Hybrid Simulation Safety: Limbos and Zero Crossings

Physical systems can be naturally modeled by combining continuous and discrete models. Such hybrid models may simplify the modeling task of complex system, as well as increase simulation performance. Moreover, modern simulation engines can often efficiently generate simulation traces, but how do we know that the simulation results are correct? If we detect an error, is the error in the model or in the simulation itself? This paper discusses the problem of simulation safety, with the focus on hybrid modeling and simulation. In particular, two key aspects are studied: safe zero-crossing detection and deterministic hybrid event handling. The problems and solutions are discussed and partially implemented in Modelica and Ptolemy II.

💡 Research Summary

The paper addresses a critical gap in hybrid modeling and simulation: while modern simulation engines can efficiently generate traces for systems that combine continuous dynamics with discrete events, there is little systematic assurance that the results are correct. The authors introduce the notion of simulation safety, defining a safe simulation as one in which no untrapped errors occur, and a safe simulation environment as one that guarantees this property for any model. They focus on two classes of errors that have traditionally been treated as modeling problems but are, in fact, simulation errors: unsafe zero‑crossing detection and accidental determinism.

The first class is illustrated with the classic bouncing‑ball example. A zero‑crossing detector is used to trigger a velocity reversal when the ball contacts the ground. Because most detectors rely on a tolerance threshold and may overshoot the exact crossing, the detector can miss the final impact when the ball’s height becomes extremely small (on the order of 10⁻⁹). The result is a “tunneling” effect where the ball passes through the ground, a purely numerical artifact unrelated to the Zeno behavior of the model. The authors argue that this is an untrapped simulation error and that a safe environment should either raise an exception or abort the simulation before the tunneling occurs.

The second class concerns simultaneous discrete events. Using a Modelica model of three frictionless, perfectly elastic balls that collide at the same instant, the paper shows that the order in which the two when‑clauses (detecting collisions between ball 1‑2 and ball 2‑3) are evaluated determines the post‑collision velocities. Although Modelica is declarative and the order of equations should be irrelevant, the underlying simulation engine processes the when‑blocks sequentially, leading to “accidental determinism”: the same physical situation yields different simulation traces depending on implementation details. When the distances are exactly equal, the simulation produces physically impossible interpenetration and a biased direction for the middle ball, exposing nondeterminism that is hidden by the engine’s deterministic but arbitrary ordering.

To turn these untrapped errors into trapped, manageable ones, the authors propose a “limbo state”. When a potential error is detected (e.g., a zero‑crossing missed or simultaneous events), the simulation immediately transitions to a limbo mode. In this mode the modeler can either define a safe recovery action or allow the environment to abort and report a clear error. This mechanism makes the error explicit, enabling debugging and preventing silent propagation of incorrect results.

The concept is partially implemented in Modelica and Ptolemy II. In Modelica, a limbo block is added to when‑equations; if the crossing condition is not satisfied within the tolerance, the block raises an exception that can be caught by the model. In Ptolemy II, the event scheduler is extended with a check for simultaneous events; if such a situation is detected without an explicit priority, the simulation halts with a deterministic error message. Experimental results show that the bouncing‑ball no longer tunnels and that the three‑ball collision yields consistent, physically plausible outcomes regardless of equation ordering.

Overall, the paper makes a compelling case that simulation safety should be treated as a first‑class concern in hybrid modeling frameworks. By distinguishing simulation errors from modeling errors and providing a concrete mechanism (the limbo state) to trap them, the authors improve the reliability and debuggability of hybrid simulations. Future work is suggested to generalize the limbo concept across more simulation platforms and to integrate it with formal verification tools for hybrid systems.