Abstract. The Model Based Design approach to Hybrid Systems control software synthesis is particularly appealing since Formal System Level Specifications are usually much easier to define than the control software itself. In this setting, Design Space Exploration aims at finding a suitable (with respect to costs and performance) choice for the system design parameters. Unfortunately, a substantial part of the time devoted to design space exploration is spent trying to solve control software synthesis problems that do not have a solution. We present an on-the-fly algorithm for control software synthesis that enables effective design space exploration by speeding up termination when no controller is found. Our experimental results show the effectiveness of our approach and how it can support a concrete realizability and schedulability analysis.
Introduction
A Software Based Control System (SBCS) consists of two main subsystems, the controller and the plant, that together form the closed loop system. In an endless loop, every T seconds (sampling time), the output y from plant sensors goes through an analog-to-digital (AD) conversion, yielding a quantized value $\hat{y}$ to the control software implementing the control law. The control software then computes the command $\hat{u}$ to be sent (after a digital-to-analog (DA) conversion) to plant actuators in order to guarantee that the closed loop system satisfies given safety and liveness specifications (System Level Formal Specifications).
Traditionally, the control software is designed using a separation-of-concerns approach. That is, Control Engineering techniques (e.g., see [10] ) are used to design functional specifications (control law) from the closed loop system level specifications, whereas Software Engineering techniques are used to design control software implementing functional specifications.
Motivations In SBCS design the interface between Control Engineering and Software Engineering activities is basically summarized by the choice of: 1) the control law, 2) the number of quantization bits b, 3) the sampling time T. Taking into account that an SBCS is a real-time system, the control software Worst Case Execution Time (WCET) must be less than or equal to T. As a result we have contrasting requirements on the choice of the design parameters b and T. Namely, the performance (e.g., set-up time and ripple) of the closed loop system typically improves as b increases or T decreases. On the other hand, hardware/software costs decrease when b decreases or T increases (e.g., a faster processor is needed in order to guarantee that the control software WCET is less than T). In our context, one of the main goals of Design Space Exploration is to find a suitable (with respect to costs and performance) choice for the design parameters b and T. The current approach is to define (using Control Engineering techniques) a control law along with values for b and T and then to devise (using Software Engineering techniques) a software implementation for it. Once the software is implemented, its realizability and its schedulability must be evaluated. Namely, the software is realizable if it fits in the microcontroller flash memory. Moreover, it is schedulable if its WCET is smaller than the sampling time and small enough to make feasible the schedulability of the other periodic processes (such as reading quantized values from plant sensors) that run on the same microcontroller (see e.g. [15] for a more in-depth discussion). The performance of the closed loop system is then evaluated using Hardware In the Loop Simulation (e.g., nicely supported by Model Based tools like Simulink [20] or Reactis [34]).

⋆ This work has been partially supported by the EC FP7 projects SmartHG (Energy Demand Aware Open Services for Smart Grid Intelligent Automation, 317761) and PAEON (Model Driven Computation of Treatments for Infertility Related Endocrinological Diseases, 600773).
One may wish to partially automate design space exploration by using tools like QKS [25] that, from the plant model, the system level formal specifications for the closed loop system and the implementation parameters (namely, the number of quantization bits), automatically synthesize correct-by-construction control software meeting the given requirements and with a guaranteed WCET. We note that, for many choices of the design parameters b and T, QKS fails to find control software solving the synthesis problem. As a result, a substantial part of the time devoted to design space exploration will be spent trying to solve control software synthesis problems that do not have a solution. Unfortunately, the control software synthesis algorithm presented in [25] takes about the same time both when it finds a solution and when it cannot find one.
This paper investigates control software synthesis algorithms that can support design space exploration by detecting as soon as possible when a solution to the synthesis problem cannot be found.
Our Contributions
We model the plant as a Discrete Time Linear Hybrid System (DTLHS), that is a (discrete time) hybrid system whose dynamics is modeled with linear constraints over a set of continuous as well as discrete variables. Safety and liveness specifications for the closed loop system are defined as linear constraints on state variables. A DTLHS H approximates a continuous time system dynamics by sampling it only at discrete time points that are multiples of a time step τ chosen on the basis of physical considerations. Building on this, we can approximate the dynamics of a system sampled every T = nτ seconds by iterating n times the dynamics of H. Using such an approach we can investigate, in our DTLHS framework, the existence of a controller for H for different configurations of b and T = nτ. Our main contributions can be summarized as follows.
On-the-fly control software synthesis algorithm. We present an on-the-fly algorithm for DTLHS control software synthesis, in the same spirit of on-the-fly Model Checking [19] . Such an approach enables effective design space exploration by speeding-up termination of the control software synthesis algorithm in the typical case occurring in the design space exploration phase, namely when no controller is found for the given configuration parameters (b, T ).
Experimental results. We implemented our algorithm within the QKS tool [25]. To assess the effectiveness of our approach we present results on its usage for design space exploration of control software for the inverted pendulum, a challenging and widely studied example (e.g., see [22]). We carry out such a design space exploration using both the on-the-fly algorithm presented here and the synthesis algorithm presented in [25]. We have considered 18 choices for the design parameters b and T, 10 of which yield a control software. Our experimental results (Sect. 6) show that, using our on-the-fly algorithm, we obtain a time saving of nearly 80%. Finally, we show how our Model Based Design approach can effectively support a concrete realizability and schedulability analysis on a specific family of microcontrollers.
Related Work Model based design space exploration for embedded systems (typically modeled as Hybrid Systems [5]) has been widely studied in the last decades. Many tools and paradigms have been proposed to support designers in this phase. For example, see [6] and citations thereof for a formal (UPPAAL [17] based) model based tool and a survey of available tools. In this respect we note that all proposed methods focus on designing the software/hardware system once the control law is given and, in particular, once b (number of quantization bits) and T (sampling time) are given. To the best of our knowledge none of them supports trading between Control Engineering wishes (large b and small T) and System/Software Engineering wishes (small b and large T) before the control law is designed. In such a framework our contribution complements the available approaches by enabling trade-offs between the control law, b and T before the control law is designed.
The sampling time T is one of the main requirements to take into account for schedulability analysis. In [24] a scheduling algorithm is proposed that cleverly trades, at run time, T (by delaying the execution of the control software) against closed loop performance. The main difference with our contribution is that in [24] the control law and b are both given, whereas our approach enables exploring (offline) the possibility of changing any of them in order to increase T. It is worth noticing that the approach in [24] could indeed be used to further increase (at run time) the T resulting from our control software synthesis method.
We check the performance of the closed loop system after control software synthesis. Methods to synthesize control laws satisfying given performance indexes on the closed loop system have been investigated, for example, in [21]. We differ from such work since our plant model is a DTLHS rather than a multi-modal system as in [21].
Automatic synthesis of software from models has also been widely studied. For example, see [23] and citations thereof. We differ from such approaches since our starting point is the plant model and closed loop specifications for the closed loop system whereas model based software generation (e.g., as the one also available in tools like Simulink) starts from a model based definition (e.g., using Stateflow/Simulink diagrams) of the control law and then generates a software implementation for such a control law model.
Control software synthesis from formal system level specifications for Discrete Time (possibly non Linear) Hybrid Systems has been investigated in [25, 26, 3, 2]. The on-the-fly algorithm presented here improves on the one in [25, 26] by reducing by about 99% the time to terminate when it cannot find a controller, possibly at the price of a 25% time penalty when it can find one. This, in turn, enables formal model based design space (i.e., control law, b, T) exploration.
On-the-fly algorithms for the analysis of Timed Games have been proposed in [12]. Our backward algorithm has to handle linear constraints where both continuous and discrete state variables may appear. In fact, we need to solve many MILP problems to back-propagate a state region. This is quite different from the class of Timed Automata considered in [12], where constraints have the form x ∼ k, where x is a clock and ∼ is one of <, ≤, ≥, >, =.
In [31] a semi-automatic method is presented that, taking as input a continuous time linear system and a goal specification, produces a control law (represented as an OBDD) through Pessoa [30, 35]. Such an approach differs from ours as follows. First, our method is fully automatic whereas the one in [31] is not, since it relies on a user provided Lyapunov function, much in the spirit of [22]. Second, [31] does not provide any guarantee on the WCET of the generated software, thus it cannot be used for design space exploration in our context. Verification and control law synthesis for Linear Hybrid Automata (LHA) [4] has been investigated, e.g., in [18, 38, 16, 9]. Control law synthesis for Piecewise Affine Discrete Time Hybrid Systems (PWA-DTHS) has been investigated in [7, 8]. All such approaches, when dealing with control synthesis, do not account for state feedback quantization, since they all assume exact (i.e. real valued) state measures, and do not generate control software with a guaranteed WCET. As a result they cannot be used for design space exploration in our context, where the number of AD bits b and the software WCET play a crucial role.
Background
We denote with [n] the initial segment {1, . . . , n} of the natural numbers. We denote with $X = [x_1, \ldots, x_n]$ a finite sequence of variables. We may regard X as a set when convenient. Each variable x ranges over a bounded or unbounded interval $\Gamma_x$, with either $\Gamma_x \subseteq \mathbb{R}$ or $\Gamma_x \subseteq \mathbb{Z}$. We say that $\Gamma_x$ is a typing for x and $\Gamma_X = \prod_{x \in X} \Gamma_x$ is a typing for X. If, for all x ∈ X, $\Gamma_x$ is a bounded interval, we say that $\Gamma_X$ is a bounded typing for X.
Predicates A linear expression L(X) over a list of variables X is a linear combination of the variables in X with rational coefficients, $\sum_{x_i \in X} a_i x_i$. A linear constraint over X (or simply a constraint) is an expression of the form $L(X) \le b$, where b is a rational constant. Predicates are inductively defined as follows. A constraint C(X) is a predicate. If A(X) and B(X) are predicates then (A(X) ∧ B(X)) and (A(X) ∨ B(X)) are predicates. Parentheses may be omitted, assuming the usual associativity and precedence rules of logical operators. A conjunctive predicate is a conjunction of constraints. For conjunctive predicates we will also write:
A valuation over a list of variables X is a function v that maps each variable x ∈ X to a value $v(x) \in \Gamma_x$. Given a valuation v, we denote with $X^* \in \Gamma_X$ the sequence of values $[v(x_1), \ldots, v(x_n)]$. By abuse of language, we also call the sequence of values $X^*$ a valuation. A satisfying assignment to a predicate P over X is a valuation $X^*$ such that $P(X^*)$ holds. If a satisfying assignment to a predicate P over X exists, we say that P is feasible. Abusing notation, we may denote with P the set of satisfying assignments to the predicate P(X). A variable x ∈ X is said to be bounded in P if there exist $a, b \in \Gamma_x$ such that P(X) implies a ≤ x ≤ b. A predicate P is bounded if all its variables are bounded. Given a constraint C(X) and a fresh boolean variable (guard) $y \notin X$, the guarded constraint $y \to C(X)$ (if y then C(X)) denotes the predicate $((y = 0) \vee C(X))$. Similarly, we use $\bar{y} \to C(X)$ (if not y then C(X)) to denote the predicate $((y = 1) \vee C(X))$. A guarded predicate is a conjunction of either constraints or guarded constraints. If a guarded predicate P is bounded, then P can be transformed into a (bounded) conjunctive predicate [27].
A linear predicate P(X) is a (guarded) predicate or an expression of the form $\exists Z \in \Gamma_Z\; \hat{P}(X, Z)$, where $\hat{P}(X, Z)$ is a (guarded) predicate and Z is a set of auxiliary variables. Note that, if $\hat{P}(X, Z)$ is bounded, then P(X) is also bounded.
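As an added worked example (not taken from the paper or from [27]), the standard big-M encoding shows how a bounded guarded constraint is rewritten as a plain constraint, which is what makes a bounded guarded predicate a conjunctive one; the bound M is assumed to be computed from the typing $\Gamma_X$:

Take $y \to L(X) \le b$ with $y \in \{0, 1\}$ and $\Gamma_X$ bounded, and let
$$M \;\ge\; \sup_{X \in \Gamma_X} L(X) - b ,$$
which is finite because $\Gamma_X$ is bounded. Then
$$y \to L(X) \le b \quad\equiv\quad L(X) \;\le\; b + M(1 - y).$$
Check: for $y = 1$ the right-hand side is $L(X) \le b$; for $y = 0$ it is $L(X) \le b + M$, which every $X \in \Gamma_X$ satisfies, so the constraint is switched off, exactly as $((y = 0) \vee C(X))$ prescribes. Symmetrically, $\bar{y} \to L(X) \le b$ becomes $L(X) \le b + M y$. For instance, with $x \in [-10, 10]$ and the guarded constraint $y \to x \le 3$, $M = 10 - 3 = 7$ suffices and the encoding is $x \le 3 + 7(1 - y)$. Conjoining the encodings of all guarded constraints yields a single conjunctive predicate over $X \cup \{y_1, \ldots, y_k\}$, which is the form a MILP solver accepts.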
Mixed Integer Linear Programming A MILP problem with decision variables X is a tuple (max, J(X), A(X)) where: X is a list of variables, J(X) (objective function) is a linear expression on X, and A(X) (constraints) is a conjunctive predicate on
is the optimal value of the MILP problem. A feasibility problem is a MILP problem of the form (max, 0, A(X)). We write also A(X) for (max, 0, A(X)). We write (min, J(X), A(X)) for (max, −J(X), A(X)).
Moore Automata A Nondeterministic Moore Automaton (NMA) [13] is a tuple M = (S, A, O, T, Ω) where: S is a set of states, A is a set of actions, O is a set of outputs, T : S × A × S → B is the transition relation of M, and Ω : S × O → B is the output predicate, such that ∀s ∈ S ∃o ∈ O Ω(s, o) (there is an output for each state). In the following, let s ∈ S, a ∈ A and o ∈ O.
The set of actions enabled in s is denoted by En(M, 
. . . of states $s_t$ and actions $a_t$ such that $\forall t \ge 0\; T(s_t, a_t, s_{t+1})$. The length |π| of a finite run π is the number of actions in π. We denote with $\pi^{(S)}(t)$ the t-th state element of π, and with $\pi^{(A)}(t)$ the t-th action element of π. That is $\pi^{(S)}(t) = s_t$, and
We call an NMA M = (S, A, O, T, Ω) a Labelled Transition System (LTS) whenever S = O and, for all $s_1, s_2$, if $\Omega(s_1, s_2)$ holds then $s_1 = s_2$. In such a case we may simply write M = (S, A, T).
Output Feedback Control Problem
A controller restricts the dynamics of a system so that all paths starting in an initial state eventually reach a state in a goal region (liveness specifications), while keeping the system in the safe region (safety specifications). In this section, we formally define the notion of output feedback control problem and its solutions, by extending to possibly infinite NMAs the definitions in [37, 14] for finite LTSs. With respect to [25], the output feedback control problem slightly generalizes the notion of quantized feedback control problem in order to provide a natural framework for modelling control problems where the plant state is not fully observable. In what follows, let M = (S, A, O, T, Ω) be an NMA, and I, Σ, G ⊆ S be, respectively, the initial, the safe, and the goal region.
An output feedback controller for M is a function
We denote with dom(K) the set of states for which a control action is defined. Formally, dom(
. We call a path π a fullpath if either it is infinite or its last state $\pi^{(S)}(|\pi|)$ has no successors (i.e. $\mathrm{Adm}(M, \pi^{(S)}(|\pi|)) = \emptyset$). We denote with Path(s, a) the set of fullpaths starting in state s with action a, i.e. the set of fullpaths π such that $\pi^{(S)}(0) = s$ and $\pi^{(A)}(0) = a$. Given a path π in M, we define the measure j(M, G, π) on paths as the distance of $\pi^{(S)}(0)$ to the goal on π. That is, if there exists n > 0 s.t.
We require n > 0 since our systems are nonterminating and each controllable state (including a goal state) must have a path of positive length to a goal state. Taking sup ∅ = +∞, the worst case distance of a state s from the goal region G is $J(M, G, s) = \sup\{\, j(M, G, \pi) \mid \pi \in \mathrm{Path}(s, a),\ a \in \mathrm{Adm}(M, s) \,\}$. Definition 1. An NMA output feedback control problem P is a tuple (M, I, Σ, G). An LTS control problem is an NMA output feedback control problem where M is an LTS and Σ = S, thus it is a triple (M, I, G).
A strong solution (or simply, a solution) to P is a controller K for $M_\Sigma$ such that I ⊆ dom(K), and for all s ∈ dom(K), J(M
An optimal solution to P is a solution K * to P such that for all solutions K to P, for all s ∈ S, we have
The most general optimal (mgo) solution to P is an optimal solutionK to P such that for all other optimal solutions K to P, for all o ∈ O, for all a ∈ A we have that
Intuitively, a strong solution takes a pessimistic view by requiring that, for each initial state, all runs of the closed loop system reach the goal, whatever the outcomes of nondeterminism. I , Σ, G) has no solution, because on output 0 it is not possible to determine whether the correct action to enable is 0 (as it is in state (0, 1)), 1 (as it is in state (0, 0)), or −1 (as it is in state (0, 2)).
Let us now consider the set of outputs $O_2 = \{0, 1, 2\}$ and the output relation
Discrete Time Linear Hybrid Systems
Discrete Time Linear Hybrid Systems (DTLHSs) provide a uniform framework to model both the plant and the closed loop system. In this section, we extend the definition of DTLHSs in [25] by considering outputs in order to model measurements of system state (as usual in Control Theory [36] ).
Definition 2. A Discrete Time Linear Hybrid System
1. X is a finite set of real and discrete present state variables. The set X′ of next state variables is obtained by decorating with ′ all variables in X.
2. U is a finite set of discrete input (controllable) variables.
3. Y is a finite set of discrete output variables.
is a bounded linear predicate defining the transition relation of H.
6. W(X, Y) is a linear predicate defining the output relation of H. We require that there is always an output associated to any state, formally: $\forall x \in \Gamma_X\ \exists y \in \Gamma_Y\ W(x, y)$. We write $W^{-1}(y)$ for the set of states that have output y.
Observe that $\Gamma_U$ and $\Gamma_Y$ are bounded discrete typings for U and Y. This models the fact that software controllers can only read a finite set of discrete values and can only choose one among a finite set of actions. For this reason we only have discrete outputs. Moreover, our DTLHSs also include the model of the AD conversion (always present in our SBCS setting) via the predicate W. 1, 2}, and the transition relation N (x 1 , x 2
). An output feedback control problem for a DTLHS H is the NMA output feedback control problem induced by the dynamics of H. 
2 ) (rounding of the variable x 2 ), we have that K is a solution also to the control problem (H ′ , I, Σ, G).
A DTLHS Model for the Inverted Pendulum Case Study
In this section, we present the DTLHS model of the inverted pendulum, on which our experiments focus. The inverted pendulum (see Fig. 2) is a classical, hard control problem [22] whose DTLHS formulation is far from trivial [2]. The inverted pendulum is modeled by taking the angle θ and the angular velocity $\dot{\theta}$ as state variables and the torquing force u · F as the system input. The variable u models the direction and the constant F models the intensity of the force. Differently from [22], we consider the problem of finding a discrete controller, whose decisions can only be "apply the force clockwise" (u = 1), "apply the force counterclockwise" (u = −1), or "do nothing" (u = 0). A linear model can be found by under- and over-approximating the non linear function sin x with piecewise linear functions f
(with $c_{x_i}$, $d_{x_i}$ the lower and upper bound constants for the variable $x_i$), U = {u} is the set of input variables with $\Gamma_u = \{-1, 0, 1\}$, $Y = \{y_1, y_2\}$ is the set of output variables (where $y_1$ is a discretization of $x_1$ and $y_2$ of $x_2$) with $\Gamma_{y_1} = \Gamma_{y_2} = \{0, \ldots, 2^b - 1\}$, and the transition relation N(X, U, X′) is the following linear predicate (m is the pendulum mass, l is the pendulum length, and g is the gravitational acceleration):
On-the-Fly Control Software Synthesis
Given a DTLHS output control problem P = (H, I, Σ, G), a typical approach to the automatic synthesis of controllers consists of building a suitable finite state representation $\hat{H}_\Sigma$ of the plant H and computing an abstraction $\hat{I}$ (resp. $\hat{G}$) of the initial (resp. goal) region I (resp. G), so that any solution to the control problem $(\hat{H}_\Sigma, \hat{I}, \hat{G})$ is a finite representation of a solution to P. For example, this can be done by giving conditions ensuring that the abstract system satisfies some equivalence relation with respect to the concrete system (e.g. see [33, 1, 25]). To avoid useless computation, our on-the-fly control synthesis algorithm (Sect. 5.2) simultaneously computes the finite abstraction $\hat{H}_\Sigma$ and the solution to the control problem $(\hat{H}_\Sigma, \hat{I}, \hat{G})$. To make the algorithm description clear, we first present in Sect. 5.1 the notion of output abstraction, which adapts the notion of control abstraction [25] to the output model considered in this paper.
Output Abstraction
In our setting [25], the finite state representation induced by the output relation of a DTLHS is a design constraint rather than a methodological tool, since it models the finite precision of sensor measurements. Definition 5. Let H = (X, U, Y, N, W, Γ) be a DTLHS and (H, I, Σ, G) be a DTLHS control problem. The output abstraction of H is the LTS $\hat{H}_\Sigma = (S, A, T_\Sigma)$ such that $S = \Gamma_Y$, $A = \Gamma_U$, and for all y, y′ ∈ S, a ∈ A we have $T_\Sigma(y, a, y')$ iff a is an admissible action in y and there exists x,
The output abstraction may be a highly nondeterministic LTS, which makes the existence of a strong solution to the output feedback control problem problematic. In particular, for small values of the sampling time, the output abstraction may contain a large number of self-loops: for any output y that is not in the goal region, a self-loop (y, a, y) of $\hat{H}_\Sigma$ prevents the action a from being enabled in y in any strong solution to the output control problem. On the other hand, if by repeatedly performing an action a in an abstract state y it is guaranteed that the system will leave the region $W^{-1}(y)$ represented by the output y after a finite number of steps, then the self-loop (y, a, y) of $\hat{H}_\Sigma$ can be eliminated and the action a can be enabled by a strong controller in the state y. Definition 6. Let H = (X, U, Y, N, W, Γ) be a DTLHS, (H, I, Σ, G) be a DTLHS control problem and let $\hat{H}_\Sigma = (S, A, T_\Sigma)$ be its output abstraction.
A self-loop (y, a, y) of $\hat{H}_\Sigma$ is non-eliminable if there exists at least one infinite run $\pi = x_0\, a\, x_1\, a\, x_2 \ldots$ in H such that $\forall t \in \mathbb{N}\; x_t \in W^{-1}(y)$. Otherwise, the self-loop (y, a, y) of $\hat{H}_\Sigma$ is said to be eliminable.
We call adequate output abstraction any LTS $\hat{H}' \sqsubseteq \hat{H}_\Sigma$ that omits some eliminable self-loops.
Example 4. Let P = (H, I, Σ, G) be the control problem in Ex. 3. An adequate output abstraction of H is the automaton considered in Ex. 1. Observe that, for all $z \in \Gamma_{y_2}$, the self-loops ((0, z), 0, (0, z)) are non-eliminable. In fact, N((0, z), 0, (0, z)) holds, and hence there are runs of H which cycle forever on (0, z) with action 0. Thus the self-loops ((0, z), 0, (0, z)) belong to the output abstraction and to all adequate output abstractions. On the contrary, the output abstraction contains, for all $(z_1, z_2) \in \Gamma_Y$, the self-loops $((z_1, z_2), 1, (z_1, z_2))$ and $((z_1, z_2), -1, (z_1, z_2))$, as well as the self-loops $((z_1, z_2), 0, (z_1, z_2))$ with $z_1 \neq 0$. It is easy to see that all such self-loops are eliminable, thus adequate output abstractions (such as the one in Ex. 1) may omit them. Finally, observe that, for all $z_1 \in \Gamma_{y_1}$, action 1 is not admissible in $(z_1, 2)$, since for example $N((z_1, 2), 1, (z_1, 2 + T))$ holds and $\Sigma((z_1, 2 + T))$ does not hold. Similarly, for all $z_1 \in \Gamma_{y_1}$, action −1 is not admissible in $(z_1, 0)$.
The following theorem [25] states that it is correct to consider adequate output abstractions when looking for a strong solution to an output feedback DTLHS control problem.
On-the-Fly computation of output abstraction
By Theorem 1, the solution of an output control problem (H, I, Σ, G) can be found as the solution to the finite LTS control problem $(\hat{H}_\Sigma, \hat{I}, \hat{G})$. In [25], we presented a MILP-based approach to the computation of the output abstraction $\hat{H}_\Sigma$. The solution to the finite LTS control problem is computed by adapting the symbolic algorithm in [14]. Starting from the goal states, the most general optimal controller is found by looping backward, adding at each step to the set D of states controlled so far the strong preimage of D, i.e. the set of states for which there exists at least one action a that drives the system into D regardless of the possible nondeterministic outcomes.
In order to determine as soon as possible if a solution to a given output control problem cannot be found, and actually compute the solution otherwise, Alg. 1 implements an incremental approach to control software synthesis, in the same spirit as on-the-fly Model Checking [19]. Instead of first fully computing $\hat{H}_\Sigma$ and then solving the finite LTS control problem $(\hat{H}_\Sigma, \hat{I}, \hat{G})$, function strongCtrInc incrementally and simultaneously computes the abstraction $\hat{H}_\Sigma$ and the solution K to the control problem $(\hat{H}_\Sigma, \hat{I}, \hat{G})$ in such a way that, at the i-th iteration, the computed abstraction $\hat{H}_i$ is large enough to correctly determine the set of states that can be driven to the goal in at most i steps.
Function strongCtrIncr in Alg. 1 uses Ordered Binary Decision Diagrams (OBDDs) to represent sets and relations over sets. In Alg. 1, the variable $\hat{K}$ is the OBDD representing the controller computed so far, $\hat{D}$ is the domain of $\hat{K}$, $\hat{F} \subseteq \hat{D} \cup \hat{G}$ is the set of outputs which have been added to $\hat{D}$ in the last iteration, and $\hat{N}$ is the transition relation of $\hat{H}_\Sigma$ computed so far. To save useless computation, the OBDD $\hat{E}$ stores the set of pairs $(y, u) \in \Gamma_Y \times \Gamma_U$ already considered in the construction of $\hat{N}$.
Algorithm 1 Incremental Controller Synthesis
5.  for all y ∈ F̂, u ∈ Γ_U do
6.    P̂ ← overCounterImage(y, u)
7.    for all ỹ ∈ P̂ do
8.      if (ỹ, u) ∉ Ê then
9.        Ê ← Ê ∪ {(ỹ, u)}   {mark (ỹ, u) as "examined"}
10.       if admissible(Σ, ỹ, u) then
Function strongCtrIncr first computes a finite underapproximation $\hat{G}$ of the goal region G (line 1) and a finite overapproximation $\hat{I}$ of the initial region I (line 2). Then, in line 3, the controller $\hat{K}$, the controllable region $\hat{D}$, the set $\hat{E}$, and the transition relation $\hat{N}$ are initialized to the empty set (i.e. the empty OBDD), and $\hat{F}$ is initialized to the set of abstract goal states $\hat{G}$.
After this initialization phase, function strongCtrIncr enters a loop (lines 4-18) in which, at iteration i, all states which may be strongly controlled in at most i steps are added to $\hat{K}$. To this aim, a nested loop (lines 5-15) is performed where, at each iteration, the algorithm computes the part of the transition relation $\hat{N}$ that is necessary to find all states that a controller can drive in one step into the controllable region $\hat{D}$ computed so far. To this end, for any output $y \in \hat{F}$ and for any action u, an overapproximation $\hat{P}$ of the set of outputs that can reach y in one step by performing action u is computed (line 6). The overapproximation $\hat{P}$ is computed by function overCounterImage which, for each variable $y_i \in Y$, computes the minimum and maximum value that $y_i$ can assume in a satisfying assignment of $N(x, a, x') \wedge W(x, y) \wedge W(x', y')$ (thus 2|Y| MILP problems are set up and solved). Since the set $\hat{E}$ contains all the output-action pairs already considered in the construction of $\hat{N}$ so far, to avoid recomputing the same part of $\hat{N}$, only the output-action pairs not in $\hat{E}$ are considered (line 8).
As prescribed by the definition of adequate output abstraction, a transition (y, u, y′) with y ≠ y′ is added to $\hat{N}$ whenever u is an admissible action in y and there exist $x \in W^{-1}(y)$, $x' \in W^{-1}(y')$ such that N(x, u, x′) (lines 10-15). As for self-loops (y, u, y), we want to add them to $\hat{N}$ only if they are non-eliminable (line 11). Since self-loop elimination is an undecidable problem [29], we employ function selfLoop [25] to check a gradient based sufficient condition for self-loop elimination that in practice turns out to be very effective. Namely, for each variable $x_i$, selfLoop tries to establish whether $x_i$ is either always increasing or always decreasing inside $W^{-1}(y)$ when action u is performed. If this is the case, since $W^{-1}(y)$ is a compact set, no Zeno phenomena may arise, thus executing action u guarantees that $\hat{H}_\Sigma$ will eventually leave the region $W^{-1}(y)$. Lines 16-17 update the controller $\hat{K}$ (and its domain $\hat{D}$) computed so far. The set $\hat{F}$ is updated with the set of newly controlled states. The outermost repeat-until loop (lines 4-18) is performed until no more newly controlled states are found. Finally, the actual control software (i.e., C code) for the DTLHS is synthesized by translating $\hat{K}$ as described in [28]. The guaranteed WCET (worst case execution time) $T_{\hat{K}}$ of the synthesized control software is also computed.
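To make the incremental loop of Alg. 1 concrete, here is an added worked example written for this page; it is not QKS code and not the paper's OBDD implementation. It runs the same scheme on a constructed finite plant: the concrete states are the integers 0..127, the outputs are the 16 cells of width 8 (an assumed 4-bit quantization), the actions are {−1, 0, +1}, and each ±1 push moves the state by 2 or 3 nondeterministically. Because the plant is finite, the over-counter-image, the admissibility check and the self-loop eliminability of Definition 6 are all computed exactly by enumeration: explicit Python sets stand in for the OBDDs K̂, D̂, F̂, Ê and N̂, an exact cycle check stands in for the gradient-based selfLoop test, and the function and parameter names (`strong_ctr_inc`, `make_plant`, `unsafe_cell`, ...) are this example's own. The `unsafe_cell` parameter removes one cell from Σ; that makes the outputs beyond it uncontrollable and so exercises the early-termination case, where the loop stops as soon as F̂ empties, before the (ỹ, u) pairs behind the unsafe cell are ever examined.

```python
# Added worked example for this page (not QKS code): explicit-set version of the
# incremental strong controller synthesis of Alg. 1 on a constructed finite plant.
from collections import defaultdict

N_STATES = 128          # constructed plant: concrete states x in {0, ..., 127}
CELL = 8                # output relation W(x, y) holds iff y == x // CELL (16 outputs, "b = 4")
ACTIONS = (-1, 0, 1)    # Gamma_U: push backward, do nothing, push forward


def next_states(x, u):
    """Concrete transition relation N(x, u, x'): a push moves by 2 or 3 (nondeterministic)."""
    return {x} if u == 0 else {x + 2 * u, x + 3 * u}


def make_plant(unsafe_cell=None):
    """Return (safe, output): Sigma is the state bounds minus one optional cell."""
    def safe(x):
        return 0 <= x < N_STATES and (unsafe_cell is None or x // CELL != unsafe_cell)
    return safe, (lambda x: x // CELL)


def cell_states(y, safe):
    """W^{-1}(y) restricted to the safe region Sigma."""
    return [x for x in range(y * CELL, (y + 1) * CELL) if safe(x)]


def admissible(y, u, safe):
    """u is admissible in y iff from every x in W^{-1}(y) it cannot leave Sigma (cf. Ex. 4)."""
    xs = cell_states(y, safe)
    return bool(xs) and all(safe(x2) for x in xs for x2 in next_states(x, u))


def abstract_successors(y, u, safe, output):
    """Outputs reachable in one u-step from W^{-1}(y) (exact image by enumeration)."""
    return {output(x2) for x in cell_states(y, safe) for x2 in next_states(x, u)}


def over_counter_image(y, u, safe, output):
    """Outputs whose cell can reach W^{-1}(y) in one u-step.
    Exact here; Alg. 1 bounds this set with 2|Y| MILP problems instead."""
    return {output(x) for x in range(N_STATES) if safe(x)
            for x2 in next_states(x, u) if safe(x2) and output(x2) == y}


def self_loop_non_eliminable(y, u, safe):
    """Definition 6 decided exactly on a finite plant: is there an infinite u-run
    that never leaves W^{-1}(y)?  Greatest fixpoint of "has a successor inside the
    cell"; it is nonempty iff the cell contains a u-cycle.  (The paper's selfLoop
    uses a gradient-based sufficient condition because its state space is continuous.)"""
    alive = set(cell_states(y, safe))
    changed = True
    while changed:
        changed = False
        for x in list(alive):
            if not (next_states(x, u) & alive):
                alive.discard(x)
                changed = True
    return bool(alive)


def strong_ctr_inc(goal, init, safe, output):
    """On-the-fly synthesis: grow the controlled region one step per iteration,
    computing only the part of the output abstraction that the step needs.
    Returns (K, examined, solved): K maps each controlled output to the set of
    actions enabled there, examined is the set E of (output, action) pairs whose
    transitions were computed, solved tells whether I_hat is inside dom(K)."""
    cells = [y for y in range(N_STATES // CELL) if cell_states(y, safe)]
    G_hat = {y for y in cells if all(goal(x) for x in cell_states(y, safe))}  # under-approx. of G
    I_hat = {y for y in cells if any(init(x) for x in cell_states(y, safe))}  # over-approx. of I
    K, examined, N_hat = {}, set(), {}        # controller, pairs examined, abstraction so far
    frontier = set(G_hat)                      # F_hat: outputs added to D_hat in the last round
    while frontier:
        D = set(K) | G_hat                     # controlled region so far (plus the goal)
        for y in frontier:
            for u in ACTIONS:
                for yt in over_counter_image(y, u, safe, output):
                    if (yt, u) in examined:    # this part of N_hat was computed already
                        continue
                    examined.add((yt, u))
                    if not admissible(yt, u, safe):
                        continue
                    succ = abstract_successors(yt, u, safe, output)
                    if yt in succ and not self_loop_non_eliminable(yt, u, safe):
                        succ.discard(yt)       # drop an eliminable self-loop (adequate abstraction)
                    N_hat[(yt, u)] = succ
        # strong preimage of D over the abstraction computed so far: an action is
        # enabled only if it has some successor and all of them are already controlled
        new = defaultdict(set)
        for (yt, u), succ in N_hat.items():
            if yt not in K and succ and succ <= D:
                new[yt].add(u)
        K.update(new)
        frontier = set(new)                    # empty => fixpoint, nothing more to drive to D
    return K, examined, I_hat <= set(K)
```

With the goal region 24 ≤ x ≤ 39 (so Ĝ = {3, 4}), every state initial, and `unsafe_cell=6`, the loop examines only 18 of the 45 (output, action) pairs before reporting Î ⊄ dom(K̂): cells 0..5 are controlled, cell 7 cannot be driven past the unsafe cell, and the pairs for cells 7..15 are never touched. Without the unsafe cell all 48 pairs end up examined, every cell is controlled, and the goal cell 3 gets exactly the actions {0, +1} whose worst-case distance to the goal is 1, as the mgo definition requires.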
Experimental Results
In this section we present our experiments, which aim at evaluating the effectiveness of our control software synthesis technique. We implemented strongCtrInc in the C programming language, using the CUDD package for OBDD based computations and GLPK for solving MILP problems. The resulting tool, QKS_otf, extends the tool QKS by adding the possibility of using the on-the-fly approach described in Alg. 1.
The objective of our experiments is threefold. First, in Sect. 6.1 and 6.2 we evaluate, on a meaningful case study, the speedup obtained with the on-the-fly algorithm with respect to the exhaustive method presented in [25] in the context of design space exploration. Second, in Sect. 6.3 we show how our on-the-fly algorithm can be used for realizability and schedulability analysis issues [11] for control software in design space exploration. Finally, in Sect. 6.4 we assess the quality of our controllers, by evaluating their system level performances, such as ripple and set-up time.
Experimental Setting: Design Space Exploration
In our experiments, we consider the inverted pendulum case study introduced in Sect. 4.1. To this aim, we model the inverted pendulum with the DTLHS $I_b = (X, U, Y, N, W_b, \Gamma)$ defined in Sect. 4.1, where the state variable bounds are fixed as follows: $c_{x_1} = -1.1\pi$ radians, $d_{x_1} = 1.1\pi$ radians, $c_{x_2} = -4$ radians per second, $d_{x_2} = 4$ radians per second. As for the pendulum parameters, we set F = 0.5 N and, as in [22, 2, 3], we set l and m in such a way that $g/l = 1$ (i.e. l = g) and $1/(m l^2) = 1$ (i.e. $m = 1/l^2$). Finally, the DTLHS control problem is $(I_b, I, \Sigma, G)$,
That is, the goal is to turn the pendulum nearly steady to the upright position, starting from nearly any possible initial position and without going out of the state variables bounds.
Our aim here is to carry out experiments for different values of the number of quantization bits $b$ and of the sampling time $T$, i.e., the time between two samples of the system state in the closed loop system. On the other hand, the DTLHS $I_b$ approximates the continuous time pendulum dynamics by discretizing the corresponding differential equations with a time step $\tau$ ($\tau = 0.05$ seconds in our experiments). $T$ is typically greater than $\tau$. If we directly set $\tau = T$ in $I_b$, we would obtain an inaccurate model, since $\tau$ depends on physical considerations [36] (such considerations are not our focus here). Building on this, we approximate the dynamics of the pendulum with sampling time $T$ by iterating $n = T/\tau$ times the transition relation $N$ of $I_b$. Namely, we consider the transition relation $N^n$ obtained from $N$, with $\ldots, X^{(n)}$ sets of variables not occurring in $N$ (note that $N^n$ is a linear predicate). Namely, $N^n(x, u, x')$ holds if, by holding action $u$ for $n$ transitions of step $\tau$, the system goes from $x$ to $x'$. This allows us to have a sampling time (at least) $T$, while retaining model accuracy. In the following, we will use $n$ instead of $T$, with the understanding that $T = n\tau$. Thus, the DTLHS reference model for our experiments is $I_b^n = (X, U, Y, N^n, W_b, \Gamma)$, and the DTLHS control problem is $(I_b^n, I, \Sigma, G)$. In order to experimentally show that function strongCtrInc of Alg. 1 effectively supports design space exploration, we will run both QKS_otf and QKS on $I_b^n$ for $(b, n) \in \{8, 9, 10\} \times \{10, 8, 6, 4, 2, 1\}$, and then compare the corresponding computation times.
Experimental Results for Design Space Exploration
All experiments have been carried out on an Intel(R) Xeon(R) CPU @ 2.27GHz, with 23GiB of RAM, Kernel: Linux 2.6.32-5-686-bigmem, distribution Debian GNU/Linux 6.0.3 (squeeze).
Results of QKS and QKS_otf are in Table 1. The meaning of the columns in Table 1 is as follows. Columns $b$ and $n$ have the same meaning as in Sect. 6.1. Column $\mathrm{CPU}_{exh}$ (resp., $\mathrm{CPU}_{otf}$) shows the computation time in seconds of QKS (resp., QKS_otf). Column $\mathrm{RAM}_{exh}$ (resp., $\mathrm{RAM}_{otf}$) shows the peak RAM usage in bytes for QKS (resp., QKS_otf). Column $|K|$ shows the generated controller size, i.e., the number of nodes in the OBDD representing $K$. Column Speedup shows the speedup obtained by using QKS_otf instead of QKS, that is $\mathrm{CPU}_{exh}/\mathrm{CPU}_{otf}$. Table 1 also shows the sum of all computation times for QKS and QKS_otf, the maximum peak RAM usage for QKS and QKS_otf, and the overall computation time gain of QKS_otf w.r.t. QKS. From Table 1 we note that, as expected, QKS_otf obtains a huge speedup (close to 100%) in the cases in which no control software is found, while it requires approximately the same time as QKS otherwise. This is due to the fact that the on-the-fly algorithm introduces both an overhead (mainly due to the counterimage computations at line 6 of Alg. 1 and the management of the OBDD $\hat{E}$) and a speedup (even when the control software is found, the adequate output abstraction $\hat{N}$ may not be fully computed). Summing up, our approach obtains an overall gain of nearly 80% when performing design space exploration, with an acceptable memory usage overhead. This shows the effectiveness of QKS_otf for design space exploration.
Control software realizability and schedulability
In order to verify if the control software works properly on a given microcontroller, two issues must be taken into account: realizability and schedulability.
A control software is realizable on a given microcontroller if the whole control software fits in the microcontroller flash memory. Since our approach directly outputs the C code for the control software, it is sufficient to compile the C code for the given microcontroller architecture, obtain the hex file to be copied to the microcontroller flash, and check whether its size fits in the microcontroller flash.
As for schedulability, we note that the real-time requirement $T_W \le T = n\tau$ must hold, where $T_W$ is an upper bound for the control software WCET. Since our approach also outputs a guaranteed WCET for the synthesized control software, we are able to directly check if this requirement is fulfilled. Namely, since $2b$ (resp. 2) bits are needed to encode pendulum states (resp. actions), in all our experiments the WCET satisfies $T_W \le 4bT_B$, where $T_B$ is an upper bound for the time needed to compute an if-then-else C block of a given known structure [28]. More in detail, by directly looking at the assembly code generated for such an if-then-else C block on a candidate microcontroller (an example is shown in Fig. 3), and by considering the number of clock cycles needed for each assembly instruction, we obtain an upper bound $A$ for the number of microcontroller clock cycles needed to compute such a block. Thus, given the microcontroller frequency $F = 1/T_C$, we have that $T_B \le AT_C$. In order to complete the schedulability analysis of the control software, we need to consider that other processes need to run with given periods together with the controller itself. Namely, the controller computation (which in this setting is a process with period $n\tau$) must be preceded by processes reading quantized values from plant sensors (one process per plant state variable) and must be followed by a process sending the computed action to plant actuators. Moreover, other processes may be needed, e.g., to accept keyboard input for debugging. In the following, we will assume each such process to require at most 100 clock cycles and to have a period of $10^{-3}$ seconds (which is less than $n\tau$ for all $n$). In order to determine beforehand (i.e., without having to actually copy the control software to the microcontroller and test it) whether all such periods can be met on the given microcontroller architecture, we employ the schedulability test for Rate-Monotonic Scheduling (RMS, see e.g. [11]), that is
, where $C_i$ is the WCET and $T_i$ the period of process $i$, and $k$ is the number of processes running together with the controller. Supposing the controller to be the process with index $(k+1)$, we have that the schedulability test is implied by $\frac{4bAT_C}{n\tau} + k\,\frac{100\,T_C}{10^{-3}} < 0.69$. Again, since all the required measures are either known or computed by our model-based approach, we are able to determine beforehand whether the control software is schedulable on the given microcontroller.
Our experimental results on control software schedulability and realizability are shown in Table 2. The meaning of the columns in Table 2 is as follows. Columns $b$ and $n$ have the same meaning as in Sect. 6.1. Column $|K_{hex}|$ shows the generated controller size, as the number of bytes to be written to the target microcontroller flash memory. Column Arch shows the microcontroller with the smallest flash memory into which $|K_{hex}|$ fits. Namely, we consider the following microcontrollers of the Atmel family [32]: atmega8 (8K of flash), atmega16 (16K of flash) and at91sam (1MB of flash). For both atmega8 and atmega16, the clock frequency $F$ is 4MHz (i.e., each clock tick takes $T_C = 250$ nanoseconds), and the upper bound on the number of clock cycles needed to compute the largest if-then-else C block in the software implementing $K$ is $A = 16$. For at91sam, which, being ARM-based, is shown as ARM in Table 2, $F = 50$ MHz, $T_C = 250$ nanoseconds and $A = 12$. Column WCET shows an upper bound for the control software WCET, i.e., $4bAT_C$. Column $\alpha$ shows the ratio between the WCET and the period of the controller process (note that this is part of the schedulability test for RMS), i.e., $\alpha = \mathrm{WCET}/(n\tau)$. Let $\beta$ be an upper bound for the ratio between WCET and period summed over all other possible processes, as computed in our strengthened RMS schedulability test, i.e., $\beta = 0.69 - \alpha$ ($\beta \approx 0.69$ in all cases of Table 2). Column $k$ shows a lower bound for the maximum number of processes which may be run together with the controller on the given microcontroller, under the hypothesis that each process requires 100 clock cycles and has a period of $10^{-3}$ seconds. Namely, following again the RMS schedulability test, $k = \left\lfloor \frac{10^{-3}\,\beta}{100\,T_C} \right\rfloor$. Note that $k$ must be at least 3 for the inverted pendulum case study, since 2 processes are required to read the quantized plant state from sensors and a third process is needed to send the computed action to the actuators. Indeed, in all cases we have $k \ge 27$.
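The realizability check (hex size against flash) and the strengthened RMS test of the previous two paragraphs, together with the derived Table 2 quantities (WCET bound $4bAT_C$, $\alpha$, $k$), can be computed directly from the figures quoted in the text. The following is an added example, not the paper's tool: it uses the flash sizes, $T_C$ and $A$ stated above for the three candidate microcontrollers (reading "8K" and "1MB" as multiples of 1024 bytes is an assumption), and the hex sizes passed to it are constructed rather than taken from Table 2. Exact rationals are used so that the floor in the formula for $k$ is not affected by rounding.

```python
from fractions import Fraction
from math import floor

# Added example, not the paper's tool.  Exact rationals avoid rounding
# artefacts in the floor() that determines k.
TAU = Fraction(5, 100)            # tau = 0.05 s
RMS_BOUND = Fraction(69, 100)     # strengthened RMS bound 0.69 used in the text
AUX_CYCLES = 100                  # clock cycles assumed per auxiliary process
AUX_PERIOD = Fraction(1, 1000)    # period assumed for each auxiliary process, 1 ms

# Candidate microcontrollers with the flash size, clock period T_C and cycle
# bound A for the largest if-then-else block quoted in the text.
# "8K" and "1MB" are read as multiples of 1024 bytes (assumption).
ARCHS = (  # name, flash bytes, T_C in seconds, A
    ("atmega8",  8 * 1024,    Fraction(250, 10**9), 16),
    ("atmega16", 16 * 1024,   Fraction(250, 10**9), 16),
    ("ARM",      1024 * 1024, Fraction(250, 10**9), 12),
)

def smallest_fitting_arch(hex_bytes):
    """Realizability: the first (smallest-flash) architecture whose flash
    holds the compiled hex file, or None if none does."""
    for name, flash, _, _ in ARCHS:
        if hex_bytes <= flash:
            return name
    return None

def wcet_bound(b, A, T_C):
    """Controller WCET bound 4 b A T_C: 2b state bits plus 2 action bits are
    each decided by an if-then-else block of at most A cycles (T_B <= A T_C)."""
    return 4 * b * A * T_C

def rms_lhs(b, n, A, T_C, k):
    """Left-hand side of the strengthened RMS test with k auxiliary processes:
    4 b A T_C / (n tau) + k * 100 T_C / 10^-3."""
    alpha = wcet_bound(b, A, T_C) / (n * TAU)
    return alpha + k * AUX_CYCLES * T_C / AUX_PERIOD

def schedulable(b, n, A, T_C, k):
    """True if the controller plus k auxiliary processes pass the RMS test."""
    return rms_lhs(b, n, A, T_C, k) < RMS_BOUND

def max_aux_processes(alpha, T_C):
    """k = floor(10^-3 beta / (100 T_C)) with beta = 0.69 - alpha."""
    beta = RMS_BOUND - alpha
    return floor(AUX_PERIOD * beta / (AUX_CYCLES * T_C))

def analyse(b, n, hex_bytes):
    """The Table 2 quantities for one (b, n) and a compiled controller size."""
    arch = smallest_fitting_arch(hex_bytes)
    if arch is None:
        return None                       # not realizable on any candidate
    _, _, T_C, A = next(a for a in ARCHS if a[0] == arch)
    wcet = wcet_bound(b, A, T_C)
    alpha = wcet / (n * TAU)
    return {"arch": arch, "wcet": wcet, "alpha": alpha,
            "k": max_aux_processes(alpha, T_C)}

if __name__ == "__main__":
    # Constructed hex sizes; the real |K_hex| values are in the paper's Table 2.
    for b, n, size in ((10, 1, 6000), (10, 6, 12000), (8, 10, 20000)):
        r = analyse(b, n, size)
        print(b, n, r["arch"], float(r["wcet"]), float(r["alpha"]), r["k"])
```

For $b = 10$, $n = 1$ on an atmega8 the bound gives a WCET of $160\,\mu$s, $\alpha = 0.0032$ and $k = 27$, matching the $k \ge 27$ reported above; asking for one more auxiliary process ($k = 28$) pushes the utilisation past 0.69 and the test fails, which is exactly the margin a practitioner wants to know before flashing the device.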
Summing up, our on-the-fly approach allows us to directly obtain the final microcontroller implementation, by using a model-based methodology.
Control Software Performances
For the sake of completeness, though it is outside the scope of this paper, we evaluate the performance of the generated control software for different values of $b$ and $n$.
Namely, we simulate $I_b^n(K)$, that is the pendulum closed loop system. In order to show the impact of parameter $n$, in Figs. 4 and 5 we show simulations (on setup time and ripple) for a fixed value of $b$ (namely, $b = 10$) and for $n \in \{1, 6\}$. Finally, in order to show the impact of parameter $b$, in Figs. 6 and 7 we show simulations (on setup time and ripple) for a fixed value of $n$ (namely, $n = 6$) and for $b \in \{8, 10\}$.
Conclusion
In this paper, we address correct-by-construction control software synthesis from Formal System Level Specifications for Discrete Time Linear Hybrid Systems. Since in our approach the control software has a WCET known in advance, a concrete schedulability analysis can be easily carried out. We present an on-the-fly algorithm for control software synthesis that detects as soon as possible whether it cannot find a solution to a given control problem. This property turns out to be very useful in design space exploration: when looking for an optimal choice of design parameters, it is typical to try to solve control software synthesis problems that do not have a solution. As confirmed by our experimental results, our algorithm effectively supports design space exploration. On the inverted pendulum benchmark, using our on-the-fly algorithm we get a time saving of about 80% with respect to an exhaustive approach.
