Hybrid Automata: Models and Verification

Updated 4 September 2025

Hybrid automata are formal models that integrate discrete transitions with continuous dynamics, enabling rich representations of cyber-physical systems.
They provide a framework for rigorous analysis and verification, with key methods including timed automata and rectangular abstractions.
Applications span embedded control, automotive systems, and runtime verification, highlighting their practical impact in safety-critical domains.

Hybrid automata are formal models for capturing the interplay between discrete transitions and continuous dynamics, and serve as the primary mathematical abstraction for modeling, analysis, and verification of cyber-physical systems and mixed discrete-continuous behaviors. Since their inception, the hybrid automaton framework has evolved to encompass multiple mathematical representations, computational semantics, and application-driven extensions, forming the backbone of much of contemporary systems verification, embedded control, and automatic synthesis research.

1. Mathematical Structure and Formal Definitions

A hybrid automaton is defined formally as a tuple $H = (M, M_0, \Sigma, X, \Delta, I, F, V_0)$ , where:

$M$ : Finite set of discrete control modes (or locations), each representing distinct qualitative behaviors.
$M_0 \subseteq M$ : Initial modes.
$\Sigma$ : Finite set of actions or events, interpreted as labels on discrete transitions.
$X$ : Finite set of real-valued variables that encode the system’s continuous state.
$\Delta \subseteq M \times pred(X) \times \Sigma \times pred(X \cup X') \times M$ : Transition relation, where each tuple defines a guarded, possibly resetting, jump between modes.
$I: M \to pred(X)$ : Invariant for each mode, restricting continuous evolution within that mode.
$F: M \to \mathcal{F}$ : Flow map, assigning to each mode a system of ordinary differential equations (ODEs) describing $\dot{X} = F(m)(X)$ .
$V_0$ : Set of initial valuations for continuous variables.

This composite structure generalizes finite automata by adding continuous evolution via ODEs inside each mode. The system’s state thus evolves along a “hybrid trace” that alternates between continuous flows (subject to invariants) and discrete jumps (triggered by guards and resets), forming a time-indexed sequence $(m_0, v_0), \ldots, (m_k, v_k)$ . A prototypical example is the bouncing ball automaton, where free-fall and bounce phases are captured in distinct modes, and changes in velocity via resets at ground impact.

2. Dynamics: Continuous Flows and Discrete Transitions

In each mode $m \in M$ , the system follows continuous evolution governed by a flow $F(m)$ , typically ODEs such as $\dot{x} = f(x)$ . This continuous trajectory must remain within the invariant $I(m)$ at all times. When the guard $g \in pred(X)$ of a transition $\delta = (m, g, \sigma, r, m')$ is satisfied (i.e., the continuous state hits the guard set), the system instantaneously switches to mode $m'$ , potentially resetting variables according to $r$ . Discrete transitions may be controlled by actions ( $\Sigma$ ) or by the autonomous dynamics crossing certain boundaries in the state space.

The interaction is formalized by the alternation of "flows" (continuous evolution subject to ODEs/invariants) and "jumps" (discrete transitions dictated by guards and resets), yielding an execution semantics that captures the full spectrum of hybrid behaviors. This structure enables modeling not only physical plants (with continuous evolution) but also control logic (with discrete mode switching).

3. Reachability, Verification, and Undecidability

The principal verification question in hybrid automata is reachability: can a mode (typically encoding an unsafe or goal condition) be reached from some initial state? This problem underpins most safety and liveness specification checking.

For general (nonlinear or unrestricted) hybrid automata, reachability and LTL model-checking are undecidable, as proved by reductions from the halting problem of Minsky machines or piecewise-constant derivatives systems (Krishna et al., 2015). Undecidability arises from the combination of unbounded continuous state spaces, arbitrary ODEs, and the expressive power of the discrete transitions.

Nevertheless, important subclasses render verification tractable:

Timed Automata: Restricting all ODEs to clocks with constant rate (typically $\dot{x} = 1$ ) and guards/invariants to clock comparisons allows finite region abstraction and leads to PSPACE-complete model checking (Krishna et al., 2015, Kamireddy, 2018). Tools like UPPAAL and Kronos exploit these properties.
Constant-rate Multi-mode Systems and WSHA: Singular automata with constant vector fields (possibly restricted by rank ordering and common safety sets) allow NP-complete reachability and PSPACE-complete LTL checking for WSHA—adding even a single unrestricted clock or arbitrary variable resets restores undecidability (Krishna et al., 2013).
Rectangular and Multi-rate Automata: Different variables evolve at different fixed rates but are forced to reinitialize ("reset") when changing modes, enabling the construction of finite bisimulation quotients.

Thus, reachability, safety, and liveness preservation in hybrid automata are highly sensitive to the modeling primitives and restrictions.

4. Modeling Real-world Systems: Cyber-Physical Systems and Applications

Hybrid automata are central to the formal modeling of cyber-physical systems (CPS), which involve tight integration between discrete (cyber) control and analog (physical) processes. Their expressiveness supports:

Real-time and Embedded Systems: E.g., modeling of job-shop scheduling and protocol timing (using clocks and discrete coordination (Kamireddy, 2018)).
Control Systems: Detailed modeling of process plants, as in bouncing ball, thermostat, cruise control, cardiac pacemaker, and valve/tank systems (Krishna et al., 2015, Kleinert et al., 2019, Kamireddy, 2018).
Automotive and Robotics: For instance, ABS or engine timing modules, where both abrupt transitions (valve actuation) and smooth physical evolution coexist (Saberi et al., 2021).
Formal Synthesis: Synthesis of digital controllers enforcing temporal logic specifications can be cast as controller synthesis over hybrid automata (e.g., translating supervisory control problems with CTL/LTL goals into the automaton’s language (Loohuis et al., 2012)).
Plant Emulation and Code Generation: Restriction to suitable HA subclasses (well-formedness) enables code generators such as SHA-based approaches that avoid runtime numerical ODE solvers, supporting real-time "Plant-on-a-Chip" deployment (Malik et al., 2015).
Runtime Verification and Monitoring: Interval analysis and validated simulation (e.g., HySIA (Ishii et al., 2017)) provide formal enclosures for system trajectories and enable reliable on-the-fly monitoring against STL (Signal Temporal Logic) properties.

These applications are supported by scalable tool stacks, including UPPAAL, HyTECH, Kronos, Red, PHAVer, and formal code generators.

5. Extensions, Learning, and Approximation Semantics

The hybrid automaton framework has been generalized and adapted to numerous advanced modeling scenarios:

Approximate Symbolic Semantics: To tackle finite-precision observations and noisy executions, over-approximation (tilde semantics) and under-approximation (ε- and bottom semantics) are developed. They afford robust reachability computations and safety analysis tolerant to uncertainties and measurement errors (Casagrande et al., 2013).
Learning Hybrid Automata from Data: Algorithms for passive online and offline learning synthesize automata from input/output traces using segmentation (e.g., dynamic time warping for nonlinear dynamics (Saberi et al., 2021)), regression for flow conditions, and association of jump conditions via input events or temporal constraints. Active research addresses the learning of both structure (modes and transitions) and continuous dynamics in polynomial or affine forms (Soto et al., 2021).
Invertibility and Explicit Control: Flat Hybrid Automata (FHA) formalize subclasses where both continuous and discrete subsystems admit explicit inversion, allowing for deterministic, schedulable, and reachable constructs—especially useful in fast-reacting control scenarios such as electrical networks or tank systems (Kleinert et al., 2019).
Action Representation and Automated Reasoning: Hybrid automata can be translated into first-order action languages (such as $\mathcal{C}^+$ ), maintaining correspondence between discrete and continuous evolutions and enabling SMT-based automated planning and verification (using tools like dReal in the context of ASPMT) (Lee et al., 2017).

Additionally, hybrid automata have been extended to incorporate richer mathematical structures (e.g., partial differential equations in PDHA for spatially distributed systems (Bao et al., 18 Apr 2024), and max-plus algebra for discrete-event synchronization (Gupta et al., 2021)) and new computation paradigms (e.g., QSHA using dynamic quantum selection for precise simulation (Malik et al., 2018)).

6. Verification Tools, Computational Methods, and Practical Impact

Practical verification and monitoring tools exploit the theoretical properties and subclasses of hybrid automata. For example:

Model Checkers and Simulator Emulators: Tools like UPPAAL, Kronos, and PHAVer implement algorithms for symbolic state exploration via region or zone abstractions, tailored to timed and rectangular automata (Krishna et al., 2015).
Interval and Parallelotope Methods: HySIA utilizes interval arithmetic and parallelotope representation to compute reliable overapproximations of trajectories, and robustly monitors STL properties across entire sets of initial conditions, supporting semi-symbolic validation (Ishii et al., 2017).
Plant Emulation and Code Generation: Synchronous approaches (e.g., SHA realized in WHA) can eliminate the need for numerical ODE solvers and support generation of modular, real-time emulation code, facilitating embedded deployment (Malik et al., 2015).
Computational Complexity: For most expressive classes, verification complexity ranges from NP-complete (WSHA reachability) up to PSPACE-complete (LTL/CTL model-checking in timed automata), with undecidability prevalent for general continuous, nonlinear, or unrestricted jump settings (Krishna et al., 2015, Krishna et al., 2013).

Verification techniques have enabled the safe deployment of hybrid-automaton-modeled controllers in automotive, aerospace, embedded, and industrial systems.

7. Research Directions and Emerging Paradigms

Current and future research directions include:

Extending hybrid automata to fully capture distributed, spatial, or infinite-dimensional systems (e.g., with PDE dynamics (Bao et al., 18 Apr 2024)), or alternative algebraic structures (e.g., max-plus for DES synchronization (Gupta et al., 2021)).
Improving state-space abstraction and reduction techniques, supporting scalable verification for high-dimensional and complex models.
Integration of learning algorithms (passive and active) capable of synthesizing hybrid automata from incomplete, noisy, or high-dimensional observation data (Saberi et al., 2021, Soto et al., 2021, Liu et al., 3 Mar 2025).
Enhanced modular and compositional design, supporting plant and controller code synthesis with formal semantic preservation guarantees.
Bridging the gap between simulation, verification, and code generation (for both embedded software and hardware) and developing runtime verification tools for online safety certification.
Investigation of optimization, game-theoretic control, and probabilistic extensions, capturing more sophisticated real-world behaviors, uncertainty, and adversarial environments.

Hybrid automata continue to serve as a unifying mathematical foundation for the analysis, synthesis, and verification of complex systems operating at the intersection of digital and analog dynamics, underpinning a broad range of applications across science and engineering.