Automated Verification of Switched Systems Using Hybrid Identification

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10107)

Abstract

Verification of switched systems has to include the continuous trajectories as well as the discrete states of the system. For strongly interconnected systems with mutual dependencies it is not sufficient to verify the two system parts individually. It is necessary to examine the combined behaviour in such a setting. The approach presented in this paper is based on the well known concept of using system identification methods for verification which is extended to switched systems. The authors introduce the idea to tackle the verification of complex mechatronical systems as hybrid identification problem. Therefore the specification is given by the user in terms of the parameters of linear dynamic systems and a superimposed state machine. The implemented system under test can be transformed into the same representation using input/output measurement data and a recently developed hybrid identification procedure. Finally it is possible to compare the two representations automatically and calculate a formal statement about the consistency between specification and implementation.

Keywords

Test automation · Hybrid identification · Switched systems

1 Introduction

Testing is still a time and resources consuming activity based on the expert knowledge of the responsible engineer [22, 32]. While this was a feasible solution in the past, the growing complexity of current and future systems renders the manual approach impossible. Especially the combination of discrete and continuous system parts to systems showing hybrid behaviour leads to verification questions that are not solved today [28, 32]. Even though there is no satisfying solution available, the problem is present in the everyday engineering practice.

The unsolved verification¹ question is given as follows: Is the behaviour of a given System under Test (SUT) - composed of a time continuous plant and its controller - consistent with the given specification? Does this consistency hold for all possible excitation signals and during all discrete states of the resulting hybrid system?

One possible solution is to tackle the controller and the plant individually. Focusing on the discrete verification problem of the embedded controller, there are several automatic verification methods available [10, 30]. Those methods are concerned with properties of the controller code (e.g. semantic correctness or determination of loops) [7, 12, 13] or runtime errors (e.g. overflow, divide by zero, out of bounds array access and others) [18, 27]. Some of these properties can be determined automatically using theorem prover or model checker [32].

As the behaviour of the overall system is given by the controller and the plant, focusing on the discrete part is not enough. There are systematic approaches for the verification of hybrid systems based on the so called “state space exploration” principle or “reachability analysis” [3, 4, 9, 12, 13]. A sound review of current state of the art reachability analysis tools is given in [28]. The basic idea is to discretize the regarded space and run simulations using different combinations of the values until a given coverage criterion is fulfilled [12]. To constrain the number of necessary simulations, equivalence classes can be formed [2, 8, 12, 31]. Equivalence classes combine input values that lead to the same result; the correct behaviour of one representative is thereby used to reason about the correct behaviour of the whole equivalence class. Another possibility is to use additional knowledge about the system or the user of the system to extract excitation signals that are very likely to occur during operation (statistical testing, scenario testing) [13, 19].

When regarding continuous subsystems the discretization has to be very fine over the whole signal range thus prohibiting the use of equivalence classes and increasing the necessary computation time [6, 12]. This is due to the fact that it is not sufficient to check one specific, time constant value of an equivalence class any more. The whole continuous dynamic trajectory has to be taken into account to allow a profound verification [6]. Signal based features like maximum values or static tolerances can be verified using temporal logics as shown in [22].

Other hybrid verification approaches use Simulink models to verify the combined behaviour of controllers and their respective plants [23, 24, 25]. The excitation signals are thereby derived using meta-heuristic search algorithms based on random search, adaptive random search, hill climbing or simulated annealing. The resulting output signals are then analysed with respect to specified signal properties.

A wide range of different methods and theories for hybrid verification was developed in [1]. This paper’s approach to solve the problem is based on the well known concept of using system identification methods for verification as given in [21] which is extended to hybrid systems using the idea presented in [14].

In the engineering society diagnosis methods are used to monitor the correctness of running applications [11, 17]. This is often done using “analytical redundancy” meaning that the real values of a process are compared to the expected values of the process [29]. The needed expected values are calculated using a model of the process and the measured input data.

The concept of analytical redundancy is transferred from monitoring to verification in this paper. The redundancy is thereby achieved by the identification of the dynamical system parameters from input/output data. This is possible because the generating system parameters describe the system behaviour exhaustively. The idea presented in this paper is to use the control engineering notation of hybrid systems and a recently developed hybrid identification procedure to verify complex hybrid systems. The continuous part of the hybrid system is thereby used to describe the system dynamics of the controlled plant. Note that the dynamics of the controlled plant are different from the genuine dynamics of the plant. This is due to the fact that the goal of the controller is to influence - and thus change - the genuine plant dynamics in a desired way. Furthermore note that it is hence not necessary to know or model the genuine dynamics of the plant. The discrete part of the hybrid system is predominantly used to describe the behaviour of the controller. Nevertheless the plant might contain switches in its continuous dynamics that are also modelled in the discrete part.

The necessary specification parameters have to be given directly by the user. The resulting parametrized system description can be used to reason about the consistency between specification and implementation. One advantage of this identification based method is the independence from specific input signals. This is due to the fact that different input/output pairs lead to the same parameters if they were generated using the same system dynamics.

The proposed method is introduced as follows: In Sect. 2 a formal specification consisting of a state machine and respective dynamical systems for each state is defined. Afterwards a method for the identification of data - measured using the SUT - is presented in Sect. 3. The identification can be interpreted as transformation of the SUT in a formal description. After the identification, the specification and the SUT are given in the same form. The automatic comparison is outlined in Sect. 4.

2 Formal Specification

Industrial specifications are often given in natural language or as a table containing a collection of more or less formal requirements [20]. Such a form is not suitable as basis for an automated verification algorithm. To allow the usage of automated methods a formal and strict notation has to be used for the specification. We focus on embedded systems consisting of a time, value and event discrete controller and a time and value continuous plant. We propose to model the resulting system as a hybrid system \(\mathcal {H}\) according to Fig. 1. Thereby the embedded controller as well as the switching part of the physical plant are modelled using the state machine \(\mathcal {Z}\). The controlled dynamics of the continuous plant are represented by a set of linear dynamic systems \(\mathbb {S}\). The input u is applied to the state machine. Based on the resulting state, a switch signal is determined that activates the respective subsystem \(s^{(i)}\in \mathbb {S}\). The continuous input is also applied to this continuous subsystem. The output of the active subsystem is fed to the output of the hybrid system and also used as feedback signal for the generating subsystem.

Please note that this model assumption is different from the real system composition consisting of controller, actuator, plant and measurement device. This is due to the fact that the behaviour of the physical components is split into discrete and continuous dynamics and then combined in the respective model parts. Therefore it is not possible to use this detailed specification for any kind of automatic software generation. In other words, the hybrid system \(\mathcal {H}\) represents what the system should do and not how it can be done. There is no information available whether a specific continuous dynamic \(s^{(i)}\) is a genuine dynamic of the physical plant or if it is synthesised using a specific control strategy. This abstraction allows to describe the SUT by parameters calculated using identification methods, as the identified parameters uniquely describe the observed behaviour. Note that there are several possible combinations of (unknown) physical plant parameters and (unknown) controller parameters that will all show the same observable behaviour described by a unique set of parameters \(\mathbf {\Theta }^{(i)}\).
Fig. 1. Structure of the hybrid system model \(\mathcal {H}\)

The state machine \(\mathcal {Z}\) is assumed to be given by the 3-tuple
$$\begin{aligned} \mathcal {Z}=\left( \mathbb {Q},\mathbb {T},q_0\right) , \end{aligned}$$
(1)
with a finite set of states \(\mathbb {Q}\), a finite set of transitions \(\mathbb {T}\), and an initial state \(q_0\).

The state machine \(\mathcal {Z}\) is used to describe the switching behaviour between distinctive states representing operation modes of the specification. Possible operation modes that are available in nearly all systems are for example “start up mode”, “normal mode”, “exception mode” or “shut down mode”. Specific examples will provide even more, task specific operation modes.

The structure of the transitions \(\mathbb {T}\) between the states \(\mathbb {Q}\) of the state machine \(\mathcal {Z}\) is given by the adjacency matrix \(\mathbf {A}\), with \(a_{i,j}=1\) if there exists a transition from state i to state j and \(a_{i,j}=0\) otherwise.

The linear dynamic subsystems \(s^{(i)}\) for each state are defined as Auto-Regressive Systems with eXogenous input (ARX system). All subsystems \(s^{(i)}\) use the same fixed sample time \(\varDelta T\). Each state \(q^{(i)}\in \mathbb {Q}\) is linked to one specific dynamic ARX subsystem \(s^{(i)} \in \mathbb {S}\) given by
$$\begin{aligned} s^{(i)}:\ y_{k}=\sum _{j=1}^{n_a^{(i)}}\left( y_{k-j}\right) a_j^{(i)}+\sum _{j=1}^{n_c^{(i)}}\left( u_{k-j}\right) c_j^{(i)}, \end{aligned}$$
(2)
where \(u_k\) and \(y_k\) are the values of the time-discretized continuous system input and output at time k, \(c_j^{(i)}\) and \(a_j^{(i)}\) are the input and output coefficients, and \(n_c^{(i)}\) and \(n_a^{(i)}\) are the input and output orders, all specific to each subsystem.

Note that the specification parameters in \(\mathbb {S}\) are parameters of the overall system (controller and plant) that describe the combined dynamics. Those parameters are different from the needed controller parameters and can thus not be used to parametrize the controller directly. The used controller structure as well as the controller parameters are an important part of the system design which is assumed to be done manually here. Please note that there are several controller structures and respective parametrizations that are suitable to meet the specification [26].

During the measurement time of \(T=\varDelta T K\) seconds the hybrid system shows the behaviour of the different active subsystems. Switches between the subsystems and thus the states of \(\mathcal {Z}\) are often tightly coupled with conditions on the process. These conditions can be used to refine the state machine by the introduction of switching thresholds. The switching thresholds need to be fulfilled to allow the change of the active subsystem. Without switching thresholds, the state machine can switch between states at arbitrary values or after infinitely short dwell times, thus leading to undesired behaviour.

The switching thresholds are user-defined restrictions on a threshold signal \(\varOmega =[\omega _k]_{k=0}^{K}\) that can also be chosen by the user. The specified switching thresholds are given as interval entries of a matrix \(\mathbf {B}\) with \(b_{i,j}=[\underline{l} \ \bar{l}]\) if \(a_{i,j}\ne 0\) and \(b_{i,j}=[-\infty \ \infty ]\) otherwise. Here \(\underline{l}\) and \(\bar{l}\) are the lower and upper limits of the value of \(\omega _k\). As long as \(\omega _k\ \in \ [\underline{l} \ \bar{l}]\) the state machine is allowed to change its state, i.e. to perform a switch, but does not necessarily have to.

When setting up the formal specification the physical signals that are interpreted as input and output of the linear dynamic subsystem have to be chosen. The choice of the signals depends on the objective of the test and the investigated hierarchical level. It is possible to define specifications on different levels and thus map a variety of different goals. Nevertheless, the choice of the input signal \(\mathbf {U}=[u_k]_{k=0}^{K}\) and the output signal \(\mathbf {Y}=[y_k]_{k=0}^{K}\) of all subsystems and levels has to fulfil controllability constraints. The choice of the input and output signal has to be the same for all systems of \(\mathbb {S}\).

To allow precise notation for the remainder of the paper, all variables of the formalized specification \(\mathcal {H}^* = \left[ \mathcal {Z}^*,\mathbb {S}^*\right] \) are marked with an asterisk. All variables belonging to the identified SUT \(\mathcal {H}' = \left[ \mathcal {Z}',\mathbb {S}'\right] \) are marked with a prime. The complete setting is shown in Fig. 2. The specification \(\mathcal {H}^*\), consisting of the state machine \(\mathcal {Z}^*\) and the linear dynamic behaviour \(\mathbb {S}^*\), has to be given by the user. Based on this information an SUT that fulfils the specification is developed. Nevertheless, it is likely that failures are made during the implementation process.

To verify the consistency, the SUT has to be transformed into its hybrid representation. A hybrid identification procedure is used to extract the implemented state machine \(\mathcal {Z}'\) and the implemented system dynamics \(\mathbb {S}'\) from the SUT. The final step is the comparison of the different system components as outlined in Sect. 4. If the correct subsystems are identified and the state machine is consistent with the specified state machine, the SUT is regarded as consistent with the given specification.
Fig. 2. Structure of the proposed method

2.1 Example

To set up a formalized specification, the user has to define all elements of the 3-tuple \(\mathcal {Z}^*\) and all necessary parameters of the ARX systems included in \(\mathbb {S}^*\). An exemplary specification \(\mathcal {H}^*=\left[ \mathcal {Z}^*, \mathbb {S}^*\right] \) is given by the system parameters in Table 1 and the state machine in Fig. 3. The state machine in the given example consists of three states and no switching thresholds for the sake of simplicity. The given system parameters describe three subsystems with \(n_a^{(i)}=n_c^{(i)}=1\ \forall \ i\) leading to
$$\begin{aligned} s^{(i)}:\ y_{k}=y_{k-1}a_1^{(i)}+u_{k-1}c_1^{(i)}. \end{aligned}$$
(3)
Fig. 3. Exemplary definition of the state machine \(\mathcal {Z}^*\)

Table 1. Exemplary parameters for the system \(\mathbb {S}^*\) consisting of 3 subsystems with \(n_a^{(i)}=n_c^{(i)}=1\ \forall\ i\)

Subsystem | \(a_1^*\) | \(c_1^*\)
1 | 1.000 | 0.003
2 | 0.975 | 0.040
3 | 1.020 | −0.040

The implementation of the System under Test \(\mathcal {H}'\) is done based on the given formal specification \(\mathcal {H}^*\). As the implementation is done by one or more human developers, it is likely that there exist inconsistencies in the resulting system \(\mathcal {H}'\). Note that the implemented system \(\mathcal {H}'\) consists of real hardware and software and includes a given plant that can not be changed. Therefore the implemented state machine \(\mathcal {Z}'\) and its dynamical subsystems \(\mathbb {S}'\) are not directly known. Nevertheless it is possible to excite the system and measure its output signal.

3 Identification of the SUT

Now assume the output signal of the system \(\mathbf {Y}'=[y'_k]_{k=0}^{K}\) was measured using a known, suitable and persistent excitation signal \(\mathbf {U}'=[u'_k]_{k=0}^{K}\) lasting for \(T=\varDelta T K\) seconds. It is now possible to calculate the actual generating subsystems \(\mathbb {S}'\) based on the measured data \(\left[ \mathbf {U}',\mathbf {Y}'\right] \) using the identification and segmentation algorithm from [14, 15] which is given as follows:

The algorithm uses an alternating iterative procedure to identify the system parameters as well as the unknown switching times. Thereby the system parameters are calculated using the first \(\max ({n_a^{(i)},n_c^{(i)}})+n_a^{(i)}+n_c^{(i)}\) measurement values as estimation interval \(k_{est}\) and a Least-Squares-Estimator.

The estimated parameters
$$\begin{aligned} \mathbf {\Theta }'_{k_{est}}=\{{\mathbf {a}^{(i)}}', {\mathbf {c}^{(i)}}'\} \end{aligned}$$
(4)
with \({\mathbf {a}^{(i)}}'=\{{a_j^{(i)}}'\}_{j=1}^{n_a^{(i)}}\) and \({\mathbf {c}^{(i)}}'=\{{c_j^{(i)}}'\}_{j=1}^{n_c^{(i)}}\) are then used to determine the multi-step replica trajectory \(\tilde{y}_k(\mathbf {\Theta }'_{k_{est}})\). As long as the calculated mean absolute error
$$\begin{aligned} \epsilon (k_{est},\mathbf {\Theta }'_{k_{est}})=\frac{1}{k_{est}+1}\sum _{k=0}^{k_{est}}\left| y'_k-\tilde{y}_k(\mathbf {\Theta }'_{k_{est}})\right| \end{aligned}$$
(5)
is below a user defined border, the estimation interval \(k_{est}\) is increased. If \(\epsilon (k_{est},\mathbf {\Theta }'_{k_{est}})\) is bigger than the given border, a switch is recognized and the calculated parameters are stored as well as the current value \(\omega _{k_{est}}\) of the threshold signal.
It is well known that only in a noiseless setting with known system orders does the estimation of the parameters yield a direct match with the specified parameters, even for short measurement times. Thus the switching time intervals shrink to a single point. This behaviour can be seen in Fig. 4 where the identification algorithm was applied to the output signal \(\mathbf {Y}'\) generated by the system given in the example and a constant input signal \(u_k=100\ \forall \ k\).
Fig. 4. Measured trajectory and identified subsystem switches

The resulting parameters of the subsystems are given in Table 2.
Table 2. Parameters identified from the signal given in Fig. 4

No | Subsystem | \(a_1'\) | \(c_1'\)
1 | 1 | 1.000 | 0.003
2 | 2 | 0.975 | 0.040
3 | 3 | 1.020 | −0.040
4 | 2 | 0.975 | 0.040
5 | 1 | 1.000 | 0.003
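The identification and segmentation procedure of Sect. 3, run on the example of Table 1, as an added example that is not part of the paper and not the implementation from [14, 15]: the three first-order subsystems are simulated switching 1→2→3→2→1 under the constant input \(u_k=100\) (the switching times, the initial value \(y_0=0\) and the error border are constructed assumptions), and a growing-window least-squares estimator with the replica error of eq. (5) recovers the segments and the parameters of Table 2. It runs in pure Python without numpy; the threshold signal \(\varOmega\) is left out because the example defines no switching thresholds.

```python
# Specification S* from Table 1 (n_a = n_c = 1): subsystem -> (a_1, c_1).
SPEC = {1: (1.000, 0.003), 2: (0.975, 0.040), 3: (1.020, -0.040)}


def simulate(schedule, u=100.0, y0=0.0):
    """Generate the measurement [U', Y'] of a switched ARX system, eq. (3).
    schedule: list of (active subsystem, number of samples); constructed input."""
    us, ys, y = [u], [y0], y0
    for sub, n in schedule:
        a, c = SPEC[sub]
        for _ in range(n):
            y = a * y + c * u          # y_k = a_1 y_{k-1} + c_1 u_{k-1}
            us.append(u)
            ys.append(y)
    return us, ys


def fit_arx1(us, ys, start, stop):
    """Least-squares estimate of (a_1, c_1) from samples start..stop (inclusive):
    one equation y_k = a y_{k-1} + c u_{k-1} per k = start+1..stop, solved via
    the 2x2 normal equations (enough for first-order subsystems)."""
    s_yy = s_yu = s_uu = s_ry = s_ru = 0.0
    for k in range(start + 1, stop + 1):
        p, q, r = ys[k - 1], us[k - 1], ys[k]
        s_yy += p * p
        s_yu += p * q
        s_uu += q * q
        s_ry += r * p
        s_ru += r * q
    det = s_yy * s_uu - s_yu * s_yu
    if abs(det) < 1e-12:
        raise ValueError("window too short or input not persistently exciting")
    a = (s_ry * s_uu - s_ru * s_yu) / det
    c = (s_yy * s_ru - s_yu * s_ry) / det
    return a, c


def replica_error(us, ys, start, stop, theta):
    """Eq. (5): mean absolute error between the measurement and the multi-step
    replica trajectory started at y_start and driven only by the measured input."""
    a, c = theta
    y_rep, err = ys[start], 0.0
    for k in range(start + 1, stop + 1):
        y_rep = a * y_rep + c * us[k - 1]
        err += abs(ys[k] - y_rep)
    return err / (stop - start + 1)


def identify(us, ys, border=1e-6, n_a=1, n_c=1):
    """Alternating estimation/segmentation of Sect. 3: grow the estimation
    interval k_est while the replica error stays below the border; when it is
    exceeded a switch is recognised, the last consistent parameters are stored
    and the procedure restarts at the sample before the switch.
    Returns a list of (first sample, last sample, (a_1', c_1'))."""
    window = max(n_a, n_c) + n_a + n_c       # initial estimation interval
    last = len(ys) - 1
    segments, start = [], 0
    k_est = start + window - 1
    theta = fit_arx1(us, ys, start, k_est)
    while k_est < last:
        k_est += 1
        cand = fit_arx1(us, ys, start, k_est)
        if replica_error(us, ys, start, k_est, cand) <= border:
            theta = cand                     # still one consistent subsystem
            continue
        segments.append((start, k_est - 1, theta))
        start = k_est - 1                    # y_{k_est-1} starts the new subsystem
        k_est = start + window - 1
        if k_est > last:
            raise ValueError("final segment shorter than the estimation interval")
        theta = fit_arx1(us, ys, start, k_est)
    segments.append((start, k_est, theta))
    return segments


def state_sequence(segments, spec=SPEC, tol=1e-6):
    """Assign each identified parameter set to the specified subsystem with the
    same parameters (Sect. 4.1); None marks unspecified dynamics."""
    seq = []
    for _, _, (a, c) in segments:
        match = [i for i, (sa, sc) in spec.items()
                 if abs(a - sa) <= tol and abs(c - sc) <= tol]
        seq.append(match[0] if match else None)
    return seq


if __name__ == "__main__":
    # Constructed switching schedule 1 -> 2 -> 3 -> 2 -> 1 under u_k = 100.
    us, ys = simulate([(1, 40), (2, 40), (3, 30), (2, 40), (1, 30)])
    segs = identify(us, ys)
    for no, (s, e, (a, c)) in enumerate(segs, 1):
        print(f"{no}: samples {s}-{e}  a_1' = {a:.3f}  c_1' = {c:.3f}")
    print("state sequence:", state_sequence(segs))
```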

4 Comparison of SUT and Specification

The results can now be compared with the given specification \(\mathcal {H}^*\). Matching parameters mean that the dynamic behaviour of \(\mathbb {S}'\) is consistent with the specified behaviour \(\mathbb {S}^*\). Manual inspection shows that the identified parameters in Table 2 match the specified parameters in Table 1. The identified state sequence of the signal in Fig. 4 is 1\(\rightarrow \)2\(\rightarrow \)3\(\rightarrow \)2\(\rightarrow \)1 which is consistent with the state machine in Fig. 3. Therefore it can be concluded that the system that produced the signal in Fig. 4 is consistent with the given specification \(\mathcal {H}^*\).

4.1 Automatic Comparison

The comparison of the specification \(\mathcal {H}^*\) and the SUT \(\mathcal {H}'\) can also be done automatically. Therefore it is necessary to check the consistency of the parameters, the consistency of the transitions and the consistency of the switching thresholds. There are three possible results: full consistency, partial consistency and inconsistency for each part.

The consistency of the parameters is determined by setting up the identified set of states \(\mathbb {Q}'\). This is done by comparing the identified parameters to the specified parameters. An identified subsystem \({s^{(i)}}'\) can be assigned to a specified state \(q_j\in \mathbb {Q}^*\) if the parameters of \({s^{(i)}}'\) and \({s^{(j)}}^*\) are the same. The matching state \(q_j\) is added to the identified set of states \(\mathbb {Q}'\). An identified subsystem \({s^{(i)}}'\) without a matching specification is considered to represent an additional dynamic belonging to a state \(q_m\notin \mathbb {Q}^*\). Nevertheless \(q_m\) is added to \(\mathbb {Q}'\).

The consistency can be determined by comparing \(\mathbb {Q}^*\) and \(\mathbb {Q}'\). The set of states is only fully consistent if \(\mathbb {Q}'=\mathbb {Q}^*\). If there are states missing and hence \(\mathbb {Q}'\subset \mathbb {Q}^*\) the states are partially consistent. Otherwise they are inconsistent as \(\mathbb {Q}'\not \subset \mathbb {Q}^*\) indicates that there are unspecified dynamics present in the SUT.

The consistency of the transitions is determined by comparing the adjacency matrices of the specification \(\mathbf {A}^*\in \mathbb {R}^{e\times e}\) and the SUT \(\mathbf {A}'\in \mathbb {R}^{f\times f}\). Therefore it is necessary to reorder the identified states such that they match the order of the specified states. Each specified system dynamic without an identified match leads to zero entries in \(\mathbf {A}'\), each unspecified system dynamic leads to an additional row and an additional column in \(\mathbf {A}'\).

For full consistency between \(\mathbf {A}^*\) and \(\mathbf {A}'\) the following has to hold:
$$\begin{aligned} \mathbf {A}^*=\mathbf {A}'. \end{aligned}$$
(6)
This means that exactly all specified states and all transitions were identified, no state or transition is missing and no additional state or transition was present.
For partial consistency between \(\mathbf {A}^*\) and \(\mathbf {A}'\) the following has to hold:
$$\begin{aligned} e&=f\end{aligned}$$
(7)
$$\begin{aligned} \underline{0}&\preccurlyeq \mathbf {A}^*-\mathbf {A}' \end{aligned}$$
(8)
with \(\mathbf {A}\succcurlyeq \underline{0}\) meaning \(a_{ij}\ge 0\ \forall \ i,j\). Partial consistency means that all identified states and transitions were specified but not all specified states and transitions were identified. This is due to the fact that any specified system dynamic without an identified match leads to zero entries in \(\mathbf {A}'\). Nevertheless the system might possess full consistency but did not show it due to insufficient excitation.
There is inconsistency between \(\mathbf {A}^*\) and \(\mathbf {A}'\) if
$$\begin{aligned} e&=f\end{aligned}$$
(9)
$$\begin{aligned} \underline{0}&\not \preccurlyeq \mathbf {A}^*-\mathbf {A}'\end{aligned}$$
(10)
$$\begin{aligned} \text {or}\nonumber \\ e&\ne f. \end{aligned}$$
(11)
The adjacency matrices \(\mathbf {A}^*\) and \(\mathbf {A}'\) are of different dimension if there are additional states that are not specified. Unspecified behaviour leads to additional states and thus an additional row and an additional column in \(\mathbf {A}'\). If there are no unspecified states but unspecified transitions present, (9) and (10) hold. As soon as there are unspecified states or transitions present, the transitions are inconsistent with the specification.
For the switching thresholds given in \(\mathbf {B}^*\) the consistency has to be checked for all identified transitions \(\mathbb {T}'\). Therefore the relevant signals have to fulfil
$$\begin{aligned} \omega _{\tau _{i,j}}\in b_{i,j}\ \forall \ \mathbb {T}' \end{aligned}$$
(12)
with \(\tau _{i,j}\) denoting the time when the active state of the state machine changes from state i to state j. The switching thresholds are inconsistent if (12) does not hold. Otherwise they are partially consistent for \(\mathbb {T}'\subset \mathbb {T}^*\) and fully consistent for \(\mathbb {T}'=\mathbb {T}^*\).
The final consistency of \(\mathcal {H}'\) is determined by the combination of the result for all three parts as given in Table 3.
Table 3. Consistency of \(\mathcal {H}'\)

Consistency of \(\mathbb {Q}'\) | Consistency of \(\mathbf {A}'\) | Consistency of \(\mathbb {T}'\) | Consistency of \(\mathcal {H}'\)
fully | fully | fully | fully
partially | fully/partially | fully/partially | partially
fully/partially | partially | fully/partially | partially
fully/partially | fully/partially | partially | partially
inconsistent | any | any | inconsistent
any | inconsistent | any | inconsistent
any | any | inconsistent | inconsistent

Thereby \(\mathcal {H}'\) is only fully consistent if all results were fully consistent. If there are fully and partially consistent results, \(\mathcal {H}'\) is partially consistent. Finally \(\mathcal {H}'\) becomes inconsistent with \(\mathcal {H}^*\) if there is at least one part evaluated as inconsistent.
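The three consistency checks of Sect. 4.1 and the combination rule of Table 3 in code, as an added example that is not the paper's implementation: it builds \(\mathbb {Q}'\), \(\mathbf {A}'\) and \(\mathbb {T}'\) from an identified state sequence and evaluates them against the specification of Fig. 3 / eq. (14). The state sequences other than 1→2→3→2→1, the threshold interval \(b_{1,2}\), the threshold-signal values at the switches and the label "u1" for unspecified dynamics are constructed inputs.

```python
# Consistency labels used in Table 3.
FULL, PARTIAL, INCONS = "fully", "partially", "inconsistent"

# Specification Z* of Fig. 3 / eq. (14): states 1 <-> 2 <-> 3, no thresholds.
Q_SPEC = [1, 2, 3]
T_SPEC = {(1, 2), (2, 1), (2, 3), (3, 2)}


def adjacency(states, transitions):
    """Adjacency matrix over the ordered list `states`: a_ij = 1 if i -> j exists."""
    idx = {q: n for n, q in enumerate(states)}
    a = [[0] * len(states) for _ in states]
    for i, j in transitions:
        a[idx[i]][idx[j]] = 1
    return a


def identified_machine(seq, q_spec):
    """Q', T' and the state order for A' from an identified state sequence.
    States are ordered like Q* (a specified but unobserved state keeps a zero
    row and column); labels not in Q* are unspecified dynamics and are appended,
    which makes A' larger than A* (Sect. 4.1)."""
    q_ident = set(seq)
    order = list(q_spec) + [q for q in dict.fromkeys(seq) if q not in q_spec]
    t_ident = {(seq[k], seq[k + 1]) for k in range(len(seq) - 1)}
    return q_ident, order, t_ident


def state_consistency(q_spec, q_ident):
    """Q' = Q*: fully; Q' a proper subset of Q*: partially; else inconsistent."""
    if q_ident == set(q_spec):
        return FULL
    return PARTIAL if q_ident < set(q_spec) else INCONS


def transition_consistency(a_spec, a_ident):
    """Eqs. (6)-(11) on the adjacency matrices A* (e x e) and A' (f x f)."""
    e, f = len(a_spec), len(a_ident)
    if e != f:                                   # eq. (11): unspecified states
        return INCONS
    diff = [a_spec[i][j] - a_ident[i][j] for i in range(e) for j in range(e)]
    if all(d == 0 for d in diff):                # eq. (6)
        return FULL
    if all(d >= 0 for d in diff):                # eqs. (7), (8)
        return PARTIAL
    return INCONS                                # eqs. (9), (10): extra transitions


def threshold_consistency(b_spec, t_spec, switches):
    """Eq. (12): at every identified switch i -> j the threshold signal omega
    must lie inside b_ij; transitions without a specified threshold use
    [-inf, inf].  Fully consistent only if every specified transition was seen."""
    for i, j, omega in switches:
        lo, hi = b_spec.get((i, j), (float("-inf"), float("inf")))
        if not lo <= omega <= hi:
            return INCONS
    t_ident = {(i, j) for i, j, _ in switches}
    return FULL if t_ident == set(t_spec) else PARTIAL


def combine(q_res, a_res, t_res):
    """Combination rule of Table 3."""
    results = (q_res, a_res, t_res)
    if INCONS in results:
        return INCONS
    return FULL if all(r == FULL for r in results) else PARTIAL


def verify(q_spec, t_spec, b_spec, seq, omegas):
    """Automatic comparison of H* and H': seq is the identified state sequence,
    omegas[k] the threshold-signal value at the switch seq[k] -> seq[k+1].
    Returns (overall result, (Q' result, A' result, T' result))."""
    q_ident, order, t_ident = identified_machine(seq, q_spec)
    a_spec = adjacency(list(q_spec), t_spec)
    a_ident = adjacency(order, t_ident)
    switches = [(seq[k], seq[k + 1], omegas[k]) for k in range(len(seq) - 1)]
    parts = (state_consistency(q_spec, q_ident),
             transition_consistency(a_spec, a_ident),
             threshold_consistency(b_spec, t_spec, switches))
    return combine(*parts), parts


if __name__ == "__main__":
    # Identified sequence of Fig. 4 / Table 2 -> fully consistent.
    print(verify(Q_SPEC, T_SPEC, {}, [1, 2, 3, 2, 1], [0, 0, 0, 0]))
    # Constructed: state 3 never excited -> partially consistent.
    print(verify(Q_SPEC, T_SPEC, {}, [1, 2, 1], [0, 0]))
    # Constructed: unspecified dynamics "u1" -> e != f -> inconsistent.
    print(verify(Q_SPEC, T_SPEC, {}, [1, 2, "u1", 2, 1], [0] * 4))
    # Constructed threshold b_12 = [0, 50] violated at omega = 70 -> inconsistent.
    print(verify(Q_SPEC, T_SPEC, {(1, 2): (0.0, 50.0)}, [1, 2, 3, 2, 1], [70, 0, 0, 0]))
```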

4.2 Example

The states in the example are given by
$$\begin{aligned} \mathbb {Q}'=\{1, 2, 3\}=\mathbb {Q}^* \end{aligned}$$
(13)
and are thus fully consistent. The adjacency matrices are given by
$$\begin{aligned} \mathbf {A}' = \begin{bmatrix} 0 & 1 & 0\\ 1 & 0 & 1\\ 0 & 1 & 0 \end{bmatrix} = \mathbf {A}^* \end{aligned}$$
(14)
and are thus also fully consistent. As there are no switching thresholds defined, this part can be omitted. This leads to \(\mathcal {Z}'\) being fully consistent with \(\mathcal {Z}^*\) and in addition \(\mathbb {S}'\) being fully consistent with \(\mathbb {S}^*\), leading to \(\mathcal {H}'\) being fully consistent with \(\mathcal {H}^*\). This means that the superimposed state machine as well as the linear dynamic subsystems of the system that produced the measurement in Fig. 4 are fully consistent with the specification of \(\mathcal {H}^*\) in Fig. 3 and Table 1.

5 Conclusions and Future Work

5.1 Conclusions

This paper presented the idea of interpreting the automated verification of complex systems as a hybrid system identification problem. Therefore the idea of using a formal hybrid model as specification for the complex system was presented. Each operation mode of the specification is interpreted as a state of a state machine. The continuous linear system dynamics that govern the behaviour in every state are modelled as ARX systems and assigned to the respective state. Representing system behaviour as dynamic parameters leads to the advantage of being independent from specific input/output signals.

Knowledge about the implemented SUT is generated by exciting the SUT with a suitable input signal and measuring the resulting output signal. This signal can be generated by the responsible engineer and thus provides the possibility to include expert knowledge in the verification process. The measurement data is analysed by a hybrid identification algorithm that segments and identifies a hybrid system from its input/output behaviour. The resulting system parameters are then compared with the specified parameters. Based on the result, the state machine of the SUT can be set up. If the identified parameters and the identified state machine are consistent with the specification it can be concluded that the SUT itself is consistent with its specification.

5.2 Future Work

The requirement that the user has to define all elements of the 3-tuple and all necessary parameters of the ARX systems when setting up the formalized specification is rather restricting. This should be improved in future work by providing a more intuitive way of setting up the specification. Therefore a graphical user interface (GUI) can be implemented, providing the user with the ability to define feasible input regions that are linked to their respective feasible output regions. The specification parameters could hence be determined by the improved algorithm, based on these user-specified input/output trajectories, leading to a “specification by example” setting.

The restrictions on the choice of the input and output signal given in Sect. 2 are rather rigorous. Future work will focus on softening these restrictions to allow a wider scope of application.

Furthermore the impact of noise has to be investigated. It is clear that the identified parameters will not perfectly match the specified parameters any more if there is noise present. The general procedure is assumed to be still applicable as [14] already provides the handling of noisy signals. Nevertheless it is not enough to simply introduce tolerances for the parameters, as even minor changes in the parameters might lead to tremendous changes of the system behaviour in some scenarios. On the other hand system identification can provide two distinct sets of parameters even though the input/output behaviour is very similar. Both cases have to be tackled by the introduction of a similarity measure based on the parameters.

Footnotes

  1. The term “verification” is used in the control engineering sense throughout this paper, which is denoted as “conformance testing” in computer science.

References

  1. Transregional collaborative research center “automatic verification and analysis of complex systems (avacs)”. http://www.avacs.org
  2. Abel, A., Reineke, J.: Memin: SAT-based exact minimization of incompletely specified Mealy machines. In: Proceedings of the IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2015, Austin, TX, USA, 2–6 November 2015, pp. 94–101 (2015)
  3. Alur, R., Dang, T., Ivančić, F.: Reachability analysis of hybrid systems via predicate abstraction. In: Tomlin, C.J., Greenstreet, M.R. (eds.) HSCC 2002. LNCS, vol. 2289, pp. 35–48. Springer, Heidelberg (2002). doi:10.1007/3-540-45873-5_6
  4. Alur, R., Dang, T., Ivančić, F.: Predicate abstraction for reachability analysis of hybrid systems. ACM Trans. Embed. Comput. Syst. 5(1), 152–199 (2006)
  5. Anta, A., Majumdar, R., Saha, I., Tabuada, P.: Automatic verification of control system implementations. In: Proceedings of the Tenth ACM International Conference on Embedded Software, pp. 9–18 (2010)
  6. Araiza-Illan, D., Eder, K., Richards, A.: Verification of control systems implemented in Simulink with assertion checks and theorem proving: a case study. In: 2015 European Control Conference (ECC), pp. 2670–2675, July 2015
  7. Badban, B., Fränzle, M., Peleska, J., Teige, T.: Test automation for hybrid systems. In: Proceedings of the 3rd International Workshop on Software Quality Assurance, SOQUA 2006, pp. 14–21. ACM, New York (2006)
  8. Balluchi, A., Benvenuti, L., di Benedetto, M.D., Pinello, C., Sangiovanni-Vincentelli, A.L.: Automotive engine control and hybrid systems: challenges and opportunities. Proc. IEEE 88(7), 888–912 (2000)
  9. Bhatia, A., Frazzoli, E.: Incremental search methods for reachability analysis of continuous and hybrid systems. In: Alur, R., Pappas, G. (eds.) HSCC 2004. LNCS, vol. 2993, pp. 142–156. Springer, Berlin Heidelberg (2004)
  10. Broy, M., Jonsson, B., Katoen, J.-P., Leucker, M., Pretschner, A. (eds.): Model-Based Testing of Reactive Systems: Advanced Lectures. LNCS, vol. 3472. Springer, Heidelberg (2005)
  11. Chen, W., Chen, W.-T., Saif, M., Li, M.-F., Wu, H.: Simultaneous fault isolation and estimation of lithium-ion batteries via synthesized design of Luenberger and learning observers. IEEE Trans. Control Syst. Technol. 22(1), 290–298 (2014)
  12. Dang, T.: Model-based testing of hybrid systems. In: Model-Based Testing for Embedded Systems, chap. 14, pp. 383–424
  13. Denise, A., Gaudel, M.-C., Gouraud, S.-D.: A generic method for statistical testing. In: 15th International Symposium on Software Reliability Engineering, ISSRE 2004, pp. 25–34 (2004)
  14. Diehm, G., Maier, S., Flad, M., Hohmann, S.: An identification method for individual driver steering behaviour modelled by switched affine systems. In: Proceedings of the 52nd IEEE Conference on Decision and Control, pp. 3547–3553 (2013)
  15. Diehm, G., Maier, S., Flad, M., Hohmann, S.: Online identification of individual driver steering behaviour and experimental results. In: Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, pp. 221–227 (2013)
  16. Föllinger, O., Konigorski, U.: Regelungstechnik: Einführung in die Methoden und ihre Anwendung, 11., völlig neu bearb. Aufl. VDE-Verl., Berlin (2013)
  17. Frank, P.M.: Diagnoseverfahren in der Automatisierungstechnik. at - Automatisierungstechnik, 47–64 (1994)
  18. Holling, D., Pretschner, A., Gemmar, M.: 8cage: lightweight fault-based test generation for Simulink. In: Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE 2014, pp. 859–862. ACM, New York (2014)
  19. Kaner, C.: An introduction to scenario testing (2003)
  20. Lin, L., Poore, J.H., Eschbach, R., Hierons, R.M., Robinson-Mallett, C.: Augmenting sequence enumeration with string-rewriting for requirements analysis and behavioral specification. In: Cortellessa, V., Varró, D. (eds.) FASE 2013. LNCS, vol. 7793, pp. 179–193. Springer, Heidelberg (2013). doi:10.1007/978-3-642-37057-1_13
  21. 21.
    Liu, D., Guo, X., Tang, G., Huang, Z.: Model Validation via System Identification and Hypothesis Test. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  22. 22.
    Maler, O., Nickovic, D.: Monitoring temporal properties of continuous signals. In: Lakhnech, Y., Yovine, S. (eds.) FORMATS/FTRTFT-2004. LNCS, vol. 3253, pp. 152–166. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30206-3_12 CrossRefGoogle Scholar
  23. 23.
    Matinnejad, R., Nejati, S., Briand, L., Bruckmann, T., Poull, C.: Proceedings of the 5th International Symposium on Search based software engineering, SSBSE 2013, St. Petersburg, Russia, 24–26 August 2013, pp. 141–157 (2013)Google Scholar
  24. 24.
    Matinnejad, R., Nejati, S., Briand, L., Bruckmann, T., Poull, C.: Search-based automated testing of continuous controllers: framework, tool support, and case studies. Inf. Softw. Technol. 57, 705–722 (2015)CrossRefGoogle Scholar
  25. 25.
    Matinnejad, R., Nejati, S., Briand, L.C., Bruckmann, T.: Automated test suite generation for time-continuous simulink models, pp. 595–606 (2016)Google Scholar
  26. 26.
    Pajic, M., Park, J., Lee, I., Pappas, G.J., Sokolsky, O.: Automatic verification of linear controller software. In: Proceedings of the 12th International Conference on Embedded Software, EMSOFT 2015, pp. 217–226. IEEE Press, Piscataway (2015)Google Scholar
  27. 27.
    Schneider, J.: Tracking down root causes of defects in simulink models. In: Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE 2014, pp. 599–604. ACM, New York (2014)Google Scholar
  28. 28.
    Schupp, S., Ábrahám, E., Chen, X., Makhlouf, I., Frehse, G., Sankaranarayanan, S., Kowalewski, S.: Current challenges in the verification of hybrid systems. In: Berger, C., Mousavi, M.R. (eds.) CyPhy 2015. LNCS, vol. 9361, pp. 8–24. Springer, Heidelberg (2015). doi:10.1007/978-3-319-25141-7_2 CrossRefGoogle Scholar
  29. 29.
    Simon, S.: Objektorientierte Methoden zum automatisierten Entwurf von modell-basierten Diagnosesystemen. PhD thesis, Berlin, 2015. Zugl.: Kaiserslautern, Techn. Univ., Diss. (2015)Google Scholar
  30. 30.
    Utting, M., Pretschner, A., Legeard, B.: A taxonomy of model-based testing (2006)Google Scholar
  31. 31.
    Yordanov, B., Belta, C.: Formal analysis of discrete-time piecewise affine systems. IEEE Trans. Autom. Control 55(12), 2834–2840 (2010)MathSciNetCrossRefGoogle Scholar
  32. 32.
    Zander-Nowicka, J.: Model-based testing of real-time embedded systems in the automotive domain (2009)Google Scholar
  33. 33.
    Zhao, F., Koutsoukos, X., Haussecker, H., Reich, J., Cheung, P.: Monitoring and fault diagnosis of hybrid systems. IEEE Trans. Syst. Man Cybern. Part B (Cybern.) 35(6), 1225–1240 (2005)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Stefan Schwab (1)
  • Bernd Holzmüller (2)
  • Sören Hohmann (1)
  1. Institute of Control Systems, Karlsruhe Institute of Technology, Karlsruhe, Germany
  2. ITK-Engineering, Stuttgart, Germany
