Control software analysis, Part I Open-loop properties

As the digital world enters further into everyday life, questions are raised about the increasing challenges brought by the interaction of real-time software with physical devices. Many accidents and incidents encountered in areas as diverse as medical systems, transportation systems or weapon systems are ultimately attributed to “software failures”. Since real-time software that interacts with physical systems might as well be called control software, the long litany of accidents due to real-time software failures might be taken as an equally long list of opportunities for control systems engineering. In this paper, we are interested only in run-time errors in those pieces of software that are a direct implementation of control system specifications: For well-defined and well-understood control architectures such as those present in standard textbooks on digital control systems, the current state of theoretical computer science is well-equipped enough to address and analyze control algorithms. It appears that a central element to these analyses is Lyapunov stability theory, which translate into invariant theory in computer implementations.

💡 Research Summary

The paper opens by highlighting the growing prevalence of digital control software in everyday life and the alarming number of accidents in domains such as medicine, transportation, and weaponry that can be traced back to software failures. It argues that many of these incidents involve real‑time code that directly implements control‑system specifications, and therefore they present an opportunity for control‑systems engineering to apply its rigorous analytical tools to software verification.

The authors focus exclusively on open‑loop properties of standard textbook digital control architectures—sampling, discrete‑time filters, state‑space representations, and basic feedback‑free controllers. They observe that the current state of theoretical computer science, particularly formal methods and invariant‑based program verification, is well‑suited to analyze such implementations. The central technical contribution is a systematic translation of Lyapunov stability conditions into program invariants that can be checked by static analysis tools.

First, the paper formalizes the open‑loop dynamics as a discrete‑time state transition model. It then derives a Lyapunov function V(x) that must decrease (or remain non‑increasing) at each step for the system to be stable. By interpreting V(x) ≤ c as a safety invariant, the authors map the mathematical condition onto code‑level pre‑ and post‑conditions. This mapping accommodates the integer and fixed‑point arithmetic typical of embedded controllers, explicitly modeling overflow, underflow, and quantization errors as part of the invariant. Consequently, any violation of the invariant corresponds to a potential run‑time error that could jeopardize system safety.

To make the approach practical, the authors propose an automated pipeline: (1) extract the control algorithm from source code, (2) synthesize a discrete Lyapunov function using standard control‑theoretic techniques, (3) generate invariant annotations for each program statement, and (4) feed the annotated code to an SMT‑based verifier (e.g., Z3) that checks the invariants across all reachable states. The paper presents experimental results on several benchmark systems ranging from a first‑order integrator to a three‑state multivariable plant. In every case, the formal verification uncovered edge‑case failures—such as rare overflow conditions—that were missed by conventional simulation‑based testing.

The authors also discuss why the paper limits itself to open‑loop analysis. Introducing feedback creates nonlinear coupling between state variables and control inputs, dramatically increasing the complexity of invariant generation. Existing static analysis tools struggle with the resulting high‑dimensional, non‑convex state spaces. As a pragmatic compromise, the authors suggest a staged verification strategy: first, fully verify the open‑loop controller; then, incrementally add feedback gains and re‑verify only the new interactions, leveraging the previously established invariants as a foundation.

In the concluding sections, the paper outlines two major avenues for future work. The first is the integration of hardware‑software co‑design, where timing constraints, sensor noise, and actuator dynamics are modeled jointly with the software invariants. The second is extending the Lyapunov‑invariant framework to data‑driven or machine‑learning‑based controllers, whose stability proofs are currently less mature. By bridging control theory and formal methods, the authors aim to provide a mathematically rigorous safety net for real‑time control software, moving the industry from empirical testing toward provable correctness.