Formal Methods for the Analysis of Critical Control Systems Models: Combining Non-linear and Linear Analyses

  • Adrien Champion
  • Rémi Delmas
  • Michael Dierkes
  • Pierre-Loïc Garoche
  • Romain Jobredeaux
  • Pierre Roux
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8187)


Critical control systems are often built as a combination of a control core with safety mechanisms that allow recovery from failures, for example a PID controller used with triplicated inputs and voting. Typically these systems are designed at the model level in a synchronous language such as Lustre or Simulink, and their code is automatically generated from these models. We present a new analysis framework combining the analysis of open-loop stable controllers with safety constructs (redundancy, voters, ...). We introduce the basic analysis approaches: abstract interpretation synthesizing quadratic invariants, and backward analysis based on quantifier elimination and convex hull computation synthesizing linear invariants. We then apply the framework to a simple but representative example that no other available state-of-the-art technique is able to analyze. This contribution is another step towards the early use of formal methods for critical embedded software such as that of the aerospace industry.







Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Adrien Champion (1, 2)
  • Rémi Delmas (1)
  • Michael Dierkes (2)
  • Pierre-Loïc Garoche (1)
  • Romain Jobredeaux (4)
  • Pierre Roux (1, 3)

  1. Onera – The French Aerospace Lab, France
  2. Rockwell Collins France, France
  3. ISAE, University of Toulouse, France
  4. Georgia Institute of Technology, United States
