Formal Feature Interpretation of Hybrid Systems by da Costa, Antonio Anastasio Bruto et al.
Formal Feature Interpretation of Hybrid Systems
Antonio A. Bruto da Costa
Indian Institute of Technology
Kharagpur, West Bengal, India
antonio.cse.iitkgp@gmail.com
Pallab Dasgupta
Indian Institute of Technology
Kharagpur, West Bengal, India
pallab@cse.iitkgp.ac.in
Goran Frehse
VERIMAG Laboratory
Grenoble, France
goranf@gmail.com
ABSTRACT
In current practice a formal analysis of hybrid system models is
assertion-based. The work presented here is based on features that
look beyond functional correctness towards a quantitative evalua-
tion of behavioural attributes. A feature defines a real-valued eval-
uation function over a specific set of traces. This article describes
an improved method for the interpretation of features over hybrid
automata models. It further demonstrates how Satisfiability Modulo
Theory (SMT) solvers can be used for extracting behavioural traces
corresponding to corner cases of a feature. Results are demonstrated
on examples from the control and circuit domains.
KEYWORDS
Hybrid Automata, Sequence Expressions, Features, Model Checking
1 INTRODUCTION
The theory of Hybrid Automata (HA) has been extensively studied
in the context of designing provably safe embedded hybrid systems
[5, 9, 14]. The formal safety analysis of hybrid systems is becoming
increasingly significant with the wider proliferation of automated
control in circuits and systems.
An important component of any formal verification framework
is the mechanism for formally specifying the design intent. In the
discrete domain, formalisms based on temporal logic have been
widely adopted with the use of standard assertion languages, such
as SystemVerilog Assertions (SVA) [2] and Property Specification
Language (PSL) [1]. Analog Mixed-Signal (AMS) extensions of as-
sertions have been explored as well [22, 23, 27] and provide con-
structs for assertions over real-valued attributes. Assertion based
verification of HA has also been studied [26], while tools such as
SpaceEx [17] have been used to analyze timed and hybrid models
of embedded control systems using reachability analysis and model
checking. However, assertions in these languages, in and of them-
selves, limit the information they carry to a Boolean outcome. Our
experience is that designers want to understand what the design is
doing and how it behaves, not just the success/fail scenarios. This
is naturally expressed as a quantitative real-valued measure.
Existing literature on quantitative specifications [16, 22, 25] is
assertion based, and uses metrics, with positive values indicating
truth, negative values indicating violations, and robustness being
described as the distance of the quantity from zero. Some metrics
(such as in [20]) are associated with uncertainty. Assertion-based
languages are designed to be flexible with respect to the assertions
written but their quantitative interpretations are restricted. On the
other hand, the language of features, Feature Indented Assertions
(FIA) [4], is designed to be flexible on the definition of the quantity,
with the set of assertions that can be expressed limited to those
that are sequences of predicates and events.
Many properties used in practice concerning system attributes
can be intuitively expressed as features. Related work exists in
learning parameters of Signal Temporal Logic (STL) properties,
such as [19], wherein the authors propose learning tight bounds
on parameters of STL properties from system traces. The approach
can indeed be used to learn those features that can be expressed
as parameters in STL properties. However, note that expressing
a feature to be learned as an STL property can require the use of
additional parameters, thus making the analysis more expensive.
STL property based analysis is implemented in MATLAB tool-
boxes such as Breach [15] and S-Taliro [7]. These can be used for
parameter synthesis, robustness monitoring and parameter sensi-
tivity analysis. The work presented in this manuscript is largely
influenced by the semiconductor industry which finds expressing
properties tedious in temporal logic based languages. As a result,
for digital designs, the IEEE 1800-2012 Standard SVA language is
widely used across the industry for expressing assertions for the
validation and verification of digital circuits. FIA is developed over
the fabric of SVA, which in practice enables the more intuitive
expression of real-valued quantities over system traces.
To understand features, consider the settling time of a DC-DC
Buck Regulator, defined as the time taken for the output voltage x1
to settle to below Vr + ϵ for two successive openings of the capacitor
switch; Vr is the rated voltage for the regulator. Booleanizing
the notion of settling of x1 within 100 clock cycles in SVA, using
the propositional variable x1_GE_Vr ≡ (x1>=Vr+E), and swOpen to
mean the capacitor switch is open, yields the following sequence:
x1_GE_Vr ##[0:100] first_match(@(posedge swOpen) &&
!x1_GE_Vr ##[0:$] @(posedge swOpen) && !x1_GE_Vr)
The expression represents the regulator’s behaviour of settling,
that is the first time when the regulator’s voltage output x1 is found
to be less than Vr+E for two consecutive openings of the buck
regulator capacitor switch, specified as two successive capacitor
switch open events, after having risen above Vr+E. The semantics
of the assertion depends on a clock and all sequence delays are
in terms of this clock. A change of clock requires re-writing the
assertion with delays consistent with the revised clock, thereby
inviting human error. Additionally, this form of expression requires
Booleanization and is non-intuitive.
The verification of a buck converter model against an expression
like the one above would yield a Boolean outcome. However, the
feature settling time is a real valued artifact. In FIA this is expressed
by overlaying the computation of settling time over a sequence ex-
pressing the behaviour of settling. This is done using the power of
local variables to store state variable values as the sequence matches,
shown below in Example 1. FIA was introduced in [4], wherein
features were used to analyze systems in a simulation environment.
The formal expression of features is based on the syntactic fabric
of assertions, but the definition of assertions is overlaid with real-
valued functions that are computed over matches of underlying
logical expressions. This enables the formal expression of defini-
tions of standard features like rise time, peak overshoot and settling
time, and other design specific features.
arXiv:1711.00669v2 [cs.LO] 22 Feb 2019
Example 1. Settling Time: The local variable st is assigned in the
antecedent and is used to define the feature value settlingTime
in the consequent.
feature settlingTime(Vr,E);
begin
var st;
(x1>=Vr+E) ##[0:$]
@+(state==Open) && (x1<=Vr+E), st=$time
##[0:$] @+(state==Open) && (x1<=Vr+E)
|-> settlingTime = st;
end
The feature in Example 1 has two parameters Vr and E that
are used later in the contained sequence expression. st is an un-
interpreted local variable of the feature that is assigned the real
time at the first opening of the switch after x1>=Vr+E, but when
x1<=Vr+E. The variable settlingTime has the same name as the
feature, and is assigned the value of the local variable when the
entire sequence matches. In the sequence expression of the feature,
the notable differences with SVA are the following:
(1) Predicates over real valued signals (PORVs) [22], such as
(x1>=Vr+E), are allowed. PORVs can be over real variables
or over the special variable state which refers to the name
of the mode of operation of the buck regulator automaton.
(2) @+ is used to denote the positive crossing of PORVs. For a
predicate involving variable state, this indicates that the
state is entered. Similarly @- may be used for negative cross-
ings of PORVs.
(3) All intervals of the form ##[a:b] are treated as real time
intervals, as opposed to intervals countable in terms of the
number of clock cycles in SVA semantics. This avoids rewrit-
ing the property if the clock cycle changes.
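To make the three differences above concrete, here is an added example (Python written for this page, not code from the paper or from any FIA tool) of a direct matcher for a feature sequence expression over a sampled run. It implements Example 1 with the match semantics that Section 2.2 defines (every match is enumerated, i_j ≤ i_{j+1}, and delays are measured in real time rather than clock cycles) over a constructed Open/Closed trace of the buck regulator. The trace values, Vr = 5.0, E = 0.1, and every class and function name here are assumptions of this example.

```python
"""Added example, not code from the paper: a direct matcher for FIA-style
sequence expressions over a sampled run, following the match semantics of
Section 2.2 (all matches; i_j <= i_{j+1}; delays in real time).  The trace,
Vr, E and every name below are constructed for this illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Valuation = Dict[str, object]            # includes the special variable 'state'
Sample = Tuple[float, Valuation]         # (time of sigma_i, valuation at sigma_i)


@dataclass
class Sub:
    """One sub-expression s_i = D ∧ E, A preceded by the delay tau_{i-1}."""
    cond: Callable[[Valuation], bool]                                  # D: PORVs
    event: Optional[Callable[[Valuation], bool]] = None                # P of @+(P)
    assign: Optional[Callable[[Valuation, float, dict], None]] = None  # A
    delay: Tuple[float, float] = (0.0, float("inf"))                   # [a:b]; $ is inf


def event_matches(trace: List[Sample], i: int, pred) -> bool:
    """@+(P) at index i: i > 0, P false just before sigma_i and true at sigma_i.
    On a sampled trace the interval [0, t_{i-1}) is represented by sample i-1."""
    return i > 0 and not pred(trace[i - 1][1]) and pred(trace[i][1])


def state_matches(trace: List[Sample], i: int, sub: Sub) -> bool:
    if not sub.cond(trace[i][1]):
        return False
    return sub.event is None or event_matches(trace, i, sub.event)


def matches(trace: List[Sample], seq: List[Sub]):
    """Enumerate every match <i_1, ..., i_n> of seq in trace together with the
    local variables assigned along it (Definition 5, no first-match restriction)."""
    found = []

    def extend(j: int, prev: int, idxs: List[int], local: dict) -> None:
        if j == len(seq):
            found.append((tuple(idxs), dict(local)))
            return
        sub = seq[j]
        for i in range(prev, len(trace)):            # i_j <= i_{j+1}
            if j > 0:
                gap = trace[i][0] - trace[prev][0]   # t_{i_j} + ... + t_{i_{j+1}-1}
                if gap > sub.delay[1]:
                    break                             # time only grows with i
                if gap < sub.delay[0]:
                    continue
            if state_matches(trace, i, sub):
                local2 = dict(local)
                if sub.assign is not None:
                    sub.assign(trace[i][1], trace[i][0], local2)
                extend(j + 1, i, idxs + [i], local2)

    extend(0, 0, [], {})
    return found


def settling_time_feature(Vr: float, E: float) -> List[Sub]:
    """Example 1: (x1>=Vr+E) ##[0:$] @+(state==Open) && (x1<=Vr+E), st=$time
    ##[0:$] @+(state==Open) && (x1<=Vr+E)  |-> settlingTime = st."""
    def is_open(v): return v["state"] == "Open"
    def set_st(v, t, local): local["st"] = t       # st = $time
    return [
        Sub(cond=lambda v: v["x1"] >= Vr + E),
        Sub(cond=lambda v: v["x1"] <= Vr + E, event=is_open, assign=set_st),
        Sub(cond=lambda v: v["x1"] <= Vr + E, event=is_open),
    ]


def feature_range(trace, seq, f):
    """Definition 6 restricted to one run: min and max of Eval over its matches."""
    vals = [f(local) for _, local in matches(trace, seq)]
    return (min(vals), max(vals)) if vals else None


# Constructed run: one sample per time unit, switch state alternating, x1 settling.
TRACE: List[Sample] = [
    (0.0, {"state": "Closed", "x1": 4.00}),
    (1.0, {"state": "Open",   "x1": 5.50}),
    (2.0, {"state": "Closed", "x1": 5.60}),
    (3.0, {"state": "Open",   "x1": 5.30}),
    (4.0, {"state": "Closed", "x1": 5.20}),
    (5.0, {"state": "Open",   "x1": 5.05}),
    (6.0, {"state": "Closed", "x1": 5.08}),
    (7.0, {"state": "Open",   "x1": 5.02}),
    (8.0, {"state": "Closed", "x1": 5.04}),
    (9.0, {"state": "Open",   "x1": 5.01}),
]

if __name__ == "__main__":
    seq = settling_time_feature(Vr=5.0, E=0.1)
    print(len(matches(TRACE, seq)), "matches; settlingTime range",
          feature_range(TRACE, seq, lambda local: local["st"]))
```

On this trace s1 holds at the four samples above Vr + E, and each of the two @+(state == Open) sub-expressions can match at any of the three later openings where x1 has settled, so the matcher reports 24 matches with settlingTime taking the values 5.0, 7.0 and 9.0. The intended answer is the earliest, 5.0; selecting it is exactly what the first-match region semantics of Section 3.2 adds on top of these plain match semantics.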
The repertoire of work presented in this article is rooted in the
use of features for the verification and analysis of hybrid systems
and consists of the following:
(1) A methodology to compute an over-approximation of the
range of feature values for all possible runs of the system.
(2) A methodology for finding the extremal values of the feature
range through successive refinement using SMT.
Methodology 2 makes its first appearance in this article. Method-
ology 1 was first reported in [10], where a technique for manually
transforming models was outlined, but only for very specific types
of features. A more general technique was later reported in [11, 13]
with its integration into simulation flows in [12]. Here, at the heart
of Methodology 1, we present an improved computation of the
product automaton of [13]. The product in [13] implements con-
servative semantics for the feature’s sequence expression, yield-
ing a feature range that ignores some matches of the sequence-
expression, and also includes matches with broader semantics than
intended. The semantics of the keyword first_match used in the
SVA sequence-expression enforces predictability in the match, by
ensuring that only the earliest observation of the contained sub-
sequence is matched. In this article, we extend the more general
product described in [13] with first match region semantics described
in Section 3.2. In a feature, a combination of first-match and non-
first-match semantics may be used (as in SVA). However, in this
article, for simplicity we assume that all features are evaluated
with first-match region semantics. In the past, Methodology 1 was
primarily used with reachset computation tools like SpaceEx [17]
to compute feature ranges. However, this is not always the best so-
lution because in our experience the results tend to be conservative.
In practice, we find that tighter feature ranges can be computed
using SMT tools, at the price of longer run-times, and possibly
choking if the unfolding is too large. In summary, we propose two
technologies, one which is faster but coarser, and another which is
slower but more precise. We present various case studies on hybrid
systems from the circuit and control domains.
2 PRELIMINARIES
Given a system defined as a HA H, and a feature F, the objective
is to find the range of valuations of F over all possible runs of H.
This section presents the requisite definitions of HA, and feature
semantics over runs of a HA.
2.1 Hybrid Automata
A hybrid automaton is defined as follows:
Definition 1. Hybrid Automaton
A hybrid automaton [5] is a collection $H = (Q, X, Lab, Init, Dom, Edg, Act)$, where:
• $Q$ is the set of discrete states also known as locations; $X$ is a finite set of real-valued variables. A valuation is a function $\nu : X \to \mathbb{R}$. Let $V(X)$ denote the set of valuations over $X$; $Lab$ is a finite set of synchronization labels; $Init \subseteq Q \times V(X)$ is a set of initial states; $Dom : Q \to 2^{V(X)}$ is a domain function: $Dom(l) \subseteq \mathbb{R}^n$ assigns a set of continuous states to each discrete state $l \in Q$.
• $Edg$ is a set of edges, also called transitions. Each edge $e = (p, a, \mu, r)$ consists of a source location $p \in Q$, a target location $r \in Q$, a synchronization label $a \in Lab$, and a transition relation $\mu \subseteq V(X) \times V(X)$. A transition $e$ is enabled in state $(p, \nu)$ if for some valuation $\nu' \in V(X)$, $(\nu, \nu') \in \mu$. We require that for each location $p \in Q$, there be a stutter transition of the form $(p, \kappa, \mu_{ID_X}, p)$, $\mu_{ID_X} = \{(\nu, \nu) \mid \nu \in V(X)\}$.
• $Act$ is a function that assigns to each location a (possibly infinite) set of activities, where each activity $f : \mathbb{R}_{\ge 0} \to V(X)$ represents an evolution of the variables over time. The set of activities is usually defined implicitly as the set of solutions to a system of differential equations or inclusions. We denote the expression associated with the time derivative of a variable $x \in X$ in location $p \in Q$ as $flow^x_p$.
A state of $H$ is given as $(p, \nu) \in Q \times V(X)$. □
For valuation $\nu$, we use $\nu{\downarrow}U$ as the projection of $\nu$ on the set of variables $U \subseteq X$. For variable $u \in X$, $\nu{\downarrow}u$ is the value of variable $u$ in state $\nu$. Similarly, for a set of valuations $R$, $R{\downarrow}U$ and $R{\downarrow}u$ are respectively the projection of $R$ on the variable set $U$ and on the variable $u$. For an edge $e = (p, a, \mu, r)$, $e \in Edg$, $G(\mu) = \{\nu \mid (\nu, \nu') \in \mu\}$. $G(\mu)$ is commonly known as the transition guard and is often represented as a set of predicates over variables in $X$. Similarly $R(\mu, \nu) = \{\nu' \mid (\nu, \nu') \in \mu\}$ is known as the reset relation, and most often appears as a function, i.e. $R(\mu, \nu) = \nu'$, $(\nu, \nu') \in \mu$.
Figure 1 (two locations: Open with invariant 0 ≤ τ ≤ (1−D)T and flow ẋ_i = A_o x + B_o; Closed with invariant 0 ≤ τ ≤ DT and flow ẋ_i = A_c x + B_c; edge Open → Closed guarded by τ ≥ (1−D)T and edge Closed → Open guarded by τ ≥ DT, each with reset τ′ := 0): HA model of a DC-DC Buck Regulator [24]
When a system consists of multiple interacting components, we
assume that a parallel composition of automata is available prior
to applying the algorithms presented in this article. The meth-
ods discussed in this article are applied on linear hybrid systems
that have monotonically increasing or decreasing variable dynam-
ics in each location. Non-linear systems can be approximated as
piece-wise affine models using techniques such as hybridization [8].
Furthermore, a location with non-monotonic variable dynamics
can be transformed into an equivalent model with location-wise
monotonic variable dynamics. The constraint of monotonicity is
used in the article to accommodate existing tools (which use may,
non-urgent, semantics on transitions). With tools that use urgent
semantics, this restriction can be lifted.
Definition 2. Run of the hybrid system $H$
A run of the hybrid system $H$ is a finite or infinite sequence
$$\rho : \sigma_0 \xmapsto[f_0]{t_0} \sigma_1 \xmapsto[f_1]{t_1} \sigma_2 \xmapsto[f_2]{t_2} \cdots$$
of states $\sigma_i = (l_i, \nu_i)$, non-negative reals $t_i \in \mathbb{R}_+$, and activities $f_i$ of location $l_i$, such that for all $i \ge 0$,
(1) $f_i(0) = \nu_i$,
(2) for all $0 \le \theta \le t_i$, $f_i(\theta) \in Dom(l_i)$,
(3) there exists an edge $(l_i, a, \mu, l_{i+1})$ such that $(f_i(t_i), \nu_{i+1}) \in \mu$ and $\nu_{i+1} \in Dom(l_{i+1})$. □
The HA model for a two location DC-DC Buck Regulator [24],
in Figure 1, presents analysis complexities due to its high location
switching frequency, yet is simple enough to help explain the notion
of feature analysis. It has two variables, the voltage across the
load (x1) and the load current (x2). The dynamics in each mode of
operation may be found in [24]. The notation u ′ in a reset relation
on an edge is the value of u after the transition is taken. This model
is used as a running example in this article along with the feature
Settling Time described in Example 1.
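As an added example (Python written for this page; not the paper's code and not the model of [24]), the following checks whether a candidate sequence of (location, valuation, duration) steps is a run of the Figure 1 automaton in the sense of Definition 2: activities start at the step's valuation, stay inside the location's domain, and consecutive steps are related by an edge (guard, then reset) or by the stutter transition. The duty cycle D, the period T, the sampling step used to check the invariant along an activity, the simple affine flows standing in for A_o x + B_o and A_c x + B_c, and the three candidate runs are all placeholders chosen for this example.

```python
"""Added example, not the paper's code and not the model of [24]: checking that a
candidate sequence of (location, valuation, duration) steps is a run of the
Figure 1 Buck Regulator HA in the sense of Definition 2.  D, T, the sampling
step used along activities, the affine flows standing in for A_o x + B_o and
A_c x + B_c, and the three candidate runs are placeholders chosen here."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

D, T = 0.5, 1.0        # placeholder duty cycle and switching period
STEP = 0.05            # placeholder sampling step for checking Dom along an activity

Valuation = Dict[str, float]


@dataclass
class Location:
    name: str
    dom: Callable[[Valuation], bool]                  # Dom(l)
    flow: Callable[[Valuation, float], Valuation]    # activity f with f(0) = nu


@dataclass
class Edge:
    src: str
    dst: str
    guard: Callable[[Valuation], bool]               # G(mu)
    reset: Callable[[Valuation], Valuation]          # R(mu, nu) as a function


def _open_flow(nu: Valuation, th: float) -> Valuation:
    # Placeholder dynamics in Open: x1 and x2 fall, tau advances at rate 1.
    return {"x1": nu["x1"] - 2.0 * th, "x2": nu["x2"] - th, "tau": nu["tau"] + th}


def _closed_flow(nu: Valuation, th: float) -> Valuation:
    # Placeholder dynamics in Closed: x1 and x2 rise, tau advances at rate 1.
    return {"x1": nu["x1"] + 2.0 * th, "x2": nu["x2"] + th, "tau": nu["tau"] + th}


def _reset_tau(nu: Valuation) -> Valuation:
    return {**nu, "tau": 0.0}                        # tau' := 0


BUCK = {
    "Open":   Location("Open",   lambda v: 0.0 <= v["tau"] <= (1 - D) * T, _open_flow),
    "Closed": Location("Closed", lambda v: 0.0 <= v["tau"] <= D * T,       _closed_flow),
}
EDGES = [
    Edge("Open",   "Closed", lambda v: v["tau"] >= (1 - D) * T, _reset_tau),
    Edge("Closed", "Open",   lambda v: v["tau"] >= D * T,       _reset_tau),
]


def _same(a: Valuation, b: Valuation, eps: float = 1e-9) -> bool:
    return a.keys() == b.keys() and all(abs(a[k] - b[k]) <= eps for k in a)


def is_run(steps: List[Tuple[str, Valuation, float]]) -> bool:
    """steps[i] = (l_i, nu_i, t_i).  Checks Definition 2: (1) f_i(0) = nu_i holds by
    construction of the flows; (2) f_i(theta) in Dom(l_i) on a sampled [0, t_i];
    (3) an edge (or the stutter transition) relates f_i(t_i) to nu_{i+1} and
    nu_{i+1} in Dom(l_{i+1}).  Transitions are 'may' transitions: staying is allowed."""
    for i, (l, nu, t) in enumerate(steps):
        loc = BUCK[l]
        if t < 0 or not loc.dom(nu):
            return False
        n = max(1, round(t / STEP))
        thetas = [t * k / n for k in range(n)] + [t]
        if not all(loc.dom(loc.flow(nu, th)) for th in thetas):
            return False                             # condition (2) violated
        if i + 1 == len(steps):
            break
        l2, nu2, _ = steps[i + 1]
        end = loc.flow(nu, t)
        stutter = l2 == l and _same(end, nu2)        # (p, kappa, mu_ID_X, p)
        jump = any(e.src == l and e.dst == l2 and e.guard(end) and _same(e.reset(end), nu2)
                   for e in EDGES)
        if not (stutter or jump) or not BUCK[l2].dom(nu2):
            return False                             # condition (3) violated
    return True


# Constructed candidate runs (D*T = (1-D)*T = 0.5 with the placeholders above).
GOOD_RUN = [
    ("Closed", {"x1": 4.0, "x2": 1.0, "tau": 0.0}, 0.5),
    ("Open",   {"x1": 5.0, "x2": 1.5, "tau": 0.0}, 0.5),
    ("Closed", {"x1": 4.0, "x2": 1.0, "tau": 0.0}, 0.25),
]
BAD_RUN_INVARIANT = [                                 # stays in Closed past DT
    ("Closed", {"x1": 4.0, "x2": 1.0, "tau": 0.0}, 0.7),
    ("Open",   {"x1": 5.4, "x2": 1.7, "tau": 0.0}, 0.5),
]
BAD_RUN_RESET = [                                     # switches without tau' := 0
    ("Closed", {"x1": 4.0, "x2": 1.0, "tau": 0.0}, 0.5),
    ("Open",   {"x1": 5.0, "x2": 1.5, "tau": 0.5}, 0.0),
]

if __name__ == "__main__":
    print(is_run(GOOD_RUN), is_run(BAD_RUN_INVARIANT), is_run(BAD_RUN_RESET))
```

The invariant is checked at sampled points of [0, t_i] plus the endpoint, which is sound for the monotone τ of Figure 1 but is an approximation in general; the remark on monotonic dynamics above is what makes such a sampled check adequate for the models the article targets.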
2.2 Feature Semantics for Hybrid Automata
This section presents the semantics of features, which is an im-
proved version of [13]. We introduce stricter first-match semantics
for feature matches in Section 3.2, while the more general semantics
for feature matches are presented here. The language for expressing
features, FIA, uses Predicates Over Real Variables (PORVs) [22]. A
feature is formally defined using the following syntax,
feature Fname (Lp);
begin
var L;
S |-> Fname = F ;
end
where Fname is the feature name, and Lp and L are respectively the list of parameters and the list of local variables used in the body of the feature. Fname is a special variable representing the value of the feature, assigned to it in the expression F. S is a sequence expression of the form
$$s_1\ \#\#\ \tau_1\ s_2\ \#\#\ \tau_2\ \ldots\ \#\#\ \tau_{n-1}\ s_n$$
and F is a linear function over L which assigns the feature value. $\tau_i$ represents a time interval, also referred to as a delay operator, and is of the form $[a : b]$, where $a, b \in \mathbb{R}_+$, $a \le b$, and additionally $b$ can be the symbol $ (dollar), representing infinity.
Sub-expressions $s_1, s_2, \ldots, s_n$ are each of the form "$D \wedge E, A$", where $D$ is a Boolean expression of PORVs in disjunctive normal form, $E$ is an optional event and $A$ is an optional list of comma-separated local variable assignments. For sub-expression $s_i$, we use $Cond(s_i) \equiv D_i \wedge E_i$ to represent a Boolean expression of PORVs and an event, and $A_i = [A^1_i, A^2_i, \ldots, A^k_i]$ is a list of $k$ local variable assignments in $s_i$. The feature expression S |-> F is interpreted as the computation of F whenever there is a match of sequence expression S. We use the notation $S^j_i$, $1 \le i \le j \le n$, to denote the sub-sequence expression $s_i\ \#\#\ \tau_i\ \ldots\ \#\#\ \tau_{j-1}\ s_j$.
Given run $\rho$ of $H$, the following definitions indicate what it means for a feature to match $\rho$.
Definition 3. Event Match: An event $E \equiv @+(P)$ matches in a run $\rho : \sigma_0 \xmapsto[f_0]{t_0} \cdots \xmapsto[f_{i-1}]{t_{i-1}} \sigma_i \xmapsto[f_i]{t_i} \cdots$ at index $i$ iff
$$i > 0,\quad t_{i-1} > 0,\quad \forall \theta \in [0 : t_{i-1})\ (l_{i-1}, f_{i-1}(\theta)) \not\models P \ \wedge\ \sigma_i \models P.$$
We define $@-(P) \equiv @+(\neg P)$ and $@(P) \equiv @+(P) \vee @-(P)$.
We use the notation $\sigma_i \models_\rho E$ to denote the fact that the event $E$ matches in the run $\rho$ at index $i$. □
To extend predicates to be evaluated over locations of the HA,
for state σ = (l ,ν ), a predicate P can also take the form, state ==
l , where state is a special variable denoting the location label.
Definition 4. The notation $\sigma \models_\rho s$, where $s$ is treated as $Cond(s)$ and $\sigma = (l, f(t))$, is extended to conjunctions and disjunctions of PORVs and events recursively, as defined below. Note that $s$ does not have any delay operators.
• $\sigma \models_\rho P$ iff $P$ is a PORV and $P$ is true for signal valuation $f(t)$, or $P \equiv (state == l)$.
• $\sigma \models_\rho C$, where $C = P_1 \wedge P_2 \wedge \ldots \wedge P_n$ and each $P_i$ is a PORV, iff $\forall_{i=1}^{n}\ \sigma \models P_i$.
• $\sigma \models_\rho D$, where $D = C_1 \vee C_2 \vee \ldots \vee C_n$ and each $C_i$ is a conjunction of PORVs, iff $\exists_{i=1}^{n}\ \sigma \models C_i$.
• $\sigma \models_\rho D \wedge E$, where $D = C_1 \vee C_2 \vee \ldots \vee C_n$, $C_i$ is a conjunction of PORVs and $E$ is an optional event, iff $\sigma \models_\rho D \wedge \sigma \models_\rho E$.
For hybrid system $H$ and sub-expression $s$, we say that $l \models s$ if for some $\sigma = (l, \nu)$, $\sigma \models_\rho s$. For sub-expression $s_j = D_j \wedge E_j$, $C^j_i$ is the $i$th conjunct term in $D_j$. $\Upsilon^j_i$ is the state context for $C^j_i$, i.e. $\Upsilon^j_i = l$ iff $(state == l)$ is a PORV in $C^j_i$. Similarly $\Upsilon^j$ is the state context of event $E_j$ in $s_j$.¹ □
Definition 5. Match $M$ of Sequence Expression $S$: A run $\rho : \sigma_0 \xmapsto[f_0]{t_0} \sigma_1 \xmapsto[f_1]{t_1} \sigma_2 \xmapsto[f_2]{t_2} \cdots$ has a match $M = \langle i_1, \ldots, i_n \rangle$ of the sequence expression $S = s_1\ \#\#\ \tau_1\ s_2\ \#\#\ \tau_2\ \ldots\ \#\#\ \tau_{n-1}\ s_n$, $n \ge 1$, if $\forall_{j=1}^{n-1}\ i_j \le i_{j+1}$ and the following conditions hold:
• $\sigma_{i_1} \models_\rho s_1$,
• $\sigma_{i_2} \models_\rho s_2$ and $t_{i_1} + \ldots + t_{i_2-1} \in \tau_1$,
• and so on ... until,
• $\sigma_{i_n} \models_\rho s_n$ and $t_{i_{n-1}} + \ldots + t_{i_n-1} \in \tau_{n-1}$.
Local variables associated with $s_j$ are assigned values from variable valuations in state $\sigma_{i_j}$. Note that there can be multiple matches of $S$ in $\rho$, and multiple runs of $H$ that match $S$. Each match $M$ defines a feature value, denoted $Eval(M, \rho, F)$, computed as the value of feature expression $F$ over values of the local variables assigned during match $M$ in run $\rho$. □
¹ We assume for simplicity that a conjunct in a sub-expression of the sequence does not have any contradictory 'state' constraints.
Definition 6. Feature Range of a Hybrid Automaton: Given a
feature sequence expression S and a feature computation function F ,
that computes the value of Fname , the feature range [Fmin ,Fmax ]
of a hybrid automaton H is computed as follows:
• Fmin = min{ Eval(M, ρ,F ) | ρ is a run in H and M is a
match of S in ρ }
• Fmax = max{ Eval(M, ρ,F ) | ρ is a run in H and M is a
match of S in ρ }
max and min are computed over all matches in all runs ρ of H . □
3 METHOD-1: FEATURE TRANSFORMATIONS
The problem of feature analysis can be formally defined as follows:
Given a HA H = (Q, X, Lab, Init, Dom, Edg, Act) and a feature F,
we wish to compute Fmin and Fmax over all runs ρ of H.
The methodology consists of the three steps shown in Figure 2.
Compared to [13], the Feature Automaton definition is re-written
to better capture the feature intent of Section 2.2, and in Section 3.2
we present an improved construction of the product automaton.
3.1 Feature Automaton Construction
The feature automaton is a monitor automaton which is similar to
a HA, but allows guards to be written with predicates over location
labels and events. Additionally, unlike the HA in Definition 1, a
feature automaton also has an accept location.
Given a HA $H = (Q_H, X_H, Lab_H, Init_H, Dom_H, Edg_H, Act_H)$, a feature $F$ with local variable set $L = \{l_0, l_1, \ldots, l_m\}$, sequence expression $S = s_1\ \#\#\ \tau_1\ s_2\ \#\#\ \tau_2\ \ldots\ \#\#\ \tau_{n-1}\ s_n$ and feature computation expression $F$ that assigns the feature value to Fname, we construct the feature automaton as follows:
Definition 7. Feature Automaton: A Feature Automaton for HA $H$ is a collection $M_F = (Q, Z, X, V, C, E, Init, q_F)$, where:
• $Q = \{q_1, q_2, \ldots, q_{n+1}, q_F\} \cup Z$ is the set of feature locations. Intuitively, location $q_i$ is reached when the sequence expression has matched up to $s_{i-1}$ and it awaits the match of $s_i$ within the time interval $\tau_{i-1}$. $q_F$ is the accept location;
• $Z = \{q_{i,j} \mid |A_i| > 1,\ 1 \le i \le n,\ 1 \le j \le |A_i| - 1\} \cup \{q_{n+1}, q_F\}$ is a set of pause locations where time does not progress. If a sub-expression has multiple assignment statements, then a sequence of pause locations is added corresponding to all but the first assignment, to capture the order in which these assignments are made. Pause locations $q_{i,j}$ are added if $|A_i| > 1$. State $q_{i,j}$ is reached when the $j$th assignment of $s_i$ has been executed;
• $X = X_H$; $V$ is the set of feature variables, $V = L \cup \{Fname\}$; $C = \{t, lt\}$ is a set of timers where $t$ measures cumulative time along a match, and $lt$ is a location timer, measuring time spent in every location. All timers are initially 0;
• We augment the assignment list $A_i$ for sub-expression $s_i$ with the assignment $lt := 0$ for the location timer $lt$.
• An event of the form $@*(x \sim a)$ is associated with PORVs as follows:
– $@+(x \ge a)$ is associated with $(x == a)$ and $flow^x_q > 0$
– $@-(x \le a)$ is associated with $(x == a)$ and $flow^x_q < 0$
• $E \subseteq Q \times V(Q_H \cup X \cup V \cup C) \times Q$ is the set of edges defined by the following rules:
– $\forall_{1 \le i \le n}\ (|A_i| = 1) \to (q_i, \mu_i, q_{i+1}) \in E$
– $\forall_{1 \le i \le n}\ (|A_i| > 1) \to (q_i, \mu_i, q_{i,1}) \in E \ \wedge\ \forall_{1 \le j < |A_i|-1}\ (q_{i,j}, \mu_{i,j}, q_{i,j+1}) \in E \ \wedge\ (q_{i,|A_i|-1}, \mu_{i,|A_i|-1}, q_{i+1}) \in E$.
– $\forall_{1 \le i < n}\ \mu_i = (Cond(s_i) \wedge (lt \in \tau_i) \wedge A^1_i \wedge \{lt' == 0\})$; $\mu_n = (Cond(s_n) \wedge A^1_n)$
– $\forall_{1 \le i < n}\ \forall_{1 \le j \le |A_i|-1}\ \mu_{i,j} = true \wedge A^{j+1}_i$
– $(q_{n+1}, \mu_F, q_F) \in E$, where $\mu_F = \{Fname' == F\}$
– For relation $\mu$, $\omega$ denotes the projection of the relation $\mu$ onto $V(X \cup V \cup C) \times V(X \cup V \cup C)$.
• $Init = \{q_1\} \times [0]|_{V \cup C}$ is the set of initial states.
A state of $M_F$ is given as $(q, \nu) \in Q \times V(X \cup V \cup C)$. □
Figure 2 (flow: feature F and HA H → Feature Automaton Construction → M_F → Product Automaton Construction → H_F → Feature Evaluation via Flowpipe Analysis → F_max, F_min): Methodology-1: Feature Transformations
Figure 3 (surviving labels: locations q1, q2, q3, q4, q_F, each with ṫ = 1 and l̇t = 1, initially t == 0 ∧ lt == 0; guards x1 ≥ Vr + E, @+(state == Open) ∧ x1 ≤ Vr + E, true; updates lt := 0, st := t, settleTime := st): Feature Automaton for feature Settling Time.
For feature Settling Time of Example 1, the FA is shown in
Figure 3. The FA has two timer variables, t for measuring time
along the entire run, and lt for measuring the time spent in each
location of the FA, indicative of delays separating subexpressions in
the feature sequence expression. Each location of the FA represents
the match of some feature sub-expression. qi represents that the
temporal sequence of events and PORVs leading up to (but not
including) the ith sub-expression has been observed. The transi-
tion between qi and qi+1 is guarded by the Boolean expression of
PORVs and events corresponding to the ith sub-expression; the
associated set of assignments to local variables are computed along
this transition. Progressing along transitions between locations of
the automaton corresponds to matching each sub-expression. When
the nth sub-expression matches, the entire sequence expression
has matched and the automaton transitions to state qn+1. At qn+1,
all local variables hold values assigned to them along the match,
and the feature is computed along the unguarded transition from
qn+1 to qF , the accept location of the automaton.
Definition 8. Acceptance of run $\rho$ of $H$ by $M_F$: Run $\rho : \sigma_0 \xmapsto[f_0]{t_0} \sigma_1 \xmapsto[f_1]{t_1} \sigma_2 \xmapsto[f_2]{t_2} \cdots$ of $H$ is accepted by feature automaton $M_F$ for feature $F$ with sequence expression $s_1\ \#\#\ \tau_1\ s_2\ \#\#\ \tau_2\ \ldots\ \#\#\ \tau_{n-1}\ s_n$ iff $\exists\ \sigma_{i_1}, \sigma_{i_2}, \ldots, \sigma_{i_n}$ such that $i_j \le i_{j+1}$, where $\sigma_{i_1} \models s_1$;
• $\sigma_{i_2} \models s_2 \ \wedge\ (lt = \sum_{k=i_1}^{i_2-1} t_k) \in \tau_1$; . . .
• $\sigma_{i_n} \models s_n \ \wedge\ (lt = \sum_{k=i_{n-1}}^{i_n-1} t_k) \in \tau_{n-1}$ □
Theorem 1. Given a feature F in FIA, for HA H, the feature automaton M_F = (Q, Z, X, V, C, E, q_F) for F correctly captures the following feature semantics:
A. If a run ρ of H yields a match M, then the run ρ is accepted by feature automaton M_F with the same valuation as Eval(M, ρ, F).
B. If a run ρ of H is accepted by M_F with valuation γ, then ρ has a match M such that Eval(M, ρ, F) = γ.
Proof. We prove the theorem in two parts as follows:
Part A: Let $\rho : \sigma_0 \xmapsto[f_0]{t_0} \cdots \xmapsto[f_{i_1-1}]{t_{i_1-1}} \sigma_{i_1} \xmapsto[f_{i_1}]{t_{i_1}} \cdots \xmapsto[f_{i_2-1}]{t_{i_2-1}} \sigma_{i_2} \xmapsto[f_{i_2}]{t_{i_2}} \cdots$ be a run of $H$ that matches the sequence expression $S = s_1\ \#\#\ \tau_1\ s_2\ \#\#\ \tau_2\ \ldots\ \#\#\ \tau_{n-1}\ s_n$, with match $M = \langle i_1, \ldots, i_n \rangle$. Let $M_F$ be the feature automaton constructed for feature $F$.
The initial location of $M_F$ is $q_1$. In the prefix $\sigma_0 \xmapsto[f_0]{t_0} \cdots \xmapsto[f_{i_1-1}]{t_{i_1-1}} \sigma_{i_1}$ of $\rho$, $\sigma_{i_1} \models_\rho s_1$ and $G(\mu_1) = s_1$, hence the state $q_2$ is reachable in the feature automaton with state $\sigma_{i_1}$ of $\rho$, with associated assignments to local variables made along the transition. For configuration $\langle q_j, \sigma_{i_j} \rangle$ reachable in $M_F$, $\langle q_{j+1}, \sigma_{i_{j+1}} \rangle$ is reachable for all $1 \le j \le n$. Given that $\langle q_j, \sigma_{i_j} \rangle$ is reachable, $(q_j, \mu_j, q_{j+1})$ is an edge in $M_F$, and $M$ is a match, we have $\sigma_{i_j} \models_\rho s_j$ and $G(\mu_j) \equiv s_j \wedge (t_{i_{j-1}} + \ldots + t_{i_j-1}) \in \tau_j$, so $\langle q_{j+1}, \sigma_{i_j} \rangle$ is reachable, via one or more transitions through pause states. Now, since $\sigma_{i_j} \xmapsto[f_{i_j}]{t_{i_j}} \cdots \xmapsto[f_{i_{j+1}-1}]{t_{i_{j+1}-1}} \sigma_{i_{j+1}}$, configuration $\langle q_{j+1}, \sigma_{i_{j+1}} \rangle$ is also reachable. Inductively, when configuration $\langle q_n, \sigma_{i_n} \rangle$ is reached, $\langle q_{n+1}, \sigma_{i_n} \rangle$ is also reachable. Since $G(\mu_{n+1}) = true$, $\langle q_F, \sigma_{i_n} \rangle$ is reachable. Along each transition, resets corresponding to local variable assignments appropriately update the values of the local variables which form part of the feature automaton state. The feature expression is computed on the transition to location $q_F$.
Part B: The run $\rho$ of $H$ is accepted by $M_F$. Therefore, $\exists\ \sigma_{i_1}, \sigma_{i_2}, \ldots, \sigma_{i_n}$ in $\rho$ such that $i_j \le i_{j+1}$ and $\sigma_{i_1} \models_\rho s_1$, $\sigma_{i_2} \models_\rho s_2 \wedge t_{i_1} + \ldots + t_{i_2-1} \in \tau_1$, and so on ... until, $\sigma_{i_n} \models_\rho s_n \wedge t_{i_{n-1}} + \ldots + t_{i_n-1} \in \tau_{n-1}$. The feature valuation computed over state $\sigma_{i_n}$, on acceptance, is $\gamma$. By Definition 5, $M = \langle i_1, i_2, \ldots, i_n \rangle$ is a match of $F$ with valuation $Eval(M, \rho, F) = \gamma$ in the feature range of Definition 6. □
3.2 Product Automaton Construction
The product construction of the HA H and the FA MF yields a
special type of automaton. In the classical product construction,
non-determinism present in the component automata carries over
to the product. The more traditional product construction, defined
in [13], is conservative and reports unintentional matches, while at
times missing matches that were otherwise intended. It is thus not
complete. In this article a non-standard product is defined that has
clearer semantics for matches than that described in earlier work.
To accomplish this, we introduce the notion of first-match region
semantics.
We explain this with an example. Consider the designer’s in-
tention to specify the pattern, "P1 is true and thereafter P2 is true",
and measure the time delay between the two. This translates to the
sequence-expression “P1,t1:=$time ##[0:$] P2,t2:=$time”,
where P1 and P2 are PORVs over analog signals x and y respec-
tively, and the feature computation is (t2-t1). The truth intervals
of the PORVs are shown as r1, r2, r3, r4 and r5 in Figure 4. With the
semantics of [13], the maximum feature value would be ∆1 (match-
ing points in r1 with points in r5). But the intent is to match points
where P2 is true immediately subsequent to points where P1 is true,
giving a maximum feature value of ∆2. This cannot be captured by
the semantics of [13]. First match region semantics matches r1 only
with r2, giving a maximum feature value of ∆2. Region r4 matches
with r5. Region r3 doesn't contribute to any match.
Figure 4 (truth intervals r1 and r4 of P1 on signal x, and r2, r3 and r5 of P2 on signal y, plotted against time): An illustration of first-match region semantics.
Definition 9. First-match Region Semantics
Given a sequence expression $S = s_1\ \#\#\ \tau_1\ s_2\ \#\#\ \tau_2\ \ldots\ \#\#\ \tau_{n-1}\ s_n$, and $\mathcal{M} = \{\langle 1_1, 1_2, \ldots, 1_n \rangle, \langle 2_1, 2_2, \ldots, 2_n \rangle, \ldots\}$, the set of all matches of $S$ in run $\rho : \sigma_0 \xmapsto[f_0]{t_0} \sigma_1 \xmapsto[f_1]{t_1} \sigma_2 \xmapsto[f_2]{t_2} \cdots$ of the hybrid system $H$, $\langle i_1, i_2, \ldots, i_n \rangle \in \mathcal{M}$ follows first match region semantics iff:
$$\forall_{j=2}^{n}\ \exists \theta_l \in [0, T_{i_j}]\ \exists \theta_r \in [T_{i_j}, \infty)\ \big(\forall_{t < \theta_l}\ \langle i_1, \ldots, k \rangle \text{ is not a match for } S^j_1,\ T_k = t\big) \text{ and } \big(\forall_{\theta_l \le t' \le \theta_r}\ \langle i_1, \ldots, k' \rangle \text{ is a match for } S^j_1,\ T_{k'} = t'\big),$$
where $T_m = \sum_{z=0}^{m-1} t_z$. □
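The r1 to r5 situation of Figure 4, as an added illustration in Python (written for this page, not code from the paper): it evaluates the two-step expression "P1,t1:=$time ##[0:$] P2,t2:=$time" with feature value t2 − t1 under the all-matches semantics of Definition 5 and under the first-match region semantics of Definition 9, on a constructed sampled pair of signals. The time grid, the bounds of the regions r1 to r5 and the thresholds used for P1 and P2 are assumptions of this example.

```python
"""Added example, not code from the paper: all-match versus first-match region
semantics (Definitions 5 and 9) for the two-step feature
P1,t1:=$time ##[0:$] P2,t2:=$time |-> delay = t2 - t1
on a constructed sampled pair of signals shaped like Figure 4.  The time grid,
the bounds of regions r1..r5 and the PORV thresholds are assumptions of this example."""
from typing import List, Tuple

DT = 0.5
TIMES = [k * DT for k in range(21)]        # sample times 0.0 .. 10.0 (T_k of Definition 9)


def _within(t: float, a: float, b: float) -> bool:
    return a <= t <= b


# Constructed piecewise-constant signals: x is high on r1 and r4, y on r2, r3, r5.
def x_signal(t: float) -> float:
    return 1.0 if _within(t, 1.0, 2.0) or _within(t, 6.0, 7.0) else 0.0


def y_signal(t: float) -> float:
    return 1.0 if (_within(t, 2.5, 3.5) or _within(t, 4.5, 5.5)
                   or _within(t, 8.0, 9.0)) else 0.0


P1: List[bool] = [x_signal(t) > 0.5 for t in TIMES]   # PORV over x
P2: List[bool] = [y_signal(t) > 0.5 for t in TIMES]   # PORV over y


def all_matches(p1: List[bool], p2: List[bool]) -> List[Tuple[int, int]]:
    """Definition 5 matches <i1, i2> with i1 <= i2 and delay [0:$]."""
    return [(i1, i2) for i1 in range(len(p1)) if p1[i1]
                     for i2 in range(i1, len(p2)) if p2[i2]]


def first_match_region(p2: List[bool], i1: int) -> range:
    """Indices of the first maximal run of p2-true samples at or after i1: the
    [theta_l, theta_r] window of Definition 9 for this i1 (empty if none)."""
    k = i1
    while k < len(p2) and not p2[k]:
        k += 1
    start = k
    while k < len(p2) and p2[k]:
        k += 1
    return range(start, k)


def first_matches(p1: List[bool], p2: List[bool]) -> List[Tuple[int, int]]:
    """Only the matches that follow first-match region semantics."""
    return [(i1, i2) for i1 in range(len(p1)) if p1[i1]
                     for i2 in first_match_region(p2, i1)]


def max_delay(pairs: List[Tuple[int, int]]) -> float:
    """F_max of the feature t2 - t1 over a set of matches."""
    return max(TIMES[i2] - TIMES[i1] for i1, i2 in pairs)


def delta1() -> float:
    return max_delay(all_matches(P1, P2))     # r1 paired with r5, as under [13]


def delta2() -> float:
    return max_delay(first_matches(P1, P2))   # r1 only with r2, r4 with r5


if __name__ == "__main__":
    print("Delta1 =", delta1(), "Delta2 =", delta2())
```

With these constructed regions the all-matches maximum ∆1 pairs the start of r1 with the end of r5 (8.0 time units), whereas the first-match region maximum ∆2 is 3.0, from r4 paired with r5; no first-match pair ever lands in r3, which is the behaviour the text describes.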
The product definition presented here ensures that only runs
following first match semantics reach the final location inMF . The
exclusion of other runs that would have matched in a traditional
product is intentional, and imposed to accurately embody first
match semantics for feature computation in FIA in the generated
product. Additionally, the FA doesn’t follow the traditional structure
of an observer automaton for verification. These reasons taken
together motivate the need for a non-standard product construction.
We denote the valuation of variables in the state $\sigma$ in a run $\rho$ as $\eta(\sigma)$, and the valuation of the variable $v$ in the state $\sigma$ as $\eta(\sigma[v])$.
Definition 10. Level Sequenced Hybrid Automaton (LSHA) - $M_F \bowtie H$: The product of feature automaton $M_F = (Q_S, Z, X_H, V, C, E, Init_S, q_F)$ and HA $H = (Q_H, X_H, Lab_H, Init_H, Dom_H, Edg_H, Act_H)$ is defined as the HA $H_F = (Q_F, X_F, Lab_F, Init_F, Dom_F, Edg_F, Act_F)$ where,
• $Q_F = Q_H \cup \{q_F\} \cup \{Z \times Q_H\}$;
• $X_F = X_H \cup V \cup C \cup \{level\}$;
• $Lab_F = Lab_H$ is the finite set of synchronization labels;
• $Init_F = Init_H \times Init_S \times \{level == 0\}$;
• $Dom_F(l) = Dom_H(l) \times \mathbb{R}^{|V \cup C| + 1}$ if $l \in Q_H$, and $Dom_F(l) = \mathbb{R}^{|X_F|}$ if $l \in \{Z \times Q_H\} \cup \{q_F\}$;
• $Edg_F \subseteq Q_F \times Lab_F \times \mu_{V(X_F) \times V(X_F)} \times Q_F$ is defined by the following rules, where $l \in Q_H$ and $q_i, q_{i'} \in Q_S \setminus Z$, $\mu_H$ and $\mu_i$ are the transition relations $\mu_H \subseteq V(X_H) \times V(X_H)$ and $\mu_i \subseteq V(Q_H \cup X_H \cup V \cup C) \times V(Q_H \cup X_H \cup V \cup C)$, with $\omega_i$ as defined in Definition 7. The relation $l \models \mu_i$, to be read "$\mu_i$ is applicable in $l$", is true iff $\exists C^i_j \in s_i\ \Upsilon^i_j == l$; and for edge $e = (l, a, \mu_H, l')$, $e \models \mu_i$ iff for $s_i = D_i \wedge E_i$ either $E_i \equiv @-(state == l)$ or $E_i \equiv @+(state == l')$:
$$\frac{l \xhookrightarrow[\mu_H]{a} l'}{l \xhookrightarrow[\mu_H \times \mu_{ID\{V \cup C\}} \times \{(level == 0) \wedge (level' := level)\}]{a} l'} \quad (13.1)$$
Figure 5 (diagram not recoverable from the text; surviving labels: q_H, q_H^f, G(μ_f), G̃(μ_f), "level == f − 1", "At level ≠ f − 1", "At level == f − 1", "μ_f has no events over location labels", q_f → q'_f): Splitting for location l ∈ Q_H when l ⊨ G(μ_i); in and out represent incoming and outgoing transitions of q_H.
$$\frac{l \xhookrightarrow[\mu_H]{a} l' \ \wedge\ q_i \xhookrightarrow[\mu_i]{} q_{i'} \ \wedge\ l \not\models \mu_i}{l \xhookrightarrow[\mu_H \times (\mu_{ID\{level\} \cup V \cup C} \cap \{level == i-1\})]{a} l'} \quad (13.2)$$
$$\frac{q_i \xhookrightarrow[\mu_i]{} q_{i'} \ \wedge\ l \models \mu_i}{l \xhookrightarrow[\mu_{ID_{X_H}} \times \omega_i \times \{(level == i-1) \wedge (level' := i)\}]{} l} \quad (13.3)$$
$$\frac{q_i \xhookrightarrow[\mu_i]{} q_{i,1} \ \wedge\ (l \models \mu_i \vee e \models \mu_i) \ \wedge\ q_{i,1} \in Z}{l \xhookrightarrow[\mu_{ID_{X_H}} \times \omega_i \times \{(level == i-1) \wedge (level' := i)\}]{} (q_{i,1}, l)} \quad (13.4)$$
$$\frac{q_{i,j} \xhookrightarrow[\mu_{i,j}]{} q_{i,j+1} \ \wedge\ q_{i,j}, q_{i,j+1} \in Z}{(q_{i,j}, l) \xhookrightarrow[\mu_{ID_{X_H \cup \{level\}}} \times \omega_{i,j}]{} (q_{i,j+1}, l)} \quad (13.5)$$
$$\frac{q_{i,j} \xhookrightarrow[\mu_{i,j}]{} q_{i'} \ \wedge\ q_{i,j} \in Z \ \wedge\ q_{i'} \notin Z \ \wedge\ e \not\models \mu_i}{(q_{i,j}, l) \xhookrightarrow[\mu_{ID_{X_H \cup \{level\}}} \times \omega_{i,j}]{} l} \quad (13.6)$$
$$\frac{q_{i,j} \xhookrightarrow[\mu_{i,j}]{} q_{i'} \ \wedge\ q_{i,j} \in Z \ \wedge\ q_{i'} \notin Z \ \wedge\ e \models \mu_i}{(q_{i,j}, l) \xhookrightarrow[\mu_{ID_{X_H \cup \{level\}}} \times \omega_{i,j}]{} l'} \quad (13.7)$$
• The function $Act_F$ assigns a set of activities to each location. The expression associated with the flow $flow^F_{l,x} : \mathbb{R}_{\ge 0} \to \mathbb{R}^n$ for each $x \in X_F$ in location $l \in Q_F$ is defined as follows:
$$flow^F_{l,x} = \begin{cases} 0 & \text{for each } x \in X_F \text{ if } l \in Z \times Q_H, \\ 0 & \text{for each } l \in Q_F \text{ if } x \in V, \\ 1 & \text{for each } l \in Q_F \text{ if } x \in C, \\ flow^H_{l,x} & \text{if } l \in Q_H \wedge x \in X_H. \end{cases}$$
In order to enforce first match semantics, for each $q_i \xhookrightarrow[\mu_i]{} q_{i'} \ \wedge\ q_H \models \mu_i$, $q_i, q_{i'} \in Q_S$, $i > 1$, $q_H, q'_H \in Q_H$, at level $i - 1$, $q_H$ is replaced in $Q_F$ according to the transformation in Figure 5. Herein, $q_{H_i}$ is identical to $q_H$ and differs only in the invariant as shown. $\tilde{G}(\mu_i)$ is the closure of the complement of conditions satisfying $s_i$. □
The behaviour asserted by the feature sequence-expression is
built into the product automaton called a level-sequenced hybrid
automaton (LSHA). In the LSHA, the level is a syntactic structure
derived from the sequence-expression. The value of the variable
level indicates how much of the sequence expression has matched.
The variable level is set to i when sub-expression i matches. Transi-
tions from one level to another assign an appropriate value to level
indicative of the subscript of the sub-expression matched, while
also executing assignments to local variables associated with the
match. Initially, when level is 0, corresponding to location q1 of
MF , the automaton waits for a match of s1. When s1 matches, level
is non-deterministically incremented. Due to first-match seman-
tics, a constrained form of non-determinism is applicable when
level > 0. The non-determinism in the control allows computation of a continuum of matches. When the feature has matched (ending with the match of the last sub-sequence), the feature is computed and control moves to the final location of $M_F$.

[Figure 6: LSHA for feature Settle Time. G1 and G2 are transition guards between the locations as in Figure 1. The figure shows locations Closed ($0 \le \tau \le DT$, $\dot{x}_i = A_c x + B_c$), Open ($0 \le \tau \le (1-D)T$, $\dot{x}_i = A_o x + B_o$) and $q_F$ ($\dot{x}_i = 0$); the G1/G2 transitions reset $\tau := 0$, are guarded on level (1, 2, 3) and on $x_1$ relative to $V_r + \epsilon$, record $st := ct$ when level becomes 2, and set $settleT := st$ on entering $q_F$ at level 3.]
The use of variable level in $H_F$ allows us to avoid the typical blow-up that results from the standard product construction used in [13]. Given a HA with N locations and a feature F with K sub-expressions, ignoring pause locations, the product automaton in [13] has N × (K + 1) locations, while the one here has at most N × (1 + 2 × (K − 1)) locations. Note that first-match semantics is not used in [13]. Also, the number of locations in the LSHA here would reduce to N + K + 1 if sub-expressions contain events over location labels, and further to N + 1 if restrictions on monotonicity are lifted. We observe that, although the theoretical worst case bound for the product defined here is worse than that of a traditional product, in practice the use of leveling enables faster analysis of features. For instance, for the Settle Time feature in Example 1, the vanilla product from [13] (where location copies are made for each level, giving 7 locations) takes 1m:30s and twice the memory when analyzed by SpaceEx under equivalent analysis settings, as opposed to 20s with 3 locations when the variable level is used. The LSHA for Settle Time is shown in Figure 6.
3.3 Feature Evaluation
The product automaton is, by construction, a HA. We compute all values of $F_{name}$ reachable in location $q_F$ of $H_F = M_F \bowtie H$. Using reachset computation tools on $H_F$, a projection of the entire reachset $R$ in location $q_F$ on $F_{name}$ gives us an overapproximation of the reachable range of values for $F_{name}$. A reachset computation tool may compute $R$ in various ways. In this article we use the tool SpaceEx. The feature range $[F_{min}, F_{max}]$ is computed as follows:
$$F_{min} = \min_{\sigma \in R} \eta(\sigma[F_{name}]); \qquad F_{max} = \max_{\sigma \in R} \eta(\sigma[F_{name}]);$$
where $\eta(\sigma[F_{name}])$ is the valuation of $F_{name}$ in state $\sigma$.
4 METHOD-2: FEATURE ANALYSIS OF
CORNER CASES
Methodology-1 demonstrates how reachability analysis tools are used to compute estimates on the range of feature values. However, these tools do not show how extremal values can be reached. Additionally, due to over-approximation errors, corners of the feature interval generated by these tools may not be realizable. SMT solvers can generate reachability proofs for a reachable goal state. For a feature, this means that a proof of how feature value $\hat{f}$ is realized is constructed in terms of a concrete trace for which evaluating the feature yields $\hat{f}$. SMT solvers for reals [18] use decision procedures that use overapproximation techniques. The analysis is bounded in the values of SMT variables and in the number of discrete automaton transitions (a hop bound). Hence the outcome is an overapproximation of a bounded reachability question. If realistic and sufficiently large bounds are used, the boundedness is acceptable, since for most realistic systems the domains of variables in the HA model are bounded. To improve confidence in the results obtained, the bounds used must come from knowledge of the design and results must be interpreted in terms of these bounds. Due to overapproximations, the proof of reachability for a goal in SMT could be fictitious; nevertheless it provides insight to build simulations to verify the reported scenario. In practice we find that the overapproximations produced by reachset computation tools like SpaceEx are larger than those produced when using SMT solvers.

[Figure 7: Outline of the Feature Value Search using SMT. The Hybrid Automaton (H) and the Feature (F) pass through the Transformation step (1) and are handed to dReach with dReal as the SMT solver (2); the Feature Value Search loop (3, 4) updates the goal after each answer, Reachable (with a Trace) or Not Reachable, until the Feature Range $[f_{min}, f_{max}]$ and its traces are produced (5).]
It is important to note that application of Methodology 1 in
Section 3 reduces the problem of feature analysis to a reachability
question. The generality of the algorithm allows it to be used with
a variety of reachability analysis tools. SMT solvers, by nature, are
less inclined to perform flow-pipe analysis (which generates an
overapproximation of the state-space) and more inclined towards
finding a single run that satisfies a goal constraint. This therefore becomes a challenge when, using SMT solvers, we want to identify the interval of values a feature can take for the HA. We answer the following questions:
(1) How would a reachability question for computing the feature interval be posed as an SMT solver goal?
(2) Any such goal will only yield a single feature value, and not
a range. How would one then compute the extreme feature
values?
Once the range of feature values is identified using SMT, the
SMT solver can provide a satisfying trace, thereby solving the input
selection problem for analyzing corner cases for features.
A summary of the methodology used to compute the feature
range using SMT is shown in Figure 7. The feature to be analyzed
is expressed in FIA. The HA model along with the feature is taken
through the transformation step (Methodology-1). The tuned model
is an implicit representation of all legal executions of the automaton,
biased toward computing the feature attribute.
The SMT question about feature value f is as follows:
Is there a run of the automaton that results in feature value f?
On the other hand, the Feature Range Analysis must answer the
question:
What is the range of feature attribute values for H?
To bridge this gap, we use a two part reduction described in
Sections 4.1 and 4.2.
4.1 SMT based modelling of the Hybrid
Automaton Dynamics
The HA, along with the various model constraints such as locations, their dynamics and invariants, transitions between locations and transition guards and resets, is modeled as clauses in SMT. We use
the translator dReach [21], which in turn uses SMT solver dReal [18]
for modeling and analyzing hybrid behaviours over reals. dReal
internally maintains the coupling between HA variables during
its computation steps using these constraints. We now discuss the
caveats of the decision outcomes presented by dReach/dReal. dReal
solves the δ -decision problem, to decide if a given formula is false
or δ -true (dually, whether it is true or δ -false). An SMT formula is
δ -true if it remains true under δ -bounded numerical perturbations
to atomic clauses in the formula [18]. For a feature, this means
that a feature goal is reachable under δ -bounded numerical per-
turbations to the goal, and sentences describing the system [21].
Since realistic hybrid systems interact with the physical world, it
is impossible to avoid slight perturbations. Hence, this is a very
useful result as it gives feature values that are reachable under
reasonable choices for δ [18]. The δ-decision problem has been shown to be decidable for first order sentences over bounded reals with arbitrary Type 2 computable functions (real functions that can be approximated numerically, such as polynomials, trigonometric functions, and Lipschitz-continuous ODEs). dReal guarantees the result of unsatisfiability of a goal G over K transitions (hops) with δ perturbations on sentences describing the system.
The model is unrolled in terms of the number of transitions, up to the given bound K. For instance, if our goal were to reach location $q_F$ in the location graph of Figure 6, a minimum of five transitions would be required, resulting from an unrolling of the model six times starting with location Closed, to reach location $q_F$, reachable only when level is 3, as shown below:
⟨Closed, level = 0⟩ → ⟨Closed, level = 1⟩ → ⟨Open, level = 2⟩ → ⟨Closed, level = 2⟩ → ⟨Open, level = 3⟩ → ⟨$q_F$, level = 3⟩
The encoding of a HA as SMT clauses for dReal can be found in Ref. [21].
4.2 Feature Range Exploration
To compute the extremal feature values and their corresponding
traces, search techniques are used to explore the feasible set of
feature values and progressively refine the corners of the feature
range. SMT solvers take a goal statement, and a hop bound as input
and respond indicating whether or not the goal is reachable. The
feature range computed on a hop-bounded SMT-based search is
therefore an under-approximation of what is obtained using an in-
finite trace length. An increase in the bounds can result in a larger
feature range. A low value of the hop bound K can yield a severely
under-approximated feature range (ignoring feature values reach-
able via transition paths longer than K). In Section 5 we discuss a
heuristic for choosing a value for K . Using an appropriately large K
ensures that the computed feature range safely over-approximates
the reachable interval of feature values.
[Figure 8: Using Expand-Bisect to compute the left corner. Starting from pivot $f^*$, expansion steps of $M$, $2M$, $4M$, $8M$ are followed by bisection of the window $W$ into $W/2$, $W/4$, $W/8$, tapering towards the left corner $f_l$; $f_r$ marks the right corner.]
To begin, no feature value F is initially known. If a behaviour
contributing to the feature exists, its feature value will either be
positive (including zero), or negative. Therefore, initially the search
uses goals F < 0 and F ≥ 0 as pivots about which to begin. The
algorithm pushes a pivot as far as possible in each direction to find
the corners of the feature range. However, since it is not known
how far to push the pivot, a combination of exponential expansion
and bisection is used to identify the corners of the feature range.
For pivot value f ∗, a goal that trivially checks if F < f ∗ may re-
turn a feature value very close to f ∗ resulting in repeatedly finding
values of f ∗ that are within close proximity of each other. Therefore
the algorithm explores the feature space in steps of size $2^{i-1} \times M$, where $i$ is the $i$th expansion step. $M$ is a search parameter chosen by the designer. For instance, in the computation of the settling time for a buck regulator, $M = 10^{-6}$, because the feature value is in the order of µs. Expansion tries to find a feature value further than the current pivot $f^*$ by an amount $M$, and pushes the new value further by a recursive call to itself on the new pivot with a step size of $2 \times M$. When no new pivot is found, a bounded interval search ensues to find a feature value within a distance of $M$ from the last known pivot $f^*$. The search refines the interval, tapering
it towards the corner of the feature range. Figure 8 depicts this
strategy, starting at a pivot f ∗ with boxes indicating steps during
the expansion, red circles are new pivots, and red crosses indicate
no feature value found. The bisection search terminates when the
interval containing the feature corner has a width of ϵ (the error
tolerance) or less.
A bounded interval search for the left corner is now described.
For the interval $W = [f_l, f_r]$, the midpoint $mid$ is used as a pivot. The algorithm looks for a feature value, $f^*$, in the leftmost interval $[f_l, mid]$. If found, it proceeds to search the interval $[f_l, f^* - \epsilon]$. The
shrinking of the right interval boundary by ϵ is consistent with the
precision requirements of the algorithm and excludes the already
found feature value f ∗ from the search. If no feature value is found
in [fl ,mid], then the search moves to [mid, fr ]. If a feature value is
found in [mid, fr ], then it forms the basis of a new pivot and the
algorithm is recursively called on the interval [mid, f ∗ − ϵ]. Every
interval search uses the last feature value found as the pivot and
excludes it from future searches. If no new feature value is reachable
about the last pivot, then the last known reachable feature value
and its corresponding trace (returned by the SMT solver as evidence
of a satisfiable instance) are returned. The steps of exploration for
the right corner mirror those for the left corner.
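The Expand-Bisect search described above, written out as an added example (not the authors' implementation): the hop-bounded SMT query is replaced by a constructed oracle over a list of closed intervals of reachable feature values, and the bisection window is taken to be the last expansion step in which no new value was found, as in Figure 8. The right corner is obtained by running the same search on the negated feature space.

```python
# Constructed example of the Expand-Bisect feature range search of Section 4.2.
import math
from typing import List, Optional, Tuple


class IntervalOracle:
    """Stand-in for the hop-bounded SMT query "is there a run with feature value in [lo, hi]?".

    The set of reachable feature values is given directly as closed intervals (constructed;
    a real search would get the answer from dReach/dReal).  Like an SMT solver it returns
    *some* witness, here the largest value in the queried interval, which is the least
    helpful witness for a left-corner search and so exercises both expansion and bisection.
    """

    def __init__(self, reachable: List[Tuple[float, float]]):
        self.reachable = reachable
        self.calls = 0  # number of solver invocations

    def __call__(self, lo: float, hi: float) -> Optional[float]:
        self.calls += 1
        best = None
        for a, b in self.reachable:
            l, h = max(a, lo), min(b, hi)
            if l <= h and (best is None or h > best):
                best = h
        return best


def bisect_left(fl: float, fr: float, best: float, eps: float, query) -> float:
    """Bounded interval search for the left corner inside W = [fl, fr]; `best` is the last
    pivot found (already excluded from W).  Refines until W is at most eps wide."""
    while fr - fl > eps:
        mid = (fl + fr) / 2
        f = query(fl, mid)            # try the left half first
        if f is not None:
            best, fr = f, f - eps     # exclude the value just found
            continue
        f = query(mid, fr)            # nothing on the left: try the right half
        if f is None:
            break                     # no new value near the pivot: corner found
        best, fl, fr = f, mid, f - eps
    return best


def expand_left(pivot: float, step: float, eps: float, query) -> float:
    """Push the pivot left with goals F < pivot - step for step = M, 2M, 4M, ..., then bisect
    the last window in which no smaller value was found."""
    while True:
        f = query(-math.inf, pivot - step)
        if f is None:
            break
        pivot, step = f, 2 * step
    return bisect_left(pivot - step, pivot - eps, pivot, eps, query)


def feature_range(query, M: float, eps: float) -> Optional[Tuple[float, float]]:
    """Return (f_min, f_max), or None when no behaviour contributes to the feature."""
    pivot = query(0.0, math.inf)      # initial goals F >= 0 and F < 0
    if pivot is None:
        pivot = query(-math.inf, 0.0)
    if pivot is None:
        return None
    f_min = expand_left(pivot, M, eps, query)

    # The right corner mirrors the left one: search the negated feature space.
    def mirrored(lo: float, hi: float) -> Optional[float]:
        f = query(-hi, -lo)
        return None if f is None else -f

    f_max = -expand_left(-pivot, M, eps, mirrored)
    return f_min, f_max


if __name__ == "__main__":
    # Settle time of a buck regulator: values in the order of microseconds, so M = 1e-6.
    oracle = IntervalOracle([(94.17e-6, 124.167e-6)])  # constructed reachable set
    print(feature_range(oracle, M=1e-6, eps=1e-8), "solver calls:", oracle.calls)
```

Every value returned is one the oracle actually reported reachable, so the computed corners are never outside the true range and lie within 2ϵ of it.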
Testing if a feature value $f^*$ is reachable involves invoking the SMT solver to answer the question specified as the goal G in the context of the model $H_F$. A 'YES' answer of the solver returns a trace, ensuring that the dynamics, invariants and guard conditions of $H_F$ are not violated. A 'NO' answer returns an EMPTY, indicating that no behaviour of $H_F$ yields a feature value specified in G.
If an interval for the feature is known, via a primary reachability analysis using a coarse overapproximation in a tool like SpaceEx, then the bounded bisection algorithm can be applied to search for the feature corners within the known estimate of the feature range.

[Figure 9: Temperature Control of an Atomic Reactor. Locations NoRods, Rod1 and Rod2 (invariant $T_{min} \le x \le T_{max}$) and Meltdown (invariant $T_{min} \le x$), with $\dot{x} = 0.1 \times x - R_0$ in NoRods and Meltdown, $\dot{x} = 0.1 \times x - R_1$ in Rod1, $\dot{x} = 0.1 \times x - R_2$ in Rod2, and $\dot{c}_1 = \dot{c}_2 = 1$ everywhere; constants $R_0 = 500$, $R_1 = 540$, $R_2 = 590$. Rod insertion guards: $x == 550 \wedge c_1 \ge 20$ (Rod1) and $x == 590 \wedge c_2 \ge 20$ (Rod2); removal at $x == 540$ resets $c_1' := 0$ or $c_2' := 0$; Meltdown is entered on $x > 550 \wedge c_1 < 20 \wedge c_2 < 20$ or $x > 590 \wedge c_2 < 20$.]
5 CASE STUDIES AND EXPERIMENTAL
RESULTS
This section discusses the various models we have used in our
analysis, and data from our results, comparing the feature analysis
of HA using the reachability analysis tool SpaceEx versus using the
SMT tool dReach.
We compare the results of analyzing the following models and
features:
(1) Battery Charger [13]: Time for the battery to charge to its rated voltage; Time for the battery to restore charge while in its maintenance mode.
(2) Buck Regulator [24]: Time for the output of the Buck regulator to settle; Peak voltage overshoot of the voltage response curve for the regulator.
(3) Nuclear Reactor Temperature Control [6]: Unsafe Operating Temperature of the reactor.
(4) Adaptive Cruise Control [3]: Time to capture cruise speed from a specific velocity; Time to capture cruise speed while in any velocity within a range of velocities.
Here, we pay special attention to the condition of meltdown
for an atomic reactor cooling strategy. The temperature control
strategy for a nuclear reactor [6] is designed to insert a cooling rod
into the reactor with the aim of maintaining the temperature of the
reactor below the threshold for meltdown and above the threshold
for sustaining the nuclear reaction. Mechanical constraints prevent both rods from being inserted simultaneously, and require each rod to be given a resting period of 20 time units before re-insertion.
An adaptation of the HA of [6] is shown in Figure 9. The feature
for analyzing the condition of meltdown is expressed as follows:
Example 2. Unsafe Operating Temperature: Reactor temperatures
that if reached can lead to reactor meltdown.
feature unsafe();
begin
var temp;
(c1<=20 && c2<=20 && x>=550), temp = x
##[0:$] (c2<=20 && x>=590) |-> unsafe = temp;
end
The condition of meltdown occurs when the reactor temperature, $x$, rises above the safe threshold, $T_{safe}$. The reactor can be in a state in which $x < T_{safe}$, but has crossed a point-of-no-return, i.e. neither control rod can be inserted, inevitably leading to a state of reactor meltdown. A safety property that checks for the safe operation of the reactor, with a traditional model checking approach, would only yield one of the many possible failures. However, it is of greater interest to identify the minimum temperature at which such a failure can occur. Knowledge of this corner enables a designer to design a suitable strategy for managing the rods. A feature analysis, unlike traditional model checking, yields these corner cases. Furthermore, for such a feature where only boundary events characterizing a failure are known, the second technology proposed (feature analysis with SMT) can provide the precise event sequence that yields a feature match, thereby filling the gap specified in the ##[0:$] construct. Figure 10 shows a corner case obtained using the methodology of Section 4, in which the red vertical line marks a point-of-no-return. Observe that from this point $x$ rises, passing through safe temperatures and beyond into the unsafe region of meltdown. In this scenario, both rod-timers are below their thresholds, preventing their insertion.

[Figure 10: Unsafe Operation of a dual rod temperature control in an atomic reactor: an extreme value trace.]
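As an added illustration (not code from the paper or its tool), the following Python evaluates the feature of Example 2 over a constructed sampled trace, reading the level mechanism of Section 3 operationally: at level 0 every sample that satisfies the first sub-expression starts a match, and at higher levels each subsequent sub-expression is taken at its first match inside its ##[lo:hi] window. The trace, the one-sample-per-time-unit discretisation, and this reading of first-match semantics are assumptions of the example.

```python
# Constructed example: evaluating the feature `unsafe` of Example 2 over a sampled trace.
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, float]
Pred = Callable[[State], bool]
Action = Callable[[Dict[str, float], State], None]

# A sub-expression is a predicate plus the local-variable assignment made on its match;
# the delay before sub-expression i+1 is a ##[lo:hi] window in samples (hi=None means $).
SubExpr = Tuple[Pred, Action]
Window = Tuple[int, Optional[int]]


def feature_values(trace: List[State], subexprs: List[SubExpr], windows: List[Window],
                   result: Callable[[Dict[str, float]], float]) -> List[float]:
    """Return the feature value of every match of the sequence-expression over `trace`.

    Level 0 is non-deterministic: every sample satisfying s_1 starts a match.  For level > 0
    first-match semantics applies: s_{i+1} is taken at the first sample inside its delay
    window where it holds (assumption: this is how the paper's first-match rule is read here).
    """
    values = []
    for start, st in enumerate(trace):
        pred, act = subexprs[0]
        if not pred(st):
            continue
        env: Dict[str, float] = {}
        act(env, st)
        pos, level = start, 1  # level == i once sub-expression i has matched
        while level < len(subexprs):
            lo, hi = windows[level - 1]
            last = len(trace) - 1 if hi is None else min(len(trace) - 1, pos + hi)
            pred, act = subexprs[level]
            nxt = next((k for k in range(pos + lo, last + 1) if pred(trace[k])), None)
            if nxt is None:
                break  # this start point never completes the sequence
            act(env, trace[nxt])
            pos, level = nxt, level + 1
        if level == len(subexprs):
            values.append(result(env))
    return values


# Example 2 encoded from its FIA text:
#   (c1<=20 && c2<=20 && x>=550), temp = x  ##[0:$]  (c2<=20 && x>=590) |-> unsafe = temp
UNSAFE_SUBEXPRS: List[SubExpr] = [
    (lambda s: s["c1"] <= 20 and s["c2"] <= 20 and s["x"] >= 550,
     lambda env, s: env.__setitem__("temp", s["x"])),
    (lambda s: s["c2"] <= 20 and s["x"] >= 590,
     lambda env, s: None),
]
UNSAFE_WINDOWS: List[Window] = [(0, None)]


def unsafe_range(trace: List[State]) -> Optional[Tuple[float, float]]:
    """Feature range [min, max] of `unsafe` over the trace, or None if it never matches."""
    vals = feature_values(trace, UNSAFE_SUBEXPRS, UNSAFE_WINDOWS, lambda env: env["temp"])
    return (min(vals), max(vals)) if vals else None


def reactor_trace() -> List[State]:
    """Constructed sample trace (one sample per time unit), not a simulation of Figure 9:
    rod 1 has just been removed (c1 reset at x == 540), rod 2 is still resting, and x keeps
    rising through 550 and 590 while both rod timers stay at or below 20."""
    trace = []
    for k, x in enumerate(range(540, 605, 5)):  # x = 540, 545, ..., 600
        trace.append({"t": float(k), "x": float(x), "c1": float(k), "c2": float(8 + k)})
    return trace


if __name__ == "__main__":
    print(unsafe_range(reactor_trace()))  # every start point from x=550 up to x=600 matches
```

On the constructed trace each sample from x = 550 onwards starts a match that completes at the first sample with x ≥ 590, so the feature range is [550, 600]; truncating the trace before x reaches 590 yields no match at all.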
Note that in Examples 1 and 2, both features used a single local
variable, but were able to express very interesting behaviours. How-
ever, in general more local variables may be required to express
complex quantities over more intricate behaviours [4].
A feature based formal analysis was performed on the models
and features outlined, the results of which are described in Table 1.
Table 2 compares the results of using various SpaceEx analysis
parameters for analyzing the Overshoot feature of a 7V Buck
Regulator. We demonstrate the analysis of both strategies for feature analysis on four systems that cover both the AMS domain and the control domain. Both strategies have been implemented in a unified tool-flow. The tool is run on an Intel(R) Core(TM) 2 Duo CPU T6400 having two cores, each running at 2.00 GHz with 4 GB of DDR2 RAM.
For each system, the HA model and the features described are
inputs to the tool. The tool then computes the LSHA for feature
analysis. The feature range is then computed using the reachability
tool SpaceEx (with the STC scenario and 8 template directions,
octagons), and the SMT-based search using Methodology-2.
In Table 1, the size of the transformed automata in terms of the number of locations (in set $Q_F$) and number of variables (in set $X_F$) are also shown. The column titled Algorithm indicates how the feature range was computed, with "Reach" indicating the use of Methodology-1 with SpaceEx as the compute engine, and "SMT" indicating the use of Methodology-2 to refine the range computed using the former. For each feature both corners of the feature range are reported along with the time taken to compute the range for each methodology. Both SpaceEx and the SMT analysis are bounded by introducing a global clock with an upper bound on time. The global clock is a variable that is part of the state of the LSHA. In SpaceEx, with the STC scenario, given the way SpaceEx does fixed-point computation, this variable must be bounded to achieve termination. Note that the need for the bound comes from the tool used and is not a limitation of this methodology. For the SMT analysis, in addition to a bound on the variables, we use a transition hop bound (K) of 15 transitions for all test cases except for the Buck Regulator, for which a bound of 50 transitions was used. In practice K is incrementally increased until we are satisfied with the result. We use knowledge of the diameter of the LSHA graph and the number of subexpressions in the feature sequence expression to decide on a value for K. We reiterate that K is a bound on the discrete transitions of the HA. Within a location a large number of clauses may be generated for the evolution of the HA's continuous variables. It is important to note that the SpaceEx tool computes the feature range in one sweep of the reach set; however, multiple iterations of the SMT tool (between 15 and 20 in our experiments) are involved in computing the feature range using "SMT". Additionally, for the feature computing the Unsafe Operation Temperature, the feature ranges produced by SpaceEx and the SMT tool show errors of 0.1. We attribute this to the precision of representation for floating-point numbers used by the tools. Note that for the feature "Settle Time" of the Buck Regulator, the methodology using SMT exceeds memory bounds on our systems.

Table 1: Results for Formal Feature analysis

Feature Name                          | Size of set QF | XF | Algorithm | CPU-Time (mins : secs) | Feature Range Min | Max
Test Case: Battery Charger
Charge Time                           | 9  | 7 | Reach | 0m : 10s     | 1hr 49min   | 3hr 15min
                                      |    |   | SMT   | 0m : 20s     | 2hr 15min   | 2hr 31min
Restoration Time                      | 9  | 7 | Reach | 0m : 19s     | 10min 12sec | 48min 58sec
                                      |    |   | SMT   | 0m : 15s     | 16min 40sec | 18min 30sec
Test Case: Cruise Control Model
Speed Capture Precise (k=40)          | 10 | 8 | Reach | 0m : 18.4s   | 37.23 sec   | 48.43 sec
                                      |    |   | SMT   | 1m : 15.2s   | 41.18 sec   | 43.68 sec
Speed Capture Range (k1=20, k2=40)    | 10 | 8 | Reach | 0m : 38.92s  | 33 sec      | 48.43 sec
                                      |    |   | SMT   | 0m : 24.56s  | 37.3 sec    | 40.4 sec
Test Case: Nuclear Reactor Control
Unsafe Operation Temperature          | 8  | 6 | Reach | 0m : 7s      | 549.9°      | 599.9°
                                      |    |   | SMT   | 0m : 52s     | 550°        | 600°
Test Case: 5V Buck Regulator
Settle Time                           | 4  | 7 | Reach | 0m : 16s     | 94.17 µs    | 124.167 µs
                                      |    |   | SMT   | Out of Memory
Overshoot                             | 4  | 7 | Reach | 0m : 03s     | 5V          | 6.138V
                                      |    |   | SMT   | 69m : 45s    | 5V          | 5.14V

Table 2: SpaceEx analysis of Overshoot: 7V Buck Regulator

No. of Template Directions | Flow-pipe Tolerance | SpaceEx Algorithm | Iterations Taken | CPU-Time (mins : secs) | Feature Range Min | Max
4 | 1    | STC | 37 | 0.216999 | 1.76V | 12.65V
4 | 1    | LGG | 11 | 0.234999 | 4.41V | 9.96V
4 | 0.1  | STC | 36 | 0.212999 | 5.14V | 12.11V
4 | 0.1  | LGG | 55 | 0.620999 | 6.63V | 9.90V
4 | 0.01 | STC | 60 | 0.517999 | 6.78V | 9.12V
4 | 0.01 | LGG | 57 | 0.814999 | 6.91V | 9.0V
8 | 1    | STC | 85 | 4.52299  | 2.00V | 12.04V
8 | 1    | LGG | 11 | 1.51699  | 4.41V | 9.32V
8 | 0.1  | STC | 28 | 0.65899  | 5.17V | 12.06V
8 | 0.1  | LGG | 55 | 2.74399  | 6.63V | 9.19V
8 | 0.01 | STC | 72 | 3.76499  | 6.82V | 9.08V
8 | 0.01 | LGG | 57 | 4.77099  | 6.92V | 9.0V
We attribute this to the fact that the Buck Regulator frequently
switches between locations of the automaton, with more than 50
transitions made within a very short span of time (time from the
perspective of the Buck Regulator). The solver takes an inordinate
amount of time to compute this. Due to the large number of tran-
sitions taken, the number of SMT clauses generated becomes too
large for the solver to handle and leads to the solver running out
of memory. We conclude that for systems having a high switching
frequency, SpaceEx can be used with a resolution smaller than $10^{-6}$,
for which it takes in the order of a few seconds to a few minutes to
compute the feature range (depending on the chosen resolution).
For the models used here, it is shown that the feature range
produced by the SMT solver is typically tighter than that obtained
using SpaceEx. Both methodologies were employed using similar
error tolerances. Note that the methodology using the SMT solver
requires more CPU resources as indicated by a higher value in the
column for CPU-Time. The feature transformation methodology
itself scales well with reachability tools and SMT. The time for
analysis is dependent on the tools used. The tool SpaceEx has
been used extensively for the analysis of HA and scales well for
the models on which we have demonstrated the feature analysis
approach. In benchmarks, SpaceEx has been shown to be capable of handling systems with more than 100 variables [17]. The time and
memory to compute a feature range grows exponentially with an
increase in the hop bound when using SMT, and is attributed to a
growth in the number of SMT clauses for larger hop bounds.
6 CONCLUSION
Features help capture the designer’s intent to quantify how the
system behaves. A feature defines a real-valued evaluation function
over a specific set of traces. By design they are more flexible than
assertions (such as in STL) for specifying quantitative measures,
at the cost of being more rigid in their expression of sets of traces
(restricted to sequences of predicates and events).
This article aims to assist designers in generating better designs,
by automating the task of feature analysis and providing useful
feedback of corner case behaviours using SMT. Features are au-
tomatically transformed into feature automata that are composed
with the model and the composition is analyzed by off-the-shelf
reachability solvers. The improved first-match semantics employed
for features in this article more directly reflects the intent of design-
ers and is incorporated into a new product automaton construction.
Although the worst case bounds for the proposed product construc-
tion (using leveling) are worse than those of a more traditional
product, in practice we see a 4x speedup and half the memory uti-
lization during feature analysis with reachability solvers. We also
provide an algorithm for computing ranges of feature values that
uses SMT, which in practice produces tighter feature ranges. In
some cases, typically associated with models having fewer location
switches, the SMT-based algorithm also yields results faster or in
time comparable to SpaceEx. The present work assumes piecewise
monotonic and piecewise affine dynamics to accommodate existing
tools. These assumptions can be lifted as tools mature to support
urgent semantics and more complex dynamics. Efforts for such
extensions [? ] are underway.
REFERENCES
[1] 2010. 1850-2010 - IEEE Standard for Property Specification Language (PSL). (2010). https://standards.ieee.org/findstds/standard/1850-2010.html
[2] 2012. 1800-2012 - IEEE Standard for SystemVerilog–Unified Hardware Design, Specification, and Verification Language. (2012). http://standards.ieee.org/findstds/standard/1800-2012.html
[3] Erika Abraham. 2015. Benchmarks of Continuous and Hybrid Systems. (2015). http://ths.rwth-aachen.de/research/projects/hypro/benchmarks-of-continuous-and-hybrid-systems/
[4] A. Ain et al. 2016. Feature Indented Assertions for Analog and Mixed-Signal Validation. IEEE TCAD 35, 11 (Nov 2016), 1928–1941.
[5] R. Alur et al. 1995. The algorithmic analysis of hybrid systems. Theoretical Computer Science 138 (1995), 3–34.
[6] Rajeev Alur, Thomas A. Henzinger, and Pei-Hsin Ho. 1996. Automatic Symbolic Verification of Embedded Systems. 22 (04 1996), 181–201.
[7] Yashwanth Annapureddy et al. 2011. S-taliro: A Tool for Temporal Logic Falsification for Hybrid Systems. In Proc. of TACAS (TACAS'11/ETAPS'11). 254–257.
[8] Eugene Asarin et al. 2007. Hybridization Methods for the Analysis of Nonlinear Systems. Acta Inf. 43 (7) (Jan. 2007), 451–476.
[9] A. Chutinan and B. Krogh. 2003. Computational Techniques for Hybrid System Verification. IEEE TAC 48 (2003), 64–75.
[10] Antonio A. Bruto da Costa and Pallab Dasgupta. 2015. Formal Interpretation of Assertion-Based Features on AMS Designs. IEEE Design & Test 32, 1 (2015), 9–17.
[11] Antonio A. Bruto da Costa and Pallab Dasgupta. 2017. ForFET: A Formal Feature Evaluation Tool for Hybrid Systems. In Proc. of ATVA. 437–445.
[12] Antonio A. Bruto da Costa and Pallab Dasgupta. 2017. Generating AMS Behavioral Models with Formal Guarantees on Feature Accuracy. In Proc. of VLSID.
[13] Antonio A. Bruto da Costa, Pallab Dasgupta, and Goran Frehse. 2016. Formal Feature Analysis of Hybrid Automata. In Proc. of MEMOCODE.
[14] Thao Dang et al. 2004. Verification of Analog and Mixed-Signal Circuits Using Hybrid System Techniques. In Proc. of FMCAD. LNCS, Vol. 3312. 21–36.
[15] Alexandre Donzé. 2010. Breach, a Toolbox for Verification and Parameter Synthesis of Hybrid Systems. In Proc. of CAV (CAV'10). 167–170.
[16] Alexandre Donzé and Oded Maler. 2010. Robust Satisfaction of Temporal Logic over Real-valued Signals. In Proc. of FORMATS (FORMATS'10). 92–106.
[17] Goran Frehse et al. 2011. SpaceEx: Scalable Verification of Hybrid Systems. In Proc. of CAV.
[18] Sicun Gao et al. 2013. dReal: An SMT Solver for Nonlinear Theories over the Reals. In Automated Deduction - CADE-24. 208–214.
[19] Susmit Jha et al. 2017. TeLEx: Passive STL Learning Using Only Positive Examples. In Proc. of Runtime Verification 2017. 208–224.
[20] Susmit Jha et al. 2018. Safe Autonomy Under Perception Uncertainty Using Chance-Constrained Temporal Logic. J. Autom. Reason. 60, 1 (Jan. 2018), 43–62.
[21] Soonho Kong et al. 2015. dReach: δ-Reachability Analysis for Hybrid Systems. In TACAS. 200–205. https://doi.org/10.1007/978-3-662-46681-0_15
[22] Oded Maler and Dejan Nickovic. 2004. Monitoring temporal properties of continuous signals. In Proc. of FORMATS-FTRTFT, Vol. 3253. 152–166.
[23] S. Mukherjee and P. Dasgupta. 2009. Incorporating Local Variables in Mixed-Signal Assertions. In IEEE Int. Conf. TENCON.
[24] Luan Viet Nguyen and Taylor T Johnson. 2015. Benchmark: DC-to-DC Switched-Mode Power Converters. In ARCH14-15, Vol. 34. 19–24.
[25] Joël Ouaknine and James Worrell. [n. d.]. Some Recent Results in Metric Temporal Logic. In Proc. of FORMATS (FORMATS '08). 1–13.
[26] Hendrik Roehm et al. 2016. STL Model Checking of Continuous and Hybrid Systems. In Proc. of ATVA 2016. 412–427.
[27] Sebastian Steinhorst and Lars Hedrich. 2008. Model Checking of Analog Systems Using an Analog Specification Language. In Proc. of DATE. 324–329.
