Results 1 - 10 of 12
Symbolic Analysis for Improving Simulation Coverage of Simulink/Stateflow Models
Cited by 6 (1 self)
Aimed at verifying safety properties and improving simulation coverage for hybrid systems models of embedded control software, we propose a technique that combines numerical simulation and symbolic methods for computing state-sets. We consider systems with linear dynamics described in the commercial modeling tool Simulink/Stateflow. Given an initial state x, and a discrete-time simulation trajectory, our method computes a set of initial states that are guaranteed to be equivalent to x, where two initial states are considered to be equivalent if the resulting simulation trajectories contain the same discrete components at each step of the simulation. We illustrate the benefits of our method on two case studies. One case study is a benchmark proposed in the literature for hybrid systems verification and another is a Simulink demo model from Mathworks.
Generating and Analyzing Symbolic Traces of Simulink/Stateflow Models
Cited by 4 (1 self)
We present a methodology and a toolkit for improving simulation coverage of Simulink/Stateflow models of hybrid systems using symbolic analysis of simulation traces. We propose a novel instrumentation scheme that allows the simulation engine of Simulink/Stateflow to output, along with the concrete simulation trace, the symbolic transformers needed for our analysis. Given a simulation trace, along with the symbolic transformers, our analysis computes a set of initial states that would lead to traces with the same sequence of discrete components at each step of the simulation. Such an analysis relies critically on the use of convex polyhedra to represent sets of states. However, the exponential complexity of the polyhedral operations implies that the performance of the analysis would degrade rapidly with the increasing size of the model and the simulation traces. We propose a new representation, called the bounded vertex representation, which allows us to perform under-approximate computations while fixing the complexity of the representation a priori. Using this representation we achieve a trade-off between the complexity of the symbolic computation and the quality of the under-approximation. We demonstrate the benefits of our approach over existing simulation and verification methods with case studies.
Design and validation of digital controllers for hydraulics systems
In The 10th Scandinavian International Conference on Fluid Power, 2007
Cited by 2 (2 self)
In order to increase the flexibility and performance of hydraulically actuated machines there is a demand for more intelligent controllers. This leads to a rapid increase in complexity of the control systems. To manage the complexity and to ensure reliability of these systems, adequate software development methods are needed. In this work, we propose a methodology for structured design of digital hydraulics controllers in Simulink/Stateflow. A model architecture based on mode-automata is introduced to separate control and data processing. Furthermore, design by contract is advocated as a method for system development. The contracts can be used to mathematically reason about correctness of Simulink/Stateflow models and thereby increase the safety and reliability of the developed systems. The usefulness of these concepts is demonstrated on a larger case study from the area of digital hydraulics.
Modular Code Generation from Triggered and Timed Block Diagrams
Cited by 2 (2 self)
In previous work we have shown how modular code can be automatically generated from a synchronous block diagram notation where all blocks fire at all times. Here, we extend this work to triggered and timed diagrams, where some blocks fire only when their trigger is true, or at statically specified times. We show that, although triggers can be eliminated, this is not desirable since it destroys modularity and may also result in rejecting some diagrams that could be accepted. To avoid this we propose a modular code generation method that directly accounts for triggers. We also propose methods specialized to timed diagrams. Although timed diagrams are special cases of triggered diagrams, treating them directly allows us to obtain efficient code. We achieve this by enriching the interface of a macro block with firing time information and using this information to avoid firing the block unnecessarily. Existing firing time representations are generally conservative, in the sense that they cannot represent the exact set of firing times of a macro block, but a super-set. To remedy this, we devise a novel and accurate (exact) representation. This representation uses finite automata and is amenable to algebraic manipulation and generation of efficient code.
Stepwise development of Simulink models using the refinement calculus framework
2007
Simulink is a popular tool for model-based development of control systems. However, due to the complexity caused by the increasing demand for sophisticated controllers, validation of Simulink models is becoming a more difficult task. To ensure correctness and reliability of large models, it is important to be able to reason about model parts and their interactions. This paper provides a definition of contracts and refinement using the action systems formalism. Contracts enable abstract specifications of model parts, while refinement offers a framework to reason about correctness of implementation of contracts, as well as composition of model parts. An example is provided to illustrate system development using contracts and refinement.
Formal Definition of a Mode-Automata Like Architecture in Simulink/Stateflow
2007
As embedded control systems are becoming more complex, there is a need for new software development and structuring techniques. The combination Simulink/Stateflow has become a popular tool for model-based design for this type of hybrid system, due to the simulation and analysis tools available. To enable design and validation of large complex systems in Simulink/Stateflow, an appropriate model architecture is needed. Mode-automata is such an architecture, where control is strictly separated from signal processing. In this paper we give a formal definition of mode-automata in Simulink/Stateflow. This gives a precise definition of an architecture that restricts Simulink/Stateflow to a safe and easy-to-use subset that is easy to verify, but still usable in practice. We propose syntactic rules to check that a given Simulink/Stateflow model complies with our mode-automata architecture and we illustrate the approach with a controller for a digital hydraulics system.
Towards Scalable Verification of Commercial Avionics Software
We describe a model-based approach for the automated verification of avionics systems that has been applied in Honeywell for the certification of complex avionics applications, such as flight controls and engine controls. The approach uses a symbolic analysis framework for MATLAB Simulink models, utilizing range arithmetic to represent test cases and equivalence-class transformations within a model diagram. Backwards search from a set of desired test-case values within the diagram is combined with forward-directed simulations from the inputs to resolve constraints and select values in the visited paths, leading to a set of diagram input/output values that produce the test case. Utilizing this approach, Honeywell has achieved 20 − 50× reduction in certification costs compared to traditional analysis and testing methods, while maintaining scalability on complex real-life problems. As an example of the efficiency of this verification method, we describe a common design flaw that was uncovered in the early design phases of avionics software. We argue that finding such design flaws is extremely hard by alternative methods such as directed or random simulations and traditional model checkers.
Application and Verification of Local Nonsemantic-Preserving Transformations in System Design
2008
Due to the increasing abstraction gap between the initial system model and a final implementation, the verification of the respective models against each other is a formidable task. This paper addresses the verification problem by proposing a stepwise application of combined refinement and verification activities in the context of a synchronous model of computation. An implementation model is developed from the system model by applying predefined design transformations, which are either 1) semantic preserving or 2) nonsemantic preserving. Nonsemantic-preserving transformations introduce lower level implementation details, which are necessary to yield an efficient implementation. Our approach divides the verification tasks into two activities: 1) the local correctness of a refined block is checked by using formal verification tools and predefined properties, which are developed for each nonsemantic-preserving transformation, and 2) the global influence of the refinement on the entire system is studied through static analysis. We illustrate the design refinement and verification approach with three transformations: 1) a communication refinement mapping a synchronous channel to an asynchronous one including a handshake mechanism; 2) a computation refinement, which introduces resource sharing in a combinational computation block; and 3) a synchronization demanding refinement, where an algorithm analyzes the influence of a local refinement on the temporal properties of the entire system and restores the system’s correct temporal behavior if necessary.
Project-Team Pop Art: Programming languages, Operating systems, Parallelism, and Aspects for Real-Time, Grenoble - Rhône-Alpes
Activity report
unknown title
MATLAB Simulink is a member of a class of visual languages that are used for modeling and simulating physical and cyber-physical systems. A Simulink model consists of blocks with input and output ports connected using links that carry signals. We extend the type system of Simulink with annotations and dimensions/units associated with ports and links. These types can capture invariants on signals as well as relations between signals. We define a type-checker that checks the well-formedness of Simulink blocks with respect to these type annotations. The type checker generates proof obligations that are solved by SRI’s Yices solver for satisfiability modulo theories (SMT). This translation can be used to detect type errors, demonstrate counterexamples, generate test cases, or prove the absence of type errors. Our work is an initial step toward the symbolic analysis of MATLAB Simulink models.