Modeling and Simulating Cyber-Physical Systems

using CyPhySim

Edward A. Lee Mehrdad Niknami

EECS Department EECS Department
UC Berkeley UC Berkeley
Berkeley, CA, USA Berkeley, CA, USA
[email protected] [email protected]
Thierry S. Nouidui Michael Wetter
Lawrence Berkeley Lawrence Berkeley
National Laboratory National Laboratory
Berkeley, CA, USA Berkeley, CA, USA
[email protected] [email protected]

ABSTRACT Section 4, we explain how to use modal models to construct

This paper describes an open-source simulator for cyber- hybrid systems. In Section 5, we switch to discrete-event
physical systems called CyPhySim that is based on Ptolemy models, and introduce the notion of smooth tokens, which
II. This simulator supports classical (Runge-Kutta) and permit modeling continuous dynamics using discrete events.
quantized-state simulation of ordinary differential equations, Section 6 leverages this discrete-event approach to show that
modal models (hybrid systems), discrete-event models, the quantized-state solvers can be very effective for certain kinds
Functional Mockup Interface (FMI) for model-exchange and of continuous dynamics and particularly for cyber-physical
co-simulation, discrete-time (periodic) systems, and alge- dynamics where digital controllers affect an analog physi-
braic loop solvers. CyPhySim provides a graphical editor, cal plant. Section 7 shows how algebraic loop solvers can
an XML file syntax for models, and an open API for pro- be cleanly mixed with the other types of solvers described
grammatic construction of models. It includes an innovation here. Section 8 concludes with a summary of other issues
called smooth tokens, which allow for a blend of numerical not covered and open issues.
and symbolic computation, and for certain kinds of system
models, dramatically reducing the computation required for 2. CONTINUOUS DYNAMICS
simulation.
To model the physical side of cyber-physical systems, we
need to represent dynamics, the evolution of the state of
Categories and Subject Descriptors a system in time. Continuous-time dynamics is typically
I.6 [Simulation and Modeling]: General modeled using ordinary differential equations (ODEs)
or differential algebraic equations (DAEs).
An example of a nontrivial nonlinear continuous dynamics
1. INTRODUCTION given by a system of ODEs is the well-known Lorenz attrac-
The heterogeneity of cyber-physical systems presents con- tor, a chaotic system defined by the following equations,
siderable challenges to software simulation techniques. Cy-
PhySim is a new open-source software simulator (BSD li- x1 (t) = (x2 (t) x1 (t)),
cense) that supports the most promising combination of x2 (t) = ( x3 (t))x1 (t) x2 (t),
technologies. The core of the system is a discrete-event sim-
x3 (t) = x1 (t)x2 (t) bx3 (t),
ulation engine, continuous-time solvers, and state machine
modeling infrastrcture from the open source Ptolemy II sys- with given initial conditions x(t0 ) = x0 and t [t0 , ).
tem [23]. A Ptolemy II implementation of this system is shown in
The paper begins in Section 2 with an analysis of the com- Figure 1, in this case constructed graphically using the Vergil
putational aspects of modeling continuous dynamics using graphical editor for Ptolemy II models. A plot produced by
numerical solvers. In Section 3, we review models of time a simulation is shown in Figure 2. Note that this is a
that are well suited to modeling cyber-physical systems. In chaotic system, so arbitrarily small perturbations can yield
This work was supported in part by the iCyPhy Research arbitrarily large consequences.
Center (Industrial Cyber-Physical Systems, supported by In this paper, we are most interested in how to model
IBM and United Technologies), by the Assistant Secretary such continuous dynamics in combination with discrete phe-
for Energy Efficiency and Renewable Energy, Office of Build- nomena such as digital controls, abrupt mode changes, and
ing Technologies of the U.S. Department of Energy, under sampling. Moreover, we are interested in the computational
Contract No. DE-AC02-05CH11231, and by the Center for aspects of the model. Even though the model refers to con-
Hybrid and Embedded Software Systems (CHESS) at UC
Berkeley (supported by the National Science Foundation, tinuous dynamics, where both time and values exist in a
#1446619 (Mathematical Theory of CPS) and the following continuum, the model is a computational artifact. It is
companies: Denso, National Instruments, and Toyota. executable on a computer, and hence has an intrinsically

Proc. of EMSOFT 15 Oct 4-9, 2015, Amsterdam

 Figure 3: Integrator in Ptolemy II.

instead of an integral as
d
x(t) = x(t),
dt
where x is the input signal and x is the output. (The rela-
tionship between these representations is the fundamental
theorem of calculus.)
Note that x(t) does not depend on the value of x at time
t. This is a key causality property of the actor, and it
ensures that the feedback loops of Figure 1 are construc-
tive [11]. At each time t, there is no cyclic dependency in
a feedback loop. The values of the signals at time t can be
determined without knowing the inputs to the integrators at
time t. Once these are known, the inputs to the integrators
at time t become known. But these inputs will only affect
Figure 1: Graphical model of the Lorenz attractor. future outputs of the integrators. This is an example of a
computational property of these models.
Computers perform discrete calculations. How can they
integrate a continuous-time signal? Numeric integration
discrete semantics. Let us begin with a careful examination
techniques include implicit methods (e.g. backward Eu-
of the most primitive element in such models, the integrator.
ler, which computes x(tk+1 ) = x(tk ) + x(tk+1 ) (tk+1 tk ))
and explicit methods (e.g. forward Euler, which com-
2.1 Integrators putes x(tk+1 ) = x(tk ) + x(tk ) (tk+1 tk )). Implicit methods
The Integrator actors in Figure 1 have a derivative input sacrifice the causality property, requiring that at time t, the
and a state output, as shown in Figure 3. At time t, the input x(t) be known in order to determine the output x(t).
state output is Implicit methods, therefore, change the causality properties
of fundamental calculus, and create causality loops when
Z t
x(t) = x0 + x( )d, used in feedback systems. Causality loops can also arise
t0 when models are given by DAEs rather than ODEs. We
will say more about this below, but for now, we assume that
where x0 is the initialState, a parameter of the actor, t0 is only explicit solvers will be used.
the start time of the model execution, and x is the deriva- An ordinary differential equation (ODE) can be writ-
tive input. Note that this can be written using a derivative ten as
x(t) = f (x(t), u(t), t), (1)
Strange Attractor where x is the state variable (or vector), u is the input,
25 t is time, and f is a function giving the derivative in terms
20
of the state, the input, and the time. If x and u are scalars,
f has the form f : R3 R. Given an initial condition
15
x0 = x(t0 ), this is equivalent to
10 Z t Z t
5 x(t) = x0 + x( )d = f (x( ), u( ), )d.
t0 t0
x2

0
The general structure of such a system is shown in Figure 4.
-5

-10
2.2 Classical ODE Solvers
-15
Under certain circumstances, the value of a continuous
-20
signal at a future time t + h can be given by a Taylor se-
ries, which expresses that value in terms of the value and
-15 -10 -5 0 5 10 15
x1 derivatives at the current time t,
h2
Figure 2: Plot of signals for the Lorenz attractor. x(t + h) = x(t) + hx(t) + x(t) +
2!
 solution provides a semantic benchmark against which any
numerical solver can be evaluated for accuracy. This seman-
tic benchmark is called the ideal solver semantics in [15].
This is the third example of computational property. Just as
it is useful to have a theory of real numbers against which to
evaluate the accuracy of floating-point numbers, it is useful
to have an ideal solver semantics against which to evaluate
the accuracy of numerical solvers.

Figure 4: Pattern of ODE problems. 2.3 Differential Algebraic Equations

A more general form of differential equations imposes al-
gebraic constraints as
The function f in (1) is said to be analytic at t if all the
derivatives exist (the function is smooth), and this sum x(t) = f (x(t), u(t), y(t), t),
converges to x in some neighborhood of t. I.e., there exists 0 = g(x(t), y(t), t),
a > 0 s.t. the Taylor series converges to x(t + h) for all h
where x(t) Rn , u(t) Rm , and y(t) Rk for some
in (, ).
n, m, k 1. These are supported by Bond graphs [22],
Various classical ODE solvers are based on truncating
Modelica [25], and SPICE [20]. The two equations have
and approximating this series. If the series converges, the
cycles, in that x depends on y and vice versa, but these cycles
terms become small quickly, enabling accurate approxima-
do not automatically lead to causality loops. In particular,
tions with a finite summations, and also enabling estimating
given a system of DAEs, a Modelica compiler will attempt to
the local approximation error (i.e., for the current time step)
remove apparent causality loops through a process known as
by examining the terms just beyond the truncation. Such
index-order reduction, using for example the Pantelides
local error estimates can be used to design variable step
algorithm [21]. When this process is successful, the model
solvers, which adjust the time offset h to keep the error suit-
becomes an ODE. CyPhySim currently requires ODEs for
ably small.
modeling continuous dynamics. The conversion from DAEs
CyPhySim provides by default classical Runge-Kutta
to ODEs is not automatic, as it is in Modelica, but we be-
(RK) solvers, which are widely used variable-step-size ex-
lieve that open source Modelica compilers such as JModelica
plicit solvers [6]. RK solvers improve the accuracy in part
can be leveraged sometime in the future.
by evaluating the function f at multiple points in time be-
tween t and t + h. Upon completing the calculation, these
solvers estimate the error, and if it is too high, reject the 3. MODEL OF TIME
step size h and redo the step with a smaller step size. In For models that mix discrete and continuous behaviors, it
an executable model, of course, the function f is realized is well established that the model of time that is used must
by software. RK solvers require being able to speculatively support sequences of causally-related instantaneous events
evaluate f at various times in the model without commit- [11, 3]. CyPhySim uses a superdense time model [16,
ting to a step size. Hence, the software implementation of 13]. In this model, a time stamp is a pair (t, n), where
the function f must either be free of side effects (evaluating model time t is a digital approximation to a real number,
it does not change any state), or the software must support and the microstep (or index) n N is a non-negative
rolling back to a previously stored state in order to redo integer. Two time stamps (t1 , n1 ) and (t2 , n2 ) are weakly
the step. Such rollback is also generally required when the simultaneous it t1 = t2 and strongly simultaneous if
model must respond to unpredictable events such as a zero t1 = t2 and n1 = n2 .
crossing of a continuous signal. This is another example of For the real number t, CyPhySim uses a representation
a computational property of models. that has a fixed precision valid throughout a model (the
In Simulink and Ptolemy II, actors are realized using two precision is a parameter of the model). Unlike floating point
distinct procedures, one that calculates outputs based on numbers, addition of times is associative, and the precision
inputs but has no side effects (called mdl_output in Simulink does not vary with the magnitude of the number. For details,
and fire in Ptolemy), and another that updates the state of see [23].
the actor based on the inputs (called mdl_update in Simulink One key benefit of the superdense model of time is that
and postfire in Ptolemy). FMI for model exchange [19] it enables better semantics for discontinuous signals. One
provides a function fmi2CompletedIntegratorStep that can mechanism that is widely used to model discontinuities in
serve the same role as mdl_update and postfire. otherwise continuous dynamics relies on generalized func-
In principle, the external input u of Figure 4 can be ab- tions like the Dirac delta function, a function : R R+
sorbed into the definition of the function f , in which case given by
the problem reduces to an initial value problem, which is
t R, t 6= 0, (t) = 0, and
to find a function x satisfying
Z
x(t) = f 0 (x(t), t), x(t0 ) = x0 ( )d = 1.

0
over some interval t [t0 , t0 + ], where f (x(t), t) =
That is, the signal value is zero everywhere except at t = 0,
f (x(t), u(t), t). If f is Lipschitz continuous in its first ar-
but its integral is unity. Suppose a signal w has a Dirac
gument and continuous in the second, then the Picard-
delta function with weight K occurring at t1 as follows,
Lindelof theorem states that there exists an  > 0 such
that there is a unique solution to this problem. This unique w(t) = w1 (t) + K(t t1 ), (2)
 Position of The Ball
10

position
0

-5

0 2 4 6 8 10 12 14
time

x10 -5 Position of The Ball

Figure 5: Newtonian model of a mass with impulsive 4

forces. 2

position
0

-2
-4
-6
-8
12.820 12.825 12.830 12.835 12.840
time

Figure 7: Bouncing ball position vs. time.

an impulsive force to reverse the direction of the ball upon

collision with a surface. Such a model is shown in Figure 6.
Here, a LevelCrossingDetector actor detects a falling zero
crossing, which then triggers a calculation of an impulsive
force that is fed back to the impulsive force input of the ball
Figure 6: Model of a bouncing ball. model. To prevent a causality loop, a MicrostepDelay actor
is inserted into the feedback loop. This is valid because no
(real) time elapses between the detection of the zero crossing
where w1 is an ordinary continuous-time signal. Then and application of the impulsive force.
Z t ( Rt As we have already mentioned, detecting level crossings
w ( )d
R 1
t < t1 of continuous signals is semantically problematic. Compu-
w( )d = t
K + w1 ( )d t t1 tational models cannot directly deal with either time or
space continuums. Level-crossing detection ultimately de-
The Dirac delta causes an instantaneous increment in the pends on numerical approximations to real numbers. It can
integral by K at time t = t1 . For an integrator, at time t, only be done up to some precision. In this particular imple-
the state output is mentation, a level-crossing is asserted when the signal value
Z t matches or passes the level, and if it passes the level, it is
x(t) = x0 + x( )d. still within a specified tolerance of the level. Figure 7 shows
t0 that this policy inevitably results in the ball traversing the
Suppose that x = w, given in (2). The integrator, Figure 3, surface in such a way that when the bounce occurs, the im-
has an impulse input to provide the Dirac impulse at time t1 . pulsive force is insufficient to cause the ball to rise above the
At time t1 , the effect of the impulse is to add immediately to surface again. This results in the ball tunneling through the
x(t). The output at time t depends on the impulse input at surface.
time t, but not on the derivative input. This explains why One could, of course, solve this problem with much more
the CyPhySim Integrator provides two distinct input ports, detailed modeling of the physics. Collisions between rigid
impulse and derivative. It is imperative that the impulsive objects, for example, involve localized plastic deformation,
input be segregated from the derivative input because the viscous damping in the material, and acoustic wave propa-
causality properties of these inputs are different. gation. Much experimental and theoretical work has been
Consider for example modeling a physical object, such as done to refine models of such phenomena, leading to consid-
a billiard ball, subject to Newtonian mechanics, F = ma, erable insight into the underlying physical phenomena. Such
but also subject to collisions. Collisions can be (and should detailed modeling rarely helps in developing insight about
be, for most purposes [11]) modeled using impulsive forces, macroscopic system behavior, however [11]. A better ap-
specifically the Dirac delta function. A model constructed proach is to recognize that every model is valid only within
in CyPhySim of such a physical object is shown in Figure some circumscribed regime of operation, and that outside
5. The output v depends immediately on the input Fi , if it that regime, it is inappropriate to use that model. When
is present. Subtle issues that arise when modeling discrete the height of the bounce is small, the model of Figure 6 is
phenomena such as collisions this way are considered in [11]. invalid, and we should switch to a new model. Such switch-
To illustrate the use of such impulsive forces, consider ing is described below in Section 4.
the classic bouncing ball problem, which models a ball in
free fall (using Figure 5), a level-crossing detector, and
3.1 Piecewise Continuity
So that we can leverage standard, well-understood numer-
ical integration methods, we require signals to be piecewise-
continuous in a specific technical sense. Consider a real-
valued superdense-time signal x : R N R. At each real-
time t R, we require that x(t, n) settle to a final value and
stay there. Specifically, we require that for all t R, there
exist an m N such that
n > m, x(t, n) = x(t, m). (3)
A violation of this constraint is called a chattering Zeno
condition. The value of the signal changes infinitely often at
a time t. Such conditions would prevent an execution from
progressing beyond real time t, assuming the execution is
constrained to produce all values in chronological order.
Assuming x has no chattering Zeno condition, then there
is a least value of m satisfying (3). We call this value of m
the final microstep and x(t, m) the final value of x at t.
We call x(t, 0) the initial value at time t. If m = 0, then x Figure 8: Structure of a modal model.
has only one value at time t.
Define the initial value function xi : R R by
4. MODAL MODELS
t R, xi (t) = x(t, 0).
CyPhySim imports the modal models of Ptolemy II [12],
Define the final value function xf : R R by which provide hierarchical combinations of state machines
and continuous and discrete event (DE) subsystems. This
t R, xf (t) = x(t, mt ),
combination supports hybrid system modeling with rigorous
where mt is the final microstep at time t. Note that xi and deterministic semantics [13]. Modal models can generally be
xf are conventional continuous-time functions. A piece- used to solve the problem that every model is invalid outside
wise continuous signal is defined to be a function x of the some regime of operation. Typically, the simpler the model,
form x : R N R with no chattering Zeno conditions that the smaller the regime. Keeping models simple has much
satisfies three requirements: value, however, so we are incentivized to build models for
more regimes.
1. the initial value function xi is continuous on the left The schematic structure of a modal model is shown in
at all t R; Figure 8. A top-level actor, labeled ModalModel, is a com-
2. the final value function xf is continuous on the right ponent with inputs and outputs. Inside, it contains a state
at all t R; and machine, shown here with two states, with guarded transi-
tions between the states. Each state represents a mode of
3. x has only one value at all t R\D, where D is a operation. The model for each mode is given as a refinement
discrete subset of R. of the states. When the state machine is in mode1, for ex-
ample, then the behavior of the top-level actor is given by
The last requirement is a subtle one that deserves further the refinement of mode1. Each refinement has its own di-
discussion. First, the notation R\D refers to a set that con- rector, implying that its internal model of computation can
tains all elements of the set R except those in the set D. D be different from that of its environment.
is constrained to be a discrete set, defined to be one where A solution to the tunneling phenomenon of the bouncing
there exists an order embedding f : D N, where N is the ball problem is shown in Figure 9. Here, a much simpler
set of natural numbers.1 Intuitively, D is a set of time values model of the ball is used when the velocity and position of
that can be counted in temporal order. It is easy to see that the ball are both close to zero. Specifically, the mode re-
if D = (the empty set), then xi = xf , and both xi and xf finement for the sitting mode simply shows the ball standing
are continuous functions. Otherwise each of these functions still. The guards on the state machine transition govern the
is piecewise continuous. switching between modes.
Such piecewise-continuous signals coexist nicely with stan-
dard ODE solvers. At the time of a discontinuity or discrete
event, the final value signal provides the initial boundary 5. DISCRETE-EVENT SIMULATION
condition for the solver. The solver then works with an In the style of discrete-event (DE) modeling realized in
ordinary continuous signal until the time of the next discon- CyPhySim, a model is a network of actors with input and
tinuity or discrete event, and the solver provides the initial output ports. The actors send each other time-stamped
value of the signal at the time of that next event. events, and the simulation processes these events in time
Carsdoso et al. [4] give techniques for constructing mod- stamp order. This style of DE is widely used for simulation
els that produce only piecewise-continuous signals. For our of large, complex systems [5, 27, 7]. CyPhySim builds on
purposes here, it is sufficient to note that modal models, as the particular implementation in Ptolemy II, which has a
defined below, always produce piecewise-continuous signals. sound, deterministic semantics [10, 17].
1
An order embedding is a one-to-one monotonic f : X
Y , for partially ordered sets X, Y .
 example, if a signal is piecewise smooth instead of every-
where smooth, then at the point in time where it is not
smooth, a new smooth token will need to be conveyed, as
shown in Figure 10.
Note that if two smooth tokens are added or subtracted,
then the derivatives also add or subtract. If the times of the
two tokens that are added or subtracted are not the same,
then the one with the lesser time is extrapolated to the larger
time, and the result will be the sum at the later time.
If a smooth token is multiplied by a smooth token, then
the product rule of calculus is used to determine the deriva-
tives of the product. The product rule stipulates that
(xy)0 = x0 y + xy 0 . (4)
Again, if the times of the two tokens are not equal, then the
one with the lesser time will be extrapolated to the larger
time before being multiplied, and the time of the result will
be the larger time.
Division works similarly:
(x/y)0 = x0 /y + x(1/y)0 = x0 /y xy 0 /y 2 (5)
where the last equality follows from the reciprocal rule of
Figure 9: Modal model for the bouncing ball. calculus. The second derivative of a multiplication or di-
vision is obtained by applying the above rules to x and y
rather than to x and y. Higher-order derivatives are similarly
5.1 Smooth Tokens obtained.
A key innovation in CyPhySim is the introduction of a You can construct an instance of this token in the Ptolemy
smooth token, which is a discrete event that represents a expression language using the smoothToken(double, dou-
change in a continuous signal. A smooth token is a time- ble, {double}) function, as illustrated in Figure 10. The
stamped event that has a real value (approximated as a dou- first argument specifies the value, and the second argument
ble) that represents the current sample of a smooth signal. specifies the time, and the third specifies the derivatives.
But in addition to the sample value, the smooth token con- In a practical implementation, instances of smooth token
tains zero or more derivatives, representing the value of a will need to be truncated to have no more than some number
function of time at a particular time. N of derivatives. In our CyPhySim realization, this defaults
In mathematical analysis, smoothness has to do with how to N = 3.
many derivatives a function possesses. A smooth function is
one that has derivatives of all orders everywhere in its do- 6. QUANTIZED-STATE SYSTEMS
main. A smooth token represents a sample of a function at a A relatively recent development in numerical simulation of
point in time together with some finite number of derivatives ordinary differential equations is the emergence of so-called
of the function at that same point. quantized-state systems (QSS) [26, 9, 6, 8, 1]. In a classi-
This token will be treated exactly like a real value by any cal ODE simulator, a step-size control algorithm determines
actor or operation that does not specifically support it, and sample times, and a sample value is computed at those times
it is represented in the Ptolemy II type system as a double. for all states in the model. In a QSS simulator, each state
But it can (potentially) carry additional information giving has its own sample times, and samples are processed using a
one or more derivatives of the function from which it is a DE simulation engine in time-stamp order. The sample time
sample and giving the time at which it represents a sample of each state is determined by quantizing the value of each
of the signal. This token, therefore, gives a way for actors state and producing samples only when the value changes
that either generate or use this derivative information to by a pre-determined tolerance, called the quantum. Higher-
make that information available to other actors that can order variants incorporate knowledge of higher-order deriva-
use it. tives of a state to predict trajectories and produce samples
An illustration of the implications is shown in Figure 10, only when these higher order prediction differs by more than
where a signal on the left, x is piecewise constant as follows, the quantum [18]. For some systems, QSS yields efficient

1 0t<2 simulation by producing samples only when predicted state
x(t) = trajectories exceed the quantum. Moreover, state events can
1 2 t < 4
be scheduled using an explicit equation, avoiding iteration
Upon integrating this signal, we get the signal in the middle, in time.
which again can be represented by just two smooth tokens.
Upon integrating the middle signal, we get the signal on the 6.1 QSS Integrator
right. Inputs to the QSS integrator are discrete events that in-
When a signal is actually smooth over some interval, use dicate significant changes in the input signal, and output
of a smooth token makes it unnecessary to convey additional events indicate significant changes in the output signal. The
samples until something changes so that the extrapolation value of the input signal is the derivative of the output.
implied by a Taylor series expansion is no longer valid. For Here, for the integrator output, significant means that the
 x q, x, y r, y
smoothToken(2, 2, {2, -1})
4 4 4

3 3 3

smoothToken(2, 2, {-1})
2 2 2

smoothToken(1, 0, {0})
1 1 1

2
0 t 0 t 0 t
1 3 4 1 2 3 4 1 2 3 4

1 1 1
smoothToken(1, 2, {0}) smoothToken(0, 0, {1}) smoothToken(0, 0, {0, 1})

Figure 10: Illustration of smooth tokens representing piecewise-constant, -affine, and -quadratic signals.

signal has changed by more than the specified quantum, as Hence, the next quantization happens at = t0 +
p
defined by the selected solver, explained in detail below. 2 q/|u(t0 )|, at which time an output will be produced, un-
Three types of solvers are provided: less the function u changes earlier.
For QSS3, a quantization event occurs when a piecewise
1. QSS1: Input u is assumed to be piecewise constant.
quadratic approximation of the state trajectory deviates
2. QSS2: Input u is assumed to be piecewise affine. from a piecewise cubic approximation by the quantum.
When an output is produced, its value will be the current
3. QSS3: Input u is assumed to be piecewise quadratic. state of the integrator. In addition, it may contain derivative
An input event can be a smooth token, which carries not information. For QSS1, the input is semantically piecewise
only a value, but also zero or more derivatives of the input constant, so the output is piecewise affine; hence each out-
signal at that time. To provide a piecewise affine input to a put event will be a smooth token that is piecewise affine,
QSS2 integrator, for example, you can specify an input with with a first derivative equal to the most recently received
the expression smoothToken(2, 0, {1}), which specifies a input value (see Section 6.4 below for an elaboration of this
value of 2 at time 0 with a first derivative of 1. All other behavior). For QSS2, the output will have a first and second
derivatives are assumed to be zero. A QSS1 integrator will derivative obtained from the input. For QSS3, the output
ignore all derivatives on the input. A QSS2 integrator will will have first, second, and third derivatives.
ignore all but the first derivative on the input. A QSS3
integrator will ignore all but the first and second derivatives 6.2 Quantums
on the input. The frequency with which the output q of this integrator
The integrator produces an output whenever a quantiza- is produced depends on the solver choice and the absolute-
tion event occurs. For QSS1, a quantization event occurs Quantum and relativeQuantum parameter values. These
when the state of the integrator changes by the quantum determine when a quantization event occurs, as explained
(see below for an explanation of the quantum). For exam- above. The quantum is equal to the larger of absolute-
ple, if the input is a constant 1 and the quantum is 0.1, then Quantum and the product of relativeQuantum and the cur-
an output will be produced every 0.1 seconds, because the rent state value. The simplest case is where the solver is
input specifies that the state has slope 1, so it will increase QSS1 and relativeQuantum is zero. In this case, a quantiza-
by the quantum every 0.1 seconds. tion event occurs whenever the integral of the input signal
For QSS2, a quantization event occurs when a piecewise changes by the absoluteQuantum. For QSS1, the input is
linear approximation of the state trajectory deviates from assumed to be piecewise constant. If the input is a smooth
a piecewise quadratic approximation by the quantum. For token, the derivatives of the input are ignored.
example, suppose we have t = t0 , input u(t), current state When an impulse input is received, the value of that event
x(t0 ) and quantum q > 0, for some q R. Then, the piece- is added to the current state of this integrator (any deriva-
wise linear approximation to the state trajectory is tives provided on the impulse input are ignored). Then an
output event is produced and the integrator is reinitialized
l(t) = x(t0 ) + x(t0 ) (t t0 ) (6) so that the next output quantum is relative to the new state
on t [t0 , ] for some, yet to be determined , whereas the value.
piecewise quadratic approximation is
6.3 Performance and Accuracy
x(t) = x(t0 ) + x(t0 ) (t t0 ) + x(t0 ) (t t0 )2 /2. (7) In our implementation in CyPhySim, the Lorenz attrac-
We seek tor of Figure 1 executes approximately 2.5 times faster using
QSS3 integrators vs. an RK 2-3 solver. However, since this
arg min{t > t0 | q = |l(t) x(t)|} system is chaotic, it is not really meaningful to compare
= arg min{t > t0 | q = |u(t0 ) (t t0 )2 /2|}. (8) accuracy. Chaotic systems often have the property that ar-
 points in time, as illustrated in the upper plot in Figure
12. At each of these points, a smooth token is produced.
The zero crossings are predictable from these points, so no
rollback is needed to identify the points in time where the
collisions occur. The lower plot is created by sampling the
position signal with a sample interval of 0.01. The samples
between computed points of the upper plot are extrapolated
automatically from the smooth tokens. In the RK 2-3 model,
computation is performed at 14,072 time points, not count-
ing rejected time points due to rollback that is caused by the
zero-crossing detector. On a Mac Powerbook Pro, the RK
2-3 simulation completes in 3.3 seconds, whereas the QSS
simulation completes in 0.085 seconds, on average, so the
QSS simulation is approximately 38 times faster.
As discussed above in Section 2.2, most classical ODE
solvers require rollback to adjust step sizes based on error
Figure 11: QSS version of a bouncing ball model. estimates and to iterate to the time of events such as for
zero crossings. QSS solvers have the interesting property
Actual Points Computed that if the QSS1, 2, and 3 assumptions about the integrator
10 inputs, given above in Section 6.1, are indeed valid, then
rollback is never required. If these assumptions are valid,
5 then there is no error due to numerical approximation of
position

the integration, and events such as zero crossings are pre-

0
dictable in advance. The bouncing ball example illustrates
-5 this well. Fortunately, for certain cyber-physical systems,
these assumptions are indeed valid. Most digital actuators
0 2 4 6 8 10 12 14 do, in fact, produce piecewise-constant outputs, so if the
time physical reaction to these actuations is sufficiently simple,
Interpolated Values then computationally exact simulation is possible, where
10 the only source of errors is numerical roundoff errors. There
is no error due to numerical integration. When the QSS1,
5
2, and 3 assumptions are not satisfied, then truncating the
position

0
derivatives does, in fact, introduce errors in the numerical
integration. Management of these errors appears to be a rel-
-5
atively unstudied problem, at least to the knowledge of these
authors, except for asymptotically stable linear time invari-
0 2 4 6 8 10 12 14
time ant systems for which the global error can be computed [6].

Figure 12: Position vs. time for the QSS bouncing 6.4 Derivative Propagation
ball. Mathematically, integration is an operation that always
occurs over a measurable interval. Semantically, this means
that integration always introduces an (infinitesimal) delay
bitrarily small perturbations can have arbitrarily big conse- between its input and output. In CyPhySim, this means
quences, a phenomenon known as the butterfly effect. that the output of an integrator can be only based on pre-
Consider again the bouncing ball model of Figure 6. This vious inputs up to, but not including, the current times-
problem is ideally suited to QSS because the force on the ball tamp. Semantically, QSS integrator is a composition of an
is piecewise constant, and accuracy comparisons are more ordinary integrator with a hysteretic quantizer, the latter of
meaningful. The velocity of the ball is therefore piecewise which suppresses changes in its output until it has deviated
affine, and the position is piecewise quadratic. A QSS model from its old value by one quantum. However, since a QSS
in CyPhySim is shown in Figure 11, and a plot of its execu- integrator outputs derivative information inside its smooth
tion is shown in Figure 12. The upper plot shows the actual tokens, and the derivative is precisely the input itself, one
points in time computed by the simulation. may ask whether the output should propagate changes in
The model in Figure 6 uses an RK 2-3 solver with an error the input instantaneously at the following microstep, rather
tolerance of 104 . Figure 11 uses a QSS2 solver for the left than suppress them until a quantum is reached at a future
integrator (which outputs the velocity) and a QSS3 solver time.
for the right integrator (which outputs the position).2 Both While propagating derivative information instantaneously
simulations are run for 14 seconds, taking the model just alters QSS semantics slightly, it can only increase the accu-
past the point of tunneling. racy of the model, since downstream components are noti-
In the QSS model, computation is performed only at 46 fied earlier of the changes than they otherwise would be.
2
This highlights another advantage QSS, which is that the Of course, it would also come at a computational cost, as
choice of QSS order can be optimized for each state vari- the model is now evaluated much more frequently than the
able independently, although in this case, there is very little quantum size would otherwise suggest. Preliminary results,
observable difference if QSS3 is used throughout. however, seem to suggest that it is possible for the accu-
Figure 13: RLC circuit requiring an algebraic loop
solver (after Figure 12.8 in [6]). Figure 14: Model of the RLC circuit of Figure 13.

racy improvement to compensate for the performance loss Mockup Interface (FMI) is a standard for model exchange
by causing the model to correct its errors sooner rather than and co-simulation of dynamical models [19]. CyPhySim sup-
later, and hence do so less often. Therefore, to allow for the ports importing FMUs designed for model exchange or co-
potential benefits of such behavior, a QSS integrator in Cy- simulation. For FMU for model-exchange, it provides a QSS
PhySim has a propagateInputDerivatives parameter that simulation engine for numerical integration. This strategy
dictates whether changes in the input should be propagated also enables co-simulation of DE models with FMI, a com-
to the output at the current model time. bination also described in [24].
Many CPS applications include sampled-data subsystems
7. ALGEBRAIC LOOP SOLVERS with regular, periodic sample rates. CyPhySim leverages the
CyPhySim includes a mechanism for specifying alge- synchronous-reactive (SR) domain of Ptolemy II to provide
braic loop solvers, including a simple successive substitu- such models, which permits specification of a sample rate
tion mechanism, a Newton-Raphson solver, and a homotopy and enables structured multi rate systems. Such SR mod-
method. The model builder is given explicit control over the els interoperate well with DE, QSS, and Continuous models
solution method and initial guesses in order to ensure deter- [14]. CyPhySim incorporates a new innovation that enables
ministic results. arbitrary hierarchical nesting of these models. Sampled data
Figure 13 shows the electrical circuit with an algebraic systems can contain continuous or DE subsystems and vice
loop, which is the problem shown in Figure 12.8 in [6]. For versa.
this system, an algebraic loop needs to be solved whenever Nevertheless, much work remains to be done. The ap-
a QSS integrator changes its output, or when VoltageSource proach used to handle algebraic loops in Section 7 is seman-
triggers an event. Figure 14 shows the CyPhySim imple- tically sound, but the graphical syntax of such models is
mentation. The actor labeled AlgebraicLoop implements not satisfactory. The requirement that algebraic loops be
the algebraic loop that needs to be solved. It has an input factored out into a different level of hierarchy in the model
for the voltage source, and two pairs of inputs and outputs leads to good separation of concerns, but it makes the mod-
that connect the algebraic loop to the capacitor and the in- els considerably less readable. A better approach would be
ductor, each having a state variable. to graphically or textually describe the structure of the mod-
els in the most natural way, including where appropriate
using acausal ports as in Modelica, and then to automat-
8. FURTHER WORK ically transform the model for analysis and execution into
Some of the capabilities of CyPhySim are beyond the a form that separates concerns and implements the correct
scope of this paper. For example, CyPhySim includes semantics.
the ability to import functional mockup units (FMUs), The operations on derivatives that are described in Section
which are components designed in some foreign modeling 5.1 are particularly convenient to implement in CyPhySim,
language or tool (such as Modelica), and exported with because in the underlying Ptolemy II system, arithmetic op-
an interface defined by the FMI standard. The Functional erations on tokens exchanged between actors are polymor-
phic, which means that the token itself defines what addi- design of embedded systems. In EMSOFT (Salzburg,
tion, multiplication, division, etc. mean. An interesting pos- Austria, 2007), ACM, pp. 114 123.
sibility, which is not so trivial to implement in the software, [15] Liu, J., and Lee, E. A. On the causality of
would extend the manipulation of derivatives to transcen- mixed-signal and hybrid models. In 6th International
dental functions and other common operations on signals. In Workshop on Hybrid Systems: Computation and
effect, this would endow a numerical solver with a measure Control (HSCC 03) (Prague, Czech Republic, 2003),
of symbolic computation capability, creating an interesting O. Maler and A. Pnueli, Eds., vol. LNCS 2623,
blend of symbolic and numerical simulation. Springer-Verlag, pp. 328342.
[16] Maler, O., Manna, Z., and Pnueli, A. From timed
9. REFERENCES to hybrid systems. In Real-Time: Theory and Practice,
[1] Bliudze, S., and Furic, S. An operational semantics REX Workshop (1992), Springer-Verlag, pp. 447484.
for hybrid systems involving behavioral abstraction. In [17] Matsikoudis, E., and Lee, E. A. On fixed points of
Modelica Conference (2014). QSS. Quantizing signals strictly causal functions. In International Conference
rather than time. on Formal Modeling and Analysis of Timed Systems
[2] Broman, D., Brooks, C., Greenberg, L., Lee, (FORMATS) (Buenos Aires, Argentina, 2013),
E. A., Masin, M., Tripakis, S., and Wetter, M. vol. LNCS 8053, Springer-Verlag, pp. 183197.
Determinate composition of fmus for co-simulation. In [18] Migoni, G., Bortolotto, M., Kofman, E., and
International Conference on Embedded Software Cellier, F. E. Linearly implicit quantization-based
(EMSOFT) (2013), IEEE. integration methods for stiff ordinary differential
[3] Broman, D., Greenberg, L., Lee, E. A., Masin, equations. Simulation Modelling Practice and Theory
M., Tripakis, S., and Wetter, M. Requirements 35 (2013), 118136.
for hybrid cosimulation standards. In Hybrid Systems: [19] Modelica Association. Functional mock-up
Computation and Control (HSCC) (2015). interface for model exchange and co-simulation.
[4] Cardoso, J., Lee, E. A., Liu, J., and Zheng, H. Report Version 2.0, July 25 2014.
Continuous-time models. In System Design, Modeling, [20] Nagel, L. W., and Pederson, D. O. SPICE
and Simulation using Ptolemy II, C. Ptolemaeus, Ed. (simulation program with integrated circuit emphasis).
Ptolemy.org, Berkeley, CA, 2014. Technical memorandum, Electronics Research
[5] Cassandras, C. G. Discrete Event Systems, Laboratory, University of California, Berkeley, April
Modeling and Performance Analysis. Irwin, 1993. 1973.
[6] Cellier, F. E., and Kofman, E. Continuous System [21] Pantelides, C. C. The consistent initialization of
Simulation. Springer, 2006. differential-algebraic systems. SIAM Journal of
[7] Fishman, G. S. Discrete-Event Simulation: Modeling, Scientific and Statistical Computing 9, 2 (1988),
Programming, and Analysis. Springer-Verlag, 2001. 213231.
[8] Floros, X., Cellier, F. E., and Kofman, E. [22] Paynter, H. M. Analysis and Design of Engineering
Discretizing time or states? a comparative study Systems. The M.I.T. Press, Cambridge, MA, 1961.
between dassl and qss - work in progress paper -. In [23] Ptolemaeus, C., Ed. System Design, Modeling, and
Workshop on Equation-Based Object-Oriented Simulation using Ptolemy II. Ptolemy.org, Berkeley,
Modeling Languages and Tools (EOOLT) (2010), CA, 2014.
Linkoping University. [24] Savicks, V., Butler, M., and Colley, J.
[9] Kofman, E., and Junco, S. Quantized-state Co-simulating Event-B and continuous models via
systems: A DEVS approach for continuous system FMI. In Summer Simulation Multi-Conference
simulation. Transactions of The Society for Modeling (SummerSim) (2014), pp. 259256.
and Simulation International 18, 1 (2001), 28. [25] Tiller, M. M. Introduction to Physical Modeling with
[10] Lee, E. A. Modeling concurrent real-time processes Modelica. Kluwer Academic Publishers, 2001.
using discrete events. Annals of Software Engineering [26] Zeigler, B. P., and Lee, J. S. Theory of quantized
7 (1999), 2545. systems: Formal basis for DEVS/HLA distributed
[11] Lee, E. A. Constructive models of discrete and simulation environment. In SPIE Conference on
continuous physical phenomena. IEEE Access 2, 1 Enabling Technology for Simulation Science (1998),
(2014), 125. vol. SPIE Vol. 3369, pp. 4958.
[12] Lee, E. A., and Tripakis, S. Modal models in [27] Zeigler, B. P., Praehofer, H., and Kim, T. G.
Ptolemy. In 3rd International Workshop on Theory of Modeling and Simulation, 2nd ed. Academic
Equation-Based Object-Oriented Modeling Languages Press, 2000.
and Tools (EOOLT) (Oslo, Norway, 2010), vol. 47,
Linkoping University Electronic Press, Linkoping
University, pp. 1121.
[13] Lee, E. A., and Zheng, H. Operational semantics of
hybrid systems. In Hybrid Systems: Computation and
Control (HSCC) (Zurich, Switzerland, 2005),
M. Morari and L. Thiele, Eds., vol. LNCS 3414,
Springer-Verlag, pp. 2553.
[14] Lee, E. A., and Zheng, H. Leveraging synchronous
language principles for heterogeneous modeling and