Hycomes is a team of the Rennes — Bretagne Atlantique Inria research center since July 2013. The team builds upon the most promising results of the former S4 team-project and of the Synchronics large scale initiative. Two topics in cyber-physical systems design are covered:
Hybrid systems modelling, with an emphasis on the design of modelling languages in which software systems, in interaction with a complex physical environment, can be modelled, simulated and verified. A special attention is paid to the mathematical rigorous semantics of these languages, and to the correctness (wrt. such semantics) of the simulations and of the static analyses that must be performed during compilation. The Modelica language is the main application field. The team aims at contributing language extensions facilitating the modelling of physical domains which are poorly supported by the Modelica language. The Hycomes team is also designing new structural analysis methods for hybrid (aka. multi-mode) Modelica models. New simulation and verification techniques for large Modelica models are also in the scope of the team.
Contract-based design and interface theories, with applications to requirements engineering in the context of safety-critical systems design.
Systems industries today make extensive use of mathematical modeling tools to design computer controlled physical systems. This class of tools addresses the modeling of physical systems with models that are simpler than usual scientific computing problems by using only Ordinary Differential Equations (ODE) and Difference Equations but not Partial Differential Equations (PDE). This family of tools first emerged in the 1980's with SystemBuild by MatrixX (now distributed by National Instruments) followed soon by Simulink by Mathworks, with an impressive subsequent development.
In the early 90's control scientists from the University of Lund
(Sweden) realized that the above approach did not support component
based modeling of physical systems with
reuse
Despite these tools are now widely used by a number of engineers, they raise a number of technical difficulties. The meaning of some programs, their mathematical semantics, can be tainted with uncertainty. A main source of difficulty lies in the failure to properly handle the discrete and the continuous parts of systems, and their interaction. How the propagation of mode changes and resets should be handled? How to avoid artifacts due to the use of a global ODE solver causing unwanted coupling between seemingly non interacting subsystems? Also, the mixed use of an equational style for the continuous dynamics with an imperative style for the mode changes and resets is a source of difficulty when handling parallel composition. It is therefore not uncommon that tools return complex warnings for programs with many different suggested hints for fixing them. Yet, these “pathological” programs can still be executed, if wanted so, giving surprising results — See for instance the Simulink examples in , and .
Indeed this area suffers from the same difficulties that led to the development of the theory of synchronous languages as an effort to fix obscure compilation schemes for discrete time equation based languages in the 1980's. Our vision is that hybrid systems modeling tools deserve similar efforts in theory as synchronous languages did for the programming of embedded systems.
Non-Standard analysis plays a central role in our research on hybrid systems modeling , , , . The following text provides a brief summary of this theory and gives some hints on its usefulness in the context of hybrid systems modeling. This presentation is based on our paper , a chapter of Simon Bliudze's PhD thesis , and a recent presentation of non-standard analysis, not axiomatic in style, due to the mathematician Lindström .
Non-standard numbers allowed us to reconsider the semantics of hybrid
systems and propose a radical alternative to the super-dense
time semantics developed by Edward Lee and his team as part of the
Ptolemy II project, where cascades of successive instants can occur in
zero time by using
Non-standard analysis was proposed by Abraham Robinson in the 1960s to allow the explicit manipulation of “infinitesimals” in analysis , , . Robinson's approach is axiomatic; he proposes adding three new axioms to the basic Zermelo-Fraenkel (ZFC) framework. There has been much debate in the mathematical community as to whether it is worth considering non-standard analysis instead of staying with the traditional one. We do not enter this debate. The important thing for us is that non-standard analysis allows the use of the non-standard discretization of continuous dynamics “as if” it was operational.
Not surprisingly, such an idea is quite ancient. Iwasaki et al. first proposed using non-standard analysis to discuss the nature of time in hybrid systems. Bliudze and Krob , have also used non-standard analysis as a mathematical support for defining a system theory for hybrid systems. They discuss in detail the notion of “system” and investigate computability issues. The formalization they propose closely follows that of Turing machines, with a memory tape and a control mechanism.
System companies such as automotive and aeronautic companies are facing significant difficulties due to the exponentially raising complexity of their products coupled with increasingly tight demands on functionality, correctness, and time-to-market. The cost of being late to market or of imperfections in the products is staggering as witnessed by the recent recalls and delivery delays that many major car and airplane manufacturers had to bear in the recent years. The specific root causes of these design problems are complex and relate to a number of issues ranging from design processes and relationships with different departments of the same company and with suppliers, to incomplete requirement specification and testing.
We believe the most promising means to address the challenges in systems engineering is to employ structured and formal design methodologies that seamlessly and coherently combine the various viewpoints of the design space (behavior, space, time, energy, reliability, ...), that provide the appropriate abstractions to manage the inherent complexity, and that can provide correct-by-construction implementations. The following technology issues must be addressed when developing new approaches to the design of complex systems:
The overall design flows for heterogeneous systems and the associated use of models across traditional boundaries are not well developed and understood. Relationships between different teams inside a same company, or between different stake-holders in the supplier chain, are not well supported by solid technical descriptions for the mutual obligations.
System requirements capture and analysis is in large part a heuristic process, where the informal text and natural language-based techniques in use today are facing significant challenges. Formal requirements engineering is in its infancy: mathematical models, formal analysis techniques and links to system implementation must be developed.
Dealing with variability, uncertainty, and life-cycle issues, such as extensibility of a product family, are not well-addressed using available systems engineering methodologies and tools.
The challenge is to address the entire process and not to consider only local solutions of methodology, tools, and models that ease part of the design.
Contract-based design has been proposed as a new approach to
the system design problem that is rigorous and effective in dealing
with the problems and challenges described before, and that, at the
same time, does not require a radical change in the way industrial
designers carry out their task as it cuts across design flows of
different type.
Indeed, contracts can be used almost everywhere and at nearly all
stages of system design, from early requirements capture, to embedded
computing infrastructure and detailed design involving circuits and
other hardware. Contracts explicitly handle pairs of properties,
respectively representing the assumptions on the environment and the
guarantees of the system under these assumptions. Intuitively, a
contract is a pair
Mathematical foundations for interfaces and requirements engineering that enable the design of frameworks and tools;
A system engineering framework and associated methodologies and tool sets that focus on system requirements modeling, contract specification, and verification at multiple abstraction layers.
A detailed bibliography on contract and interface theories for embedded system design can be found in . In a nutshell, contract and interface theories fall into two main categories:
By explicitly relying on the notions of assumptions and guarantees, A/G-contracts are intuitive, which makes them appealing for the engineer. In A/G-contracts, assumptions and guarantees are just properties regarding the behavior of a component and of its environment. The typical case is when these properties are formal languages or sets of traces, which includes the class of safety properties , , , , . Contract theories were initially developed as specification formalisms able to refuse some inputs from the environment . A/G-contracts were advocated by the Speeds project . They were further experimented in the framework of the CESAR project , with the additional consideration of weak and strong assumptions. This is still a very active research topic, with several recent contributions dealing with the timed and probabilistic , viewpoints in system design, and even mixed-analog circuit design .
Interfaces combine assumptions and guarantees in a single, automata theoretic specification. Most interface theories are based on Lynch Input/Output Automata , . Interface Automata , , , focus primarily on parallel composition and compatibility: Two interfaces can be composed and are compatible if there is at least one environment where they can work together. The idea is that the resulting composition exposes as an interface the needed information to ensure that incompatible pairs of states cannot be reached. This can be achieved by using the possibility, for an Interface Automaton, to refuse selected inputs from the environment in a given state, which amounts to the implicit assumption that the environment will never produce any of the refused inputs, when the interface is in this state. Modal Interfaces inherit from both Interface Automata and the originally unrelated notion of Modal Transition System , , , . Modal Interfaces are strictly more expressive than Interface Automata by decoupling the I/O orientation of an event and its deontic modalities (mandatory, allowed or forbidden). Informally, a must transition is available in every component that realizes the modal interface, while a may transition needs not be. Research on interface theories is still very active. For instance, timed , , , , , , probabilistic , and energy-aware interface theories have been proposed recently.
Requirements Engineering is one of the major concerns in large systems industries today, particularly so in sectors where certification prevails . DOORS projects collecting requirements are poorly structured and cannot be considered a formal modeling framework today. They are nothing more than an informal documentation enriched with hyperlinks. As examples, medium size sub-systems may have a few thousands requirements and the Rafale fighter aircraft has above 250,000 of them. For the Boeing 787, requirements were not stable while subcontractors performed the development of the fly-by-wire and of the landing gear subsystems.
We see Contract-Based Design and Interfaces Theories as innovative tools in support of Requirements Engineering. The Software Engineering community has extensively covered several aspects of Requirements Engineering, in particular:
the development and use of large and rich ontologies; and
the use of Model Driven Engineering technology for the structural aspects of requirements and resulting hyperlinks (to tests, documentation, PLM, architecture, and so on).
Behavioral models and properties, however, are not properly encompassed by the above approaches. This is the cause of a remaining gap between this phase of systems design and later phases where formal model based methods involving behavior have become prevalent—see the success of Matlab/Simulink/Scade technologies. We believe that our work on contract based design and interface theories is best suited to bridge this gap.
Demodocos (Examples to Generic Scenario Models Generator)
Keywords: Surgical process modelling - Net synthesis - Process mining
Scientific Description: Demodocos is used to construct a Test and Flip net (Petri net variant) from a collection of instances of a given procedure. The tool takes as input either standard XES log files (a standard XML file format for process mining tools) or a specific XML file format for surgical applications. The result is a Test and Flip net and its marking graph. The tool can also build a #SEVEN scenario for integration into a virtual reality environment. The scenario obtained corresponds to the generalization of the input instances, namely the instances synthesis enriched with new behaviors respecting the relations of causality, conflicts and competition observed.
Demodocos is a synthesis tool implementing a linear algebraic polynomial time algorithm. Computations are done in the Z/2Z ring. Test and Flip nets extend Elementary Net Systems by allowing test to zero, test to one and flip arcs. The effect of flip arcs is to complement the marking of the place. While the net synthesis problem has been proved to be NP hard for Elementary Net Systems, thanks to flip arcs, the synthesis of Test and Flip nets can be done in polynomial time. Test and flip nets have the required expressivity to give concise and accurate representations of surgical processes (models of types of surgical operations). Test and Flip nets can express causality and conflict relations. The tool takes as input either standard XES log files (a standard XML file format for process mining tools) or a specific XML file format for surgical applications. The output is a Test and Flip net, solution of the following synthesis problem: Given a finite input language (log file), compute a net, which language is the least language in the class of Test and Flip net languages, containing the input language.
Functional Description: The tool Demodocos allows to build a generic model for a given procedure from some examples of instances of this procedure. The generated model can take the form of a graph, a Test 'n Flip net or a SEVEN scenario (intended for integration into a virtual reality environment).
The classic use of the tool is to apply the summary operation to a set of files describing instances of the target procedure. Several file formats are supported, including the standard XES format for log events. As output, several files are generated. These files represent the generic procedure in different forms, responding to varied uses.
This application is of limited interest in the case of an isolated use, out of context and without a specific objective when using the model generated. It was developed as part of a research project focusing in particular on surgical procedures, and requiring the generation of a generic model for integration into a virtual reality training environment. It is also quite possible to apply the same method in another context.
Participants: Aurélien Lamercerie and Benoît Caillaud
Contact: Benoît Caillaud
Publication: Surgical Process Mining with Test and Flip Net Synthesis
Model Interface Compositional Analysis Library
Keywords: Modal interfaces - Contract-based desing
Scientific Description: In Mica, systems and interfaces are represented by extension. However, a careful design of the state and event heap enables the definition, composition and analysis of reasonably large systems and interfaces. The heap stores states and events in a hash table and ensures structural equality (there is no duplication). Therefore complex data-structures for states and events induce a very low overhead, as checking equality is done in constant time.
Thanks to the Inter module and the mica interactive environment, users can define complex systems and interfaces using Ocaml syntax. It is even possible to define parameterized components as Ocaml functions.
Functional Description: Mica is an Ocaml library implementing the Modal Interface algebra. The purpose of Modal Interfaces is to provide a formal support to contract based design methods in the field of system engineering. Modal Interfaces enable compositional reasoning methods on I/O reactive systems.
Participant: Benoît Caillaud
Contact: Benoît Caillaud
Functional Description: TnF-C++ is a robust and portable re-implementation of Flipflop, developed in 2014 and integrated in the S3PM toolchain. Both software have been designed in the context of the S3PM project on surgical procedure modeling and simulation,
Contact: Benoît Caillaud
Differential Algebraic Equation (DAE) systems constitute the mathematical model supporting physical modeling languages such as Modelica or Simscape. Unlike Ordinary Differential Equations, or ODEs, they exhibit subtle issues because of their implicit latent equations and related differentiation index. Multi-mode DAE (mDAE) systems are much harder to deal with, not only because of their mode-dependent dynamics, but essentially because of the events and resets occurring at mode transitions. Unfortunately, the large literature devoted to the numerical analysis of DAEs do not cover the multi-mode case. It typically says nothing about mode changes. This lack of foundations cause numerous difficulties to the existing modeling tools. Some models are well handled, others are not, with no clear boundary between the two classes. In , we develop a comprehensive mathematical approach to the structural analysis of mDAE systems which properly extends the usual analysis of DAE systems. We define a constructive semantics based on nonstandard analysis and show how to produce execution schemes in a systematic way. This work has been accepted for presentation at the HSCC 2017 conference in April 2017.
Explicit hybrid systems modelers like Simulink/Stateflow allow for programming both discrete- and continuous-time behaviors with complex interactions between them. A key issue in their compilation is the static detection of algebraic or causality loops. Such loops can cause simulations to deadlock and prevent the generation of statically scheduled code. In , we addresses this issue for a hybrid modeling language that combines synchronous data-flow equations with Ordinary Differential Equations (ODEs). We introduce the operator last(x) for the left-limit of a signal x. This operator is used to break causality loops and permits a uniform treatment of discrete and continuous state variables. The semantics relies on non-standard analysis, defining an execution as a sequence of infinitesimally small steps. A signal is deemed causally correct when it can be computed sequentially and only changes infinitesimally outside of announced discrete events like zero-crossings. The causality analysis takes the form of a type system that expresses dependences between signals. In well-typed programs, signals are provably continuous during integration provided that imported external functions are also continuous. The effectiveness of this system is illustrated with several examples written in Zélus, a Lustre-like synchronous language extended with hierarchical automata and ODEs.
Jean Hany and Albert Benveniste (together with William Dedzoe) were involved in this project.
CominWeb is a project supported by the Labex CominLabs since 2013. Its original objective was to equip CominLabs with Web infrastructures, tools, and services, that would allow to run the scientific activity of the Labex in an innovative way. Based on a study of the population of the CominLabs researchers, performed in year 2014-15 by the teams of CominLabs involved in social sciences, several services were investigated and prototyped. A short trial addressed the automatic generation of a scientific activity report, for a CominLabs project, from the material available from the publications ot the project team. This was suspended because such a service was not considered very useful by the community. A second trial (nicknamed “NSA”) consisted in monitoring the flows of email exchanges addressed to aliases of the CominLabs projects, with the objective of classifying the mails into: meeting announcements, mails with attachments of interest, and other mails. This would give to the CominLabs head a view on the project's activities without asking for any specific contribution from the researchers. This was more interesting. Still, a difficulty was that researchers did not use the project aliases so much. For priority issues, this development was also suspended.
The main result of this project is thus the service called
LookinLabs, deployed in two different versions:
http://
LookinLabs is deployed in two versions. LookinLabs4HALInria is the one we just described. The other version is in operation since 2016 and addresses the scientific community of CominLabs researchers. The data used are up to 10 standard bibliographical data bases (Dblp, IEEE Explore, Arxiv, HAL, and more) for which links have been collected from the researchers (this was the only data they were asked for). Results are returned in the form of individuals and publications, not teams.
The simulation of system-level models requires synchronizing, at simulation-time, physical models with software models. These models are developed and maintained by different stakeholders: physics engineers, control engineers and software engineers. Models designed by physics engineers are either detailed 3D finite-elements models, with partial differential equations (PDEs), or finite-dimension 0D models (obtained by model reduction techniques, or by empirical knowledge) expressed in modeling languages such as Simulink (with ordinary differential equations, or ODEs), Modelica (with differential algebraic equations, or DAEs), or directly as a C code embedding both the differential equations and its discretization scheme. Control engineers favor Matlab/Simulink, mainly because of its toolboxes and ease of use. Computer scientists program or model real-time reactive software, either with a dedicated language, for instance SCADE, hierarchical state machines or sequence/activity diagrams (as in UML/SysML) or directly in C. Coupling together heterogeneous models and programs, so that they can be co-simulated, is not only a technological challenge, but more importantly raises several deep and difficult questions: Can we trust simulations? What about their reproducibility? Will it be possible to simulate large systems with hundreds to thousands of component models?
The objective of the GLOSE project is to address these objectives, and propose both sound foundations and practical technological solutions to system level modeling and simulation. The GLOSE project has started in December 2017 and is funded by Safran, in the realm of the DESIR joint Safran-Academia research network. The academic teams contributing to GLOSE are the Hycomes, Diverse and Kairos Inria teams, and IRIT/CNRS in Toulouse.
Benoît Caillaud and Aurélien Lamercerie are participating to
the S3PM and SUNSET projects of the CominLabs excellence
laboratory
The project gathers researchers from three Inria teams, and from three other research labs in Grenoble and Paris area.
Name | Team | Inria Center or Laboratory |
Vincent Acary | Bipop | Inria Grenoble Rhône Alpes |
Albert Benveniste | Hycomes | Inria Rennes |
Benoît Caillaud | Bretagne Atlantique | |
Khalil Ghorbal | ||
Marc Pouzet | Parkas | ENS |
Tim Bourke | Inria Paris | |
Goran Frehse | Tempo | Verimag-univ. Grenoble Alpes |
Antoine Girard | L2S-CNRS, Saclay | |
Eric Goubault | Cosynus | LIX, École Polytechnique, |
Sylvie Putot | Saclay |
The main objective of ModeliScale is to advance modeling technologies (languages, compile-time analyses, simulation techniques) for CPS combining physical interactions, communication layers and software components. We believe that mastering CPS comprising thousands to millions of components requires radical changes of paradigms. For instance, modeling techniques must be revised, especially when physics is involved. Modeling languages must be enhanced to cope with larger models. This can only be done by combining new compilation techniques (to master the structural complexity of models) with new mathematical tools (new numerical methods, in particular).
MiodeliScale gathers a broad scope of experts in programming language design and compilation (reactive synchronous programming), numerical solvers (nonsmooth dynamical systems) and hybrid systems modeling and analysis (guaranteed simulation, verification). The research program is carried out in close cooperation with the Modelica community as well as industrial partners, namely, Dassault Systèmes as a Modelica/FMI tool vendor, and EDF and Engie as end users.
Benoît Caillaud has organized the Synchron'17
open workshop on Synchronous Programming
Languages
Khalil Ghorbal served as a PC member in the Repeatability Evaluation Committee of HSCC (Hybrid Systems: Computation and Control) 2017.
Albert Benveniste served as a PC member of the International Modelica Conference 2017.
Benoît Caillaud has served on the Steering and Programme Committees of the ACSD'17 conference.
Khalil Ghorbal reviewed a paper for the IEEE Conference on Decision and Control 2017.
Albert Benveniste reviewed a paper for FoSSaCS (International Conference on Foundations of Software Science and Computation Structures) 2017.
Benoît Caillaud has reviewed one paper for the LICS'17 conference.
Khalil Ghorbal reviewed a journal paper for the IEEE Transactions on Automatic Control.
Albert Benveniste reviewed a journal paper for the Science of Computer Programming journal.
Benoît Caillaud has reviewed papers for th IEEE Transactions on Control Systems Technology.
Khalil Ghorbal was invited by Saman Zonouz. Rutgers University, NJ, USA.
Albert Benveniste gave an invited talk at the Laboratory for Information & Decision Systems, MIT, Cambridge, MA, USA.
Albert Benveniste was a reviewer for the ERC Advanced Grant proposals 2017.
Benoît Caillaud is head of the Language and Software Engineering Department of IRISA (UMR 6074). The department is composed of 9 research teams and about 120 researchers and students, in Brest, Rennes and Vannes.
Master : Benoît Caillaud is teaching with Marc Pouzet a first year master degree course on hybrid systems modeling. The course is open to the students registered to the computer science research and innovation curriculum of the university of Rennes 1 and ENS Rennes, France.
Master : Khalil Ghorbal, Analyse et Conception Formelles, M1, (chargé de TD), 22h EqTD, University Rennes 1 and ENS Rennes, France
Master : Khalil Ghorbal, Solvers Principle and Architectures, M2, (enseignant principal), 30h EqTD, ENS Rennes, France
Master : Khalil Ghorbal, Modeling Physics with Differential-Algebraic Equations, M2, (enseignant principal), 25h EqTD, Ecole Polytechnique, Palaiseau, France
PhD : Ayman Aljarbouh, Accelerated Simulation of Hybrid Systems: Method combining static analysis and runtime execution analysis, University of Rennes 1, defended 13/09/2017, supervised by Benoît Caillaud.
PhD : Guillaume Baudart, A Synchronous Approach to Quasi-Periodic Systems, Ecole Normale Superieure (Paris), defended 13/03/2017, co-supervised by Albert Benveniste.
Benoît Caillaud has been president of PhD defence jury of Mohamed Amine Aouadhi, on 29 September 2017, at LS2N, the University of Nantes, France.
Albert Benveniste participated in the jury of the PhD thesis of Guillaume Baudart.