Invisible Formal Methods for Embedded Control Systems

Ashish Tiwari, N. Shankar, and John Rushby

© Copyright Proceedings of the IEEE . This paper appears in the Special issue on Modeling and Design of Embedded Software.

Abstract

Embedded control systems typically comprise continuous control laws combined with discrete mode logic. The Simulink graphical environment of MathWorks' tool suite is a popular choice for modeling and designing embedded controllers. Mode logic in Simulink models is described in terms of hierarchical state machines specified in a variant of Statecharts called Stateflow. The semantics of Stateflow is quite complex and it is valuable if these designs can be formally analyzed for both early error detection and positive assurance. It is important that formal analysis should be unobtrusive and acceptable to engineering practice. We motivate a methodology called ``invisible formal methods'' that provides a graded sequence of formal analysis technologies ranging from extended typechecking, through approximation and abstraction, to model checking and theorem proving. As an instance of invisible formal methods, we describe the formal semantics of a fragment of Stateflow based on a modular representation called {\em communicating pushdown automata}. We show how this semantics can be used to analyze simple properties of Stateflow models.

pdf

BibTeX Entry


@article{TiwariShankarRushby02,
	TITLE = {Invisible formal methods for embedded control systems},
	AUTHOR = {A. Tiwari and N. Shankar and J. Rushby},
	JOURNAL = {Proceedings of the {IEEE}},
	EDITOR = {Sastry, S. and Sztipanovits, J. and Bajcsy, R. and Gill, H.},
	PAGES = "29--39",
	VOLUME = 91,
	NUMBER = 1,
	MONTH = jan,
	YEAR = 2003
}


Return to the Formal Methods Program home page
Return to the Computer Science Laboratory home page