing everyoccurrence of each dynamic constant c by the corresponding static constant bcc. Formally,b:c : Expr! Expris a mapping de�ned by induction on the rank of expressions thus. If rank(C) = 1 then bCc = bccfor C = c 2 Constd, and bCc = C otherwise. Moreover, for expressions with ranks higher than 1,bCc = bCc = bCc and bop(C)c = op(bCc).The operators (:), (:) and b:c can be applied in the usual way (i.e., elementwise) to sets as well as tuplesof expressions. The same will be true of the semantical mapping box de�ned in the next section, and thenalso of the structural similarity relation �. In what follows, the expressions in Const [ Consts [ Consts,i.e., those not involving any connective op, will be called at. 
Notice that all flat expressions are well formed box expressions.

Example

In the DIY algebra, op0(c1, c2, op0(c1, c2, c3)) is a well formed exit expression with rank 3. Moreover, we set ⌊cij⌋ = ci, for every dynamic constant cij . Thus, for example, ⌊op0(c1, c22, c3)⌋ = op0(c1, c2, c3).

16 Where, in general, a subexpression is a subtree of a tree in ExprTrees.
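The rank, the bar-removing ⌊.⌋ operation and the four syntactic classes of the DIY algebra can be made concrete as an expression-tree sketch. This is an added example, not code from the paper: the node names `Over`/`Under` (for the over- and underbar), `floor_expr` and `classify` are assumptions, the sample expressions in the test are constructed, and `classify` follows the DIY grammar with the simplified Exprd clause.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Constants of the DIY algebra, as listed in section 6.1.
STATIC = {"c1", "c2", "c3"}
DYNAMIC = {"c11", "c12", "c21", "c22", "c23"}
ENTRY = {"c21"}
EXIT = {"c23"}


@dataclass(frozen=True)
class Const:
    name: str


@dataclass(frozen=True)
class Over:  # overbar applied to an expression (hypothetical node name)
    arg: "Expr"


@dataclass(frozen=True)
class Under:  # underbar applied to an expression (hypothetical node name)
    arg: "Expr"


@dataclass(frozen=True)
class Op0:  # the single ternary connective op0 of the DIY algebra
    args: Tuple["Expr", "Expr", "Expr"]


Expr = Union[Const, Over, Under, Op0]


def rank(e: Expr) -> int:
    """Rank for finitely branching trees: constants have rank 1, a bar adds 1,
    and op0 gets the least number strictly above the ranks of its arguments."""
    if isinstance(e, Const):
        return 1
    if isinstance(e, (Over, Under)):
        return 1 + rank(e.arg)
    return 1 + max(rank(a) for a in e.args)


def floor_expr(e: Expr) -> Expr:
    """Remove all bars and replace each dynamic constant cij by ci."""
    if isinstance(e, Const):
        return Const(e.name[:2]) if e.name in DYNAMIC else e
    if isinstance(e, (Over, Under)):
        return floor_expr(e.arg)
    return Op0(tuple(floor_expr(a) for a in e.args))


def classify(e: Expr) -> Optional[str]:
    """Most specific class: 's' static, 'e' entry, 'x' exit, 'd' dynamic but
    neither entry nor exit, None if the DIY syntax does not generate e."""
    if isinstance(e, Const):
        if e.name in STATIC:
            return "s"
        if e.name in ENTRY:
            return "e"
        if e.name in EXIT:
            return "x"
        return "d" if e.name in DYNAMIC else None
    if isinstance(e, Over):   # a bar may only be put on a static expression
        return "e" if classify(e.arg) == "s" else None
    if isinstance(e, Under):
        return "x" if classify(e.arg) == "s" else None
    k1, k2, k3 = (classify(a) for a in e.args)
    if None in (k1, k2, k3):
        return None
    dyn = {"e", "x", "d"}
    if (k1, k2, k3) == ("s", "s", "s"):          # op0(E, E, E)
        return "s"
    if k3 == "s" and k1 in dyn and k2 in dyn:    # op0(F, F, E) or op0(H, H, E)
        return "e" if (k1, k2) == ("e", "e") else "d"
    if (k1, k2) == ("s", "s") and k3 in dyn:     # op0(E, E, G) or op0(E, E, H)
        return "x" if k3 == "x" else "d"
    return None                                   # e.g. op0(F, E, E)
```

A tuple that mixes a static and a dynamic expression in the first two positions is rejected, because no factorisation in the DIY grammar has that shape.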

Page 30: Semantic Scholar...The Bo x Algebra = P etri Nets + Pro cess Expressions Eik e Best 1, Ra ymond Devillers 2 and Maciej Koutn y 3 1 F ac h b. Inf., Carl v on Ossietzky Univ ersit at,

7 Denotational semantics of box expressionsWhen dealing with the denotational semantics of the box algebra we will �rst de�ne the semantics ofconstants, and then of compound box expressions. The semantics is given in the form of a mapping fromwell formed box expressions to boxes, box : Exprwf ! Box, de�ned by induction on the rank of boxexpressions.Constants Constant expressions are mapped onto constant boxes of corresponding types, i.e., for everyconstant c and � 2 fe; d ; x ; s; xcl ; edir ; xdirg,c 2 Const� () box(c) 2 Box� \ ConstBox: (37)We also make some additional assumptions which are not an inherent part of the de�nition of thedenotational semantics. Their role is to ensure a consistency between the box semantics of dynamicconstants and the corresponding static constants, as well as to guarantee that there is enough constantsto model internal states of evolving static or dynamic constants.Formally, it assumed that, for every dynamic constant, the underlying box is the same as that for thecorresponding static constant, and that it is reachable from the entry or exit marking of the latter; i.e.,for every c in Constd,jbox(c)k = box�bcc� and box(c) 2 hbox(bcc)E [ hbox(bcc)E : (38)Moreover, for every non-entry and non-exit dynamic box reachable from an initially or terminally markedconstant box, there is a corresponding dynamic constant, i.e., for every c in Consts,� hbox(c)E [ hbox(c)E � n nbox(c); box(c)o � box�Constd�: (39)Notice that for every entry or exit constant c, it is the case that box(c) = bbox(c)c or box(c) = bbox(c)c,respectively.Compound expressions The de�nition of the semantical mapping box is completed by considering all theremaining static and dynamic well formed expressions, following the syntax (33). 
The box mapping is ahomomorphism; hence, for every static or dynamic expression op(D) and every static expression E,box(op(D)) = (box(D))box(E) = box(E)box(E) = box(E): (40)The above formulae are well formed since the ranks of the expressions appearing on the right hand sidesof the equality sign have strictly smaller ranks than the corresponding expressions on the left hand sides.Example In the case of the DIY algebra, we de�ne the box mapping by setting, for every static constantci, box(ci) = �i, and for every dynamic constant cij, box(cij) = �ij. Other than that, we follow thegeneral de�nitions. Thus, for example, the box in �gure 4 can be derived in the following way:box�op0(c1; c22; c3)� = (by line 1 of (40))0�box(c1); box(c22); box(c3)�= (by line 2 of (40) and def. of constants)0�box(c1); �22; �3�= (by def. of constants)0��1; �22; �3�= (by def. of the �vi 's)0��v1 ; �v2 ; �v3�= (by def. of �, cf. �gure 4)0���:Properties The semantical mapping always returns a box. Moreover, the assumed type consistencybetween constants and their denotations, (37), carries over to the remaining box expressions. Essentially,this means we have been able to capture syntactically the property of being a static, dynamic, entry orexit box.


Theorem 7.1. Let D be a well formed box expression.(1) box(D) is a static or dynamic box.(2) For every � 2 fe; d ; x ; sg, D 2 Expr� if and only if box(D) 2 Box�.(3) For every � 2 fxcl ; edir ; xdirg, if D 2 Expr� then box(D) 2 Box�.Proof: The proof will proceed by induction on the rank of D. Using (Expr2,6), one can see that D 2Exprwf implies that all subexpressions of D are well formed.The base step corresponds to D being a constant. Then (1,2,3) follow directly from (35), (36), (37)and (Expr7). In the inductive step, we consider three cases.Case 1: D = E, for some static expression E. Then, by (33) and (35), D 2 Expre � Exprd and D 62Exprx [ Exprs. Moreover, by the induction hypothesis and (40), box(D) = box(E) 2 Boxs = Boxe � Boxdand, by (36), box(D) 62 Boxx [ Boxs. Thus (1) and (2) are satis�ed. Moreover, (3) also is satis�ed, bybox(E) = bbox(D)c, (Expr6) (which implies that E 2 Expr�) and the induction hypothesis. Hence theresult holds in this case.Case 2: D = E, for some static expression E. Then we proceed similarly as in Case 1.Case 3: D = op(D). Let � be the factorisation of D. By the induction hypothesis, for every v 2 T,box(Dv) is a static or dynamic box; moreover, for all � 2 fe; d ; x ; sg and v 2 ��,box(Dv) � Box� (41)which means that � is also the factorisation of box(D). Furthermore, by (Expr2) and the inductionhypothesis, box(D) is an {tuple satisfying (Dom1) and (Dom2). This and � 2 fact means thatbox(D) 2 dom and so, by (40), well formedness and theorem 4.5, we obtain that box(D) is a static ordynamic box. We then consider subcases depending on the type of marking of whose factorisation is�. If � is the factorisation of the empty marking then �e = �d = �x = ;. Thus D 2 Exprs and, by(41) and (40) and (11), box(D) 2 Boxs. Moreover, by (35) and (36), D 62 Expr� and box(D) 62 Box� , for� 2 fe; d; xg. 
Hence (1) and (2) are satisfied.

If � is a factorisation of � then, by (33) and (35), D 2 Expre � Exprd and D 62 Exprx [ Exprs. Moreover, by proposition 2.2(4), ��e [��x = � and �d = ;. Hence, by (11) and (40) and (41), box(D) 2 Boxe � Boxd. The latter and (36) further implies box(D) 62 Boxx [Boxs. Hence (1) and (2) are satisfied.

If � is a factorisation of �, we proceed in a similar way.

If � is a factorisation of a complex marking reachable from � or �, but different from � and �, then, by (33) and (35), D 2 Exprdn(Expre [ Exprx) and D 62 Exprs. Clearly, by (40) and (41), box(D) 62 Boxs. Suppose box(D) 2 Boxe [ Boxx. Then, by (40) and (41) and lemma 3.11, � � ��e [ ��x or � � ��e [ ��x. Hence, by proposition 2.2(4), � is a factorisation of � or �, a contradiction. Thus box(D) 2 Boxdn(Boxe [ Boxx), and so (1) and (2) are satisfied.

We have shown that (1) and (2) are satisfied. We then observe that (3) follows from (Expr3)-(Expr5), the induction hypothesis, box(D) = (box(D)), theorem 4.7 and proposition 3.2. □

The semantic translation commutes with removing of the over- and underbars and replacing dynamic constants by static ones. Moreover, in a box generated from an expression, either all transitions are single-node trees, or none is.

Proposition 7.2. Let D be a dynamic and E static well formed box expression.
(1) bbox(D)c = box(bDc).
(2) Exactly one of the following holds:
(a) Tbox(E) � Troot and E 2 Consts.
(b) Tbox(E) \ Troot = ; and E = op(E), for some and E.

Proof: The first part follows from proposition 3.3, (38) and by a straightforward induction on the rank of D. The second part follows from (31) and (37). □


8 Operational semantics of box expressions

In this section, we will introduce two kinds of structured operational semantics for box expressions, based respectively on the transitions of the corresponding boxes, and the actions labelling these transitions.

8.1 Structural similarity relation on expressions

We first define a structural similarity relation on box expressions, �. It identifies expressions which can be shown denotationally equal by purely syntactic means. The way in which it will be defined resembles to some extent the definition of the similarity relation for (tuples of) boxes. This should not be too surprising since the denotational semantics of the box algebra is essentially derived from the algebra of boxes presented earlier on.

The reason why we introduced, in (34), a larger set of expressions than it was necessary to define the domain of box expressions is that the rules of the structural equivalence (and, later, operational semantics) should act as term rewriting rules. That is, whenever a (well formed) box expression can match one side of such a rule, then it should be guaranteed that the other side is a (well formed) box expression too. To be able to express and prove such a property we need to allow for more general expressions, such as �, (�) and �; �.

In the definition of the structural similarity on box expressions, we need to take into account possible factorisations of the operator boxes (since the relation we are going to define can be seen as a counterpart of the similarity relations � on -tuples of boxes). Formally, we define � to be the least binary relation on expressions in Expr such that (42)-(49) below hold.

Reflexivity, symmetry and transitivity For all expressions D, H and J ,

                 D � H            D � J ; J � H
  D � D        ---------        ----------------        (42)
                 H � D               D � H

Flat expressions For all flat expressions D and H satisfying box(D) = box(H),

D � H (43)

Entry expressions For every operator box in OpBox and every factorisation � of �,

op(D) � op(H) (44)

where D and H are -tuples of expressions^17 such that, for every v 2 T: Dv = Hv if v 2 �e; Dv = Hv if v 2 �x; and Dv = Hv otherwise.

Exit expressions For every operator box in OpBox and every factorisation � of �,

op(D) � op(H) (45)

where D and H are as in (44).

Equivalent factorisations For every operator box in OpBox, for every complex marking reachable from the entry or exit marking of and different from � and �, and for every pair of different factorisations � and � of that marking,

op(D) � op(H) (46)

where D and H are -tuples of expressions for which there is an -tuple of expressions C such that, for every v 2 T,

Dv = Cv if v 2 �e
     Cv if v 2 �x
     Cv otherwise
and
Hv = Cv if v 2 �e
     Cv if v 2 �x
     Cv otherwise. (47)

17 Notice that here and later it is not required that D and H be -tuples of box expressions.


Substitutivity For all expressions D and H,

    D � H            D � H
  ---------        ---------        (48)
    D � H            D � H

and, for every operator box in OpBox,

       D � H
  ----------------        (49)
  op(D) � op(H)

where D and H are -tuples of expressions.

Infinite operators As it was the case for the syntax of the box algebra, the meaning of the similarity relation � is clear if we only consider operator boxes OpBox with finite transition sets. However, since we also allow infinite operator boxes, some explanations are needed to clarify what is meant by `the least binary relation on expressions such that (42)-(49) hold'. We start by observing that the domain (2Expr�Expr;�) forms a complete lattice, with component-wise set intersection as the `meet' operation, and component-wise set union as the `join' operation, and that the rules (42)-(49) define a monotonic mapping

sim : 2Expr�Expr ! 2Expr�Expr

where sim(E) is E together with all pairs in Expr � Expr which can be derived from the pairs in E using a single application of any of the rules (42)-(49).

By following the same line of reasoning as before, we conclude that sim has a unique least fixpoint, denoted by �, and equal to sim�0(;), for some ordinal �0 (such that sim�0(;) = sim�(;), for any � � �0). And, as before, we can define the rank of a pair (D;H) belonging to �, denoted by rank(D;H), as the least ordinal � such that (D;H) 2 sim�(;). It follows from the principle of transfinite induction that we can apply induction on the rank of elements of � which reduces to the standard induction if all operator boxes in OpBox have finite transition sets.

The tuple C used in the formulation of (46) intuitively corresponds to the common (and thus unchanging) part of the tuples D and H.
For example, in the DIY algebra, since (fv3g; ;; ;; fv1; v2g) and (;; ;; fv1; v2g; fv3g) are factorisations of the same marking reachable from �0, we shall have

op0(c1; c2; c3) � op0(c1; c2; c3) and op0(c1; c2; c3) � op0((c1); (c2); c3):

Properties By a straightforward application of (transfinite) induction on the rank of expressions in Expr, one can see that � is an equivalence relation, and if E and F are structurally equivalent static expressions, then no derivation for E � F can use the rules (44), (45), (46) and (48). Moreover, the structural similarity relation is closed in the domain of box expressions and preserves their types.

Theorem 8.1. Let D and H be expressions such that D � H. Then D 2 Expr� if and only if H 2 Expr�, for every � 2 fe; d ; x ; s;wf ; xcl ; edir ; xdirg.

Proof: The proof proceeds by induction on rank(D;H). In the base step, D � H is directly derived from the first part of (42) or one of (43)-(46). If D = H then there is nothing to prove; and for (43) the result follows from (37) and (Expr7). We will now show that the result holds if D � H has been derived directly from (44) or (46) (the proof for (45) is similar to that for (44)).

Suppose that D = op(D) and H = op(H) are as in (44). If D is a box expression then, by the syntax (33), D is an -tuple of box expressions such that the factorisation � of D belongs to fact. Moreover, we have �e � �e and �x � �x, and so � = ��e [ ��x � ��e [ ��x. Hence, by proposition 2.2(5), we have � = �, �d = ;, H is a tuple of static expressions, and D is an entry expression. Thus, by H � Exprs, H is also an entry expression. Conversely, if H is a box expression then H must be an entry expression and, as before, H must be a tuple of static expressions. Thus D is also an entry expression.
The part of the result for � 2 fwf ; xcl ; edir ; xdirg follows from (Expr2)-(Expr6) and Dv 2 fHv; Hv;Hvg, for every v 2 T, and the fact that the Expr�'s (for � 2 fwf ; xcl ; edir ; xdirg) are the largest sets satisfying (Expr1)-(Expr7).

Suppose that D = op(D) and H = op(H) are as in (46). Assume that D is a box expression (if H is a box expression, the argument is symmetric). Let � be the factorisation of D. By (47), since D is a box expression and D�e = C�e and D�x = C�x , we have that C is an -tuple of box expressions, �e � �e, �x � �x, C�e [ C�x � Exprs, D�e � Exprs and D�x � Exprs. We now observe that H is a tuple of box expressions. Indeed, suppose that Hv is not a box expression. Then, by (47) and C being a tuple of box expressions, v 2 �e [ �x. Thus, by C�e [ C�x � Exprs, it must be the case that v 2 �d. On the other hand, since � and � are factorisations of the same marking, we have (��e [ ��x) \ (�v [ v�) 6= ;. But this contradicts 2.2(4). Thus, H is a tuple of box expressions whose factorisation, given by

 = � (�en�e) [ �e ; �d ; (�xn�x) [ �x ; �s [ (�en�e) [ (�xn�x) �;

is a factorisation of the same marking as �. Hence H = op(H) is a box expression and D 2 Expr� if and only if H 2 Expr�, for every � 2 fe; d ; x ; sg. The part of the result for � 2 fwf ; xcl ; edir ; xdirg follows from (Expr2)-(Expr6) and Dv;Hv 2 fCv; Cv; Cvg, for every v 2 T, and the fact that the Expr� 's (for � 2 fwf ; xcl ; edir ; xdirg) are the largest sets satisfying (Expr1)-(Expr7).

In the inductive step, we consider four cases.

Case 1: H � D and rank(H;D) < rank(D;H). Then, by the induction hypothesis, the result holds for H � D. Clearly, it then also holds for D � H.

Case 2: There is J such that D � J , J � H, and maxfrank(H; J); rank(J;H)g < rank(D;H). Then, by the induction hypothesis, the result holds for both D � J and J � H. Clearly, it then also holds for D � H.

Case 3: D = D0, H = H0, D0 � H0, and rank(D0;H0) < rank(D;H). Suppose D is a box expression (if H is a box expression, the argument is symmetric). Then D0 is a static expression. Hence, by the induction hypothesis, H0 is also a static expression. Thus D;H 2 Expre.

If D = D0 and H = H0 the proof is similar.

Case 4: D = op(D), H = op(H), D � H and, for every v 2 T , rank(Dv;Hv) < rank(D;H). Suppose D is a box expression (if H is a box expression, the argument is symmetric).
Then D is an -tuple of box expressions and, by the induction hypothesis, H is an -tuple of box expressions with the same factorisation as D. Hence H is a box expression and D 2 Expr� if and only if H 2 Expr�, for every � 2 fe; d ; x ; sg.

Finally, we observe for the Cases 1-4, that the part of the result for � 2 fwf ; xcl ; edir ; xdirg follows from (Expr2)-(Expr5), the induction hypothesis and the fact that the Expr�'s (for � 2 fwf ; xcl ; edir ; xdirg) are the largest sets satisfying (Expr1)-(Expr7). □

Corollary 8.2. If op(D) and op(H) are well formed box expressions satisfying the conditions in the rule for equivalent factorisations, (46), extended to factorisations of � and �,^18 then box(D) � box(H).

18 I.e., we here allow � and � to be factorisations of the entry or exit marking of .

Proof: An inspection of the proof of theorem 8.1 reveals that the factorisations of D and H are factorisations of the same marking of . Thus, by theorem 7.1, the factorisations of box(D) and box(H) are factorisations of the same marking of . Moreover, by proposition 7.2(1) and bDc = bHc, we have bbox(D)c = bbox(H)c. Hence box(D) � box(H). □

We now will show that � is a sound equivalence notion from the point of view of the denotational semantics. This central property of the structural similarity relation is preceded by two auxiliary lemmata.

Lemma 8.3. If D is an entry or exit expression then D � bDc or D � bDc, respectively.

Proof: We proceed by induction on rank(D). In the base step, D is a dynamic constant, and D � bDc or D � bDc follows from (37), (38) and (43). In the inductive step we consider four cases.

Case 1: D = E and E is a static expression. Then E = bDc and D = E = bDc � bDc since � is reflexive.

Case 2: D = E and E is a static expression. We then proceed similarly as in Case 1.

Case 3: D = op(D) and the factorisation � of the -tuple of box expressions D is a factorisation of the entry marking of and for each v 2 T, rank(Dv) < rank(D). By the induction hypothesis and (49), we have op(D) � op(H) where, for every v 2 T,

Hv = bDvc if v 2 �e
     bDvc if v 2 �x
     bDvc otherwise.

Notice that bDvc = Dv for v 62 �e[�x since �d = ; as � is a factorisation of �. We may now apply (44) to conclude that op(H) � op(bDc) which, together with proposition 7.2(1) and (42), yields D � bDc.

Case 4: D = op(D) and the factorisation of the -tuple of box expressions D is a factorisation of the exit marking of . We then proceed similarly as in Case 3. □

Lemma 8.4. Let D and H be well formed static expressions such that box(D) and box(H) have the same sets of places. Then D � H.

Proof: We proceed by induction on maxfrank(D); rank(H)g. In the base step, D and H are static constants and so, by (31) and the fact that box(D) and box(H) share at least one place, we have box(D) = box(H). Hence, by (43), D � H. In the inductive step, we have D = op(D) and H = op(H). From S(box(D)) = S(box(H)) and the definition of net refinement, it follows that Sbox(Dv) = Sbox(Hv), for every v 2 T . Hence, by the induction hypothesis, Dv � Hv. Thus D � H, and so D � H holds by (49). □

Theorem 8.5. Let D and H be well formed box expressions. Then D � H if and only if box(D) = box(H).

Proof: (⟹) The proof proceeds by induction on rank(D;H). In the base step we consider five cases.

Case 1: D = H, or D and H are flat expressions and box(D) = box(H). This case is trivial.

Case 2: D = op(D) and H = op(H) where op(D) and op(H) are as in (44). Then H is an entry expression so, by theorem 8.1, D is also an entry expression. Moreover, by proposition 7.2(1) and bDc = bHc, bbox(D)c = box(bDc) = box(bHc) = bbox(H)c. Hence box(D) = box(H) = box(op(H)).

Case 3: D = op(D) and H = op(H) where op(D) and op(H) are as in (45). Then we proceed similarly as in Case 2.

Case 4: D = op(D) and H = op(H) where op(D) and op(H) are as in (46). Then, by corollary 8.2, box(D) � box(H) which, by proposition 4.2, means that box(D) = box(H).

In the inductive step, we consider four cases.

Case 1: H � D and rank(H;D) < rank(D;H).
Then, by the induction hypothesis, box(H) = box(D).

Case 2: There is J such that D � J and J � H and maxfrank(D; J); rank(J;H)g < rank(D;H). Then, by the induction hypothesis, box(D) = box(J) = box(H).

Case 3: D = D0 and H = H0 and D0 � H0 and rank(D0;H0) < rank(D;H). (If D = D0 and H = H0 the proof is similar.) Then, by the induction hypothesis, box(D0) = box(H0). Hence box(D) = box(D0) = box(H0) = box(H).

Case 4: D = op(D), H = op(H), D � H, and, for every v 2 T , rank(Dv;Hv) < rank(D;H). Then, by the induction hypothesis, box(D) = box(H). Hence, by (40), box(D) = box(op(D)) = box(op(H)) = box(H).

(⟸) By theorem 7.1 and box(D) = box(H), it suffices to consider the following four cases.

Case 1: D;H 2 Exprs. Then D � H follows from lemma 8.4.

Case 2: D;H 2 Expre. Then, by lemma 8.3, D � bDc and H � bHc. By proposition 7.2(1) and box(D) = box(H), box(bDc) = box(bHc). Thus, by lemma 8.4, bDc � bHc. Hence, by (48) and the symmetry of �, D � bDc � bHc � H. Thus, by the transitivity of �, D � H.

Case 3: D;H 2 Exprx. Then we proceed similarly as in Case 2.

Case 4: D;H 2 Exprdn(Expre [ Exprx). Then we proceed by induction on maxfrank(D); rank(H)g. In the base step, D and H are dynamic constants, and D � H follows from (43). In the inductive step, we have D = op(D) and H = op(H) where maxfrank(Dv); rank(Hv)g < maxfrank(D); rank(H)g, for every v 2 T. By proposition 7.2(1) and box(D) = box(H), we have (box(bDc)) = (box(bHc)), so SbDvc = SbHvc, for every v 2 T. Hence, by lemma 8.4, bDc � bHc. Since box(bDc) = box(bHc) and box(D) = box(H), by proposition 4.2, box(D) � box(H). Let � and � be factorisations of respectively D and H (note that �d = �d). We have box(D�d ) = box(H�d ) and bD�dc = bH�dc; hence, by the induction hypothesis, D�d � H�d . Moreover, by lemma 8.3,

D�e � bD�ec ; D�x � bD�xc ; H�e � bH�ec and H�x � bH�x c:

Then one can show D � H by applying (46), (48) and (49). □

Example The DIY algebra gives rise to five specific rules of the structural equivalence relation (we omit here their symmetric, hence redundant, counterparts):

op0(E; F ;G) � op0(E;F;G)        c2 � c21
op0(E;F;G) � op0(E;F;G)        c2 � c23
op0(E;F;G) � op0(E;F; G)

Using these, one can derive op0(c1; c23; c3) � op0(c1; c2; c3), as shown below:

op0(c1; c23; c3) � op0(c1; c2; c3)
op0(c1; c23; c3) � op0(c1; c2; c3)        op0(c1; c2; c3) � op0(c1; c2; c3)
c1 � c1        c23 � c2        c3 � c3

8.2 Transition based operational semantics

In developing the operational semantics of the box algebra, we will go through the following steps: first (in this section), we introduce operational rules based on transitions of nets which provide the denotational semantics of box expressions. Based on these, we will formulate our key consistency result. And, finally, we will derive from them label based rules and partial order semantics, together with derived consistency results.

Transition trees Consider the set of all transition trees in the boxes derived through the box mapping:

Tboxtree = [D 2 Exprbox Tbox(D) =prop.7.2(1) [E 2 Exprs Tbox(E):

Every t 2 Tboxtree has a unique label, lab(t), in all boxes associated with box expressions in which it occurs. More precisely, if t 2 Troot then this follows from (31) and (38), and if t has the form t = (v; �) � R then, by the definition of net refinement which underpins the semantical mapping box, lab(t) = �. To see that the same transition may belong to different static boxes, consider E = op0(c1; c2; c2) and F = op0(c1; c2; c3) in DIY.
Then the transition t = (v1; f) � ft11; t12g belongs to both box(E) and box(F ), yet box(E) 6= box(F ).

Example In the DIY algebra, each transition tree in Tboxtree has one of the following four forms:

(vn1 ; aij)� � � �� (vnk ; aij)� tij ;
(vm1 ; a)� � � �� (vmk1 ; a)� t11 ;
(vl1 ; b)� � � �� (vlk2 ; b)� t12
(vn1 ; f) � � � � � (vnk ; f) � (v1; f) � n (vm1 ; a) � � � � � (vmk1 ; a) � t11 ; (vl1 ; b) � � � � � (vlk2 ; b) � t12 o

where k; k1; k2 � 0 and tij 2 ft21; t22; t31g and vni 2 fv1; v2; v3g and vmi ; vli 2 fv2; v3g and a11 = a and a12 = b and a21 = c and a22 = d and a31 = e.


SOS semantics rules The first operational semantics has moves of the form D U�! H such that D and H are box expressions and U 2 tlabsr, where tlabsr is the set of all finite subsets of Tboxtree [ fskip; redog. The idea here is that U is a valid step for the boxes associated with D and H, after augmenting them with the skip and redo transitions. We will denote, for every such set,

lab(U ) = Xt2Uflab(t)g

assuming that lab(skip) = skip and lab(redo) = redo. The derivation system is defined in four stages. First, we define the rules for skip and redo, then for the inaction rules, then we treat the flat expressions and, finally, introduce the derivation rule for each connective op. Formally, we define a ternary relation �! which is the least relation comprising all (D;U;H) 2 Expr � tlabsr � Expr such that (51)-(54) below hold. Notice that we use D U�! H to denote (D;U;H) 2�!.

skip and redo There are two basic rules governing the applications of the moves involving skip and redo. For every static expression E,

E fskipg�����! E        E fredog�����! E        (50)

Inaction rules There is a single basic inaction rule,

      D � H
  --------------        (51)
  D ;�����! H

where D and H are box expressions. Moreover, an empty move can be absorbed by the move which precedes or follows it, i.e., we have:

  D ;�����! J U�����! H            D U�����! J ;�����! H
  ------------------------        ------------------------        (52)
       D U�����! H                      D U�����! H

where D, J and H are expressions. The inaction rules render the view that empty moves do not change the state of a system, but rather change the view on it.

Axioms for flat expressions For all flat expressions D and H and U 2 tlabsr such that box(D) [U i box(H),

D U�����! H (53)

Inference rules for operators For every operator box in OpBox, and all -tuples D and H of expressions, there is an inference rule:

  8 v 2 T : Dv U1v �[��� �[Ukvv����������������������! Hv
  ----------------------------------------------------------        (54)
  op(D) U�����! op(H)

subject to:
8v 2 T 8i � kv : (lab(U iv); �iv) 2 �(v)
U = Sv2T �(v; �1v)�U1v ; : : : ; (v; �kvv )�Ukvv
U is finite.

The finiteness of U means that finitely many kv's are non-zero. Notice that for the other ones we do not require that Dv = Hv but only that Dv ;�! Hv; it will follow from proposition 8.6 that Dv � Hv.

Since skip and redo never occur in any �(v), the last rule will never be applied if any of the sets U iv contains skip or redo. Similarly, it will never generate any of these two special labels. Thus, if D U�! H and skip 2 U then U = fskipg, and if D U�! H and redo 2 U then U = fredog.


Infinite operators The meaning of the operational semantics rules is again clear if all boxes in OpBox have finite transition sets; in general, however, we need to treat infinite operator boxes as well. Following what is now an established practice, we consider the domain (2ExprTrees�tlabsr�ExprTrees;�) which forms a complete lattice with the \ and [ operations. And the inference rules (50)-(54) define a monotonic mapping

opsem : 2ExprTrees�tlabsr�ExprTrees ! 2ExprTrees�tlabsr�ExprTrees

whose least fixed point, �!, is equal to opsem�00(;), for some ordinal �00. We also define, for every (D;U;H) 2�!, its rank, denoted by rank(D;U;H), defined as the smallest ordinal � such that (D;U;H) 2 opsem�(;). Thus we are in a position to apply (transfinite) induction on the rank of the triples in �!. If all operator boxes in OpBox have finite transition sets, the standard induction can be used.

Properties An empty move always relates two structurally equivalent expressions.

Proposition 8.6. If D and H are expressions such that D ;�! H then D � H.

Proof: Follows by a straightforward induction on rank(D; ;;H). □

A move of the operational semantics transforms a box expression into another box expression with structurally equivalent underlying static expression, and the move generated is a valid step for the corresponding boxes. We interpret this as establishing the soundness of the operational semantics of box expressions.

Theorem 8.7. Let D be a well formed box expression and D U�! H. Then H is a well formed box expression and box(D)sr [U i box(H)sr.

Proof: The proof proceeds by induction on rank(D;U;H). In the base step, we consider three cases.

Case 1: D = E fskipg�����! E = H or D = E fredog�����! E = H where E is a well formed static expression. Then both D and H are well formed box expressions and

box(E)sr [fskipgi box(E)sr or box(E)sr [fredogi box(E)sr

follows from box(E)sr = box(E)sr and box(E)sr = box(E)sr and the definition of �sr.

Case 2: D � H and U = ;.
Then, by theorems 8.1 and 8.5, H is a well formed box expression and box(D) = box(H). Hence box(D)sr [;i box(H)sr.

Case 3: D and H are flat expressions and box(D) [U i box(H). Then there is nothing to prove.

In the inductive step we consider two cases.

Case 1: There is J such that D ;�! J U�! H and maxfrank(D; ;; J); rank(J; U;H)g < rank(D;U;H). (If D U�! J ;�! H then we proceed similarly.) By the induction hypothesis, both J and H are well formed box expressions and box(D)sr [;i box(J)sr [U i box(H)sr. Hence, by box(D) = box(J), box(D)sr [U i box(H)sr.

Case 2: D = op(D) and H = op(H) where op(D), op(H) and U are as in (54); moreover, for every v 2 T , rank(Dv; Uv;Hv) < rank(D;U;H). From D being a well formed box expression, the induction hypothesis (which, in particular, implies that for each v, box(Dv) [f(v; �1v) � U1v ; : : : ; (v; �kvv ) �Ukvv gi box(Hv) since no label �iv can belong to skip; redo), and theorem 7.1, it follows that D and H are -tuples of well formed box expressions, box(D) 2 dom, and

� : box(D)� U�����! � : box(H)�:

Hence, by theorem 4.1, box(H) 2 dom and (box(D)) [U i (box(H)); notice that the finiteness of the set U is needed to reach this conclusion. Moreover, by box(H) 2 dom and theorem 7.1, H is a well formed box expression. Thus box(D) = box(op(D)) [U i box(op(H)) = box(H). □

The next result states completeness of the operational semantics of box expressions.


Theorem 8.8. Let D be a well formed box expression and box(D)sr [U i �sr. Then there is a well formed box expression H such that box(H) = � and D U�! H.

Proof: If U = ; then, by (51) and � = box(D), the result holds for H = D. If U 6= ; then we first recall that either U = fskipg, or U = fredog, or U � Tboxtree .

Suppose U = fskipg (the case U = fredog is similar). Then box(D) 2 Boxe and � = box(bDc). By theorem 7.1, D 2 Expre. Hence, by lemma 8.3, D � bDc. Thus, by (50) and (51),

D ;�! bDc fskipg�����! bDc:

Hence, by (52), D fskipg�����! bDc and we can take H = bDc since

box(H) = box(bDc) = box(bDc) = box(D) = �:

If U � Tboxtree then box(D) [U i � and we proceed by induction on the maximal depth h of the transition trees in U (such an inductive argument is valid since U is a finite set of finite trees).

In the base step (h = 0), by proposition 7.2(2), D is a flat expression. Hence, from (38), (39) and (53) it follows that there is an axiom D U�! H, where H is a flat expression such that box(D) [U i box(H). The latter further implies that box(H) = �.

In the inductive step (h > 0), by proposition 7.2(2), we may assume that D = op(D), for some and D. Hence, by theorem 7.1, we have box(D) 2 dom and (box(D)) [U i �. From theorem 4.4 it follows that there are -tuples in the domain of , � and , such that box(D) � � and � = () and

� : �� U�����! � : �: (55)

We next observe that there is a well formed box expression op(F) such that op(D) � op(F) and box(F) = �. That op(F) exists can be shown in the following way. Let � and � be respectively the factorisations of box(D) and � which are factorisations of the same complex marking of (notice that, by theorem 7.1, � is also the factorisation of D). By lemma 8.3 and (49), we may assume D�e � Exprs and D�x � Exprs.
Let C be the -tuple of well formed expressions such that, for every t 2 T : Dv = Cv if v 2 �e; Dv = Cv if v 2 �x; and Dv = Cv otherwise.

Then, by (46), op(D) � op(F) where, for every v 2 T: Fv = Cv if v 2 �e; Fv = Cv if v 2 �x; and Fv = Cv otherwise. Hence, by theorem 8.1, op(F) is a well formed box expression which satisfies box(F) = �. Indeed, bbox(F)c = bbox(D)c = b�c, the factorisation of F is �, and, by �d = �d, box(F�d ) = ��d .

Define, for every v 2 T, Uv = U \ Tvnew = fu1v; : : : ; ukvv g. By (55), we have, for every v 2 T ,

�v htrees(u1v) �[ � � � �[trees(ukvv )E v

and only finitely many kv are greater than zero. Thus, by the induction hypothesis and the U = ; case, for every v 2 T , there is a well formed box expression Hv such that box(Hv) = v and

Fv trees(u1v) �[��� �[trees(ukvv )�����������������������������! Hv:

Hence, by (54), op(F) U�! op(H). And, by theorem 8.7, we obtain that H = op(H) is a well formed box expression such that box(op(F)) [U i box(H). Thus, by theorem 8.5 and D � op(F), we have box(D) [U i box(H), and so box(H) = �. □

Example The operational semantics of flat expressions is given in DIY by:

c1 ft11g�����! c12
c2 ft21g�����! c22
c1 ft12g�����! c11
c21 ft21g�����! c22
c1 ft11;t12g�����! c1
c22 ft22g�����! c2
c12 ft12g�����! c1
c22 ft22g�����! c23
c11 ft11g�����! c1
c3 ft31g�����! c3

and the inference rule for the only operator box, 0, can be formulated in the following way:

  D ft1;u1;:::;tk;uk;x1;:::;xlg�����������������������������! D0 ; H fy1;:::;ymg��������! H 0 ; G fz1;:::;zng��������! G0
  ------------------------------------------------------------------------------------------
  op0(D;G;H) U�����! op0(D0; G0;H 0)

where k; l;m; n � 0; flab(ti); lab(ui)g = fa; bg, for every i � k; lab(xi) 62 fa; bg, for every i � l; and the step U is given by:

U = n (v1; f) � ft1; u1g ; : : : ; (v1; f) � ftk; ukg o
  [ n (v1; lab(x1)) � x1 ; : : : ; (v1; lab(xl)) � xl o
  [ n (v2; lab(y1)) � y1 ; : : : ; (v2; lab(ym)) � ym o
  [ n (v3; lab(z1)) � z1 ; : : : ; (v3; lab(zn)) � zn o

One can show that if the above rule is applied to a box expression then n � (k + l + m) = 0 (i.e., either n is equal to zero, or k, l and m are all equal to zero). For example, the following is a valid sequence of three moves

op0(c1; c2; c3) fw1;w2g�����! op0(c1; c22; c3) fw3g�����! op0(c1; c2; c3) fw4g�����! op0(c1; c2; c3):

A derivation for the first move is shown below.

op0(c1; c2; c3) fw1;w2g�����! op0(c1; c22; c3)
op0(c1; c2; c3) ;�����! op0(c1; c2; c3) ; op0(c1; c2; c3) f (v1;f)�ft11;t12g ; (v2;c)� t21 g�����������������������������! op0(c1; c22; c3)
c1 ft11;t12g�����! c1        c2 ft21g�����! c22        c3 ;�����! c3

8.3 Consistency of the denotational and operational semantics

The consistency between the denotational and operational semantics of box expressions will be formulated in terms of the transition systems they generate. This will be possible since, thanks to theorems 8.7 and 8.8, we are now in a position to compare transition systems generated by a well formed box expression and the corresponding net.

Transition systems of box expressions and the corresponding boxes Let G be a well formed dynamic expression. We will use [Gisr to denote the least set of expressions containing G such that if H 2 [Gisr and H U�! C, for some U 2 tlabsr, then C 2 [Gisr.
The full transition system of G is defined as ftsG = (V; L;A; [G]�) where V = f[H]� j H 2 [Gisrg is the set of states, L = tlabsr is the set of arc labels, and A = f([H]�; U; [C]�) 2 V � tlabsr � V j H U�! Cg is the set of arcs. For a static expression E, ftsE = ftsE .

Let � be a box generated by a well formed dynamic expression. The full transition system of � is defined as fts� = (V; L;A; v0) where V = f� j skip; redo 62 T� ^ �sr 2 [�sri g is the set of states, v0 = � is the initial state, L = tlabsr is the set of arc labels, and A = f(�;U; ) 2 V � tlabsr� V j �sr [U i srg is the set of arcs. In other words, fts� is the reachability graph of �sr with all references to skip and redo in the nodes of the graph erased. For a box � generated by a static expression, fts� = fts�.

Consistency result We now state a fundamental result which demonstrates that the operational and denotational semantics of a well formed box expression capture the same behaviour, in arguably the strongest sense.


Theorem 8.9. For every well formed box expression $D$, $\mathrm{iso} = \{([H]_{\equiv}, \mathrm{box}(H)) \mid [H]_{\equiv} \text{ is a node of } \mathrm{fts}_D\}$ is an isomorphism between the full transition systems $\mathrm{fts}_D$ and $\mathrm{fts}_{\mathrm{box}(D)}$.

Proof: By theorems 8.5 and 8.7, iso is a well defined injective mapping. The rest of the result follows from theorems 8.7, 8.8 and 7.1. □

8.4 Label based operational semantics

The operational semantics based on transition names and captured by full transition systems is very expressive; in particular, we will see in section 9 that it contains enough information to retrieve partial order semantics of nets corresponding to box expressions. However, it may often be sufficient to record only the labels of executed transitions, in the usual style of process algebras. Such a treatment can be accommodated within the scheme developed so far. First, we retain the structural similarity relation $\equiv$ on box expressions without any change. Next, we define moves of the form $D \xrightarrow{\Gamma} H$ where $D$ and $H$ are expressions as before, and $\Gamma$ is a finite multiset in $\mathrm{mlabsr} = \mathrm{mult}(\mathrm{Lab} \cup \{\mathit{skip}, \mathit{redo}\})$. We keep the rules (50), (51) and (52) unchanged (with $\emptyset$ now denoting the empty multiset of labels, $\{\mathit{skip}\}$ and $\{\mathit{redo}\}$ denoting singleton multisets, and $U$ being changed to $\Gamma$), but modify the axioms for flat expressions and inference rules for operator boxes. For all flat expressions $D$ and $H$ and non-empty $\Gamma \in \mathrm{mlabsr}$ such that $\mathrm{box}(D)\,[\Gamma\rangle_{\mathrm{lab}}\,\mathrm{box}(H)$,

\[ D \xrightarrow{\;\Gamma\;} H \qquad (56) \]

and for every operator box $\Omega$:

\[
\frac{\forall v \in T_\Omega :\; D_v \xrightarrow{\;\Gamma_v^1 + \cdots + \Gamma_v^{k_v}\;} H_v}
     {\mathrm{op}_\Omega(\mathbf{D}) \xrightarrow{\;\Gamma\;} \mathrm{op}_\Omega(\mathbf{H})}
\qquad
\begin{cases}
\forall v \in T_\Omega\ \forall i \le k_v :\ (\Gamma_v^i, \alpha_v^i) \in \lambda_\Omega(v) \\
\Gamma = \sum_{v \in T_\Omega} \{\alpha_v^1\} + \cdots + \{\alpha_v^{k_v}\} \\
\Gamma \text{ is finite}
\end{cases}
\qquad (57)
\]

where $\mathbf{D}$ and $\mathbf{H}$ are $\Omega$-tuples of expressions.

Properties. The two types of operational semantics are clearly related; in essence, each label based move is a transition based move with only transition labels being recorded.

Proposition 8.10. Let $D$ be a well formed box expression and $\Gamma \in \mathrm{mlabsr}$. Then $D \xrightarrow{\Gamma} H$ if and only if there is $U \in \mathrm{tlabsr}$ such that $D \xrightarrow{U} H$ and $\mathrm{lab}(U) = \Gamma$.

Proof: Both implications can be proved by a straightforward induction on the rank of $D \xrightarrow{\Gamma} H$ and $D \xrightarrow{U} H$, respectively. □

The results concerning transition based operational semantics directly extend to the label based one. Let $D$ be a well formed box expression. In view of proposition 8.10, the label based operational semantics of $D$ is faithfully captured by the transition system of $D$, denoted by $\mathrm{ts}_D$ and defined as $\mathrm{fts}_D$ with each arc label $U$ changed to $\mathrm{lab}(U)$. The consistency result for the label based operational semantics can then be formulated thus.

Theorem 8.11. For every well formed box expression $D$, $\mathrm{iso} = \{([H]_{\equiv}, \mathrm{box}(H)) \mid [H]_{\equiv} \text{ is a node of } \mathrm{ts}_D\}$ is an isomorphism between the transition systems $\mathrm{ts}_D$ and $\mathrm{ts}_{\mathrm{box}(D)}$.

Proof: Follows from theorem 8.9, proposition 8.10, and the fact that the structural similarity relation is the same for the transition and label based operational semantics. □

Example. For the DIY algebra, the label based operational semantics of flat expressions is given by:

\[
\begin{array}{ll}
c_{1} \xrightarrow{\{a\}} c_{12} & c_{2} \xrightarrow{\{c\}} c_{22} \\
c_{1} \xrightarrow{\{b\}} c_{11} & c_{21} \xrightarrow{\{c\}} c_{22} \\
c_{1} \xrightarrow{\{a,b\}} c_{1} & c_{22} \xrightarrow{\{d\}} c_{2} \\
c_{12} \xrightarrow{\{b\}} c_{1} & c_{22} \xrightarrow{\{d\}} c_{23} \\
c_{11} \xrightarrow{\{a\}} c_{1} & c_{3} \xrightarrow{\{e\}} c_{3}
\end{array}
\]


and the inference rule for the only operator box can be formulated in the following way:

\[
\frac{D_1 \xrightarrow{\;k\cdot\{a,b\} + \Gamma_1\;} H_1 \;;\quad D_2 \xrightarrow{\;\Gamma_2\;} H_2 \;;\quad D_3 \xrightarrow{\;\Gamma_3\;} H_3}
     {\mathrm{op}_{\Omega_0}(D_1, D_2, D_3) \xrightarrow{\;k\cdot\{f\} + \Gamma_1 + \Gamma_2 + \Gamma_3\;} \mathrm{op}_{\Omega_0}(H_1, H_2, H_3)}
\qquad a, b \notin \Gamma_1
\]

An application of these rules is illustrated on the move $\mathrm{op}_{\Omega_0}(c_1, c_2, c_3) \xrightarrow{\{c,f\}} \mathrm{op}_{\Omega_0}(c_1, c_{22}, c_3)$ for which a derivation looks as follows:

\[
\overbrace{\;\mathrm{op}_{\Omega_0}(c_1, c_2, c_3) \xrightarrow{\emptyset} \mathrm{op}_{\Omega_0}(c_1, c_2, c_3)\;;\quad
\overbrace{\;c_1 \xrightarrow{\{a,b\}} c_1 \quad c_2 \xrightarrow{\{c\}} c_{22} \quad c_3 \xrightarrow{\emptyset} c_3\;}^{\mathrm{op}_{\Omega_0}(c_1, c_2, c_3) \xrightarrow{\{c,f\}} \mathrm{op}_{\Omega_0}(c_1, c_{22}, c_3)}\;}^{\mathrm{op}_{\Omega_0}(c_1, c_2, c_3) \xrightarrow{\{c,f\}} \mathrm{op}_{\Omega_0}(c_1, c_{22}, c_3)}
\]

9 Partial order semantics of box expressions

Process expressions do not support an explicit notion of a place. We will therefore use Mazurkiewicz traces, a model of partial order behaviour based solely on transitions.

Mazurkiewicz traces. Let $A$ be a set and $\mathrm{ind} \subseteq A \times A$ be an irreflexive symmetric relation on $A$. Intuitively, $A$ is meant to represent the set of possible events in a concurrent system, and ind an independence relation which identifies events that can be executed concurrently. With every sequence $\sigma = A_1 \ldots A_k$, where each $A_i$ is a finite subset of $A$ such that $(a, b) \in \mathrm{ind}$ for all distinct $a, b \in A_i$, one can associate a partial order, denoted by $\mathrm{poset}_{\mathrm{ind}}(\sigma)$, in the following way.

The set of event occurrences of $\sigma$, $\mathrm{occ}_\sigma$, comprises all pairs $(a, l) \in A \times \mathbb{N}$ such that $a \in A_1 \cup \ldots \cup A_k$ and $l$ ranges between 1 and the number of times $a$ occurs within $\sigma$, $1 \le l \le |\{i \mid a \in A_i\}|$. Moreover, we denote by $\mathrm{idx}(a,l)$ the index $m$ such that $A_m$ contains the $l$-th occurrence of $a$, i.e., $a \in A_m$ and $l = |\{i \mid a \in A_i \wedge i \le m\}|$. We then define a precedence relation on $\mathrm{occ}_\sigma$, $\prec_\sigma$, by stipulating that $(a, l) \prec_\sigma (b, n)$ if $(a, b) \notin \mathrm{ind}$ and $\mathrm{idx}(a,l) < \mathrm{idx}(b,n)$. Then $\mathrm{poset}_{\mathrm{ind}}(\sigma) = (\mathrm{occ}_\sigma, \prec^{*}_\sigma)$ where $\prec^{*}_\sigma$ is the reflexive transitive closure of $\prec_\sigma$.

Consider now a safe labelled net $\Sigma$, and take $A$ to be its transition set, $A = T_\Sigma$, and ind to be its independence relation, $\mathrm{ind} = \mathrm{ind}_\Sigma$. Then, with every finite step sequence $\sigma$ of $\Sigma$, $\Sigma\,[\sigma\rangle\,\Theta$, we can associate a partial order, $\mathrm{poset}_{\mathrm{ind}_\Sigma}(\sigma)$, in the way described above. One of the crucial properties of the partial order semantics is that every sequence of sets of transitions consistent with $\mathrm{poset}_{\mathrm{ind}_\Sigma}(\sigma)$ is also a valid step sequence. More precisely, if $\omega = U_1 \ldots U_k$ is a sequence of finite sets of transitions of $\Sigma$ such that $(t, u) \in \mathrm{ind}_\Sigma$, for every $U_i$ and all distinct $t, u \in U_i$, then $\mathrm{poset}_{\mathrm{ind}_\Sigma}(\omega) = \mathrm{poset}_{\mathrm{ind}_\Sigma}(\sigma)$ implies that $\omega$ is a valid step sequence for $\Sigma$ leading to the same marked net as $\sigma$, i.e., $\Sigma\,[\omega\rangle\,\Theta$. For example, the step sequence $\sigma = \{t_0, t_2\}\,\emptyset\,\{t_1, t_2\}\{t_2\}\,\emptyset$ of the labelled net $\Sigma_0$ in figure 1 generates a partial order $\mathrm{poset}_{\mathrm{ind}_{\Sigma_0}}(\sigma)$ whose Hasse diagram, giving the precedence relation, is shown on the left-hand side of figure 8. This partial order is normally represented as a labelled partial order with nodes being labelled just by transitions, as shown on the right-hand side of figure 8.

Figure 8. Hasse diagrams of partial orders. [Left: nodes $(t_0, 1)$, $(t_1, 1)$, $(t_2, 1)$, $(t_2, 2)$, $(t_2, 3)$; right: the same nodes labelled $t_0$, $t_1$, $t_2$, $t_2$, $t_2$.]
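The poset construction above, carried through for the step sequence of the running example, as an added Python example that is not part of the original paper. The independence relation on t0, t1, t2 is an assumption read off from the text (figure 1 is not reproduced here): t2 is independent of t0 and t1, while t0 and t1 are not independent; OMEGA is a second step sequence constructed for the comparison.

```python
from itertools import product

def poset(steps, ind):
    """Return (occ, leq) for a step sequence: the event occurrences and the
    reflexive transitive closure of the precedence relation."""
    for step in steps:                       # each step must be pairwise independent
        for a, b in product(step, repeat=2):
            if a != b and (a, b) not in ind:
                raise ValueError(f"{a} and {b} are not independent")
    seen, idx = {}, {}
    for m, step in enumerate(steps, start=1):
        for a in step:
            seen[a] = seen.get(a, 0) + 1     # the l-th occurrence of a ...
            idx[(a, seen[a])] = m            # ... is contained in step A_m
    occ = set(idx)
    leq = {(x, x) for x in occ}
    leq |= {(x, y) for x, y in product(occ, repeat=2)
            if (x[0], y[0]) not in ind and idx[x] < idx[y]}
    for k, x, y in product(occ, repeat=3):   # Warshall closure, k is the outer loop
        if (x, k) in leq and (k, y) in leq:
            leq.add((x, y))
    return occ, leq

def hasse(occ, leq):
    """Covering pairs: x < y with no occurrence strictly in between."""
    lt = {(x, y) for x, y in leq if x != y}
    return {(x, y) for x, y in lt
            if not any((x, z) in lt and (z, y) in lt for z in occ)}

def concurrent(x, y, leq):
    """Two occurrences are concurrent when neither precedes the other."""
    return (x, y) not in leq and (y, x) not in leq

# Assumed independence relation on {t0, t1, t2}: symmetric and irreflexive.
IND = {("t0", "t2"), ("t2", "t0"), ("t1", "t2"), ("t2", "t1")}
# Step sequence of the running example; empty steps add no occurrences.
SIGMA = [{"t0", "t2"}, set(), {"t1", "t2"}, {"t2"}, set()]
# Constructed alternative step sequence with the same causal order.
OMEGA = [{"t2"}, {"t0"}, {"t2"}, {"t1", "t2"}]

if __name__ == "__main__":
    occ, leq = poset(SIGMA, IND)
    for x, y in sorted(hasse(occ, leq)):
        print(x, "->", y)
    print("same poset:", poset(OMEGA, IND) == (occ, leq))
```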


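The presence of a path between two nodes in such a graph is interpreted as causality, and the lack of ordering as concurrency. Thus, in the example above, the occurrences of $t_0$ and $t_1$ are causally related, and both are concurrent with the three occurrences of $t_2$. Whenever $\Sigma\,[\sigma\rangle\,\Theta$, we will write $\Sigma\,[\mathrm{poset}_{\mathrm{ind}_\Sigma}(\sigma)\rangle_{\mathrm{po}}\,\Theta$ to indicate that $\Theta$ can be derived from $\Sigma$ by executing the poset within the brackets $[\ldots\rangle_{\mathrm{po}}$.

Connectedness properties of transition trees. We will now investigate connectedness between transitions in nets generated by box expressions. It will turn out that the name trees of these transitions contain information as to when two transitions are adjacent to a common place, and the relevant information is independent of the specific net to which the two transitions happen to belong.

We now can again take advantage of the assumption made in (31) that the operator and static constant boxes have disjoint transition sets. This allows one to identify, for every transition $t$ in the boxes $\mathrm{OpBox} \cup (\mathrm{ConstBox} \cap \mathrm{Box}^s)$, a unique box in $\mathrm{OpBox} \cup (\mathrm{ConstBox} \cap \mathrm{Box}^s)$ to which $t$ belongs; we will denote it by $\mathrm{net}_t$. For example, in the DIY algebra, $\mathrm{net}_{v_1} = \Omega_0$ and $\mathrm{net}_{t_{22}} = \Phi_2$.

To start with, we can capture the property of 'being connected to an entry or exit place'. By definition, a transition tree $t \in T^{\mathrm{box}}_{\mathrm{tree}}$ belongs to the set $\mathrm{Con}^e$ or $\mathrm{Con}^x$, if one of the following holds (footnote 19):

- There is a plain box $\Sigma \in \mathrm{ConstBox} \cap \mathrm{Box}^s$ such that $t \in T_\Sigma$ and we have, respectively:
\[ ({}^\bullet t \cup t^\bullet) \cap {}^\circ\Sigma \ne \emptyset \quad\text{or}\quad ({}^\bullet t \cup t^\bullet) \cap \Sigma^\circ \ne \emptyset. \]
- There is an operator box $\Omega \in \mathrm{OpBox}$ such that $t = (v, \alpha) \lhd Q$ and $v \in T_\Omega$, and we have, respectively:
\[ {}^\bullet v \cap {}^\circ\Omega \ne \emptyset \ne Q \cap \mathrm{Con}^e \;\vee\; v^\bullet \cap {}^\circ\Omega \ne \emptyset \ne Q \cap \mathrm{Con}^x \quad\text{or} \]
\[ {}^\bullet v \cap \Omega^\circ \ne \emptyset \ne Q \cap \mathrm{Con}^e \;\vee\; v^\bullet \cap \Omega^\circ \ne \emptyset \ne Q \cap \mathrm{Con}^x. \]

Notice also that, by (31), we have:

\[ \Sigma = \mathrm{net}_t \quad\text{and}\quad \Omega = \mathrm{net}_v. \qquad (58) \]

Proposition 9.1. Let $E$ be a static expression and $t$ be a transition in $\mathrm{box}(E)$. Then

\[ ({}^\bullet t \cup t^\bullet) \cap {}^\circ\mathrm{box}(E) \ne \emptyset \iff t \in \mathrm{Con}^e \quad\text{and}\quad ({}^\bullet t \cup t^\bullet) \cap \mathrm{box}(E)^\circ \ne \emptyset \iff t \in \mathrm{Con}^x. \]

Proof: We only prove the first equivalence, the proof of the other one being symmetric. We proceed by induction on the depth $h$ of $t$. In the base step ($h = 0$), by proposition 7.2(2) and (31), $\mathrm{box}(E) = \mathrm{net}_t \in \mathrm{ConstBox} \cap \mathrm{Box}^s$. Hence the equivalence holds by the definition of $\mathrm{Con}^e$ and (58).

In the inductive step ($h > 0$), we may assume that $E = \mathrm{op}_\Omega(\mathbf{E})$, by proposition 7.2(2), which means that $t = (v, \alpha) \lhd Q$; and so, by (31), $\Omega = \mathrm{net}_v$. By proposition 3.9, $({}^\bullet t \cup t^\bullet) \cap {}^\circ\mathrm{box}(E) \ne \emptyset$ if and only if

\[ {}^\bullet v \cap {}^\circ\Omega \ne \emptyset \ne ({}^\bullet Q \cup Q^\bullet) \cap {}^\circ\mathrm{box}(E_v) \quad\text{or}\quad v^\bullet \cap {}^\circ\Omega \ne \emptyset \ne ({}^\bullet Q \cup Q^\bullet) \cap \mathrm{box}(E_v)^\circ. \]

Hence, the equivalence holds by $\Omega = \mathrm{net}_v$, (58) and the induction hypothesis. □

Global independence relation. By definition, a pair of transition trees $(t, u) \in T^{\mathrm{box}}_{\mathrm{tree}} \times T^{\mathrm{box}}_{\mathrm{tree}}$ belongs to the set $\mathrm{ind}_{\mathrm{box}}$ if one of the following holds:

- There is a plain box $\Sigma \in \mathrm{ConstBox} \cap \mathrm{Box}^s$ such that $(t, u) \in \mathrm{ind}_\Sigma$.
- There is an operator box $\Omega \in \mathrm{OpBox}$ such that $t = (v, \alpha) \lhd Q$ and $u = (w, \beta) \lhd R$ and $v, w \in T_\Omega$, and we have:
\[
\begin{array}{rcl}
{}^\bullet v \cap w^\bullet \ne \emptyset & \Longrightarrow & Q \cap \mathrm{Con}^e = \emptyset \;\vee\; R \cap \mathrm{Con}^x = \emptyset \\
v^\bullet \cap {}^\bullet w \ne \emptyset & \Longrightarrow & Q \cap \mathrm{Con}^x = \emptyset \;\vee\; R \cap \mathrm{Con}^e = \emptyset \\
v \ne w \;\wedge\; {}^\bullet v \cap {}^\bullet w \ne \emptyset & \Longrightarrow & Q \cap \mathrm{Con}^e = \emptyset \;\vee\; R \cap \mathrm{Con}^e = \emptyset \\
v \ne w \;\wedge\; v^\bullet \cap w^\bullet \ne \emptyset & \Longrightarrow & Q \cap \mathrm{Con}^x = \emptyset \;\vee\; R \cap \mathrm{Con}^x = \emptyset.
\end{array}
\]
Moreover, if $v = w$ then $Q \times R \subseteq \mathrm{ind}_{\mathrm{box}}$.

Footnote 19: The sets $\mathrm{Con}^e$ and $\mathrm{Con}^x$ are well defined since transition trees are always finite.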


Notice also that similarly as before, by (31), we have:

\[ \Sigma = \mathrm{net}_t \quad\text{and}\quad \Omega = \mathrm{net}_v = \mathrm{net}_w. \qquad (59) \]

The relation we just defined can be thought of as a global independence relation for the boxes generated by the denotational semantics of box expressions.

Theorem 9.2. For every static expression $E$, $\mathrm{ind}_{\mathrm{box}(E)} = (T_{\mathrm{box}(E)} \times T_{\mathrm{box}(E)}) \cap \mathrm{ind}_{\mathrm{box}}$.

Proof: Let $t$ and $u$ be transition trees in $\mathrm{box}(E)$. We proceed by induction on $h = \max\{\mathrm{depth}(t), \mathrm{depth}(u)\}$. In the base step ($h = 0$), by proposition 7.2(2) and (31), $\mathrm{box}(E) = \mathrm{net}_t = \mathrm{net}_u \in \mathrm{ConstBox} \cap \mathrm{Box}^s$. Hence, by the definition of $\mathrm{ind}_{\mathrm{box}}$ and (59), $(t, u) \in \mathrm{ind}_{\mathrm{box}(E)}$ if and only if $(t, u) \in \mathrm{ind}_{\mathrm{box}}$.

In the inductive step ($h > 0$), we may assume that $E = \mathrm{op}_\Omega(\mathbf{E})$, by proposition 7.2(2). Thus $t = (v, \alpha) \lhd Q$ and $u = (w, \beta) \lhd R$, and so, by (31), $\Omega = \mathrm{net}_v = \mathrm{net}_w$. We now consider two cases.

Case 1: $v = w$. We have $Q \cup R \subseteq \mathrm{box}(E_v)$. By proposition 3.7, $(t, u) \in \mathrm{ind}_{\mathrm{box}(E)}$ if and only if $Q \times R \subseteq \mathrm{ind}_{\mathrm{box}(E_v)}$ and, moreover, if ${}^\bullet v \cap v^\bullet \ne \emptyset$ then (also by proposition 9.1):

\[ (Q \cap \mathrm{Con}^e = \emptyset \;\vee\; R \cap \mathrm{Con}^x = \emptyset) \;\wedge\; (Q \cap \mathrm{Con}^x = \emptyset \;\vee\; R \cap \mathrm{Con}^e = \emptyset). \]

Thus, by $\Omega = \mathrm{net}_v = \mathrm{net}_w$ and (59) and the induction hypothesis, $(t, u) \in \mathrm{ind}_{\mathrm{box}(E)}$ if and only if $(t, u) \in \mathrm{ind}_{\mathrm{box}}$.

Case 2: $v \ne w$. We proceed similarly as in Case 1, using proposition 3.8 in place of proposition 3.7. □

Consistency result. With the global independence relation $\mathrm{ind}_{\mathrm{box}}$, we can introduce partial order behaviours directly into the box algebra. All we need to do is say what is a partial order execution associated with a step sequence generated by a box expression. Let $D$ and $H$ be two box expressions, and $U_1, \ldots, U_k$ ($k \ge 0$) be subsets of $T^{\mathrm{box}}_{\mathrm{tree}}$ such that there are box expressions $D_0, D_1, \ldots, D_k$ satisfying $D = D_0$, $H = D_k$ and, for every $i < k$,

\[ D_i \xrightarrow{\;U_{i+1}\;} D_{i+1}. \]

We will call $\pi = \mathrm{poset}_{\mathrm{ind}_{\mathrm{box}}}(U_1 \ldots U_k)$ a partial order execution from $D$ to $H$ and denote $D \xrightarrow{\pi} H$. The consistency result obtained for transition based operational semantics can be lifted to the level of partial order executions.

Theorem 9.3. Let $D$ and $H$ be box expressions, and $\pi$ be a partial order.
(1) If $D \xrightarrow{\pi} H$ then $\mathrm{box}(D)\,[\pi\rangle_{\mathrm{po}}\,\mathrm{box}(H)$.
(2) If $\mathrm{box}(D)\,[\pi\rangle_{\mathrm{po}}\,\Sigma$ then there is a box expression $H$ such that $\mathrm{box}(H) = \Sigma$ and $D \xrightarrow{\pi} H$.

Proof: Follows from theorems 8.7, 8.8 and 9.2, after making an easy observation that for any partial order $\pi$ there is at least one step sequence consistent with it (one can simply perform a topological sort and consider singleton steps). □

10 Concluding remarks

In this paper we omitted entirely the treatment of recursion both in the net domain and process expression domain. The treatment of the former is contained in a companion paper [8] which deals with recursion in the most general setting. Crucially, it states that any system of recursive equations on boxes has a solution. With the results obtained there, an extension of the results obtained in the present paper to recursive process expressions is straightforward and can be found in [7].

The results presented in this paper extend those contained in [18], by allowing non-pure and non-ex-directed operator boxes with possibly infinitely many transitions. The consistency results have also been strengthened since now they are formulated in terms of transition system isomorphism rather than bisimulation equivalence.


References

1. J. Baeten and W. P. Weijland: Process Algebra. Cambridge Tracts in Theoretical Computer Science 18, Cambridge University Press (1990).
2. E. Best and R. Devillers: Sequential and Concurrent Behaviour in Petri Net Theory. Theoretical Computer Science 55 (1988) 87-136.
3. E. Best, R. Devillers and J. Esparza: General Refinement and Recursion Operators for the Petri Box Calculus. Proc. of STACS 93, 10th Annual Symposium on Theoretical Aspects of Computer Science, P. Enjalbert, A. Finkel and K. W. Wagner (Eds.). Springer-Verlag, Lecture Notes in Computer Science 665 (1993) 130-140.
4. E. Best, R. Devillers and J. Hall: The Petri Box Calculus: a New Causal Algebra with Multilabel Communication. In: Advances in Petri Nets 1992, G. Rozenberg (Ed.). Springer-Verlag, Lecture Notes in Computer Science 609 (1992) 21-69.
5. E. Best, R. Devillers and M. Koutny: Petri Nets, Process Algebras and Concurrent Programming Languages. In: Advances in Petri Nets. Lectures on Petri Nets II: Applications, W. Reisig and G. Rozenberg (Eds.). Springer-Verlag, Lecture Notes in Computer Science 1492 (1998) 1-84.
6. E. Best, R. Devillers and M. Koutny: The Box Algebra - a Model of Nets and Process Expressions. Proc. of ICATPN'99, S. Donatelli and J. Kleijn (Eds.). Springer-Verlag, Lecture Notes in Computer Science 1639 (1999) 344-363.
7. E. Best, R. Devillers and M. Koutny: Petri Net Algebra (Working Title). Manuscript (1999).
8. E. Best, R. Devillers and M. Koutny: Recursion and Petri Nets. Submitted paper (1999).
9. G. Boudol and I. Castellani: Flow Models of Distributed Computations: Event Structures and Nets. Technical Report RR-1484, INRIA, Sophia Antipolis (1991).
10. P. Degano, R. De Nicola and U. Montanari: A Distributed Operational Semantics for CCS Based on C/E Systems. Acta Informatica 26 (1988) 59-91.
11. R. Devillers: S-invariant Analysis of General Recursive Petri Boxes. Acta Informatica 32 (1995) 313-345.
12. R. Devillers and M. Koutny: Recursive Nets in the Box Algebra. Proc. of CSD'98: International Conference on Application of Concurrency to System Design, IEEE Press (1998) 239-249.
13. U. Goltz: On Representing CCS Programs by Finite Petri Nets. Proc. of MFCS'88, M. P. Chytil, L. Janiga and V. Koubek (Eds.). Springer-Verlag, Lecture Notes in Computer Science 324 (1988) 339-350.
14. U. Goltz and R. Loogen: A Non-interleaving Semantic Model for Nondeterministic Concurrent Processes. Fundamenta Informaticae 14 (1991) 39-73.
15. M. Hesketh and M. Koutny: An Axiomatisation of Duplication Equivalence in the Petri Box Calculus. Proc. of ICATPN'98, J. Desel and M. Silva (Eds.). Springer-Verlag, Lecture Notes in Computer Science 1420 (1998) 165-184.
16. C. A. R. Hoare: Communicating Sequential Processes. Prentice Hall (1985).
17. R. Janicki and P. E. Lauer: Specification and Analysis of Concurrent Systems - the COSY Approach. EATCS Monographs on Theoretical Computer Science, Springer-Verlag (1992).
18. M. Koutny and E. Best: Fundamental Study: Operational and Denotational Semantics for the Box Algebra. Theoretical Computer Science 211 (1999) 1-83.
19. A. Mazurkiewicz: Trace Theory. In: Advances in Petri Nets 1986, Petri Nets: Applications and Relationships to Other Models of Concurrency, Part II, W. Brauer, W. Reisig and G. Rozenberg (Eds.). Springer-Verlag, Lecture Notes in Computer Science 255 (1987) 279-324.
20. R. Milner: Communication and Concurrency. Prentice Hall (1989).
21. T. Murata: Petri Nets: Properties, Analysis and Applications. Proc. of IEEE 77 (1989) 541-580.
22. E. R. Olderog: Nets, Terms and Formulas. Cambridge Tracts in Theoretical Computer Science 23, Cambridge University Press (1991).
23. G. D. Plotkin: A Structural Approach to Operational Semantics. Technical Report FN-19, Computer Science Department, University of Aarhus (1981).
24. W. Reisig: Petri Nets. An Introduction. EATCS Monographs on Theoretical Computer Science, Springer-Verlag (1985).
25. D. Taubner: Finite Representation of CCS and TCSP Programs by Automata and Petri Nets. Springer-Verlag, Lecture Notes in Computer Science 369 (1989).