The extensive use of digital controllers demands a growing effort to prevent design errors that arise from finite word-length (FWL) effects. However, there is still a gap regarding verification tools and methodologies to check implementation aspects of control systems. Thus, the present paper describes an approach that employs bounded model checking (BMC) techniques to verify fixed-point digital controllers represented by state-space equations. The experimental results demonstrate the sensitivity of such systems to FWL effects and the effectiveness of the proposed approach in detecting them. To the best of my knowledge, this is the first contribution tackling formal verification, through BMC, of fixed-point state-space digital controllers.
MOTIVATION
In real-time systems, digital controllers are algorithms that manipulate digital signals in order to influence the behavior of a system [1]; they can be mathematically expressed as difference equations, transfer functions, or state-space equations. In this particular work, the focus is on state-space models, which represent the behavior of a system through a state evolution equation $x(n+1)$ and an instantaneous output equation $y(n)$, as follows:

$$x(n+1) = A\,x(n) + B\,u(n),$$
$$y(n) = C\,x(n) + D\,u(n),$$

where A, B, C, and D are matrices that fully specify a digital system. Such models can be translated into algorithms and implemented on several kinds of processing platforms (e.g., field-programmable gate array (FPGA) devices [2] and digital signal processors [3]). Importantly, each of these platforms can manipulate and represent numbers using different formats and arithmetics (e.g., number of bits, fixed- or floating-point arithmetic), which can directly affect the performance and precision of the digital-control system [4].
In fact, such systems are vulnerable to finite word-length (FWL) effects [5, 6], which cause several quantization problems, such as truncation or round-off errors. In particular, under such circumstances the precision of each element of the matrices A, B, C, and D is affected by FWL effects, which can compromise the system's properties (e.g., stability). Additionally, fixed-point processors offer high processing speed at reduced cost, which makes them a valuable choice for implementing digital controllers; nonetheless, such an approach might introduce more nonlinearities, round-off errors, and overflows. In order to tackle this problem, this paper proposes a verification methodology based on bounded model checking (BMC) techniques [7], which verifies properties of state-space digital controllers by means of a verification tool named Digital-Systems Verifier (DSVerifier). It is worth noting that this paper extends previous work [4, 8, 9, 10, 11]. In particular, the major improvement of the DSVerifier version described here is the support for state-space models, which allows better insight into the internal system behavior, enables the verification of new properties (e.g., controllability and observability), and considers initial conditions in the system analysis [12]. In addition, DSVerifier now supports two efficient model-checking tools as back-ends: ESBMC [13, 14] (previously supported) and CBMC [15, 16].
BACKGROUND AND RELATED WORK
In order to deal with FWL effects on digital systems, some approaches suggest special metrics, search algorithms, or methodologies to achieve an optimal word-length and avoid FWL effects [17, 18, 19, 20, 21, 22]. There are also simulation tools (e.g., LabVIEW [23] and MATLAB [24]), which are traditionally used by control engineers. However, such approaches depend on input stimulation to evaluate the state-space of a system, which might not exercise all possible conditions that a system can exhibit. In contrast, Alur et al. [25, 26] proposed the earliest automated verification approaches based on model checking, which inspired the development of other verifiers for cyber-physical systems and hybrid automata (e.g., Maellan [27], Open-Kronos [28], and UPPAAL [29]). Nonetheless, differently from the work presented here, such approaches do not tackle system robustness related to implementation aspects [4, 8, 9].

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org.
METHODOLOGY
DSVerifier works as a front-end for BMC tools that support full ANSI-C verification, in order to verify state-space digital systems. As one can see in Figure 1, the verification methodology proposed in this paper is split into two main stages: manual (user) and automated (DSVerifier) procedures. In the former, the software engineer manually performs steps 1 to 3.
Step 1 is related to the design process of a digital system, while step 2 covers its implementation details, i.e., the numerical representation <I, F>, where I is the number of bits of the integer part and F is the number of bits of the fractional part. Then, in step 3 the user chooses a property φ to be verified (e.g., quantization error), a maximum verification time, a bound k, and a BMC tool. Importantly, all specifications from the previous steps are detailed in an input file whose syntax follows MATLAB code conventions.
Figure 1: Verification methodology. User stage: Step 1, digital controller design; Step 2, define numerical representation; Step 3, configure verification. DSVerifier stage, fed by the input file (.ss extension): Step A, parser; Step B, compute a FWL controller model; Step C, verify using an available BMC tool.

After that, DSVerifier receives the respective input file and then performs the verification of the desired property φ; it is worth noting that steps A to C are completely automatic. In step A, DSVerifier parses the input file and builds intermediate ANSI-C code for the digital-system implementation. Then, in step B, it formulates a FWL model using a function $FWL[\cdot] : \mathbb{R} \to \mathbb{Q}[\mathbb{R}]$, which applies the FWL effects to the state-space digital system, where $\mathbb{Q}[\mathbb{R}]$ represents the quantized set of real numbers representable in the chosen implementation format. Finally, in step C, the resulting ANSI-C code (i.e., the quantized state-space digital system) is translated into SAT or SMT formulae by a bounded model-checking tool (e.g., ESBMC or CBMC) [13, 15], which symbolically checks the given property φ. If any violation is found, then DSVerifier reports a counterexample, which contains the system inputs that lead to the failure. A successful verification result is reported if the system is safe w.r.t. φ up to the bound k.
As aforementioned, DSVerifier supports the verification of the following properties of a quantized digital system: quantization error, which checks whether the output quantization error is inside a tolerable bound; stability, which checks digital-system stability using the Eigen library [30]; controllability, which checks whether a digital system M is controllable, based on the rank of its controllability matrix; and observability, which checks whether a digital system M is observable, based on the rank of its observability matrix.
It is worth noting that all numerical operations are performed through fixed-point arithmetic, according to the precision set by the user, and that all property checks are sound and complete with respect to that precision and the chosen bound k. In addition, all aforementioned verifications can be performed in a closed-loop configuration.
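To make the pipeline concrete, the following C program is an added example; it is not DSVerifier's code and does not come from the paper. It pushes a constructed 2x2 SISO state-space controller through a fixed-point FWL[·] model in <I,F> format (round to nearest, saturate on overflow) and then evaluates the four properties listed above with plain 2x2 linear algebra (the Jury test for stability, 2x2 determinants for the controllability and observability ranks, and a side-by-side run against the real-valued model for the quantization error). The plant matrices, the <4,4>, <8,8> and <16,16> splits standing in for 8-, 16- and 32-bit words, and the 12-step unit-step input are all assumptions chosen for illustration.

```c
/* Added example (not DSVerifier's code): a constructed 2x2 SISO state-space
 * controller pushed through a fixed-point FWL[.] model in <I,F> format and
 * then checked for the four properties listed in the text.                 */
#include <stdio.h>

typedef struct { double A[2][2], B[2], C[2], D; } SS;

/* Constructed plant: complex poles 0.97 +/- 0.125i, |lambda| ~ 0.978, so it
 * is stable in real arithmetic. C = [1 0] makes y(n) = x_0(n).             */
static SS demo_system(void) {
    SS s = { {{0.97, 0.125}, {-0.125, 0.97}}, {0.0, 0.25}, {1.0, 0.0}, 0.0 };
    return s;
}

static double absd(double v) { return v < 0.0 ? -v : v; }

/* FWL[.] : R -> Q[R]. Round to the nearest multiple of 2^-F and saturate to
 * the two's-complement range of an I-bit integer part (1 <= I, F <= 31).   */
static double fwl(double x, int I, int F) {
    double lsb = 1.0 / (double)(1u << F);              /* 2^-F            */
    double hi  = (double)(1u << (I - 1)) - lsb;        /* 2^(I-1) - 2^-F  */
    double lo  = -(double)(1u << (I - 1));             /* -2^(I-1)        */
    double t = x / lsb + 0.5;
    long long n = (long long)t;                        /* trunc toward 0  */
    if (t < 0.0 && (double)n != t) n--;                /* -> floor(t)     */
    double q = (double)n * lsb;
    return q > hi ? hi : (q < lo ? lo : q);
}

/* Step B of the methodology: quantize every coefficient of the model. */
static SS fwl_ss(SS s, int I, int F) {
    for (int i = 0; i < 2; i++) {
        for (int j = 0; j < 2; j++) s.A[i][j] = fwl(s.A[i][j], I, F);
        s.B[i] = fwl(s.B[i], I, F);
        s.C[i] = fwl(s.C[i], I, F);
    }
    s.D = fwl(s.D, I, F);
    return s;
}

/* Stability: eigenvalues of A strictly inside the unit circle. For a 2x2 A
 * the characteristic polynomial is z^2 - tr z + det, and the Jury test says
 * both roots lie inside the unit circle iff |det| < 1 and |tr| < 1 + det.  */
static int is_stable(const SS *s) {
    double tr  = s->A[0][0] + s->A[1][1];
    double det = s->A[0][0] * s->A[1][1] - s->A[0][1] * s->A[1][0];
    return absd(det) < 1.0 && absd(tr) < 1.0 + det;
}
/* Controllability: rank [B  AB] == 2, i.e. a non-zero 2x2 determinant. */
static int is_controllable(const SS *s) {
    double ab0 = s->A[0][0] * s->B[0] + s->A[0][1] * s->B[1];
    double ab1 = s->A[1][0] * s->B[0] + s->A[1][1] * s->B[1];
    return absd(s->B[0] * ab1 - s->B[1] * ab0) > 1e-12;
}
/* Observability: rank [C ; CA] == 2. */
static int is_observable(const SS *s) {
    double ca0 = s->C[0] * s->A[0][0] + s->C[1] * s->A[1][0];
    double ca1 = s->C[0] * s->A[0][1] + s->C[1] * s->A[1][1];
    return absd(s->C[0] * ca1 - s->C[1] * ca0) > 1e-12;
}

/* Quantization error: run the real-valued model and its <I,F> implementation
 * side by side on a unit step u(n) = 1 for k steps and return max |y - y_q|.
 * The fixed-point run re-quantizes state and output after every update.   */
static double max_output_error(SS s, int I, int F, int k) {
    SS q = fwl_ss(s, I, F);
    double x[2] = {0.0, 0.0}, xq[2] = {0.0, 0.0}, u = 1.0, worst = 0.0;
    for (int n = 0; n < k; n++) {
        double y  = s.C[0] * x[0] + s.C[1] * x[1] + s.D * u;
        double yq = fwl(q.C[0] * xq[0] + q.C[1] * xq[1] + q.D * u, I, F);
        if (absd(y - yq) > worst) worst = absd(y - yq);
        double nx[2]  = { s.A[0][0] * x[0] + s.A[0][1] * x[1] + s.B[0] * u,
                          s.A[1][0] * x[0] + s.A[1][1] * x[1] + s.B[1] * u };
        double nxq[2] = { fwl(q.A[0][0] * xq[0] + q.A[0][1] * xq[1] + q.B[0] * u, I, F),
                          fwl(q.A[1][0] * xq[0] + q.A[1][1] * xq[1] + q.B[1] * u, I, F) };
        x[0] = nx[0]; x[1] = nx[1]; xq[0] = nxq[0]; xq[1] = nxq[1];
    }
    return worst;
}

/* Verdicts for the demo system, exact and at a given <I,F>. */
static int demo_exact_stable(void)            { SS s = demo_system();               return is_stable(&s); }
static int demo_stable(int I, int F)          { SS s = fwl_ss(demo_system(), I, F); return is_stable(&s); }
static int demo_controllable(int I, int F)    { SS s = fwl_ss(demo_system(), I, F); return is_controllable(&s); }
static int demo_observable(int I, int F)      { SS s = fwl_ss(demo_system(), I, F); return is_observable(&s); }
static double demo_error(int I, int F, int k) { return max_output_error(demo_system(), I, F, k); }

int main(void) {
    int fmt[3][2] = { {4, 4}, {8, 8}, {16, 16} };   /* assumed splits for 8/16/32-bit words */
    printf("exact         : stable=%d\n", demo_exact_stable());
    for (int i = 0; i < 3; i++) {
        int I = fmt[i][0], F = fmt[i][1];
        printf("<%2d,%2d> fixed: stable=%d controllable=%d observable=%d max|y-yq|=%.3g\n",
               I, F, demo_stable(I, F), demo_controllable(I, F),
               demo_observable(I, F), demo_error(I, F, 12));
    }
    return 0;
}
```

With the <4,4> format the diagonal entry 0.97 rounds up to 1.0 and the quantized A has |λ|² = 1.015625, so a controller that is stable in real arithmetic is reported unstable, while the <8,8> and <16,16> formats keep it stable; controllability and observability survive all three formats because the relevant determinants are built from coefficients that happen to be exactly representable, matching the text's observation that those two properties are less sensitive. Replacing the fixed unit step with a value returned by an undeclared `nondet_double()` function, which CBMC and ESBMC treat as a nondeterministic input, and asserting the error bound inside the loop turns this simulation into a BMC harness for the quantization-error property; the bound k then plays the role of the loop unwinding depth.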
PRELIMINARY RESULTS
For the following evaluation, an automatic test-suite was developed, with 25 digital systems extracted from the literature [31, 32]. In particular, this study employs CBMC v5.4 with the SAT solver MiniSAT v2.2.0 [33]. All systems are checked against the four properties described in Section 3, using a 32-bit microcontroller hardware configuration with three precisions (8, 16, and 32 bits), which results in 300 verifications. In their real-valued form, all systems in the test-suite are stable, controllable, and observable; however, based on the experimental results shown in Figure 2, one may notice that (i) the properties of a digital system might not hold once quantization errors affect its representation, (ii) the lower the precision, the higher its sensitivity to FWL effects, and (iii) controllability and observability are less sensitive to FWL effects, since they depend only on the system's coefficients. In addition, all 300 verifications were performed in approximately 7 hours. Finally, the failed cases were validated with Simulink [34], using the respective counterexamples.
Contributions. In particular, this work makes four major contributions: (i) support for state-space representations; (ii) verification of quantization error for single-input single-output (SISO) systems [1]; (iii) stability (for state-space systems), controllability, and observability verification for SISO and multi-input multi-output (MIMO) systems [1]; and (iv) closed-loop verification for the aforementioned properties. To the best of my knowledge, this is the first report addressing formal verification through BMC of fixed-point digital controllers based on the state-space representation. In the future, other properties and BMC tools will be integrated into DSVerifier, in addition to support for systems with uncertainties.
