Translating Discrete-Time Simulink to Lustre
- In: Third International ACM Conference on Embedded Software, Lecture Notes in Computer Science, 2003
Cited by 24 (7 self)
We present a method of translating discrete-time Simulink models to Lustre programs. Our method consists of three steps: type inference, clock inference and hierarchical bottom-up translation. In the process, we formalize the typing and timing mechanisms of Simulink. The method has been implemented in a prototype tool called S2L. The tool has been used to translate part of an industrial automotive controller provided by Audi.
Invisible Formal Methods for Embedded Control Systems
- Proceedings of the IEEE, 2003
Cited by 14 (4 self)
Embedded control systems typically comprise continuous control laws combined with discrete mode logic. These systems are modeled using a hybrid automaton formalism, which is obtained by combining the discrete transition system formalism with continuous dynamical systems. This paper develops automated analysis techniques for asserting correctness of hybrid system designs. Our approach is based on symbolic representation of the state space of the system using mathematical formulas in an appropriate logic. Such formulas are manipulated using symbolic theorem proving techniques.
Semantic translation of Simulink/Stateflow models to hybrid automata using graph transformations
- International Workshop on Graph Transformation and Visual Modeling Techniques, 2004
Cited by 11 (3 self)
Embedded systems are often modeled using Matlab's Simulink and Stateflow (MSS) to simulate plant and controller behavior, but these models lack support for formal verification. On the other hand, verification techniques and tools do exist for models based on the notion of Hybrid Automata (HA), but there are no tools that can convert Simulink/Stateflow models into their semantically equivalent Hybrid Automata models. This paper describes a translation algorithm that converts a well-defined subset of the MSS modeling language into equivalent hybrid automata. The translation has been specified and implemented using a metamodel-based graph transformation tool. The translation process allows semantic interoperability between the industry-standard MSS tools and the new verification tools developed in the research community.
Control law diagrams in Circus
- In FM'05, 2005
Cited by 7 (2 self)
Control diagrams are routinely used by engineers in the design of control systems. Yet, currently the formal verification of programs that implement the diagrams is a challenge. We present a strategy to translate block diagrams to Circus, a notation that combines Z, CSP, and a refinement calculus. This work is based on existing tools that produce Z and CSP specifications from discrete-time block diagrams. By using a combined notation, we provide a specification that considers both functional and behavioural aspects of the diagrams, and can cover a wider range of blocks. Moreover, the Circus refinement calculus can be used to derive or verify implementations, and reason about the block diagrams.
Symbolic Analysis for Improving Simulation Coverage of Simulink/Stateflow Models
Cited by 6 (1 self)
Aimed at verifying safety properties and improving simulation coverage for hybrid systems models of embedded control software, we propose a technique that combines numerical simulation and symbolic methods for computing state-sets. We consider systems with linear dynamics described in the commercial modeling tool Simulink/Stateflow. Given an initial state x, and a discrete-time simulation trajectory, our method computes a set of initial states that are guaranteed to be equivalent to x, where two initial states are considered to be equivalent if the resulting simulation trajectories contain the same discrete components at each step of the simulation. We illustrate the benefits of our method on two case studies. One case study is a benchmark proposed in the literature for hybrid systems verification and another is a Simulink demo model from Mathworks.
Mode-automata in Simulink/Stateflow
- 2006
Cited by 3 (3 self)
This paper presents an application of the mode-automata based design method to Stateflow/Simulink. The observation we make is twofold. First, we realized that mode-automata, being one of the most convincing propositions made recently to separate control from signal processing, is only starting to be applied to industrial tools. Second, although the separation of control and signal processing is somehow effective in Stateflow/Simulink, the lack of a formal definition does not lead to a valuable interpretation. The goal of the work presented in this paper is to make these two approaches converge. We introduce a formalisation of Stateflow/Simulink where the language has been reduced so as to fit the mode-automata approach and thus restrict the expressive power of Stateflow in a way still suitable for real-life applications. We then illustrate the approach with a small application in digital hydraulics controller development.
Simulink Design Verifier vs. SPIN – a Comparative Case Study
Cited by 1 (0 self)
An increasing number of industrial-strength software design tools come along with verification tools that offer some property checking capabilities. On the other hand, there is a large number of general purpose model checking tools available. The question whether users of the industrial-strength design tool should preferably use the built-in state space exploration tool or a general purpose model checking tool arises quite naturally. Using the case study of an AUTOSAR compliant memory management module, we compare the Simulink Design Verifier and the SPIN model checking tool in terms of their suitability to verify important correctness properties of this module. The comparison is both functional, in that it analyzes the suitability to verify a set of basic system properties, and quantitative, in comparing the computational efficiency of both tools.
Formal Definition of a Mode-Automata Like Architecture in Simulink/Stateflow
- 2007
As embedded control systems are becoming more complex, there is a need for new software development and structuring techniques. The combination Simulink/Stateflow has become a popular tool for model-based design of this type of hybrid system, due to the simulation and analysis tools available. To enable design and validation of large complex systems in Simulink/Stateflow, an appropriate model architecture is needed. Mode-automata is such an architecture, where control is strictly separated from signal processing. In this paper we give a formal definition of mode-automata in Simulink/Stateflow. This gives a precise definition of an architecture that restricts Simulink/Stateflow to a safe and easy to use subset that is easy to verify, but still usable in practice. We propose syntactic rules to check that a given Simulink/Stateflow model complies with our mode-automata architecture, and we illustrate the approach with a controller for a digital hydraulics system.
Formal Analysis for Stateflow Diagrams
Stateflow has been widely used in industry to specify and simulate control systems. Unfortunately, the lack of formal descriptions of Stateflow and its limited verification capability become an obstacle to handling complex systems working in safety-critical environments. In this paper, we apply a novel model checker named PAT to improve the reliability of Stateflow. We rigorously model the execution semantics of Stateflow in PAT's expressive specification language. PAT's simulation ability provides a means to validate our formal definitions of Stateflow. During the formalization procedure, we have discovered and corrected subtle flaws of Stateflow. Based on the PAT models of Stateflow, we can use PAT's automatic reasoning power to verify complex systems against important requirements such as safety and liveness requirements.
Keywords: Formal Methods, Model Checking, Stateflow
Modeling, Verification and Testing using Timed and Hybrid Automata