Formal Analysis of Hybrid-Dynamic Timing Behaviors in Cyber-Physical
  Systems by Huang, Li & Kang, Eun-Young
Formal Analysis of Hybrid-Dynamic Timing Behaviors in Cyber-Physical Systems
Li Huang∗ and Eun-Young Kang†
∗School of Data & Computer Science, Sun Yat-Sen University, Guangzhou, China
huangl223@mail2.sysu.edu.cn
†The Maersk Mc-Kinney Moller Institute, University of Southern Denmark, Denmark
eyk@mmmi.sdu.dk
Abstract—Ensuring correctness of timed behaviors in cyber-physical systems (CPS) using closed-loop verification is challenging due to the hybrid dynamics in both systems and environments. SIMULINK and STATEFLOW are tools for model-based design that support a variety of mechanisms for modeling and analyzing hybrid dynamics of real-time embedded systems. In this paper, we present an SMT-based approach for formal analysis of the hybrid-dynamic timing behaviors of CPS modeled in SIMULINK blocks and STATEFLOW states (S/S). The hierarchically interconnected S/S are flattened and translated into the input language of an SMT solver for formal verification. A translation algorithm is provided to facilitate the translation. Formal verification of timing constraints against the S/S models is reduced to validity checking of the resulting SMT encodings. The applicability of our approach is demonstrated on an unmanned surface vessel case study.
Index Terms—Cyber-physical system, SIMULINK/STATEFLOW,
dReal, Timing constraints, Formal verification
I. INTRODUCTION
Cyber-Physical Systems (CPS) are real-time embedded sys-
tems in which the software controllers continuously interact
with physical environments. The continuous timed behaviors
of CPS often involve complex dynamics as well as stochas-
tic characteristics. Formal verification and validation (V&V)
technologies are indispensable and highly recommended for
development of safe and reliable CPS [1], [2]. Ensuring
correctness of timing properties in CPS using closed-loop
system verification is challenging due to the continuous timed
behaviors (described using ordinary differential equations) as
well as non-linear dynamics (e.g., trigonometric and expo-
nential functions) in CPS. SIMULINK and STATEFLOW (S/S)
[3] are widely-used industrial tools for model-based design of
real-time embedded systems, which provide a variety of mech-
anisms for modeling and analyzing hybrid dynamic behaviors.
SIMULINK is a block-diagram based formalism that models time-continuous dynamics, while STATEFLOW specifies control logic and state-based system behaviors. The latest release of S/S provides a new type of formalism, called Simulink-based state (sl-state) [4], for describing hybrid dynamic behaviors: an sl-state embeds SIMULINK blocks inside a STATEFLOW state. A STATEFLOW chart consisting of a set of sl-states is a graphical hybrid automaton (GHA) [5].
One way to enable formal analysis of S/S models is to transform the models into satisfiability modulo theories (SMT) [6] formulas and perform bounded model checking with an SMT solver. However, the hybrid dynamics of real-time CPS modeled in S/S usually involve differential equations and non-linear functions, which make the satisfiability problem for these formulas undecidable. To alleviate this problem, δ-complete decision procedures [7] check the satisfiability of such formulas under a tolerable numerical perturbation δ > 0. dReal [8] is an SMT solver that implements δ-complete decision procedures and is able to analyze real-valued non-linear functions.
In our earlier work [9], [10], we provided approaches for formal analysis of timing constraints in CPS modeled in S/S using Simulink Design Verifier (SDV) [11]; these are, however, limited to discrete-time S/S models without non-linear functions. To enable formal analysis of continuous-time CPS behaviors involving non-linear dynamics, in this paper we propose an SMT-based approach for analyzing CPS modeled as GHA using dReal: 1) formal definitions of Simulink-based state and GHA are provided; 2) the hierarchical GHA is flattened and translated into the input language of dReal; 3) a translation algorithm is provided to facilitate the translation; 4) formal analysis of timing constraints against GHA is reduced to validity checking of the resulting SMT encodings. Our approach is demonstrated on an unmanned surface vessel (USV) case study.
The paper is organized as follows: Sec. II presents an
overview of S/S, GHA and dReal. The translation from GHA
to SMT language is presented in Sec. III. The applicability of
our approach is demonstrated by performing verification on
the USV in Sec. IV. Sec. V and Sec. VI present related works
and conclusion.
II. PRELIMINARY
Simulink and Stateflow (S/S) [3] is a synchronous data flow language that supports modeling and simulation of real-time embedded systems, as well as code generation.
An S/S model represents a diagram composed of various types
of blocks (e.g., Sum, Product) interconnected via lines
and I/O ports. A hierarchical S/S model of an arbitrary depth
can be achieved using composite blocks, i.e., subsystems. The
recent version of S/S has provided a new type of formalism,
called Simulink based state (sl-state), specialized for mod-
eling hybrid behaviors incorporating both discrete and time-
continuous dynamics. An sl-state has a subsystem embedded
inside, which describes the dynamical behaviors when the sl-state is active. A STATEFLOW chart that consists of a set of sl-states is called a graphical hybrid automaton (GHA) [5].

arXiv:1910.14306v1 [cs.SE] 31 Oct 2019
SMT and dReal Solver: The satisfiability (SAT) problem is to determine whether a set of propositional formulas can be made true by assigning true/false values to their variables. Satisfiability Modulo Theories (SMT) [6] extends SAT with background theories (e.g., arithmetic, arrays) that give meaning to the symbols of the input formulas. SMT-based bounded model checking checks whether a given requirement φ (encoded as a logical formula) is valid over a model M (represented by a set of SMT formulas) by querying whether M ∧ ¬φ is unsatisfiable. dReal [8] is an SMT solver that employs δ-complete decision procedures [7], which allow users to check satisfiability of formulas with non-linear real-valued functions. Given a set of formulas, dReal checks whether they are satisfiable up to a given precision δ (a user-defined parameter representing the maximum tolerable numerical error). Because satisfiability is decided only up to δ, the two possible answers are not symmetric: unsat is exact and proves that M ∧ ¬φ has no solution, i.e., that φ holds on every bounded execution, whereas δ-sat comes with a witness that satisfies only a δ-weakening of the formulas and must be checked against the exact requirement before it is reported as a counterexample. The input language of dReal follows the SMT-LIB standard [12] and includes extensions for expressing ordinary differential equations (ODEs) and non-linear functions.
III. TRANSLATION OF GHA INTO DREAL
In this section, we investigate how to translate GHA models
into the input language of dReal. We first show how to
flatten the hierarchical sl-states in GHA and then give the
formal definitions of the sl-state and GHA, followed by brief
descriptions of a translation algorithm.
In GHA, a hierarchical sl-state is achieved by using subsys-
tems, i.e., composite blocks that encapsulate a set of atomic
SIMULINK blocks and possibly other subsystems. A subsystem
can be flattened by replacing it with the set of interconnected
blocks originally embedded in it. By recursively flattening the
subsystems at arbitrary nesting levels, the hierarchy of sl-state
can be eliminated. An example of GHA is shown in Fig. 1,
in which the behaviors of the two sl-states S0 and S1 are
described by a set of SIMULINK blocks (e.g., Product,
Integrator) embedded in the states.
Fig. 1. An example of GHA: 1) when S0 is active: $y_1 = \int (x_1 + x_2)$; 2) when the transition S0 → S1 is taken: $y_1 = 0$; 3) when S1 is active: $y_1 = \int x_1$, $y_2 = x_2 + \int x_1$.
To present the mapping from GHA to SMT formulas, the
syntactic definitions of sl-state and GHA are provided.
Definition 1: (Simulink-based State (sl-state)) An sl-state
is a tuple 〈ν, B, L〉, where
• ν is a finite set of variables (or signals);
• B is a finite set of atomic blocks that represent various mathematical/logical functions. A block b ∈ B is a tuple 〈v_in, v_out, p, f〉, where v_in, v_out are the input/output variables of b, p is a set of internal parameters, and f is the update function that computes the value of v_out from v_in and p, i.e., $f : v_{in} \times p \mapsto v_{out}$;
• L is a finite set of lines that connect blocks in B. A line
l propagates the data flow of a variable from the source
block to the destination block(s).
Definition 2: (Graphical Hybrid Automaton (GHA)) A
GHA is a transition system 〈Vin, Vout, S, T 〉, where
• Vin and Vout are the sets of input/output variables;
• S is a set of sl-states;
• T is a set of transitions between different sl-states in S.
A transition t ∈ T is a tuple 〈ν, src, dst, cond, act〉,
where
– ν is a set of variables on the transition;
– src, dst ∈ S are the source/destination states of the
transition;
– cond is the condition (i.e., a propositional formula or
a temporal logic expression) that should be evaluated
as true when the transition is taken;
– act represents a set of actions executed when the
transition is activated.
Let M = 〈V_in, V_out, S, T〉 be a GHA. For 0 ≤ i ≤ k, $s_i$ denotes the active state of M at the i-th step, and for 0 ≤ i < k, $t_i$ denotes the i-th transition (the transition from $s_i$ to $s_{i+1}$). An execution of M with k steps (i.e., k transitions) is the following sequence of states:

$$s_0 \xrightarrow{t_0} s_1 \xrightarrow{t_1} \cdots s_i \xrightarrow{t_i} s_{i+1} \xrightarrow{t_{i+1}} \cdots s_k$$

Let v ∈ V_out be an output variable of M. For each step i, two variables $v^\circ_i$ and $v^*_i$ denote the values of v at the beginning and at the end of the i-th step, respectively. The variation of v during the i-th step is the relation between $v^\circ_i$ and $v^*_i$: (1) $v \notin s_i.\nu \implies v^*_i = v^\circ_i$; (2) $v \in s_i.\nu \implies v^*_i = \Phi^v_{s_i}$. Here $\Phi^v_{s_i}$ is the formula representing the functions or operations that update the value of v while M stays in state $s_i$. Similarly, the variation of v at transition $t_i$ is the relation between $v^*_i$ and $v^\circ_{i+1}$: (1) $v \notin t_i.\nu \implies v^\circ_{i+1} = v^*_i$; (2) $v \in t_i.\nu \implies v^\circ_{i+1} = \Pi^v_{t_i}$. Here $\Pi^v_{t_i}$ is the action that updates the value of v when transition $t_i$ is taken.
We call the formulas $\Phi^v_{s_i}$ and $\Pi^v_{t_i}$ the formula representation (FR) of variable v in state $s_i$ and at transition $t_i$, respectively.
For instance, in the GHA depicted in Fig. 1, the FR of the output variable $y_2$ in state S1 is $\Phi^{y_2}_{S1} = x_2 + \int x_1$.
To perform the bounded model checking on the GHA model
using dReal, we first derive the FRs of the output variables
of M and then specify the relations between the variables and
the corresponding FR at each step using SMT assertions.
The FRs of the output variables of an sl-state are derived from the dynamic behaviors of the sl-state, described by the set of embedded SIMULINK blocks. These blocks include computational blocks (e.g., Sum, Product) and time-continuous blocks (e.g., Integrator). The FR of the output variable of an atomic computational block is derived from its inputs, parameters and transfer function. In dReal, continuous-time integral functions (i.e., ODEs) are defined using flow declarations and flow conditions, which specify the derivatives and the inputs/outputs of the integrals. To represent the semantics of Integrator blocks in dReal, the derivatives of the integrals are defined using flow declarations, and the relations between the input and output variables of the integrals are specified by flow conditions. After the FRs of the output variables of all atomic blocks are derived, the FRs of the output variables of the sl-state are derived: given an output variable v in an sl-state s, the FR of v in s, $\Phi^v_s$, is obtained by recursively replacing the constituent variables of $\Phi^v_s$ with their corresponding FRs until only input variables, block parameters and the outputs of Integrator blocks remain.
Based on the FRs of the output variables of GHA, the
behaviors of GHA can be represented in dReal using SMT
assertions. The translation from GHA into SMT encodings can
be summarized in Algorithm 1, in which Vcin (Vcout) denotes
a set of input (output) variables of Integrator blocks in
GHA. The SMT encodings that contain the k-step behaviors
of GHA can be generated by the following steps:
1. For each variable v, add the assertions that describe the relation between the values of v at the beginning and at the end of each step (lines 4–9). If v is an output variable of an integral, then v is updated according to the corresponding ODE (denoted $fl_s$). Otherwise, v is either updated according to the FR of v in the current state or remains unchanged.
2. Add the SMT assertions that specify the behavior of each transition and the changes of the values of the variables involved in the transitions (lines 11–14).
Algorithm 1: Translation from GHA to SMT language
Input: GHA model represented by ⟨V_in, V_out, V_cin, V_cout, S, T⟩, verification bound k
Output: SMT encodings
1   for i = 0; i < k; i++ do
2     for each v ∈ V_out ∪ V_cin ∪ V_cout do
3       for each s ∈ S do
4         if v ∈ V_cout ∧ v ∈ s.ν then
5           Assert($s_i = s \implies v^*_i = v^\circ_i + \int fl_s$)
6         else if v ∉ V_cout ∧ v ∈ s.ν then
7           Assert($s_i = s \implies v^*_i = \Phi^v_s$)
8         else
9           Assert($s_i = s \implies v^*_i = v^\circ_i$)
10      for each t ∈ T do
11        if v ∈ t.ν then
12          Assert($(s_i = t.src \wedge t.cond) \implies (s_{i+1} = t.dst \wedge v^\circ_{i+1} = \Pi^v_t)$)
13        else
14          Assert($(s_i = t.src \wedge t.cond) \implies (s_{i+1} = t.dst \wedge v^\circ_{i+1} = v^*_i)$)
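As an added example (not code from the paper or its authors), the following Python renders Algorithm 1 as a generator of SMT-LIB text and applies it to the two-state GHA of Fig. 1. The GHA data structures, the step-indexed names v_b{i} and v_e{i} for $v^\circ_i$ and $v^*_i$, the guard y1 ≥ 1 on the transition S0 → S1 (the caption of Fig. 1 does not state a guard) and the ODE syntax (assumed to be dReal 3's define-ode/integral extension, to be checked against the installed dReal version) are assumptions of this example. One deviation from the line-by-line algorithm: the Integrator outputs of a state are integrated together as one flow vector per state, with the step inputs carried along at zero derivative, because the integral construct takes a whole state vector; a variable the state does not update gets a zero derivative, which is exactly line 9's "unchanged" assertion for Integrator outputs.

```python
"""Algorithm 1 as a generator of dReal-style SMT-LIB text (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SlState:
    name: str
    nu: frozenset      # s.nu: the variables this sl-state updates
    fr: dict           # Phi^v_s for algebraic outputs: v -> template such as "(+ {x2} {y1})"
    flow: dict         # d/dt[v] for Integrator outputs v, as a plain SMT-LIB term


@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    cond: str          # t.cond: template over end-of-step values
    act: dict          # Pi^v_t: v -> template over end-of-step values


@dataclass(frozen=True)
class GHA:
    v_in: tuple
    v_out: tuple
    v_cout: tuple      # outputs of Integrator blocks (a subset of v_out)
    states: tuple
    transitions: tuple


def beg(v, i):         # name for v°_i, the value of v at the beginning of step i
    return f"{v}_b{i}"


def end(v, i):         # name for v*_i, the value of v at the end of step i
    return f"{v}_e{i}"


def inst(template, gha, i):
    """Fill '{x1}'-style placeholders with the end-of-step-i names."""
    return template.format(**{v: end(v, i) for v in gha.v_in + gha.v_out})


def translate(gha, k):
    """Algorithm 1: SMT-LIB encoding of k steps (k transitions) of the GHA."""
    out = [f"(define-fun {s.name} () Int {j})" for j, s in enumerate(gha.states)]
    cont = gha.v_cout + gha.v_in   # the vector each state's flow evolves; inputs
    for s in gha.states:           # are held constant inside a step (d/dt = 0)
        odes = " ".join(f"(= d/dt[{v}] {s.flow.get(v, '0')})" for v in cont)
        out.append(f"(define-ode flow_{s.name} ({odes}))")
    for i in range(k + 1):
        out += [f"(declare-fun s_{i} () Int)", f"(declare-fun dt_{i} () Real)"]
        out += [f"(declare-fun {n} () Real)"
                for v in gha.v_in + gha.v_out for n in (beg(v, i), end(v, i))]
        out.append(f"(assert (and (>= s_{i} 0) (< s_{i} {len(gha.states)})))")
    for i in range(k):
        for s in gha.states:
            guard = f"(= s_{i} {s.name})"
            # line 5: Integrator outputs follow the active state's ODE for dt_i;
            # a zero derivative for v not in s.nu is line 9's "unchanged"
            out.append(f"(assert (=> {guard} (= [{' '.join(end(v, i) for v in cont)}] "
                       f"(integral 0. dt_{i} [{' '.join(beg(v, i) for v in cont)}] "
                       f"flow_{s.name}))))")
            for v in gha.v_out:
                if v in gha.v_cout:
                    continue
                rhs = inst(s.fr[v], gha, i) if v in s.nu else beg(v, i)  # lines 7 / 9
                out.append(f"(assert (=> {guard} (= {end(v, i)} {rhs})))")
        for t in gha.transitions:  # lines 11-14: value of v carried into step i+1
            guard = f"(and (= s_{i} {t.src}) {inst(t.cond, gha, i)})"
            for v in gha.v_out:
                rhs = inst(t.act[v], gha, i) if v in t.act else end(v, i)
                out.append(f"(assert (=> {guard} (and (= s_{i + 1} {t.dst}) "
                           f"(= {beg(v, i + 1)} {rhs}))))")
    return out


# The GHA of Fig. 1, constructed for this example: y1 is an Integrator output,
# y2 is algebraic; the guard y1 >= 1 on S0 -> S1 is assumed (not in the caption).
FIG1 = GHA(
    v_in=("x1", "x2"), v_out=("y1", "y2"), v_cout=("y1",),
    states=(
        SlState("S0", frozenset({"y1"}), {}, {"y1": "(+ x1 x2)"}),
        SlState("S1", frozenset({"y1", "y2"}), {"y2": "(+ {x2} {y1})"}, {"y1": "x1"}),
    ),
    transitions=(Transition("S0", "S1", "(>= {y1} 1.0)", {"y1": "0.0"}),),
)

if __name__ == "__main__":
    print("\n".join(translate(FIG1, 2) + ["(check-sat)", "(exit)"]))
```

Running the script prints the encoding for k = 2 followed by (check-sat). Appending the negation of a requirement written over the v_e{i} and v_b{i} names gives the bounded model-checking query M ∧ ¬φ of Sec. II; the step durations dt_i are left free so that the solver chooses how long each sl-state stays active.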
IV. CASE STUDY
Our approach is demonstrated on an unmanned surface vessel (USV) [13], a propeller-driven vessel that automatically adjusts its movements to reach a user-defined target location. A USV can replace human operators in transport to hard-to-reach or hazardous sites, which avoids exposing humans to risk and reduces operational costs. Equipped with four sensors (GPS, compass, speed sensor and accelerometer), the USV obtains its position, heading direction, speed and acceleration. The USV changes its position (represented as (x, y)) by moving forward/backward (surge) or left/right (sway) along two perpendicular axes; its orientation (heading direction) is changed through rotation. A set of representative timing constraints on the USV is listed below.
R1. The USV finally arrives at the target location and stops within a given time, e.g., 20 seconds.
R2. If a heading error exists, i.e., the heading direction differs from the desired direction to the target location, the USV should decelerate and adjust the heading direction within a certain time, e.g., 500 ms.
R3. The GPS component should capture the position of the USV periodically with period 50 ms and jitter 10 ms.
R4. The accelerometer component should be triggered every [20, 30] ms, i.e., a periodic acquisition from the accelerometer must be carried out to update the acceleration of the USV.
We construct a GHA model describing the hybrid-dynamic behaviors of the USV, consisting of four sl-states with 188 blocks distributed among them. The stochastic behaviors of the physical environment (i.e., unpredictable wind and current speeds) are represented by a set of pre-generated random parameters that remain unchanged after initialization. To enable formal analysis of the continuous-time behaviors of the USV with non-linear functions, we translate the USV GHA model into SMT formulas. Following the translation process of the previous section, we first extract the relations between the input and output variables of the USV GHA model, as well as the formulas representing the integral functions. From the extracted information, assertions describing those relations and functions are generated. Bounded model checking of the timing constraints on the resulting SMT encodings is performed by dReal with bound k = 20 and precision δ = 0.001; following Sec. II, each requirement is asserted in negated form together with the model, so that an unsat answer establishes the requirement on all executions of up to 20 steps. The target location is configured as (50, 50). The verification results and solving times are shown in Table I.
TABLE I
VERIFICATION RESULTS OF USV IN dReal (k = 20, δ = 0.001)

Req   SMT encoding of the requirement                                                                                        Time (min)
R1    $s_{20} = \mathit{stop} \wedge (50 - x^*_{20} \le 0.8) \wedge (50 - y^*_{20} \le 0.8) \wedge \mathit{runT} \le 20$                 89.46
R2    $\bigwedge_{i=1}^{20} \big(\mathit{hError}^*_i > 0.01 \implies \mathit{dec}^\circ_{i+1} = \mathit{true} \wedge \mathit{reactT} \le 0.5\big)$   415.68
R3    $\bigwedge_{i=1}^{20} \big((\mathit{gps\_t}_{i+1} - \mathit{gps\_t}_i \ge 0.04) \wedge (\mathit{gps\_t}_{i+1} - \mathit{gps\_t}_i \le 0.06)\big)$   57.16
R4    $\bigwedge_{i=1}^{20} \big((\mathit{acc\_t}_{i+1} - \mathit{acc\_t}_i \ge 0.02) \wedge (\mathit{acc\_t}_{i+1} - \mathit{acc\_t}_i \le 0.03)\big)$   49.30
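Requirements R3 and R4 share one shape: each pair of consecutive acquisition timestamps must differ by a period plus or minus a jitter, and Table I unrolls that over the bound k. The following Python, added here and not part of the paper, generates that conjunction for an arbitrary sensor, period, jitter and k, wraps it into the M ∧ ¬φ query of Sec. II, and re-checks a witness trace against the exact bounds, which is the step a δ-sat answer needs before it is reported as a counterexample. The timestamp names gps_t_i and acc_t_i follow Table I; the (set-option :precision ...) form for δ (assumed from dReal 3, which also accepts the precision on the command line) and the sample traces are constructed for the example. Timestamps are in seconds, as in Table I.

```python
"""Periodic-with-jitter timing requirements (the R3/R4 shape) as a bounded
query, plus an exact re-check of a solver witness (added example)."""
from decimal import Decimal


def periodic_with_jitter(var, period, jitter, k):
    """phi: for steps 1..k, consecutive acquisition timestamps var_i, var_{i+1}
    differ by period +/- jitter.  period and jitter are decimal strings in
    seconds so that the emitted bounds are exact (0.05 + 0.01 as floats is not)."""
    lo, hi = Decimal(period) - Decimal(jitter), Decimal(period) + Decimal(jitter)

    def gap(i):
        return f"(- {var}_{i + 1} {var}_{i})"

    clauses = [f"(and (>= {gap(i)} {lo}) (<= {gap(i)} {hi}))" for i in range(1, k + 1)]
    return clauses[0] if k == 1 else "(and " + " ".join(clauses) + ")"


def bmc_query(model_assertions, phi, delta):
    """M and not-phi as a dReal script (Sec. II): unsat proves phi on every k-step
    execution; delta-sat returns a witness to be re-checked with violating_intervals.
    The (set-option :precision ...) form for delta is assumed from dReal 3."""
    return ([f"(set-option :precision {delta})"] + list(model_assertions)
            + [f"(assert (not {phi}))", "(check-sat)", "(exit)"])


def violating_intervals(timestamps, period, jitter):
    """Exact re-check of a witness trace (seconds): the (index, gap) pairs whose
    gap lies outside [period - jitter, period + jitter].  An empty list for a
    delta-sat witness means the trace actually satisfies phi: the answer came
    from the delta-weakening of not-phi, not from a real violation."""
    lo = float(Decimal(period) - Decimal(jitter))
    hi = float(Decimal(period) + Decimal(jitter))
    gaps = [round(b - a, 9) for a, b in zip(timestamps, timestamps[1:])]
    return [(i, g) for i, g in enumerate(gaps, 1) if not lo <= g <= hi]


if __name__ == "__main__":
    # R3: GPS period 50 ms, jitter 10 ms, over k = 20 steps
    print("\n".join(bmc_query(["; model assertions from Algorithm 1 go here"],
                              periodic_with_jitter("gps_t", "0.05", "0.01", 20),
                              "0.001")))
    # constructed witness: GPS gaps of 75 ms and 35 ms fall outside [40, 60] ms
    print(violating_intervals([0.0, 0.05, 0.1, 0.175, 0.21], "0.05", "0.01"))
```

For R4 the same call with var "acc_t", period "0.025" and jitter "0.005" yields the bounds 0.020 and 0.030 of Table I. The re-check rounds each gap to nanoseconds before comparing, so that binary floating-point residue in the witness values does not produce false violations at the bounds.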
V. RELATED WORK
Considerable effort has been made to integrate S/S with formal techniques for the analysis of CPS. Approaches for formal analysis of CPS behaviors modeled in S/S using the integrated tool SDV were investigated in several works [10], [14], [15]; they are only applicable to the verification of discrete-time S/S models built from a restricted set of SIMULINK blocks. To perform formal analysis with other tools, transformations of S/S models into other verifiable formalisms have been investigated in earlier studies [16]–[18]. Minopoli et al. [17] translated S/S models into the format recognized by the verification platform SpaceEx, and Tripakis et al. [16] translated S/S into the synchronous data flow language Lustre. Reicherdt et al. [18] presented a theorem-proving approach by translating S/S models into the input language of the Boogie tool. However, none of these works provides formal definitions of S/S with respect to the updated modeling formalisms, or analysis support for S/S models containing non-linear hybrid dynamics. Herber et al. [19] presented an SMT-based analysis approach via a transformation from S/S into the input language of the UCLID verifier; however, non-linear functions are over-approximated during the translation, which reduces the precision of the approach. Filipovikj et al. [20] generated execution paths of hybrid system models in S/S and encoded the paths into SMT formulas amenable to formal analysis with the Z3 solver, whereas our work focuses on enabling formal analysis of hybrid system behaviors modeled in the GHA formalism and provides an approach to translate GHA into SMT formulas recognized by the dReal solver.
VI. CONCLUSION
We present an SMT-based approach for formal analysis of hybrid-dynamic timing behaviors in cyber-physical systems (CPS) modeled as graphical hybrid automata (GHA). To enable formal analysis of GHA, formal definitions of Simulink-based state and GHA are provided. The hierarchical GHA is flattened and translated into formulas amenable to SMT solving. Formal verification of (non-)functional requirements of CPS is reduced to validity checking of the translated SMT formulas using the dReal solver. Moreover, a translation algorithm is provided to facilitate the translation. The feasibility of our approach is demonstrated by performing formal verification on an unmanned surface vessel case study.
Although we have shown that translating GHA models into dReal formulas is sufficient to verify continuous timing behaviors involving non-linear dynamics, the computational cost of the verification in terms of time is high (Table I reports solving times from 49 minutes to nearly 7 hours for bound k = 20). We are therefore investigating complexity-reducing designs for CPS to improve the effectiveness and scalability of system design and verification. As ongoing work, we plan to develop tool support for automatic translation. Furthermore, to formally analyze stochastic environmental behaviors in CPS, we will investigate representing those behaviors using more advanced mathematical formalisms (e.g., stochastic differential equations) and enabling SMT-based analysis of those formalisms.
Acknowledgment. This work is supported by the EASY
project funded by NSFC, a collaborative research between Sun
Yat-Sen University and University of Southern Denmark.
REFERENCES
[1] “ISO 26262-6: Road vehicles functional safety part 6. Product develop-
ment at the software level. International Organization for Standardiza-
tion, Geneva,” 2011.
[2] “IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems,” International Electrotechnical Commission, Geneva, 2010.
[3] “Simulink and Stateflow,” https://www.mathworks.com/products.html.
[4] “Simulink subsystems as states,” https://mathworks.com/help/stateflow/ug/about-simulink-states.html.
[5] A. Rajhans, S. Avadhanula, A. Chutinan, P. J. Mosterman, and F. Zhang,
“Graphical modeling of hybrid dynamics with Simulink and Stateflow,”
in International Conference on Hybrid Systems: Computation and Con-
trol (HSCC). ACM, 2018, pp. 247–252.
[6] L. De Moura and N. Bjørner, “Satisfiability modulo theories: An appe-
tizer,” in Brazilian Symposium on Formal Methods (SBMF). Springer,
2009, pp. 23–36.
[7] S. Gao, J. Avigad, and E. M. Clarke, “Delta-decidability over the reals,”
in IEEE/ACM Symposium on Logic in Computer Science (LICS). IEEE
Computer Society, 2012, pp. 305–314.
[8] S. Gao, S. Kong, and E. M. Clarke, “dReal: An SMT solver for nonlinear theories over the reals,” in International Conference on Automated Deduction (CADE). Springer, 2013, pp. 208–214.
[9] E. Y. Kang, D. Mu, L. Huang, and Q. Lan, “Verification and valida-
tion of a cyber-physical system in the automotive domain,” in IEEE
International Conference on Software Quality, Reliability and Security
Companion (QRS). IEEE, 2017, pp. 326 – 333.
[10] E. Y. Kang and L. Huang, “Probabilistic analysis of timing constraints in
autonomous automotive systems using simulink design verifier,” in In-
ternational Symposium on Dependable Software Engineering: Theories,
Tools, and Applications (SETTA). Springer, 2018, pp. 170–186.
[11] “Simulink Design Verifier,” https://www.mathworks.com/help/sldv.
[12] C. Barrett, P. Fontaine, and C. Tinelli, “The SMT-LIB standard: version 2.6,” Department of Computer Science, The University of Iowa, Tech. Rep., 2017. [Online]. Available: http://smtlib.cs.uiowa.edu/papers/smt-lib-reference-v2.6-r2017-07-18.pdf
[13] P. Duranti, “Catone, multitask unmanned surface vessel for hydro-
geological and environment surveys,” in Engineering Geology for Soci-
ety and Territory - Volume 3. Springer, 2015, pp. 647–652.
[14] E. Y. Kang, L. Huang, and D. Mu, “Formal verification of energy and
timed requirements for a cooperative automotive system,” in ACM/SI-
GAPP Symposium On Applied Computing (SAC). ACM, 2018, pp.
1492 – 1499.
[15] J.-F. Etienne, S. Fechter, and E. Juppeaux, “Using Simulink Design Verifier for proving behavioral properties on a complex safety critical system in the ground transportation domain,” Science of Computer Programming, vol. 77, no. 10, pp. 1151–1177, 2010.
[16] S. Tripakis, C. Sofronis, P. Caspi, and A. Curic, “Translating discrete-
time Simulink to Lustre,” Transactions on Embedded Computing Sys-
tems (TECS), vol. 4, no. 4, pp. 779–818, 2005.
[17] S. Minopoli and G. Frehse, “SL2SX translator: from Simulink to
SpaceEx models,” in International Conference on Hybrid Systems:
Computation and Control (HSCC). ACM, 2016, pp. 93–98.
[18] R. Reicherdt and S. Glesner, “Formal verification of discrete-time
MATLAB/Simulink models using Boogie,” in International Conference
on Software Engineering and Formal Methods (SEFM). Springer, 2014,
pp. 190–204.
[19] P. Herber, R. Reicherdt, and P. Bittner, “Bit-precise formal verification
of discrete-time MATLAB/Simulink models using SMT solving,” in
International Conference on Embedded Software (EMSOFT). IEEE,
2013, p. 8.
[20] P. Filipovikj, G. Rodriguez-Navas, and C. Seceleanu, “Bounded invari-
ance checking of Simulink models,” in ACM/SIGAPP Symposium on
Applied Computing (SAC). ACM, 2019, pp. 2168–2177.
