UvA-DARE (Digital Academic Repository) An interface group for process components

. We take a process component as a pair of an interface and a behaviour. We study the composition of interacting process components in the setting of process algebra. We formalize the interfaces of interacting process components by means of an interface group. An interesting feature of the interface group is that it allows for distinguishing between expectations and promises in interfaces of process components. This distinction comes into play in case components with both client and server behaviour are involved


Introduction
Component interfaces are a practical tool for the development of all but the most elementary architectural designs. In [9], interface groups have been proposed as a means to formalize the interfaces of the components of financial transfer architectures. The interface groups introduced in that paper concern component behaviours of a special kind, namely financial transfer behaviours of units of an organization. In this paper, we introduce an interface group which concerns behaviours of a more general kind, namely behaviours that can be viewed as processes specifiable in the process algebra known as ACP [5,11]. The behaviours in question are made up of actions. In the case at issue, the intended purpose of the interface of a component is that it allows interaction of other components with that component only through fixed actions.
An interface group is a commutative group intended for describing and analysing interfaces. The interface group introduced in this paper concerns interfaces of process components that request other components to carry out methods and grant requests of other components to carry out methods. The interfaces in question represent the abilities to grant requests that are expected from other components and the abilities to make requests that are promised to other components. The ability to make a certain request and the ability to grant that request are considered to cancel out in interfaces. Thus, having an empty interface is a sufficient condition on a process component for being a closed system. Interfaces as modelled by the interface group introduced in this paper have less structure than the signatures used as interfaces in module algebra [6]. However, module algebra does not allow for distinguishing between expectations and promises in interfaces of components. In point of fact, it has a bias towards composing components whose interfaces concern promises only.
We also present a theory about process components of which the interface group introduced forms part. Like any notion of component, the notion of process component underlying this theory combines interface with content: a process component is considered a pair of an interface and a behaviour. Processes as considered in ACP are taken as the behaviours of process components. Therefore, the theory concerned is a development on top of ACP. However, additional assumptions are made about the actions of which the processes are made up. Three kinds of actions are distinguished: the acts of making requests referred to above, the acts of granting requests referred to above, and the acts of carrying out methods which result from making a request and granting that request at the same time. The use of the presented theory about process components is illustrated by means of examples. A model of the theory is constructed, using a notion of bisimilarity for process components.
In the presented theory about process components, composition of process components is in general not associative. Little can be done about this because turning a process into a component by adding an interface to it inevitably results in encapsulation of the process. However, composition of process components is associative when a certain condition on the process components in question is fulfilled. We couch this in a special associativity axiom for component composition.
In the presented theory about process components, processes reside at places, called loci, and requests and grants are addressed to the processes residing at a certain locus. If the processes that are taken as the behaviours of process components are looked at in isolation, it may be convenient to abstract from the loci at which they reside. This abstraction gives rise to another kind of processes. We treat this kind of processes, referred to as localized processes, as well.
A system composed of a collection of process components is a closed system if the actions that make up its behaviour include neither acts of making requests nor acts of granting requests. It is generally undecidable whether a system composed of a collection of process components is a closed system. This state of affairs forms part of the motivation for developing the theory about process components presented in this paper. In the presented theory, having an empty interface is a sufficient condition for being a closed system and it is decidable whether an interface is empty.
The structure of this paper is as follows. First, we review ACP (Section 2) and guarded recursion in the setting of ACP (Section 3), and present the actions that make up the processes being considered in later sections (Section 4). Next, we introduce a theory about integers (Section 5) and a theory about interfaces (Section 6). Then, we extend ACP, using the theories just introduced, to a theory about process components (Section 7). Following this, we go into the matter that component composition is in gen-eral not associative (Section 8) and discuss the connection between empty interfaces and closed systems (Section 9). After that, we give two examples of the use of the presented theory about process components (Sections 10 and 11). Thereupon, we introduce a notion of bisimilarity for process components (Section 12) and construct a model of the presented theory about process components using this notion of bisimilarity (Section 13). Following that, we extend the theory about process components developed so far with localized processes (Section 14). Finally, we make some concluding remarks (Section 15).

Algebra of Communicating Processes
In this section, we shortly review ACP (Algebra of Communicating Processes), the algebraic theory about processes that was first presented in [7]. For a comprehensive overview of ACP, the reader is referred to [11]. Although ACP is one-sorted, we make this sort explicit. The reason for this is that we will extend ACP to a theory with four sorts in Section 7.
In ACP, it is assumed that a fixed but arbitrary finite set of actions A, with δ ∈ A, has been given. We write A δ for A ∪ {δ}. It is further assumed that a fixed but arbitrary commutative and associative communication function | : A δ × A δ → A δ , with δ | a = δ for all a ∈ A δ , has been given. The function | is regarded to give the result of synchronously performing any two actions for which this is possible, and to be δ otherwise.
ACP has one sort: the sort P of processes. To build terms of sort P, ACP has the following constants and operators: • the deadlock constant δ : P; • for each a ∈ A, the action constant a : P; • the binary alternative composition operator + : P × P → P; • the binary sequential composition operator · : P × P → P; • the binary parallel composition operator : P × P → P; • the binary left merge operator ⌊⌊ : P × P → P; • the binary communication merge operator | : P × P → P; • for each H ⊆ A, the unary encapsulation operator ∂ H : P → P.
Terms of sorts P are built as usual for a one-sorted signature (see e.g. [22,19]) Throughout the paper, we assume that there are infinitely many variables of sort P, including x, y, z, x ′ , y ′ and z ′ .
We use infix notation for the binary operators. The following precedence conventions are used to reduce the need for parentheses. The operator + binds weaker than all other binary operators to build terms of sort P and the operator · binds stronger than all other binary operators to build terms of sort P.
Let P and Q be closed terms of sort P, a ∈ A, and H ⊆ A. Intuitively, the constants and operators to build terms of sort P can be explained as follows: • δ can neither perform an action nor terminate successfully; • a first performs action a and then terminates successfully; • P + Q behaves either as P or as Q, but not both; Table 1. Axioms of ACP • P · Q first behaves as P and on successful termination of P it next behaves as Q; • P Q behaves as the process that proceeds with P and Q in parallel; • P ⌊⌊ Q behaves the same as P Q, except that it starts with performing an action of P ; • P | Q behaves the same as P Q, except that it starts with performing an action of P and an action of Q synchronously; • ∂ H (P ) behaves the same as P , except that actions from H are blocked.
We write i∈I P i , where I = {i 1 , . . . , i n } and P i 1 , . . . , P in are terms of sort P, for P i 1 + . . . + P in . The convention is that i∈I P i stands for δ if I = ∅.
The axioms of ACP are the axioms given in Table 1. CM2-CM3, CM5-CM7, C1-C3 and D1-D4 are actually axiom schemas in which a, b and c stand for arbitrary constants of sort P (keep in mind that also the deadlock constant belongs to the constants of sort P) and H stands for an arbitrary subset of A.
For the main models of ACP, the reader is referred to [5].

Guarded Recursion
In this section, we shortly review guarded recursion in the setting of ACP. Not all processes in a model of ACP have to be interpretations of closed terms of sort P. Those processes may be definable over ACP. A process in some model of ACP is definable over ACP if there exists a guarded recursive specification over ACP of which that process is the unique solution.
A recursive specification over ACP is a set of recursion equations {X = t X | X ∈ V } where V is a set of variables of sort P and each t X is a term of sort P from the language of ACP that only contains variables from V . Let E be a recursive specification over ACP. Then we write V(E) for the set of all variables that occur on the left-hand side of an equation in E. A solution of a recursive specification E Let t be a term of sort P from the language of ACP containing a variable X. Then an occurrence of X in t is guarded if t has a subterm of the form a · t ′ where a ∈ A and t ′ is a term containing this occurrence of X. Let E be a recursive specification over ACP. Then E is a guarded recursive specification if, in each equation X = t X ∈ E, all occurrences of variables in t X are guarded or t X can be rewritten to such a term using the axioms of ACP in either direction and/or the equations in E except the equation X = t X from left to right. We are only interested in models of ACP in which guarded recursive specifications have unique solutions.
For each guarded recursive specification E and each variable X ∈ V(E), we introduce a constant of sort P standing for the unique solution of E for X. This constant is denoted by X|E . We often write X for X|E if E is clear from the context. In such cases, it should also be clear from the context that we use X as a constant.
The additional axioms for recursion are given in Table 2. In this table, we write t X |E for t X with, for all Y ∈ V(E), all occurrences of Y in t X replaced by Y |E . Both RDP and RSP are axiom schemas. Side conditions are added to restrict the variables, terms and guarded recursive specifications for which X, t X and E stand. The equations X|E = t X |E for a fixed E express that the constants X|E make up a solution of E. The conditional equations E ⇒ X = X|E express that this solution is the only one. RDP and RSP were first formulated in [8].
We write ACP+REC for ACP extended with the constants standing for the unique solutions of guarded recursive specifications and the axioms RDP and RSP.

ACP for Cooperating Components
In this paper, we consider process components that cooperate by making and granting requests to carry out methods. The processes that are taken as the behaviours of these components are not made up of arbitrary actions. In this section, we introduce the instance of ACP that is restricted to the intended actions. This instance is called ACP CC (ACP for Cooperating Components).
Three kinds of actions are distinguished in ACP CC : active actions, passive actions and neutral actions. The active actions may be viewed as requests to carry out some method and the passive actions may be viewed as grants of requests to carry out some method. Making a request to carry out some method and granting that request at the same time results in carrying out the method concerned. The initiative in carrying out the method is considered to be taken by the process making the request. This explains why the request is called an active action and its grant is called a passive action. The neutral actions may be viewed as the results of making a request to carry out some method and granting that request at the same time. A process that can perform active actions only behaves as a client and a process that can perform passive actions only behaves as a server.
In ACP CC , it is assumed that a fixed but arbitrary finite set L of loci and a fixed but arbitrary finite set M of methods have been given. A locus is a place at which processes reside. Intuitively, a process resides at a locus if it is capable of performing actions in that locus. The same process may reside at different loci at once. Moreover, different processes may reside at the same locus at once. Therefore, we do not necessarily refer to a unique process if we refer to a process residing at a given locus.
Because processes may be composed of other processes, it needs no explaining that different processes may reside at the same locus at once. Taken for processes themselves, as usual in process algebra, protocols in which processes at different loci are involved are obvious examples of processes that may reside at different loci at once.
In ACP CC , the set of actions A consists of: • for each f, g ∈ L and m ∈ M, the active action f.m@g; • for each f, g ∈ L and m ∈ M, the passive action ∼f.m@g; • for each f, g ∈ L and m ∈ M, the neutral action f.m@g.
Intuitively, these actions can be explained as follows: • f.m@g is the action by which a process residing at locus g requests a process residing at locus f to carry out method m; • ∼g.m@f is the action by which a process residing at locus f grants a request of a process residing at locus g to carry out method m; • f.m@g is the result of performing f.m@g and ∼g.m@f at the same time.
In ACP CC , the communication function | : A δ × A δ → A δ is such that for all f, g ∈ L and m ∈ M: • f.m@g | ∼g.m@f = f.m@g; • f.m@g | a = δ for all a ∈ A \ {∼g.m@f }; • a | ∼g.m@f = δ for all a ∈ A \ {f.m@g}; The receive actions and send actions commonly used for handshaking communication of data, see e.g. [5], can be viewed as requests to carry out some communication method and grants of such requests, respectively. However, the current set-up requires that it is made explicit what are the loci at which the sender and receiver involved reside.
Performing an active action f.m@g and a passive action ∼g.m@f simultaneously is not an instance of CCS-like communication: the prefixing of ∼ to g.m@f does not make it the complementary action of g.m@f .
The chosen forms of active actions and passive actions is among other things connected with the fact that actions of the forms f.m and ∼f.m will be introduced in Section 14 to permit abstraction from the loci at which processes reside if they are looked at in isolation.

Integers
In this section, we present an algebraic theory about integers which will be used in later sections. The presented theory is called INT.
INT has one sort: the sort Z of integers. To build terms of sort Z, INT has the following constants and operators: • the constant 0 : Z; • the constant 1 : Z; • the binary addition operator + : Z × Z → Z; • the unary additive inverse operator − : Z → Z; • the unary signum operator sg : Z → Z.
Terms of sort Z are built as usual for a one-sorted signature. Throughout the paper, we assume that there are infinitely many variables of sort Z, including k, l and n.
As usual, we use infix notation for the binary operator + and prefix notation for the unary operator −. The following additional precedence convention is used to reduce the need for parentheses. The operator + binds weaker than the operator −.
The constants and operators of INT are adopted from integer arithmetic and need no further explanation. The operator sg is useful where a distinction between positive integers, negative integers and zero must be made.
The axioms of INT are the axioms given in Table 3. Axioms INT1-INT4 are the axioms of a commutative group. Axioms SG1-SG4 are the defining axioms of sg.
The initial model of INT is considered the standard model of INT.

Interface Group for Cooperating Components
In this section, we present an algebraic theory about interfaces. The presented theory is called IFG CC . In Section 7, we will consider process components which are taken as pairs of an interface and a process that is made up of active actions, passive actions, and neutral actions. Interfaces are built from two kinds of interface elements. The set of interface elements consists of: • for each f, g ∈ L and m ∈ M, the active interface element f.m@g; • for each f, g ∈ L and m ∈ M, the passive interface element ∼f.m@g.
We write IFE for the set of all interface elements. Obviously, IFE is a proper subset of A. The interface elements are those actions that are allowed to occur in interfaces. The interface part of a process component consists of the active and passive actions that the process part of that process component may be capable of performing. Thus, the interface part of a process component serves its intended purpose: it allows interaction of other process components with that process component only through the active and passive actions occurring in it. The interface elements f.m@g and ∼g.m@f are considered each other inverses. That is, if both occur in an interface, they cancel out.
Active interface elements are usually included in the interface of a process component to couch that it expects the ability to grant certain requests from the environment in which it is put. Passive interface elements are usually included in the interface of a process component to couch that it promises the ability to make certain requests to the environment in which it is put. The environment in which the process component is put may be composed of different process components. To couch that it expects an ability from a number of process components or it promises an ability to a number of process components, the relevant interface element is included the number of times concerned in the interface of the process component.
In Section 7, we shall see that the choice to permit multiple occurrences of interface elements fits in very well with our intention to arrive at process components that are always composable. In work on components, it is common that components are not always composable. This is generally caused by the exclusion of multiple occurrences of interface elements (cf. [2]). An example of the need for multiple occurrences of interface elements in interfaces of process components is found in Section 11.
The distinction between active interface elements and passive interface elements made here is a case of distinction between expectations and promises because interface elements are actions that process components may be capable of performing. If the interface elements would be actions that process components must be capable of performing, it would be a case of distinction between requirements and provisions.
Interfaces can be considered multisets over the set of all active interface elements in which multiplicities of elements may be negative too, since occurrences of passive interface elements in an interface can be counted as negative occurrences of their inverses.
IFG CC has the sort Z from INT and in addition the sort I of interfaces. To build terms of sort I, IFG CC has the following constants and operators: • the empty interface constant 0 : I; • for each e ∈ IFE, the interface element constant e : I; • the binary interface combination operator + : I × I → I; • the unary interface inversion operator − : I → I.
To build terms of sort Z, IFG CC has the constants and operators of INT and in addition the following operator: • for each f, g ∈ L and m ∈ M, the unary multiplicity operator # f.m@g : I → Z.
Terms of the sorts I and Z are built as usual for a many-sorted signature (see e.g. [22,19]). Throughout the paper, we assume that there are infinitely many variables of sort I, including i, j and h.
We use infix notation for the binary operator + and prefix notation for the unary operator −. The following precedence convention is used to reduce the need for parentheses. The operator + binds weaker than the operator −.
Let I and J be closed terms of sort I, f, g ∈ L, and m ∈ M. Viewing interfaces as multisets with multiplicities from Z, the constants and operators of IFG CC to build terms of sort I can be explained as follows: • 0 is the interface in which the multiplicity of each active interface element is 0; • f.m@g is the interface in which the multiplicity of f.m@g is 1 and the multiplicity of each other active interface element is 0; • ∼f.m@g is the interface in which the multiplicity of g.m@f is −1 and the multiplicity of each other active interface element is 0; • I + J is the interface in which the multiplicity of each active interface element is the addition of its multiplicities in I and J; • −I is the interface in which the multiplicity of each active interface element is the additive inverse of its multiplicity in I.
The operators # f.m@g , one for each f, g ∈ L and m ∈ M, can simply be explained as follows: • # f.m@g (I) is the multiplicity of f.m@g in I.
We write i∈I I i , where I = {i 1 , . . . , i n } and I i 1 , . . . , I in are terms of sort I, for I i 1 + . . . + I in . The convention is that i∈I I i stands for 0 if I = ∅.
The axioms of IFG CC are the axioms of INT and the axioms given in Table 4. IFG5 and M1-M5 are actually axiom schemas in which f and g stand for arbitrary members of L and m stands for an arbitrary member of M. Axioms IFG1-IFG4 are the axioms of a commutative group and axiom IFG5, called the reflection law, states that ∼g.m@f is taken as the inverse of f.m@g. Axioms M1-M5 are the defining axioms of # f.m@g .
The initial model of IFG CC is considered the standard model of IFG CC . Other interface groups for cooperating components are conceivable. For example, adding i + i = 0, or equivalently i = −i, to the axioms of IFG CC yields an interface group with torsion. This addition means that no distinction is made between an active interface element and the passive interface element that is its inverse. This is not unfamiliar. IFG CC without torsion goes with the observable actions of CCS [17], whereas IFG CC with torsion goes with the events of CSP [13].

Algebra of Cooperating Components
In this section, we take up the extension of ACP CC to a theory about process components. The result is called ACC (Algebra of Cooperating Components).
Recall that active actions may be viewed as requests to carry out some method, passive actions may be viewed as grants of requests to carry out some method, and making a request to carry out some method and granting that request simultaneously may be viewed as carrying out the method concerned.
Passive actions, active actions and neutral actions correspond with input actions, output actions and internal actions in formalisms based on I/O automata [14]. In those formalisms, an active action, its matching passive action, and the neutral action resulting from performing them simultaneously are viewed as the same action in different roles. Moreover, an action cannot have different roles in the same component and two components are only composable if, for each action shared by them, the role of the action is active in one and passive in the other. By viewing an action in its different roles as different actions and using the interface group introduced in Section 6, we can dispose of these restrictions on components and their composition in ACC.
In the preceding sections, we have already been gone into some of the general ideas that underlie the design of ACC. Those ideas, which concern the interfaces and behaviours of process components, can be summarized as follows: • behaviours of process components are processes made up of three kinds of actions: active actions, passive actions and neutral actions; • for each active action, there is a unique passive action with which it can be performed synchronously, and vice versa; • interfaces of process components consist of active and passive actions that the process components may be capable of performing; • looked upon as an interface element, each active action has the passive action with which it can be performed synchronously as its inverse, and vice versa; • in interfaces of process components, there may be elements with multiple occurrences.
The remaining general ideas concern the process components by themselves: • if a process is turned into a process component by adding an interface to it, the process is restricted by the interface with respect to the active and passive actions that it can perform to force that the behaviour of the process component complies with its interface; • if two process components are composed, the interface of the composed process component is the combination of the interfaces of the two process components and the behaviour of the composed process component is the parallel composition of the behaviours of the two process components restricted by the combination of the interfaces of the two process components.
The point of view on the composition of two process components implies that every interaction between the composed process components amounts to performing an active action occurring in the interface of one and a matching passive action occurring in the interface of the other simultaneously. It also implies that, if all occurrences of an (active or passive) action in the interface of a process component are cancelled out by composition with another process component, this action is blocked in the behaviour of the composition of these process components. The blocking of the action takes place even if its inverse is not included in the actions that make up the behaviour of the other process component. It is possible that the inverse is not included because the interfaces concern expectations and promises instead of requirements and provisions (see also Section 6). The way in which is dealt with this possibility can be explained as follows: (i) if a promised ability to make a request is not provided, making the request is blocked and (ii) if an expected ability to grant a request is not required, granting the request is blocked. Notice further that, if not all occurrences of an action in the interface of a process component are cancelled out by composition with another process component, this action is not blocked in the behaviour of the composition of these process components. A similar effect is achieved by the constraints from the component model presented in [20].
ACC has the sort P from ACP CC , the sorts I and Z from IFG CC , and in addition the sort C of components. To build terms of sort C, ACC has the following operators: • the binary basic component operator c : I × P → C; • the binary component composition operator : To build terms of sort P, ACC has the constants and operators of ACP CC and in addition the following operator: • the binary interface compliant encapsulation operator ∂ : I × P → P.
To build terms of sort I, ACC has the constants and operators of IFG CC to build terms of sort I. To build terms of sort Z, ACC has the constants and operators of IFG CC to build terms of sort Z.
Terms of the different sorts are built as usual for a many-sorted signature. Throughout the paper, we assume that there are infinitely many variables of sort C, including u, v, u ′ and v ′ .
We use infix notation for the binary operator . We write ∂ I (P ), where I is a term of sort I and P is a term of sort P, for ∂ (I, P ).
Let C and D be closed terms of sort C, P be a closed term of sort P, and I be a closed term of sort I. Viewing interfaces as multisets with multiplicities from Z, the operators of ACC to build terms of sort C can be explained as follows: • c(I, P ) is the process component of which the interface is I and the behaviour is P , except that active actions of which the multiplicity in I is not positive and passive actions with an inverse of which the multiplicity in I is not negative are blocked; • C D, is the process component of which the interface is the combination of the interfaces of C and D and the behaviour is the parallel composition of the behaviours of C and D, except that active actions of which the multiplicity in the combination of the interfaces of C and D is not positive and passive actions with an inverse of which the multiplicity in the combination of the interfaces of C and D is not negative are blocked.
The operator ∂ can be explained as follows: • ∂ I (P ) behaves the same as P , except that active actions of which the multiplicity in I is not positive and passive actions with an inverse of which the multiplicity in I is not negative are blocked.
The operator ∂ is an auxiliary operator used in the axioms concerning process components. The axioms of ACC are the axioms of ACP, the axioms of IFG CC , and the axioms given in Table 5. E1-E7 are actually axiom schemas in which f and g stand for arbitrary members of L and m stands for an arbitrary member of M. Axioms CC1 and CC2 are axioms concerning process components and axioms E1-E10 are the defining axioms of the auxiliary operator ∂ . Together they formalize the intuition about process components given above in a direct way. It is only because they are used in axioms E1-E6 that the multiplicity operators # f.m@g are included in the theory IFG CC and the signum operator sg is included in the theory INT.
Guarded recursion can be added to ACC as it is added to ACP in Section 3. We write ACC+REC for ACC extended with the constants standing for the unique solutions of guarded recursive specifications and the axioms RDP and RSP.
In Section 13, we will construct a model of ACC+REC using a notion of bisimilarity for process components.

On the Associativity of Component Composition
In this section, we show that component composition is in general not associative and couch in a special axiom that component composition is associative when a certain condition on its operands is fulfilled.
Hence, we have that ( The associativity axiom for component composition is given in Table 6. It is not known to us whether the condition in this axiom is a necessary condition for associativity of component composition. We remark that the condition in this axiom is always fulfilled if the composition concerns components that are composable in the sense that is found in formalisms based on I/O automata.
Below, we will sketch the justification of the associativity axiom. For that purpose, we first shortly introduce the approximation induction principle, which has been introduced before in the setting of ACP.
Guarded recursion gives rise to infinite processes. In ACC+REC, closed terms of sort P that denote the same infinite process cannot always be proved equal by means of the axioms of ACC+REC.
To remedy this, we can add the approximation induction principle to ACC+REC. The approximation induction principle, AIP in short, was first formulated in the setting of ACP in [8]. It formalized the idea that two processes are identical if their approximations up to any finite depth are identical. The approximation up to depth n of a process behaves the same as that process, except that it cannot perform any further action after n actions have been performed. Approximation up to depth n is phrased in terms of the unary projection operator π n . For a comprehensive treatment of projections and AIP, the reader is referred to [5].
We proceed with the justification of the associativity axiom given in Table 6. It can be proved that all closed substitution instances of this axiom are derivable from the axioms of ACC+REC, the axioms for the projection operators and AIP. Moreover, the model B ACC+REC of ACC+REC that will be constructed in Section 13 can be expanded with operations for the projection operators such that the axioms for the projection operators and AIP hold in the expansion. Because all elements of the sets associated with the sorts P, I and C in B ACC+REC are interpretations of closed terms, it follows that the associativity axiom holds in B ACC+REC .

Closed Systems and Interfaces of Process Components
In this short section, we discuss the connection between closed systems and empty interfaces. The intuition is that a system is a closed system if the actions that make up its behaviour include neither active actions nor passive actions.
We first shortly introduce the alphabet operator, which has been introduced before in the setting of ACP.
The set of actions that can be performed by a process is called the alphabet of the process. We can add the unary alphabet operator α to ACC+REC to extract the alphabet from a process. The alphabet operator was first added to ACP+REC in [3]. To deal with infinite processes, the projection operators occur in the axioms for this operator. For a comprehensive treatment of alphabets, the reader is referred to [5].
Let I be a closed term of sort I and P be a closed term of sort P. Then c(I, P ) is a closed system if α(∂ I (P )) ⊆ {f.m@g | f, g ∈ L, m ∈ M}.
It can be proved that, for each closed term I of sort I and closed term P of sort P, the following is derivable from the axioms of ACC+REC, the axioms for the alphabet operator, the axioms for the projection operators and AIP: It is generally undecidable whether c(I, P ) is a closed system. However, it is decidable whether I = 0. This illustrates the usefulness combining a process with an interface in the way presented in this paper.

An Example
In this section, we illustrate the use of ACC by means of an example concerning buffers with capacity one. We assume a finite set D of data with e ∈ D and, for each d ∈ D, a method c d for communicating datum d. We take the element e ∈ D for an improper datum.
We consider the three buffer processes B f , B g , and B h that are defined by the guarded recursion equations ∼g.c d @h · (r.c d @h + r.c e @h) · B h , respectively. The processes B f , B g and B h always reside at the loci f , g and h, respectively. B f is able to pass data from a process residing at locus s to a process residing at locus g, B g is able to pass data from a process residing at locus f to a process residing at locus h, and B h is able to pass data from a process residing at locus g to a process residing at locus r. B f , B g and B h are faulty in the sense that they may deliver an improper datum instead of the datum to be delivered. We turn these three buffer processes into process components by adding interfaces to them. To be exact, we turn the processes B f , B g , and B h into the process components c(I f , B f ), c(I g , B g ), and We have a look at the component composition c( by the associativity axiom for component composition. It follows from axioms CC1 and CC2 that Moreover, it follows from axioms IFG1-IFG5 that ∼s.c d @f + g.c e @f + h.c e @g + d∈D r.c d @h and from axioms INT1-INT4, SG1-SG4, IFG5, M1-M5, E1-E10, and RSP that Hence, we have by axiom CC1 that It can further be shown by means of the axioms of ACP+REC that the behaviour of c(I f , B f ) (c(I g , B g ) c(I h , B h )) is essentially a buffer with capacity three. This buffer process, which resides alternately at the loci f , g and h, is able to pass data from a process residing at locus s to a process residing at locus r. It is faulty in the sense that it may deliver an improper datum instead of the datum to be delivered. Moreover, the improper datum may be delivered at the locus g or the locus h instead of the locus r.
The process component c(I f , B f ) (c(I g , B g ) c(I h , B h )) does not have an empty interface. It follows from axioms IFG1-IFG5 that composing it with a process component whose interface is d∈D\{e} f.c d @s + ∼f.c e @g + ∼g.c e @h + d∈D ∼h.c d @r would result in an empty interface. This shows that an empty interface requires composition with a process component that promises to handle the delivery of an improper datum at the loci g, h and r.

Another Example
In this section, we illustrate the use of ACC by means of an example in which a single buffer with capacity one is used to pass data between three components. We assume a finite set D of data, a function F : D → D and, for each d ∈ D, a method c d for communicating datum d. We also assume methods wa 1 , wa 2 , wa 3 , sl 1 , sl 2 and sl 3 for controlling the cooperation of the three components that share the buffer.
We consider the processes P 1 , P 2 and P 3 that are defined by the guarded recursion equations ∼s.c d @f · g.c d @f · ∼h.sl 1 @f · P 1 , P 2 = ∼h.wa 2 @f · d∈D ∼g.c d @f · g.c F (d) @f · ∼h.sl 2 @f · P 2 , P 3 = ∼h.wa 3 @f · d∈D ∼g.c d @f · r.c d @f · ∼h.sl 3 @f · P 3 , respectively. All three processes always reside at locus f . P 1 is able to pass data from a process residing at locus s to a process residing at locus g, P 2 is able to apply an operation to data hold by a process residing at locus g, and P 3 is able to pass data from a process residing at locus g to a process residing at locus r. The processes P 1 , P 2 and P 3 are called the entry process, the main process and the exit process, respectively. We also consider the buffer process B and the control process C defined by the guarded recursion equations respectively. The processes B and C always reside at the loci g and h, respectively. B is able to pass data from a process residing at locus f to a process residing at locus f and C is able to control the cooperation of three processes residing at locus f such that they take turns in doing a number of steps. We turn all these processes into process components by adding interfaces to them. To be exact, we turn P 1 , P 2 , P 3 , B and C into the process components c(I 1 , P 1 ), c(I 2 , P 2 ), c(I 3 , P 3 ), c(J, B) and c(H, C), where I 1 = d∈D (∼s.c d @f + g.c d @f ) + ∼h.wa 1 @f + ∼h.sl 1 @f , (∼g.c d @f + g.c d @f ) + ∼h.wa 2 @f + ∼h.sl 2 @f , , H = f.wa 1 @h + f.wa 2 @h + f.wa 3 @h + f.sl 1 @h + f.sl 2 @h + f.sl 3 @h .
Notice that g.c d @f occurs once in both I 1 and I 2 and ∼g.c d @f occurs once in both I 2 and I 3 , whereas their inverses occur twice in J.
We have a look at c(I 1 , P 1 ) (c(I 2 , P 2 ) (c(I 3 , P 3 ) (c(J, B) c(H, C)))). It follows from the axioms of ACC+REC that This would not be case if ∼f.c d @g and f.c d @g would occur only once in J. The behaviour of c(I 1 , P 1 ) (c(I 2 , P 2 ) (c(I 3 , P 3 ) (c(J, B) c(H, C)))) is essentially a process that is able to receive data from a process residing at locus s, apply F to the received data, and send the results to a process residing at locus r. Each cycle of the process is accomplished as follows: first P 1 receives a datum and puts it in buffer B, then P 2 gets the datum from buffer B, applies F to it and put the result back in buffer B, and finally P 3 gets the result from buffer B and sends the result. C controls that P 1 , P 2 and P 3 do not start their part of the cycle prematurely.

Bisimilarity of Process Components
In this section, we give a structural operational semantics for ACC+REC and define a notion of bisimilarity based on it. This notion of bisimilarity will be used in Section 13 to construct a model of ACC+REC.
Henceforth, we will write T S , where S ∈ {P, I, C}, for the set of all closed terms of sort S from the language of ACC+REC. Moreover, we will write T INT Z for the set of all closed terms of sort Z from the language of INT.
The following relations are the primary relations used in the structural operational semantics of ACC+REC: • a unary relation a − → p √ ⊆ T P , for each a ∈ A; • a binary relation a − → p ⊆ T P × T P , for each a ∈ A; • a unary relation f.m@g ⊏ − N ⊆ T I , for each f, g ∈ L, m ∈ M and N ∈ T INT Z ; • a binary relation hasIF ⊆ T C × T I ; • a unary relation a − → c √ ⊆ T C , for each a ∈ A; • a binary relation The relations can be explained as follows: • P a − → p √ : process P is capable of first performing a and then terminating successfully; • P a − → p P ′ : process P is capable of first performing a and then proceeding as process P ′ ; • f.m@g ⊏ − N I: f.m@g occurs N times in interface I; • C hasIF I: the interface of component C is I; • C a − → c √ : component C is capable of first performing a and then terminating successfully; • C a − → c C ′ : component C is capable of first performing a and then proceeding as component C ′ .
The following relations are auxiliary relations used in the structural operational semantics of ACC+ REC: • a unary relation f.m@g ⊏ − + ⊆ T I , for each f, g ∈ L and m ∈ M; • a unary relation f.m@g ⊏ − − ⊆ T I , for each f, g ∈ L and m ∈ M; • a unary relation f.m@g ⊏ − + IF ⊆ T C , for each f, g ∈ L and m ∈ M; • a unary relation f.m@g ⊏ − − IF ⊆ T C , for each f, g ∈ L and m ∈ M.
We write f.m@g ⊏ − + I and f.m@g ⊏ − − I instead of I ∈ f.m@g ⊏ − + and I ∈ f.m@g ⊏ − − , respectively. We write f.m@g ⊏ − + IF(C) and f.m@g ⊏ − − IF(C) instead of C ∈ f.m@g ⊏ − + IF and C ∈ f.m@g ⊏ − − IF, respectively. The relations can be explained as follows: The structural operational semantics of ACC+REC is described by the rules given in Tables 7 and 8.
The following uniqueness property of the relations f.m@g ⊏ − N will be used in Section 13 to construct a model of ACC+REC.

Proof:
Straightforward, by induction on the structure of I.

⊓ ⊔
A bisimulation B is a triple of symmetric binary relations B P ⊆ T P × T P , B I ⊆ T I × T I , and B C ⊆ T C × T C such that: • if B P (P 1 , P 2 ) and P 1 a − → p P ′ 1 , then there exists a P ′ 2 ∈ T P such that P 2 a − → p P ′ 2 and B P (P ′ 1 , P ′ 2 ); • if B I (I 1 , I 2 ) and f.m@g ⊏ − N 1 I 1 , then there exists an N 2 ∈ T INT Z such that f.m@g ⊏ − N 2 I 2 and N 1 = N 2 ; • if B C (C 1 , C 2 ) and C 1 hasIF I 1 , then there exists an I 2 ∈ T I such that C 2 hasIF I 2 and B I (I 1 , I 2 ); Table 8. Additional rules for operational semantics of ACC+REC Let S ∈ {P, I, C}, and let t 1 , t 2 ∈ T S . Then t 1 and t 2 are bisimilar, written t 1 ↔ t 2 , if there exists a bisimulation B such that B S (t 1 , t 2 ).
The following congruence property of bisimilarity will be used in Section 13 to construct a model of ACC+REC.

Theorem 12.1. (Congruence)
Bisimilarity is a congruence with respect to the operators of ACC+REC to build terms of sort P, I or C.

Proof:
In the terminology of [16], Z is a given sort and the relations f.m@g ⊏ − N , one for each N ∈ T INT Z , constitute a relation parametrized by closed terms of the sort Z. Because Z is a given sort, we can safely identify closed terms of sort Z that are semantically equivalent and replace the third property of bisimulations given above to: Because the relations f.m@g ⊏ − N constitute a relation parametrized by closed terms of a given sort, we can safely replace the rules for the operational semantics with the conclusions f.m@g ⊏ − + i and f.m@g ⊏ − − i by the rules where N stands for an arbitrary closed term from T INT Z . By these replacements, bisimilarity becomes an instance of bisimilarity by the definition given in [16] and the rules for the operational semantics of ACC+REC become a complete transition system specification in panth format by the definitions given in [16]. Hence, it follows by Theorem 4 from [16] that bisimilarity is a congruence with respect to all operators of ACC+REC to build terms of sort P, I or C. ⊓ ⊔

A Bisimulation Model of ACC+REC
In this section, we construct a model of ACC+REC using the notion of bisimilarity defined in Section 12. It is a model in which all processes are finitely branching, i.e. they have at any stage only finitely many alternatives to proceed. Henceforth, we will write I INT for the initial model of INT, and Z for the set associated with the sort Z in I INT .
The bisimulation model B ACC+REC is the expansion of I INT , the initial model of INT, with • for each sort S ∈ {P, I, C}, the set T S / ↔ ; • for each constant ♦ 0 : S of ACC+REC with S ∈ {P, I, C}, the element ♦ 0 ∈ T S / ↔ defined by • for each operator ♦ 1 : S → S ′ of ACC+REC with S, S ′ ∈ {P, I, C}, the operation ♦ 1 : • for each operator ♦ 2 : S × S ′ → S ′′ of ACC+REC with S, S ′ , S ′′ ∈ {P, I, C}, the operation • for each operator # f.m@g :I → Z with f, g ∈ L and m ∈ M, the operation # f.m@g : The well-definedness of the operations associated with the operators of ACC+REC in B ACC+REC follows immediately from Theorem 12.1, except for the operations associated with the operators # f.m@g . The well-definedness of the operations associated with the operators # f.m@g in B ACC+REC follows immediately from Lemma 12.1 and the definition of bisimilarity.
We have the following soundness result.

Theorem 13.1. (Soundness)
Let S ∈ {Z, P, I, C} and let t, t ′ ∈ T S . Then t = t ′ is derivable from the axioms of ACC+REC only if t = t ′ holds in B ACC+REC .

Proof:
It is sufficient to prove the soundness of each axiom separately. Because B ACC+REC is an expansion of I INT , it is not necessary to prove the soundness of the axioms of INT. For each of the remaining axioms except M1-M5, soundness is easily proved by constructing a witnessing bisimulation (for the witnessing bisimulations for the axioms of ACP+REC, see e.g. [4]). What remains are the proofs for axioms M1-M5. The soundness of these axioms follow immediately from the definition of # f.m@g and the rules of the operational semantics.

⊓ ⊔
We have a completeness result in the case where only finite guarded recursive specifications are used in which the right-hand sides of the equations are linear. Linearity of terms of sort P is inductively defined as follows: • δ is linear; • if a ∈ A, then a is linear; • if a ∈ A and X is a variable, then a · X is linear; • if t and t ′ are linear, then t + t ′ is linear.
A linear recursive specification over ACP is a guarded recursive specification {X = t X | X ∈ V } over ACP in which each t X is linear. We write T flin S , where S ∈ {Z, P, I, C}, for the set of all closed terms of sort S from the language of ACC+REC with the constants for solutions of guarded recursive specifications restricted to the ones for solutions of finite linear recursive specifications.

Theorem 13.2. (Completeness)
Let S ∈ {Z, P, I, C}, and let t, t ′ ∈ T flin S . Then t = t ′ is derivable from the axioms of ACC+REC if t = t ′ holds in B ACC+REC .

Proof:
B ACC+REC is an expansion of the initial model of INT and, for each S ∈ {P, I, C} and t, t ′ ∈ T S , t = t ′ holds in B ACC+REC iff t ↔ t ′ . Therefore, it is sufficient to prove that, for each S ∈ {P, I, C} and t, t ′ ∈ T flin S , t = t ′ is derivable from the axioms of ACC+REC if t ↔ t ′ . We will only give a brief outline of the proof.
Assume that the axioms of IFG CC , the axioms of ACP+REC, and the axioms of ACC+REC have the following properties: 1. for each t ∈ T flin C from the language of ACC+REC, there exist a t ′ ∈ T flin I from the language of IFG CC and a t ′′ ∈ T flin P from the language of ACP+REC such that t = c(t ′ , t ′′ ) is derivable from the axioms of ACC+REC; 2. for each S ∈ {P, I, C} and t, t ′ ∈ T flin S from the language of ACC+REC, t = t ′ is derivable from the axioms of ACC+REC only if t ↔ t ′ ; 3. for each t ′ , s ′ ∈ T flin I from the language of IFG CC and t ′′ , s ′′ ∈ T flin P from the language of ACP+REC, 5. for each t, t ′ ∈ T flin P from the language of ACP+REC, t = t ′ is derivable from the axioms of ACP+REC if t ↔ t ′ .
Then, for each S ∈ {P, I, C} and t, t ′ ∈ T flin S from the language of ACC+REC, t = t ′ is derivable from the axioms of ACC+REC if t ↔ t ′ . 1 Hence, in order to prove the theorem, properties 1 to 5 have to be proved yet. It is straightforward to prove property 1, and property 2 is a corollary of Theorem 13.1. Owing to operational conservativity, which is easily proved using Theorem 8 from [16], both bisimilarity as induced by the rules for the operational semantics with regard to the terms from the language of IFG CC and bisimilarity as induced by the rules for the operational semantics with regard to the terms from the language of ACP+REC agree with bisimilarity as induced by the rules for the operational semantics with regard to the terms from the language of ACC+REC. Using this and known results such as Theorem 4.4.1 from [11], it is straightforward to prove property 3, 4 and 5.

Localized Processes
If processes are looked at in isolation, it is convenient to abstract from the loci at which they reside. This brings us to consider processes made up of actions of the forms f.m and ∼f.m. These processes are called localized processes. In this section, we extend ACC with localized processes. The resulting theory is called ACC lp .
Henceforth, actions from A will also be called non-localized actions, and processes made up of actions from A will also be called non-localized processes.
In ACC lp , we have, in addition to the set A of non-localized actions, the set LA of localized actions consisting of: • for each f ∈ L and m ∈ M, the active localized action f.m; • for each f ∈ L and m ∈ M, the passive localized action ∼f.m.
Intuitively, these localized actions can be explained as follows: • f.m is the action by which a localized process requests a process residing at locus f to carry out method m; • ∼f.m is the action by which a localized process grants a request of a process residing at locus f to carry out method m.
It is not possible to perform localized actions synchronously. Different from ACC, ACC lp has two sorts of processes. That is, ACC lp has the sorts C, P, I and Z from ACC, and in addition the sort LP of localized processes. To build terms of sort C, ACC lp has the constants and operators of ACC to build terms of sort C. To build terms of sort P, ACC lp has the constants and operators of ACC to build terms of sort P and in addition the following operators: • for each f ∈ L, the unary placement operator @ f : LP → P.
To build terms of sort LP, ACC lp has the following constants and operators: • the deadlock constant δ : LP; • for each a ∈ LA, the localized action constant a : LP; • the binary alternative composition operator + : LP × LP → LP; • the binary sequential composition operator · : LP × LP → LP; • the binary parallel composition operator : LP × LP → LP; • the binary left merge operator ⌊⌊ : LP × LP → LP; • for each H ⊆ A, the unary encapsulation operator ∂ H : LP → LP.
To build terms of sort I, ACC lp has the constants and operators of ACC to build terms of sort I. To build terms of sort Z, ACC lp has the constants and operators of ACC to build terms of sort Z.
Terms of the different sorts are built as usual for a many-sorted signature. We assume that there are infinitely many variables of sort LP, including r, s, r ′ and s ′ .
The constants and operators to build terms of sort LP need no further explanation. They differ from the constants and operators to build terms of sort P in that: (i) the (non-localized) action constants are replaced by the localized action constants and (ii) the communication merge operator | is removed. Table 9. Axioms for placement of localized processes Let L be a closed term of sort LP. Intuitively, the operators @ f can be explained as follows: • @ f (L) behaves as L with each action g.m replaced by g.m@f and each action ∼g.m replaced by ∼g.m@f .
In other words, @ f turns localized processes into non-localized processes by placing them as a whole in locus f . The axioms of ACC lp are the axioms of ACC, the axioms given in Tables 9 and 10, and copies of axioms A1-A7, CM2-CM4 and D1-D4 from Table 1 with x, y and z replaced by different variables of sort LP, a standing for an arbitrary constant of sort LP and H standing for an arbitrary subset of LA. Axioms P1-P5 are the defining axioms of @ f . Axiom M1 replaces axiom CM1. The latter axiom is not suited for the localized case because it is not possible to perform localized actions synchronously.
Guarded recursion can be added to ACC lp as it is added to ACP in Section 3. We write ACC lp +REC for ACC lp extended with the constants standing for the unique solutions of guarded recursive specifications and the axioms RDP and RSP.
As an example of a localized process, we give the localized buffer process B ′ defined by the guarded recursion equation If g and h are different loci, then the processes @ g (B ′ ) and @ h (B ′ ) reside at different loci, but apart from that they are the same. The connection between B ′ and the buffer process B defined in Section 11 is couched in the equation B = @ g (B ′ ), which is derivable from the axioms of ACC lp +REC. The placement operators are primarily useful in cases where 'copies' of the same process coexist at different loci. However, they are also useful otherwise to obtain more terse descriptions of processes. Much more complicated processes than buffers with capacity one are needed to illustrate this. In the structural operational semantics of ACC lp +REC, the following relations are used in addition to the ones used in the structural operational semantics of ACC+REC: • a unary relation a − → lp √ ⊆ T LP , for each a ∈ LA; • a binary relation a − → lp ⊆ T LP × T LP , for each a ∈ LA.  • L a − → lp √ : localized process L is capable of first performing a and then terminating successfully; • L a − → p L ′ : localized process P is capable of first performing a and then proceeding as localized process P ′ .
The structural operational semantics of ACC lp +REC is described by the rules for the operational semantics of ACC+REC, the rules given in Table 11, and copies of the rules without the side-condition a | b = c from Table 7

Conclusions
In this paper, we have built on earlier work on ACP and earlier work on interface groups. ACP was first presented in [7] and interface groups were proposed in [9]. We have introduced an interface group for process components and have presented a theory about process components of which that interface group forms part. The presented theory is a development on top of ACP. We have illustrated the use of the theory by means of examples, and have given a bisimulation semantics for process components which justifies the axioms of the theory.
Two interesting properties of the interface group for process components introduced in this paper are: (i) the interface combination operator + is not idempotent and (ii) for each f, g ∈ L and m ∈ M, the interface element constants f.m@g and ∼g.m@f are each other inverses. Property (i) allows for expressing that a process component expects from a number of process components an ability or promises a number of process components an ability. Property (ii) allows for establishing on the basis of its interface that a process component composed of other process components is a closed system.
The distinction between active interface elements and passive interface elements made in this paper corresponds to the distinction between import services and export services made in [18]. Adaptations of module algebra [6] that allow for this kind of distinction are investigated in [10]. However, interface groups are not considered in those investigations. Processes as considered in ACP have been combined with interfaces before in µCRL [12] and PSF [15], two tool-supported formalisms for the description and analysis of processes with data. However, in µCRL and PSF, interfaces serve for determining whether descriptions of processes are well-formed only.
The intended purpose of the interface of a process component is that it allows interaction of other process components with that process component only through fixed actions. For that reason, we de-liberately refrained from including behavioural information in component interfaces. In recent work on components whose behaviours are similar to the behaviours considered in process algebra, behavioural information is included in component interfaces. The most well-known representative of a formalism for such rich interfaces is the formalism of interface automata [2]. In interface automata, the purpose of the behavioural information is to decide, given the interfaces of two components, whether there exists an environment in which the composition of those components is free of deadlock. In the case of the behaviours considered in the theory developed in this paper, this make no sense because it would require the inclusion of a complete description of the behaviour of a process component in its interface.
Several issues on which much work on component-based design focusses, such as compatibility and refinement between components, have not been considered in this paper. An interesting option for future work is to investigate those issues in the setting presented in this paper. We expect that the technique to make use of redundancy in a context introduced in the setting of ACP in [21] can be useful for checking whether two components are compatible. We expect that an extension of the theory developed in this paper with abstraction, in a way similar to the extension of ACP with abstraction in [5], is needed for verifying whether one component refines another component. The extension in question makes it possible to make use of the algebraic verification techniques that exist for ACP with abstraction.