An Improved Failures Model for C o m m u n i c a t i ng Processes

*, We extend the failures inode] of communicating processes to allow' a more satisfactory treatment of divergence in addition to deadlock. The relationship between the revised model and the old model is discussed, and we make some connections with various models proposed by other authors.

The papers [3,4] introduced the failure sets model for communicating sequential processes. This model, an extension of the traces model of [13], was able to represent nondeterministic behaviour in a simple but effective way. We showed how to use this model to give a denotational semantics to an abstract version of Hoare's language CSP [14], and used it to prove some theorems about the behaviour of programs. The model enjoyed many elegant mathematical properties, which facilitated formal manipulation and derivation of process properties.
The failures model of processes is able to support a formal treatment of deadlock properties. A process is said to deadlock if it reaches a stage where it is unable to participate further in events; this property is captured very simply by the failures model, since a potential deadlock corresponds to the ability to refuse all events and this is reflected directly in the structure of the failure set of a process. However, there are problems associated with the treatment in this model of the phenomenon of divergence. A process diverges when it is engaged in an infinite unbroken sequence of internal actions invisible to its work in a more general context. This section also contains some conclusions and points the way forward to future research.
For obvious reasons the contents of this paper overlaps the material of [3,4] to a substantial degree. In order to avoid too much repetition, and to restrict the length of this paper, much of the material of the earlier papers is assumed.

Notation.
Throughout this paper we will use the following conventions in notation. Given a set E of events, the set of finite sequences or traces over £ will be denoted E*. We use a, 6, c to range over E, and s,t,u to range over E*. The empty sequence is (), and the sequence with elements a\,..., a n in that order is written (a\,..., a n ), although sometimes we may omit the braces and write a\.. .a n . Given traces s and t, we write at for their concatenation. We say 5 < t (s is a prefix of t) if there is a trace u such that su -t; such a trace u is called a suffix of t. The powerset of E is denoted P(E), while v/e uso p(E) for the finite powerset (the set of all finite subsets); of course, if E itself is finite these two powersets coincide. Finally X, Y, Z range over P(E) or p(E), depending on the context.

In this section we begin by recalling the earlier failures model of [3,4] and its use to give a semantics to a version of CSP.
A process is regarded as an agent which communicates with its environment by performing actions or events drawn from an alphabet E. Each event can be thought of as an atomic action. Sequential processes are characterised at least partially by the set of possible sequences of events in which they may participate; this constitutes the socalled trace set of a process [13]. However, since we are going to be modelling processes with nondeterministic behaviour, traces are not enough. The trace set of a process does not indicate the possibility that deadlock might occur as the result of a nondeterministic decision by a process. The effect of a nondeterministic decision by a process is to restrict its ability to communicate on the next step, by choosing a set of events which will not be possible on that step. Accordingly, the concept of a failure suggests itself as a means of modelling the effects of nondeterministic decisions. A failure has the form where s is a finite sequence of events and X is a finite set of events. If a particular failure («s, X) is possible for a process, then the process may perform the sequence of events s and then be unable to perform any of the events in the set X; we say the process can do s then refuse X.
Bearing in mind the intuition behind this notion of failures, the failure set of a process satisfies four simple conditions (Ml)-(M4) below. We therefore define a failure set to be any subset FCSVX p(E) satisfying these conditions: states that an event which is impossible on the next step can be included in a refusal set. It is easy to see that for any trace s of F 9 the set F after s also satisfies the conditions above; this represents the behaviour of the process once it has performed the sequence s.

Since failures represent the results of nondeterministic decisions made by a process,
there is a natural partial ordering on failure sets:

Fx Q F 2 & Fi D F 2 .
We read F± C F 2 as saying that Fi is more nondeterministic than F 2 . The set of all failure sets, ordered by this relation, forms a complete semi-lattice. This means that every non-empty collection of processes has a greatest lower bound (union) and every directed set of processes has a least upper bound (intersection); in particular, the intersection of a chain of processes is again a process.

CSP operations.
Next we recall the abstract syntax given in [3,4] for a version of CSP. We use P, Q to range over (syntactic) processes. The following BNF-style grammar defines the syntax of our process language: P::=STOP j SKIP | (a-* P) | PnQ \ PUQ \ P\\Q I P\\\Q I P)Q I p\* I r l {P) I m \ P I STOP represents a deadlocked process, and SKIP represents a process which terminates successfully. Two forms of parallel composition arc represented by P j| Q and P|||Q; the former is known as synchronous parallel composition, the latter asynchronous. Sequential composition is denoted P;Q, and prefixing a single event is denoted (a ~> P). Two forms of choice are represented by PQQ and P fl Q] the fir3t form is "controllable" and the second "uncontrollable" or purely nondeterministic. The hiding operation P\a conceals all occurrences of the event a. We let / range over a set of alphabet transformations] these are renaming functions /:£-•£ satisfying the finite pre-image property, i.e. that for every a £ £ the set /"" 1 (a) = {6 € £ | f{b) = a} is finite, so that only finitely many events become identified under a renaming. The process f" l {P) can perform an event b whenever P can perform the image event /(&). Conversely, the process /(P) performs /(a) whenever P can perform a. For further explanation of the nature and significance of these syntactic operations see [4], In the final two clauses p ranges over a set of process identifiers and jup.P is a recursive term, corresponding informally to a recursive process definition of the form p -P.
We will denote the set of terms defined by this syntax by TCSP. A term is closed if it has no free process identifiers. In order to interpret terms with free process identifiers we will use an environment, which we take to be a function p from process identifiers to failure sets. Let MEnv be the set of all environments of this type. We use the notation P + [p »-+ F] for the environment which agrees with p except that it maps the process identifier p to the failure set F.
The failures semantics of TCSP is summarized below; these clauses are essentially the same as the definitions given in [3,4], except that we have made explicit use of environments in order to treat the semantics of recursive terms rather more rigorously. In the earlier papers we did not make an explicit distinction between syntax and semantics, preferring rather to blur the distinction and use the same notation for the syntactic as well as semantic operations. Here we are forced to emphasise the separation of syntax and semantics, because we will later have another semantics to discuss.
This semantics is denotational, in that the failure sets of compound processes are definable from the failure sets of their components. We assume familiarity with the basic ideas of denotational semantics, as explained for example in [26]. We define the semantic For an open term the environment explicitly supplies a meaning for free identifiers. In the clause for P|||Q, we use the notation merge(s, t) for the set of all traces obtained by interleaving the traces s and t. The special event >J is used to denote successful termination, and is used in a sequential composition P) Q to signal the starting point of the second process. A trace is tick-free if it does not contain an occurrence of this event, and a trace ending with ^/ represents termination. In the definition of P\a, we use the notation s\a for the result of removing ail occurrences of a from the trace s. Further explanation and intuitions for these definitions will be found in [4].
As mentioned above, the failures model M forms a complete semi-lattice under the superset ordering. This ordering amounts to a measure of the amount of nondeterminism a process can exhibit. All of the failure set operations used in the semantic clauses above are continuous, so we can appeal to the Knaster-Tarski Fixed Point Theorem to justify the existence of least fixed points [26]. We have used the notation fix for the least fixed point operator. Thus, the semantics of a recursively defined process is obtained as the least fixed point of the corresponding function from failures to failures. By continuity, this 7 fixed point can be obtained in the usual way as a limit: the failure set of the process np.P in environment p is generated as the intersection of the sequence As an example, the term /*p.(a -» p) denotes a process which has the ability to perform an unlimited number of a events: In other words, P == M Q when the two processes have identical failure sets (in this model).

Mlw.{a ~> p)lp
When P Cj\,/ Q we say that P is more nondeterministic than Q. This relation induces a pre-ordering on TCSP terms.
In view of the Fixed Point Theorem, a process defined by recursion should satisfy its definition. This is expressed formally in the following way. Let P be a term with free process identifier p. We write [Q\p]P for the term arising by replacing every free occurrence of p in P by Q, with suitable name changes to avoid clashes. Then we have:

WP ssa, [{fip.P)\p]P.
We will often suppress the /i notation and simply define a process by the fixed point equation it is required to satisfy; the implicit understanding when we do this is that we are defining the least fixed point.
The following properties of processes will be assumed. Proofs may be found in the earlier papers [3,4] or else in [19,20]. This is not an exhaustive list or a complete set of true equivalences; [19] contains a complete set of axioms for a significant subset of our language (omitting some of the operators).

The new model.
The failures model is unable to provide an adequate treatment of the phenomenon of divergence. In addition, all refusal sets were taken to be finite. The new model has the same basic structure but with two modifications.

Divergence.
A process is said to diverge at some stage if it is possible for it to engage in an unbounded sequence of internal actions, invisible to its environment. Such behaviour is introduced when hiding an infinite sequence of events; if such a sequence is rendered invisible to the environment of the process, the resulting process diverges. An example of this is provided by the term (/xp.(a -+ p))\a.
Here the recursively defined process is able to perform an unbounded sequence of a events, which become internal actions when the hiding operation is applied. Divergence is also introduced by ill-defined recursive definitions, because we regard the initiation of a recursive call as an internal action; an example is provided by the recursive term jup.p, whose execution results in an infinite sequence of recursive calls. In the failures model Ma, divergence caused by hiding wa3 modelled as CHAOS, although another plausible version of the hiding operation regarded this type of divergence as indistinguishable from deadlock. Some of the properties of this version of hiding were investigated in [2], This alternate form of hiding, which models divergence by STOP and thus identifies divergence with deadlock, does not have such appealing algebraic properties, and the chaotic form was preferred in [3,4]. In particular, the chaotic form of hiding is a continuous operation, unlike the deadlocking version. However, CHAOS is simply the process which can at any stage in its execution refuse any set of events; that is, CHAOS always responds to its environment by either refusing or performing ail event. It can therefore be argued that it is unreasonable to identify divergence with CHAOS, the ability to fail to respond at all to the environment, since divergence is more accurately represented by the inability to respond in any finite time. Indeed, CHAOS does not possess all of the combinational properties we would like to associate with a diverging process. In particular, the following equivalences do not generally hold in the failures model: In each of these cases we would expect divergence of the component process to cause the possibility of divergence in the compound process. Similar problems were encountered by Hennessy and de Nicola [12,19], in trying to axiomatize the failures model, and by Roscoe [23] when trying to make connections between the failures semantics and an operational interpretation of process behaviour. The use of CHAOS for the purpose of modelling divergence does not quite fit properly with operational intuitions. Thus, the failures model alone is insufficiently powerful to give a satisfactory or convincing account of divergence. In order to provide a more pleasing treatment of divergence, we introduce an extra component into the semantic description of a process. In addition to a failure set, a process will be associated with a divergence set this will be a set of traces. If s is a divergence trace of a process we interpret this as saying that the process may be diverging once it has performed the sequence s.

Infinite refusal sets.
Secondly, if E is infinite we will allow refusal sets to be infinite; but we also add a closure condition which makes this change largely cosmetic. Specifically, an infinite set will be a possible refusal if and only if all of its finite subsets are refusable. Thus, infinite refusal sets are determined by their finite subsets being refusable. In this new model, which we will denote N, processes are modelled as pairs D C E*. In such a pair (F, D) the failure set is F and the divergence set is D. We will extract these two components with the functions failures and div. We require the following conditions on F, which should be compared with (M1)-(M4) of the previous section.
The only difference between (N1)-(N4) and the previous conditions is that Y is allowed to be infinite in (N4), whereas from use of (M4) only finite sets of impossible events can be included. (N5) states that a set is refusable if all of its finite subsets are refusable; the converse is implied by (N3).
We also impose a condition on the divergence set, corresponding to the intuition that divergence is a persistent phenomenon: once a process is diverging it diverges forever. Moreover, it is impossible to determine finitely any information about a diverging process, so that we cannot rule out the possibility that it might engage at some stage in some sequence of events. In other words, we regard divergence as catastrophic. These considerations lead us to formulate some conditions relating the divergence set D and failure set F of a process: Condition (Dl) states that the divergence set of a process is suffix-closed. The other condition states the catastrophic or chaotic nature of divergence. A similar argument was used in [3,4] to suggest that the failure set of a diverging process should be the most nondeterministic.
As in the old model, there is a natural partial order on the set of pairs (F, D) : The interpretation of this is that a process Pi is more nondeterministic than P 2 if it can diverge whenever P 2 can diverge and fail whenever P 2 can fail. Again this ordering produces a complete semi-lattice structure; the least element, the most nondeterministic process, denoted J_, has divergence set E* and failure set E* X P(E). Since our model identifies all terms which diverge, we find ifc convenient to abuse notation slightly and introduce a constant term J_to the syntax of TCSP, representing divergence explicirjy.
V/e say that a process is divcrgence-frcz if its divergence sst is empty. The divergencefree processes form a semi-lattice which is clearly isomorphic to the

Semantics.
To give a semantics to our TCSP language we define a mapping M from processes to failure sets and divergence sets, when supplied with an environment for the meanings of free identifiers. Now we need an environment which maps process identifiers to pairs (F, D). Thus, an environment e will be a function c : TCSP -> N. As remarked earlier, we use the functions failures and DIV to extract the two components of a pair {F, D). We* write « + [pH (F 9 D)) for the environment which agrees with e except at p, which is mapped to the given pair. Let NEnv be the set of environments of this type. The type of the semantic function is thus M : TCSP -[NEnv ~> N).
For presentation purposes it is sometimes convenient to factor M into two component functions, by defining auxiliary semantic functions 7 and D such that HPh = (HPk, DIP}*).

Mlw.Ple = Bx(\(F, D).MlPl(e + (p -+ {F, D)])).
For the other syntactic constructs, we define the divergence semantics first and then give the failure sets. For the other syntactic constructs, the divergence semantics  The next result establishes that our semantic definitions make sense. THEOREM

All CSP operations defined above are well defined and continuous.
Proof. Well definedness is easy to show, except for the synchronous parallel operator. In each case we have to establish that the failure set operations and divergence set operations corresponding to the syntactic constructions preserve the properties (Ml)~(N5) and (Dl)~ (D2). Only the proof for the synchronous parallel operator is non-trivial. A full proof may be found in [23] or in the full version of this paper [5]. Continuity proofs are relatively straightforward, along the lines of the proofs given in [4], [2], and [23j. 8 Since all of our operators are continuous, we can justify our use of least fixed points in defining the meaning of recursive definitions, and we know that these fixed points are explicitly constructible, as was the case in the earlier model.

The recursive term \ip.p denotes the most nondeterministic process J_, which can
do anything at all: JJ/ip.pfle = ST X P(X),

Note that our notation implies that •MJMP-PIIP = CHAOS
Mlftp.ple = ±. This is an example in which the two semantics produce distinct results. We should be careful to distinguish between the meanings of terms in the two models. However, we can show that the old semantics and the new essentially coincide except in their treatment of divergence. This is stated precisely as follows. First we need to define an appropriate notion of matching between the environments used in the M semantics and those used in the ft semantics.

Definition.
The operation $ : M N induces a function $ : R Env by:

LEMMA 1. If P is a TCSP term, then for all p,
-VI^I(*P) En *{MIPIP).

THEOREM 2. If P is a TCSP term and p an environment such that
= 0, then ^I^J(*p)«*(A«Ip1p). Table 1 Table 2 reflect this property. An exception is the prefixing operation (a -• P), where divergence of P cannot manifest itself until after the initial occurrence of a; a similar exception is the second argument of a sequential composition, whose divergence cannot come into effect until the first component has terminated. Some further exceptions to strictness will be discussed in the next section, where we define the semantics of some operations introduced in [3,4].

Further operators*
It is possible to devise many useful operations, notably some interesting forms of parallel composition. In this section we revise the delinitions of a few interesting forms of composition ^vhich were described in [3,4], bringing out certain inadequacies in the earlier treatment of divergence and showing that a cleaner treatment is obtained with our new definitions. By redefining the semantics of these operations in this way we achieve a better match with operational intuitions.

Mixed parallel composition.
We can define a parallel composition in which two processes operate with named alphabets and are required to cooperate on events common to both of their alphabets, but may progress independently on events belonging solely to their own alphabet. This mixed parallel composition is less restrictive than the synchronous version and not as generous as the asynchronous form. It is closely related to the ignoring operator of [3,4] and to the mixed parallel composition of [2,23]. When P and Q are to run in parallel, with P using alphabet A and Q using alphabet B, the resulting process is denoted: It is easy to check, given the well-definedness of the synchronous parallel composition [5], that this construction produces a process when applied to processes, i.e. that conditions (N1)-(N5) and (Dl)-(D2) are preserved. The following associativity property.can also be proved; see [2] for details.

LEMMA 3. For all processes P, Q } R, and all sets of events A, B, C, /[PA\\BUC[QB\\CR]) =N [[PA\\BQ]AUB\\CR]*
In view of this result, this notation generalizes to a parallel composition of more than three processes. Given an indexed collection V -{(P^A,) | 1 < i < n} we will write

PAR(V) HI?-! (Pi,Ai)
for the parallel composition. Using this notation the mixed parallel composition [Pa||bQ] may be rendered (P,A) || {Q>B), This type of composition can be useful in analysing the deadlock behaviour of networks of parallel processes, as shown in [6].

This result is important in analysing the effect of hiding internal communications in networks of communicating processes. It enables us to move hiding operators (in some cases) inside a parallel composition. This result is used in [6] to prove some useful results on deadlock analysis.
If we wish to run P and Q in parallel using alphabets A and J3, we use the composition [PA \\B Q] as above; events in the intersection A D B are synchronized and correspond to communications between the two processes. These internal events may be concealed from the environment by applying the hiding operation. Provided this intersection is finite, we can define the process in which these internal communications are hidden as:

{p A \\ B Q}\AnB).
This makes sense because hiding is associative. It is convenient to introduce a notation for this composition: we will denote it [P A & B Q]-Now if we wish to extend this to a network of several processes we may do so. The key associativity property is as follows.

Chaining.
In [3,4] we also defined a form of "chaining", a parallel composition P ^> Q in which all outputs of P are fed into Q as inputs and hidden from their common environment. Assume that all events are communications between processes along named channels. An event consists of two parts m.t, where M is a channel name and t a value. Normally, the channel name "in" is associated with input, and "out" with output. We use the abbreviations (?s:T -> P(x))' for Q eT (in.* -P(i)),

It for (out.* -> SKIP).
It is convenient also to allow' the abbreviated form ?£ to stand for the correspoding event.
In order to cope with a form of channel naming, we also use the abbreviations: The chaining operation can be defined by combining a renaming with the mixed parallel operation and hiding. First we rename the output events of P and the input eveuts of Q so that they become identical events; then we run the renamed versions of P and Q in parallel, using the renamed alphabets. This forces P to synchronize its outputs with the inputs of Q. Finally we hide all events common to these alphabets, which are precisely the internal communications between the two processes. Let a be a label distinct from in and out. Let swap(a, /?) be the alphabet transformation defined:

Then if we put A = in.T U a.T and B = out.T U a.T, we can define (P»Q) = [swap(out, a)(P) A & B swap(in, a)(Q)].
As an example of the use of the chaining operation, the result of chaining two simple buffers Bi together is again a buffer process, Bi B\ } capable of holding at most two values. Several interesting properties of buffer processes built from the chaining operation were discussed in [4]. Most of these carry over without problems to the new model. In particular, we have the identities (B n ^> 2? m ) = J? n + m for all n, m > 0.

Master-slave operation.
In [3,4] we also defined a "master-slave" construction [P || ru:Q], in which the master process P refers to its slave Q by tho name m. The communications between master and slave are hidden in this construction. The definition here is similar to the previous version, except that we do not make the construction strict in the "slave" argument. The reason for this is that we do not want a master-slave pair to diverge unless either the master is diverging or the slave has been asked to perform some action and is diverging. In other words, the master's activity will only be affected by a divergence of the slave if the master is actually waiting for a response from the slave. Let C = T U in.2' 1 U out.T and let m be chosen to be distinct from in and out. We define first, for traces w, Another problem was that in the failures model, the order in which a master process binds his slaves could make a difference in the behaviour of the system. In other words, the following identity does not always hold in the failures model:

[[P || m:Q] || n:R] = M [[P || n:R] || m:Q] (n ^ m).
Again this deficiency appears when divergence can occur between the master and one of the slaves. In the new model the order in which a master process binds his slaves is irrelevant, and we do have
The revised model of processes described here enjoys the mathematical properties of a complete semi-lattice under the componentwise ordering C^v introduced earlier.
All of the techniques used in [4] to specify and prove properties of processes may be adapted with ease to this setting. In particular, it is possible to use the notions of constructivity and non-destructivity in the analysis of recursively defined processes. Thus, with minor modifications to fit with the revised definitions of some of the operators, the examples described in [4] and the proofs of their properties described in that paper can be reformulated in the revised setting.
The failures model of communicating processes was introduced in [3,4]. This model was itself an extension of Hoare's earlier traces model of processes [13], which was incapable of supporting any reasonable treatment of deadlock properties since it is impossible to represent the ability to refuse to perform an action in a model based solely on sequences of possible actions. Our motives in designing the failures model were therefore driven by a desire to model deadlock satisfactorily. Several other authors have also discovered models which can be related to failures. Milner's CCS [18] is founded on a rather different (more discriminating) notion of observation equivalence^ and his synchronization trees provide an alternative framework in which our results can be formulated [2]. Our development of the failures model has clearly been strongly influenced by the work of Milner and his colleagues.
As we observed earlier, a model based on failures alone is inadequate for reasoning about the phenomenon of divergence. Problems related to this fact have been pointed out by [23], [12]. This led to the inclusion in [2] and [23] of an explicit and distinguished representation of divergence in the semantics of processes, producing models isomorphic to the one used in this paper. In a simitar vein, Hennessy and de Nicola have constructed several models based on synchronization trees augmented by. acceptance sets, and they have introduced the noUon of representation trees [11,12,1&,20]. Ilennesay pointed out in [11] that the model known as RTa *s closely related to a submodel of ours based on extra assumptions on finite branching, although there are subtle differences between the treatments of internal actions in their model and ours. In fact, this submodel with finite branching can be thought of as containing all of the denoiable elements of our model. Similar observations were made by de Nicola in [19,20], where he suggested an adjustment to the failures model to handle divergence in a more subtle way than was done in that model: this was the Bounded Refusal Sets model, and again this model can be seen as an alternative presentation of a submodel of ours. The full model JV, as it stands, does allow a (pessimistic) treatment of unbounded nondeterminism, in the sense that many unboundedly nondeterministic processes can be represented in this model but any process will be identified with its closure.
If one focusses solely on the finitely branching submodel of ours, it is largely a matter of taste as to which presentation one prefers, as any theorem provable in one formulation of the model will be adaptable to the alternative settings. This is an observation due to Matthew Hennessy. He has proved in [11] some general results on the congruence of denotational and operational semantics and these can be adapted to our setting to demonstrate that our semantics is indeed in accordance with operational intuitions. It is possible to define an operational semantics for our language based on Milner's synchronization trees, extending the definitions of [2,23] and following the lines of the presentations in [11,12,20,23]. Essentially the idea is that a term denotes a synchronization tree whose arcs are labelled by events or by a special symbol r denoting an internal event. Recursively defined terms will in general denote infinite trees, and divergence corresponds to the presence of an infinite path of r arcs. Each syntactic construct of our language then corresponds to an operation on synchronization trees. There is a natural notion of implementability of operations on these trees, and all of the CSP operations turn out to be iraplementable. Moreover, the denotational semantics of this paper can be shown to agree with the operational semantics, a property that failed for the earlier model because of its inadequate treatment of divergence.
Kennaway [15,16] described a model for processes from which failures can be derived [2], but in which the underlying partial ordering is different because of his decision to regard deadlock as disastrous. The notion of implementation sets, given in [2,4], is closely related to Kennaway's idea of a nondeterministic process as a set of deterministic processes. We defined a notion of implementation for the failures model of CSP. A deterministic process Q is said to implement a process P if P C a,/ Q. For divergence-free processes in the new modei the same ideas can be adapted. A divergence-free process can be identified with its set of deterministic implementations, Similar results hold for unary CSP operations. As stated here, these definitions and results apply only to divergence-free processes. It is possible to extend these results to cover all processes, by redefining the notion of an implementation to include only "minimal" • divergent processes. We will not discuss this issue here.
Darondeau [8] gave an "enlarged definition of observation congruence" for finite processes which essentially coincides with the failure equivalence [2] induced by focussing on failures; Darondeau's paper only considered finite terms. In [25] a model including acceptance sets in addition to refusal sets was discussed, although this seems not to possess such elegant mathematical properties as the failures model and appears as a result to be less well suited to analysis of deadlock. Olderog [21] introduced a model involving "readiness sets", which are analogous to acceptance sets; again there are connections with failure sets, since a readiness set can be regarded as the dual of a refusal set. The readiness model is based on a slightly different notion of equivalence than the one induced by failures. Broy introduces in [7] a somewhat complicated model in which rather more distinctions between processes are possible; in particular, he chooses not to regard the possibility of divergence as necessarily catastrophic (so that, for instance, PO_Lt^ J_in general in his model). His fixed point theory and operator definitions are made more complicated by this and by the intricate structure of his model.
There are several directions in which we want to develop our techniques and results. In the full version of this paper, proofs are given of some of the most interesting theorems. In [6] we discuss some useful results pertaining to the analysis of deadlock behaviour in networks of communicating processes. It is possible to adapt our semantics to imperative communicating processes such as Hoare's original CSP, in which processes have disjoint local states and can perform assignments to update their own state. An example in this vein is provided by Roscoe's semantics for occam [24], which arises from a failure set semantics by adjoining local states and building a "hybrid" semantic model. We plan to adopt similar techniques for CSP in a future paper. This should lead to a semantic model closely related to the linear history model developed by Pnueli, Lehmann and Frances [9], which uses expectation sets rather than refusal sets and is based on a different notion of equivalence. Connections with earlier models such as the one described in [10] should also become apparent. We also believe that this should lead us to a semantics supporting a partial correctness analysis which takes deadlock fully and explicitly into account, unlike many existing CSP semantics which have served as the basis for partial correctness reasoning. We hope to be able to make some connections with existing proof systems for CSP, such as those described in [1,17], and with Plotkin's structural operational semantics for CSP [22].