the undamenf tals of hybrid systems modelers...
TRANSCRIPT
The Fundamentals of Hybrid Systems ModelersI
Albert Benvenistea,∗, Benoit Caillauda, Marc Pouzetb
aINRIA-Rennes, Campus de Beaulieu, 35042 Rennes cedex, FrancebUniversité Paris-Sud, LRI, bat. 490, 91405 Orsay, France
Abstract
Hybrid system modelers have become the corner stone of complex embeddedsystem development. Embedded systems include not only control componentsor software, but also physical devices. In this area, Simulink is a de facto stan-dard design framework, and Modelica a new player. However, such tools raiseseveral issues related to the lack of reproducibility of simulations (sensitivity tosimulation parameters and to the choice of a simulation engine).
No comprehensive approach exists that encompasses hybrid systems in theirfull generality (hybrid automata su�er from restrictions and do not provide ane�ective framework for very large systems). In this paper we propose using nonstandard analysis as a semantic domain for hybrid systems. Non standard anal-ysis is an extension of classical analysis in which in�nitesimals (the ε and η inthe celebrated generic sentence ∀ε∃η . . . in college maths) can be manipulatedas �rst class citizens. This allows us to provide a denotational semantics anda constructive semantics for hybrid systems, thus establishing simulation en-gines on a sound but �exible mathematical foundation. These semantics o�er aclean separation of concerns between the numerical analyst (solving di�erentialequations) and the computer scientist (generating execution schemes).
Also, we discuss a number of practical and fundamental issues in hybridsystem modelers that give raise to non reproducibility of results, non determin-ism, and undesirable side e�ects arising from numerical inaccuracy. To addresspart of these problems we propose a simple single assignment language in whichcontinuous time and discrete time are handled as types.
1. Foreword: in memory of Amir Pnueli
When we were invited to contribute to this special issue in honor of AmirPnueli, we �rst felt deeply honored. Then, we asked ourselves what we couldcontribute with, that would best �t the recollection our community has about
IThis work was supported by the INRIA �Action d'envergure� SYNCHRONICS.∗Corresponding authorEmail addresses: [email protected] (Albert Benveniste),
[email protected] (Benoit Caillaud), [email protected] (Marc Pouzet)
Preprint submitted to Elsevier March 24, 2010
him. Amir loved opening new avenues, rich in surprises. While he establishedhimself as a leading �gure in computer science, he had a profound mathematicalbackground. Finally, Amir has been one of the founders of the area of hybridsystems, as seen from the computer science community. These considerations ledus to contributing to this special issue with a brand new work on hybrid systemsmodelers that builts on the heterodox � but we think, nevertheless useful �mathematical area of non-standard analysis.
2. Introduction
Hybrid systems modelers have become in the last two decades the key cornerstone of complex embedded system development, for embedded systems involv-ing physical devices or parts for control. Simulink1 has become the de factostandard for physical system modeling and simulation. Noticeably, by buildingon top of the success of Simulink, TheMathworks was able to take over themarket of embedded systems design, for many sectors. This speaks for itselfregarding the importance of such tools.
Hybrid systems modelers mix discrete time reactive (or dynamical) systemswith continuous time ones de�ned using Ordinary Di�erential Equations (ODE)or their extensions. In this paper we focus on general modelers, aimed at mod-eling and simulation of any type of hybrid system and we refer the reader to [1]for an overview of all tools related to hybrid systems modeling and analysis.
Besides Simulink with its state-based extension State�ow, several such hy-brid systems modelers have been developed. Scicos2 is a freeware developed byRamine Nikoukhah at INRIA. Scicos o�ers the possibility to graphically model,compile, and simulate dynamical systems; combine continuous and discrete-timebehaviors in the same model; select model elements from Palettes of standardblocks; program new blocks in C, Fortran, or Scilab Language; run simulationsin batch mode from Scilab environment; generate C code from Scicos modelusing a Code Generator; run simulations in real time with and real devices us-ing Scicos-HIL; generate hard real-time control executables; use implicit blocksdeveloped in the Modelica language. This long list was recalled to show thetypical services that are expected from such modelers.
As quoted from the web site of its supporting association, Modelica3 isa non-proprietary, object-oriented, equation based language to convenientlymodel complex physical systems containing, e.g., mechanical, electrical, elec-tronic, hydraulic, thermal, control, electric power or process-oriented subcom-ponents. While4 Modelica resembles object-oriented programming languages,such as C++ or Java, it di�ers in two important respects. First, Modelicais a modeling language rather than a true programming language. Modelica
1http://www.mathworks.com/products/simulink/2http://www-rocq.inria.fr/scicos/3http://www.modelica.org/4The following is quoted from Wikipedia
2
classes are not compiled, in the usual sense, but are translated into objectswhich are then exercised by a simulation engine. The simulation engine is notspeci�ed by the language, although certain required capabilities are outlined.Second, although classes may contain algorithmic components similar to state-ments or blocks in programming languages, their primary content is a set ofequations. In contrast to a typical assignment statement, such as x := 2 + ywhere the left-hand side of the statement is assigned a value calculated fromthe expression on the right-hand side, an equation may have expressions onboth its right- and left-hand sides, for example, x + y = 3 × z. Equationsdo not describe assignment but equality. In Modelica terms, equations haveno pre-de�ned causality. The simulation engine may (and usually must) ma-nipulate the equations symbolically to determine their order of execution andwhich components in the equation are inputs and which are outputs. Said dif-ferently, Modelica not only manipulates functions and ODEs, but also equationsand Di�erential Algebraic Equations (DAE) in which variables and their deriva-tives are involved in constraints. Commercial front-ends for Modelica includeDymola5 from the Swedish company Dynasim AB (now part of Dassault Sys-temes), MathModelica6 from the Swedish company MathCore Engineering AB,SimulationX7 from the German company ITI GmbH, and MapleSim8 from theCanadian company Maplesoft. Dassault Systemes selected Modelica for theirproduct CATIA9 (CATIA is one of the major CAD systems). The goal of theOpenModelica10 project is to create complete Modelica modeling, compilationand simulation environment based on free software distributed in source codeform intended for research purposes. The free simulation environment Scicosuses a subset of Modelica for component modeling. Support for a larger part ofthe Modelica language is currently under development.
Hybrid systems modelers raise a number of di�cult issues, both practicaland fundamental. Some major practical issues are the following:
(i) Depending on the considered option, simulation results may di�er. Typ-ically, direct simulations may di�er from simulations performed by usinggenerated C code. Of course, simulation results are sensitive to the choiceof the integration method � we discuss this unavoidable aspect later.Since simulations use a single, global, solver, the choice and tuning of theintegration method is global to the system, which may have strange ef-fects such as undesirable interactions between sub-systems that seeminglyshould not interact. We report in section 8.1 an example of a system con-sisting of an autonomous hybrid system S equipped with an �intelligentobserver� O that collects some signals and process them for exposition to
5http://en.wikipedia.org/wiki/Dymola6http://en.wikipedia.org/wiki/MathModelica7http://en.wikipedia.org/wiki/SimulationX8http://en.wikipedia.org/wiki/MapleSim9http://en.wikipedia.org/wiki/CATIA
10http://www.openmodelica.org/
3
the GUI. Although observer O has in principle no e�ect on S, re-tuningits simulation parameters changes the behavior of S drastically. This iscertainly an unexpected feature from the user's viewpoint.
(ii) Mode changes occur in the considered hybrid systems by means of zero-crossings, which are switching boundaries where the dynamics experiencea sudden change. The handling of zero-crossings is di�cult for two reasons.First, zero-crossings are areas where maximal sti�ness is encountered andthe solvers must be very cautious not to miss them � variable step sizeintegration methods are therefore mandatory. Second, mode changes trig-gered by zero-crossings can involve a combination of complex operationswhose scheduling can be delicate. Indeed, the di�erent simulation enginesfor Modelica sometimes give signi�cantly di�erent results on identical pro-grams. This problem is illustrated in section 8.2.
Other issues exist that are more fundamental:
(iii) How discrete is the semantics of the discrete part of a hybrid systemmodeler? Recall that, in earlier versions, Simulink saw everything as con-tinuous time. In particular, discrete time �ows were seen as piecewiseconstant continuous time signals.
(iv) Activation clocks of blocks in hybrid systems, or clocks attached to signalsto specify when they are de�ned or when they can change, are importantattributes of blocks or signals. To our knowledge, such clocks are nothandled as types in any of the existing hybrid systems modelers. For in-stance, there is no harm in adding, in Simulink, a discrete time signal toa continuous time one: both are seen as being continuous time after dueinterpolation. This design choice obeys the fundamental philosophy that aSimulink diagram should (most) always have a meaning, even though im-plicit conversions or interpretations might be necessary in some cases. Theexample we report in section 8.1 also illustrates some possible undesirableconsequences of this design choice.
(v) Physical systems often obey balance equations resulting from applying �rstprinciples. Such balance equations are better speci�ed using non-directedsystems of DAEs, with no pre-speci�ed roles of inputs and outputs. Thisobservation goes back to the old work on Bond Graphs [2] as a modelingparadigm for physical systems from �rst principles, and lead to the devel-opment of Modelica. How can compilation techniques adapt to this moreconstraint oriented style of speci�cation?
E�orts developed in the community of hybrid systems have improved the situa-tion regarding issue (iii), see, e.g., the e�orts made in the design of Scicos [3, 4].Improvements have reduced the previously existing gaps between the results ofsimulation of a hybrid system and the simulation of its discrete time part inisolation for the purpose of generating code.
4
Issue (v) seems solved in practice. However, discrepancies observed betweendi�erent tools for the execution of a same program of the standardised Modelicalanguage reveal that di�culties still remain. Also, a closer investigation revealsthat the part of Modelica language to handle mode changes is not compositional,which impairs full compositionality of Modelica as a whole.
Overall, we think that no fundamental answer has been provided to thedi�culty raised by the following well justi�ed but nevertheless contradictory re-quirements that underpin the development of a formally sound execution enginefor hybrid systems modelers:
(a) The semantic function, mapping a hybrid systems speci�cation to its exe-cutable mathematical model (its operational semantics), should be stati-cally de�nable � such a mapping is indeed the basis for designing formallysound compilation schemes. In particular, this semantic function shouldnot get polluted by assumptions such as �f shall be Lipschitz over [1, 2]�or �boolean condition b shall not be zeno�, or �the system shall not besti��, etc., as the above are typically value-dependent properties that canonly be handled properly at run time.
(b) Computers can only run according to discrete steps, hence discretizingmust be part of de�ning the semantic map. Indeed, early hybrid systemsmodelers such as MATRIXx 11 in its 90's generation had made the choiceof using �xed step discretization for ODEs in order to achieve a cleancombination of continuous time parts and mode changes or discrete timeparts. Unfortunately, this design choice contradicted the next (essential)requirement.
(c) To achieve high computational quality with high �exibility, the discretiza-tion scheme must be �xed adaptively, at run time. We recall later thebackground for this.
We strongly believe that lack of a theory providing adequate answers to theabove seemingly contradictory requirements has been the cause for some of theproblems faced by hybrid systems modelers today.
The objectives of this work are twofold. First, we want to address the threecontradictory requirements (a)�(c) properly. Second, we want to provide asemantic domain and semantic map that allow for a clean separation betweenthe roles of the two complementary but nevertheless distinct skills of numericalanalyst (in charge of the solvers) and computer scientist (in charge of schedulingactions associated to mode changes or discrete time steps).
Contributions of this paper are the following. First, we propose using nonstandard analysis as a semantic domain for hybrid systems, in order to prop-erly address requirements (a)�(c). Roughly speaking, non standard analysis isan extension of classical analysis in which in�nitesimals (the ε and η in the
11http://www.ni.com/matrixx/
5
celebrated generic sentence ∀ε∃η . . . in college maths) can be manipulated as�rst class citizens. Using non standard analysis proved the right way to ensureclean separation between the roles of numerical analyst and computer scientist.Second, we develop a comprehensive constructive semantics for hybrid systems� the constructive semantics was �rst proposed by G. Berry [5] as a mathe-matical theory on which to build the Esterel compiler in a sound way; it wassubsequently reused and adapted for other synchronous languages [6, 7]. Con-sequences are derived regarding execution schemes for hybrid systems modelers.Third, we discuss issues of clock typing for a simple single assignment language.
In this paper we do not address DAEs such as supported by Modelica. Tosimplify our problem we restrict ourselves to �functional� or �single assignment�hybrid systems, corresponding, e.g., to a hybrid systems extension of Lustreor Scade, or more or less to Simulink. But we believe that the material weintroduce here is powerful enough to allow for a comprehensive and in depthstudy of hybrid systems involving DAEs and constraints.
The paper is organized as follows. We �rst begin with a recall of numericalintegration of ODEs in section 3; this section enlightens why adaptive step sizemethods are needed, what they are, and why it is hopeless to include them aspart of a semantics map. Background on non standard analysis is provided insection 4, including the modeling of ODE; we also detail how we use non stan-dard analysis in our context. Our mathematical formalism for hybrid systemsspeci�cation is introduced in section 5, we call it SimpleHybrid. Section 6 isthe core of our paper; a denotational semantics is given using non standard anal-ysis as a semantic domain; then, a constructive semantics is provided, followingthe approach taken in providing mathematical foundations for the compilation ofSynchronous Languages. From this, execution schemes for SimpleHybrid arederived in section 7. In section 8 problems with existing hybrid systems model-ers are reviewed; these are illustrated with Simulink (section 8.1) and then withModelica (section 8.2). A proposal for a single assignment language is providedin section 9; we equip it with a minimal type system cleanly separating contin-uous from discrete. Related work is analysed in section 10, with an emphasison the important work done by the Ptolemy school. Finally, conclusions anddrawn and future work is suggested.
3. Background on numerical integration of ODEs
To motivate our approach, we �nd it useful to �rst review classical back-ground on numerical integration of ODEs, see [8]. For f : [0, 1]→ R continuous,
we wish to compute∫ 1
0f(t)dt. A k stage quadrature formula is
∫ 1
0
f(t)dt ≈k∑
i=1
bif(ci) (1)
6
where ci are the knots and bi are the weights. Now, with h = (b − a)/N andtj = a+ jh, we have∫ b
a
f(t)dt =N−1∑j=0
∫ tj+1
tj
f(t)dt =N−1∑j=0
h
∫ 1
0
f(tj + th)dt
≈N∑
j=1
h
k∑i=1
bif(tj + cih) (2)
using (1). The quadrature formula is of order p ∈ N+ if equality actually holdsin (1) for f a polynomial of degree at most p − 1. This implies that, if f isq-times di�erentiable, then approximation error in (2) is hmin(p,q). It is knownthat (1) has order p i�
k∑i=1
bicq−1i = 1/q holds for 1 ≤ q ≤ p (3)
Fixing the knots in (3) yields a Vandermonde linear system with a unique so-lution for the bi's, which yields an order p = k. So-called superconvergence canbe, however, reached, meaning that p > k. Techniques based on orthogonalpolynomials allow reaching up to p = 2k (e.g., with Gauss formulas).
Next, consider ODE y = f(t, y), y(t0) = y0 on interval [0, h], which writes
y(t0 + h) = y0 +∫ t0+h
t0
f(u, y(u))du (4)
Runge-Kutta methods for approximating (4) use the following RK formulas:
K1 = f(t0, y0)
K2 = f(t0 + c2h, y0 + ha21K1)
K3 = f(t0 + c3h, y0 + h(a31K1 + a32K2))
. . .
Kk = f(t0 + ckh, y0 + h(ak1K1 + . . .+ ak,k−1Kk−1))
y1 = y0 + h(b1K1 + . . .+ bkKk) ≈ y(t0 + h)
They are obtained by applying quadrature formula (2) when approximating∫ t0+h
t0f(u)du in (4). Multistep methods are also considered. They consist in
using past values of y before t0 in computing (4): (4) is replaced by
y(t0 + h) = y0 +∫ t0+h
t0
p0(u)du (5)
where p0 is a polynomial of degree q − 1 satisfying
p(tj) = f(tj , yj) for j = −1, . . . ,−q. (6)
7
Here, t−q < t−q+1 < . . . < t−1 < t0 are the previous instants where an ap-proximation y−q, . . . , y0 for the ODE has already been computed and thereforethe yj 's are known. RK formulas can then be used in solving (5). In all theabove approximation methods, step size h can be adaptively selected to achievea given accuracy objective. This is done by computing nested approximationswith di�erent values for h and comparing them when solving the ODE over aspeci�ed horizon.
The bottom line is that the generic form for an approximation formula for(4) is
y(t0 + h) = y0 + hF (t0, y−q, . . . , y0) (7)
where h is small, q ≥ 0, and y−q, . . . , y0 are as in (6). In (7), h can varyadaptively, and so does F (particularly if multistep methods are used). Theabove discussion is also valid for systems of ODEs, i.e., when y takes values inRn.
The same happens if, furthermore, zero-crossings must be detected. Zero-crossings cause mode changes in hybrid systems. Their handling is, therefore,central in hybrid systems modelers. Zero-crossings consist in detecting a changeof sign in some quantity g(y) where y is subject to an ODE as above and g takesreal values. The solvers will then reduce their step size as g(y) gets close to zero.Such slow-down by the solver should be performed more cautiously if two (ormore) zero-crossings g(y) and h(y) must be jointly monitored for detection: ifboth g(y) and h(y) become small, then it is important to properly detect whichone crosses zero �rst as this could determine which next mode will get activated.
At this point, it should be clear that it is hopeless to take discretizationschemes of ODE/DAEs as part of our semantics. Adaptive schemes just forbidthis because they are de�ned only at run time. The very question is: does thereexist a semantic domain that addresses contradictory requirements (a)�(c) ofsection 2? Our approach is to use non-standard analysis [9, 10] as a semanticdomain for SimpleHybrid. The key di�culty is to give proper semantics tothe inherently continuous time statement: y = x. In non-standard analysis, thisstatement means, by de�nition of the derivative of a function:
∀∂ ' 0 :yt+∂ − yt
∂' xt (8)
where expression �u ' v� is a non-standard expression that reads: �v − u isin�nitesimal�. The use of the heterodox symbol ∂ in (8) is on purpose. It isintended to pinpoint that the referred real number is non-standard.
4. Background on non-standard analysis
Non-standard analysis has been proposed by Abraham Robinson in the 60'sto allow handling explicitly �in�nitesimals� in analysis [9, 10, 11]. Robinson'sapproach is axiomatic, in that he proposes enriching the basic ZFC (Zermelo-Fraenkel) framework with three more axioms. There has been much debate in
8
the community of mathematicians as to whether it is worth considering non-standard analysis instead of sticking with the traditional one. We won't enterthis debate. One important thing for us, however, is that it allows using non-standard discretization of continuous dynamics �as if� it was operational.
To our surprise, such an idea is indeed not new. Iwasaki et al. [12] have�rst proposed using non standard analysis to discuss the nature of time inhybrid systems. Bliudze and Krob [13, 14] have used non-standard analysis asa mathematical support for de�ning a system theory for hybrid systems. Theydiscuss in detail the notion of �system� and investigate computability issues.The formalization they propose follows closely that of Turing machines, with amemory tape and a control mechanism.
The introduction to non-standard analysis in [14] is very pleasant and wetake the liberty to borrow it. This presentation was originally due to Lindstrøm,see [15]. Its interest is that it does not require any fancy axiomatic materialbut only makes use of the axiom of choice � actually a weaker form of it. Theproposed construction bears some resemblance with the construction of R asthe set of equivalence classes of Cauchy sequences in Q modulo the equivalencerelation (un) ≈ (vn) i� limn→∞(un − vn) = 0.
4.1. Motivation and intuitive introduction
We �rst begin by an intuitive introduction to this construction. The goal isto augment R∪{±∞} by adding, to each x in this set, a bench of elements thatare �in�nitesimally close� to it, call ?R the resulting set. Another requirementis that all operations and relations de�ned on R should extend to ?R.
A �rst idea is to represent such additional numbers as convergent sequencesof reals. For example, elements in�nitesimally close to the real number zeroare the sequences un = 1/n, vn = 1/
√n and wn = 1/n2. Observe that the
above three sequences can be ordered: vn > un > wn > 0 where 0 denotes theconstant zero sequence. Of course, in�nitely large elements (close to +∞)) canalso be considered, e.g., sequences xu = n, yn =
√n, and zn = n2.
Unfortunately, this way of de�ning ?R does not make it totally orderedsince two sequences converging to zero cannot always be compared: if un andu′n are such two sequences, the three sets {n | un > u′n}, {n | un = u′n}, and{n | un < u′n} may even be all in�nite. The beautiful idea of Lindstrøm is toenforce that exactly one of the above sets is important and the other two can beneglected. This is achieved by �xing once and for all a �nitely additive positivemeasure µ over the set N of integers with the following properties:12
1. µ : 2N → {0, 1};2. µ(X) = 0 whenever X ⊂ N is �nite;
3. µ(N) = 1.
Now, once µ is �xed, one can compare any two sequences: for the above case,exactly one of the above three sets must have µ-measure 1 and the other ones
12The existence of such a measure is non trivial and is explained later.
9
have µ-measure 0. Thus, say that u > u′, u = u′, or u < u′, if µ{n | un > u′n} =1, µ{n | un = u′n} = 1, or µ{n | un < u′n} = 1, respectively. The same trickwill indeed work as well for lots of relations or operations on non-standard realnumbers, as we shall see. We now proceed with a more formal presentation.
4.2. Ultra�lters, ultraproducts, and the Transfer Principle
For I an arbitrary set, a �lter F over I is a family of subsets of I such that:
1. the empty set does not belong to F ,2. P,Q ∈ F implies P ∩Q ∈ F , and3. P ∈ F and P ⊂ Q ⊆ I implies Q ∈ F .
Consequently, F cannot contain both a set P and its complement P c. A �lterthat contains at least one of the two for any subset P ⊆ I is called an ultra-�lter.At this point we recall Zorn's lemma, which is known to be equivalent to theaxiom of choice:
Lemma 1 (Zorn's lemma). Any partially ordered set (X,≤) such that anychain in X possesses an upper bound has a maximal element.
It is easily seen that a �lter F over I is an ultra-�lter if and only if it is maximalwith respect to set inclusion. By Zorn's lemma, any �lter F over I can beextended to an ultra-�lter over I. Now, if I is in�nite, the family of sets F ={P ⊆ I | P c is �nite} is a free �lter, meaning it contains no �nite set. It canthus be extended to a free ultra-�lter over I. Thus:
Lemma 2. Any in�nite set has a free ultra-�lter.
Every free ultra-�lter F over I uniquely de�nes, by setting
µ(P ) ={
1 if P ∈ F0 if P 6∈ F
a �nitely additive measure µ : 2I 7→ {0, 1} such that µ(I) = 1 and µ(P ) = 0whenever P is �nite.13
Now, �x an in�nite set I and a �nitely additive measure µ over I as above.Let X be a set and consider the Cartesian product XI = (xi)i∈I . Say that(xi) ∼ (x′i) i� µ{i ∈ I | xi 6= x′i} = 0. Relation ∼ is an equivalence relationwhose equivalence classes are denoted by [xi] and we write
?X = XI/ ∼ (9)
Observe that X is naturally embedded into ?X by mapping every x ∈ X to theconstant tuple such that xi = x for every i ∈ I. Any algebraic structure over
13Observe that, as a consequence, µ cannot be sigma-additive (in contrast to probabilitymeasures or Radon measures) in that it is not true that µ(
Sn An) =
Pn µ(An) holds for an
in�nite denumerable sequence An of pairwise disjoint subsets of N.
10
X (group, ring, �eld) carries over to ?X by almost point-wise extension. Inparticular, if [xi] 6= 0, meaning that µ{i | xi = 0} = 0 we can de�ne its inverse[xi]−1 by taking yi = x−1
i if xi 6= 0 and yi = 0 otherwise. This constructionyields µ{i | yixi = 1} = 1, whence [yi][xi] = 1 in ?X. Observe that the existenceof an inverse for any non-zero element of a ring is stated by the following �rstorder formula: ∀x(x = 0 ∨ ∃y(xy = 1)). More generally:
Lemma 3 (Transfer Principle). Every �rst order formula is true over ?X i�it is true over X.
4.3. The sets ?R and ?N of non-standard reals and integers
We just apply the above general construction to X = R and I = N and wedenote by ?R the result, which is then a �eld according to the transfer principle.By the same principle, ?R is totally ordered by [un] ≤ [vn] i� µ{n | vn > un} = 0.
For u an arbitrary sequence of real numbers, let lim(u) ⊆ R = R∪{−∞,+∞}denote the (possibly empty) set of all limit points of sequence u: for x ∈ lim(u),let vk = unk
be a subsequence of u converging to x. If lim(u) 6= ∅, thereexists exactly one limit point x ∈ lim(u) such that µ{nk} = 1, and any otherlimit point yields a µ-measure 0 for the corresponding subsequence.14 Call xthe standard part of [xn] and we write x = st([xn]). In�nite x ∈ ?R have nostandard part in R.
It is also of interest to apply the general construction (9) to X = I = N, whichresults in the set ?N of non-standard integers. ?N di�ers from N by the additionof in�nite integers, which are equivalence classes of sequences of integers whoseessential limit is +∞.
4.4. Integrals and di�erential equations
Any sequence (gn) of functions gn : R 7→ R point-wise de�nes a function[gn] : ?R 7→ ?R by setting
[gn]([xn]) = [gn(xn)]
A function ?R → ?R which can be obtained in this way is called internal.Properties of and operations on ordinary functions extend point-wise to internalfunctions of ?R → ?R. For g : R→ R, its non-standard version is the internalfunction ?g = [g, g, g, . . .]. The same notions apply to sets. An internal setA = [An] is called hyper�nite if µ{n | An �nite} = 1; the cardinal |A| of A isde�ned as [|An|].
Consider an in�nite number N ∈ ?N and the set
T ={
0,1N,
2N,
3N, . . .
N − 1N
, 1}
(10)
14So far this was a bit of hand waving. To prove this, let x = sup{x ∈ R | [x] ≤ [xn]}, where[x] denotes the constant sequence equal to x. Since [xn] is �nite, x exists and we only needto show that [xn]− [x] is in�nitesimal. If not, then there exists y ∈ R, y > 0 such that either[y] < [xn]− [x] or [y] < [x]− [xn], a contradiction. The unicity of x is clear.
11
By de�nition, if N = [Nn], then T = [Tn] with
Tn ={
0,1Nn
,2Nn
,3Nn
, . . .Nn − 1Nn
, 1}
hence |T | = [|Tn|] = [Nn + 1] = N + 1. Next, consider an internal functiong = [gn] and a hyper�nite set A = [An]. We can then de�ne the sum of g overA by ∑
a∈A
g(a) =def
[ ∑a∈An
gn(a)
]If t is as above and f : R→ R is a (standard) function, we get
∑t∈T
1N
?f(t) =
[ ∑t∈Tn
1Nn
f(tn)
](11)
Now, if furthermore f is continuous, then∑
t∈Tn
1Nnf(tn) −→
∫ 1
0f(t)dt, and,
thus, ∫ 1
0
f(t)dt = st
(∑t∈T
1N
?f(t)
)(12)
Under the same assumptions, for any t ∈ [0, 1],∫ t
0
f(u)du = st
∑u∈T,u≤t
1N
?f(t)
(13)
Now, consider the ODE
x = f(x, t), x(0) = x0 (14)
where f : Rm × [0, 1]→ Rm is bounded and continuous. Rewriting (14) in inte-
gral form x(t) = x0 +∫ t
0f(x(u), u)du and then using (13), we get
x(t) = st
x0 +∑
u∈T,u≤t
1N
?f(x(u), u)
(15)
Set in (15) 1/N = ∂ which is > 0 and in�nitesimal, whence T = {tn = n∂ |n = 0, . . . , N}. Then, the expression in parentheses at the right hand side of(15) is the piecewise constant right continuous function ?x(t), t ∈ [0, 1] such that,for n = 1, . . . , N :{
?x(tn) = ?x(tn−1) + ∂ × f(?x(tn−1), tn−1)?x(t0) = x0
(16)
Formula (16) can be seen as a non-standard operational semantics for the ODE(14). In particular, the following holds:
12
Principle 1 (Standardisation Principle). Non-standard dynamical system(16) can always be considered, for any non-standard function f : ?R 7→ ?R.
If, however, f is internal and ODE (14) has a unique solution, then (15)holds, meaning that the standardisation of dynamical system (16) is solution ofthis ODE.
4.5. Non-Standard Analysis as a semantic domain for hybrid systems
We will use non-standard analysis as a semantic domain for hybrid systemsmodelers. Existing approaches to this end are the following, see [1] for a reviewof frameworks and tools.
The �rst type of approach was developed with the objective or performinganalysis of hybrid systems, see for example [16]. Emphasis is thus on decidabilityand complexity of the class of models, aiming at e�ectiveness of the analysisalgorithms. The typical model is referred to as hybrid automata in its di�erentvariants, see [4] for how to represent hybrid automata in modelers such as Scicos.This is a model in which continuous time dynamics is activated in each state(called location) of a �nite state machine, whose transitions can be guardedand triggered by conditions and events involving variables of the continuousdynamics. This model is too restricted and not �exible enough to serve as asemantic domain for hybrid systems modelers, with its requirements for fullcompositionality, not to speak of the handling of DAEs.
The second type of approach is indeed the current practice in most industrialuses of hybrid systems modelers, by restricting the underlying solvers to workwith �xed step size. Here, the aim is to have guaranteed repeatability of thesimulations, at the price of reduced accuracy. Some modelers in the early timesimplemented only �xed step size discretization schemes; an instance of this wasthe modeler o�ered with Matrixx.
More recently, authors have recognized that none of the above restrictionswas acceptable for a semantic domain for hybrid systems modelers. Indeed,Simulink itself relies on variable step discretization schemes. It is not easilycaptured by hybrid automata [17] and strong restrictions are imposed. Moreinteresting for our purpose is the work developed by the Ptolemy group, andparticularly by Ed Lee and Haiyang Zheng [18, 19]. In this work, the authorsinvestigate semantic issues related to the handling of zero-crossings and transi-tions in hybrid systems. Unfortunately, their work is made complicated by thepollution caused by issues of smoothness, Lipschitzness, existence and unique-ness of solutions, Zenoness, etc. This is particularly evidenced in section 6 of [18]on �Ideal Solver Semantics� and section 7 of [19] on �Continuous Time Models�.
4.5.1. Our approach
The use of non-standard analysis as a semantic domain for hybrid systemswill greatly simplify our task by adopting the following discipline:
1. We will make use of a time set T that is both dense in R and discrete inthat each instant in T possesses a unique previous and next instant, seeformula (16) and section 6.
13
2. Since T is discrete, we will be able to specify dynamical systems over T infull generality, without the need for referring to any kind of smoothnesscondition. Formula (16) is an instance of this. As a result, the non-standard semantics provided in section 6.1 will be extremely simple andelegant.
3. Having a simple operational semantics will allow us to develop a compre-hensive constructive semantics for hybrid systems in their full generality.Constructive semantics is the mathematical basis on which sound execu-tion schemes can be derived.
4. Did the problem with the smoothness condition miraculously disappear?Not quite so. But it is postponed to the very end, at run time, thanks toStandardisation Principle 1: if the considered hybrid system has a uniquesolution in the usual mathematical sense, then the standardisation of ouroperational semantics does compute it.
In other words, the issues of variable step discretization and the like do notinterfere with the generation of execution schemes, and are deferred to run time.Said di�erently, our approach cleanly separates the job of the computer scientist(de�ning a mathematically sound operational semantics and resulting executionschemes), from the job of the numerical analyst (properly con�gurating theODE/DAE solvers with the handling of zero-crossings).
5. A Mathematical Formalism for Hybrid Systems
In this section we develop a small �mathematical language� for hybrid sys-tems, we call it SimpleHybrid. By this we mean a formalism that has thefeatures of a language (a small set of primitive entities and statements, plus acomposition operator), but has an easy manipulation of its mathematics as aprimary target.
In this formalism, we take the point of view that signals are de�ned atany instant of R+. Discrete time signals are captured by signals having theirvalues sustained between the discrete instants where they change. This pointof view matches that of Simulink and other hybrid systems modelers. It is infact equivalent to the point of view of synchronous languages, where signals areabsent outside instants of their clock. Whether or not instants of change arehandled as types is the key issue, which is orthogonal to the choice among theabove two di�erent viewpoints.
Primitive statements of SimpleHybrid are equations of the following form:
Eq1 : y = f(x, x)Eq2 : y = last (x)Eq3 : τ = up(z)Eq4 : y = pre (x) init y0Eq5 : u = [z] every [τ ] init u0
Eq6 : y = x init y0 resetu
(17)
14
In (17) symbols u, x, y, z denote variables taken from an underlying set X ofvariables, and symbol τ denotes a clock variable taken from an underlying setT of clock variables. Symbols y0 and u0 denote values. Finally, dotted variablesx and y indicate derivatives. Equations Eq1�Eq6 de�ne dynamical systems, or,equivalently, sets of behaviors with time index set R+ = (0,+∞). For example,Eq1 means ∀t ∈ R : yt = f(xt, xt). Hybrid systems are speci�ed via sets ofequations of the form Eq1�Eq6, taken conjunctively.
In the following we give an informal explanation of the above primitives,without expliciting the needed continuity or smoothness assumptions for themto make sense. The corresponding mathematical semantics will be given in thenext section.
A clock is a subset of R+. We assume an underlying set T of clock variables,whose domain is the set of all clocks. Elements and subsets of T are genericallydenoted by τ and T , respectively. We identify τ with the boolean predicate itde�nes:
τt = if t ∈ τ then t else f (18)
We assume an underlying set X of variables and, a domain Dx for every x ∈ X .Variables are denoted by the symbols x, y, etc. For X ⊆ X �nite, a state overX is an element s ∈ DX , where DX =
∏x∈X Dx and a behavior over X is an
element σ ∈ R+ → DX . For x ∈ X, let σ(x) ∈ R+ → Dx be the x-coordinate ofσ, we call it a signal. By abuse of notation, and since no confusion will result,we write xt instead of σ → σ(t)(x) and τt instead of σ → σ(t)(τ). We nowbrie�y review the primitives listed in (17).
Eq1: means ∀t ∈ R : yt = f(xt, xt). An interesting instance of Eq1 is when x isa pair of variables (z, b) where b is boolean and f has the form
f(z, b) = if b then g(z) else h(z) (19)
Eq2: means yt = xt− =def lims↗t xs, i.e., yt is the left-limit of xs when sapproaches t from below.
Eq3: de�nes the clock τ such that, using convention (18):
τt = [zt− < 0] ∧ [zt ≥ 0]
Thus τ selects the instants t at which zt crosses zero from below, we callsuch a clock a zero-crossing. We will need to consider tuples (τ1 . . . τk) ofzero-crossings, denoted by the symbol [τ ].
Discrete versus Continuous. For each signal x, we assume a clock τx such thatx is guaranteed constant on the complement of τx. We call τx the clock of x.A signal is typed discrete if either it has been declared so, or if its clock issome zero-crossing. Otherwise it is typed continuous. The rationale for de�ning�discrete� in this way is twofold: 1/ it is a syntactic criterion and thus it can bestatically checked, and 2/ it generally matches the intuition of a discrete clock
15
� of course, property 2/ is not guaranteed in all cases; for tricky signals, setsof zero-crossings may very well be Zeno or even a Cantor set.
Some operators only apply to discrete signals. They de�ne discrete signalsby specifying a value for them at each instant of their clock. This by itself is notenough since it leaves the signal unde�ned before the �rst instant of its clock.An initial value is therefore provided to this end.
Eq4: assumes x discrete and de�nes y as the delayed version of x by settingτy = τx and setting the nth new value for y equal to the n− 1st one of x;an initial condition y0 is provided.
Eq5: For u a signal, u0 ∈ Rn a value, and [τ ] = (τ1 . . . τk) and [z] = (z1 . . . zk)two matching15 tuples of zero-crossings and signals, Eq5 states that u has
clock τ =⋃k
i=1 τi � hence u is discrete � and, for every t ∈ τ , ut = zt
holds, and ut = u0 for t < t1, the �rst instant of τ . Note that we do notrequire that z is discrete.
Eq6: For y, x two signals, y0 a value, and u a discrete signal, Eq6 states thatODE yt = xt holds with initial condition y0 and this ODE is reset to thevalue given by u at each instant of the discrete clock of u.
As said before, hybrid systems are speci�ed in SimpleHybrid via sets of equa-tions of the form Eq1�Eq6, taken conjunctively. As an illustration, composingODE Eq6 with statement x = f(y, v) of the form Eq1, and reset Eq5, yields theODE
y = f(y, v) init y0 reset [z] every [τ ] (20)
which means that ODE yt = f(xt) holds with initial condition y0 and this ODEis reset to a value given by zi each time zero-crossing τi occurs. Furthermore,
y1 = f1(y1, y2, v1) init y1,0 reset [z1] every [τ1]‖ y2 = f2(y2, y1, v2) init y2,0 reset [z2] every [τ2] (21)
where, for j = 1, 2: [τj ] = (τj,1 . . . τj,kj) and similarly for [zj ], can be given again
the form (20). This is achieved as follows, for the simple case where y1 and y2have both their values in R (the general case is handled similarly):
y0 ::=[y1,0
y2,0
], y ::=
[y1y2
], v ::=
[v1v2
]f(y, v) ::=
[f1(y1, y2, v1)f2(y2, y1, v2)
][τ ] ::= ([τ1] , [τ2]) = (τ1,1 . . . τ1,k1 , τ2,1 . . . τ2,k2)
[z] ::= ([z1] , [z2]) = (z1,1 . . . z1,k1 , z2,1 . . . z2,k2)
Thus, the following holds:
15Say that two tuples (u1 . . . uk) and (v1 . . . vl) arematching if they possess identical numberof components: k = l.
16
Lemma 4. Generic form (20) for a SimpleHybrid equation is closed underparallel composition.
Also, combining equations of the forms Eq5, and (20) with the special form (19)for f , allows to encode hybrid automata with their locations. This is developedin section 9.
6. A semantics of SimpleHybrid
Throughout this section we �x a basic in�nitesimal base step ∂. Follow-ing [13], as our universal time base we replace R+ by the non-standard set
T = {tn = n∂ | n ∈ ?N}
For t ∈ T, de�ne
•t = max {s | s ∈ T, s < t}t• = min {s | s ∈ T, s > t} (22)
We thus have •tn = tn−1 and t•n = tn+1. The key fact about T is that for everyu ∈ R+ there exists a unique t ∈ T such that •t < u ≤ t and t−u is in�nitesimal.Thus T is, at the same time, dense in R+, and can still be handled as if it wasdiscrete and totally ordered.
6.1. Non-standard semantics
We �rst repeat some of the material of the previous section with the neededadjustments. Then we give the non-standard semantics.
A clock is a subset of T. We assume an underlying set T of clock variables,whose domain is the set of all clocks. Elements and subsets of T are genericallydenoted by τ and T , respectively. We identify τ with the boolean predicate itde�nes, see (18). We assume an underlying set X of variables and, a domainDx for every x ∈ X . Variables are denoted by the symbols x, y, etc. For X ⊆ X�nite, a state over X is an element s ∈ DX , where DX =
∏x∈X Dx and a
behavior over X is an element σ ∈ T → DX . For x ∈ X, let σ(x) ∈ R+ → Dx
be the x-coordinate of σ, we call it a signal. By abuse of notation, and sinceno confusion will result, we write xt instead of σ → σ(t)(x) and τt instead ofσ → σ(t)(τ).
A hybrid system is a tuple S = (X,T,Σ), where X ⊆ X and T ⊆ T are�nite and Σ is a set of behaviours over X ∪ T . For Y ⊇ X ∪ T , we can lift Σ toY , written Σ↑Y , by taking all behaviours over Y whose projection over X ∪ Tare in Σ. Then, for Si = (Xi, Ti,Σi), i = 1, 2, we de�ne the parallel composition
S1 ‖S2 =(X,T,Σ1
↑X∪T ∩ Σ2↑X∪T
), (23)
where X = X1 ∪X2 and T = T1 ∪ T2.The hybrid systems we shall consider are the parallel composition of a �nite
set of statements of one of the forms Eq1�Eq6. Call Clocks(S) the (�nite)
17
set of all discrete clock variables involved in the speci�cation of S. A clockcon�guration for S is a map
κ : Clocks(S) 7→ {f,t}, (24)
assigning a truth value to each discrete clock variable of S. Clock con�gurationsare used to indicate the presence/absence of each discrete clock of S at a giveninstant t. A clock con�guration κ for S is called reachable if there exists abehavior σ and an instant t such that σ(t)(T ) = κ(T ) for every T ∈ Clocks(S).
The non-standard semantics of SimpleHybrid is given in table 1, secondcolumn. Note the semantics of τ = up(z), which corresponds to a �weak pre-
Eq1 : y = f(x, x)Eq2 : y = last (x)Eq3 : τ = up(z)Eq4 : y = pre (x) init y0Eq5 : u = [z] every [τ ] init u0
Eq6 : y = x init y0 resetuEq7 : S1 ‖S2, S1 = (X1,Σ1) , S2 = (X2,Σ2)
S non-standard semantics of S[[S]]: constructive[[S]]: semantics
Eq1 ∀t ∈ R+ ⇒ yt = f“xt,
xt−x•t∂
”xB y
Eq2 ∀t ∈ R+ ⇒ yt = x•t•xB y
Eq3 τt• = [z•t < 0] ∧ [zt ≥ 0] z B τ•
Eq4
discrete τy = τx
∀t < min(τy) ⇒ yt = y0
∀t ∈ τy ⇒ yt = x•t
discrete τy = τx
on τy : •xB y
Eq5
discrete τu = τ
∀t < min(S
i τui) ⇒ ut = u0
∀t ∈ τui \ (S
j<i τuj ) ⇒ ut = zi,t
on [τ ] : [z] B u
Eq6
∀t 6∈ τu ⇒ yt = y•t + ∂ × x•t∀t ∈ τu ⇒ yt = ut
on τu then uB yon τu else •xB y
Eq7
`X,Σ1
↑X ∩ Σ2↑X´ , X = X1 ∪X2 [[S1]] ‖ [[S2]]
Table 1: Non-standard semantics (mid column) and constructive semantics (right column) ofSimpleHybrid. For completeness, we recall the primitives stated in (17).
emption� in that the change in the sign of z at instant t results in emitting azero-crossing at the next instant t•.
18
The important fact about this semantics is that, unlike �xed step size (stan-dard) semantics, our semantics does not su�er from overshoot problems forzero-crossings or even Zenoness, or any need for mentioning continuity proper-ties, since steps are in�nitesimal but �discrete�. Still, this semantics is staticallyde�ned, as wanted.
As an illustration, the semantics of statement y = f(x, x) reveals that usingx to de�ne another signal is dangerous, since xt may not possess a standardpart if x has a jump at t � this, however, does not come as a surprise, sinceit is well known that taking derivatives of signals is risky, particularly so whensignals are noisy.
6.2. Constructive semantics
As for any synchronous language, the constructive semantics [5] formalizeshow a reaction should be executed, that is, how the di�erent actions should bescheduled at a considered instant. Di�erent approaches have been promoted forthis.
G. Berry [5] has advocated using a Scott domain with an extra value �unde-�ned�, to be interpreted as �not executed yet�; the domain of values is made a�at partial order by setting �unde�ned < any other value�, including the specialstatus absent, which is characteristic of synchronous languages. Using this extravalue, Esterel reactions are encoded as sets of equations in this Scott domain andthe minimal �xpoint is searched for, by iterating from the con�guration whereall variables and signals are unde�ned. If the �xpoint yields all of them uniquelyde�ned, then the program is deterministic and can be executed. An earlier ap-proach was proposed by F. Boussinot [20] based on micro-step automata, whichare automata describing what are the allowed schedules in decomposing a reac-tion into micro-steps supporting atomic operations. The above two approacheswere indeed shown equivalent for Signal [6]. Here we use the Scott semantics.
Scheduling constraints. Let ⊥ be a special value not belonging to any do-main Dx, to be interpreted as �not evaluated yet�.16 De�ne, for any x ∈ X ,D⊥x = Dx ∪ {⊥}. Write x = > to mean that x 6= ⊥. Let B be the followingscheduling constraint relating any two variables u and v with domains D⊥u andD⊥v , respectively:
uB v =def [u = > ∨ v = ⊥] (25)
that is, uBv means [v = > ⇒ u = >]. It formalizes that �v cannot be evaluatedstrictly before u�. In particular, for τ any clock,
∀t ∈ τ ⇒ xt B yt =def [xt = >] ∨ [yt = ⊥] ∨ [τt = f] (26)
16This notation deviates from the historically established use of symbol ⊥ in synchronouslanguages to denote absence. Absence of a signal in a reaction is a well de�ned status thatis the result of evaluating the considered reaction. �Absence� and �not evaluated yet� shouldtherefore not be confused.
19
where τt is de�ned in (18). Observe that statement v = f(u), where f is afunction, abstracts as u B v since v can be substituted by its evaluation f(u)everywhere. Relation B captures causality constraints within a system of equa-tions.
Pre- and post-variables. In writing the constructive semantics, we would like toabstract away dummy time index t. To this end, for each variable x ∈ X of theconsidered system S, we augment X with the two auxiliary variables •x and x•,such that •xt = x•t and x
•t = xt• hold for every t. The same convention applies
for discrete clock variables. Using these auxiliary variables and clock variables,time index t can be abstracted away from the constructive semantics. As anexample, the constructive semantics for statement 2 writes as
•xB y
and the constructive semantics for Eq6 writes as
on τu then uB y else •xB y (27)
Getting the constructive semantics. The constructive semantics is obtained byabstracting, in the non-standard semantics (second column of table 1), anystatement of the form yt = exp where expression exp involves variable xs, us,or τs for s = •t, t, t•, by the scheduling constraints xs B yt, us B yt, or τs B yt,respectively. For example, yt = f(xt) is abstracted as xt B yt, and similarly forthe other equations. Since no clock occurs on any consequent part of a zero-time causality constraint, preconditions such as �∀t ∈ τ ⇒� in the mid columnof table 1 do not impair the validity of the above mentioned abstractions. Theconstructive semantics is given in table 1, last column.
It is tempting to extend SimpleHybrid with the statement x B y, seen asa statement belonging to the generic family in row 1. Performing this makesit possible to express causality analysis of a SimpleHybrid program, and evenadditional scheduling constraints that the programmer may want to enforce, inthe language SimpleHybrid itself. This trick is not new; it was already usedfor the Signal synchronous language [7].
6.3. Various uses of the constructive semantics
In this section we develop various uses of the constructive semantics. Someof them are not very surprising, e.g., the hunting for causality circuits. Othersare less classical and do not appear in the study of synchronous languages.
Avoiding causality circuits. Using the above abstraction, for each given clockcon�guration of S, the transitive closure of relation B is a pre-order on X � byabuse of notation, we call it also B. If S is such that B is a partial order for anyreachable clock con�guration (see (24) and below), this means that no causalitycircuit occurs in S and the di�erent variables can be evaluated according toany order compatible with B. Since no clock occurs on any consequent part ofa zero-time causality constraint, the only possible cause of circuits in relation
20
B is via sets of statements of the form Eq1. We thus formally justify herethe rule that no delay-free, derivative-free, data �ow circuit should exist in theconsidered program. If this condition is satis�ed, topological sorting yields thedue scheduling. In other words, the classical technique used, e.g., for Lustreand SCADE, works here as well. We assume this condition to be in force in theremainder of this section and in section 7.
Single assignment condition. Say that system S obeys the single assignmentcondition if no variable of S sits on the left hand side of two or more equations,except for the following case, where xi, i = 1 . . . k denote di�erent variables:
for i = 1 . . . k ⇒ on τi : y = xi
and∧k
i=1 τi = f(28)
Of course, condition (28) is undecidable in general and approximations must befound instead. The following result holds:
Lemma 5. If S possesses no causality circuit and obeys the single assignmentcondition, then it is deterministic and partial order B at each clock con�gurationspeci�es all correct scheduling for the execution of S.
Bond Graph's causality analysis. Our constructive semantics can be slightlyenhanced to encompass the �causality analysis� performed in Modelica or inBond Graphs [2, 21]. To this end, suppose that Eq1 is replaced by the followingstatement, where we remove the reference to x to simplify the analysis:
Eq1′ : C(X), whereC is solvable for Y ⊂ X (29)
The meaning of (29) is as follows. C(X) denotes a constraint relating the tupleof variables belonging to X. The additional statement means that, for anyvariable belonging to the subset Y of X, this constraint can be re-expressed asa function returning this variable. Typical examples are the constraints de�nedby the series and parallel junctions in Bond Graphs [2, 21], where so-called�e�orts� and ��ows� sum up to zero, respectively, e.g.: x + y + z = 0. Forthis case, we have X = Y = {x, y, z}, since we can rewrite this junction asz = −x − y, etc. Instances of these junctions are given by the Kirchho�'slaws in electrical circuits. Of course, a constraint being solvable relies on theavailability of a suitable rewriting engine. Then, the constructive semantics for(29) is
Eq1′ :∨
y∈Y
(X − {y}) B y (30)
this is, this constructive semantics consists of a disjunction of causality con-straints. Then, the causality analysis �à la Bond Graph� consists in computing,for each clock con�guration, the disjunction of all compatible conjunctions ofcausality constraints selected from each instance of equation of the form Eq1′
21
in the considered SimpleHybrid system. If, furthermore, inputs to the system(called �sources� in the jargon of bond graphs) are speci�ed by the designer,then the subset of solutions compatible with this speci�cation can be inferred,if non-empty.
Managing ODE solvers. Let ./ be the smallest equivalence relation on the setof variables of S such that x ./ y if •x B y and •y B x both hold in the clockcon�guration that is identically f (meaning that the considered instant doesnot belong to any discrete clock). Equivalence classes for ./ are written inbold italics, e.g., [x] , [y]. etc; we regard them as tuples of variables and callthem clusters. Cluster [x] is such that every component of it causally dependson every component of • [x]. By the non-standard and constructive semanticsof SimpleHybrid, variables belonging to a same cluster belong to a systemof interconnected ODEs as in (21). On the other hand, by lemma 4, genericform (20) for a SimpleHybrid equation is closed under parallel composition.Equivalence relation ./ will thus be useful in managing ODE solvers.
Controlling the use of derivatives in expressions. While statement Eq1 alwayshas a meaning according to the non-standard semantics (table 1), it clearlycauses trouble if the quotient (xt−x•t)/∂ cannot be standardised, see principle 1.This is clearly the case if the underlying SimpleHybrid system S makes xnot di�erentiable at st(t), the standard part of t. Di�erentiating signals isknown to be problematic. Of course, one drastic counter-measure would consistin forbidding the presence of derivatives on the right hand side of Eq1. Butthis is not an acceptable solution � indeed, the venerable PID control involvesdi�erentiation (the �D�). Even modern nonlinear control techniques, particularlyfor open-loop control, use derivatives in expressions de�ning the feedback � anexample of this is the control synthesis technique developed for so-called ��at�systems by Michel Fliess [22].
Non di�erentiable (or poorly di�erentiable) signals can occur in case of noisymeasurements. This is a well known fact that must be dealt with using suitablepre-processing of the measured signals, or by only integrating, but not di�eren-tiating, them. This kind of engineering is important but is clearly beyond thescope of this work.
On the other hand, signal x can become non-di�erentiable at some instantt where the equation that produced it was subject to reset; or if x uses, forits de�nition, some other signal z that experienced this situation; or etc, in-ductively. But we have a syntactic characterization of instants of reset (thezero-crossings) and we can keep track of dependencies using the constructive se-mantics. Hence we are fully prepared to warn the designer of a risk of instantsof non-di�erentiability, for a signal, by simply using the constructive semanticsin combination with our discrete/continuous typing for the clocks.
22
7. Execution schemes for SimpleHybrid
7.1. Non-standard schemes
From the previous section we deduce that the set of allowed schedulings forthe causality constraints of the non-standard semantics only depends on theclock con�guration at the considered instant t, that is, the tuple of values of τtfor τ ∈ Clocks(S). The non-standard execution scheme for S follows:
Execution Scheme 1 (non-standard execution scheme).
• Each cluster of variables is assigned a dynamics of the form given in line6, mid column, of table 1.
• At zero-crossings, signals are evaluated according to any scheduling com-patible with the causality constraints in force at the corresponding clockcon�guration.
From the analysis developed in section 6, the following theorem holds:
Theorem 1. Scheme 1 computes all behaviours of the non-standard semantics.
7.2. Standard schemes
From execution scheme 1, the corresponding standard execution scheme isderived (this execution scheme is the one being actually implemented):
Execution Scheme 2 (standard execution scheme).
• Each cluster of variables is assigned an ODE solver, which continues com-puting the solution of the underlying ODE until a zero-crossing occurs.
• At zero-crossings, signals are evaluated according to any scheduling com-patible with the causality constraints in force at the corresponding clockcon�guration.
Observe that this execution scheme uses in general several solvers. Note alsothat theorem 1 does not directly support the standard execution scheme. Thekey point is that, thanks to standardisation principle 1, if suitable smoothnessproperties hold that ensure existence and uniqueness of solutions of ODEs andnon-Zenoness of zero-crossings, then execution scheme 2 will compute the actual(standard) behavior of the considered system.
We have thus been able to generate correct execution schemes for hybridsystems without having the need to consider issues related to numerical analysis.
23
7.3. Sources of non-determinism
Lemma 5 proves that well formed systems (i.e., systems satisfying the as-sumptions of this lemma) are deterministic. This result, however, is not robustagainst numerical approximations due to ODE solvers. The problem is withstatement 6 of table 1, namely the ODE with reset. Depending on which resetevent τi occurs �rst among the tuple [τ ], a di�erent reset signal ui from resettuple [u] will be used to reset the ODE. In case two di�erent zero-crossings τiand τj occur close to each other, the result of the simulation can depend on thediscretization scheme used in the neighborhood of the two zero-crossings. Ofcourse, adaptive discretization schemes are best suited at handling this properly,but no �rm guarantee can be given in general.
This unavoidable source of nondeterminism does not come as a surprise.It already arises with synchronous languages, where nondeterminism occurs atthe boundary between physical time (the real-time) and logical time (of thesynchronous program), except for so-called �endochronous� synchronous pro-grams [6, 23] where the synchronous program itself involves enough rigidity toimpose its internal timing to the physical environment.
In the case of SimpleHybrid, this would correspond to either inferringthrough program analysis or asserting exclusion/inclusion properties betweendi�erent zero-crossings as part of system S. Endochrony and related propertiesfor hybrid systems are left for future investigation.
8. Some problems with hybrid systems modelers
In this section we collect a few representative artifacts encountered in exist-ing hybrid systems modelers.
8.1. A surprising Simulink example
Figure 1 shows a Simulink diagram. This is an example of a system consistingof two subsystems S1 and S2 that are not causally related. Although S1 hasin principle no e�ect on S2, re-tuning its simulation parameters changes thebehavior of S2 drastically.
Observe that, in system S2, we have provided a continuous time signal as aninput to a memory operator and a 1
z operator. Both operators are intended toget discrete time signals as inputs � actually, the warning returned by Simulinkrecommends using memory instead of 1
z when inputs are continuous time. In anycase, since both operators are shift registers, a discrete clock must be assumed.Since no such clock is speci�ed, the simulation engine infers one, seemingly byinferring it from the bandwidth of the input continuous time signal. This de-sign choice obeys the fundamental philosophy that a Simulink diagram should(most) always have a meaning, even though implicit conversions or interpre-tations might be necessary in some cases. This example is typical of realisticsituations where S2 would be a system for monitoring, and S1 an observer forthe open loop inputs of S2.
Figure 2 shows joint plots for the outputs produced by Scope2 of system S2,
24
Unit Delay2
z
1
Unit Delay1
z
1
Sine Wave
Scope2
Scope
Memory
Integrator
1s Add1
Add
Figure 1: The Simulink program Hectic Sampler. It consists of two sub-systems S1, compris-ing the three blocks UnitDelay1, Add, and Scope, and S2 consisting of the blocks UnitDelay2,Add1, Memory, and Scope2.
for di�erent parameter tuning of the operator Delay1 in S1. Results are signif-icantly di�erent, although this is not expected because S1 has no direct e�ect onS2. At simulation, however, S1 has an indirect e�ect on S2 because simulation isperformed globally and thus the solvers adapt their integration schemes on-lineby considering the entire program. For this example, the combination of
• insisting that statuses �discrete time� and �continuous time�, and �activa-tion clocks� of discrete time blocks shall not be handled as types;
• feeding the entire program to a single, global, solver;
has resulted in very hectic simulation results for this Simulink example. In con-trast, we would recommend adopting converse policies for both items, namely:
• to handle statuses �discrete time� and �continuous time�, and �activationclocks� as types. In this paper we propose a �rst step by only consideringdiscrete/continuous as a type, but not the activation clocks.
• to adopt �ne grain management of the ODE/DAE solvers using ExecutionScheme 2 of Section 7.
Of course, we understand that strong typing may at times put an unacceptableburden on the shoulders of the designer. But well sound type inference could
25
1.5 2 2.5 3 3.5 4 4.5 55
0
5
1
0.5
0
0.5
1
1.5
2
2.5
5
0
5
5
0
5
Time offset: 0
3.8 4 4.2 4.4 4.6 4.8 5 5.25
0
5
5
0
5
0.4
0.2
0
0.2
0.4
0.6
0.8
1
5
0
5
Time offset: 0
Figure 2: Simulation plots for di�erent tunings of Hectic Sampler (left - all clocks left to -1)
be formally de�ned and documented, and, for the cases not covered by typeinference, either the problem would be hand over back to the designer, or do-main speci�c inference rules could be invoked that are documented in a speci�cpackage collecting �type inference policies�. Appendix A gives an other exampleof a hectic Simulink with an incorrect use of a discrete delay.
8.2. Modelica: sample problems
Here are some typical examples of di�culties when handling zero-crossings [24].We illustrate them in Modelica but they are generic di�culties. Our �rst ex-ample is (x is given initial condition 0):
equation
x = time * time/2;
der(y) = time;
when (x>2) then
z = pre(z) + 3;
v = u + 1;
end;
when (y>2) then
u = z + 1;
end
Two zero-crossings occur, when x > 2 becomes true and when y > 2 becomestrue. Observe that the two when blocks interact as they both refer to the shared
26
variables u and z. We know that y = x, but, of course, checking for such anequality is undecidable in general. So, one could basically only expect to beable to prove equality or inclusion for two zero-crossings related via a restrictedclass of relations � not covering the above case. Consequently, the two when
blocks would interleave in a non-deterministic way in this case, thus leading tonon deterministic simulation results.
For our second example, we provide two variants:
equation
der(x)=x;
when x>1 then
d=pre(d)+1;
end when;
when d>2,2*d>4 then
a=pre(a)+1 ;
end when;
.
.
.
equation
der(x)=x;
when x>1 then
d=pre(d)+1;
end when;
when x>1 then
e=pre(e)+1;
end when;
when d>2,e>2 then
a=pre(a)+1 ;
end when;
Depending on whether the compiler can prove equalities [d > 2] = [2d > 4]or d = e, counter a will be incremented once or twice. Not surprisingly, dif-ferent Modelica engines would get di�erent results. Such undesirable artifactshave been lengthly discussed and analysed by Ramine Nikoukhah in variousunpublished memos [24].
The very cause of this non determinism is the use of interleaving semantics,which in turn is a consequence of Modelica having an imperative style for itswhen blocks. As we said in our introduction, Modelica su�ers from a schizophre-nia: while it handles equations as constraints, thus supporting DAEs, the whenblocks are imperative in style.
This suggests pushing to its very end the declarative and equational styleof Modelica, by having both equations as well as when blocks being handledas constraints. Of course, the di�culty is then to perform the resulting, moredelicate, causality analysis. Our constructive semantics of Section 6.2 paves theway toward this objective, which remains to be addressed.
9. Proposal for a single assignment language and its type system
In the following section we propose a simple single assignment language,with minimal type system with two types continuous and discrete. This min-imal proposal could be the basis for a typed version of Simulink, where cleandistinction would be made between continuous and discrete.
9.1. A single assignment language
We consider the following programming language kernel. Compared to themathematical language considered previously, it is possible to write complex
27
expressions and to de�ne functions.
d ::= let f(p) = e | d; de ::= x | v | op(e) | e fby e | last(x) | der(e)
| up(e) | f(e) | (e, e) | if e then e else e| p where E
p ::= (p, p) | xh ::= e every e || ... || e every eE ::= x = e | der(x) = e init e reset h
| x = h init e | E and E
A program is a sequence of global declarations (d) of n-ary functions oversignals (let f(p) = e). Expressions are made of variables (x), immediate values(v), the application of an external primitive (op(e)) an initialized delay (e fby e),the left limit of a signal (last(x)), the application of a function to its argument(f(e)), a mux (if e then e else e), a zero-crossing (up(e)) and a local declaration(p where E). p denotes a pattern, that is, a variable (x) or a pair of patterns((p, p)). An expression p where E returns the value of p where variables used inthe pattern p are de�ned among the set of equations in E. A set of equationsE may de�ne a signal which evolves at discrete instants according to a tuple ofzero-crossing (x = h init e). e de�nes the value of x at every instant strictlybefore the very �rst occurrence of a zero-crossing in h. h is a non empty tupleof the form e1 every z1 || ... || en every zn. The zero-crossing z1, ..., zn areconsidered sequentially, that is, if several are considered to be true at the sametime, only the �rst in order is e�ective (as discussed in Section 7.3). x evolvesat discrete instants when a zero-crossing occurs. Otherwise, x keeps its previousvalue. An equation may also de�ne the derivative of a continuous signal witha reset handler (der(x) = e init e reset h). The reset handler h is again alist of pairs of the form ei every zi where zi is a zero-crossing expression. Thecontinuous state variable x is reset with value ei every time zi is true. Finally,(x = e) de�nes the signal x which equals e.
We provides several short-cuts. The equation
der(x) = e init e0
is a short-cut for the equation
der(x) = e init e0 reset e0 every up(0.0)
that is, no reset occurs. We also allow for separating the de�nition of thederivative from its initial value. An initialized equation
der(x) = e init e0 reset h
can also be written
init(x) = e0 and der(x) = e reset h
The interest of this notation will become clear when de�ning hybrid automata.
28
9.2. Translation into SimpleHybrid
Compared to the mathematical language, we write der(x) instead of x.Then, the language can be translated into SimpleHybrid by applying the fol-lowing rules:
1. The delay operator e0 fby e1 and the left-limit last(x) are extracted fromexpressions in order to obtain equations of the form:
py = pre(y) init e or lx = last(x)
Let x = h[e1 fby e2] init e0 and h containing an expression e1 fby e2.The equation is translated into x = h[y] init e0, adding the two equa-tions py = pre(y) init e1 and y = e2 init e1. y and py must be freshvariables.
2. In the same way, any expression e = C[last(y)] is replaced by C[ly],adding the equation ly = last(y) provided ly is a fresh variable.
3. Since the mathematical language consider in previous sections does notconsider user-de�ned functions, these are simply inlined. Every func-tion application of a user-de�ned function f is replaced by its de�nition.Then, the following simpli�cation applies: x = C[e where D] and D′ isrewritten D and x = C[e] and D′ provided the set of variables de�nedin D do not intersect the set of free variables in D′. In the same way,der(x) = C[e where D] and D′ is rewrittenD and der(x) = C[e] and D′.
9.3. A Minimal Type System
As identi�ed in Section 5, certain primitives can only be applied at discreteinstants while others can be applied continuously. Deciding statically whether asignal is discrete or not is out of reach in a realistic programming language. Wehave thus followed a more pragmatic point-of-view: a signal has kind discrete ifit can be proved that it evolves at discrete instants, that is, on the detection of azero-crossing. Otherwise, the signal is non discrete and we say that it is of kindcontinuous. Compared to the mathematical language introduced in Section 5,the programming language is an expression language. This introduces an extradi�culty as expressions such as:
der(x) = 1 + 0 fby 1
would be syntactically correct. It is nonetheless ambiguous since the instantwhere 0 fby 1 is computed is unknown.
We propose a type system where the kind is not associated to a signal but toan expression. When an expression contains a sub-expression v fby e or pre(e)then the expression must necessarily appear under a zero-crossing up(x), thatis, to be activated when up(x) becomes true. We say that v fby e and pre(e)have kind D. Then, a discrete expression must only appear under the control ofa zero-crossing. E.g., the equation:
y = 1 + 0 fby y + 1 every up(x) init 0
29
is valid whereas:y = 1 + 0 fby y + 1 init 0
is rejected. In the same way, the equation:
der(y) = 1 + (0 fby 1 + 1)
is also rejected since the activation clock for the stream 0 fby 1 is unknown.This is �xed by writing, e.g.:
v = 0 fby 1 every up(x) and der(y) = 1 + v
The intuition is to assign a type signature t1k→ t2 to a function f where k
stands for its kind. k = C means that f can be used anywhere in the programwhereas k = D means that f can be used only in a discrete expression underthe control of a zero-crossing. We de�ne the order ⊆ between kinds such that,for any k, k ⊆ k and k ⊆ C. The type language is given below. σ de�nes typesschemes where β1, ..., βn are type variables. A type t can be a pair (t × t), atype variable β or a base type (bt). zero stands for the type of a zero-crossingcondition. By making it abstract, it can be distributed and there is no possibleconfusion between two zero-crossings. If z is the result of a zero-crossing, zis only equal to itself. This is the responsibility of the solver to ensure thisinvariant.
σ ::= ∀β1, ..., βn.tk→ t
t ::= t× t | β | btk ::= D | Cbt ::= real | int | bool | zero
Typing is de�ned by the following four predicates:
G,H `k e : t G,H `k E : H ′ `pat p : t,H G,H ` h : t
where:G ::= [f1 : σ1; ...; fn : σn]H ::= [ ] | H, der(x) : t | H,x : t
The �rst predicate states that under the global environment G and local en-vironment of signals H, expression e executed in context k is given the typet. The second states that the equation E under context k produces the typeenvironment H ′. The third one de�nes the type and environment produced bya pattern p. No kind is necessary for patterns. The last one states that a resethandler h de�nes a value of type t. Here again, no kind is necessary.
A global environmentG assigns type schemes (σ) to global identi�ers whereasH assigns types to variables. We mark continuous state variables whose deriva-tive is de�ned (hence, the link der(x) : t in H). If H1 and H2 are two en-vironments, H1 + H2 is the union of the two, provided their domain do notintersect.
30
Programs are typed under an initial global environment G0. Primitive state-less operators (typically imported from a host language) can be applied in anycontext. We only give the signature of the addition and the equality importedoperations. The unitary delay can only be applied in a discrete context. Theconditional if . then . else . can be used in any context.
(+) : int× intC→ int
(=) : ∀β.β × β C→ bool
der(.) : realC→ real
pre(.) : ∀β.β D→ β
fby . : ∀β.β × β D→ β
up(.) : realC→ zero
if : ∀β.bool× β × β C→ β
9.3.1. Generalization and Instantiation
Types schemes (σ) are obtained from types by generalizing their free vari-ables. Since functions are de�ned globally, type variables can all be generalized.gen .(.) returns the generalization σ of t1 → t2.
gen (t1k→ t2) = ∀β1, ..., βn.t1
k→ t2if {β1, ..., βn} = FV (t1 → t2)
A type scheme can be instantiated by replacing type variables by actual types.
Inst(σ) is the set of all possible instantiations of σ. In doing so, a type t1k→ t2
can be instantiated by replacing its kind k′ by any kind k′ such that k′ ⊆ k.
k′ ⊆ k
(t k′→ t′)[t1/β1, ..., tn/βn] ∈ Inst(∀β1, ..., βn.tk→ t′)
Typing rules are given in Figure 3. The de�nition of the derivative for x iswell typed if e1 and e2 are of type real in a continuous context and h is welltyped (rule (der)). Parallel equations (E1 and E2) are well typed if E1 and E2
are well typed (rule (and)). The overall kind of the system is k if both E1 andE2 are typed with kind k. An equation x = e is supposed to de�ne a continuoussignal x and, hence, e is typed under the kind C (rule (eq-continuous)). Anequation x = h init e activates x at discrete instant only when a zero-crossingfrom the handler h occurs. For that, h must be well-typed producing a valueof type t which is also the type of e. Since e is not guarded by a zero-crossing,its context is k (rule (eq-discrete)). An application f(e) is of type t′ if the
instantiated type of f is tk→ t′ and e1 is of type t. Moreover, the kind of f must
match the kind of the context (rule (app)). As a consequence, it is not possibleto use a function with kind D in a context expecting a kind C. A local de�nitionp where E is well typed if E is well typed, it produces a local environmentH andp is well typed in H (rule (where)). The access to the left limit last(x) is only
31
allowed for continuous state variables (de�ned by a derivative) (rule (last)).The next rule gives on an example the typing rule for a constant (const). If xis de�ned with type t, it can be used in any context with the same type (rule(var)). A pair (e1, e2) is of type t1 × t2 if e1 is of type t1 and e2 is of type t2(rule (pair)). The next two rules build initial environment for patterns (eitherinputs or outputs) (rules (pat-pair) and (pat-var)).A function de�nition for t
receive the type signature t1k→ t2 if its input pattern has type t1 and its result
is typed t2 under context k. The type signature is then generalized (rule (def-
node)). Function de�nitions are typed sequentially and their typing producesa new global environment (rule (def-seq)). Finally, a handler h is well typed ifevery expression ei is of type t and zi is of type zero (rule (handler)). Notethat no kind constraint is imposed on ei since it is activated only when zi istrue.
9.4. Examples
We end this section with a few examples. The usual Lustre counter is written:
let counter(base, x) = o where
o = 0 fby o + if x then 1 else 0
every base init 0
which receive the type signature zero × boolA→ int. The parameter base
de�ne the instants where o is computed and it must be the result of a zero-crossing. For example, base can be instantiated with a periodic condition (-.,*. stand for the unary minus and binary multiplication on �oating point num-bers).
let counter_every_ten_second(x) = o where
der(time) = 1.0 init 0.0 reset 0.0 every z
and
z = up(last time -. 10.0)
and
o = counter(z, x)
The Bouncing Ball with initial position x0,y0 and initial speed x'0,y'0 isde�ned in the following way:
node bouncing(x0,y0,x'0,y'0) = (x,y) where
der(x) = x' init x0
and
der(x') = 0.0 init x'0
and
der(y) = y' init y0
and
der(y') = -. g init y'0 reset -. 0.9 *. last y' every res
and
res = up(y)
Every time the ball hits the ground, its initial speed equals 0.9 *. last y'.
32
(der)
G,H `C e1 : real G,H `C e2 : real G,H ` h : realG,H `k der(x) = e1 init e2 reset h : [der(x) : real]
(and)
G,H `k E1 : H1 G,H `k E2 : H2
G,H `k E1 and E2 : H1 +H2
(eq-continous))
G,H `C e : tG,H `k x = e : [x : t]
(eq-discrete)
G,H ` h : t G,H `k e : tG,H `k x = h init e : [x : t]
(app)
tk→ t′ ∈ Inst(G(f)) G,H `k e1 : t
G,H `k f(e) : t′
(where)
G,H `k E : H G,H ` p : tG,H `k p where E : t
(last)
G,H + [der(x) : t] `k last(x) : t
(const)
G,H `k 4 : int(var)
G,H + [x : t] `k x : t
(pair)
G,H `k e1 : t1 H `k e2 : t2G,H `k (e1, e2) : t1 × t2
(pat-pair)
`pat p1 : H1 `pat p2 : H2
`pat p1, p2 : t1 × t2, Hp1 +Hp2
(pat-var)
`pat x : t, [x : t]
(def-node)
`pat p : t1, Hp G,Hp `k e : t2
G ` let f(p) = e : [f : genG(t1k→ t2)]
(def-seq)
G ` d1 : G1 G,G1 ` d2 : G2
G ` d1; d2 : G1 +G2
(handler)
∀i ∈ {1, .., n} G,H `k ei : t G,H `C zi : zeroG,H ` e1 every z1 || ... || en every zn : t
Figure 3: The Type System
33
9.5. Hybrid Automata
The language is expressive enough to translate hybrid automata. The precisetranscription of hybrid automata would certainly deserve more attention andprecision. The purpose is to give the intuition of the translation on three repre-sentative examples. The syntax we consider is reminiscent to Mode-automataof Lucid Synchrone [25]. We present it only informally through examples.Consider the following two state automaton:
init x = 0.0
and
automaton
| S1 do der(x) = 1.0
until up(x -. 10.0) then S2
| S2 do der(x) = -1.0
until up(-. x +. 10.0) then S1
end
The continuous state variable x is initialized with value 0 and alternatesbetween 10.0 and -10.0. S1 is considered as the initial state. In state S1, xincreases with slope 1.0 (equation der(x) = 1.0) while in state S2, it decreaseswith slope -1.0 (equation der(x) = -1.0). This automaton is translated intothe following set of equations:
init x = 0.0
and
z = if pstate = S1 then x -. 10.0 else -. x +. 10.0
and
der(x) = if pstate = S1 then 1.0 else -1.0
and
nstate = if pstate = S1 then S2 else S1
every up(z)
init S1
and
pstate = pre nstate init S1
The initial value of x is 0.0. The second equation de�nes the signal z on whicha zero-crossing will be tested. The third equation de�nes the state variable x
which is either 1.0 or -1.0 depending on which state is active. Then, whena zero-crossing occurs � z becomes positive � the next state is computed.Finally, pstate stand for the previous value of nstate and is initialized withvalue S1. Observe that nstate is discrete since its modi�cations are guardedby the zero-crossing up(z).
We consider the case where the continuous state must be reset. In exist-ing notations for hybrid automata (e.g., [16]), state variables can be reset ontransitions. Instead, we use the existing feature of Mode-automata in Lucid
Synchrone.
init y = y0
34
and
init y' = y'0
and
automaton
| S1 do der(y) = y' and der(y') = -g
until up(-. y) then S2(-. y')
| S2(yi)
do der(y) = y' and der(y') = 1.0 init yi
until up(y -. 10.0) then S1
end
Without entering into details of the introduced notation, we write S2(yi) tostate that S2 is a parameterized state with an initial value yi. When the targetstate S2 is �red, it is given an initial value yi used to initialize the variable y'.The automaton is translated into:
init y = y0
and
init y' = y'0
and
z = if pstate = S1 then -. y else y -. 10.0
and
der(y) = if pstate = S1 then y' else y'
and
der(y') = if pstate = S1 then -g else 1.0
reset yi every z
and
yi = if pstate = S1 then -. y' else last y
every up(z)
and
nstate = if pstate = S1 then S2 else S1
every up(z)
init S1
and
pstate = pre nstate init S1
The encoding follows the same principle as exposed previously. z gathersthe two zero-crossing expressions. Then, we merge the two de�nitions for y
according to the active state. For y', we must take into account the fact that itis reset when going from state S1 to state S2. The solution is to reset its valuewith yi at every zero-crossing. yi is initialized to -. y' every time there is atransition from state S1 to state S2. Otherwise, yi is initialized with the lastvalue of last y'. Then, as previously, nstate de�nes what is the next activestate while pstate de�nes its previous value.
The last example exposes how a sequence of zero-crossing arriving in a stateare handled. Consider a variant of automata one.
init x = 0.0
and
35
automaton
| S1 do der(x) = 1.0
until up(x -. 10.0) then S2
| up(y) then S3
| S2 do der(x) = -1.0
until up(-. x +. 10.0) then S1
| up(-y) then S1
| S3 do der(x) = -2.0
end
The translation is given below:
init x = 0.0
and
z1 = if pstate = S1 then x -. 10.0
else if pstate = S2 then -. x +. 10.0
else 0.0
and
z2 = if pstate = S1 then y
else if pstate = S2 then -y
else 0.0
and
der(x) = if pstate = S1 then 1.0
else if pstate = S2 then -1.0
else -2.0
and
nstate = (if pstate = S1 then S2
else S1) every up(z1)
| (if pstate = S1 then S3
else S1) every up(z2)
init S1
and
pstate = pre nstate init S1
In this encoding, two zero-crossing variables z1 and z2 have been introduced.Then, they are considered in sequence when changing the value of nstate.
The purpose of the exposed type system is to separate what can be com-puted safely at discrete instant and what can be computed continuously. Thesystem gives the minimal constraints for this separation and is extremely sim-ple to incorporate to an existing type system: the only modi�cation is thekind k added to function types. One characteristic of the language is to attachkinds to equations, not to signals. This leads to a simple separation and theability to implicitly use a discrete signal in a continuous context (vice-versa).This is pretty much what is done in synchronous languages based on activationconditions. The bad consequence is to raise initialization issues, forcing everyequation to be associated to an initial default value. Providing a type-systemwhich eliminate these issues should certainly be considered in the future.
36
10. Related work
Studies on hybrid systems modelers from a semantics point of view are notso numerous. We discuss the few we consider relevant for comparison. Firstof all, we would like to recall the legacy work [26] by one of the authors. Infact, the agenda presented in that paper closely resembles the one we develophere. Except that, in [26] the tool of non-standard analysis was not used. As aconsequence, [26] su�ers from some hand waving, as a careful reader can notice.
10.0.1. The work of the Ptolemy group
Perhaps the closest attempt similar to ours is the work of the Ptolemy group,by Ed Lee and Haiyang Zheng [18, 19]. This work addresses the problem ofhandling discontinuities in hybrid systems modelers. A typical situation wherethis happens is the following. Consider an ODE x = f(x, u), where u is someinput signal and initial condition is discarded. Suppose that, at the �rst instantwhere g(x) ≤ 0 for some real-valued function g, the above ODE is reset tox = h(v) for some other input signal, and then it restarts and the same repeats.Then, in properly handling this resetting mechanism, the following landmarkvalues for x must be considered:
• the �rst x where g(x) ≤ 0 holds in the ODE;
• the resetting value x′ = h(v) at the same instant.
From the mathematical viewpoint, the two values for x occur at the same time,but they are clearly causally ordered. This schizophrenia for x is unavoidable.Following the idea of tagged signals initially proposed by [27], this was solvedin [18, 19] by tagging events with an extended time index taken from index setR+ × N equipped with the lexicographic order, and the above two values forx would get indexed as xt,0 and xt,1 = x′, respectively, where t ∈ R+ is thecommon real instant at which the two events occur. Tag set R+ ×N is referredby the authors as the super-dense time.
Note that this type of multi-dimensional time set was considered earlier fordiscrete time systems models in the area of synchronous languages [7], and inparticular Signal [28]. It was in particular shown in [28] that, if synchronoussystems are de�ned as systems progressing by a sequence of successive reactions,then the index set τx of any signal x (the �clock� of x) must have the followingform:
((((Id ↓ b1) ↑ r1) . . .) ↓ bK) ↑ rK (31)
where 0 < K < ∞ is an integer, Id is the identity clock having its nth tickat discrete base time n, clock τ ↓ b is obtained by keeping, in τ , only thoseinstants t where predicate bt holds true, and clock τ ↑ r inserts 0 ≤ rt < ∞additional, totally ordered, instants right after instant t ∈ τ . Operation ↓ is thedown-sampling operator �when� of synchronous languages, and operation ↑ isthe up-sampling mechanism that is speci�c to Signal. Formula (31) generalizesand re�nes the super-dense time of [18, 19] by making explicit the number of
37
instants used in the additional dimension for time. For our previous example ofODE with resetting, this would correspond to taking the following clock for x,namely:
(Id ↓ [g(x−) > 0 ∧ g(x) ≤ 0]) ↑ 1
where the predicate in brackets [. . .] is the zero-crossing.Our present approach avoids using this mechanism of multi-dimensional or
super-dense time, because non-standard index set T is both discrete and dense.Existence of previous instant •t and next instant t• was used in table 1, replacingthe multi-dimensional instants (t, 0) and (t, 1) of [18, 19]. The operator last (x)of SimpleHybrid in particular uses the previous instant •t. Note that thiscomplies in fact with the integration operator that is provided in Simulink:equation (x, lx) = integr(x0, x
′, r) de�nes x to be the integral of signal x withinitial value x0. In this equation, r is a reset condition. Then, lx stands for theinternal state; lx equals x except at instant where a reset occurs. Internal statelx is used to avoid algebraic loops. It corresponds to last (x) in SimpleHybrid.
Of course, if it is still wanted that the discrete time part of our hybrid systemsformalism subsumes synchronous languages in their full generality, then super-dense time in its full extension (31) will be needed. This would in particularallow for having �nite but not necessarily bounded �for� loops when processingzero-crossings, as advocated in [18, 19].
On another aspect, the work [18, 19] is made complicated by the pollutioncaused by issues of smoothness, Lipschitzness, existence and uniqueness of solu-tions, Zenoness, etc. This is particularly evidenced in Section 6 of [18] on �IdealSolver Semantics� and Section 7 of [19] on �Continuous Time Models�.
In our approach � compare Section 6.1 of this paper with the above men-tioned Sections of [18, 19] � those issues are postponed to the very end, afterexecution schemes have been built and when execution is submitted to solvers.They do not disappear from the whole process, but they are, sort of, postponedto run time, as wished in our introduction. Our job, as computer scientists, isnicely isolated and cleanly separated from that of numerical analysts.
10.0.2. The work performed at The Mathworks
The work performed by P. Mosterman and his co-workers at The Math-works [29] is also very interesting, in its attempt to establish the Simulinkmodeler on a solid semantic basis. The authors start by acknowledging theneed for using variable step solvers. The contribution of the paper is to showhow (a restricted class of) variable step solvers can be given a functional streamsemantics [30].
To achieve this, the class of solvers is �rst restricted to those relying onexplicit schemes, as implicit ones cannot be put in explicit functional form.The second di�culty consists in the use of iterative solving in order to on-line adapt the variable step size � see our discussion following equation (6) inSection 3. This mechanism, again, does not have a functional shape since severalsuccessive integrations with di�erent step sizes are compared, for a same timeinterval, in order to select the appropriate step size. [29] proposes to re-cast the
38
above procedure to a functional form by replacing a repeated integration withsmaller step size, by its increment with respect to the previous integration. Ifexplicit schemes are used, then an explicit form for this increment can be foundand added to the previous integration. Observe that this technique requiresusing the mechanism of super-dense time since a same time interval is processedseveral times until adequate step size is found. The same principle can be appliedto the detection of zero-crossings (zc), but this requires using the counterpartof explicit schemes, namely cautious zc detection by slowing down withoutovershoot.
While this indeed provides a hybrid systems modeler with a stream seman-tics, this semantics is extremely complex since it explicits the discretizationmethod � in particular, changing the latter changes the semantics. This ap-proach forbids using implicit schemes, although they are valuable from the nu-merical analysis point of view. We also believe that this method cannot easilysupport the kind of clock con�guration dependent causality analysis such as theone provided by our constructive semantics.
11. Conclusion
We have proposed a novel approach to give a semantics to hybrid systemsmodelers. Our objectives were the following:
• We wanted to keep the choice of integration method for ODEs totally free,as such a choice must be governed by numerical considerations only.
• We wanted that hybrid systems are a conservative extension of discretetime ones.
• We wanted to give semantic support for the following tasks:
� Scheduling the di�erent actions triggered by zero-crossings;
� Safely typing operators that are only de�ned in a discrete time con-text;
� Warning the designer of the risk of lack of di�erentiability for signalssubject to di�erentiation in expressions;
� Rejecting programs with causality circuits (or, at least, providingprecise warning for them); Supporting a causality analysis à la BondGraph;
� Allowing for the use of several local solvers instead of a single, global,one, with the objective of limiting side e�ects between non-interactingsub-systems, due to step size adjustments.
Achieving these objectives was made possible thanks to the use of non-standardanalysis as our semantic domain. The key point is that non-standard semanticsallows cleanly separating the tasks of the computer scientist (answering theabove questions) from that of the numerical analyst (tuning the solvers). Also,
39
we believe that non-standard semantics is not a fancy thing for math addicts.It is rather a very natural way of viewing continuous time and hybrid systemsfrom the syntactic side, as the computer scientist usually likes. While the �rstauthor was aware of non-standard analysis since the mid eighties, it is only thepresentation [15] by Lindstrøm, as reported in [14], that allowed the authors tobecome familiar with the subject.
The next steps, of course, are the study of DAE compliant hybrid systemsmodelers, such as Modelica, with exactly the same objectives.
Acknowledgment
The authors are indebted to Ramine Nikoukhah and Sébastien Furic for de-tailed discussions regarding Modelica and to Daniel Krob and Simon Bliudze forcomments on their work.
References
[1] L. P. Carloni, R. Passerone, A. Pinto, A. L. Sangiovanni-Vincentelli, Lan-guages and tools for hybrid systems design, Foundations and Trends inElectronic Design Automation 1 (1/2).
[2] Ronald C. Rosenberg and Dean C. Karnopp, Introduction to Physical Sys-tem Dynamics, McGraw-Hill, New York, 1983.
[3] Stephen L. Campbell and Jean-Philippe Chancelier and RamineNikoukhah, Modeling and Simulation in Scilab/Scicos, Springer, 2006,ISBN 0-387-27802-8.
[4] M. Naja�, R. Nikoukhah, Modeling Hybrid Automata in Scicos, in: IEEEMulti-conference on Systems and Control, 2007.
[5] G. Berry, Constructive Semantics of Esterel: From Theory to Practice (Ab-stract), in: AMAST '96: Proceedings of the 5th International Conferenceon Algebraic Methodology and Software Technology, Springer-Verlag, Lon-don, UK, 1996, p. 225.
[6] A. Benveniste, B. Caillaud, P. L. Guernic, Compositionality in data�owsynchronous languages: Speci�cation and distributed code generation, Inf.Comput. 163 (1) (2000) 125�171.
[7] A. Benveniste, P. Caspi, S. A. Edwards, N. Halbwachs, P. L. Guernic,R. de Simone, The synchronous languages 12 years later, Proceedings ofthe IEEE 91 (1) (2003) 64�83.
[8] John C. Butcher, Numerical Methods for Ordinary Di�erential Equations,Wiley, 2003, ISBN 0-471-96758-0.
[9] A. Robinson, Non Standard Analysis, Princeton Landmarks in Mathemat-ics, 1996, ISBN 0-691-04490-2.
40
[10] F. Diener and G. Reeb, Analyse non standard, Hermann, 1989.
[11] N. Cutland (ed.), Nonstandard analysis and its applications, CambridgeUniv. Press, 1988.
[12] Y. Iwasaki, A. Farquhar, V. A. Saraswat, D. G. Bobrow, V. Gupta, Mod-eling Time in Hybrid Systems: How Fast Is "Instantaneous"?, in: IJCAI,1995, pp. 1773�1781.
[13] S. Bliudze, D. Krob, Modelling of complex systems: Systems as data�owmachines, Fundam. Inform. 91 (2) (2009) 251�274.
[14] S. Bliudze, Un cadre formel pour l'étude des systèmes industriels complexes:un exemple basé sur l'infrastructure de l'UMTS, Ph.D. thesis, Ecole Poly-technique (2006).
[15] T. Lindstrom, An invitation to non standard analysis, in: N. Cutland (Ed.),Nonstandard analysis and its applications, Cambridge Univ. Press, 1988.
[16] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P.-H. Ho,X. Nicollin, A. Olivero, J. Sifakis, S. Yovine, The algorithmic analysis ofhybrid systems, Theor. Comput. Sci. 138 (1) (1995) 3�34.
[17] A. Agrawal, G. Simon, G. Karsai, Semantic Translation ofSimulink/State�ow Models to Hybrid Automata Using Graph Trans-formations, Electr. Notes Theor. Comput. Sci. 109 (2004) 43�56.
[18] E. A. Lee, H. Zheng, Operational semantics of hybrid systems, in: HSCC,2005, pp. 25�53.
[19] E. A. Lee, H. Zheng, Leveraging synchronous language principles for het-erogeneous modeling and design of embedded systems, in: EMSOFT, 2007,pp. 114�123.
[20] F. Boussinot, Une sémantique du langage Esterel , Tech. Rep. 577, INRIA(1986).
[21] L. Ljung, T. Glad, Modeling of Dynamic Systems, Prentice Hall Informa-tion and System Science Series, 1994.
[22] M. Fliess, J. Lévine, P. Martin, P. Rouchon, Flatness and defect of nonlinearsystems: introductory theory and examples, Int. J. Control 61(6) (1995)1327�1361.
[23] D. Potop-Butucaru, B. Caillaud, A. Benveniste, Concurrency in syn-chronous systems, Formal Methods in System Design 28 (2) (2006) 111�130.
[24] R. Nikoukhah, Personal communication (2007).
[25] J.-L. Colaço, G. Hamon, M. Pouzet, Mixing Signals and Modes in Syn-chronous Data-�ow Systems, in: ACM International Conference on Em-bedded Software (EMSOFT'06), Seoul, South Korea, 2006.
41
[26] A. Benveniste, Compositional and uniform modelling of hybrid systems,IEEE Trans. on Automatic Control 43 (4) (1998) 579�584.
[27] E. A. Lee, A. L. Sangiovanni-Vincentelli, A framework for comparing mod-els of computation, IEEE Trans. on CAD of Integrated Circuits and Sys-tems 17 (12) (1998) 1217�1229.
[28] A. Benveniste, P. L. Guernic, Y. Sorel, M. Sorine, A denotational theoryof synchronous reactive systems, Inf. Comput. 99 (2) (1992) 192�230.
[29] Pieter J. Mosterman and Justyna Zander and Gregoire Hamon and BenDenckla, Towards Computational Hybrid System Semantics for Time-Based Block Diagrams, in: 3rd IFAC Conference on Analysis and Design ofHybrid Systems (ADHS'09), Zaragoza, Spain, 2009, pp. 376�385, keynotepaper.
[30] P. Caspi, M. Pouzet, A co-iterative characterization of synchronous streamfunctions, Electr. Notes Theor. Comput. Sci. 11.
Appendix A. An other Simulink example
We end with an other Simulink example to illustrate possible issues whena continuous signal is used where a discrete signal is expected. Consider theblock-diagram depicted in Figure A.4. The output of signals are plotted on theright part of the �gure. The left part of the diagram generates a periodic signalobtained by integrating the constant 2.0 and reseting it every time the outputreach the value 10.0. It computes the derivative of the signal, sum it in twodi�erent ways and compute the di�erence between these two sums. The sampletime in the block Unit Delay is inferred (set to -1) whereas it is set to 0.1 inUnit Delay1. The integration method has little in�uence on output 5 since thesample time of Unit Delay1 is �xed. Nonetheless, changing this sample time(to 0.01, for example) modi�es the result of output 3! That is, the semanticsof the block Unit Delay depends on a part of the diagram which is only anobserver.
This in�uence may even be caused by a non connected diagram. In Fig-ure A.5, we add an extra block made of a sinusoid and a zero-crossing detection(leaving the sampling time of the block Unit Delay1 unchanged). The thirdoutput has changed. By changing the frequency of the sinusoid � thus changingthe number of zero-crossings � the third output also changes.
Note that Simulink is aware that the semantics of the block Unit Delay
depends on the variable step computed by the numerical solver and a warningis emitted by the compiler. Our purpose is to guaranty statically that suchbad behavior never appear at run-time through a set of precisely de�ned typingrules.
42
Unit Delay1
z
1
Unit Delay
z
1
Scope
Integrator
1s
Derivative
du/dt
Constant1
10
Constant
2.0 FiM
Cont
Cont
Cont
FiM
Cont
FiM
D1
Cont
Cont
Cont
0 2 4 6 8 10 12 14 16 18 200
200
400
600
800
1000
0
20
40
60
0
500
1000
1500
−15
−10
−5
0
5x 10
13
0
2
4
6
8
10
Time offset: 0
Figure A.4: A Simulink example with two delays
43
Unit Delay1
z
1
Unit Delay
z
1
Sine Wave
Scope
Integrator
1s
Hit Crossing
Derivative
du/dt
Constant1
10
Constant
2.0 FiM
Cont
Cont
Cont
FiM
Cont
FiM
D1
Cont
Cont
Cont
Cont FiM
0 2 4 6 8 10 12 14 16 18 200
0.5
1
−1
0
1
0
500
1000
0
1000
2000
0
1000
2000
−2
0
2x 10
14
0
5
10
Time offset: 0
Figure A.5: A Simulink example with two delays and an independent block with zero-crossingdetection 44