Hycomes has been created as a new team of the Rennes — Bretagne Atlantique Inria research center in July 2013. The team builds upon the most promising results of the former S4 team-project and of the Synchronics large scale initiative. Two topics in embedded system design are covered:

Hybrid systems modelling, with applications to the design of multi-physics embedded systems, often referenced as cyber-physical systems;

Contract-based design and interface theories, with applications to requirements engineering in the context of safety-critical systems design.

Systems industries today make extensive use of mathematical modeling tools to design computer-controlled physical systems. This class of tools addresses the modeling of physical systems with models that are simpler than usual scientific computing problems, using only Ordinary Differential Equations (ODE) and Difference Equations, not Partial Differential Equations (PDE). This family of tools first emerged in the 1980s with SystemBuild by MatrixX (now distributed by National Instruments), soon followed by Simulink by Mathworks, with an impressive subsequent development.

In the early 90's control scientists from the University of Lund (Sweden) realized that the above approach did not support component-based modeling of physical systems with reuse

Although these tools are now widely used by a large number of engineers, they raise a number of technical difficulties. The meaning of some programs, their mathematical semantics, can be tainted with uncertainty. A main source of difficulty lies in the failure to properly handle the discrete and the continuous parts of systems, and their interaction. How should the propagation of mode changes and resets be handled? How can one avoid artifacts due to the use of a global ODE solver causing unwanted coupling between seemingly non-interacting subsystems? Also, the mixed use of an equational style for the continuous dynamics with an imperative style for the mode changes and resets is a source of difficulty when handling parallel composition. It is therefore not uncommon for tools to return complex warnings for programs, with many different suggested hints for fixing them. Yet, these “pathological” programs can still be executed, if so desired, giving surprising results — see for instance the Simulink examples in , and .

Indeed, this area suffers from the same difficulties that led to the development of the theory of synchronous languages as an effort to fix obscure compilation schemes for discrete-time equation-based languages in the 1980s. Our vision is that hybrid systems modeling tools deserve the same kind of theoretical effort that synchronous languages received for the programming of embedded systems.

Non-standard analysis plays a central role in our research on hybrid systems modeling , , , . The following text provides a brief summary of this theory and gives some hints on its usefulness in the context of hybrid systems modeling. This presentation is based on our paper , a chapter of Simon Bliudze's PhD thesis , and a recent presentation of non-standard analysis, not axiomatic in style, due to the mathematician Lindstrøm .

Non-standard numbers allowed us to reconsider the semantics of hybrid systems and propose a radical alternative to the *super-dense time semantics* developed by Edward Lee and his team as part of the Ptolemy II project, where cascades of successive instants can occur in zero time, by using *infinitesimals* and *non-standard integers*. Note that *non-standard semantics* provides a framework that is familiar to the computer scientist and at the same time efficient as a symbolic abstraction. This makes it an excellent candidate for the development of provably correct compilation schemes and type systems for hybrid systems modeling languages.

Non-standard analysis was proposed by Abraham Robinson in the 1960s to allow the explicit manipulation of “infinitesimals” in analysis , , . Robinson's approach is axiomatic; he proposes adding three new axioms to the basic Zermelo-Fraenkel (ZFC) framework. There has been much debate in the mathematical community as to whether it is worth considering non-standard analysis instead of staying with the traditional one. We do not enter this debate. The important thing for us is that non-standard analysis allows the use of the non-standard discretization of continuous dynamics “as if” it was operational.

Not surprisingly, such an idea is not new. Iwasaki et al. first proposed using non-standard analysis to discuss the nature of time in hybrid systems. Bliudze and Krob , have also used non-standard analysis as a mathematical support for defining a system theory for hybrid systems. They discuss in detail the notion of “system” and investigate computability issues. The formalization they propose closely follows that of Turing machines, with a memory tape and a control mechanism.

The introduction to non-standard analysis in is very
pleasant and we take the liberty to borrow it. This presentation was
originally due to Lindstrøm, see . Its interest is that it
does not require any fancy axiomatic material but only makes use of
the axiom of choice — actually a weaker form of it. The proposed
construction bears some resemblance to the construction of

System companies such as automotive and aeronautic companies are facing significant difficulties due to the exponentially rising complexity of their products, coupled with increasingly tight demands on functionality, correctness, and time-to-market. The cost of being late to market or of imperfections in the products is staggering, as witnessed by the recalls and delivery delays that many major car and airplane manufacturers have had to bear in recent years. The specific root causes of these design problems are complex and relate to a number of issues, ranging from design processes and relationships between different departments of the same company and with suppliers, to incomplete requirement specification and testing.

We believe the most promising means to address the challenges in systems engineering is to employ structured and formal design methodologies that seamlessly and coherently combine the various viewpoints of the design space (behavior, space, time, energy, reliability, ...), that provide the appropriate abstractions to manage the inherent complexity, and that can provide correct-by-construction implementations. The following technology issues must be addressed when developing new approaches to the design of complex systems:

The overall design flows for heterogeneous systems and the associated use of models across traditional boundaries are not well developed and understood. Relationships between different teams inside the same company, or between different stakeholders in the supply chain, are not well supported by solid technical descriptions of the mutual obligations.

System requirements capture and analysis is in large part a heuristic process, where the informal text and natural language-based techniques in use today are facing significant challenges. Formal requirements engineering is in its infancy: mathematical models, formal analysis techniques and links to system implementation must be developed.

Dealing with variability, uncertainty, and life-cycle issues, such as the extensibility of a product family, is not well addressed by available systems engineering methodologies and tools.

The challenge is to address the entire process and not to consider only local solutions of methodology, tools, and models that ease part of the design.

*Contract-based design* has been proposed as a new approach to the system design problem that is rigorous and effective in dealing with the problems and challenges described above, and that, at the same time, does not require a radical change in the way industrial designers carry out their task, as it cuts across design flows of different types. Indeed, contracts can be used almost everywhere and at nearly all stages of system design, from early requirements capture to embedded computing infrastructure and detailed design involving circuits and other hardware. Contracts explicitly handle pairs of properties, respectively representing the assumptions on the environment and the guarantees of the system under these assumptions. Intuitively, a contract is a pair

Mathematical foundations for interfaces and requirements engineering that enable the design of frameworks and tools;

A system engineering framework and associated methodologies and tool sets that focus on system requirements modeling, contract specification, and verification at multiple abstraction layers.

A detailed bibliography on contract and interface theories for embedded system design can be found in . In a nutshell, contract and interface theories fall into two main categories:

By explicitly relying on the notions of assumptions and guarantees, A/G-contracts are intuitive, which makes them appealing to the engineer. In A/G-contracts, assumptions and guarantees are just properties regarding the behavior of a component and of its environment. The typical case is when these properties are formal languages or sets of traces, which includes the class of safety properties , , , , . Contract theories were initially developed as specification formalisms able to refuse some inputs from the environment . A/G-contracts were advocated by the Speeds project . They were further experimented with in the framework of the CESAR project , with the additional consideration of *weak* and *strong* assumptions. This is still a very active research topic, with several recent contributions dealing with the timed and probabilistic , viewpoints in system design, and even mixed-analog circuit design .

Interfaces combine assumptions and guarantees in a single, automata-theoretic specification. Most interface theories are based on Lynch's Input/Output Automata , . Interface Automata , , , focus primarily on parallel composition and compatibility: two interfaces can be composed and are compatible if there is at least one environment in which they can work together. The idea is that the resulting composition exposes, as an interface, the information needed to ensure that incompatible pairs of states cannot be reached. This is achieved by allowing an Interface Automaton to refuse selected inputs from the environment in a given state, which amounts to the implicit assumption that the environment will never produce any of the refused inputs while the interface is in this state. Modal Interfaces inherit from both Interface Automata and the originally unrelated notion of Modal Transition System , , , . Modal Interfaces are strictly more expressive than Interface Automata, as they decouple the I/O orientation of an event from its deontic modality (mandatory, allowed or forbidden). Informally, a *must* transition is available in every component that realizes the modal interface, while a *may* transition need not be. Research on interface theories is still very active. For instance, timed , , , , , , probabilistic , and energy-aware interface theories have been proposed recently.
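The must/may distinction above becomes concrete through modal refinement, the relation under which an implementation (one with no optional transitions left, may = must) realizes a modal interface. The block below is an added example, not Mica or any other code from the report; the request/acknowledge server interface, its state names, action labels and candidate implementations are constructed for illustration.

```python
class ModalInterface:
    """Finite modal interface: may/must transitions (source, action, target).

    Actions carry the usual I/O orientation as a suffix, '?' for inputs and
    '!' for outputs; the refinement check treats it as part of the label.
    Every must transition is also a may transition (consistency).
    """

    def __init__(self, init, must, may=()):
        self.init = init
        self.must = frozenset(must)
        self.may = frozenset(may) | self.must
        self.states = frozenset({init} | {s for s, _, _ in self.may} | {t for _, _, t in self.may})

    def is_implementation(self):
        """An implementation has no optional behavior left: may == must."""
        return self.may == self.must

    def targets(self, rel, src, act):
        return {t for s, a, t in rel if s == src and a == act}


def modal_refines(lower, upper):
    """Modal refinement lower ≤ upper, computed as a greatest fixpoint.

    A pair (s, t) survives when every must transition of t is matched by a
    must transition of s, and every may transition of s is allowed by a may
    transition of t, with related targets in both cases.
    """
    rel = {(s, t) for s in lower.states for t in upper.states}
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            musts_ok = all(
                any((s2, t2) in rel for s2 in lower.targets(lower.must, s, a))
                for t1, a, t2 in upper.must if t1 == t)
            mays_ok = all(
                any((s2, t2) in rel for t2 in upper.targets(upper.may, t, a))
                for s1, a, s2 in lower.may if s1 == s)
            if not (musts_ok and mays_ok):
                rel.discard((s, t))
                changed = True
    return (lower.init, upper.init) in rel


def realizes(impl, interface):
    """An implementation realizes an interface exactly when it refines it."""
    return impl.is_implementation() and modal_refines(impl, interface)


# Constructed interface of a server: a request must be accepted, an
# acknowledgement must follow, and logging in between is optional.
SERVER = ModalInterface(
    "idle",
    must={("idle", "req?", "busy"), ("busy", "ack!", "idle")},
    may={("busy", "log!", "busy")},
)

# Constructed candidate implementations (may == must in each).
QUIET = ModalInterface("q0", must={("q0", "req?", "q1"), ("q1", "ack!", "q0")})
LOGGING = ModalInterface("l0", must={("l0", "req?", "l1"), ("l1", "log!", "l1"),
                                     ("l1", "ack!", "l0")})
# Acknowledges without a request: a may transition the interface forbids.
CHATTY = ModalInterface("c0", must={("c0", "req?", "c1"), ("c1", "ack!", "c0"),
                                    ("c0", "ack!", "c0")})
# Accepts requests but never acknowledges: a must transition is missing.
SILENT = ModalInterface("s0", must={("s0", "req?", "s1")})


def check_examples():
    candidates = (("quiet", QUIET), ("logging", LOGGING), ("chatty", CHATTY), ("silent", SILENT))
    return {name: realizes(m, SERVER) for name, m in candidates}


if __name__ == "__main__":
    for name, ok in check_examples().items():
        print(f"{name} realizes SERVER: {ok}")
```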

Requirements Engineering is one of the major concerns in large systems industries today, particularly so in sectors where certification prevails . DOORS projects collecting requirements are poorly structured and cannot be considered a formal modeling framework today. They are nothing more than informal documentation enriched with hyperlinks. As examples, medium-size sub-systems may have a few thousand requirements, and the Rafale fighter aircraft has more than 250,000 of them. For the Boeing 787, requirements were not stable while subcontractors were developing the fly-by-wire and landing gear subsystems.

We see Contract-Based Design and Interfaces Theories as innovative tools in support of Requirements Engineering. The Software Engineering community has extensively covered several aspects of Requirements Engineering, in particular:

the development and use of large and rich *ontologies*; and

the use of Model Driven Engineering technology for the structural aspects of requirements and resulting hyperlinks (to tests, documentation, PLM, architecture, and so on).

Behavioral models and properties, however, are not properly encompassed by the above approaches. This is the cause of a remaining gap between this phase of systems design and later phases where formal model based methods involving behavior have become prevalent—see the success of Matlab/Simulink/Scade technologies. We believe that our work on contract based design and interface theories is best suited to bridge this gap.

Academic research and industry are currently witnessing several major revolutions: *Cyber-Physical Systems* (CPS), *Big Data* and *Cloud Computing*, just to name a few. The Hycomes team is focused on CPS, and more precisely on CPS modeling, with two targeted applications: the rigorous design of CPS and the optimal exploitation of CPS. Although many engineers believe that *systems have become too complex to be modeled faithfully*, the Hycomes team defends the opposite idea. We believe in the benefits of modeling, but acknowledge that the communities of researchers and tool developers are in part responsible for this distrust. The steep increase in the complexity of systems (e.g., public transportation systems, electric power grids) and of their models comes from composing smaller subsystems into complex architectures. As a matter of fact, these architectures are sparse, and subsystem interactions are confined to their immediate neighborhoods. Thus, the dimension (number of state variables) of a system is not the most appropriate characterization of its complexity. It is rather the structure of a system and the combinatorics of its modes of operation that encapsulate its complexity.

The main objective of the Hycomes team is to advance modeling technologies (languages, compile-time analyses, simulation techniques) for CPS combining physical interactions, communication layers and software components. We believe that mastering CPS comprising thousands to millions of components requires radical changes of paradigm. For instance, modeling techniques must be revised, especially when physics is involved. Modeling languages must be enhanced to cope with larger models. This can only be done by combining new **compilation** techniques (to master the structural complexity of models) with new **mathematical** tools (new numerical methods, in particular). We identify below the different axes we want to tackle.

Modelica is a component-based modeling language initially designed for the modeling of multi-physics systems. The mathematical paradigm underlying Modelica is known as *Differential Algebraic Equations* (DAE). The key challenge is to be able to combine algebraic constraints, resulting from the laws of physics, with the nonsmooth behavior of some physical phenomena (e.g., impact laws), the multiple modes of operation of the system, and the intrinsically discrete behavior of software components. In essence, Modelica is based on the concept of multi-mode DAE, so that models can switch from one behavior to another when an event occurs, typically the crossing of a threshold. This approach is paramount to the modeling of large CPS. For instance, EDF has done a thorough modeling of the electric power grid of the Reunion island

The emergence of the FMI
standard

Many physical science engineers (mechanical, electrical, aeronautic, ...) develop models with the sole objective of simulating them, while it is known that models can be used for a variety of tasks, all contributing towards the safe design and operation of a CPS: validating a design model against a set of requirements, assessing the robustness of a model, testing implementations against a design model, performing state estimation during system operation, just to name a few.

Early stages of CPS design usually consist of the elicitation of system-level requirements that will be used later on to design detailed models that can be simulated. Most often, the design tasks are split among several suppliers. This calls for precise requirements to be passed to them, so that, as far as feasible, suppliers can work independently. Some of the requirements specify the allowed behavior of the sub-system to be designed, while others specify the assumed behavior of the sub-system's environment.

During operation of a CPS, maintenance tasks play an ever-increasing role, to minimize the downtime of the system and to maintain an extremely low probability of occurrence of catastrophic failures. *Diagnosis* makes it possible to replace some routine inspections or precautionary replacements of critical parts (usually triggered by the number of hours of operation, or by the calendar) with fewer maintenance operations, triggered by the estimated wear or aging of those parts. This helps to reduce immobilization times and maintenance costs. Design models could be reused to help the development of diagnosis software that triggers maintenance operations based on the output of *parity check* algorithms , capable of detecting slow or sudden changes of some parameters. Reusing design models in this context would be a genuine innovation, in comparison with the established practice, where diagnosis is designed by hand, from scratch.

Because of severe complexity or undecidability problems, CPS formal verification can be done only on partial and simplified models. When applicable, these techniques usefully complement simulations. Despite the high level of expertise it requires, formal verification brings a level of confidence in the analyses that cannot be matched by simulation. Using formal verification makes sense only for the most critical parts of a CPS. A fine example is the formal correctness proof of a new generation of aircraft collision avoidance system, the ACAS-X . This proof has facilitated the certification of this system, according to the established aeronautic standards (DO-178C

Team members have made a significant step towards the definition of a formal semantics of multimode DAE systems, their structural analysis and the generation of simulation code. In particular, impulsive behavior at mode changes is handled correctly (see Section for full details). This semantics has been implemented, in part, in the SunDAE prototype software (Section ).

Structural analysis tool for multimode DAE systems

Functional Description

SunDAE is a multimode DAE (mDAE) structural analysis tool. For each mode of an mDAE system, the structural differentiation index is determined, impulse analysis is performed and a BTF scheduling of the equations is computed. The input language consists of guarded equations. The output is a state machine whose states define continuous-time dynamics and whose transitions define resets; both are defined by scheduled blocks of equations. SunDAE has been developed since 2016 by the Hycomes team and is distributed as open-source software, under the CeCILL Free Software Licensing Agreement.

Contact: Benoit Caillaud

Test & Flip Net Synthesis Tool for the Inference of Technical Procedure Models

Functional Description

Flipflop is a Test and Flip net synthesis tool implementing a linear-algebraic polynomial-time algorithm. Computations are done in the ring Z/2Z. Test and Flip nets extend Elementary Net Systems by allowing test-to-zero, test-to-one and flip arcs. The effect of a flip arc is to complement the marking of the place. While the net synthesis problem has been proved NP-hard for Elementary Net Systems, thanks to flip arcs the synthesis of Test and Flip nets can be done in polynomial time. Test and Flip nets have the expressivity required to give concise and accurate representations of surgical processes (models of types of surgical operations). Test and Flip nets can express causality and conflict relations. The tool takes as input either standard XES log files (a standard XML file format for process mining tools) or a specific XML file format for surgical applications. The output is a Test and Flip net, solution of the following synthesis problem: given a finite input language (log file), compute a net whose language is the least language, in the class of Test and Flip net languages, containing the input language.

Contact: Benoit Caillaud

Model Interface Compositional Analysis Library

Keywords: Modal interfaces - Contract-based design

Scientific Description

In Mica, systems and interfaces are represented extensionally. However, a careful design of the state and event heap enables the definition, composition and analysis of reasonably large systems and interfaces. The heap stores states and events in a hash table and ensures structural equality (there is no duplication). Therefore complex data structures for states and events induce a very low overhead, as checking equality is done in constant time.

Thanks to the Inter module and the mica interactive environment, users can define complex systems and interfaces using OCaml syntax. It is even possible to define parameterized components as OCaml functions.

Functional Description

Mica is an OCaml library implementing the Modal Interface algebra. The purpose of Modal Interfaces is to provide formal support to contract-based design methods in the field of system engineering. Modal Interfaces enable compositional reasoning methods on I/O reactive systems.

Participant: Benoit Caillaud

Contact: Benoit Caillaud

Differential Algebraic Equation (DAE) systems constitute the mathematical model supporting physical modeling languages such as Modelica or Simscape. Unlike Ordinary Differential Equations (ODEs), they exhibit subtle issues because of their implicit *latent equations* and the related *differentiation index*. Multi-mode DAE (mDAE) systems are much harder to deal with, not only because of their mode-dependent dynamics, but essentially because of the events and resets occurring at mode transitions. Unfortunately, the large literature devoted to the numerical analysis of DAEs does not cover the multi-mode case; it typically says nothing about mode changes. This lack of foundations causes numerous difficulties for the existing modeling tools: some models are well handled, others are not, with no clear boundary between the two classes. In , we develop a comprehensive mathematical approach to the *structural analysis* of mDAE systems which properly extends the usual analysis of DAE systems. We define a constructive semantics based on nonstandard analysis and show how to produce execution schemes in a systematic way. This work has been accepted for presentation at the HSCC 2017 conference in April 2017.

The *Next-Generation Airborne Collision Avoidance System* (ACAS X) is intended to be installed on all
large aircraft to give advice to pilots and prevent mid-air collisions with other aircraft.
It is currently being developed by the Federal Aviation Administration (FAA).
In , we determine the geometric configurations under which
the advice given by ACAS X is safe under a precise set of assumptions and formally verify these configurations using hybrid systems theorem
proving techniques. We consider subsequent advisories and show how to adapt our formal verification to take them into account.
We examine the current version of the real ACAS X system and discuss some cases
where our safety theorem conflicts with the actual advisory given by that
version, demonstrating how formal hybrid systems proving approaches are helping to ensure the
safety of ACAS X. Our approach is general and could also be used to identify unsafe
advice issued by other collision avoidance systems or confirm their safety.

Chattering is a fundamental phenomenon that is unique to hybrid systems, due to the complex interaction between discrete dynamics (in the form of discrete transitions) and continuous dynamics (in the form of time). In practice, simulating chattering hybrid systems is challenging in that simulation effectively halts near the chattering time point, as an infinite number of discrete transitions would need to be simulated. In , formal conditions are provided for when the simulated models of hybrid systems display chattering behavior, and methods are proposed for avoiding chattering "on the fly" at runtime. We utilize dynamical behavior analysis to derive conditions for detecting chattering without enumeration of modes. We also present a new iterative algorithm to allow solutions to be carried past the chattering point, and we show by a prototypical implementation how to generate the equivalent chattering-free dynamics internally by the simulator in the main simulation loop.

Ayman Aljarbouh's PhD is partially funded by an ARED grant of the Brittany Regional Council. His doctoral work took place in the context of the Modrio (completed in 2016) and Sys2Soft (completed in 2015) projects on hybrid systems modeling. Ayman Aljarbouh is working on accelerated simulation techniques for hybrid systems. In particular, he is focusing on the regularisation, at runtime, of chattering behaviour and the approximation of Zeno behaviour.

Benoît Caillaud and Aurélien Lamercerie are participating in the S3PM and SUNSET projects of the CominLabs excellence laboratory

Program: ITEA2

Project acronym: Modrio

Project title: Model Driven Physical Systems Operation

Duration: September 2012 – May 2016

Coordinator: EDF (France)

Other partners: ABB (Sweden), Ampère Laboratory / CNRS (France), Bielefeld University (Germany), Dassault Systèmes (Sweden), Dassault Aviation (France), DLR (Germany), DPS (France), EADS (France), Equa Simulation (Sweden), IFP (France), ITI (Germany), Ilmenau University (Germany), Katholic University of Leuven (Belgium), Knorr-Bremse (Germany), LMS (France and Belgium), Linköping University (Sweden), MathCore (Sweden), Modelon (Sweden), Pöry (Finland), Qtronic (Germany), SICS (Sweden), Scania (Sweden), Semantum (Finland), Sherpa Engineering (France), Siemens (Germany and Sweden), Simpack (Germany), SKF (Sweden), Supmeca (France), Triphase (Belgium), University of Calabria (Italy), VTT (Finland), Vattenfall (Sweden), Wapice (Finland).

Abstract: Modelling and simulation are efficient and widely used tools for system design. But they are seldom used for systems operation. However, most functionalities for system design are beneficial for system operation, provided that they are enhanced to deal with real operating situations. Through open standards, the benefits of sharing compatible information and data become obvious: improved cooperation between the design and operation communities, and easier adaptation of operation procedures with respect to design evolutions. Open standards also foster general-purpose technology. The objective of the ITEA 2 MODRIO project is to extend modelling and simulation tools based on open standards from system design to system operation.

Benoît Caillaud has served on the program committee of ACSD 2016 (http://

Benoît Caillaud has reviewed papers submitted to the ACSD 2016 and ACC 2016 conferences.

Khalil Ghorbal reviewed two regular research papers for the Hybrid Systems: Computation and Control Conference.

Khalil Ghorbal reviewed two journal papers for the IEEE Transactions on Automatic Control.

Khalil Ghorbal reviewed a journal paper for the Computer Journal (Oxford Journals, Science and Mathematics).

Khalil Ghorbal reviewed a journal paper for the Information and Computation journal (Elsevier).

Benoît Caillaud has given an invited talk on *Time Domains in Hybrid Systems Modeling* at the SHARC 2016 workshop and ALROB meeting that took place in Brest in June 2016 (http://

On May 13, 2016, Khalil Ghorbal gave an invited talk about invariant generation for polynomial ordinary differential equations at the Effective Algebraic Geometry Seminar, IRMAR, Rennes, France.

On May 23, 2016, Ayman Aljarbouh presented a talk at the Embassy of Sweden in Tokyo for the first Japanese Modelica Conference (MODELICA2016), May 23-24, 2016, Tokyo, Japan.

In July 2016, Ayman Aljarbouh presented a poster during the French-American Doctoral Exchange Seminar (FADEx) 2016: Systèmes Cyber-Physiques, July 04-08, 2016, Grenoble, France.

From November 5 to 12, Albert Benveniste was invited to the Systems Research Center, a center of excellence of the University of Maryland at College Park, USA.

Benoît Caillaud is head of the *Languages and Software
Engineering* department of IRISA
(http://

Master : Benoît Caillaud is teaching, with Marc Pouzet, a first-year master's course on *hybrid systems modeling*. The course is open to students registered in the computer science research and innovation curriculum of the University of Rennes 1 and ENS Rennes, France.

Master : Khalil Ghorbal was "Chargé de TD" (20h Eq TD) for the "Analyse et Conception Formelles" module, open to students registered in the computer science master's degree of the University of Rennes 1 and ENS Rennes, France.

PhD in progress : Ayman Aljarbouh, *Accelerated Simulation of Hybrid Systems*, started January 2014, supervised by Benoît Caillaud. Ayman Aljarbouh is expected to defend his PhD in March 2017.

Khalil Ghorbal was a reviewer on the PhD defense committee of Sameh Mohamed, "Une Méthode Topologique pour la Recherche d'Ensembles Invariants de Systèmes Continus et à Commutation", defended on October 17, 2016, Univ. Paris Saclay (ENS Cachan).