For hybrid systems described by interconnections of linear discrete-time dynamical systems, automata, and propositional logic rules, we recently proposed the Mixed Logical Dynamical (MLD) systems formalism and the language HYSDEL (Hybrid System Description Language) as a modeling tool. For MLD models, we developed a reachability analysis algorithm which combines forward reach set computation and feasibility analysis of trajectories by linear and mixed-integer linear programming. In this paper the versatility of the overall analysis tool is illustrated on the batch evaporator benchmark process.
Introduction
Hybrid models describe processes which evolve according to dynamic equations and logic rules [2] . The interest in hybrid systems has grown over the last few years not only because of the theoretical challenges, but also because of their impact on applications, for instance in the automotive industry [6] . Although many physical phenomena are hybrid in nature, the main interest here is directed to real-time systems, where physical processes are controlled by embedded controllers. For this reason, it is important to have available tools to guarantee that this combination behaves as desired. Formal verification is aimed at providing such a certification. This amounts to solving the following reachability problem: For a given set of initial conditions and disturbances, guarantee that all possible trajectories never enter a set of unsafe states, or possibly provide a counterexample. Unfortunately, it is well known that formal verification is an undecidable problem [1, 26] , as many other system theoretical problems such as stability [15] and observability [7] analysis of hybrid systems. In spite of this complexity, several tools for formal verification of hybrid systems have been proposed in the literature [4, 14, 20, 22, 35] .
Any verification algorithm needs an abstraction of the real process, namely a mathematical model of the process. The model should not be too complicated in order to efficiently define and run a verification algorithm, but also not too simple, otherwise the results are either too conservative or wrong.
Timed automata and hybrid automata have proved to be successful modeling formalisms for verification, and have been widely used in the literature. In the theory of timed automata [5] , the dynamic part is the continuous-time flow x 1. Timed automata were extended to linear hybrid automata [1] , where the dynamics is modeled by the differential inclusion a x b. On the other side, the control community started studying the so-called hybrid dynamical systems [2, 18, 34] where the switching between different dynamics is governed by a finite state machine. A special case where dynamic equations and switching rules are linear functions of the state are the so-called Piecewise Affine (PWA) systems [38] . These are defined by partitioning the state space into polyhedral regions, and associating with each region a different linear state-update equation. PWA systems can model a large number of physical processes, such as systems with static nonlinearities (for instance actuator saturation), and can approximate nonlinear dynamics via multiple linearizations at different operating points. The study of PWA systems is also motivated by the stability and performance analysis of highperformance controllers [32] . In particular, in [10] the authors showed that a model predictive controller (MPC) for constrained linear systems can be expressed explicitly in closed-form as a continuous and piecewise affine state-feedback law. The resulting closed-loop system is therefore PWA, and the criteria for proving stability and robust stability against disturbances and model uncertainties are of fundamental importance [13] . PWA systems are equivalent to interconnections of linear systems and finite automata, as pointed out by Sontag [38] . Based on different arguments, a similar result was proved constructively for discrete-time hybrid models in [7] and extended in [21] , where the authors show that PWA systems, linear complementarity (LC) and extended linear complementarity (ELC) systems, max-min-plus-scaling (MMPS) systems, and mixed logical dynamical (MLD) systems are equivalent.
In particular, the MLD framework [9] allows specifying the evolution of continuous variables through linear dynamic equations, of discrete variables through propositional logic statements and automata, and the mutual interaction between the two. The key idea of the approach consists of embedding the logic part in the state equations by transforming Boolean variables into 0±1 integers, and by expressing the relations as mixed-integer linear inequalities. Such a translation procedure is the core of the tool HYSDEL (Hybrid Systems Description Language), which automatically generates an MLD model from a high-level textual description of the system [40] .
MLD systems are formulated in discrete time. Despite the fact that the effects of sampling can be neglected in most applications, subtle phenomena such as Zeno behaviors [25] cannot be captured in discrete time. Although reformulating MLD systems in continuous-time would be quite easy from a theoretical point of view, a discrete-time formulation allows one to develop numerically tractable schemes for solving complex analysis and synthesis problems. Several questions related to MLD systems can indeed be suitably formulated as mixed-integer linear/quadratic optimization problems. For feedback control, in [9] the authors propose a model predictive control scheme which is capable of stabilizing MLD systems on desired reference trajectories while fulfilling operating constraints, and possibly take into account previous qualitative knowledge in the form of heuristic rules. Formal verification algorithms were developed in [12] for MLD hybrid systems, extended in [8] for solving scheduling problems using combined reachability analysis and quadratic optimization, and in [13] for stability and performance analysis of hybrid control systems.
In this paper, we review the basics of MLD systems, the specification language HYSDEL, the reachability analysis algorithm described in [12] , and we address the formal verification problem of the batch evaporator benchmark [23, 28, 30] . We model the process in HYSDEL (in particular, the subsystem defined in [29] ) to obtain an MLD system. This consists of three continuous states, and of a finite state automaton representing a programmable logic controller (PLC) control sequence. For formal verification, we adopt the algorithm in [12] , where safety tests and reach set computation are done via linear programming (LP), switching detection via mixed-integer linear programming (MILP), and where the reach sets are approximated by using tools from computational geometry. The overall modeling and verification procedure is depicted in Fig. 1 .
Mixed Logical Dynamical and Piecewise Affine Systems
Several modeling frameworks were proposed in the control literature. Two main categories were successfully adopted for analysis and synthesis [16] : hybrid control systems [1, 3, 9, 33, 34] , which consist of the interaction between continuous dynamical systems Safety Properties Safety Requirements Fig. 1 . The overall tool for verification of hybrid systems: The hybrid dynamic model is specified in HYSDEL, translated into MLD and PWA form, and used by the reachability analysis algorithm for proving safety properties.
and discrete/logic automata (Fig. 2a) , and switched systems [17, 24, 37] , where the state space is partitioned into regions, each one associated with a different continuous dynamics (Fig. 2b) .
Switched systems defined by a polyhedral partition of the state-space and linear dynamic equations are the so-called PWA systems
where
i0 is a polyhedral partition of the sets of states 1 X, the matrices A i , B i , f i , H i , K i are constant and have suitable dimensions, and the inequality H i x K i should be interpreted componentwise. Without additional hypotheses on the continuity of the piecewise affine state-update mapping, definition (1) is not well posed, as the state-update function is twice (or more times) defined over common boundaries of sets g i (the boundaries will also be referred to as guardlines). This is a technical issue which can be avoided as in [37] by dealing with open polyhedra and boundaries separately, but it is not of practical interest for the numerical approach taken in this paper.
In this paper we will adopt the MLD system framework introduced in [9] . MLD systems are hybrid systems defined by the interaction of logic, finite state machines, and linear discrete-time systems, as shown in Fig. 2a . The ability to include constraints, constraint prioritization, and heuristics adds to the expressiveness and generality of the MLD framework.
The MLD modeling framework relies on the idea of translating logic relations into mixed-integer linear inequalities [9, 19, 36, 41, 43, 44] . By following standard notation, we adopt capital letters X i to represent propositions, e.g.``x ! 0'' or``Temperature is hot''. X i is commonly referred to as a literal, and has a truth value of either TRUE or FALSE. Boolean algebra enables propositions to be combined by means of connectives:``'' (AND),``'' (OR),``$ '' (NOT),``3 '' (implies),``6'' (if and only if, IFF),``È'' (exclusive or, XOR). A literal X i can be associated with a logical variable d i P f0, 1g, which has a value of either 1 if X i is TRUE, or 0 otherwise. A propositional logic problem, where a proposition X 1 must be proved to be true given a set of propositions involving literals X 1 , F F F , X n , can be solved by means of a linear integer program by suitably translating the original propositions into linear inequalities involving logical variables d i [19] . Some basic translations are reported in Table 1 .
Such translation techniques can be adopted to model logical parts of processes and heuristic knowledge about plant operation as integer linear inequalities. The link between logic propositions and continuous dynamical variables, in the form of logic propositions derived from conditions on physical dynamics, is provided by properties (analog-to-digital interface (ADI)), (digital-to-analog interface (DAI)) in Table 1 , and leads to mixed-integer linear inequalities, i.e. linear inequalities involving both continuous variables of n and logical (or binary) variables in f0, 1g. Consider, for instance, the proposition X Á a H 1 x b 1 , where x P & n and is a given bounded set, a P n , b P , and let
1 More generally, g i are subsets the of state input space n+m , for instance when the PWA system is obtained as an equivalent representation of an MLD system [7] . 
Discrete-Time Hybrid Modeling and Verification
By associating a binary variable d with the literal X, one can transform X Á a H 1 x b 1 into the pair of mixed-integer inequalities described in (AD1), Table 1 , where is a small tolerance (typically the machine precision), beyond which the constraint is regarded as violated. Note that tolerances could be avoided by defining the second inequality in (AD1) as a H x À b b md. On the other hand, as we are interested in developing numerical tools for MLD models, strict inequalities a H x b b must be approximated by a H x ! b for some b 0, with the assumption that 0`a H x À b` cannot occur due to the finite precision of the computer. Note also that sometimes translations require the introduction of auxiliary variables [44, p. 178] . For instance, according to (DA1), a quantity which is either a
The rules of Table 1 can be generalized for relations involving n literals X 1 , F F F , X n combined by arbitrary connectives. Any Boolean expression of logical variables defined by the grammar
where X is a Boolean variable, can be translated into the conjunctive normal form (CNF)
by using standard methods [40] . As an example, the proposition (L7) X 3 6 X 1 X 2 is equivalent to
Subsequently, the CNF can be translated into the set of integer linear inequalities
For instance, one can verify that the CNF (3) maps to the inequalities reported in Table 1 (L7). The stateupdate law of finite state machines can be described by logic propositions involving binary states, their time updates, and binary signals. The automatized translation mentioned above can be directly applied to translate automata into a set of linear integer inequalities. An example will be provided when modeling the PLC control code of the batch evaporator process benchmark in Section 5. By collecting the equalities and inequalities generated by the translation of the automata, ADI, DAI, and by including the linear dynamic difference equations, we can model the hybrid system depicted in Fig. 2a as the MLD system 
n is a vector of continuous and binary states, u P m c Â f0, 1g m are the inputs,
represent auxiliary binary and continuous variables respectively, which are introduced when transforming logic relations into mixed-integer linear inequalities, and È, q 1À3 , r, h 1À3 , i 1À5 are matrices of suitable dimensions. The inequalities (5c) include the constraints obtained by the D/A and A/D parts of the system, logic, and automata, as well as possible physical constraints on states and inputs. The description (5) seems to be linear, because the nonlinearity is concentrated in the integrality constraints over binary variables. We assume that system (5) is completely well-posed [9] , which means that for all x, u within a bounded set the variables d, z are uniquely determined, i.e. there exist functions F, G such that, at each time
2 . This allows assuming that x(t 1) and y(t) are uniquely defined once x(t), u(t) are given, and therefore that x-and y-trajectories exist and are uniquely determined by the initial state x(0) and input signal u. In light of the transformations of Table 1 , it is clear that the well-posedness assumption stated above is usually guaranteed by the procedure used to generate the linear inequalities (5c), and therefore this hypothesis is typically fulfilled by MLD relations derived from modeling real-world plants. Nevertheless, a numerical test for well-posedness is reported in [9, Appendix 1].
HYSDEL
In the previous sections we have described a technique for transforming the hybrid system into the set of linear mixed-integer equalities and inequalities (5), denoted as MLD system. The language HYSDEL fully automatizes the translation procedure. Given a textual description of the logic and dynamic parts of the hybrid system, HYSDEL returns the matrices È, q 1À3 , r, h 1À3 , i 1À5 of the corresponding MLD form (5) . A full description of HYSDEL is reported in [40] . The compiler is available at http://control.ethz.ch/~hybrid/hysdel.
A HYSDEL description is composed of two parts: The first one, called sxipegi, contains the declaration of all the continuous and binary state, input, and output variables, and parameters. The second part, swviwixesyx, is composed of six specialized sections where the relations among variables are described, as detailed below. An example HYSDEL code is reported in Appendix A.
eh and he Sections
These two sections define the interactions among the continuous and discrete variables. The eh section defines the Boolean variables from linear-threshold conditions over the continuous variables. For instance,
In HYSDEL this condition is represented as:
The expression mxD minD e denotes the upper and the lower bounds of the function for which the threshold is specified, and e is the tolerance mentioned in Section 2. HYSDEL translates the eh section into mixed-integer inequalities as in (AD1), 
HYSDEL translates the he section into mixed-integer inequalities according to the equivalence (AD1), Table 1 .
vyqsg Section
This section specifies arbitrary functions X n fX 1 , X 2 , F F F , X nÀ1 of Boolean variables, where f is a Boolean expression defined by the grammar (2). For example, the formula
represented in HYSDEL as:
and translated into the mixed-integer inequalities by computing the associated CNF and then using (4).
gyxsxy Section
This section describes linear dynamics as difference equations. Consider, for instance, the first-order linear dynamic equation xt Àaxt but and its equivalent discrete-time counterpart xk 1 e ÀaT xk À 1 À e ÀaT aabuk where T is the sampling time. In HYSDEL, this is described as:
eywee Section
This section specifies the state transition equations of automata, under the assumptions that transitions are clocked and synchronous with the sampling time of the continuous dynamical equations, and that the automaton is well-posed according to the definition recalled in Section 2. (Fig. 3) .
The first step is to associate a Boolean representation with each of the n s logic states of the automata (see Fig. 3 ). This can be done by defining a logic state vector x of size dlog 2 n s e (x
in the example). Using standard tools from digital circuit design, one can derive the state transition function for the automaton:
where u l is the vector of Boolean signals defining the transitions of the automaton. Therefore the automaton is equivalent to a nonlinear discrete time system where F is a purely Boolean function. The state transition function is inserted in the HYSDEL section eywee. The Boolean values of the states x that are not associated with any logic state of the automaton can be explicitly ruled out in the w section of the HYSDEL code.
An example is reported later in Section 5, where the PLC code that handles the exceptions in the batch evaporator system is modeled in HYSDEL.
w Section
This section allows to specify linear constraints on continuous variables, and logic constraints of the typè`F
uPYgX
The textual description of the hybrid model is processed by the HYSDEL compiler, which generates the matrices of the MLD system (5) . Once the MLD model is available, its equivalent PWA form (1) is obtained by using the procedure suggested in [7] .
In the next section, we will assume that both the PWA and the MLD forms are available and discuss their complementary role in the reachability analysis algorithm.
Reachability Analysis
The reachability analysis of hybrid dynamical systems allows the verification of safety properties: For a given set of initial conditions and exogenous signals, verify that the set of unsafe states cannot be entered, or provide a counterexample. More precisely, we define the following:
Reachability Analysis Problem Given a hybrid system AE (either in PWA form (1) or MLD (5)), a set of initial conditions 0, a collection of disjoint target sets 1 , 2 , F F F , L , a bounded set of inputs , and a time horizon t T max , determine (i) if j is reachable from 0 within t T max steps for some sequence fu0, F F F , ut À 1g of exogenous inputs; (ii) if yes, the subset of initial conditions j 0 of 0 from which j can be reached within T max steps; (iii) for any x 1 P j 0 and x 2 P j , the input sequence fu0, F F F , ut À 1g , t T max , which drives x 1 to x 2 (Fig 4) .
From now on, we will assume that 0, j , are polyhedral sets, and, without loss of generality, that they are also convex. We will also denote by t, 0 the reach set at time t starting from any x P 0 and
Any Fig. 3 . Example of automaton with n s 3 logic states, represented with 2 dlog 2 n s e logic variables and u u 1 u 2 H P f0, 1g 2 .
by applying any input uk P , 0 k t À 1. The reason for focusing on finite-time reachability is that the time-horizon T max has a clear meaning, namely that states which are not reachable in less than T max steps are in practice unreachable. Although finite time reachability analysis cannot guarantee certain liveness properties (for instance, if i will be ever reached), the reachability problem stated above is clearly decidable [31, 42] . Nevertheless, the problem is x P-hard. To see this, for simplicity consider that system AE is piecewise linear ( f i 0, for all i 0, F F F , s À 1), and autonomous (B i 0 for all i 0, F F F , s À 1). Its evolution is
where ik P f0, F F F , s À 1g is the index such that
The previous questions of reachability can be answered once all the switching sequences IT Á fi0, F F F , iT À 1g, VT T max leading to 1 , or 2 , F F F, or L from 0 are known. In fact, it is enough to check that the reach set at time T, T, 0
satisfies T, 0 j T Y for all admissible switching sequences I(T). However, the number of all possible switching sequences I(T) is combinatorial with respect to T and the number of partitions s, and any enumeration method would be impractical. We recall the verification algorithm proposed in [12] that will be used to avoid such an enumeration (see Table 2 ).
Verification Algorithm
In order to determine admissible switching sequences I(t), we need to exploit the special structure of the PWA system (1). This allows an easy computation of the reach set, as long as the evolution remains within a single region g i of the polyhedral partition. Whenever the reach set crosses a guardline and enters a new region g j , a new reach set computation based on the jth linear dynamics is computed, as shown in Fig. 5a . The Algorithm proposed in [12] is summarized by the pseudo-code reported in Table 2 , where we assume that 0 & g i is a convex polyhedral set (more generally, we can consider all nonempty intersections 0 g i , for all i 1, F F F , s). The algorithm determines the reach set T, 0 for all T T max (i.e., the reachable set). 
Reach Set Computation
The reach set t, R j g i is computed iteratively in steps 4, 7, and 11. Note that the subset S i t, 0 of 0 whose evolution lies in g i for t steps is given by the explicit representation
As St, 0 is a polyhedral set in the augmented space of tuples x, u0, F F F , ut À 1, the reach set t, 0 g i is a polyhedral set as well. A compact representation of t, 0 g i (as inequalities over the final state x(t)) can be computed by projecting St, 0 onto the affine subspace A 
Guardline Crossing Detection
Step 8 requires a switching detection, namely finding all possible new regions g h entered by the reach set at the next time step, or, in other words, all the nonempty sets R h Á t, 0 g h , h T i. Rather than enumerating and checking nonemptiness for all h 0, F F F , i À 1, i 1, F F F , s À 1, we can exploit the equivalence between PWA and MLD, and solve the switching detection problem via mixed-integer linear programming. In fact, switching detection amounts to finding all feasible vectors dt P f0, 1g r which are compatible with the constraints in (5) plus the constraint xt À 1 P t À 1, 0 g i . Such a problem is a mixed-integer linear feasibility test, and can be efficiently solved through standard recursive branch and bound procedures. In the average case, the MLD form (through the branch and bound algorithm) requires a number of feasibility tests which is much smaller than enumerating and solving a feasibility test for all the possible regions of the PWA model.
Approximation of Intersection
The computation of the reach set proceeds in each region g h from each new intersection R h . A new reach set computation is started from R h , unless R h is contained in some larger subset of g h which was already explored. As in principle the number of facets of R h grows linearly with time, we need to approximate R h in step 9, so that its complexity is bounded (and therefore the reach set computation from R h has a limited complexity with respect to the initial region). Hyper-rectangular approximations " R h of R h are the best candidates, as checking for set inclusion between hyper-rectangles reduces to a simple comparison of the coordinates of the vertices. On the other hand, a crude rectangular outer approximation of R h might lead to explore large regions which are not reachable from the initial set 0, as they are just introduced by the approximation itself. In [11] the authors propose an iterative method for inner and outer approximation which is based on linear programming, and approximates with arbitrary precision polytopes by a collection of hyper-rectangles, as depicted in Fig. 5b. 
Termination of Explorations
In Section 4.1.1 we showed how to compute the evolution of the reach set t, R j inside a region g i . The computation is stopped (step 5) once one of the following condition happens:
1. The set t, R j is empty. This means that the whole evolution has left region g i . 2. t, R j j , j 1, F F F , L, the target set j has been reached by all possible evolutions from R j . 3. t b T max .
These conditions can be easily checked through LP. Note that the termination condition 2 implies that once a target set has been reached no further exploration is performed.
Post-processing
The result of the exploration algorithm detailed in the previous sections can be conveniently stored in a graph G. The nodes of G represent sets from which a reach set evolution is computed, and an oriented arc of G connects two nodes if a transition exists between the two corresponding sets. Each arc has an associated weight which represents the time-steps needed for the transition. The graph has initially no arc, and the nonempty initial set 0 and j , j 1, F F F , L as nodes. When a new intersection t, 0 g h is detected, it is approximated by a collection of hyper-rectangles, as described in Section 4.1.3. Each hyper-rectangle becomes a new node in G, and is connected by a weighted arc from 0. In addition, each hyperrectangle is pushed on a stack of sets to be explored.
Before starting a new reach set computation from a set R j extracted from the stack, we check for inclusion of R j in other nodes of G. If this happens, say R j R 1 and R j R 2 , the node associated with R j is removed from G, and the arcs are redirected.
After Algorithm 4.1 terminates, the oriented paths on G from initial node 0 to terminal nodes j , j 1, F F F , L determine a superset of feasible switching sequences It fi0, F F F , it À 1g. In fact, because of the outer approximation " R h of new intersections R h (step 9), not all switching sequences are feasible. Feasibility can be simply tested via LP over the sets of linear inequalities generated by an explicit reach set representation as in (7).
Verification of the Batch Evaporator Process Benchmark
In this section we apply the tools proposed in the previous sections to the benchmark problem proposed within the ESPRIT-LTR Project 26270 VHS (Verification of Hybrid Systems) 3 as Case Study 1. The full system consists of an experimental batch plant [28] . In this paper we will focus only on the evaporator system, as proposed in [29] , which is schematically depicted in Fig. 6 .
The considered subsystem is composed of three parts: the upper tank 1 (labeled as fS in Fig. 6 ), the lower tank 2 (fU) and the condenser (uI). Tank 1 is equipped with a heating system (r), and is connected to tank 2 by a pipe and a valve (IS), while the outlet of tank 2 is controlled by valve IV. Both the heating system and the valves can only have two configurations: on (open) and off (closed). The levels h 1 , h 2 of the solution in the two tanks, and the temperature T of tank 1 are detected by sensors. These provide four logic signals: tank 1 empty, tank 2 empty, alarm, and crystallization. A tank is considered empty when its level is below 1 cm.
During normal operation of the plant, an aqueous solution with a low concentration of salt enters tank 1. The heating is turned on, and when the production of steam begins, the concentration of salt in tank 1 starts to rise. The outgoing steam flows through the condenser and is drained away from the system. When the concentration of salt has reached a certain level, the heating system is switched off, valve IS is opened, and the solution flows to tank 2, for post processing operations. The plant is designed in such a way that more than one batch can be produced at the same time, so that tank 1 and tank 2 can process different batches in parallel.
In this paper we focus on the exception handling required when the condenser does not work properly. Suppose that for some reason (e.g. lack of cooling agent) the condenser malfunctions. In this case, the steam cannot be cooled down and the pressure in tank 1 rises. The heating system should be switched off to prevent damage to the plant due to over-pressure. On the other hand, the temperature in tank 1 should not get lower than a critical temperature T c , otherwise the salt may crystallize and expensive procedures would be needed to restore the original functionality.
A PLC controls the plant according to the finite state machine depicted in Fig. 7 , where the event alarm occurs when T ! T a , and crystallization when T T c .
The control strategy can be explained as follows. When a malfunction of the condenser is detected, the controller enters the alarm mode and immediately opens valve IV to empty tank 2. During this phase, the heater is still in the heating state. When the temperature in tank 1 reaches the alarm level T a (alarm), the heating is switched off and the controller enters the state cooling. Finally, when tank 2 is empty, the controller gets in the state draining, where valve IV is closed and valve IS is opened, and the solution flows from the upper tank to the lower tank. From draining, the controller can either switch to the state won if tank 1 becomes empty, or to lost if the temperature in tank 1 becomes lower than the critical value T c .
The aim is to verify that the controller satisfies the following safety requirements: (i) if a malfunctioning in the cooling system of the condenser occurs, the heater must be turned off quickly enough to prevent damages to the condenser, (ii) the solution in tank 1 is drained to tank 2 before it solidifies, (iii) when the valve V15 is open tank 2 is empty.
Certifying that the PLC code satisfies these specifications amounts to verify that from all the initial states in a given set 0 the system never reaches the state lost, or, equivalently, that the system always reaches the state won.
Modeling CS1 in MLD Form
In order to use the verification tools described in Section 4, we need to obtain a hybrid model of the batch evaporator process in MLD form. We consider the model described in [39] , which only takes into account the dynamics of the levels h 1 , h 2 , and of the temperature T of tank 1. The model developed in [39] is summarized in Table 3 (dynamic equations associated with each logical state of the controller of Fig. 7 ) together with the parameters reported in Appendix B.1, and is based on the following simplifying assumptions: (i) the pressure increase during the evaporation in the heating phase is neglected, (ii) the dynamics during the cooling phase is the same for T b 373 K, (iii) average constants replace ranges of physical parameters.
Continuous Dynamics
The dynamic equations described in Table 3 are nonlinear and continuous-time. As MLD models only deal with hybrid linear discrete-time dynamics, we first approximate the static nonlinearity (square root) with a piecewise linear function, and then sample the resulting system. The nonlinearity arises from Torricelli's law, which models the liquid flow through the outlet of the tank, namely h Àk h p where k depends on the geometry of the tank and outlet pipe, and h is the height of the liquid in the tank.
We partition the operating range of h and approximate the square root by a linear function in three intervals: [0, 0.01], (0.01, h t ] and (h t , h max ], as in Fig. 8 . In the first interval [0, 0.01] the approximation is such that h goes instantaneously to zero when the level is lower that 0.01 (consistent with the PLC, which assumes that the tank is empty if h`0.01). In the other two intervals, a straight line interpolates the extreme points. The parameter h t can be chosen % h max a2. Figure 8 shows the square root and its piecewise linear approximation for h t 0X9 (left plot), and compares the evolution of the original continuous-time system and its sampled (T s 60 s) piecewise linear counterpart (right plot).
The piecewise linear approximation of the nonlinearity can be represented by introducing two logical auxiliary variables l i1 , l i0 , i 1, 2, defined by
where we use the shorthand notation l i1 for l i1 1, and " l i1 for l i1 0. As h it b 0X01, the logic relation " l i1 t " l i0 t TRUE holds Vt, i 1, 2. Then, the piecewise linear approximation of the square root is defined by
where the constants a 1h i , a 2h i , b 1h i , b 2h i are defined in Appendix B.2.
A/D
As mentioned above, the level and temperature sensors provide four logic signals: tank 1 empty, tank 2 empty, alarm, crystallization. We associate a 0/1 variable with each signal, namely l 10 , l 20 introduced in (8) for the tank levels, and t 1 , t 2 , for the temperature, Table 3 . Continuous dynamics associated with the different states of the FSM in Fig. 7 .
Logic state Heating

IS IV
Dynamic behavior and T(t) is the temperature in tank 1. As T a b T c , the logic condition " t 1 t " t 2 t TRUE must be satisfied for all t.
Automaton
The five states of the automaton in Fig. 7 representing the PLC code for exception handling can be represented by the combination of three 0/1 logical states, grouped in the binary vector x , according to the convention are not used, the logic constraint x 1 tx 2 t x 3 t FALSE must hold Vt. The transition map of the automaton is expressed by 0/1 variables in Table 4 .
Each update x i t 1, i 1, 2, 3, can be rewritten as a sum of products (SOP)
by simply collecting all the rows of Table 4 where x i t 1 1 (in (11)±(13) the temporal index (t) on the right hand side has been omitted for brevity). For instance, the update law for x 1 is obtained by collecting the rows where x 1 t 1 is 1 (rows 3 and 5), and rewriting the conditions on lines 3 and 5 as in (11) . The control action produced in each logical state of the controller is ht " x 1 t" x 2 t" x 3 t, 14
and is obtained in a similar way from Table 5 . 
Sampling
Each linear continuous dynamics of the piecewise linear approximations is sampled with sampling time T s 60 s. Because of the resulting discrete-time nature of the model, switches can only occur at sampling steps. Although this clearly introduces a model mismatch, the sampling time is short enough to render the approximation negligible, or at least comparable with the other approximations of the physics of the model.
D/A
The continuous state-update law can be rewritten as the linear set of difference equations Tk 1 z T k, 17
where z T and z h ij are auxiliary continuous variables defined in Table 6 , together with the parameters specified in Appendix B.3. In summary, the state of the MLD system modeling the batch evaporator process is
d P f0, 1g 18 , z P 8 and the corresponding MLD and PWA models are automatically obtained by processing the HYSDEL system description reported in Appendix A. The total number of MLD inequalities is 127. The equivalent PWA system has 13 regions.
Verification Results
We aim to verify that after an exception occurs, the PLC code based on the control logic of Fig. 7 safely shuts down the plant to the won state for any initial condition Table 5 . Output function of the automaton. (lost). The results of the algorithm are plotted in Fig. 9 , where the set evolution in the three-dimensional continuous state space h 1 , h 2 , T from the initial conditions 0 is depicted from different view angles. Algorithm 4.1 was executed in 79 s on a PC Pentium II running interpreted Matlab code. The tool can also easily perform parametric verification if the vector of parameters enters the model linearly, and its range is a polyhedral set Â (e.g. Â is an interval). Constant parameters can in fact be taken into account by augmenting the state vector to x Â Ã , adding constant dynamics (t 1) (t) for the additional state , and setting the set of initial conditions to 0 Â Â. Vice versa, varying parameters with unknown dynamics can be modeled as additional inputs to the system, i.e. as disturbances.
We use parametric verification for checking variations of the alarm temperature T a in the range 383 K`T a 393 K. As T a is a constant parameter of the PLC code, it is treated as an additional state.
The parametric verification produces the following result: for T a ! 390X4902 the controller drives the plant to the terminal state 1 (won) for all the initial heights and temperatures in 0 . The parametric verification requires 82 s of CPU time.
Conclusions
In this paper we have proposed a modeling framework for hybrid systems described by the interaction of discrete-time linear dynamic equations, logic rules, and automata, and a general algorithm for safety analysis based on LP and MILP. The versatility and the computation feasibility of the approach have been tested on the batch evaporator benchmark process. Fig. 9 . Set evolution from 0 to the target set 1 (won) for T a 391 (same evolution, different perspectives).
