# Meeting a Powertrain Verification Challenge

## Keywords

Discrepancy function, reachable state, driver behavior, switching signal, hybrid automaton

## 1 A Challenge Problem

As the targets for fuel efficiency, emissions, and drivability become more demanding, automakers are becoming interested in pushing the design automation and verification technologies for automotive control systems. The benchmark suite of powertrain control systems was published in [11, 12] as a set of challenge problems that capture some of the difficulties that arise in the verification of realistic systems. It consists of a sequence of Simulink^{TM}/Stateflow^{TM} models of the engine with increasing levels of sophistication and fidelity. At a high level, the models take inputs from a driver (throttle angle) and the environment (sensor failures), and define the dynamics of the engine. The key controlled quantity is the air to fuel ratio, which in turn influences the emissions, the fuel efficiency, and the torque generated. The requirements for the system are stated in signal temporal logic (STL). A typical property, for example, \(\Diamond _{t} (x \in [x_{eq}-\epsilon ,x_{eq}+\epsilon ])\), states that after *t* units of time, the continuous variable *x* is within the range \(x_{eq}\pm \epsilon \). Breach [4] and S-TaLiRo [2] have been used for finding counterexamples (i.e., falsifying) for these models in [5, 12, 13, 14]. These techniques can show the presence of executions that violate a requirement, but not their absence. The technique used in this paper proves that all the executions from a given set of initial states and a set of switching signals satisfy (or violate) the requirement. To the best of our knowledge, this is the first time a model in the powertrain control benchmark has been verified.

The model we consider in this paper is the polynomial hybrid automata model (Model 3, Sect. 3.3) of [12]. Although this model is given as a Simulink^{TM} diagram with switch blocks, it can be transformed to a hybrid automaton with 4 locations and 5 continuous variables. The dynamics of the system are given by highly nonlinear polynomial differential equations. The mode transitions are brought about by the input signal from the driver, and there are uncertainties in the initial set owing to measurement inaccuracies. Using an improved version of the C2E2 tool [6, 7], we are able to perform reachability analysis of this model and verify the requirements with respect to a set of relevant driver behaviors. In principle, Flow* [3] is designed to handle polynomial hybrid automata models; however, it was unable to verify the models considered in this paper, owing to the complexity of the nonlinear dynamics.

C2E2 is a verification tool for a general class of nonlinear hybrid systems. The previous version of C2E2 [6, 7] required the user to provide a special type of annotation for the model, called a *discrepancy function*, which essentially captures the rate of convergence (or divergence) of neighboring trajectories. Finding discrepancy functions for nonlinear models can be challenging. One of the main developments that enabled this verification is the implementation of a new algorithm in C2E2 (presented in detail in [10]) for the automatic computation of local discrepancy along trajectories of the system. Using this improved C2E2, we were not only able to find counterexamples, but also to verify the key STL requirements of the powertrain benchmark in the order of minutes.

## 2 Nonlinear Hybrid Powertrain Model

The Simulink^{TM} model for the powertrain control system is shown in Fig. 1(a). The system has four continuous variables \(p,\lambda ,p_e, i\) (see Fig. 1(b)), and four modes of operation: *startup*, *normal*, *power*, and *sensor_fail*. The mode switches (also called *transitions*) are brought about by changes in the input *throttle angle* \(\theta _{in}\) or *failure* events.

The Simulink^{TM} diagram defines polynomial differential equations that govern the evolution of the continuous variables in the four different modes. As an example, we reproduce the differential equation for the normal mode of operation.

This model is translated to a hybrid automaton form that is accepted by C2E2. The operating modes correspond to the locations of the automaton, the variables correspond to the above continuous variables, the differential equations define the trajectories, and the discrete transitions among the locations are defined by a piecewise constant input signal \(\theta _{in}\) from the driver behavior. C2E2 currently handles only closed automaton models. Therefore, for every driver behavior of interest, we explicitly construct a family of switching signals that determine the timing of the mode switches. The initial set of the automaton is a ball in the state space which corresponds to the measurement uncertainty in the state components.

The differential equation for the *normal* mode of operation is the following:

## 3 Verification Using C2E2 with Local Discrepancy

C2E2 implements a generic, simulation-based, algorithm for bounded time verification of invariant and temporal precedence properties of nonlinear hybrid models (see [6, 7, 8] for details). The algorithm iteratively computes more precise over-approximations of the reachable states of the system until it either proves the property (the requirement) or finds a counter-example. These over-approximations are computed for each location and for the duration that the system is in that location. The set of reachable states at the end of that interval serves as the starting set for the next location and so on. Thus, the key step in the algorithm is to compute and refine reach set over-approximations for ODEs for a given location. This step uses validated simulations and discrepancy functions [6].

A *validated simulation* of an ordinary differential equation (ODE) \(\dot{x} = f(x)\) from an initial state \(x_0\) with error bound \(\epsilon \) is a sequence of time-stamped regions \(\psi = (R_0,t_0), \ldots , (R_k,t_k)\) such that for each time interval \([t_{i-1},t_i]\) the solution \(\xi (x_0, .)\) resides in the region \(R_i\) and \(dia(R_i) \le \epsilon \). A uniformly continuous function \(\beta :{\mathbb R}^n \times {\mathbb R}^n \times {{\mathbb R}_{\ge 0} }\rightarrow {{\mathbb R}_{\ge 0} }\) is a *discrepancy function* of the above ODE if (a) for any pair of states \(x, x' \in {\mathbb R}^n\), and any time \(t >0\), \(\Vert \xi (x,t) - \xi (x',t)\Vert \le \beta (x,x',t)\), and (b) for any *t*, as \(x \rightarrow x'\), \(\beta (.,.,t) \rightarrow 0\). Thus, \(\beta \) gives an upper bound on the rate of divergence of two neighboring trajectories and this bound vanishes as their initial states approach each other.

In order to check whether the system satisfies an invariant *I* over a time horizon *T*, the C2E2 algorithm starts with a \(\delta \)-cover *C* of the initial set and proceeds as follows: from each point \(x_0\) in the cover *C* a validated simulation is generated and then bloated by a factor given by the discrepancy function. This bloated set is an over-approximation of the reach set from the \(\delta \)-neighborhood \(B_\delta (x_0)\) of \(x_0\). If this set is disjoint from (or contained in) \(I^c\), then the algorithm infers that the initial set \(B_\delta (x_0)\) satisfies (or violates, respectively) *I*. Otherwise, a finer cover of \(B_\delta (x_0)\) is created and added to *C* for computing a more precise over-approximation of the reach set from \(B_\delta (x_0)\). The first property of the discrepancy function gives the soundness of this algorithm, and the second property gives relative completeness (see Theorem 13 in [6]).

This approach requires the user to provide discrepancy functions, which can be burdensome. Although Lipschitz constants, contraction metrics [15], and incremental Lyapunov functions [1] can be used to get discrepancy functions for certain classes of models, none of these approaches gives an algorithm for computing \(\beta \) for general nonlinear ODEs. In this paper, we use the algorithm presented in [10] for computing local discrepancy functions on-the-fly along validated simulations. This algorithm uses the Jacobian \(J_f\) and a Lipschitz constant \(L_f\) of the ODE. First it computes a coarse over-approximation \(S(x_0)\) of the reach set from a simulation point \(x_0\) for a short duration. Then it computes an exponential (possibly negative) bound on the divergence rate of trajectories over \(S(x_0)\) by finding a bound on the maximum eigenvalue of the symmetric part of the Jacobian \(J_f\) over the region \(S(x_0)\). We refer the reader to the technical report [10] for the details of this algorithm.
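The cover-and-refine loop of the two preceding paragraphs and the Jacobian-based local discrepancy bound can be seen end to end on a small system. The following Python program is an added example written for this page; it is not C2E2 code and not the powertrain model. It assumes a constructed two-dimensional ODE \(\dot{x}_1 = -x_1 + 0.1x_2^2\), \(\dot{x}_2 = -x_2\) (chosen so that its Jacobian has a single state-dependent entry), an assumed Lipschitz constant for that ODE, a fixed-step RK4 integrator with an assumed error bound standing in for a validated simulation, and a cover of the initial set by cubes. On every simulation step it builds a coarse Grönwall box \(S\), bounds the largest eigenvalue of the symmetric part of the Jacobian over \(S\), and uses \(e^{\lambda h}\) as the local discrepancy factor; the coordinate transformation of Sect. 3.1 is not implemented, and all box, cover and invariant values are constructed for the demonstration.

```python
import itertools
import math

# Constructed 2-D nonlinear ODE used as the running example (not the powertrain model):
#   x1' = -x1 + 0.1 * x2^2,   x2' = -x2,   Jacobian J = [[-1, 0.2*x2], [0, -1]]
def f(x):
    x1, x2 = x
    return (-x1 + 0.1 * x2 * x2, -x2)

def jacobian_interval(box):
    """Interval enclosure of every Jacobian entry over the box ((lo1,hi1),(lo2,hi2)).
    Only the (1,2) entry depends on the state."""
    lo2, hi2 = box[1]
    return (((-1.0, -1.0), (0.2 * lo2, 0.2 * hi2)),
            ((0.0, 0.0), (-1.0, -1.0)))

LIPSCHITZ = 2.0   # assumed Lipschitz constant of f, valid while |x2| <= 5
SIM_ERR = 1e-3    # assumed simulation error; a validated solver would supply dia(R_i) <= eps

def lambda_max_bound(box):
    """Upper bound on the largest eigenvalue of (J + J^T)/2 over the box.
    For a symmetric [[a, e], [e, d]] the largest eigenvalue is
    (a+d)/2 + sqrt(((a-d)/2)^2 + e^2); each term is maximised separately over
    the interval entries, which is sound but possibly loose."""
    (a, b), (c, d) = jacobian_interval(box)
    e_lo, e_hi = (b[0] + c[0]) / 2, (b[1] + c[1]) / 2   # off-diagonal of the symmetric part
    e_abs = max(abs(e_lo), abs(e_hi))
    half_diff = max(abs(a[1] - d[0]), abs(a[0] - d[1])) / 2
    return (a[1] + d[1]) / 2 + math.sqrt(half_diff ** 2 + e_abs ** 2)

def rk4_step(x, h):
    """One fixed-step RK4 step (plain numerical simulation, not a validated one)."""
    def add(p, k, s):
        return tuple(pi + s * ki for pi, ki in zip(p, k))
    k1 = f(x)
    k2 = f(add(x, k1, h / 2))
    k3 = f(add(x, k2, h / 2))
    k4 = f(add(x, k3, h))
    return tuple(xi + h / 6 * (p + 2 * q + 2 * r + s)
                 for xi, p, q, r, s in zip(x, k1, k2, k3, k4))

def bloated_hull(p, q, rho):
    """Axis-aligned box around the segment p-q, grown by rho on every axis."""
    return tuple((min(pi, qi) - rho, max(pi, qi) + rho) for pi, qi in zip(p, q))

def inside(box, other):
    return all(lo >= olo and hi <= ohi for (lo, hi), (olo, ohi) in zip(box, other))

def disjoint(box, other):
    return any(hi < olo or lo > ohi for (lo, hi), (olo, ohi) in zip(box, other))

def check_ball(x0, rho, invariant, horizon, h):
    """Simulate from x0 and bloat each step by the on-the-fly local discrepancy.
    Classifies the 2-norm ball B_rho(x0): 'safe' if the whole tube lies in the
    invariant, 'unsafe' if some step's reach set lies entirely in the complement
    (every trajectory from the ball violates), 'unknown' otherwise."""
    x, t, all_inside = x0, 0.0, True
    while t < horizon - 1e-12:
        x_next = rk4_step(x, h)
        # Coarse over-approximation S of the reach set over [t, t+h] via Gronwall
        coarse = bloated_hull(x, x_next, rho * math.exp(LIPSCHITZ * h) + SIM_ERR)
        lam = lambda_max_bound(coarse)          # local exponential divergence rate on S
        rho_next = rho * math.exp(lam * h)      # ||xi(x,t) - xi(x',t)|| <= rho * e^{lam t}
        reach = bloated_hull(x, x_next, max(rho, rho_next) + SIM_ERR)
        if disjoint(reach, invariant):
            return "unsafe"
        if not inside(reach, invariant):
            all_inside = False
        x, rho, t = x_next, rho_next, t + h
    return "safe" if all_inside else "unknown"

def cover(box, delta):
    """Centres of a delta-cover of the box by cubes of half-width delta."""
    axes = [[lo + delta + 2 * delta * k
             for k in range(max(1, math.ceil((hi - lo) / (2 * delta) - 1e-9)))]
            for lo, hi in box]
    return list(itertools.product(*axes))

def verify_invariant(init_box, invariant, horizon, delta, h=0.01, max_depth=6):
    """C2E2-style loop: cover the initial set, check each ball, refine on 'unknown'.
    Returns (verdict, number of simulations performed)."""
    n = len(init_box)
    work = [(c, delta, 0) for c in cover(init_box, delta)]
    sims = 0
    while work:
        c, d, depth = work.pop()
        sims += 1
        verdict = check_ball(c, d * math.sqrt(n), invariant, horizon, h)  # cube lies in the 2-norm ball
        if verdict == "safe":
            continue
        if verdict == "unsafe":
            return "violated", sims
        if depth >= max_depth:
            return "unknown", sims
        # Finer cover of the cube: 2^n sub-cubes of half the width
        work.extend((tuple(ci + s * d / 2 for ci, s in zip(c, signs)), d / 2, depth + 1)
                    for signs in itertools.product((-1.0, 1.0), repeat=n))
    return "satisfied", sims

INIT = ((0.9, 1.1), (-0.1, 0.1))          # constructed initial set (measurement uncertainty)
INV_HOLDS = ((-0.5, 1.13), (-0.5, 0.5))   # holds, but the first cover is too coarse to show it
INV_FAILS = ((0.5, 2.0), (-0.5, 0.5))     # violated: every trajectory decays below x1 = 0.5

if __name__ == "__main__":
    print(verify_invariant(INIT, INV_HOLDS, 2.0, 0.1))   # ('satisfied', 5)
    print(verify_invariant(INIT, INV_FAILS, 2.0, 0.1))   # ('violated', 1)
```

The two runs mirror the behaviour reported for the powertrain properties: for the invariant that holds, the bloated tube from the single coarse cube straddles the bound \(x_1 \le 1.13\), so the cube is split into four, each of which is then proven safe (five simulations in total); for the invariant that fails, the very first tube is entirely below \(x_1 = 0.5\) at some step, so the run terminates after one simulation with a counterexample, which is why falsified properties take far fewer simulations than verified ones.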

### 3.1 Tool Implementation and Engineering

*Implementation.* For verifying the powertrain system, we implemented the local discrepancy algorithm in C2E2^{1}. This modified implementation only requires the user to supply the Jacobian matrix of the system. The eigenvalues of the symmetric part of the Jacobian are computed using the Eigen library [9]. For maximizing the norm of the error matrices our implementation uses interval arithmetic.

*Coordinate Transformation.* An important technical detail that makes the implementation scale is the coordinate transformation proposed in [10]. For Jacobian matrices with complex eigenvalues, the local discrepancy computed directly using the above algorithm can be a positive exponential even though the actual trajectories are not diverging. This problem can be avoided by first computing a local coordinate transformation and then applying the algorithm. The coordinate transformation provides better convergence, but comes with a multiplicative cost in the error term. This trade-off between the exponential divergence rate and the multiplicative error has to be tuned by choosing the time horizon over which the coordinate transformation is computed.

*Model Reduction.* In the *startup* and *power* modes of the system, the differential equation does not update the value of the integrator variable *i*, i.e., \(\dot{i} = 0\). Moreover, *i* does not appear in the right hand side of the differential equations for the variables *p*, \(\lambda \), \(p_e\). We take advantage of these observations and consider only the dynamics of the variables *p*, \(\lambda \), and \(p_e\) for computing local discrepancy.

## 4 Experimental Results on Powertrain Challenge

Table 1. Result and time taken for verifying the STL specifications of the powertrain control system. Sat: satisfied; Sim: number of simulations performed. All experiments were performed on an Intel Quad-Core i7 processor with 8 GB RAM, running Ubuntu 11.10.

Property | Mode | Sat | Sim | Time
---|---|---|---|---
\(\square _{[T_s,T]} \lambda \in [0.8\lambda _{ref},1.2\lambda _{ref}]\) | | yes | 53 | 11 m 58 s
\(\square _{[0,T_s]} \lambda \in [0.8 \lambda _{ref},1.2\lambda _{ref}]\) | | yes | 50 | 10 m 21 s
\(\square _{[T_s,T]} \lambda \in [0.95 \lambda _{ref},1.05\lambda _{ref}]\) | | yes | 50 | 10 m 28 s
\(\square _{[T_s,T]} \lambda \in [0.8 \lambda _{ref}^{pwr},1.2\lambda _{ref}^{pwr}]\) | | yes | 53 | 11 m 12 s
\(\square _{[0,T_s]} \lambda \in [0.98 \lambda _{ref},1.02\lambda _{ref}]\) | | no | 2 | 0 m 24 s
\(\square _{[T_s,T]} \lambda \in [0.9 \lambda _{ref}^{pwr},1.1\lambda _{ref}^{pwr}]\) | | no | 4 | 0 m 43 s
\(rise \Rightarrow \square _{(\eta , \zeta )} \lambda \in [0.9 \lambda _{ref},1.1\lambda _{ref}]\) | | yes | 50 | 10 m 40 s
\(rise \Rightarrow \square _{(\eta , \zeta )} \lambda \in [0.98 \lambda _{ref},1.02\lambda _{ref}]\) | | yes | 50 | 10 m 15 s
\((\ell = power) \Rightarrow \square _{(\eta ^{pwr}, \zeta )} \lambda \in [0.95 \lambda _{ref}^{pwr},1.05\lambda _{ref}^{pwr}]\) | | yes | 53 | 11 m 35 s
\((\ell = power) \Rightarrow \square _{(\eta ^{s}, \zeta )} \lambda \in [0.95 \lambda _{ref}^{pwr},1.05\lambda _{ref}^{pwr}]\) | | no | 4 | 0 m 45 s

The first six properties in Table 1 are invariant properties. These invariants can be global (i.e., apply to all modes) or restricted to a certain mode of operation, given in the *Mode* column. The invariants assert that the air-fuel ratio should not go out of the specified bounds. Observe that C2E2 could not only prove that the given specification is satisfied, but also show that a stricter version of the invariants for the *startup* and *power* modes is violated. The next four properties are settling time requirements. These requirements enforce that in a given mode, whenever an action is triggered, the air-fuel ratio should be in the given range after \(\eta \) (or \(\eta ^{pwr}\) for the power mode) time units. Similarly to the invariant properties, C2E2 could also find a counterexample for a stricter version of the settling time requirement (settling time \(\eta ^s\) instead of \(\eta \)) in the *power* mode. When C2E2 finds an over-approximation that violates a given property, it terminates immediately; hence C2E2 takes less time when it finds counterexamples. The parameters used for verification are \(\eta = \eta ^{pwr} = 1\), \(\eta ^s = 0.5\), \(T_s = 9\), \(T = 20\), \(\lambda _{ref} = 14.7\), \(\lambda _{ref}^{pwr} = 12.5\), and \(\zeta = 4\). The set of reachable states of the powertrain control system for a given driver behavior is shown in Fig. 2.

## 5 Conclusions and Future Work

In this paper, we have successfully applied the simulation-based verification technique with local discrepancy functions to find counterexamples and to verify the polynomial hybrid automata model of the powertrain benchmark challenge. This case study suggests that verification using on-the-fly discrepancy functions along with the coordinate transformation can handle complex nonlinear dynamics. In the future, we wish to extend these techniques to handle the higher fidelity models in the powertrain verification challenge. These models contain delay differential equations, actuation delays, and lookup tables, which C2E2 cannot currently handle.

## Footnotes

1. The modified tool and related files are available from http://publish.illinois.edu/c2e2-tool/powertrain-challenge/.

## Acknowledgment

We thank Jim Kapinski, Jyo Deshmukh, and Xiaoqing Jin of Toyota for several useful discussions on the powertrain models. This research is funded by research grants from the National Science Foundation (grant: CAR 1054247 and NSF CSR 1016791) and the Air Force Office of Scientific Research (AFOSR YIP FA9550-12-1-0336).

## References

- 1. Angeli, D.: A Lyapunov approach to incremental stability properties. IEEE Trans. Autom. Control **47**(3), 410–421 (2000)
- 2. Annpureddy, Y., Liu, C., Fainekos, G., Sankaranarayanan, S.: S-TaLiRo: a tool for temporal logic falsification for hybrid systems. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 254–257. Springer, Heidelberg (2011)
- 3. Chen, X., Ábrahám, E., Sankaranarayanan, S.: Flow*: an analyzer for non-linear hybrid systems. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 258–263. Springer, Heidelberg (2013)
- 4. Donzé, A.: Breach, a toolbox for verification and parameter synthesis of hybrid systems. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 167–170. Springer, Heidelberg (2010)
- 5. Dreossi, T., Dang, T., Donzé, A., Kapinski, J., Jin, X., Deshmukh, J.V.: Efficient guiding strategies for testing of temporal properties of hybrid systems. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NFM 2015. LNCS, vol. 9058, pp. 127–142. Springer, Heidelberg (2015)
- 6. Duggirala, P.S., Mitra, S., Viswanathan, M.: Verification of annotated models from executions. In: Proceedings of the International Conference on Embedded Software, EMSOFT 2013, pp. 1–10. IEEE (2013)
- 7. Duggirala, P.S., Mitra, S., Viswanathan, M., Potok, M.: C2E2: a verification tool for Stateflow models. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 68–82. Springer, Heidelberg (2015)
- 8. Duggirala, P.S., Wang, L., Mitra, S., Viswanathan, M., Muñoz, C.: Temporal precedence checking for switched models and its application to a parallel landing protocol. In: Jones, C., Pihlajasaari, P., Sun, J. (eds.) FM 2014. LNCS, vol. 8442, pp. 215–229. Springer, Heidelberg (2014)
- 9. Eigen, a C++ template library for linear algebra. http://eigen.tuxfamily.org. Accessed Feb 2015
- 10. Fan, C., Mitra, S.: Bounded verification using on-the-fly discrepancy computation. Technical report UILU-ENG-15-2201, Coordinated Science Laboratory, University of Illinois at Urbana-Champaign (2015)
- 11. Jin, X., Deshmukh, J.V., Kapinski, J., Ueda, K., Butts, K.: Benchmarks for model transformations and conformance checking. In: 1st International Workshop on Applied Verification for Continuous and Hybrid Systems (ARCH) (2014)
- 12. Jin, X., Deshmukh, J.V., Kapinski, J., Ueda, K., Butts, K.: Powertrain control verification benchmark. In: Proceedings of the 17th International Conference on Hybrid Systems: Computation and Control, pp. 253–262. ACM (2014)
- 13. Jin, X., Donzé, A., Deshmukh, J.V., Seshia, S.A.: Mining requirements from closed-loop control models. In: Proceedings of the 16th International Conference on Hybrid Systems: Computation and Control, pp. 43–52. ACM (2013)
- 14. Jin, X., Donzé, A., Deshmukh, J.V., Seshia, S.A.: Mining requirements from closed-loop control models. In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (2016, to appear)
- 15. Lohmiller, W., Slotine, J.J.E.: On contraction analysis for non-linear systems. Automatica **36**(4), 683–696 (1998)