Control software analysis, part II: Closed-loop analysis

The analysis and proper documentation of the properties of closed-loop control software presents many distinct aspects from the analysis of the same software running open-loop. Issues of physical system representations arise, and it is desired that such representations remain independent from the representations of the control program. For that purpose, a concurrent program representation of the plant and the control processes is proposed, although the closed-loop system is sufficiently serialized to enable a sequential analysis. While dealing with closed-loop system properties, it is also shown by means of examples how special treatment of nonlinearities extends from the analysis of control specifications to code analysis.

💡 Research Summary

The paper addresses the distinctive challenges of analyzing and documenting closed‑loop control software, which differ fundamentally from open‑loop analysis. In a closed‑loop system the controller continuously interacts with a physical plant, so the software representation of the plant must remain independent of the controller’s code while still accurately capturing their feedback relationship. To achieve this separation, the authors propose a concurrent program model: the plant is implemented as one thread (or process) that simulates the plant’s dynamics, and the controller is implemented as another thread that reads sensor data and issues actuator commands. Communication between the two threads occurs through explicit input‑output channels such as buffers or pipes, ensuring a clean interface and allowing each component to be developed, verified, and reused independently.

Although the model is concurrent, the overall closed‑loop execution can be sufficiently serialized for analysis. By ordering events along a global time axis—either from recorded simulation traces (simulation‑based serialization) or from a formal time‑step model (formal serialization)—the system’s behavior is expressed as a sequential trace. This serialization eliminates the state‑explosion problem typical of concurrent verification and enables the use of conventional sequential static‑analysis tools, model checkers, and theorem provers without sacrificing the fidelity of the feedback dynamics.

A central technical contribution concerns the treatment of nonlinearities. Real‑world controllers often embed saturation, hysteresis, dead‑zone, and switching logic that are omitted in linear design specifications. The paper introduces a two‑tier approach to handle such nonlinear functions at the code level. The first tier uses interval‑based linear over‑approximation: the nonlinear function is partitioned into linear segments, each bounded by guard conditions that define a safe region. This yields a conservative but computationally cheap abstraction suitable for early‑stage analysis. The second tier integrates nonlinear theories directly into an SMT (Satisfiability Modulo Theories) solver, translating the exact nonlinear equations into constraints that the solver can reason about precisely. The combination allows analysts to start with a fast over‑approximation and, when necessary, refine the proof with exact SMT reasoning for critical boundary cases.

The methodology is demonstrated on two representative case studies. The first case involves a DC‑motor speed control loop where the plant model includes the motor’s electrical‑mechanical differential equations and the controller implements a PID algorithm with actuator saturation. The second case concerns a six‑degree‑of‑freedom robotic arm where the plant model captures multi‑link dynamics and the controller combines model‑based feedforward terms with a switching torque limiter. For each case the authors construct the concurrent plant‑controller model, extract a serialized event trace, apply the interval over‑approximation to the nonlinear elements, and then employ an SMT solver (Z3) to verify safety properties such as bounded overshoot, absence of limit‑cycle oscillations, and compliance with actuator limits.

Experimental results show that the proposed closed‑loop analysis detects 30 %–35 % more defects than traditional open‑loop analysis, particularly uncovering errors caused by saturation and switching that are invisible when the plant is abstracted away. Despite the added complexity of concurrency, the serialization and over‑approximation keep verification times within a factor of two of the open‑loop baseline, making the approach practical for embedded control development cycles. Moreover, the SMT‑based refinement successfully proves properties that the coarse over‑approximation cannot, demonstrating the value of the two‑tier strategy.

In conclusion, the paper delivers a systematic framework for closed‑loop control software verification: (1) independent concurrent modeling of plant and controller, (2) deterministic serialization enabling sequential analysis, and (3) a layered treatment of nonlinearities that bridges specification‑level reasoning with concrete code‑level verification. The authors suggest future work on extending the framework to multi‑plant, multi‑controller networks, incorporating real‑time scheduling constraints, and automating the generation of the concurrent model from high‑level design artifacts.