Abstract-A verification methodology is described and evaluated to formally determine the stability of uncertain linear systems under digital controllers, taking implementation aspects into account. In particular, this methodology is combined with the digital-system verifier (DSVerifier), a verification tool that employs Bounded Model Checking based on Satisfiability Modulo Theories to check the stability of digital control systems with uncertainty. DSVerifier decides the stability of the control system over the whole set of plant interval variations, together with the Finite Word-length (FWL) effects of the digital controller implementation; that is, DSVerifier checks the robust non-fragile stability of a given closed-loop system. The proposed methodology and the respective tool are evaluated on non-fragile control examples from the literature. Experimental results show that the approach is able to foresee fragility problems in robust controllers that other existing approaches could overlook because they underestimate FWL effects.
INTRODUCTION
There has been a gap between two research fields: control theory and formal methods [1], [2]. There is a substantial difference in the level of abstraction and in the kind of specifications considered by the two areas. Formal methods deal with specifications of relatively high-level systems represented as finite (or infinite) state transition systems, while control theory treats dynamical systems using mathematically grounded techniques. Both areas, however, aim at reliable systems, i.e., at checking whether an implementation meets its specification. The diversification and flexibility of verification tools and the introduction of hybrid automata to represent hybrid systems (HS) have brought the two research areas closer together.
Hybrid systems and cyber-physical systems (CPS), two important parts of the current industrial evolution trends, are usually represented by hybrid automata, for which several formal verification methods have been proposed. Alur et al. [3] present the earliest application of model checking to timed automata, using Timed Computation Tree Logic (TCTL) as an extension of CTL model checking to real-time systems. Those initiatives inspired the development of formal methods and model checking tools for verifying timed automata and for representing control systems as finite state machines; notable model checking tools include UPPAAL and HyTech [4].
Although formal methods can check high-level specifications in all sorts of CPS, model checking has rarely been applied to verify control goals such as robust stability, robust performance, and non-fragility. Previous related work [5], [6], [7], [8] developed symbolic execution methods for control systems to check for violations of closed-loop performance and safety properties in hybrid systems. In recent work [9], [10], [11], formal robustness verification for CPS is proposed, considering continuous and discrete disturbances but no model uncertainty.
The main goal here is to propose a comprehensive model checking procedure that formally verifies stability, fragility, and robustness of closed-loop systems without employing hybrid automata. Bounded Model Checking (BMC) based on Satisfiability Modulo Theories (SMT) has proved suitable for investigating the fragility problem in control systems. In particular, the stability verification method does not require executing or simulating the plant behavior, and it simultaneously considers the controller's fragility and the closed-loop robustness to exogenous disturbances and to plant model uncertainties.
As a result, a verification methodology, and a tool implementing it, for the stability verification of closed-loop systems using an SMT-based approach are proposed. The approach considers finite word-length (FWL) effects on the controller together with parameter uncertainties, in the context of verifying the (so-called) robust non-fragile stability. It extends previous studies in which the digital control design is verified and readjusted iteratively until a digital controller is reached that is safe w.r.t. implementation problems such as overflows, limit cycles, round-off errors, and pole and zero sensitivity [12].
The proposed verification methodology is implemented in the digital-system verifier (DSVerifier) tool, which uses the Efficient SMT-Based Context-Bounded Model Checker (ESBMC) as its verification engine for checking digital system properties [13], [14]. DSVerifier builds a closed-loop model that associates the controller model, with FWL effects applied, with a plant model whose coefficients are non-deterministic within the model uncertainty intervals. DSVerifier then performs a symbolic analysis to verify a given property, e.g., stability, for the whole plant family defined by the uncertainties. If the property is violated, DSVerifier reports a failure and presents a counterexample: a plant model belonging to the plant family that violates the property.
This work makes two major contributions. First, a new methodology for verifying closed-loop linear time-invariant systems that considers FWL effects for non-fragile control studies is presented. In particular, a stability verification algorithm for uncertain systems under FWL effects is described, to aid control system designers in validating (digital) controllers. Second, the efficiency and effectiveness of the verification methodology and the respective tool are evaluated on control system benchmarks from the literature.
PRELIMINARIES

Transfer Function for Discrete Systems
There are various mathematical representations for discrete-time systems, e.g., difference equations, state-space models, and transfer functions (or matrices). Here, linear time-invariant (LTI) single-input single-output (SISO) systems are discussed and represented by transfer functions as
where the roots of the numerator are called the zeros of $H(z)$ and the roots of the denominator are called the poles of $H(z)$. For convenience, a vector notation for the coefficients of $H(z)$ will be used: the vector $h$, called the coefficient vector of $H(z)$, is built from the numerator coefficients followed by the denominator coefficients, as described by
Stability of Discrete Systems
A discrete-time system as in (1) is said to be asymptotically stable if every pole lies inside the unit circle, i.e., the circle of unit radius centered at the origin of the complex $z$-plane [15]. Additionally, a discrete-time linear system is said to be Bounded-Input Bounded-Output (BIBO) stable if and only if every pole of its transfer function lies inside the unit circle. Another important concept is internal stability: a system is internally stable if all of its internal variables are bounded, in addition to the stability of the closed-loop transfer function itself [15].
As an example, consider the standard configuration in Fig. 1 and choose as outputs $Y(z)$, the closed-loop system output, and $U(z)$, the controller output; and as inputs $R(z)$, the reference input, $D(z)$, the input disturbance, and $W(z)$, the measurement noise. Then

$$
\begin{bmatrix} Y(z) \\ U(z) \end{bmatrix}
=
\begin{bmatrix}
\dfrac{G(z)C(z)}{1+G(z)C(z)} & \dfrac{G(z)}{1+G(z)C(z)} & \dfrac{-G(z)C(z)}{1+G(z)C(z)} \\[2ex]
\dfrac{C(z)}{1+G(z)C(z)} & \dfrac{1}{1+G(z)C(z)} & \dfrac{-C(z)}{1+G(z)C(z)}
\end{bmatrix}
\begin{bmatrix} R(z) \\ D(z) \\ W(z) \end{bmatrix}.
$$
Definition 1 [15]. If all transfer functions relating the system inputs to the possible system outputs are BIBO stable, then the system is said to be internally stable, i.e., the system outputs $Y(z)$ and $U(z)$ remain bounded for any bounded $R(z)$, $D(z)$, and $W(z)$.
Theorem 1 [15]. The system in Fig. 1

Lemma 1 is a consequence of Theorem 1.
Lemma 1 [15]. A feedback digital control system as shown in Fig. 1

Throughout this paper, all controllers $C(z)$ are assumed to be asymptotically stable and not susceptible to overflow or limit-cycle oscillation.
Digital Control System Design and Implementation
A notable issue in digital control systems is their computational implementation, which must be considered in addition to control performance. Design issues of digital control systems include the sample period, quantization, computer arithmetic, word length, memory usage, delays, controller realization, anti-windup action, and bumpless transfer.
Model Uncertainty
Since control systems are usually based on linear models that only approximate real-world plants, the control design should cope with uncertainties (parametric variations, unmodeled dynamics, and nonlinearities), and robustness properties should be checked. Among the different ways of representing uncertainty, the usual additive representation is adopted, so that the transfer function of the plant $G(z)$ in Fig. 1 can be expressed in its uncertain version as
where $\Delta G(z)$ is a bounded additive uncertainty, $\hat{G}(z)$ is the uncertain model of $G(z)$, and $\hat{g}$ is the coefficient vector of $\hat{G}(z)$.
Digital Controllers Implementation and Fragility
Among the several issues related to digital controller implementation, FWL effects due to round-off and quantization must be carefully considered, since they may lead to (small) imprecision and even to instability. A realistic model of FWL effects must include the quantization of every numerical value: each arithmetic result (sums and products), the input signals, and the system coefficients. A notable effect is that the accumulated error may alter the positions of the digital controller's poles and zeros [16], possibly leading to closed-loop instability or performance degradation. This sensitivity of a system to its implementation is called fragility. Keel and Bhattacharyya show that some robust and optimal controllers may be fragile and, under some conditions, may destabilize the closed-loop system [17]. Several techniques for non-fragile (or reliable) control design have been described [18], [19], [20]. Some non-fragile techniques describe the FWL effects of the digital controller implementation as a perturbation, so that they can be modeled as an uncertainty. Thus, the same representation of uncertain systems given in Eq. (5) can be used, with the controller transfer function represented as
where $\Delta C(z)$ is a bounded additive uncertainty, $\hat{C}(z)$ is the FWL model of $C(z)$, and $\hat{c}$ is the coefficient vector of $\hat{C}(z)$. In contrast to the uncertain plant model presented before, the controller perturbation due to FWL effects can be computed exactly if the implementation characteristics are known. Indeed, a more realistic model should neither treat FWL effects as a non-deterministic perturbation nor treat the plant as a discrete model, since FWL effects can be predicted and most plants are analog.
An important contribution of this study is to consider FWL effects in digital controllers as deterministic. It is assumed that the implementation aspects are known (e.g., number of bits, realization form, and sample time), and that for each implementation of $C(z)$ there exists a function $\mathrm{FWL}[\cdot]: \mathbb{R}^n \to \mathbb{Q}[\mathbb{R}]^n$ that applies the FWL effects to a digital system, where $\mathbb{Q}[\mathbb{R}]$ denotes the set of real numbers representable in the chosen implementation format. Therefore, $\hat{c}$ can be computed as

$$\hat{c} = \mathrm{FWL}[C(z)]. \qquad (7)$$
Stability Verification as a Decision Problem
A robust non-fragile decision problem about the stability of a hybrid control system, with a digital controller that suffers from FWL effects and a plant with an uncertain model, is now stated.

Problem Description. Given a nominal plant model $G(z)$, an additive uncertainty $\Delta G(z)$ over this model, a nominal digital controller $C(z)$, and an FWL function $\mathrm{FWL}[\cdot]$ describing the implementation, decide the internal stability of the closed-loop system constituted by $G(z)$ and $C(z)$ under $\Delta G(z)$ and $\mathrm{FWL}[\cdot]$.

Since the implemented controller $\hat{C}(z)$ has the coefficient vector $\hat{c}$ given by (7), and considering Lemma 1, the problem reduces to deciding the location of the roots of
where the closed-loop control system is stable if and only if all roots of $S(z)$ lie inside the unit circle. Jury's criterion is a necessary and sufficient condition for all roots of a polynomial to lie inside the unit circle [15]; the non-fragile robust stability verification therefore consists of checking, by means of SMT queries, whether that condition can be violated. In this paper, DSVerifier [13], an SMT-based BMC tool for verifying digital systems, is employed to check the satisfiability of the Jury conditions.
Model Checking Digital Systems with DSVerifier
SMT-based BMC has been applied successfully to verify single- and multi-threaded programs [21]. However, the application of BMC to ensure the correctness of discrete-time systems under FWL effects (i.e., verifying system robustness with respect to implementation aspects) is relatively recent [12], [22], [23]. The basic idea of BMC is to check the negation of a given property at a given depth.
Definition 2 [24]. Given a transition system $M$, a property $\varphi$, and a bound $k$, BMC unrolls the system $k$ times and translates it into a verification condition (VC) $\psi$, which is satisfiable if and only if $\varphi$ has a counterexample of depth less than or equal to $k$.
One prominent BMC tool is ESBMC [14], an SMT-based context-bounded model checker for C/C++ programs. DSVerifier uses ESBMC as its verification engine to check a digital system [13]. In ESBMC, the associated problem is formulated by constructing the logical formula
where $\varphi$ is a property (e.g., absence of overflow or limit cycles), $S_0$ is the set of initial states of $M$, and $\gamma(s_j, s_{j+1})$ is the transition relation of $M$ between time steps $j$ and $j+1$. Hence, $I(S_0) \wedge \bigwedge_{j=0}^{i-1} \gamma(s_j, s_{j+1})$ represents the executions of the transition system $M$ of length $i$. The VC $\psi$ is satisfiable if and only if, for some $i \leq k$, there exists a reachable state at time step $i$ in which $\varphi$ is violated. If the logical formula (9) is satisfiable (i.e., the solver returns true), the SMT solver provides a satisfying assignment, from which the values of the digital controller's variables can be extracted to construct a counterexample.
STABILITY VERIFICATION OF CLOSED-LOOP DIGITAL CONTROL SYSTEMS WITH UNCERTAINTY
The proposed methodology for verifying the stability of closed-loop digital control systems with uncertainty is described as follows. The plant model must be represented by a parametric uncertain model, i.e., by plant intervals. Suppose that the digital controller $C(z)$ and the plant model $G(z)$ are given as in (10) and (11), respectively,
and that $c$ and $g$ are the parameter vectors of $C(z)$ and $G(z)$, respectively. The uncertain plant $\hat{G}(z)$ is expressed by (5), and its uncertain parameter vector $\hat{g}$ can be expressed as follows:
where $\Delta g$ represents the plant uncertainties and $\Delta g\%$ is the vector of maximum percentage variation of the coefficients of $g$, with $0 \leq i \leq M_G$ and $0 \leq j \leq N_G$, such that
$\Delta p\% =$
The set of all plant coefficient vectors admitted by these intervals (the plant family) is denoted by $\mathcal{P}$. The DSVerifier verification process is shown in Fig. 2. Steps 1 to 5 are performed by the user, and Steps A to D are performed automatically by DSVerifier. Implementation details should also be incorporated into this symbolic analysis, namely the FWL format (e.g., number of bits), the computational realization, and the sample time.
In Step 1, the user provides the inputs $g$ and $\Delta g\%$, i.e., the plant model and its uncertainty intervals. In Step 2, a digital controller is designed with any preferred method, yielding $c$. The controller's numerical representation and realization form are chosen in Steps 3 and 4, respectively. In Step 5, the user configures the verification parameters (verification time, properties to be verified, model checker, and SMT solver), and the verification engine is invoked.
DSVerifier then performs the automatic verification of the desired property $\varphi$. In Step A, DSVerifier builds a non-deterministic model representing the plant family $\mathcal{P}$ from the $g$ and $\Delta g\%$ provided in Step 1. In Step B, DSVerifier formulates $\mathrm{FWL}[\cdot]$ from the controller obtained in Step 2 and the implementation details chosen in Steps 3 and 4, and in Step C it computes $\mathrm{FWL}[C(z)]$, i.e., $\hat{c}$. DSVerifier then symbolically checks the given property for the closed-loop systems composed of $\mathrm{FWL}[C(z)]$ and a non-deterministic $p \in \mathcal{P}$, using a BMC tool. If a violation is found, DSVerifier reports a counterexample containing the system inputs or the uncertain parameter vector $\hat{g}$ that leads to the failure. A successful result is reported if the system is safe w.r.t. $\varphi$ up to the bound $k$.
Note that, in general, the verification performed by DSVerifier can produce false alarms due to rounding effects, or it can miss a bug because of the chosen loop-unwinding bound $k$. For robust non-fragile stability verification there is no loop unwinding, so the chosen bound $k$ does not influence the verification result; the internal stability result is therefore valid for any time-varying disturbance and holds for unbounded execution traces. However, the stability verification method presented here is incomplete, given that false alarms can still be produced by rounding errors accumulated along the chain of machine arithmetic operations. Since DSVerifier employs a 64-bit fixed-point format with 32 fractional bits (i.e., a precision of about $2^{-32} \approx 10^{-10}$), no false alarm was observed throughout the experimental evaluation.
Closed-Loop Stability Verification Algorithm
To decide internal stability (Theorem 1), the characteristic polynomial $S(z)$ given in (4) is used. DSVerifier offers two algorithms for stability verification, one based on the Schur decomposition and another based on Jury's criterion [12]; here, Jury's method is chosen for its efficiency.
Since the goal is to ensure stability for every model inside the uncertainty intervals while also considering FWL effects, the basic steps of the verification algorithm are: apply the FWL effects to the numerator and denominator of the controller, and then apply Jury's criterion to decide the stability of the characteristic polynomial $S(z)$ given in (4). Algorithm 1 presents the steps of the closed-loop stability verification process.
SMT Encoding of Jury's Criteria
Jury's algorithm is used to check stability in the $z$-domain for a given characteristic polynomial of the form
The Jury stability test is explained in the control systems literature (e.g., [15]
where $k \in \mathbb{Z}$ such that $0 < k < N - 2$. $S(z)$ is the characteristic polynomial of a stable system if and only if the following four propositions hold: The stability property is then encoded as a constraint in the fixed-size bit-vector theory, which is supported by state-of-the-art SMT solvers [25]:

$$\varphi_{\text{stability}} \Leftrightarrow (R_1 \wedge R_2 \wedge R_3 \wedge R_4), \qquad (20)$$

where the literal $\varphi_{\text{stability}}$ represents the validity of the stability condition; in particular, the SMT solver checks whether the Jury conditions hold for the coefficients of the characteristic polynomial.
In the robust non-fragile verification presented in this study, $S(z)$ is computed by (8), and the coefficients of $\hat{N}_G(z)$ and $\hat{D}_G(z)$ are non-deterministic fixed-point values within the ranges defined by (12), (13), and (14). If the system is unstable, i.e., if $\neg\varphi_{\text{stability}}$ is satisfiable for $S(z)$, then the SMT solver provides values for the coefficients of $\hat{N}_G(z)$ and $\hat{D}_G(z)$ that make the closed-loop system unstable.
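As an added worked example (constructed for this page, not DSVerifier's own code), the following Python performs the same check with plain arithmetic in place of an SMT solver. It applies an assumed round-to-nearest fixed-point quantization as $\mathrm{FWL}[\cdot]$, forms the closed-loop characteristic polynomial as $S(z) = D_C(z)D_G(z) + N_C(z)N_G(z)$ (the unity negative-feedback form, assumed here because Eq. (8) is not reproduced above), applies the Jury test including the Jury-table rows, and enumerates the nominal value and both interval endpoints of every plant coefficient as a stand-in for the solver's non-deterministic coefficients. The plant, controller, bit widths, and percentages are constructed values. Unlike the SMT query, such a grid only samples the plant family: it can miss a destabilizing assignment and cannot prove the whole family stable.

```python
# Added example (not DSVerifier code): Jury test on the closed-loop characteristic
# polynomial with an FWL-quantized controller and an interval plant family.
from itertools import product


def poly_mul(p, q):
    """Multiply polynomials given as coefficient lists, lowest degree first."""
    out = [0.0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out


def poly_add(p, q):
    """Add polynomials given as coefficient lists, lowest degree first."""
    n = max(len(p), len(q))
    return [(p[k] if k < len(p) else 0.0) + (q[k] if k < len(q) else 0.0) for k in range(n)]


def fwl(coeffs, frac_bits):
    """Assumed FWL function: round each coefficient to the nearest fixed-point value
    with frac_bits fractional bits (integer bits assumed sufficient, no overflow)."""
    scale = 2 ** frac_bits
    return [round(c * scale) / scale for c in coeffs]


def jury_stable(a):
    """Jury test. a = [a_0, ..., a_n] (lowest degree first). Returns (True, None) if
    all roots lie strictly inside the unit circle, else (False, violated condition)."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0.0:      # drop zero leading coefficients
        a.pop()
    n = len(a) - 1
    if n == 0:
        return (True, None)                 # constant polynomial: no roots
    if a[-1] < 0:                           # normalise to a_n > 0
        a = [-c for c in a]
    p_one = sum(a)
    p_minus_one = sum(c * (-1) ** k for k, c in enumerate(a))
    if not p_one > 0:
        return (False, "P(1) > 0")
    if not (-1) ** n * p_minus_one > 0:
        return (False, "(-1)^n P(-1) > 0")
    if not abs(a[0]) < a[-1]:
        return (False, "|a_0| < a_n")
    row = a
    while len(row) > 3:                     # the remaining n-2 Jury-table conditions
        m = len(row) - 1
        row = [row[0] * row[k] - row[m] * row[m - k] for k in range(m)]
        if not abs(row[0]) > abs(row[-1]):
            return (False, "Jury table row of length %d" % len(row))
    return (True, None)


def closed_loop_poly(num_c, den_c, num_g, den_g):
    """S(z) = D_C(z) D_G(z) + N_C(z) N_G(z): characteristic polynomial of the unity
    negative-feedback loop 1 + C(z) G(z) = 0 (assumed form, see lead-in)."""
    return poly_add(poly_mul(den_c, den_g), poly_mul(num_c, num_g))


def plant_family_grid(coeffs, pct):
    """Nominal value and both endpoints of the +/- pct % interval of every
    coefficient; the cartesian product samples the plant family."""
    axes = []
    for c in coeffs:
        d = abs(c) * pct / 100.0
        axes.append([c - d, c, c + d] if d else [c])
    return product(*axes)


def verify_robust_nonfragile(num_c, den_c, num_g, den_g, frac_bits, pct):
    """Apply FWL to the controller, then search the plant grid for an unstable
    instance. Returns (True, None) or (False, (num_g', den_g', condition))."""
    qnum, qden = fwl(num_c, frac_bits), fwl(den_c, frac_bits)
    for ng in plant_family_grid(num_g, pct):
        for dg in plant_family_grid(den_g, pct):
            ok, cond = jury_stable(closed_loop_poly(qnum, qden, list(ng), list(dg)))
            if not ok:
                return (False, (list(ng), list(dg), cond))
    return (True, None)


# Constructed data: plant G(z) = 0.1 / (z - 0.9) and PI-type controller
# C(z) = (19 z - 18.95) / (z - 1), deliberately placed close to the stability
# boundary so that both FWL rounding and plant variation matter.
NUM_G, DEN_G = [0.1], [-0.9, 1.0]
NUM_C, DEN_C = [-18.95, 19.0], [-1.0, 1.0]

if __name__ == "__main__":
    for bits in (2, 4):
        print("frac_bits=%d, nominal plant:" % bits,
              verify_robust_nonfragile(NUM_C, DEN_C, NUM_G, DEN_G, bits, 0.0))
    print("frac_bits=4, +/-1 % plant:",
          verify_robust_nonfragile(NUM_C, DEN_C, NUM_G, DEN_G, 4, 1.0))
```

On the constructed data the nominal loop is stable with four fractional bits, becomes unstable with two fractional bits (rounding $-18.95$ to $-19$ alone places the closed-loop poles on the unit circle), and with four bits a counterexample is found inside the $\pm 1$ percent plant family, which is the same pattern the experiments below report for $C_1$ and $C_2$. Replacing the grid with a solver query over the interval is what turns the search into a proof.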
The present closed-loop stability verification is suitable for discrete LTI systems: the plant and the digital controller models must be linear, and the verification result is unsound if nonlinearities are present. Although most real-world plants are nonlinear, a simplified linear model is often sufficient to describe the system dynamics in its operating region. The digital controller, however, may exhibit various nonlinearities due to FWL effects, e.g., saturation and wrap-around due to overflow, limit cycle oscillation (LCO) due to successive round-offs, and truncation due to underflow. The verification is sound only if the controller is not susceptible to overflow or LCO. Underflow does not affect stability, since it only occurs for small control actions, i.e., low-level signals at the digital controller output. Round-off is a serious problem only if it moves poles and zeros, and that is exactly the effect the verification algorithm checks. DSVerifier is able to check for overflow and LCO in digital controller implementations; but, although the methodology in [12] successfully prevents many FWL effects, DSVerifier cannot ensure the absence of overflow and LCO unless some induction technique is used.
EXPERIMENTAL EVALUATION
To evaluate the proposed verification methodology and the performance of the respective tool, classical examples from [17] and [26] regarding fragility, stability, and inter-sample response of hybrid systems are considered.
Example A
Consider the following plant $G_1(s)$ and controller $C_1(s)$:
DSVerifier must receive discrete models of the plant and the controller. The plant was sampled with a zero-order hold (Step 1), and the controller was discretized with the Tustin method for the sample times 0.5, 0.1, 0.05, 0.03, 0.01, 0.005, 0.001, 0.00001, and 0.000001 s (Step 2), implemented in three FWL formats of 4, 8, and 12 bits (Step 3), with the direct-form I realization (Step 4). DSVerifier was configured with the ESBMC model checker and the Z3 solver (Step 5). First, only FWL effects are considered: Algorithm 1 is applied to this closed-loop system disregarding plant uncertainties, i.e., with $\Delta p\% = 0$ (Step 1), and the stability verification is repeated for every combination of FWL format and sample time. The results DSVerifier produces for controller $C_1$ are presented in Table 1; each verification took less than 1 s.
The results confirm the conclusions of [26], which state that this hybrid system becomes unstable for large sample periods (e.g., $T_s = 0.5$ s) and has low stability margins for smaller ones. Consequently, it is fragile and may easily lose stability for numerical reasons, e.g., quantization noise caused by an FWL format whose number of bits gives insufficient precision. The experimental results indeed show instability for $T_s = 0.5$ s, and even worse results for representations with fewer bits at small sample periods (e.g., $T_s \leq 0.01$ s). Fig. 3 shows the FWL effect on closed-loop stability for the same control system, composed of the plant $G_1(s)$ and the digital controller $C_1(s)$ discretized with a sample period of 0.01 s: it is stable for a 12-bit controller implementation (right frame) but unstable for a 4-bit implementation (left frame). With an 8-bit implementation the system is still stable but has a longer settling time.
A different scenario can also be considered. Controller $C_1$ implemented with 12 bits of precision and a sample time of 0.03 s was stable in the previous tests, as shown in Table 1. However, if a maximum deviation of $\pm 0.25$ percent is allowed in each coefficient of the plant $G_1$, DSVerifier shows that this controller does not ensure robustness, returning the counterexample
The closed-loop step response in Fig. 4 confirms the result provided by DSVerifier: this closed-loop system is stable for the nominal parameters, but it is unstable for the parametric variation given by the counterexample in (23).

DSVerifier is called as: `dsverifier <filename> --realization DFI --property STABILITY_CLOSED_LOOP --bmc ESBMC --solver z3`
Example B
Consider the plant $G_2(s)$ and the controller $C_2(s)$, whose numerator is
$-124.5 s^3 - 364.95 s^2 - 360.45 s - 120$.
Table 2 presents the verification results without uncertainties, which agree with the conclusions of [26]. Fig. 5 shows the step responses of the closed-loop system with $G_2(s)$ and $C_2(s)$ discretized with a sample time of 0.5 s: the FWL implementation with the larger number of bits (12 bits) is stable, but the same closed-loop system with a 4-bit implementation is unstable. The 8-bit implementation is also stable, but it presents a larger overshoot than the 12-bit one.
Note further that for the controller in the 8-bit FWL format, with a sample time of 0.5 s and each coefficient of the plant $G_2$ varying by $\pm 1$ percent, DSVerifier determines that the system is unstable and returns the following counterexample:
Fig. 6 compares the step responses of the closed-loop system with the nominal parameters and with the variation given in (26). Hence a digital controller that appears non-fragile (i.e., it stabilizes the closed-loop system even in the face of FWL effects) may still fail for an uncertain plant.
These examples show that a specific FWL implementation of a control system may leave the stability and performance of the nominal system, with well-known parameters, unaffected, while a small deviation of those parameters may fatally affect the system behavior. Through the verification methodology presented here, DSVerifier considers plant uncertainties and controller fragility simultaneously, providing an efficient diagnosis of closed-loop stability for a specific FWL format.
RELATED WORK
The symbolic verification of closed-loop systems has advanced considerably in recent decades. Relevant studies on the performance and safety verification of closed-loop systems (e.g., [5], [7], [8], [27]) propose verification methods based on symbolic execution of a plant model. As an example, Closed-Loop Symbolic Execution (CLSE) [8] performs a bounded-time symbolic execution of the plant dynamics, represented by ordinary differential equations (ODEs), combined with concolic execution of the controller software. A robustness analysis is also performed in [8], where the deviation of the plant states caused by a deviation of the sensor signals (measurement noise) is computed. The approach used in this study differs from CLSE in that its internal stability analysis does not require executing the system: it applies Jury's criterion to the plant and controller models.
Costan [28] verifies the stability of closed-loop systems with an embedded C controller by comparing the Simulink implementation of the control system with the code generated by the MathWorks Fixed-Point Advisor and Real-Time Workshop [29]. A notable feature of Costan is its error calculation by static analysis of the controller code with bounded loop unrolling. The deviations are compared with a pre-computed error bound, which is the maximum admissible error for which the closed-loop system remains stable. If a violation is found, Costan provides a concrete test input that leads the system to failure. In contrast, DSVerifier computes the quantization effects and checks the stability of the closed-loop transfer function for the whole plant family, without relying on the usual stability-margin concept; this makes DSVerifier slower than Costan, but more accurate, which suits systems that require a correct-by-design approach [30].
SAHVY simulates the system execution by solving ODEs represented as Taylor models for a range of initial states, and performs SMT-based BMC within this range to check safety properties expressed as CTL formulas. Its BMC engine is similar to the verification engine used by DSVerifier, but SAHVY is limited to hybrid systems with zero-order-hold sampling and does not take FWL effects in the controller into account, in contrast to Costan and DSVerifier. Barnat et al. [31], [32] present a promising approach that uses Simulink diagrams to open up the verification of properties beyond the standard stability tests for first-order systems. That approach, however, is still under development, with limitations mainly related to theorem proving (Why3). Why3 can overcome the state-space explosion reported in previous studies [31]; however, unlike model checking tools, Why3 is not fully automatic (the user has to change parameters manually to produce new proofs), and it generates neither counterexamples nor error traces. A direct comparison with their work is not straightforward, since their verification targets Simulink models, whereas this study focuses on the controller's C code.
A drawback of DSVerifier compared with the aforementioned tools is the limited class of systems it can verify, namely linear systems represented by transfer functions; that class nevertheless covers a large number of real-world systems. DSVerifier is unique in considering model uncertainties and FWL effects in the controller simultaneously: it can verify robust non-fragile properties, which the other existing approaches and model checking tools are unable to handle. DSVerifier relies on model checking techniques and inherits their advantages, e.g., high reliability and precision, counterexamples for failures, and full automation.
Recently, some studies have applied SMT to the verification of control software and to correct-by-design controller synthesis. Pajic et al. use input-output invariants that allow inexact controller implementations to be represented. Bessa et al. [12] employed DSVerifier to find FWL problems in controller implementations in direct- and delta-form realizations. Recent studies [10], [33], [34] apply SMT-based verification to controller synthesis.
Finally, Tabuada et al. [11] establish the important notion of robustness for CPS and propose a methodology for verifying the robust input-output stability of such systems. It is a first step toward applying formal verification to ensure CPS robustness. In contrast to the present robustness verification, Tabuada et al. consider only robustness to exogenous continuous and discrete disturbances. The present methodology ensures internal stability, which includes robustness to exogenous signals, while also considering plant model uncertainties and the fragility issue.
CONCLUSION
A verification methodology for checking the stability of uncertain linear control systems under FWL effects in fixed-point digital controllers has been described and evaluated. This methodology offers an alternative way to check the fragility problem: it computes the exact effect of the FWL implementation and investigates whether robustness is maintained under FWL effects. A verification tool (DSVerifier) supporting this methodology is also presented.
A few previous studies have investigated FWL effects on the stability of closed-loop systems; all of them incorporate FWL noise as uncertainties or perturbations, but none presents a verification methodology and a tool to verify the fragility and robustness of a system simultaneously. This study, in turn, presents a verification methodology supported by a formal verification tool, which treats FWL as a deterministic effect and decides whether stability is maintained over the plant interval represented by non-deterministic coefficients.
The experimental results show that the proposed methodology is efficient and effective for verifying the robustness and fragility of closed-loop systems, with the automation and rigor that model checking techniques provide. Future work includes extending this verification approach to other classes of systems, verifying performance requirements, and synthesizing controller implementations.
