Many Embedded Systems are indeed Software Based Control Systems (SBCSs), that is control systems whose controller consists of control software running on a microcontroller device. This motivates investigation on Formal Model Based Design approaches for automatic synthesis of SBCS control software. In previous works we presented an algorithm, along with a tool QKS implementing it, that from a formal model (as a Discrete Time Linear Hybrid System, DTLHS) of the controlled system (plant), implementation specifications (that is, number of bits in the Analog-to-Digital, AD, conversion) and System Level Formal Specifications (that is, safety and liveness requirements for the closed loop system) returns correct-by-construction control software that has a Worst Case Execution Time (WCET) linear in the number of AD bits and meets the given specifications. In this technical report we present full experimental results on using it to synthesize control software for two versions of buck DC-DC converters (single-input and multi-input), a widely used mixed-mode analog circuit.
1. Every T seconds (sampling time) do 2.
Read AD conversionx of plant sensor outputs x
3.
If (x is not in the Controllable_Region)
4.
Then // Exception (Fault Detected):
5.
Start Fault Isolation and Recovery (FDIR) 6. Else // Nominal case: 7. Compute (Control_Law) commandû fromx 8. Send DA conversion u ofû to plant actuators 
Introduction
Many Embedded Systems are indeed Software Based Control Systems (SBCSs). An SBCS consists of two main subsystems: the controller and the plant. Typically, the plant is a physical system consisting, for example, of mechanical or electrical devices whereas the controller consists of control software running on a microcontroller. In an endless loop, the controller reads sensor outputs from the plant and sends commands to plant actuators in order to guarantee that the closed loop system (that is, the system consisting of both plant and controller) meets given safety and liveness specifications (System Level Formal Specifications).
Software generation from models and formal specifications forms the core of Model Based Design of embedded software [2] . This approach is particularly interesting for SBCSs since in such a case system level (formal) specifications are much easier to define than the control software behavior itself. Fig. 1 shows the typical control loop skeleton for an SBCS. Measures from plant sensors go through an AD (analog-to-digital ) conversion (quantization) before being processed (line 2) and commands from the control software go through a DA (digital-to-analog) conversion before being sent to plant actuators (line 8). Basically, the control software design problem for SBCSs consists in designing software implementing functions Control_Law and Controllable_Region computing, respectively, the command to be sent to the plant (line 7) and the set of states on which the Control_Law function works correctly (Fault Detection in line 3).
In [5] we presented an algorithm and a tool QKS that from the plant model (as a hybrid system), from formal specifications for the closed loop system behaviour (System Level Formal Specifications) and from implementation specifications (that is, number of bits used in the quantization process) can generate correct-by-construction control software satisfying the given specifications.
In this technical report we present full experimental results on using it to synthesize control software for two versions of buck DC-DC converters (single-input and multi-input), a widely used mixed-mode analog circuit.
Background
We denote with [n] an initial segment {1, . . . , n} of the natural numbers. We denote with X = [x 1 , . . . , x n ] a finite sequence (list) of variables. By abuse of language we may regard sequences as sets and we use ∪ to denote list concatenation. Each variable x ranges on a known (bounded or unbounded) interval D x either of the reals or of the integers (discrete variables). We denote with D X the set x∈X D x . To clarify that a variable x is continuous (i.e. real valued) we may write x r . Similarly, to clarify that a variable x is discrete (i.e. integer valued) we may write x d . Boolean variables are discrete variables ranging on the set B = {0, 1}. We may write x b to denote a boolean variable. Analogously X r (X d , X b ) denotes the sequence of real (integer, boolean) variables in X. Finally, if x is a boolean variable we writē x for (1 − x).
Predicates
A linear expression over a list of variables X is a linear combination of variables in X with real coefficients. A linear constraint over X (or simply a constraint) is an expression of the form L(X) ≤ b, where L(X) is a linear expression over X and b is a real constant.
Predicates are inductively defined as follows. A constraint C(X) over a list of variables X is a predicate over X. If A(X) and B(X) are predicates over X, then (A(X) ∧ B(X)) and (A(X) ∨ B(X)) are predicates over X. Parentheses may be omitted, assuming usual associativity and precedence rules of logical operators. A conjunctive predicate is a conjunction of constraints. For linear constraints we write:
A valuation over a list of variables X is a function v that maps each variable x ∈ X to a value v(x) in D x . We denote with X * ∈ D X the sequence of values [v(x 1 ), . . . , v(x n )]. By abuse of language, we call valuation also the sequence of values X * . A satisfying assignment to a predicate P over X is a valuation X * such that P (X * ) holds. Abusing notation, we may denote with P the set of satisfying assignments to the predicate P (X). Two predicates P and Q over X are equivalent, notation P ≡ Q, if they have the same set of satisfying assignments.
A variable x ∈ X is said to be bounded in P if there exist a, b ∈ D x such that P (X) implies a ≤ x ≤ b. A predicate P is bounded if all its variables are bounded.
Given a constraint C(X) and a fresh boolean variable (guard) y ∈ X, the guarded constraint y → C(X) (if y then C(X)) denotes the predicate ((y = 0) ∨ C(X)). Similarly, we useȳ → C(X) (if not y then C(X)) to denote the predicate ((y = 1) ∨ C(X)). A guarded predicate is a conjunction of either constraints or guarded constraints.
When a guarded predicate is bounded, it can be easily transformed into a conjunctive predicate, as stated by the following proposition. Proposition 1. For each bounded guarded predicate P (X), there exists an equivalent bounded conjunctive predicate Q(X).
Discrete Time Linear Hybrid Systems
In this section we introduce our class of Discrete Time Linear Hybrid Systems (DTLHS for short). 
We denote with X the sequence of next state variables obtained by decorating with all variables in X.
•
is a finite sequence of auxiliary variables. Auxiliary variables are typically used to model modes (e.g., from switching elements such as diodes) or uncontrollable inputs (e.g., disturbances).
A DTLHS is bounded if predicate N is bounded.
By Prop. 1, any bounded guarded predicate can be transformed into a conjunctive predicate. For the sake of readability, we will use bounded guarded predicates to describe the transition relation of bounded DTLHSs. Note that DTLHSs can effectively model linear algebraic constraints involving both continuous as well as discrete variables. Therefore many embedded control systems may be modeled as DTLHSs.
Single-input Buck DC-DC Converter
The buck DC-DC converter (Fig. 2) is a mixed-mode analog circuit converting the DC input voltage (V in in Fig. 2 ) to a desired DC output voltage (v O in Fig. 2 ). As an example, buck DC-DC converters are used off-chip to scale down the typical laptop battery voltage (12-24) to the just few volts needed by the laptop processor (e.g. [8] ) as well as on-chip to support Dynamic Voltage and Frequency Scaling (DVFS) in multicore processors (e.g. [3, 7] ). Because of its widespread use, control schemas for buck DC-DC converters have been widely studied (e.g. see [3, 7, 8, 9] ). The typical software based approach (e.g. see [8] ) is to control the switch u in Fig. 2 (typically implemented with a MOSFET) with a microcontroller.
Designing the software to run on the microcontroller to properly actuate the switch is the control software design problem for the buck DC-DC converter in our context. 
Such considerations lead to use the following sets of variables to model H:
. Note how H auxiliary variables Y stem from the constitutive equations of the switching elements (i.e. the switch u and the diode D in Fig. 2) . From a simple circuit analysis (e.g. see [4] ) we have the following equations:
where the coefficients a i,j depend on the circuit parameters R, r L , r C , L and C in the following way:
. Using a discrete time model with sampling time T (writing x for x(t + 1)) we have:
The algebraic constraints stemming from the constitutive equations of the switching elements are the following:
The transition relation N of H is given by the conjunction of the constraints in Eqs. (3)-(12) and the following explicit (safety) bounds:
Modelling Robustness on Input V in and Load R
In this section we address the problem of refining the model given in Sect. 4 so as to require a controller for our single-input buck to be robust to foreseen variations in the load R and in the power supply V in . That is, given tolerances ρ R and ρ V in , we want the controller output by QKS for our single-input buck to work for any R ∈ [max{0,
Variations in the power supply are modeled by replacing Eq. (8) in Sect. 4 with the following:
Along the same lines, we may model also variations in the load R. However, since N dynamics is not linear in R, much more work is needed (along the lines of [1] ). To this aim, we proceed as follows.
The only equation depending on R is Eq. (4) of Sect. 4. Consider constants a 2,
as (nonlinear) functions of R. It is easy to see that a 2,1 (R), a 2,2 (R) are monotonically increasing functions for R ∈ R + , while a 2,3 (R) is monotonically decreasing for R ∈ R + . Thus, if signs of i L , v O , v D are known, it is possible to replace Eq. (4) with two inequalities
This leads us to replace Eq. (4) of Sect. 4 with the equations in Fig. 3 . Note that, w.r.t. the model in Sect. 4, in Fig. 3 we add to 
Multi-input Buck DC-DC Converter
A multi-input buck DC-DC converter [6] (Fig. 4) . . , u n , thus a control software for the n-input buck dc-dc converter has to properly actuate the switches u 1 , . . . , u n .
We model our n-input buck DC-DC converter with DTLHS H = (X, U, Y, N ), where
. . , q n−1 ]. As for the predicate N , from a simple circuit analysis (e.g. see [4] ) we have that state variables constraints are the same as Eqs. (3) and (4) of the converter in Sect. 4.
The algebraic constraints stemming from the constitutive equations of the switching elements are the following (where i and j range in [n − 1] and [n] respectively):
Finally, N is given by the conjunction of Eqs. (3) and (4) of Sect. 4, Eqs. (45)-(57) and the following explicit (safety) bounds:
Modelling Robustness on Inputs V i and Load R
In this section we address the problem of refining the model given in Sect. 5 so as to require a controller for our multi-input buck to be robust to foreseen variations in the load R and in the power supplies V i (for i ∈ [n]). As it is explained in Sect. 4.1, given tolerances ρ R and ρ V i (for i ∈ [n]), we want the controller output by QKS for our multi-input buck to work for any R ∈ [max{0,
Variations in the power supplies are modeled by replacing Eqs. (56) and (57) in Sect. 5 with the following (where i ranges in [n − 1]):
As for the robustness w.r.t. the load R, since the only equation depending on R is Eq. (4) of Sect. 4, which also holds for the multi-input buck, the same reasoning of Sect. 4.1 may be applied. Thus, we have to replace Eq. (4) of Sect. 4 with the equations in Fig. 3 .
Experimental Results
In this section we present our experimental results about running QKS [5] on the buck models described in Sects. 4 and 5. Namely, we will present experimental results on the robust model for the single-input buck described in Sect. 4.1 (Sect. 6.1) and on the (non-robust) model for the multi-buck described in Sect. 5 (Sect. 6.2). All experiments run on an Intel 3.0 GHz hyperthreaded Quad Core Linux PC with 8 GB of RAM.
Single-input Buck
We run QKS on the single-input buck model taking into account foreseen variations in the load R and in the power supply V in (see Sect. 4.1). Since QKS also require as input the number of AD bits b (see [5] for details), we run multiple times QKS for different values of b, each time obtaining a controller K b . All other constants introduced in Sect. 4 are fixed as follows:
4 Ω. Tabs. 1, 2 and 3 show our experimental results. Columns in Tab. 1 have the following meaning. Column b shows the number of AD bits (see [5] for details). Columns labeled Control Abstraction show performance for control abstraction computation (see [5] for details) and they show running time (column CPU, in secs), memory usage (MEM, in bytes), the number of transitions in the generated control abstraction (Arcs), the number of self-loops in the maximum control abstraction (MaxLoops), and the fraction of loops that are kept in the minimum control abstraction w.r.t. the number of loops in the maximum control abstraction (LoopFrac).
Columns labeled Controller Synthesis show the computation time (column CPU, in secs) for the generation of K b , and the size of its OBDD representation (OBDD, number of nodes). The latter is also the size (number of lines) of K b C code synthesized implementation. Finally, columns labeled Total show the total computation time (column CPU, in secs) and the memory (MEM, in bytes) for the whole process (i.e., control abstraction plus controller source code generation), as well as the final outcome µ ∈ {Sol, NoSol, Unk} of QKS (see [5] for details).
For each MILP problem solved in QKS (see [5] for details), Tabs. 2 and 3 show (as a function of b) the total and the average CPU time (in seconds) spent solving MILP problem instances, together with the number of MILP Num is the number of times that the MILP problem of the given type is called, Time is the total CPU time (in secs) needed to solve all the Num instances of the MILP problem of the given type, and Avg is the average CPU time (in secs), i.e. the ratio between columns Time and Num. Each row in Tabs. 2 and 3 refer to a type of MILP problem solved, see [5] for details. Finally, in Figs. 5-8 we show the guaranteed operational range (controlled regions, see [5] for details) of the controllers generated for the single-input buck by QKS.
Multi-input Buck
We run QKS on the multi-input buck model described in Sect. 5. Differently from Sect. 6.1, we fix the number of AD bits b for QKS, namely b = 10. On the other hand, we run multiple times QKS by varying the number n Finally, in Figs. 9-12 we show the guaranteed operational range (controlled regions, see [5] for details) of the controllers generated for the multiinput buck by QKS.
Conclusions
We presented experimental results on using the QKS tool [5] , to support a Formal Model Based Design approach to control software. Our experiments have been carried out on two versions of the buck DC-DC converter, namely the single-input and the multi-input versions. We also showed how robust controllers may be generated for such bucks, namely by taking into account also foreseen variations on some important buck parameters such as load and input power supplies. Figure 11: Multi-input buck: controlled region with n = 3 inputs
