upervisory hybrid systems are systems generating a mixture of continuous-valued and discrete-valued signals.

This systems paradigm is particularly useful in modeling applications where high-level decision making is used to supervise process behavior. This occurs, for instance, whenever a network of computers is used to control the physical plant in a decentralized manner, as is found in chemical process control or flexible manufacturing facilities. Hybrid system methodologies are also applicable to switched systems where the system switches between various setpoints or operational modes to extend its effective operating range. Such applications are found in aerospace and power systems. Hybrid systems, therefore, embrace a diverse set

of applications [ 11-[6] ranging from embedded real-time systems to large-scale manufacturing facilities and from aerospace control to traffic control. Over the past five years there has been considerable activity in the area of hybrid systems theory, and this article provides an introduction to some of the basic concepts and trends in this emergent field. The term hybrid refers to a mixing of two fundamentally different types of objects or methods. Hybrid neural networks arise when we combine artificial neural networks with fuzzy logic or with statistical methods. A system modeled by the interconnection of lumped and distributed parameter systems may be referred to as a hybrid system. Sampled data control systems are hybrid in that they combine discrete-time and continuous-time systems. This paper deals with supervisory hybrid systems. Supervisory hybrid systems are systems that combine discreteevent and continuous-valued dynamics. The motivation for introducing the hybrid system framework is the need to consider continuous and discrete dynamics simul-

Lemmon is an associate professor of electrical engineering at the University of Notre Dame, Notre Dame, IN 46556 (lemmon@ maddog.ee.nd.edu). Markovsky and He are Ph.D students at the same institution. The authors gratefully acknowledge the partial financial support of the Army Research Office (DAAHO4-96-10285and DAAG5-98-1-0199).


0272- 1708/99/$10.00O19991EEE

IEEE Control Systems

Congestion control in Fig. therefore. the parts bin) generates a using language theoretic or graph theoretic constructions. A great deal of this interest is driven by the need to test the logic and timing of very large scale integrated digital circuits. and the power distribution grid. I . arms do not enter the parts bin at the same time. Not only must the this computer-supervised system is a hybrid system since it robotic arms complete their repetitively performed tasks.sired system behaviors may also be hybrid. and then gram may be seen as supervising this control loop by selecting returning to the parts bin to fetch another workpiece are pervarious reference inputs or setpoints for the plant. and a set of measurements M . Power distribution involves discrete the analysis and synthesis of supervisory discrete-event systems.cusses specification logics that express system requirements on visory hybrid systems arise when the measurement set M is the both the discrete and continuous states of the system. Super. The hope the study of dynamical systems. In other words. they mixes continuous-valued (the control loop’s state) and discrete. The of the associated discrete-event process are formally modeled introduction of a shared resource (i. In sampled the system have a hybrid character.e. to be used 1:hroughout as a pedameasurement x ( t ) in the set M . The signals are functions between a set of time in. We then discuss modeling frameworlts for hybrid systems. but the specifications on dedata systems the index set I is the Cartesian product of the inte. communication networks. is a consequence of the fact that these systems generate a mixture of conHybrid System Example tinuous-valued and discrete-valued signals. and the dynamics sumed that the parts bin is shared by both robotic arms. which map a time t E I onto a example of a hybrid system. The systems scientist treats the is that hybrid systems theory will provide a systematic framework system as an abstract mathematical mapping between various for system engineers that will greatly reduce the cost of large-scale sets of signals. communication networks is similar in that we are interested in supervising the flow of taneously. Signals.system development with concurrent incret2sesin system reliabildices.of paramount interest to all nations. There is also a theory for quality is optimized. Systems science provides a formal mathematical approach to viding no provable guarantees of safe system operation.Over the past five years there has been considerable interest in supervisory hybrid systems [7]-[ 131. The continuous process may be a closed. Supervisory hybrid systems theory is intended to for the design and analysis of such systems rely heavily on simulation testing. as the Cartesian product of a discrete and continuous set. We First provide a concrete functions of the form x : I + M . are ity. Free floating robotic system. as these systems constitute proached in an ad hoc manner with extensive computer simula. This article is organized as follows. This article also disgers (discrete-time) and real numbers (continuous-time).major components of national infrastructures. are sometimes referred to as discrete-event signals. Another reason for this interest is that rapid advances in computer and networking technology have greatly accelerated the deployment of large-scale supervisory systems. One expaying specific attention to the hybrid automaton. transporting it to the work area. Fig. 1. Current methods tion testing. 1 shows a concrete example of a supervisory hybrid sysA common example of supervisory hybrid systems is found tem. Traffic control is concerned with the supervision (a discrete process) of vehicles (continuous processes). Classical control theory provides tools for analysis: data packets so that some continuous-valued measure of service and synthesis of continuous systems.formed repeatedly. The hybrid nature of supervisory hybrid systems. I . and concludes with a some subset of Euclidean n-space). The figure shows a free-floating robotic vehicle with two whenever a computer is used to supervise the behavior of a contin.articulated arms. Thus mutual exclusion requirement on the system.fetching the workpiece. however. The system is required to obtain components uous-valued process. Hybrid systems arise when they gogical tool illustrating various concepts in hybrid systems thegenerate signals whose index or measurement sets can be treated ory. The article Cartesian product of a discrete set (usually taken to be a finite set continues with a survey of current methods and concepts used to of symbols or integers) and a continuous set (usually taken to be verify or validate desired system behaviors. solutions are ap. it is asgram’s current state evolves over a discrete set. The computer pro. The safe operation of such systems is containing discrete and continuous dynamics. switching to ensure the stable and continuous delivery of electriWe are currently lacking a formal approach to analyze systems! cal power across the grid. August 2999 43 . Not only may ample of a hybrid system is a sampled data system. therefore. a costly and time-consuming method of analysis proprovide automated and guaranteed solutions to such problems. Examples of such large-scale systems include the air traffic control grid.must also be sure to execute the tasks in a way that ensures both event (the program state) variables.from a parts bin and move these components to a work area loop control system whose mathematical representation takes where an assembly operation is to be performed. As illustrated in Fig. The discrete-valued signals survey of current methods for hybrid control system synthesis. The tasks of the form of an ordinary differential equation. This pro..

= 8. The equations of motion for the arms can be expressed by the following ordinary differential equations where0. Transition between discrete states is triggered on entry into or exit from the parts bin. Lec8. we expect the robotic arms (i. (1) This code has four distinct segments. Since these variables take values in a discrete set. the system would deadlock (i. From our earlier discussion. we see that the state of the program can be characterized by three different state variables: the lock variable.. denote the inertial angles of robot arms 1and 2.. be the body angle with respect to an inertial frame.For this example the control law is a proportional feedback law with gain k and with reference inputs r. and J . A candidate solution to the mutual exclusion problem can be readily developed [ 141. it is possible to violate the mutual exclusion constraint without the computer process actually detecting this violation. = 8. the angle between the arm and the parts bin (or work area). ling each arm occupies several distinct states. both computer processes cannot be executing their critical sections at the same time. It may. which represents that code which must be executed mutually exclusively.e. by requiring that the virtual (i. The fact that the a body) and body angle. e. Upon leaving the parts bin. therefore.g. Assuming that a multitasking operating system (O/S) controls the execution of both computer processes. The goal of hybrid systems science is to provide such a formal framework. 1 may need to be studied using a formal framework in which both discrete and continuous system dynamics are examined simultaneously. In other words. Are these discrete states sufficient to represent the behavior of the physical process? For this particular system. From (l). +8. and 8. the physical system) to respect that requirement as well.& + J .. by measuring0. REM: if[arm-not-in-workareal goto-workarea(1. + O b ) . This remainder section checks to see if the arm is in the work area (the function call arm-not-in-workarea) and outputs the command signal to the arm (the function call goto-workarea[]). mutex=l . From this pseudocode. e. Note that the state of the continuous-valued subsystem is not entirely reflected in the discrete-event state of the computer process. are the moments of inertia for the body and arms. Weassume that the computer process for arm 1 can only measure 0. are not directly observable suggests that this system could fail in ways that cannot be predicted by an examination of the controlling computer processes. in a mutually exclusive manner. Due to the Hamiltonian nature of the system. which moves the arm toward the work area. CRlTl : if[arm-not-in-partsbinl goto-partsbincl. If this were to occur.e. - - = 0.. O . There is an entry section (ENTRY) which tests the lock variable mutex to see if the other arm is moving towards the parts bin. Whether or not ensuring mutually exclusive execution of the process’s critical sections is sufficient to guarantee the safe operation of the physical system is not immediately apparent. since the system conserves total system angular momentum. Let 0. These concurrent processes need to coordinate their actions if they are to ensure the physical system (i. the program counter for the first process. the body angle cannot be obtained independr m angle. and8. the supervisory logic embodied in this program is a discrete-event system. Let’s assume that each arm is controlled by a computer process (an instantiation of the arm control program). We have also included an error state (ERR) that aborts the program’s execution if the arm hits its mechanical limits (armlocked evaluates to true). = 8. (relative to the ently from 8. In practice. and r. computer) processes respect the mutual exclusion requirement..e. the program checks to see if the arm is in the parts bin (the function call arm-notin-partsbin) and outputs the command signal to the arm’s motor (the function call goto-partsbinll).. EXIT: mutex=O.e. are the angular positions of arm 1 and arm 2 with respect to the robot’s body axis (see Fig. and this knowledge is determined by explicitly examining the arm’s position with respect to the position of the parts bin (e. with respect to an inertial frame must satisfy J. + J. The pseudocode for one of the computer processes is shown below: ENTRY: if[mutex==ll goto ENTRY.the robotic system needs to treat the parts bin as a criticalsection that both arms access in a mutually exclusive manner. the robotic arms) enters the parts bin in a mutually exclusive manner. In other words. system dynamics imply a subtle coupling between both arms that might make it possible for an arm to enter the parts bin when the controlling computer process is not in its critical section.. from which it commands the arm to move back to the work area. While in the critical section. We therefore know that the body angle 8. The conclusion to be drawn from the preceding discussion is that even relatively simple systems such as that shown in Fig. we can then use O/S control structures such as semaphores or mutexes [ 151to ensure that both processes execute. The following sections discuss what progress has been made to date in this direction. As a result. goto ENTRY. 1)..e. In other cases. Both of these processes execute on the same computer. These reference inputs represent commands that direct the arm to move to the parts bin or work area. we saw that the computer process control- where J . the answer is no. If the lock variable mutex is 0. then the program sets the lock variable to alert the other process that it is heading to the parts bin. the movement of the arms will induce a body rotation so that the system’s total angular momentum is conserved.. the lock variable could be implemented as an O/S semaphore. 44 IEEE Control Systems . respectively. be possible for the system’s body to work itself into a position from which one of the arms cannot reach the parts bin. because there is a subtle coupling between the arm and body dynamics. Under our assumptions. and the program counter for the second process. that section of their code requesting access to the parts bin.. the program would be stuck in one of its discrete states). This process then enters its critical section (CRITI). respectively. ERR: if[arm-lockedl STOP. the process releases the lock variable and then enters its remainder (REM) section. +0. we see that arm motions will induce a body rotation. +e.

nected to a continuous subsystem. The name refers to the classical Zeno's paradox in which the concept of a limit is first informally introduced. q:%" x R + R. Thus the switching action may be ini-. In this case.l)-dimensional involves developing a framework that not only treats continumanifold (a hypersurface). Equation tinuous jumps on the switching boundary [19]. These are systems that can be implicitly modeled by the following set of equations: not absolutely continuous. System scientists. These are very general conditions and are satisfied by most system was viewed as a logical discrete-event supervisor conof the systems of interest. What has become apparent in recent years is that a successful modeling paradigm for hybrid systems must integrate ideas and methodologies from both disciplines in a complementary way. ous-state jumping. Hybrid systems discrete set R. nient way of capturing discrete-event behaviors. and a sufficient condition guaranteeing that such solutions do not exist is to require that state trajectories cross the switching surfaces in a transverse manner. we usually want all of our systems to be non-Zeno.j = q(x. are there any needed for hybrid systems theory to advance is a modeling paracontinuous or discrete trajectories that satisfy these equations? digm providing greater insight into the discrete-event dynamics Conditions for the existence of absolutely continuous trajecto-. The discrete and continuous The existence conditions [17]. In hybrid dynamical systems. ries generally require that a set-valued mapping associated withl An early hybrid system model dealing explicitly with discrete these system equations be upper semicontinuous and convex and continuous dynamics is found in [21]. A good reference to some of It is convenient in switched systems to define a switching se[ these models is found in [20]. These scientists were trying to develop an equational framework capturing a sufficiently rich array of possible hybrid This is the set of all continuous states that enable a transition behaviors (chattering. on the other hand. do not provide a conveA natural question about such equational representations is. of the hybrid system. the hybrid [17]. there is no guarantee that these solutions will be unique. nondeterminism in supervisory decisions. The preceding model assumed solutions in which the continuous state trajectories i(t-) = limi(T) were continuous across the switching boundary. These individual systems are referred to a:. have tended to employ equational models in which system trajectories are represented as functions solving some set of equations. unfortunately. the full range of possible hybrid behaviors. A variety of hybrid system models might transition to is characterized by the discrete transition have been developed to allow the representation of such disconfunction. Early system theoretic models for hybrid systems tended to focus on switched systems [16]. There are. The set of discrete states we change upon hitting the floor. most system scientists. Although we can usually ensure the existence of solutions to such equations.Hybrid systems have been studied extensively by computer scientists and systems scientists. between the ith and jth modes by the following equation: The preceding references to the hybrid system modeling literature refer exclusively to the efforts of traditional system scienfig. do not preclude the systems were interconnected through art interface that transexistence of hybrid system continuous state trajectories that are formed continuous-valued measurements into discrete event sig- Hybrid System Modeling August 1999 45 . We usually assume Q. The dynamics of the discrete state are venient model for many physical systems. Systems capable of exhibiting such chattering solutions are sometimes referred to as Zeno systems. howTTI ever. switching. What is really whether or not they are well-posed. Computer scientists have been interested in the behavior of real-time and multiprocessor programs. Each approach has its strengths and weaknesses. if we Snis the continuous-valued state trajectory and know the system state at timet. The system models developed for such systems are usually based on extensions of traditional finite state machine or Petri net formalisms. Switched syst'emsof the form shown in (2) and (3) are well known to exhibit chattering solutions in which the system switches infinitely fast between two different types of vector fields. The function Such nondeterminism may arise out of the discrete switching bef:S" x R + 3'' represents a set of continuous dynamical sys. x(t). In the limit these chattering solutions become sliding mode solutions. Equational representations familiar to that boundary. In other words. One example of (3) means that the discrete state transitions at time t from state such a system is the bouncing ball where. many systems in which the continuous state makes disconrepresents the right-hand limit of the function i(t) at t. is a key challenge faced by any hybrid system paradigm. "nice" set in the sense that its boundary is an (n .. In supervisory hybrid systems. A from discrete stateito discrete state j .tween various vector fields. or it may arise due to an inherent tems (vector fields). the future behavior of the system where x:X i:% -+ R is a discrete-valued state trajectory taking values in the may take any one of a number of different paths.= (x E 3 ' ' : . the ball's velocity vector makes an instantaneous sign value of the continuous state.i)]. The switched systems represented in (2) and ( 3 ) can also be treated as differential inclusions for which it is well known that nondeterministic solutions may exist. x ( t ) andi(t) denote the values that the continuous commonly exhibit some form of nondiderministic behavior. sliding mode behaviors are often considered undesirable. and autonomous jumping). tinuous or autonomous jumping. however. due to an elastic collii(t-) to i(t). tists. however. respectively. modes. which are frequently found in variable structure systems [ 181. In this equation. The dynamical system used at timet is represented by the The switched system introduced in (2) and (3)provides a condiscrete state i(t)at timet. In other words. and discrete trajectories take at timet. and that this transition is conditioned on the current sion. It is interesting to note that computer scientists also have a term for this chattering behavior. but also captures the switching nature of the tiated whenever the system's continuous state evolves across discrete-event process. but it does not capture embodied in (3).

E '32n. A..C) where N is a marked directed graph called a network.v2. is a continuous one of the mappings (say A) in A.A). Stop. z = (X. Although it provided a very general framework for hybrid systems. a marked vertex is denoted by placing a small solid circle (also called a token) in the marked vertex.VisasetofverticesandA c V xvisasetofdirected arcs between vertices. An open circle is used to represent each vertex of the network. The current state of the system is denoted by marking the network.The obfunction of % taking values in %". An arrow starting at vertex vi and terminating with an arrowhead at vertex v i represents the arc ( v . initial time. is marked. E 3. GoToBin. If p(v) = 1. x:% -+ andx. X . These automata are generalizations of traditional finite state machines in which event transitions are conditioned on the truth value of logical propositions defined over a set of continuous-valued dynamical processes.It can be defined by a three-tuple (N. Graphically. In Fig. The hybrid automaton is closely related to the differential automaton. Otherwise the vertex is unmarked. Extensions of the approach using Petri nets (rather than finite state machines) will be found in [32]-[34]. respectively. ~ . The value that this vector In Fig.. The relationship between these two subsystems is captured by the labeling functionL.. The work was very influential in that it led to the development of automatic verification tools [27]-[29] for real-time and hybrid systems. . and LeaveBin. A framework with significant potential for practical usage was developed by the computer science community [24].. The vertex set is finite with its cardinality denoted as (VI.Networks are often represented graphically. the model in [21] and [23] was of limited utility due to the restrictive nature of the control. the following section presents the hybrid automaton in more detail. Although powerful computational tools were developed for the manipulation of such formal models.v4. This marking vector constitutes the discrete state of the hybrid system.p) where V and A are the network's vertices and arcs. A is a set of Lipschitz continuous vector fields over %'I representing the continuous dynamics of the system. and the arcs Fig. The set A is a finite set of vector fields over 9ln characterized as Each -+ '32" (fori = 1.2. Network for a discrete-event system. The crete states that our robotic a marking indicates that this robotic arm is currently heading toward the parts bin. we've labeled the vertakes at time z is denoted as E(%)). Each of these three components is discussed in greater detail below.e. and C is a mapping from the network's vertices and arcs onto formulae in a propositional logic.V = {v.x. tices of our network with the names of the discrete states that a robot arm can occupy. PartsBin.xo)where X is acterized by the following four-tuple. The network N is a directed graph characterized by the orderedpair(V. The hybrid automaton has been very influential in the study of hybrid systems. The final element of the triple is a function p:V (OJ} that associates either zero or one with each vertex of the network.v3. X " ) are referred to as the continuous state's rate. Computer scientists have long used formal graph theoretic models for concurrent computer processes. The elements of A represent continuous dynamical systems (i. The network N is also called a finite state machine or finite automaton. and initial value. jects in z = ( X . 7. It is common to think of p as a vector in which the value of the ith element of this vector is the marking of the ith vertex. [25]. Network N = (V. which was introduced in [30]. The approach advocated the extraction of an equivalent discreteevent model of the continuous subsystem. ) . it was apparent that in dealing with multiprocessors and real-time applications. modes) which generate state trajectories~:% + %" through the differential equationx(t) = X(x(t)) for any E A. value. which could then be supervised using extensions of the Ramadge-Wonham supervisory control theory [22].A. The network therefore characterizes the various disr m can transition between.nals and vice versa. 46 IEEE Control Systems . Another related version of the hybrid automaton can be found in [311.. 2 illustrates a network with five vertices. 2. Finite state machines and Petri nets represent two well-known examples of such models. the vertexv. . Together these objects form an initial value problem X:nn Hybrid Automaton The hybrid automaton is an extension of the traditional finite state machine [35]. 2. The network models the discrete-event subsystem and the set A represents the continuous dynamics of the hybrid system. This work suggested a logical discrete-event system (DES) approach to hybrid controller synthesis that was reminiscent of traditional approaches to sampled data control. A marked network is the triple (V.The network shown in Fig. The result was a timed [25] and hybrid automaton [24]. respectively. A) enumerates all possible states that a discrete-event system might occupy. WorkArea. then vertex v is marked.v5}. The continuous state of the hybrid system is charzo. and has served as the starting point for much of the recent research in hybrid systems. n ) maps the continuous state space %" back into itself. This realization led to an attempt to extend traditional and highly successful model checking [26] for finite state machines to real-time systems. T ~ . the continuous nature of time would require some extension of these traditional computer science methodologies.

) with the marking vectorp produces the system's hybrid state. both p and q are in P. In addition to this continuous enabling condition.the initial time z . 3. then there is ari arc (w. essentially. The second type of invariant equationhas theform[h(x. We now define the dynamics of the hybrid automaton by characterizing all hybrid trajectories generated by the hybrid system. . therefore.v)) is a guard equation reprcsenting an inequality constraint on the continuous state's value x. In this article we choose the following. If the elements of A are all unity (i.C) if and only if the trajectory D satisfies the following conditions: For all z E ( T ~zZ) . The logical propositions labeling the network nodes and arcs can be defined in a variety of ways. The third type of invariant has the form [T. there are discrete enabling conditions. Thefiring of arc(w. The set of all ordered pairs (z.Therefore.. The labeling function C associates each vertex and arc of the network with a proposition in P. = T]. the continuous state z must be reset so that the rate X. The event 1abelsC form the third component of the hybrid automaton. where h : S n + % are functions of the initial conditions x. Moreover.v)).v) in the network thatfires.and the initial state xg. where X is the rate of the continuous state and A E A. in the continuous part of the hybrid state. one for robot arm 1 and another for robot arm 2. This condition requires. For these predicates to be satisfied.v)) on the arc and when the discrete enabling conditions of the marking vector are satisfied. Such a function will be called a hybrid trajectory. [h(x. 1 and whose discrete dynamics are illustrated in Fig. The system whose Continuousdynamics are illustrated in Fig. Guard equations have the form [g(x) > 01 where g:%" -+ % is a function defined over the continuous-state space.e.e.x.that the function x:[T. therefore.then the hybrid automaton is called a timed automaton. In a similar way. we say that the hybrid stateo satisfies 1p (i. $ consisting of the discrete state and the continuous state z. Two important classes of hybrid automata are obtained by restricting the nature of the objects in the triple. and [T. In other words.) = 01. Invariant equations are equations of three forms. however. C). if p E P. We will be interested in functions D:% + 3-1 of time that take values in the hybrid state space.we say that this trajectory is generhybrid trajectory o:% ated by the hybrid automaton ( N . In this automaton. The labels for the network are shown in Fig. to label arcs (rather than vertices) with invariant formulae resetting the initial state x.We first introduce the following set of atomic equations. then the negation 1 p is also in P. The bindings implied by C determine how the continuous and discrete parts of our hybrid system interact. we see that the vertex label WorkArea has no predicate associatedl with it. Other legal formulae in P are generated recursively by the For instance.. If T is a switching time.x. T.satisfy the equations in L(v). Given an arbitrary + H. if conjunction and negation of other formulae in P. The class of rectungular hybrid automata occurs when elements of A are set valued mappings in Tin characterizingrectangularregions and whein the guard and invariant equations form rectangles in the continuous-state space 3 ' .. The hybrid automaton's state.z. is represented by an ordered pairo = ( z .v) can fire. there exists a marked vertexv such that the hybrid state O(T) bL(v). We define the disjunction as pVq = i ( i p A i q ) . z = (X. that are not switching times and where T. Recall that the label L((w. N . E(T+). m) -+ 31" satisfies for all T > T.) = 01. when the lock August 2999 47 .p)is denoted as H and will be called the hybrid state space. This condition states that at the switching time T. An atomic formula p is said to be satisfied by hybrid stateo if and only if the equation is true when the hybrid state o is substituted into the equation. We say that the hybrid state o satisfies p A q (denoted as o k p A q ) if and only if o k p and o k q. A. Combining the four-tuple. This label.v) such that o(T-)i=L((w... 'The arc fires when the continuous state trajectory x( T) satisfies the guard equation L((w. C is the interface between the discrete subsystem.v) will modify the network's marking vector by rlsmoving a token from w and placing a token in vertex v. P ( W ( T + ) ) = p(w(T-)) -1 = 0 andp(v(z')) = ~ ( v ( T . The automaton consists of two concurrent parts. 2 can be easily modeled using a hybrid automaton. A time T E 3 1 is said to be a switching time if and only if E(z-) # In other words. D k -p) if and only if D does not satisfy p . is a switching time. generating the hybrid system's continuous state x. that between switching times the continuous part of the hybrid system state satisfies the differential equations implied by the vertex predicate L(v). These objects characterize the initial value problem in (4) and ( S ) . a switching time is the instant when the marking of the networkN changes. Let's examine the automaton for arm1 in more detail. The network N is simply the network given earlier and the set A consists of the following vector fields. the switch at time causes the hybrid system to switch the underlying continuous-time dynamics (of the hybrid system. Note that the definition is sufficiently general so that other interpretations can be applied to arc and vertex labels. We denote the satisfaction of p by D as o b p .]. then the conjunction p A q is in P. between WorkArea and GoToBin is labeled with the conditional formula 7[mutex > 01. The final two conditions state that the vertex w must be marked just prior to the switch. For the hybrid automata considered in this article. X = l). All formulae in P can be generated by the recursive application of conjunction (A) and negation (7).there is an arc(w.) )+ 1 = 1. 3. 31". A. = z] and acts to reset the initial time in the continuous state z to the current time. The arc. represents a necessary condition that the continuous state x has to satisfy before the arc (w. we assume that network arcs are labeled with guard equations and network vertices are labeled with invariant equations. Recall that the vertex predicates are invariant equations of the form [X = A ] . for example. It is customary in many applications. The resulting hybrid automaton is shown in Fig. and the continuous subsystems in A. These conditions also tell us what must happen to the marking vector after the switch. The first form of the invariant looks like [ X = A ] . ( N . The event labeling is represented as a mapping L: V U A -+ P from the arcs and vertices of the network onto formulae in a propositional logic P whose atomic formulae are defined with respect to the continuous state z .

We assume that all vertices in this network also have the invariant equations. In practice. = x ( z ) ] and [z. ] Once . the state PartsBin is labeled with the predicate [e. be necessary to condition system performance on the system’s reference signal. Common measures of signal size include signal energy. the arm is out of the bin. 1 48 IEEE Control Systems . 3. more expressive methods must be adopted for capturing the designer’s requirements. 1.. the system begins moving it out ofthe bin: therefore. The conclusion that must be drawn from the preceding observations is that while traditional control theoretic performance measures are valuable. Upon leaving the bin. = f . To meet these more complex and realistic system specifications. 3 is also used to control the second arm of the vehicle.In this case.. Also note that the transition out of discrete state GoToBin has a nondeterministic next state in the sense that we can either transition to PartsBin or Stop. these measures are referred to as signal norms. they do not provide sufficient flexibility to characterize the wide range of desired behaviors our systems need to satisfy. Finally. variable mutex is no longer nonzero. Formal logics can be used to express complex system specifications. r m toward the parts to the vector field that begins moving the a bin. and amplitude. thereby /causing both arms to eventually stop their motion. The condition for transitioning to the Stop state is [e. While in this state.Fig. it should be noted that norm-based performance measures are clearly inappropriate for supervised systems such as the system in Fig. The discrete state GoToBin is labeled with the predicate [mutex = I] A = f. 8. The predicate guarding this transition is $3. 3. A gain scheduled system may need to satisfy one normbounded specification at one of its setpoints. and norm-based measures of system performance represent the starting point for most optimal controller design methods. they are not explicitly noted on the graph in Fig. Note that the preceding discussion stepped through the various discrete states of the automaton controlling the first arm of the vehicle.]A [e. however. < -0. Hybrid automaton for robotic system. we allow the system’s discrete state to transition t o the state LeaveBin. The coupling between these two discrete structures is through the lock variable. the r m can access the system resets the lock variab e so the other a parts bin.]. System Specifications Control theoretic measures of system performance are frequently taken to be the size of some important signals within the control system’s feedback loop.. which turns off the system. Finally. This predicate sets the lock variable to 1. power. the mutual exclusion requirement is a high-level behavioral constraint that is not easily expressed in terms of a signal with bounded norm.or exits to the Stop state if the limit conditions on the arm’s angular position are violated.. The arc connecting GoToBin to the discrete state PartsBin is labeled with the conditional predicate [ 10. A similar automaton shown in Fig. the system either returns to the WorkArea state if the appropriate conditions on the angle are satisfied.11 . > 0. hits its physical stops). and the body angle.741v [e. thereby indicating to arm 2 that the parts bin will be occupied. We have already used a propositional logic to character- [e. .l < 011.This guard condition represents a strip in the continuous state space characterizing the extent of the parts bin for robot a r m 1. the system also sets its timer rate8.]. Once the armis in the parts bin. In a more abstract setting. It is labeled with the predicate [e. for example.. this arc may fire and the system will switch to the logical state GoToBin.171. = z] where z is a switching time. and yet this specification may be relaxed at another setpoint without hurting the system’s ability to satisfactorily meet specified performance goals. = f. = f. This is a safety condition that is triggered if the arm moves too far (i. These invariants ensure that the continuous state trajectories are continuous across switching surfaces.e. hence the predicate on LeaveBin is [mutex = 01. mutex. It may. > 1. a single norm-based measure of performance is rarely adequate to completely characterize what the designer wants the system to do. [x. Since these invariants are common to all vertices. The Stop state is a deadlocked state from which all forward progress in the system ceases. Signal size is measured using a function that maps each signal (a function of time) onto a positive real number.

e. In our case. An easy way to guarantee mutual exclusion is to require that one arm be deadlocked. A system attempting to enforce a mutual exclusion constraint is deadlock-free if each process in its entry section is guaranteed of eventually transitioning into its critical section after a finite waiting time. CTLl allows us to express complex specifications relating the discrete and continuous states of the hybrid system. . In other words. For this reason. The current hybrid state o is said to satisfy this atomic formula if the inequality is true for the given state at timet. This requirement is weak because no finite constraints have been imposed on the amount of tiime before deadlock is broken. The second atomic formula is a specific marking of the network. ando(t. the computer programs controlling both arms will not enter their critical sections at the same time. where F is the frame on which s is defined. Thjis article has only presented some of the basic principles and ideas behind using logics to formally specify hybrid system behavior. A time limit on the duration of deadlock might be imposed by introducing a clock into the system that measures how long the arm has been deadlocked. sI = pVUq w for all hybrid trajectories o(t)such thato(0) = s.U. and the duration caZcuZus [29]. referred to as CTLl. We now turn to the use of formal logics.) k q. in particular temporal logic. if one of the arms stops moving. predicate p is true until predicate q is true. In temporal logics. and considerable work is still being done to investigate specification logics for hybrid systems. discrete states (markings). In particular. e. The formula pVUq can be seen as saying thatfor all hybrid trajectories. Leto(t) be a hybrid system trajectory. such that o(t)b p v q for 0 < t < t . [39] also appears to form a very attractive specification language for hybrid systems. Let x . The syntax and semantics of CTLl are defined below: s +P w p is satisfied by state s w p is not satisfied by state s s I= -p a p and q are satisfied by state s s I= p A q s k p3Uq w there exists a hybrid trajectory o(t)such that o(0)= s and a time t . In cases where the frame is clear. it is also essential to require that the systern be deadlock-free.denote the state of such a clock and let's assume the clock is reset and restarted when the system first marks the vertex WorkArea. The syntax of the logic is the set of rules defining how atomic formulae may be combined to form legal formulae or predicates in the logic. s. which allows us to introduce and reason about several notions of time. the frame states can be ordered (i. The other two formulae. the hybrid state at time t satisfies the predicate if and only if the network's marking at time t equals .I <. CTL1. our hybrid automaton). meaning that there exists a trajectory in which p is true until q is true. 1 . The formula p3Uq is the existential formula. Not all solutions to the mutual exclusion problem are equally desirable. 1. and its semantics. pVUq and p3Uq. ando(t. we drop the subscript F . suchthat o(t)k p v qfor 0 < t < t . the following equation provides a useful characterization of the deadlock-freedom requirement: 1WorkArea]VU[[PartsBin] A [x. then we can always ensure the other arm accesses the parts bin in a mutually exclusive manner. The formulae V'up and 3Up are equi valent to [true]VUpand [ true]3Up. and 1 p represent the logical not operation. The frame is a hybrid automaton and so explicit mention of it is dropped. Thus the formula p A q represents our usual notion of logical conjunction. as introduced in this article. These operators provide a way of describing temporal relationships between predicates. A linear temporal logic assumes all states are strictly ordered and therefore allows us to reason about purely deterministic strings of events. This logic. In the remainder of this section we present some specific examples illustrating the use of CTLl in specifying acceptable behaviors for the robotic system illustrated in Fig. The atomic formulae are a set of elementary formulae or equations. is true with respect to the frame state. The frame is a set of states through which a system might evolve (i.thereexistsatimet. to express requirements on desired system behavior. however. is extremely simple. then the atomic formulae for our specification logic take the form [ g ( x ( t ) )> 01 or [ p ( t )= pol. its syntax.< c]]. in the inertial frame.. A branching temporal logic assumes all frame states are partially ordered and allows us to reason about systems with nondeterministic dynamics. have a special meaning that is specific to temporal logics. we will look at system specifications that can be expressed as formulae in a branching temporal logic since hybrid systems are usually nondeterministic. This particular specificationequation says that for all possible. respectively. In referring to the example in Fig.111. with respect to order of occurrence)..The first atomic formula is the conditional formula used earlier as a guard condition in the hybrid automaton. The particular logic used here. A weak version of deadlock-freedom may be expressed by the CTLl formula. In this case.then we say that s satisfies p and denote this as s k F p. More powerful temporal logics using the hybrid automaton as a frame will be found in 13'71 and [38]. The meaning of logical formulae is then determined by defining the truth values of all logical equations with respect to the frame states.e. is only intended as a pedagogical tool illustrating some of the basic concepts encountered in using temporal logics to express specifications for hybrid dynamical systems. p v q represents logical disjunction. These logics consist of propositions whose truth values are evaluated with respect to norm bounds on the continuous states of the hybrid system. is a subset of the computation tree logic (CTL) [36].I <1 1 A [I e. Th& critical sections are defined by inequality 'constraintson the absqlute value of the arm angles and 8 . We have made no attempt in this article to construct a complete logic. The specification is requiring that all trajectories starting in WorkArea enter PartsBin in less than c time units. A temporal logic specification capturing this desired constraint is VU7[[I 0 . [ WorkArea]V'M[PartsElin]. p . the first requirement is that the system must satisfy a mutual exclusion requirement.ize the labels for a hybrid automaton. if a logical formula. In this case. A logic may be characterized by three things: its atomic formulae.) k q. Recent work in [37] and [38] has augmented CTL to reason about time intervals. The semantics characterize the meaning of the logical predicates with respect to a specifiedfrume. August 1999 49 .

PartsBin}. In this case. we compute all of those discrete states that can reach Q. Modern robust control synthesis involves searching over a parameterization of the feedback control loop to find stabilizing systems satisfying norm bounds on a specified set of objective signals.Verification. The first observation that can be made about this iteration is that it is monotonic.. GoToBin. and Synthesis Given a system model and a design specification. In other words. = R for all k 2 j .consists of all those discrete states for which the predicate p in the CTL formula 3Up is true. This work developed an extension of CTL so that specifications could be Cl = {PartsBin. 50 IEEE Control Systems . the iteration has afixed point. but a simple example will serve to illustrate the basic principle. Traditional model checking [26] assumes that the specification is framed in CTL. fori = 0. We then consider Lyapunov theory approaches for validating hybrid system performance. This figure shows each set of states in the sequence R. Control theorists are very familiar with this approach to system synthesis. In both cases. The next set. SMC [26] is a verification method in which the frame is a finite state machine and the specification language is the branching temporal logic. A hybrid system verification method based on earlier SMC approaches was reported in [24]. although recent efforts have looked at alternative frames such as hybrid Petri nets. Solving this problem involves identifying sufficient or necessary and suficient tests for satisfiability of the specification with respect to the assumed model (a hybrid automaton). or the duration calculus [39]. we see that R. = QouA. How does model checking for hybrid systems work? It is easiest to begin by considering classical SMC for finite state machines and then examining the extensions required for checking hybrid systems. This CTL specification asks us to identify each discrete state from which there exists a state trajectory eventually ending up in the parts bin. The two approaches are compared and their relevance to hybrid system synthesis is discussed. We repeat the above iteration until. Validation methods are frequently used in the control systems community where it is often impractical from a computationalstandpointto verify system properties such as stability and robust performance. Thus the iterative procedures used in symbolic model checking are essentially solving reachability problems over the discrete-event system’s state space. in the ith iteration. R I . and software implementing the approach was also developed [27]. formulated on continuous state variables as well as discrete network states. . By far the best known work has been done for hybrid automata with specification logics based on Emerson’s computation tree logic [41]. [28]. The discussion begins with a look at current verification methods based on extensions of symbolic model checking. the time i.. [27]. This section provides an overview of concepts and methods used in hybrid system analysis and synthesis. The specification 3Up is then verified by comparing this fixed point against the initial starting states for our system. WorkArea. If the starting states are contained within this fixed point. which means that the satisfiability of such formulae can be readily computed by the repeated application of these operators [36]. is generated by the relation Q. PartsBin. The interesting thing about CTL formulae is that they are fixed points of special recursive operators. R I The second observation is that because the state machine has a finite number of vertices. the specification can be considered to have been verified. Early verification work for hybrid systems attempted to duplicate the success of SMC on real-time systems. so the fixed point is computable.2. This body of work assumes that the specification is posed in a temporal logic such as the timed computation tree logic (TCTL). whereas merely sufficient conditions are often referred to as validation tests.. The second problem of interest concerns the synthesis of controllers that enforce a specification on the plant behavior. LeaveBin}. . where the set A consists of the presets of all vertices in R. Let us consider the finite state machine shown in Fig. In this example. the fixed point is the set + Verification Much of the early work in hybrid systems analysis can be found in the computer science literature. p = 3IA[PartsBin]. As a result. The frame for these logics is often taken to be the hybrid automaton. symbolic model checking has become a standard way of checking digital VLSI circuits [42]. 4 illustrates the basic steps in this iteration leading to the final determination of the fixed point. which we denote as SZ. = {PartsBin}. The use of binary decision diagrams (BDD) has made it possible to answer queries posed in CTL in a computationally efficient manner [26]. Synthesis is closely related to analysis in that parameterizing the verification or validation problems may make it possible to effectively search for system parameters that ensure the satisfiability of the specification..The first set. = {GoToBin. this fixed point can be identified after a finite number of iterations. Fig. there are two classes of problems to consider: the analysis and synthesis problems. [37]. Validation. This fixed point represents all the discrete states of the system satisfying the CTL formula 3Up.-calculus [37]. we are concerned with determining whether there exists a set of initial conditions from which there emanate trajectories satisfying the formal specification. since R. In this case. [38] attempts to extend symbolic model checking (SMC) to real-time systems. Moreover... These presets represent those discrete states from each of which there exists at least one trajectory reaching SZ. R. CTL.1. Necessary and sufficient tests are often referred to as verification tests. R. The analysis problem asks whether or not the model satisfies the specification. we see that SZ.. A similar approach has been proposed [40] for using existing verification tools to help synthesize hybrid system controllers. Now consider a sequence of sets. This work [24]. we are guaranteed that there exists some j such that R. This set consists of all discrete states that can reach a discrete state satisfying the predicate p in CTL formula 3Up.. Verificationmethods have been studied extensively by computer scientistsinterested in extending symbolic model checking to real-time systems. A full discussion of symbolic model checking is beyond the scope of this article. 3 and the CTL predicate.

however. however. This last point concerning the nonfinite nature of the computation highlights one of the weaknesses of model-checking methods as applied to hybrid systems. but this fact has not prevented the development of sufficient methods that are istill very useful. An example of a very useful sufficienit test can be found in Lyapunov’ s second method. The use of sufficient conditions in control theory has a long history. Given the importance of Lyapuinov methods. Restricted classes of rectangular hybrid automata. Giiven a dynamical system . To fire the arc between the discrete states GoToBin and PartsBin. The primary obstacle in establishing decidability of hybrid systems rests with the fact that the precursor operation for determining E may not converge.Fig. however. Deductive verification uses automated theorem-proving techniques to deduce the satisfiability of the specification. were so restrictive that it was apparent rectangular hybrid automata were of limitcd utility in modeling many hybrid systems arising in practice. (2) and (3)) sta- August 295’9 51 . however. there is no guarantee that the sequence of continuous state subsets Zt will ever converge to a fixed point after a finite number of steps. Validation In view of the undecidability of verification problems for many hybrid systems. In [49] a single Lyapunov function was useld to determine sufficient tests for switched !system (Eqs. 4. Despite this shortcoming.) = 0. Since the computation may not terminate in a finite number of steps. then the equilibrium point is Lyapunov stable. it is natural to ask whether or not we should relax our demands and settle for validation tests. a larger class of decidable hybrid systems has been identified.x(t)l < E for all t 2 0. The necessary conditions for this transformation. we say that xo is an equilibrium point if and oinly if f’(x. In concurrent systems. In general. it was suggested that the flow-box theorem could be used to straighten out hybrid systems represented by nonlinear differential inclusions into rectangular hybrid automata. These systems are referred to as o-minimal systems [45]. and thus it was important to see how useful that class of systems would prove to be. the computation of these reachable sets is not decidable [35]. it was implied in 1431 that the decidability boundary for hybrid systems may well rest with rectangular hybrid automata. it is not surprising to find a variety of results on the: Lyapunov stability of hybrid systems.Deductive verification. In particular. are also conditioned on satisfaction of the guard equation labeling the arc in question. In [44]. of course. The enabling and firing of arcs in hybrid automata. The hmope. The equilibrium point is stable in the sense of Lyapunov if for all ti > 0 there is a F > 0 such that ]x(O)/< 6 implies l. One way around this limitation is to use deductive verfication tools [46]-[48]. however. however. for rninor perturbations of these restricted classes decidability can be lost [43]. As before. These subsets can be computed using a recursive procedure similar to that used in traditional SMC methods [25]. Recently. These methods search through the state space of the system in order to verify a givein specification. is that the sufficient condition is easier to compute yet is sufficiently tight to be useful. as the basis for a number of analysis and synthesis methods in contrcil theory. verification problems for hybrid automata are undecidable. Lyapunov’s method states that if tlhere exists a positive definite functional V : W + 3 such that V ( x . let us consider the veriffication of the CTL formula 3Up where p = [PartsBin]. algorithmic model-checking methods are frequently impractical for highly concurrent systems. However. have been shown to be decidable [43]. 0 < 01. Lyapunov methods are still an extremely useful tool in the study of nonlinear dynamical systems. Extending SMC methods to hybrid systems involves solving the reachability problem for both continuous and discrete system states. Ex~-] tensions of SMC methods to hybrid systems must therefore determine methods for computing subsets. Model checking iterations. This recursive procedure computes a sequences of discrete sets Q l and continuous sets Ei. el I The significance of this larger class of decidable hybrid systems is still being investigated. Unlike traditional model checking. This method provides a sufficient test for system stability and serves. Recall that validation only requires finding sufficient conditions for a specification’s satisfiability. Lyapunov methods are well known to only provide sufficient tests for system stability (though converse results exist for linear systems). The SMC method described earlier identifies those discrete states that can reach the parts bin solely on the basis of the connectivity between logical states in the network. E. The decidability of the verification problem for hybrid systems has been an important issue driving a great deal of current work. we must also ensure that the continuous state satisfies the guard condition. The preceding discussion has focused on algorithmic verification methods. A number of fundamental control problems can be shown to be undecidable. The symbolic model-checking methods are often referred to as automatic verification methods since they require little user interveintion. ) = 0 and V(x(t):) < 0. of continuous states that allow the firing of the arc. This implies that although connectivity between discrete states is certainly necessary for reachability. often requires some set of heuristics or user input to help guide the proof process. i = f ( x ) with state trajeaories x(t). however. A s aresult. it is by no means sufficient. the number of states grows exponentially with the number of concurrent prociesses.

Examining Fig. Thus by investigating the cycles within the discrete part of the hybrid system. of course.. One such class occurs when the switched modes are linear time invariant and the switching sets are polytopic. This idea was developed more fully in [33] and [57]. However each mode shown in the attached automaton is also associated with a vertex. ( J = 1. 5 illustrates one such hybrid system trajectory and identifies the set of disjoint time intervals over which the first mode is active. This close relationship between the cycles of the discrete-event part of the hybrid system and the Lyapunov-like functions used in the stability analysis represents a fundamental way in which the continuous and discrete dynamics of the hybrid system are coupled together. The decreasing nature of a specific Lyapunov-like function. In [52] and [53]. 52 IEEE Control Systems . the pumping lemma [35] assures us that all traces can be finitely generated by a finite set of discrete-event cycles.. ( x ) that are switched on the basis of some supervisory control logic. It is also possible to use convex programming to compute other types of Lyapunov functions [55]. Fig. which showed that the use of fundamental cycles extracted from the discrete-event subsystem could be used in conjunction with the results of [52] and [53]to provide sufficient conditions for hybrid system stability... It is interesting to note that the use of fundamental cycles and Lyapunov functionals in 1571 is related to earlier studies of cyclic behaviors in hybrid automata. 5.. which the fixed point computation in the SMC iteration attempts to determine. represent approximations to the viability sets =. it was shown that piecewise quadratic Lyapunovlike functions could be determined by checking the feasibility of a certain linear matrix inequality (LMI) [54] based on a modified version of Lyapunov’s equation. Recall that the SMC iteration discussed earlier may converge to a fixed point consisting of a set of discrete states a and a subset of the continuous-state space 2. . we associate afunctionv. The results in [50] provide an important extension of Lyapunov analysis methods for the validation of switched system stability. Fig. The computational methods discussed in [57] identify fundamental cycles of the switching logic and then use LMI techniques to find Lyapunovlike functions. they do not address the role of the switching law on overall system stability. 5 illustrates a set of Lyapunov-like functionals for this particular system. The fixed points S represent viable sets of states associatedwith cycles in the discrete-event dynamics of the hybrid system.(t)between different modes. Switched Lyapunov system. As is usually the case with Lyapunov methods. Assuming there a r e N systems to switch among. the determination of such functions can only be done systematically for special classes of systems. it should be possible to formally establish the role that discrete dynamics play in determining overall hybrid system stability. A hint on how this objective might be accomplished is contained in the results of [50] and 1511. we see that a Lyapunov-like function is associated with each mode. For switching logics generated by finite automata or Petri nets. Neither of these results is constructive. Although these prior results have provided great insight into the Lyapunov stability of switched systems. This is precisely what the Lyapunov analysis discussed above approximatesfor the fundamental cycles of the switching logic.. These sets. is only evaluated when the hybrid system is in mode 1or rather vertex v. It is more practical to use the discrete-event system’s switching logic to directly assess system stability.1561. Because these points are fixed points of the iteration. The level sets of these functions are invariant under the cycle and therefore represent a viabilitykernel for the specified cycle. We say that this family of functionals is Lyupunov-like if V. Assuming that system switching is non-Zeno. say V. then the switched system is stable in the sense of Lyapunov. Such sets are sometimes called viability kernels [58].(x(t)) is decreasing over the intervals in which the jth mode is active. In [50].[5 11 have greatly extended the applicability of Lyapunov analyses for hybrid systems. Related work in [51] has relaxed some of the assumptions in [50] to provide tighter sufficient conditions on hybrid system stability. The cycles are cycles of activated systems that begin and end with the same modes. bility. we can identify a collection of closed bounded time intervals over which that system is active. a sufficient condition for switched system stability using multiple Lyapunov-like functionals was established. The result in [50] states that if there exists such a family of Lyapunov-like functions. Multiple Lyapunov function approaches [50]. 5.Fig. Therefore. for the $h mode. It was assumed that all traces generated by the switching law were available to be tested. Recall that a switched system consists of a collection of continuous systems X = f . The fundamental concept in results such as [50] and [51] is that we only have to consider the behavior of the Lyapunov function over cycles in the switching behavior.they also constitute sets of states that can be revisited repeatedly by the system. the contours of the Lyapunov-like function represent subsets of continuous states to which the system returns whenever the discrete part of the system executes a cycle returning to vertex v. there can be discontinuous jumps in the value of V. Researchers in both cases observed that it is important to check for monotone decreasing behavior of Lyapunov-like functions over cycles within the discrete trace. Note that in this result.N ) with the $h subsystem.

it was argued that an important aspect of hybrid control synthesis was to design interfaces in which the extracted DES plant accurately modeled the behavior of the continuous system [59]. The inondeterministic nature of the supervisor means that continuous-state controllers must be optimized over the worst-case decisions adopted by the supervisor. These objectives are usually conflicting. Summary This article has provided an introduction to many of the concepts and trends in hybrid systems science:. Automatica). Recursive computation of ithe viability kernel is not guaranteed to converge. Much of the work outlined here will be found in a series of workshop proceedings published1by Springer-Verlag [7]-[ 131 as well as numerous other workshops and various special issues of technical journals (Theoretical Computer Science. by way of the Schutzenberger representation theorems [165].e. Another approach for hybrid control system synthesis is based on gain-scheduling ideas [66]. but the automatic Computation of such piecewise continuous Lyapunov functions is just beginning to be studied in detail. For this approach to succeed. is that it pays relatively little attention to the switching logic and how that logic might be used to enhance system stability and performance. and differential geometry in an attempt to produce a unified framework for the synthesis of controlled hybrid systems. no universal agreement his formed August 1999 53 . The method's primary strength is that it draws heavily upon mature results in rnodern linear robust control and thus provides a mechanism by which to actually design controllers that achieve tight normThe weakness of this apbounded performance measures [69]. proach. and the growingbody of recent work dealing with hybrid system synthesis. the optimal controller is viewed as a saddle point in a noncooperative game played between the supervisor and the controller [70]. In this case. and at tlhe same time we need to ensure that the supervisor is as permissive as possible. unfortunately. and that work combines concepts from logic. The synthesisproblem.Hybrid System Synthesis Synthesis methods for hybrid control systems are still at an early stage of development. some work has attempted to define an integrated framework that directly addresses synthesis issues for both continuous and discrete parts of the system. [n contrast to these efforts. Gain scheduling [67]assumes a set of linear controllers that are switched among as the system moves through its operating range. Deductive model represent two checking [46] and hybrid Petri net fiormalisms [33] different directions in addressing the state explosion problem. In most of these works it is essential that some property of the original continuous system (such as controllability or observability) be preserved under the discretization. a computationally efficient method [71] of determining saddle points will need to be found. This subsection identifies some of the major trends in this area. Applications [2] where this method have been applied have relied on computationally intensive approaches for determining the saddle point. This article summarizes a recent synthesis of computlx science and systems science methods. is far from a mature field. The preceding approaches to controller synthesis reduced the hybrid synthesis problem to a well-understood set of continuous or discrete system synthesis problems. International Journal of Control. Precisely what constitutes accurate modeling has been discussed in a variety of paperms [60]-[62]. the extension of Lyapunov methods to hybrid systems. Specifically. Due to the introductory nature of this: article. As noted above. Hybrid systems science. All of these accomplishmentspoint to a science that shows excellent potential for having a profound impact on the way we design and develop the engineering applications of the future. Precisely how such ideas can be used to help in the design and analysis of hybrid control systems remains an open question. and the finite state machine formalism suffers from state explosion problems when dealing with highly concurrent systems. howev'er. The field is still in an early stage of development. Decidability issues also need to be treated. The strength of this apprtoach rested with its attention to the interface between the continuous and discrete subsystems. it was impossible to itemize all of the important work being performed. One method proposed extracting a discrete-event model of the continuous part of the hybrid system and then using discrete-event supervision schemes to synthesize a supervisory controller [21]. System amd Control Letters. Many approaches are being considered to address this problem. established conditions under which switched behavior would result in stable behavior. but computing the saddlepoint is nontrivial.Validation methods are currently based on Lyapunov-based irgumeints. Although a variety of frameworks has been proposed for hybrid control system synthesis. Research in the dynamics o'f switched systems and variable structure systems might be taken as early examples of this continualizationapproach. then. Other open issues in hybrid systems concern synthesis and identification issues. and this conflict leads to the noncooperative nature of the game. and a number of open questions remain. An elementary example illustrating how such switching policies might be synthesized is found in [66]. One of the dominant issues colicems computational complexity. An alternative approach to discretization is to continualize the entire system. Early work in hybrid control synthesis attempted to follow the route of traditional sampled data control design. Current directions inor reclude attempts at extending the decidability boundary [45] laxing our goals to obtain tight sufficient conditions (i. which was of direct interest to the study of hybrid systems. algorithmic model checking can be computationally intensive.Hybrid systems science is an interdisciplinary field requiring a familiarity with methods and concepts from computer science and traditional systems science.. but some important results and discoveries have already been made. Principal milestones in hybrid system science include early work on verificationusing hybrid automata. There have recently been significant applications of these methods in traffic control. model validation) for system safety [50]. Discrete Event Dynamic Systems. Gain scheduling has been studied extensively in the control systems community. and chemical proces control [1]-[6]. The resulting series representations of the controlled systems. This viewpoint of hybrid controller synthesis is very elegant from a theoretical standpoint. automata theory. Early work in this area [68]. automotive systems. involves determining a controller such thit the series representation of the continuous state trajectory satisfies specified safety conditions. IEEE Transactions on Automatic Control. This continualized approach was first discussed in [63]. A very sophisticated approach [63] to continualization was based on the use of formal power series to represent the continuous state trajecto(Lie-Fliess series) [64] ries generated by the hybrid systems.could then be used to extract finite automata generating the desired switching logic for the hybrid sys tem.

[36]E.1987.D. [ 171 J. SpringerVerlag. 1st Euopean Control Con$. Alla. 8. Sastry. “Approximating automata and discrete control for continuous systems: Two examples from chemical process control. Ho. vol. 1273. Conf Fundamentals of Computation Theory. eds. H. Olivero. [20] M.A. “Duration calculii: An overview. Demongodin and N. vol.” Proc. References [I] S.A. 1281 R. Dill. no. P. Theory. Springer-Verlag.A. eds. [21] J. Kowalewski. vol.” in 7th Int. 1999. Antsaklis. 5. and I.” Proc. “Timing-based mutual exclusion.. M. 1997. Additional work is needed in determining the role that Zeno-type or sliding mode control might play in hybrid system supervision. 43.P.W.. F. Nerode. and H.” Theoretical Computer Science. [32] J. and R. 23. no. and S. 1567. 44. Simon. pp.D. 1997. 1981.110. pp.” in Hybrid Systems. A.J. “Variable structure control of nonlinear multivariable systems: A tutorial. 11/12. and P. P. 1995. Shavit. 1187-1208. Meyer. Lecture Notes in Computer Science. 85. 76.S. 43. 104. Springer Verlag. 111. 3-11. M. Lecture Notes in Computer Science. Witsenhausen. M. no. Analysis. Yi. vol. C. 2. pp. Lecture Notes in Computer Science. vol. Nicollin. 1993. W. Sastry. and S.vol. Control and Optimization. Germany. [27] T. no.N. [35] J. France. Automat.M. T. Pottosin. 1994. M.” SIAM J.D. Henzinger. D. [39] C. and A. Introduction to Automata Theory. and S. eds.” Information and Computation. vol. and H. Kohn. “Characterizing properties of algoiithins as fixed points. Sasm. [ 121Hybrid Systems: Control and Computation. Lemmon. 1371 R. O’Reilly and Associates. 16. 569-573. eds. 999. eds. “Differential Petri nets: Representing continuous system in a discrete-event world.” in Nonlinear Analysis. 2-34. 1991. Yovine. Ravn. [ 151 R. vol. Nerode. Antsaklis. Springer-Verlag.P. SangiovanniVincentelli. [6] R. Sastry. “Differential automata and their discrete simulators. 3-34.” in Hybrid Systems: Computation and Control. Contr.M. and Computation. Kohn.L. 1993.. 1995. vol. “The theory of timed automata.G. Contr. Symbolic Model Checking. A. Treseler. Nerode.N. 1381T. ed. A. Automata Languages and Programming. Tittus.” in Theoretical Computer Science. “Hybrid models for motion control systems. and T. Tomlin. X. 1995. M. Alur. “Studies in Hybrid Systems: Modeling. Lecture Notes in Computer Science.J. “Hybrid petri nets.J. 29-53. Lecture Notes in Computer Science. A. Aubin and A. 1999.S. “Symbolic model checking for real-time systems. Dissertation. 1984. [26] K. Henzinger. 1998. pp. Raisch and E. Springer-Verlag. Lecture Notes in Computer Science. 1386. W. 573-578. 1241R. Kohn. vol. it should be noted that very little attention has been paid to the issue of hybrid system identification and event detection. eds. “Conflict resolution for air traffic management: A study in multiagent hybrid systems. no. eds. 1567. Sastry. 206-230. and E. 1999. A. 1996. vol. Lemmon. M... Brockett. Yovine. Lemmon and K.J.. 1993. [29] K.” Control SystemsMagazine. Kluwer Academic. Koussoulas.concerning the best approach to follow. and S. Addison-Wesley. 1386. 1998. Graf. J. Zhou.. 25. “Supervisory control of a class of discrete event processes. verification and control. 1066. Sifjakis. Courcoubetis. R. J. pp. [7] Hybrid Systems.vol. Fritz. “Model checking in dense real time. Wonham. 1995. T. LeBail.A. Kohn. Tavernini. “A user’s guide to HyTech. vol. 665-683. Springer Verlag. Nerode. Automat. vol. “Hybrid systems in process control. Future work is needed in the development of automatic synthesis methods that integrate discrete-event and continuous controllers satisfying complex temporal logic specifications. C.E.N.W. Sastry. Lecture Notes in Computer Science. Sifakis. Henzinger. Lemmon. Lecture Notes in Computer Science. De Benedetto. Ravn. 736. andS.IEEEComputer SocietyPress. Lemmon. 1993. “Modeling hybrid control systems using programmable Petri nets. Reichel. [2] C. no. Methods and Applications. A.. Lecture Notes in Computer Science. and S. March 1988. Finally. Bjorner. 9-10. and H. [31] M. 138. W. He. pp. Ramadge and W. Zak. P. 1995.D. and S.D. B. [ 181R. T. Languages.D.. [9] Hybrid Systems III.N. 45-56. “Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems. Lynch and N. Alur. Pappas. P.” Proc. vol. “A class of hybrid-state continuous time dynamic systems..pp.D. 1993. 736.L. Lecture Notes in Computer Science. [3] B. P. Matthews.T.J.A. Heymann.-H. 965. 1987. Lecture Notes in Computer Science. andS. S...N.. eds. vol. Antsaklis. C. Sontag.O. DeCarlo.1996. H. Lecture Notes in Computer Science. Contr. P. pp.” in Mathematical Computer Modeling.4. Programming for the Real World.D. vol.” in Hybrid Systems V . Lemmon. Wong-Toi. Ph.” Proc. Springer-Verlag. P. 4. eds.” in First Workshop on Tools and Algorithms for the Construction andAnalysis ofSystems: TACAS94. Lecture Notes in Computer Science. Halbwachs. Sastry.” in Essays in Control: Perspectives in the Theory and Its Applications. Broy. [8] Hybrid Systems II.” in Hybrid Systems V. Henzinger. Kohn. X. Lin. Lecture Notes in Computer Science. Ho. and W. [14] N. 1567. Antsaklis.” IEEE Trans. IEEE. Lecture Notes in Computer Science. Larsen. Alur and D.N. McMillan. pp. A. pp. 1331 M.J. vol. A. Nerode. 1998. 1. “The algorithmic analysis of hybrid systems. Differential Inclusions..X. [30] L.1998. A.. POSIX. Springer-Verlag. 735. eds.-H. vol.” Proc. Springer-Verlag. 2. Sastry.J. W. Po.A. 1999. 1979. Courcoubetis. Lecture Notes in Computer Science. vol. O’Young. and M.. Automation. Farina. Sastry. 1995. 3. Springer Verlag. Automat. 1993. Nerode. Gallmeister. Boston: Birkhauser. vol..” in Hybrid Systems V . Berlin. [ l l ] Hybrid Systems V . Nerode. eds. “A case study in tool-aided analysis of discretely controlled continuous systems: The two tanks problem. [4] J. vol. 32.N.P. 11. “A logical DES approach to the design of hybrid control systems. W. Springer-Verlag. [16] H. vol. vol. and D.. “Discrete approximations and supervisory control of continuous systems. Rossi. [22] P. Springer-Verlag. G. Formal Methods in Programming and Their Application. [23] J.Stursberg. R. vol. P.” IEEE Trans. no. Egardt. Dresden. [SI C. Clarke and E. pp. Ullman. Contr.H.” in Information and Computation. Hopcroft and J. 13th IEEEReal-TimeSystewzsSymp. Courcoubetis. vol. Raisch and S.J. Springer-Verlag.. Alur. [25] R. ed. 126. 3. pp. 1966. Preussig. Antsaklis. S. eds. 6. 105-136. R. Klein. Springer-Verlag. T. and Control. P. 1998. pp. Grossman. Henzinger. Dill. loth Int. Balluchi. Henzinger and S. Alur. [13] Hybrid andReal-Time Systems: Hart’97. vol. 1996. and S. Springer-Verlag. LIDS. M. Pinello. 1201.P. [lo] Hybrid SystemsZV. Petterson.1994. vol. pp.A. C. vol. Nicollin. C.T. andG.A. “Towards using hybrid automata for the mission planning of unmanned aerial vehicles. vol. Rischel. 54 IEEE Control Systems . H. Kohn.A. vol. 55-76. M.” in Discrete Event Dynamic Systems: Theory andApplications.” LIDS-TH-2304. “Hybrid control for automotive engine management: The cut-off case. and G. Colloq. Springer-Verlag.” in JESA-European J. Lennartson. Branicky.” IEEE Trans. 1019. Springer-Verlag. J. Cellina..1993. Stiver. Rischel.-H.D.” IEEE Trans.P. Antsaklis. Seibel and J. Grenoble. pp. Maller. no. David. 1998. “Model-Checking for Real-Time Systems. 161-167. S. no. Emerson.D. 1191R. 11.-M. 1567. “Synthesis and viability of minimally interventive legal controllers for hybrid systems. 193-235.4. 193-244. [34] I. no.A. 0. Henzinger and S. Pettersson.W. Grossman. Massachusets Institute of Technology. Antsakis. A. Nerode. Automat. 1999.

Ravn. Cola$ Decision and Control. Clarke and E. 37th IEEE Conf Decison and Control. vol. “Inductively inferring valid logical models of continuous state dynamical systems.” Proc. 32. Dill.D. 1998. [61] P. ’Jaraiya.” Proc. 138.R. Beijing. Lemmon received the B.S. Theory o 1995.O. Stiver. Kobe.A. Japan. Hassibi and S. A. Lemman has been affiliated with the University of Notre Dame where he currently holds the position of associate professor of electrical engineering. Lecture Notes in Computer Science.” Proc. 36th IEEE Cor$ Decision and Control. is an associate editor of thelEEE Transactionson Control Systems Technology. 27. at the Urdversity of Notre Dame. E. [64]A. Dr. May 1998. Univ. Lemmon returned to graduate school and received M S and Ph. vol.” Proc. California. Lennartson. Wellstead. A N Nerode. Control. Manna and H.E. 35th Con$ Decision and Control.A.A. [66] M. Symp. respectively. Ghaoui. 1999. K. 3Sth Con$ Decision and Control. G. 1998. verification and supervision of hybrid systerms. vol. degree in 1995fromTsinghua University. [47] H.” Automatica. Bulgaria. pp. vol. Rantzer. “Deductive model checking. Sastry. Kohn.D. vol. Isidori. Kobe Japan. “Stabilization of orthogonal piecewise linear Lyapunov-like functions.Lecture Notes in Computer Science. 999. Automata Theoretic Aspects of Formal Power Series.E. San Diego. “On controller synthesis for nonlinear hybrid systems. eds. Hwang. A. [57] K.E.B.” Technical report UCB/ERLM98/29. in 1’972.S. 1995. P. A. He currently chairs the IEEE Working Group on Hybrid Dynamcal Systems.” Hybrid Systems: Control and Computation. Automat. [54] S. “Bounded amplitude performance of switched LPV systems with applications to hybrid systems.K. “Asymptotic stability of m-switched systems using Lyapunov like functions.” in HybridSystemsIf. Springer Verlag. 1996. L.” in Hybrid Systems: Computation and Control.” Proc.L. Studies in Applied Mathematics. 1999.D. Michel. Balakrishnan. 43. and S. 1102. A.. 1998. 1997. Antaklis. Springer-Verlag. Vol. N. 131. Shamma and M. 27th Ann. Laffenriere. Dr.J. Lecture Notes in Computer Science. and P. Kopke. Uribe. 1993. 1998. Lemmon. 1996. Tampa. 43. Godbole. Grossman.. [53] M. pp. (1998) degrees in control engineering from Technical University of Sofia. Springer-Verlag.P. Kohn.” Int.L. and P. Muir. “Hierarchically consistent control systems. 15. Berkeley.” in Hybrid Systems. 70. Dr. [70] J. Antsalus. pp 271-288. Pettit. Dec.J. 1996. 37th IEEE Con$ Decision and Control.. - *- Ivan Valentinov Marltovsky was born in Sofia. Lecture Notes in Cornputer Science. Presently he is pursuing hds Ph. Emerson. [67] J.X.S. 1561A. Lecture Notes in Computer Science. Caines and Y. vol. vol. Kevin X. Sastry. San Francisco. Johansson and A. Pappas. (491 P.E. “Synthesis of contollers for linear hybrid automata. China. August 1999 55 . 8th Int.E. and S.E degree in 1998 from the University of Notre Dame. vol. D. 4. and H. [59] J. Wei. Boyd. [63] A. “Straightening OUI rectangular differential inclusions. Manna. Lemmon. “Multiagent hybrid system design using game theory and optimal control. no. [58] A. no. degree in Electrical Engineering at the University of Notre Dame. FL. DeCarlo. Automat. 1711J. Pun.M. “A class of Lyapunov functionals for analyzing hybrid dynamical systems. and Z.J. Lemmon and P. J.R. 2. and the M. Wong-Toi.” Proc.Nonlinear Control Systems. American Contr. Lecture Notes in Control and Information Sciences. Springer-Verlag. P. Springer Verlag. G.S. Pappas. Pnueli. Sastry. June 1990. and S.Berlin. 1981.D. [62] G. J. “What’s decidable f Computing. Lygeros. pp. pp. 1998. Henzinger.L. Hou. Pappas and S. Ye. Lygeros. Yfoulis. “Stability and robustness of hybrid systems. Soittola. C. Nerode. Logic in Computer Science. China. [65] A. Control Using Logic Based Switching. Lemmon’s research mterests focus on the development of high-autonomy control Systems. 736. Currently he is working.” in System and Control Letters.D. 2. 1190-1195.” Proc.” to appear in Automatica. He was born in Tianjin. 1998. 1990.”Proc. eds. Tomlin. 4th Ann.J.”lEEE Trans.J. pp. 1991. Con$.” Proc. Bett and M. 201-210.” Proc. 1998.D.431 T. D. [45] G. 1996. “Viable control of hybrid systems..79-85. Springer-Verlag. and S. [68] A S . “Stability analysis of switched systems. Deshpande and P.” Proc. 1. American Control Con$. Boyd. Feb.S. He obtained the B. andH. “An invariant based approach to the design of hybrid control systems. W A C f 3 t h Triennial World Congress. 2nd ed. Japan. [46] Z. CA. He received the B. McMillan. T. toward his Ph. A.S. Springer-Verlag. Athans. 1996. (1997) and MS. no.S.R. degree in electrical engineering from Stanford University in 1979. 1421 J. 1995.[40] H. Burch. ACM S:imp. P. Con5 Decision and Control.Springer-Verlag. “Multiple Lyapunov functions and other analysis tools for switched and hybrid systems. and T. “Safe implementations of supervisory commands. and S. He and M.N. [44] G. eds.J. about hybrid automata. 257-263. Lemmon. His research interests lie in the modeling. vol. Sipma. Manna and A. 222. “Symbolic model checking: lo2’ states and beyond. no. E. 1386. Michael D. Sipma. 1973. California. J. Sastry.P. Clarke. vol. switched system stability and nonlinear control. “The hierarchical lattices of finite state machines. Peleties and R. vol. “Deductive verification of hybrid systems using STeP. vol.N.M.. “Guaranteed properties of gain scheduled control for linear parameter-varying plants. arid is Program Chair for the 1999 International Symposium on Intelligent Control. Lecture Notes in Computer Science. 1551 C. and M. Springer-Verlag.J. Kischel. 1411 E.” Proc. 4. Temporal Verz3cation o f Reactive Systems: Safety. 1521S. vol. His research interests are optimization methods in control. Bett. “Synthesis of synchronization skeletons for branching time temporal logic. 1994.L.J. pp. Lafferriere.” in Logic ofPrograms: Workshop. Con$ Computer Aided Verljcication. degrees in electrical and computer engineering from Carnegie Mellon University in 1987 and 1990. 1989. 25. Kobe. Conrr. pp. [SlJ L. Sastry.”Systenzand Control Letters. Springer-Verlag. and V. 1679-1684. (501M. Varaiya.N.A. 1998. Dr. 457-472. April 1998. Florida.D. Antsakis. Salomaa and M. The master’s thesis was completed in Delft Unjversity of Technology in 1998. Dec. Nerode and W. Lemmon is a former associate editor of the IEEE Transactionr on Neural Networks and was program chair for the 5th International Workshop on Hybrid Systems (1997). Petterson and B. 1995. Lemmon and C. 1386. Feron.J. “Multiple agent hybrid control architecture. in 1974. “Computation of piecewise quadratic Lyapunov functions for hybrid systems. 1997. “Lyapunov stability of continuous valued systems under the supervision of discrete event transition systems. SIAM. Bulgaria.” Proc. 559564. “0-minimal hybrid systems.E. [69] C.D.” in Theoretical Computer Science. Sep. W.. Branicky. Since 1990.. 1994. Contr. Dec. vol. Dexter and Kozen. 1481 Z. After 7 years as a guidance and control systems engineer in the aerospace industry. Tampa. vol. [60] M. Sastry. P. Morse.” IEEE Trans. LinearMatrixInequalities in System and Control Theory.

Sign up to vote on this title
UsefulNot useful