Keywords
 A2. Software
 A2.1. Programming Languages
 A2.1.1. Semantics of programming languages
 A2.1.5. Constraint programming
 A2.1.9. Synchronous languages
 A2.1.10. Domainspecific languages
 A2.2. Compilation
 A2.2.1. Static analysis
 A2.2.8. Code generation
 A2.3. Embedded and cyberphysical systems
 A2.3.1. Embedded systems
 A2.3.2. Cyberphysical systems
 A2.3.3. Realtime systems
 A2.4. Formal method for verification, reliability, certification
 A2.4.1. Analysis
 A2.4.3. Proofs
 A2.5. Software engineering
 A2.5.1. Software Architecture & Design
 A2.5.2. Componentbased Design
 A6. Modeling, simulation and control
 A6.1. Methods in mathematical modeling
 A6.1.1. Continuous Modeling (PDE, ODE)
 A6.1.5. Multiphysics modeling
 A6.3. Computationdata interaction
 A6.3.4. Model reduction
 A8. Mathematics of computing
 A8.4. Computer Algebra
 B4. Energy
 B4.4. Energy delivery
 B4.4.1. Smart grids
 B5.1. Factory of the future
 B5.2. Design and manufacturing
 B5.2.1. Road vehicles
 B5.2.2. Railway
 B5.2.3. Aviation
 B5.9. Industrial maintenance
 B8. Smart Cities and Territories
 B8.1. Smart building/home
 B8.1.1. Energy for smart buildings
 B8.2. Connected city
 B8.3. Urbanism and urban planning
1 Team members, visitors, external collaborators
Research Scientists
 Benoit Caillaud [Team leader, INRIA, Senior Researcher, HDR]
 Albert Benveniste [INRIA, Emeritus, HDR]
 Khalil Ghorbal [INRIA, Researcher]
PhD Students
 Maxime Bridoux [INRIA, from Oct 2022]
 Christelle Kozaily [INRIA, until Sep 2022]
 Joan Thibault [UNIV RENNES I]
Technical Staff
 Mathias Malandain [INRIA, Engineer, fulltime in Hycomes until Sep 2022; Halftime in Hycomes since Dec 2022]
Interns and Apprentices
 Carybe Bégué [ENS Rennes, Intern, until Jun 2022]
 Íñigo Íncer Romeo [University of California, Berkeley, Intern, until May 2022]
Administrative Assistant
 Armelle Mozziconacci [CNRS]
2 Overall objectives
Hycomes was created a local team of the Rennes  Bretagne Atlantique Inria research center in 2013 and has been created as an Inria ProjectTeam in 2016. The team is focused on two topics in cyberphysical systems design:
 Hybrid systems modeling, with an emphasis on the design of modeling languages in which software systems, in interaction with a complex physical environment, can be modelled, simulated and verified. A special attention is paid to the mathematical rigorous semantics of these languages, and to the correctness (wrt. such semantics) of the simulations and of the static analyses that must be performed during compilation. The Modelica language is the main application field. The team aims at contributing language extensions facilitating the modeling of physical domains which are poorly supported by the Modelica language. The Hycomes team is also designing new structural analysis methods for hybrid (aka. multimode) Modelica models. New simulation and verification techniques for large Modelica models are also in the scope of the team.
 Contractbased design and interface theories, with applications to requirements engineering in the context of safetycritical systems design. The objective of our research is to bridge the gap between systemlevel requirements, often expressed in natural, constrained or semiformal languages and formal models, that can be simulated and verified.
3 Research program
3.1 Hybrid Systems Modeling
Systems industries today make extensive use of mathematical modeling tools to design computer controlled physical systems. This class of tools addresses the modeling of physical systems with models that are simpler than usual scientific computing problems by using only Ordinary Differential Equations (ODE) and Difference Equations but not Partial Differential Equations (PDE). This family of tools first emerged in the 1980's with SystemBuild by MatrixX (now distributed by National Instruments) followed soon by Simulink by Mathworks, with an impressive subsequent development.
In the early 90's control scientists from the University of Lund (Sweden) realized that the above approach did not support component based modeling of physical systems with reuse 1. For instance, it was not easy to draw an electrical or hydraulic circuit by assembling component models of the various devices. The development of the Omola language by Hilding Elmqvist was a first attempt to bridge this gap by supporting some form of Differential Algebraic Equations (DAE) in the models. Modelica quickly emerged from this first attempt and became in the 2000's a major international concerted effort with the Modelica Consortium. A wider set of tools, both industrial and academic, now exists in this segment 2. In the Electronic Design Automation (EDA) sector, VHDLAMS was developed as a standard 64 and also enables the use of differential algebraic equations. Several domainspecific languages and tools for mechanical systems or electronic circuits also support some restricted classes of differential algebraic equations. Spice is the historic and most striking instance of these domainspecific languages/tools 3. The main difference is that equations are hidden and the fixed structure of the differential algebraic results from the physical domain covered by these languages.
Despite these tools are now widely used by a number of engineers, they raise a number of technical difficulties. The meaning of some programs, their mathematical semantics, is indeed ambiguous. A main source of difficulty is the correct simulation of continuoustime dynamics, interacting with discretetime dynamics: How the propagation of mode switchings should be handled? How to avoid artifacts due to the use of a global ODE solver causing unwanted coupling between seemingly non interacting subsystems? Also, the mixed use of an equational style for the continuous dynamics with an imperative style for the mode changes and resets, is a source of difficulty when handling parallel composition. It is therefore not uncommon that tools return complex warnings for programs with many different suggested hints for fixing them. Yet, these “pathological” programs can still be executed, if wanted so, giving surprising results — See for instance the Simulink examples in 31, 21 and 22.
Indeed this area suffers from the same difficulties that led to the development of the theory of synchronous languages as an effort to fix obscure compilation schemes for discrete time equation based languages in the 1980's. Our vision is that hybrid systems modeling tools deserve similar efforts in theory as synchronous languages did for the programming of embedded systems.
3.2 Background on nonstandard analysis
NonStandard analysis plays a central role in our research on hybrid systems modeling 21, 31, 23, 22, 29, 3. The following text provides a brief summary of this theory and gives some hints on its usefulness in the context of hybrid systems modeling. This presentation is based on our paper 2, a chapter of Simon Bliudze's PhD thesis 37, and a recent presentation of nonstandard analysis, not axiomatic in style, due to the mathematician Lindström 71.
Nonstandard numbers allowed us to reconsider the semantics of hybrid systems and propose a radical alternative to the superdense time semantics developed by Edward Lee and his team as part of the Ptolemy II project, where cascades of successive instants can occur in zero time by using ${\mathbb{R}}_{+}\times \mathbb{N}$ as a time index. In the nonstandard semantics, the time index is defined as a set $\mathbb{T}=\{n\partial \mid n\in {}^{*}\mathbb{N}\}$, where $\partial $ is an infinitesimal and ${}^{*}\mathbb{N}$ is the set of nonstandard integers. Remark that (1) $\mathbb{T}$ is dense in ${\mathbb{R}}_{+}$, making it “continuous”, and (2) every $t\in \mathbb{T}$ has a predecessor in $\mathbb{T}$ and a successor in $\mathbb{T}$, making it “discrete”. Although it is not effective from a computability point of view, the nonstandard semantics provides a framework that is familiar to the computer scientist and at the same time efficient as a symbolic abstraction. This makes it an excellent candidate for the development of provably correct compilation schemes and type systems for hybrid systems modeling languages.
Nonstandard analysis was proposed by Abraham Robinson in the 1960s to allow the explicit manipulation of “infinitesimals” in analysis 82, 56, 52. Robinson's approach is axiomatic; he proposes adding three new axioms to the basic ZermeloFraenkel (ZFC) framework. There has been much debate in the mathematical community as to whether it is worth considering nonstandard analysis instead of staying with the traditional one. We do not enter this debate. The important thing for us is that nonstandard analysis allows the use of the nonstandard discretization of continuous dynamics “as if” it was operational.
Not surprisingly, such an idea is quite ancient. Iwasaki et al. 65 first proposed using nonstandard analysis to discuss the nature of time in hybrid systems. Bliudze and Krob 36, 37 have also used nonstandard analysis as a mathematical support for defining a system theory for hybrid systems. They discuss in detail the notion of “system” and investigate computability issues. The formalization they propose closely follows that of Turing machines, with a memory tape and a control mechanism.
3.3 Structural Analysis of DAE Systems
The Modelica language is based on Differential Algebraic Equations (DAE). The general form of a DAE is given by:
where $F$ is a system of ${n}_{e}$ equations $\{{f}_{1},\cdots ,{f}_{{n}_{e}}\}$ and $x$ is a finite list of ${n}_{v}$ independent realvalued, smooth enough, functions $\{{x}_{1},\cdots ,{x}_{{n}_{v}}\}$ of the independent variable $t$. We use ${x}^{\text{'}}$ as a shorthand for the list of firstorder time derivatives of ${x}_{j}$, $j=1,\cdots ,{n}_{v}$. Highorder derivatives are recursively defined as usual, and ${x}^{\left(k\right)}$ denotes the list formed by the $k$th derivatives of the functions ${x}_{j}$. Each ${f}_{i}$ depends on the scalar $t$ and some of the functions ${x}_{j}$ as well as a finite number of their derivatives.
Let ${\sigma}_{i,j}$ denote the highest differentiation order of variable ${x}_{j}$ effectively appearing in equation ${f}_{i}$, or $\infty $ if ${x}_{j}$ does not appear in ${f}_{i}$. The leading variables of $F$ are the variables in the set
The state variables of $F$ are the variables in the set
A leading variable ${x}_{j}^{\left({\sigma}_{j}\right)}$ is said to be algebraic if ${\sigma}_{j}=0$ (in which case, neither ${x}_{j}$ nor any of its derivatives are state variables). In the sequel, $v$ and $u$ denote the leading and state variables of $F$, respectively.
DAE are a strict generalization of ordinary differential equations (ODE), in the sense that it may not be immediate to rewrite a DAE as an explicit ODE of the form $v=G\left(u\right)$. The reason is that this transformation relies on the Implicit Function Theorem, requiring that the Jacobian matrix $\frac{\partial F}{\partial v}$ have full rank. This is, in general, not the case for a DAE. Simple examples, like the twodimensional fixedlength pendulum in Cartesian coordinates 79, exhibit this behaviour.
For a square DAE of dimension $n$ (i.e., we now assume ${n}_{e}={n}_{v}=n$) to be solved in the neighborhood of some $({v}^{*},{u}^{*})$, one needs to find a set of nonnegative integers $C=\{{c}_{1},\cdots ,{c}_{n}\}$ such that system
can locally be made explicit, i.e., the Jacobian matrix of ${F}^{\left(C\right)}$ with respect to its leading variables, evaluated at $({v}^{*},{u}^{*})$, is nonsingular. The smallest possible value of ${max}_{i}{c}_{i}$ for a set $C$ that satisfies this property is the differentiation index 45 of $F$, that is, the minimal number of time differentiations of all or part of the equations ${f}_{i}$ required to get an ODE.
In practice, the problem of automatically finding a ”minimal” solution $C$ to this problem quickly becomes intractable. Moreover, the differentiation index may depend on the value of $({v}^{*},{u}^{*})$. This is why, in lieu of numerical nonsingularity, one is interested in the structural nonsingularity of the Jacobian matrix, i.e., its almost certain nonsingularity when its nonzero entries vary over some neighborhood. In this framework, the structural analysis (SA) of a DAE returns, when successful, values of the ${c}_{i}$ that are independent from a given value of $({v}^{*},{u}^{*})$.
A renowned method for the SA of DAE is the Pantelides method; however, Pryce's $\Sigma $method is introduced also in what follows, as it is a crucial tool for our works.
3.3.1 Pantelides method
In 1988, Pantelides proposed what is probably the most wellknown SA method for DAE 79. The leading idea of his work is that the structural representation of a DAE can be condensed into a bipartite graph whose left nodes (resp. right nodes) represent the equations (resp. the variables), and in which an edge exists if and only if the variable occurs in the equation.
By detecting specific subsets of the nodes, called Minimally Structurally Singular (MSS) subsets, the Pantelides method iteratively differentiates part of the equations until a perfect matching between the equations and the leading variables is found. One can easily prove that this is a necessary and sufficient condition for the structural nonsingularity of the system.
The main reason why the Pantelides method is not used in our work is that it cannot efficiently be adapted to multimode DAE (mDAE). As a matter of fact, the adjacency graph of a mDAE has both its nodes and edges parametrized by the subset of modes in which they are active; this, in turn, requires that a parametrized Pantelides method must branch every time no modeindependent MSS is found, ultimately resulting, in the worst case, in the enumeration of modes.
3.3.2 Pryce's Sigmamethod
Albeit less renowned that the Pantelides method, Pryce's $\Sigma $method 80 is an efficient SA method for DAE, whose equivalence to the Pantelides method has been proved by the author. This method consists in solving two successive problems, denoted by primal and dual, relying on the $\Sigma $matrix, or signature matrix, of the DAE $F$.
This matrix is given by:
where ${\sigma}_{ij}$ is equal to the greatest integer $k$ such that ${x}_{j}^{\left(k\right)}$ appears in ${f}_{i}$, or $\infty $ if variable ${x}_{j}$ does not appear in ${f}_{i}$. It is the adjacency matrix of a weighted bipartite graph, with structure similar to the graph considered in the Pantelides method, but whose edges are weighted by the highest differentiation orders. The $\infty $ entries denote nonexistent edges.
The primal problem consists in finding a maximumweight perfect matching (MWPM) in the weighted adjacency graph. This is actually an assignment problem, for the solving of which several standard algorithms exist, such as the pushrelabel algorithm 63 or the EdmondsKarp algorithm 58 to only give a few. However, none of these algorithms are easily parametrizable, even for applications to mDAE systems with a fixed number of variables.
The dual problem consists in finding the componentwise minimal solution $(C,D)=(\{{c}_{1},\cdots ,{c}_{n}\},\{{d}_{1},\cdots ,{d}_{n}\})$ to a given linear programming problem, defined as the dual of the aforementioned assignment problem. This is performed by means of a fixpoint iteration (FPI) that makes use of the MWPM found as a solution to the primal problem, described by the set of tuples ${\left\{(i,{j}_{i})\right\}}_{i\in \{1,\cdots ,n\}}$:
 Initialize $\{{c}_{1},\cdots ,{c}_{n}\}$ to the zero vector.
 For every $j\in \{1,\cdots ,n\}$,$${d}_{j}\leftarrow \underset{i}{max}({\sigma}_{ij}+{c}_{i})$$
 For every $i\in \{1,\cdots ,n\}$,$${c}_{i}\leftarrow {d}_{{j}_{i}}{\sigma}_{i,{j}_{i}}$$
 Repeat Steps 2 and 3 until convergence is reached.
From the results proved by Pryce in 80, it is known that the above algorithm terminates if and only if it is provided a MWPM, and that the values it returns are independent of the choice of a MWPM whenever there exist several such matchings. In particular, a direct corollary is that the $\Sigma $method succeeds as long as a perfect matching can be found between equations and variables.
Another important result is that, if the Pantelides method succeeds for a given DAE $F$, then the $\Sigma $method also succeeds for $F$ and the values it returns for $C$ are exactly the differentiation indices for the equations that are returned by the Pantelides method. As for the values of the ${d}_{j}$, being given by ${d}_{j}={max}_{i}({\sigma}_{ij}+{c}_{i})$, they are the differentiation indices of the leading variables in ${F}^{\left(C\right)}$.
Working with this method is natural for our works, since the algorithm for solving the dual problem is easily parametrizable for dealing with multimode systems, as shown in our recent paper 44.
3.3.3 Block triangular decomposition
Once structural analysis has been performed, system ${F}^{\left(C\right)}$ can be regarded, for the needs of numerical solving, as an algebraic system with unknowns ${x}_{j}^{\left({d}_{j}\right)}$, $j=1\cdots n$. As such, (inter)dependencies between its equations must be taken into account in order to put it into block triangular form (BTF). Three steps are required:
 the dependency graph of system ${F}^{\left(C\right)}$ is generated, by taking into account the perfect matching between equations ${f}_{i}^{\left({c}_{i}\right)}$ and unknowns ${x}_{j}^{\left({d}_{j}\right)}$;
 the strongly connected components (SCC) in this graph are determined: these will be the equation blocks that have to be solved;
 the block dependency graph is constructed as the condensation of the dependency graph, from the knowledge of the SCC; a BTF of system ${F}^{\left(C\right)}$ can be made explicit from this graph.
3.4 ContractBased Design, Interfaces Theories, and Requirements Engineering
System companies such as automotive and aeronautic companies are facing significant difficulties due to the exponentially raising complexity of their products coupled with increasingly tight demands on functionality, correctness, and timetomarket. The cost of being late to market or of imperfections in the products is staggering as witnessed by the recent recalls and delivery delays that many major car and airplane manufacturers had to bear in the recent years. The root causes of these design problems are complex and relate to a number of issues ranging from design processes and relationships with different departments of the same company and with suppliers, to incomplete requirement specification and testing.
We believe the most promising means to address the challenges in systems engineering is to employ formal design methodologies that seamlessly and coherently combine the various viewpoints of the design space (behavior, time, energy, reliability, ...), that provide the appropriate abstractions to manage the inherent complexity, and that can provide correctbyconstruction implementations. The following issues must be addressed when developing new approaches to the design of complex systems:
 The overall design flows for heterogeneous systems and the associated use of models across traditional boundaries are not well developed and understood. Relationships between different teams inside a same company, or between different stakeholders in the supplier chain, are not supported by precise mathematical specifications of the components each party is expected to deliver.
 System requirements capture and analysis is in large part a heuristic process, where informal text and natural languagebased techniques in use today are facing significant challenges 67. Formal requirements engineering is in its infancy: mathematical models, formal analysis techniques and links to system implementation must be developed.
 Dealing with variability, uncertainty, and lifecycle issues, such as extensibility of a product family, are not welladdressed using available systems engineering methodologies and tools.
The challenge is to address the entire process and not to consider only local solutions of methodology, tools, and models that ease part of the design.
Contractbased design has been proposed as a new approach to the system design problem that is rigorous and effective in dealing with the problems and challenges described before, and that, at the same time, does not require a radical change in the way industrial designers carry out their task as it cuts across design flows of different types. Indeed, contracts can be used almost everywhere and at nearly all stages of system design, from early requirements capture, to embedded computing infrastructure and detailed design involving circuits and other hardware. Intuitively, a contract captures two properties, respectively representing the assumptions on the environment and the guarantees of the system under these assumptions. Hence, a contract can be defined as a pair $C=(A,G)$ of assumptions and guarantees characterizing in a formal way 1) under which context the design is assumed to operate, and 2) what its obligations are. Assume/Guarantee reasoning has been known for a long time, and has been used mostly in software engineering 77. However, contractbased design is not limited to types and values in a piece of software. It can also be used to capture its performances (time, memory consumption, energy) and reliability. This amounts to enrich a component's interface with, on one hand, formal specifications of the behavior of the environment in which the component may be instantiated and, on the other hand, of the expected behavior of the component itself. To leverage contractbased reasoning as a technique of choice for system engineers, we aim to develop:
 mathematical foundations of contracts, that enable the design of formal verification frameworks;
 System engineering methodologies and tools, that focus on requirements modeling, contract specification and verification, at multiple abstraction levels.
A detailed bibliography on contract and interface theories for embedded system design can be found in 4. In a nutshell, contract and interface theories fall into two main categories:

Assume/guarantee contracts.
By explicitly relying on the notions of assumptions and guarantees, A/Gcontracts are intuitive. This makes them appealing for the engineer. In A/Gcontracts, assumptions and guarantees are just properties regarding the behavior of a component and of its environment. The typical case is when these properties are formal languages or sets of traces. This includes the class of safety properties 68, 48, 76, 20, 50. Contract theories were initially developed as specification formalisms able to refuse some inputs from the environment 57. A/Gcontracts were advocated in 26 and are is still a very active research topic, with several contributions dealing with the timed 35 and probabilistic 40, 41 viewpoints in system design, and even hybrid systems design 78.

Automata theoretic interfaces.
Interfaces combine assumptions and guarantees in a single, automata theoretic specification. Most interface theories are based on Lynch's Input/Output Automata 75, 74. Interface Automata 16, 15, 17, 46 focus primarily on parallel composition and compatibility: two interfaces are compatible if there exists at least one environment where they can work together. The idea is that the resulting composition exposes as an interface the needed information to ensure that incompatible pairs of states cannot be reached. This can be achieved by using the possibility, for an Interface Automaton, to refuse some inputs from the environment in a given state. This amounts to the implicit assumption that the environment will never produce any of the refused inputs, when the interface is in this state. Modal Interfaces 81 inherit from both Interface Automata and the originally unrelated notion of Modal Transition System 70, 19, 38, 69. Modal Interfaces are strictly more expressive than Interface Automata by decoupling the I/O orientation of an event and its deontic modalities (mandatory, allowed or forbidden). Informally, a must transition is offered in every component that realizes the modal interface, while a may transition is optional. Research on interface theories is still very active. For instance, timed 18, 32, 34, 54, 53, 33, probabilistic 40, 55 and energyaware 47 interface theories have been proposed recently.
Requirements Engineering is one of the major concerns in large systems industries today, particularly so in sectors where certification prevails 83. Most requirements engineering tools offer a poor structuring of the requirements and cannot be considered as formal modeling frameworks today. They are nothing less, but nothing more than an informal structured documentation enriched with hyperlinks.
We see ContractBased Design and Interfaces Theories as innovative tools in support of Requirements Engineering. The Software Engineering community has extensively covered several aspects of Requirements Engineering, in particular:
 the development and use of large and rich ontologies; and
 the use of Model Driven Engineering technology for the structural aspects of requirements and resulting hyperlinks (to tests, documentation, PLM, architecture, and so on).
Behavioral models and properties, however, are not properly encompassed by the above approaches. This is the cause of a remaining gap between this phase of systems design and later phases where formal model based methods involving behavior have become prevalent. We believe that our work on contractbased design and interface theories is best suited to bridge this gap.
3.5 Efficient Symbolic Computation for Sparse Systems
This project consists in exploiting the parsimony of sparse systems to accelerate their symbolic manipulation (quantifiers elimination 51, differentialalgebraic reductions 84 etc.). Let us cite two typical examples as a motivation: Boolean functions ($a\vee b\wedge \neg c$) and polynomial systems with inequalities (${x}^{2}+y\le 1\wedge x+y=0$). We seek precisely to decompose these systems, automatically, in order to be able to manipulate them at an advantageous computational cost (in time and in memory) by attacking the pieces thus obtained rather than considering the system as a single monolithic block.
The current algorithms suffer from a theoretical complexity that is at best exponential (in the size of the input) limiting their use to instances of very modest size. The classic approach to overcome this problem is to develop/use numerical methods (with their limits and intrinsic problems) when possible of course. We aim to explore a different avenue.
In this project, we wish to exploit the structure of sparse systems to push the symbolic approach beyond its theoretical limits (for this class). The a priori limited application of our methods for dense systems is compensated by the fact that in practice, the problems are very often structured (in this regard, let us content ourselves with quoting the SAT solvers which successfully tackle industrial instances of a theoretically NPcomplete problem).
The idea of exploiting the structure to speed up calculations that are a priori complex is not new. It has notably been developed and successfully used in signal processing via Factor Graphs 73, where one restricts oneself to local propagation of information, guided by an abstract graph which represents the structure of the system overall. Our approach is similar: we basically seek to use expensive algorithms sparingly on only subsystems involving only a small number of variables, thus hoping to reduce the theoretical worst case. One could then legitimately wonder why it is not enough to apply what has already been done on Factor Graphs? The difficulty (and the novelty for that matter) lies in the implementation of this idea for the problems that interest us. Let's start by emphasizing that the propagation of information has a significantly different impact depending on the operator (or quantifier) to be eliminated: a minimization or a summation do not look like a projection at all! This will obviously not prevent us from importing good ideas applicable to our problems and vice versa.
More related to symbolic computation, to our knowledge, at least two recent attempts exist: chordal networks 49 which propose a representation of the ideals of the ring of polynomials (therefore algebraic sets), and triangular block shapes 86, initiated independently and under development in our team and which tackle Boolean functions, or, if you will, the algebraic sets over the field of Booleans. The similarity between the two approaches is striking and suggests that there is a common way of doing things that could be exploited beyond these two examples. It is this unification that interests us in the first place in this project.
We identify three research problems to explore:

T1.
Unify several optimization problems on graphs as a single problem parameterized by a cost function.

T2.
Adapt (and possibly improve) the algorithm of 85 to WAP and consequently to all instances of the single problem detailed in T1.

T3.
Propose a unified and modular method consisting of: (1) an elimination algorithm, (2) a data structure and (3) an efficient algorithm to solve the problem (with a cost function adequate).
The work on chordal networks and our work on Boolean functions immediately become special cases. For example, for Boolean functions, one could use Binary Decision Diagrams (BDDs) 39 to represent each piece of the initial system thus obtained. In fact, the final representation will no longer be a single monolithic BDD as is currently the case, but rather a graph of BDDs. In the same way, an algebraic set will be represented by a graph where each node is a Gröbner basis (or any other data structure used to represent systems of equations).
The structure of the system becomes thus apparent and is exploited to optimize the used representation, opening the way to a better understanding and therefore to a more efficient and better targeted manipulation. Let's remember a simple fact here: symbolic manipulation often solves the problem exactly (without approximation or compromise). Therefore, pushing the limits of applicability of these techniques to scale them can only be appreciated and will undoubtedly have a significant impact on all the areas where they apply and the list is as long as it is varied. (compilation, certification, validation, synthesis, etc.).
4 Application domains
The Hycomes team contributes to the design of mathematical modeling languages and tools, to be used for the design of cyberphysical systems. In a nutshell, two major applications can be clearly identified: (i) our work on the structural analysis of multimode DAE systems has a sizeable impact on the techniques to be used in Modelica tools; (ii) our work on the verification of dynamical systems has an impact on the design methodology for safetycritical cyberphysical systems. These two applications are detailed below.
4.1 Modelica
Mathematical modeling tools are a considerable business, with major actors such as MathWorks, with Matlab/Simulink, or Wolfram, with Mathematica. However, none of these prominent tools are suitable for the engineering of large systems. The Modelica language has been designed with this objective in mind, making the best of the advantages of DAEs to support a componentbased approach. Several industries in the energy sector have adopted Modelica as their main systems engineering language.
Although multimode features have been introduced in version 3.3 of the language 60, proper tool support of multimode models is still lagging behind. The reason is not a lack of interest from tool vendors and academia, but rather that multimode DAE systems poses several fundamental difficulties, such as a proper definition of a concept of solutions for multimode DAEs, how to handle mode switchings that trigger a change of system structure, or how impulsive variables should be handled. Our work on multimode DAEs focuses on these crucial issues 30.
Thanks to our IsamDAE software 44, 43, a larger class of Modelica models are expected to be compiled and simulated correctly. This should enable industrial users to have cleaner and simpler multimode Modelica models, with dynamically changing structure of cyberphysical systems. On the longer term, our ambition is to provide efficient codegeneration techniques for the Modelica language, supporting, in full generality, multimode DAE systems, with dynamically changing differentiation index, structure and dimension.
4.2 Dynamical Systems Verification
In addition to welldefined operational semantics for hybrid systems, one often needs to provide formal guarantees about the behavior of some critical components of the system, or at least its main underlying logic. To do so, we are actively developing new techniques to automatically verify whether a hybrid system complies with its specifications, and/or to infer automatically the envelope within which the system behaves safely. The approaches we developed have been already successfully used to formally verify the intricate logic of the ACAS X, a midair collision avoidance system that advises the pilot to go upward or downward to avoid a nearby airplane which requires mixing the continuous motion of the aircraft with the discrete decisions to resolve the potential conflict 66. This challenging example is nothing but an instance of the kind of systems we are targeting: autonomous smart systems that are designed to perform sophisticated tasks with an internal tricky logic. What is even more interesting perhaps is that such techniques can be often "reverted" to actually synthesize missing components so that some property holds, effectively helping the design of such complex systems.
5 Social and environmental responsibility
5.1 Impact of research results
The expected impact of our research is to allow both better designs and better exploitation of energy production units and distribution networks, enabling largescale energy savings. At least, this is what we could observe in the context of the FUI ModeliScale collaborative project (2018–2021), focused on electric grids, urban heat networks and building thermal modeling.
The rationale is as follows: system engineering models are meant to assess the correctness, safety and optimality of a system under design. However, system models are still useful after the system has been put in operation. This is especially true in the energy sector, where systems have an extremely long lifespan (for instance, more than 50 years for some nuclear power plants) and are upgraded periodically, to integrate new technologies. Exactly like in software engineering, where a software and its model coevolve throughout the lifespan of the software, a coevolution of the system and its physical models has to be maintained. This is required in order to maintain the safety of the system, but also its optimality.
Moreover, physical models can be instrumental to the optimal exploitation of a system. A typical example are modelpredictive control (MPC) techniques, where the model is simulated, during the exploitation of the system, in order to predict system trajectories up to a boundedtime horizon. Optimal control inputs can then be computed by mathematical programming methods, possibly using multiple simulation results. This has been proved to be a practical solution 62, whenever classical optimal control methods are ineffective, for instance, when the system is nonlinear or discontinuous. However, this requires the generation of highperformance simulation code, capable of simulating a system much faster than realtime.
The structural analysis techniques implemented in IsamDAE 44 generate a conditional block dependency graph, that can be used to generate highperformance simulation code : static code can be generated for each block of equations, and a scheduling of these blocks can be computed, at runtime, at each mode switching, thanks to an inexpensive topological sort algorithm. Contrarily to other approaches (such as 61), no structural analysis, blocktriangular decompositions, or automatic differentiation has to be performed at runtime.
6 Highlights of the year
Members of the Hycomes team have contributed to two journal papers in 2022:
 An extended version of our three Modelica'21 papers 28, 27, 42 has been assembled and published as a 63 pages long journal paper 7 —more details in Section 8.1. This paper also details the use of CoSTreD 14 (see also Section 8.2), a messagepassing technique, decomposing the resolution of constraint systems into the resolution of several, smaller systems, and that turns out to be instrumental to reduce the empirical computational complexity of the multimode Pryce indexreduction method, implemented in the IsamDAE software (Section 7.1.1). An opensource implementation of CoSTreD is available in the Snowflake OCaml library (Section 7.1.2).
 Two characterizations of positive invariance of sets for systems of ordinary differential equations are proposed in 8. Although these characterizations are essentially equivalent, they lead to different decision procedures for polynomial differential equations —see Section 8.4.
7 New software and platforms
7.1 New software
7.1.1 IsamDAE

Name:
Implicit Structural Analysis of Multimode DAE systems

Keywords:
Structural analysis, Differential algebraic equations, Multimode, Scheduling, Consistent initialization, Code generation

Scientific Description:
Modeling languages and tools based on Differential Algebraic Equations (DAE) bring several specific issues that do not exist with modeling languages based on Ordinary Differential Equations. The main problem is the determination of the differentiation index and latent equations. Prior to generating simulation code and calling solvers, the compilation of a model requires a structural analysis step, which reduces the differentiation index to a level acceptable by numerical solvers.
The Modelica language, among others, allows hybrid models with multiple modes, modedependent dynamics and statedependent mode switching. These Multimode DAE (mDAE) systems are much harder to deal with. The main difficulties are (i) the combinatorial explosion of the number of modes, and (ii) the correct handling of mode switchings.
The IsamDAE software aims at providing a compilation chain for mDAEbased modeling languages that make it possible to efficiently generate correct simulation code for multimode models. Novel structural analysis methods for mDAE systems were designed and implemented, based on an implicit representation of the varying structure of such systems. Several standard algorithms, such as J. Pryce's Sigmamethod and the DulmageMendelsohn decomposition, were adapted to the multimode case, using Binary Decision Diagrams (BDD) to represent the modedependent structure of an mDAE system.
IsamDAE determines, as a function of the mode, the set of latent equations, the leading variables and the state vector. This is then used to compute a conditional dependency graph (CDG) of the system, that can be used to generate simulation code with a modedependent scheduling of the blocks of equations. The software is also fit for generating simulation code for the hybrid dynamical system simulation tool Siconos, as well as handling the structural analysis of the multimode consistent initialization problem associated with an mDAE system.

Functional Description:
IsamDAE (Implicit Structural Analysis of Multimode DAE systems) is a software library implementing new structural analysis methods for multimode DAE systems, based on an implicit representation of incidence graphs, matchings between equations and variables, and block decompositions. The input of the software is a variable dimension multimode DAE system consisting in a set of guarded equations and guarded variable declarations. It computes a modedependent structural index reduction of the multimode system and is able to produce a modedependent graph for the scheduling of blocks of equations in long modes, check the structural nonsingularity of the associated consistent initialization problem, or generate simulation code for the nonsmooth dynamical system simulation tool Siconos.
IsamDAE is coded in OCaml, and uses the following packages: GuaCaml by Joan Thibault, MLBDD by Arlen Cox, Menhir by François Pottier and Yann RégisGianas, Pprint by François Pottier, Snowflake by Joan Thibault, XMLLight by Nicolas Cannasse and Jacques Garrigue.

Release Contributions:
New features:
* XML representations of the structure of a multimode DAE model are accepted as inputs by the IsamDAE tool, in order to enable weak coupling with tools based on existing DAEbased languages. IsamDAE distinguishes between MEL and XML inputs based on the extension of the input file (.mel versus .mdae.xml).
Bug fixes:
* A better handling of the model structure for consistent initialization prevents subtle bugs that were observed for a few models and initial events. Specific error messages are returned when initial equations involve variables that are not active in the corresponding modes.
Performance improvement:
* Better handling of sets of equations/variables labeled with propositional formulas, thanks to an adapted data structure.
Various:
* Verbosity option v now takes as a parameter an integer ranging from 0 ("quiet") to 5 ("deep debug"). The detailed output of CoSTreD is only available in "deep debug" mode.

News of the Year:
XML inputs representing the modedependent structure of a multimode DAE system are now handled by IsamDAE, enabling for the weak coupling with existing modeling and simulation tools for DAEbased languages such as Modelica.
 URL:
 Publications:

Contact:
Benoit Caillaud

Participants:
Benoit Caillaud, Mathias Malandain, Joan Thibault, Alexandre Rocca, Bertrand Provot
7.1.2 snowflake

Name:
Snowflake : A Generic Symbolic Dynamic Programming framework

Keywords:
Ocaml, Symbolic computation, Binary decision diagram

Scientific Description:
Complex systems (either physical or logical) are structured and sparse, that is, they are build from individual components linked together, and any component is only linked to rather small number of other components with respects to the size of the global system.
RBTF exploits this structure, by overapproximating the relations between components as a tree (called decomposition tree in the graph literature) each node of this tree being a set of components of the initial systems. Then, starting from leaves, each subsystem is solved and the solutions are projected as a new constraints on their parents node, this process is iterated until all subsystems are solved. This step allows to condensate all constraints and check their satisfiability. We call this step the **Forward Reduction Process** (FRP).
Finally, we can propagate all the constraints back into their initial subsystem by performing those same projection in the reverse direction. That is, each subsystem update its set of solution given the information from its parent then send the information to its children subsystems (possibly none, if its a leaf). We call this step the **Backward Propagation Process** (BPP).

Functional Description:
Snowflake interfaces a WAPsolver (Weighted Adjacency Propagation problem), a functorbased implementation of CoSTreD (Constraint System Tree Decomposition), along with a minimalist MLBDD (Arlen Cox's BDD package) toolbox.

Release Contributions:
2022/07 : published Research Report 9478 (https://hal.archivesouvertes.fr/hal03740562/) 2022/06/30 : renamed RBTF into CoSTreD 2022/06/19 : added basic constraint system export 2022/06/02 : add small graphviz interface 2022/06/02 : added small graphviz interface 2022/06/02 : added sorted test on input to MlbddUtils.subst
 URL:

Authors:
Joan Thibault, Joan Thibault

Contact:
Joan Thibault
8 New results
8.1 Handling Multimode Models and Mode Changes in Modelica
Participants: Albert Benveniste, Benoît Caillaud, Mathias Malandain, Joan Thibault.
Since version 3.3, the Modelica language offers the possibility of specifying multimode dynamics, by describing state machines with different DAE dynamics in each different state 59. This feature enables describing large complex cyberphysical systems with different behaviors in different modes.
While being undoubtedly valuable, multimode modeling has been the source of serious difficulties for nonexpert users of the current generation of Modelica tools. Indeed, while many largescale Modelica models are properly handled, some physically meaningful models do not result in correct simulations with most Modelica tools. As such problematic models are actually easy to construct, the likelihood of such bad cases occurring in large models is significant.
It is unfortunately unclear which multimode Modelica models will be properly handled, and which ones will fail. As a consequence, quite often, end users have to ask Modelica experts, or even tool developers themselves, to tweak their models in order to make them work as expected. While it is accepted that physical modeling itself requires expertise, requiring expertise in how to get around tool idiosyncrasies is not desirable. This situation hinders the dissemination of Modelica tools among a larger class of users, such as Simulinktrained engineers.
Several examples, presented in 7 reveal that this problem is due to an inadequate structural analysis, performed during compilation. As far as we know, no industrialstrength Modelica tool implements a modedependent structural analysis. Worse, it is not even understood what kind of structural analysis should be associated with mode change events.
Some years ago, we started a project aiming at addressing all the above issues 25, 24, 30. In 7, we cast our approach in the context of the Modelica language, by illustrating it on two simple yet physically meaningful examples that current Modelica tools fail to properly simulate. The use of nonstandard analysis allows us to perform the analysis of both modes and mode changes in a unified framework, including the handling of transient modes and that of impulsive mode changes. Standardization techniques are then used in order to generate effective code for restarts at mode changes.
As an efficient implementation of such methods in Modelica compilers would greatly expand the class of multimode models amenable to reliable numerical simulation, multimode DAE structural analysis algorithms are also detailed in 7. This extends previous work presented in 44: mode enumeration is avoided thanks to the use of an implicit, BDDbased symbolic representations of the structure of a multimode DAE system. However, the scalability of the algorithm is greatly improved thanks to the use of CoSTreD 14, a messagepassing technique, that allows to decompose the resolution of the primal problem of the multimode Pryce method into a set of smaller parametric optimization problems —more details in Section 8.2.
A compiletime calculus that evaluates the impulse order of algebraic variables is also detailed in 7. Finite impulse orders can be used to renormalize impulsive variables when implementing a numerical scheme that approximates the restart values for each state variable of the system. We also detail in this paper, a systematic way of rewriting a multimode Modelica model, based on the results of a multimode structural analysis. The rewritten Modelica model is guaranteed to have a reduced index and a modeindependent structure. This suffices to guarantee correctly compiled by stateoftheart Modelica tools. Simulation results are presented on a simple, yet meaningful, physical system whose original Modelica model is not correctly handled by stateoftheart Modelica tools.
We demonstrate how the results of this multimode structural analysis can be used for transforming a multimode Modelica model into its RIMIS (Reduced Index ModeIndependent Structure) form, which is guaranteed to yield correct execution on stateoftheart Modelica tools.
8.2 Constraint System Decomposition
Participants: Joan Thibault.
Various classical problems in computer science can be formulated as Constraint Solving Problems (CSP), consisting in a query on a conjunction of constraints. Typical instances of such queries are satisfiability problems, optimization under constraints, model enumeration, model counting and normalization. Constraint systems can be Conjunctive Normal Form (CNF) formulas, as well as Integer Linear Programs (ILP), and, in its most generic form, Constraint Programs (CP). In both industrial and academic contexts, instances are generally structured and, in most cases, sparse: each constraint involves only a small set of variables, and variables are only involved in a small set of constraints. Moreover, large practical instances tend to have a treelike structure, which can efficiently be captured by the notion of treewidth, as commonly considered in the fixedparameter tractability community. Using dynamic programming to solve problems for which a "good" tree decomposition is available is well known, and has been rediscovered many times in the history of computer science, under various names: message passing in factor graphs, belief propagation in belief networks, arc consistency in constraint networks, etc. In 14, we introduce the CoSTreD (Constraint System Tree Decomposition) method, based on symbolic representations and operators on them to improve the scalability of CSP solving. CoSTreD is based upon two operators: a projection operator which allows to deal with satisfiability and canonicalization locally on the tree decomposition, and a coprojection operator, extending the method to optimization queries. We establish sufficient conditions under which these operators preserve the semantics of the CSP. Finally, CoSTreD is extended to deal with parameter (or mode) variables, mostly by (i) adapting the notion of tree decomposition to deal with parameter variables, (ii) using symbolic representations to avoid the combinatorial explosion of mode enumeration, and (iii) mitigating the contamination of constraints by parameter variables during message passing.
8.3 Characterizing Qmatrices
Participants: Khalil Ghorbal, Christelle Kozaily.
In 13, we provide a geometric equivalent reformulation of a relatively old, yet unsolved, problem that originated in the optimization community: under which conditions on the $n\times n$ matrix $M$ , does the so called linear complementarity problem given by $wMz=q$, $w,z\ge 0$, and $w.z=0$, have a solution $(w,z)$ for all vectors $q\in {\mathbb{R}}^{n}$. If the latter property holds, the matrix $M$ is said to be a Qmatrix. We have shown that the existence of solutions amounts to a covering (not necessarily a partition) of the entire space by a set of finite cones defined by the involved vectors as well as the standard basis. We give a full characterization in dimension 3 by reducing the problem to several similar (and wellunderstood) problems on dimension 2.
8.4 Characterizing Positively Invariant Sets: Inductive and Topological Methods
Participants: Khalil Ghorbal.
In 8, we present two characterizations of positive invariance of sets for systems of ordinary differential equations. The first characterization uses inward sets which intuitively collect those points from which the flow evolves within the set for a short period of time, whereas the second characterization uses the notion of exit sets, which intuitively collect those points from which the flow immediately leaves the set. Our proofs emphasize the use of the real induction principle as a generic and unifying proof technique that captures the essence of the formal reasoning justifying our results and provides cleaner alternative proofs of known results. The two characterizations presented in this article, while essentially equivalent, lead to two rather different decision procedures (termed respectively LZZ and ESE) for checking whether a given semialgebraic set is positively invariant under the flow of a system of polynomial ordinary differential equations. The procedure LZZ improves upon the original work by Liu, Zhan and Zhao 72. The procedure ESE, introduced in this article, works by splitting the problem, in a principled way, into simpler subproblems that are easier to check, and is shown to exhibit substantially better performance compared to LZZ on problems featuring semialgebraic sets described by formulas with nontrivial Boolean structure.
9 Partnerships and cooperations
9.1 International research visitors
9.1.1 Visits of international scientists
Participants: Albert Benveniste, Íñigo Íncer Romeo.
Íñigo Íncer Romeo, PhD student at UC Berkeley (CA, USA), visited the Hycomes team from December 2021 until May 2022. His internship has been funded by a Chateaubriand grant of the French Consulate in San Francisco. During his stay, he worked with Albert Benveniste on topics related to Contractbased Design method and more particularly on Hypercontracts 10.
10 Dissemination
10.1 Promoting scientific activities
10.1.1 Scientific events: selection
Member of the conference program committees
 Khalil Ghorbal . PC Member. Hybrid Systems: Computation and Control (HSCC) 2022.
 Khalil Ghorbal . PC Member. International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS) 2023.
 Benoît Caillaud has served on the program committee of the FDL'22 conference (Forum on specification & Design Languages, Linz, Austria, September 2022).
Reviewer
 Benoît Caillaud has evaluated collaborative project proposals for the ANR (French national research funding agency).
 Benoît Caillaud has reviewed an application for the Caseau EDF / French Academy of Technologies Best PhD Award 2022.
 Benoît Caillaud has reviewed papers for the following conferences and workshops: TACAS’22, WODES’22.
10.1.2 Journal
Member of the editorial boards
 Benoît Caillaud has been appointed member of the editorial boards of the Cambridge University Press, Research Directions: CyberPhysical Systems and of the MDPI Computation journals.
Reviewer  reviewing activities
 Benoît Caillaud has reviewed a paper for the ACM TECS (Transactions on Embedded Computing Systems) journal.
 Khalil Ghorbal has reviewed a paper for the Journal of Automated Reasoning (JAR).
 Khalil Ghorbal has reviewed a paper for the Journal of Theoretical Computer Science (TCS).
10.2 Teaching  Supervision  Juries
10.2.1 Teaching
 Master : Khalil Ghorbal , Category Theory, Monads, and Computation, M2, (enseignant principal), 30h EqTD, ENS Rennes, France
 Agregation informatique : Khalil Ghorbal , oraux blancs et preparations de cours. 20h EqTD, ENS Rennes, France.
10.2.2 Supervision
 Maxime Bridoux is a 1st year PhD student (AEx Backbone) supervised by Khalil Ghorbal and Benoît Caillaud . He is currently working on effective data structures for storing and querying polynomials systems.
 Christelle Kozaily is a 4th/5th year PhD student, supervised by Khalil Ghorbal . She is currently writing her thesis. Christelle Kozaily worked on a particular class of hybrid systems known as linear complementarity systems and was primarily interested in the nonsmoothness of they underlying spaces (Section 8.3).
 Joan Thibault is a 3rd/4th year PhD student, supervised by Benoît Caillaud and Khalil Ghorbal . His research is on efficient and scalable datastructures for solving constraint systems and some optimization problems on them (Section 8.2), with applications in multimode DAE systems structural analysis (Section 8.1).
10.3 Popularization
Joan Thibault participated to MT180 (Ma these en 180s) in February 2022.
10.3.1 Internal or external Inria responsibilities
Khalil Ghorbal is the main organizer of 68NQRT, the seminar of the Language and Software Engineering department of the IRISA UMR (Rennes).
The programs of the previous years are available online (abstract, slides, and playbacks). For instance the program from October 2020 till June 2021 can be found here. The seminar's frequency (on average over the academic year) is twice a month.
11 Scientific production
11.1 Major publications
 1 articleBuilding a Hybrid Systems Modeler on Synchronous Languages Principles.Proceedings of the IEEE1069September 2018, 15681592
 2 articleNonstandard semantics of hybrid systems modelers.Journal of Computer and System Sciences783This work was supported by the SYNCHRONICS large scale initiative of INRIA2012, 877910
 3 articleThe mathematical foundations of physical systems modeling languages.Annual Reviews in Control502020, 72118
 4 articleContracts for System Design.Foundations and Trends in Electronic Design Automation12232018, 124400
 5 articleA Formally Verified Hybrid System for Safe Advisories in the NextGeneration Airborne Collision Avoidance System.International Journal on Software Tools for Technology Transfer196November 2017, 717741
 6 articleOperational Models for PiecewiseSmooth Systems.ACM Transactions on Embedded Computing Systems (TECS)165sOctober 2017, 185:1185:19
11.2 Publications of the year
International journals
 7 articleAlgorithms for the Structural Analysis of Multimode Modelica Models.Electronics1117September 2022, 163
 8 articleCharacterizing Positively Invariant Sets: Inductive and Topological Methods.Journal of Symbolic ComputationNovember 2022
Scientific book chapters
 9 inbookFrom Hybrid Automata to DAEBased Modeling.13660Principles of Systems DesignLecture Notes in Computer ScienceSpringer Nature SwitzerlandDecember 2022, 320
 10 inbookHypercontracts.13260NASA Formal MethodsLecture Notes in Computer ScienceSpringer International PublishingMay 2022, 674692
Reports & preprints
 11 reportExact Structural Analysis of Multimode Modelica Models: Towards the Generation of Correct Simulation Code.RR9459Inria Rennes  Bretagne AtlantiqueFebruary 2022, 146
 12 reportMixed NondeterministicProbabilistic Automata: Blending graphical probabilistic models with nondeterminism.RR9447Inria Rennes  Bretagne AtlantiqueJanuary 2022, 152
 13 miscOn Covering Smooth Manifolds with a Qarrangement of Simplicies: An inductive Characterization of Qmatrices.2022
 14 reportConstraint System Decomposition.RR9478Inria RennesJuly 2022, 168
11.3 Cited publications
 15 inproceedingsGame Models for Open Systems.Verification: Theory and Practice2772Lecture Notes in Computer ScienceSpringer2003, 269289
 16 inproceedingsInterface automata.Proc. of the 9th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE'01)ACM Press2001, 109120
 17 inproceedingsInterfacebased design.In Engineering Theories of Software Intensive Systems, proceedings of the Marktoberdorf Summer SchoolKluwer2004
 18 inproceedingsTimed Interfaces.Proc. of the 2nd International Workshop on Embedded Software (EMSOFT'02)2491Lecture Notes in Computer ScienceSpringer2002, 108122
 19 article20 Years of Modal and Mixed Specifications.Bulletin of European Association of Theoretical Computer Science1942008, URL: https://dblp.org/rec/journals/eatcs/AntonikHLNW08.bib
 20 bookPrinciples of Model Checking.MIT Press, Cambridge2008, URL: https://mitpress.mit.edu/9780262026499/principlesofmodelchecking/
 21 articleBuilding a Hybrid Systems Modeler on Synchronous Languages Principles.Proceedings of the IEEE1069September 2018, 15681592
 22 miscA TypeBased Analysis of Causality Loops In Hybrid Systems Modelers.Deliverable D3.1_1 v 1.0 of the Sys2soft collaborative project ''Physics Aware Software''December 2013
 23 miscSemantics of multimode DAE systems.Deliverable D.4.1.1 of the ITEA2 Modrio collaborative projectAugust 2013
 24 incollectionMultiMode DAE Models  Challenges, Theory and Implementation.Computing and Software Science: State of the Art and Perspectives10000Lecture Notes in Computer ScienceSpringerOctober 2019, 283310
 25 inproceedingsStructural Analysis of MultiMode DAE Systems.Proceedings of the 20th International Conference on Hybrid Systems: Computation and Control, HSCC 2017Pittsburgh, PA, United StatesApril 2017
 26 inproceedingsMultiple Viewpoint ContractBased Specification and Design.Proceedings of the Software Technology Concertation on Formal Methods for Components and Objects (FMCO'07)5382Revised Lectures, Lecture Notes in Computer ScienceAmsterdam, The NetherlandsSpringerOctober 2008
 27 inproceedingsCompileTime Impulse Analysis in Modelica.MODELICA 2021  14th International Modelica ConferenceLinköping, SwedenSeptember 2021, 111
 28 inproceedingsHandling Multimode Models and Mode Changes in Modelica.Modelica 2021  14th International Modelica ConferenceLinköping, SwedenSeptember 2021, 111
 29 techreportStructural Analysis of Multimode DAE Systems: summary of results.RR9387Inria Rennes  Bretagne AtlantiqueJanuary 2021, 27
 30 articleThe mathematical foundations of physical systems modeling languages.Annual Reviews in Control502020, 72118
 31 inproceedingsA typebased analysis of causality loops in hybrid modelers.HSCC '14: International Conference on Hybrid Systems: Computation and ControlProceedings of the 17th international conference on Hybrid systems: computation and control (HSCC '14)Berlin, GermanyACM PressApril 2014, 13
 32 inproceedingsA Compositional Approach on Modal Specifications for Timed Systems..11th International Conference on Formal Engineering Methods (ICFEM'09)5885LNCSRio de Janeiro, BrazilSpringerDecember 2009, 679697
 33 articleModal eventclock specifications for timed componentbased design.Science of Computer Programming772012, 12121234
 34 inproceedingsRefinement and Consistency of Timed Modal Specifications..3rd International Conference on Language and Automata Theory and Applications (LATA'09)5457LNCSTarragona, SpainSpringerApril 2009, 152163
 35 inproceedingsA proposal for realtime interfaces in SPEEDS.Design, Automation and Test in Europe (DATE'10)IEEE2010, 441446
 36 articleModelling of Complex Systems: Systems as Dataflow Machines.Fundamenta Informaticae9122009, 251274
 37 phdthesisUn cadre formel pour l'étude des systèmes industriels complexes: un exemple basé sur l'infrastructure de l'UMTS.Ecole Polytechnique2006
 38 articleGraphical versus logical specifications.Theoretical Computer Science10611992, 320URL: https://www.sciencedirect.com/science/article/pii/030439759290276L
 39 articleGraphBased Algorithms for Boolean Function Manipulation.IEEE Trans. Comput.358August 1986, 677691URL: http://dx.doi.org/10.1109/TC.1986.1676819
 40 inproceedingsCompositional design methodology with constraint Markov chains.QEST 2010Williamsburg, Virginia, United StatesSeptember 2010, URL: http://hal.inria.fr/inria00591578/en
 41 articleConstraint Markov Chains.Theoretical Computer Science41234May 2011, 43734404URL: http://hal.inria.fr/hal00654003/en
 42 inproceedingsA Reduced Index ModeIndependent Structure Model Transformation for Multimode Modelica Models.MODELICA 2021  14th International Modelica ConferenceLinköping, SwedenSeptember 2021, 111
 43 miscDemo: IsamDAE, an Implicit Structural Analysis Tool for Multimode DAE Systems.PosterApril 2020, 1
 44 inproceedingsImplicit structural analysis of multimode DAE systems.HSCC 2020  23rd ACM International Conference on Hybrid Systems: Computation and ControlSydney New South Wales Australia, FranceACMApril 2020, 111
 45 articleThe index of general nonlinear DAEs.Numerische Mathematik722dec 1995, 173196URL: http://dx.doi.org/10.1007/s002110050165
 46 phdthesisA Framework for Compositional Design and Analysis of Systems.EECS Department, University of California, BerkeleyDec 2007, URL: http://www.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS2007174.html
 47 inproceedingsResource Interfaces.Embedded Software, Third International Conference, EMSOFT 2003, Philadelphia, PA, USA, October 1315, 2003, Proceedings2855Lecture Notes in Computer ScienceSpringer2003, 117133
 48 inproceedingsCharacterization of Temporal Property Classes.ICALP623Lecture Notes in Computer ScienceSpringer1992, 474486
 49 articleChordal Networks of Polynomial Ideals.SIAM J. Appl. Algebra Geom.112017, 73110URL: https://doi.org/10.1137/16M106995X
 50 bookModel Checking.MIT Press1999, URL: https://mitpress.mit.edu/9780262038836/modelchecking/
 51 articlePartial Cylindrical Algebraic Decomposition for Quantifier Elimination.J. Symb. Comput.1231991, 299328
 52 bookN. J.N. J. CutlandNonstandard analysis and its applications.Cambridge Univ. Press1988
 53 inproceedingsECDAR: An Environment for Compositional Design and Analysis of Real Time Systems.Automated Technology for Verification and Analysis  8th International Symposium, ATVA 2010, Singapore, September 2124, 2010. Proceedings2010, 365370
 54 inproceedingsTimed I/O automata: a complete specification theory for realtime systems.Proceedings of the 13th ACM International Conference on Hybrid Systems: Computation and Control, HSCC 2010, Stockholm, Sweden, April 1215, 20102010, 91100
 55 inproceedingsAbstract Probabilistic Automata.Verification, Model Checking, and Abstract Interpretation  12th International Conference, VMCAI 2011, Austin, TX, USA, January 2325, 2011. Proceedings6538Lecture Notes in Computer Science2011, 324339
 56 bookAnalyse non standard.Hermann1989, URL: https://www.editionshermann.fr/livre/analysenonstandardfrancinediener
 57 bookTrace Theory for Automatic Hierarchical Verification of SpeedIndependent Circuits.ACM Distinguished DissertationsMIT Press1989
 58 articleTheoretical improvements in algorithmic efficiency for network flow problems.Journal of the ACM1921972, 248264URL: http://dx.doi.org/10.1145/321694.321699
 59 inproceedingsState Machines in Modelica.Proc. of the Int. Modelica ConferenceModelica AssociationMunich, Germany09 2012, 3746
 60 inproceedingsModelica extensions for MultiMode DAE Systems.Proceedings of the 10th International Modelica Conference, March 1012, 2014, Lund, SwedenLinköping University Electronic Pressmar 2014
 61 inproceedingsModiadynamic modeling and simulation with julia.Juliacon'18University College London, UKAugust 2018, URL: https://elib.dlr.de/124133/
 62 inproceedingsSurvey of industrial applications of embedded model predictive control.2016 European Control Conference (ECC)2016, 601601
 63 inproceedingsA new approach to the maximum flow problem.Proceedings of the eighteenth annual ACM symposium on Theory of computing (STOC'86)1986, URL: http://dx.doi.org/10.1145/12130.12144
 64 miscIEEE Standard VHDL Analog and MixedSignal Extensions, Std 1076.11999.1999, URL: http://dx.doi.org/10.1109/IEEESTD.1999.90578
 65 inproceedingsModeling Time in Hybrid Systems: How Fast Is ``Instantaneous''?IJCAI1995, 17731781URL: https://www.ijcai.org/Proceedings/952/Papers/097.pdf
 66 inproceedingsFormal verification of ACAS X, an industrial airborne collision avoidance system.2015 International Conference on Embedded Software, EMSOFT 2015, Amsterdam, Netherlands, October 49, 2015Amsterdam, NetherlandsIEEE2015, 127136
 67 phdthesisPrincipe de transduction sémantique pour l'application de théories d'interfaces sur des documents de spécification.Université Rennes 1 ; Rennes 1April 2021
 68 articleProving the Correctness of Multiprocess Programs.IEEE Trans. Software Eng.321977, 125143
 69 inproceedingsOn Modal Refinement and Consistency.Proc. of the 18th International Conference on Concurrency Theory (CONCUR'07)Springer2007, 105119
 70 inproceedingsA Modal Process Logic.Proceedings of the Third Annual Symposium on Logic in Computer Science (LICS'88)IEEE1988, 203210
 71 incollectionAn Invitation to Nonstandard Analysis.Nonstandard Analysis and its ApplicationsCambridge Univ. Press1988, 1105
 72 inproceedingsComputing semialgebraic invariants for polynomial dynamical systems.Proceedings of the 11th International Conference on Embedded Software, EMSOFT 2011, part of the Seventh Embedded Systems Week, ESWeek 2011, Taipei, Taiwan, October 914, 2011ACM2011, 97106URL: https://doi.org/10.1145/2038642.2038659
 73 articleAn introduction to factor graphs.IEEE Signal Processing Magazine2112004, 2841
 74 inproceedingsInput/Output Automata: Basic, Timed, Hybrid, Probabilistic and Dynamic.CONCUR 2003  Concurrency Theory, 14th International Conference, Marseille, France, September 35, 2003, Proceedings2761Lecture Notes in Computer ScienceSpringer2003, 187188
 75 articleA Proof of the Kahn Principle for Input/Output Automata.Inf. Comput.8211989, 8192
 76 bookTemporal verification of reactive systems: Safety.Springer1995
 77 articleApplying "Design by Contract".Computer2510October 1992, 4051URL: http://dx.doi.org/10.1109/2.161279
 78 articleMethodology for the Design of Analog Integrated Interfaces Using Contracts.IEEE Sensors Journal1212Dec. 2012, 33293345
 79 articleThe consistent initialization of differentialalgebraic systems.SIAM J. Sci. Stat. Comput.921988, 213231
 80 articleA Simple Structural Analysis Method for DAEs.BIT Numerical Mathematics412March 2001, 364394URL: http://dx.doi.org/10.1023/a:1021998624799
 81 articleA Modal Interface Theory for Componentbased Design.Fundamenta Informaticae108122011, 119149URL: http://hal.inria.fr/inria00554283/en
 82 bookNonStandard Analysis.Princeton Landmarks in Mathematics1996, URL: https://press.princeton.edu/books/paperback/9780691044903/nonstandardanalysis
 83 articleIndustry needs and research directions in requirements engineering for embedded systems.Requirements Engineering172012, 5778URL: http://link.springer.com/article/10.1007/s007660110144x
 84 inproceedingsThe Ritt–Kolchin theory for differential polynomials.Differential Algebra and Related Topics2002, 170
 85 articlePositiveinstance driven dynamic programming for treewidth.J. Comb. Optim.3742019, 12831311
 86 articleLeveraging Structural Analysis for Quantified Boolean Formulae.Summer School on Modelling and Verification of Parallel Processes, Grenoble, France6http://khalilghorbal.info/assets/pdf/papers/RBTF_movep.pdf2020