Using Ellipsoidal Domains to Analyze Control Systems Software
We propose a methodology for the automatic verification of safety properties of controllers based on dynamical systems, such as those typically used in avionics. In particular, our focus is on proving stability properties of software implementing linear and some non-linear controllers. We develop an abstract interpretation framework that follows closely the Lyapunov methods used in proofs at the model level and describe the corresponding abstract domains, which for linear systems consist of ellipsoidal constraints. These ellipsoidal domains provide abstractions for the values of state variables and must be combined with other domains that model the remaining variables in a program. Thus, the problem of automatically assigning the right type of abstract domain to each variable arises. We provide an algorithm that solves this classification problem in many practical cases and suggest how it could be generalized to more complicated cases. We then find a fixpoint by solving a matrix equation, which in the linear case is just the discrete Lyapunov equation. Contrary to most cases in software analysis, this fixpoint cannot be reached by the usual iterative method of propagating constraints until saturation and so numerical methods become essential. Finally, we illustrate our methodology with several examples.
💡 Research Summary
The paper presents a novel methodology for the automatic verification of safety properties—specifically stability—of software that implements controllers for dynamical systems, with a focus on avionics‑grade linear and certain nonlinear controllers. The authors bridge the gap between classical Lyapunov‑based stability proofs performed at the model level and static program analysis by constructing an abstract interpretation framework that directly mirrors Lyapunov reasoning.
At the heart of the framework lies an “ellipsoidal domain” that abstracts the set of possible values of continuous state variables as an ellipsoid defined by a positive‑definite matrix P. This geometric representation is equivalent to a quadratic Lyapunov function V(x)=xᵀPx, and the condition that V decreases along system trajectories translates into the requirement that each discrete transition maps the ellipsoid into itself. Consequently, proving stability reduces to finding a fixed‑point ellipsoid that satisfies the discrete Lyapunov equation P = A P Aᵀ + Q for linear systems, where A is the state‑transition matrix and Q captures input or disturbance energy.
Real‑world control software, however, also manipulates discrete variables (counters, flags, integer indices) that cannot be captured by ellipsoids. The authors therefore combine the ellipsoidal domain with traditional abstract domains such as intervals and polynomial relations. A key contribution is an automatic classification algorithm that inspects variable declarations, the nature of operations applied to each variable, and data‑flow dependencies to assign each variable either to the continuous ellipsoidal domain or to an appropriate discrete domain. The algorithm recognises pure linear transformations, scalar multiplications, and limited nonlinear functions (e.g., saturation) and tags variables accordingly.
For linear controllers the fixed point cannot be reached by the usual iterative constraint propagation, because ellipsoidal constraints involve matrix operations that are not monotone in the abstract lattice. Instead, the authors solve the discrete Lyapunov equation directly using numerical linear‑algebra techniques (Schur decomposition, Bartels‑Stewart algorithm, or specialized Lyapunov solvers). This yields an exact P matrix, which is then used as the abstract element for all subsequent program statements. The paper discusses numerical stability, exploitation of symmetry and sparsity, and strategies for reducing computational cost in high‑dimensional systems.
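As an added worked example (not code from the paper or its authors), the linear-case fixed point described in the two paragraphs above: the discrete Lyapunov equation is solved directly for P rather than by iterating, then P is checked to be positive definite and the loop body x := A x is checked to map the ellipsoid {x : xᵀPx ≤ 1} into itself. The equation is written here as AᵀPA − P = −Q, which is the page's P = A P Aᵀ + Q with A transposed so that the solution is the matrix of V(x) = xᵀPx; A_STABLE and Q_IDENTITY are constructed sample values, and the dense n²×n² unfolding stands in for the Schur-based solvers the paper uses.

```python
import math

A_STABLE = [[0.9, 0.2], [-0.1, 0.8]]  # constructed 2-D example: stable, spectral radius about 0.86
Q_IDENTITY = [[1.0, 0.0], [0.0, 1.0]]  # constructed: Q = I

def quad(P, x):
    """Lyapunov function V(x) = x^T P x."""
    return sum(x[i] * P[i][j] * x[j] for i in range(len(x)) for j in range(len(x)))

def solve_linear(M, b):
    """Gauss-Jordan elimination with partial pivoting; returns x with M x = b."""
    n, M = len(b), [row[:] + [b[i]] for i, row in enumerate(M)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[piv][c]) < 1e-12:
            raise ValueError("singular: a product of two eigenvalues of A equals 1, no unique P")
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [M[r][k] - f * M[c][k] for k in range(n + 1)]
    return [M[i][n] / M[i][i] for i in range(n)]

def solve_discrete_lyapunov(A, Q):
    """Exact solution of A^T P A - P = -Q, unfolded into an n^2 x n^2 linear system:
    the coefficient of P[k][l] in entry (i, j) of A^T P A is A[k][i] * A[l][j]."""
    n = len(A)
    M = [[0.0] * (n * n) for _ in range(n * n)]
    for i in range(n):
        for j in range(n):
            for k in range(n):
                for l in range(n):
                    M[i * n + j][k * n + l] += A[k][i] * A[l][j]
            M[i * n + j][i * n + j] -= 1.0  # the "- P" term
    p = solve_linear(M, [-Q[i][j] for i in range(n) for j in range(n)])
    return [[p[i * n + j] for j in range(n)] for i in range(n)]

def is_positive_definite_2d(P):
    """Sylvester's criterion for 2x2: P defines an ellipsoid only if both leading minors are > 0."""
    return P[0][0] > 0.0 and P[0][0] * P[1][1] - P[0][1] * P[1][0] > 0.0

def worst_case_step(A, P, samples=720):
    """Largest V(Ax) over boundary points V(x) = 1 (2-D): below 1 means the loop body x := A x
    maps the ellipsoid strictly inside itself, so the ellipsoid is a loop invariant."""
    worst = 0.0
    for s in range(samples):
        d = [math.cos(2 * math.pi * s / samples), math.sin(2 * math.pi * s / samples)]
        x = [c / math.sqrt(quad(P, d)) for c in d]  # scale the direction onto V(x) = 1
        worst = max(worst, quad(P, [sum(A[i][j] * x[j] for j in range(2)) for i in range(2)]))
    return worst
```

For an unstable A the equation still has a unique solution, but it fails the positive-definiteness check, which is exactly the signal that no ellipsoidal invariant of this form exists.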
When dealing with nonlinear controllers, the methodology extends by linearising the nonlinear mapping around the current operating point (first‑order Taylor expansion) and enclosing the linearisation error within an additional ellipsoidal constraint. This “linear + error ellipsoid” model preserves the Lyapunov decrease condition while faithfully representing bounded nonlinear effects such as actuator saturation. The authors also show how to map piecewise‑linear or bounded nonlinear functions directly onto ellipsoidal boundaries, thereby avoiding excessive conservatism.
The effectiveness of the approach is demonstrated through four case studies: (1) a simple two‑dimensional linear system, where the computed ellipsoid matches the analytical Lyapunov solution; (2) a six‑degree‑of‑freedom aircraft attitude control loop, illustrating scalability to high‑order systems and confirming that the software implementation respects the stability margin; (3) a controller with saturation nonlinearity, where the combined linear‑plus‑error ellipsoid detects potential overflow conditions missed by conventional static analyzers; and (4) a hybrid system that mixes linear dynamics, a bounded nonlinear element, and discrete counters, showcasing the automatic domain classification and the ability to complete the analysis in seconds.
In summary, the paper delivers a practical static‑analysis framework that translates Lyapunov‑based stability arguments into concrete abstract‑interpretation operations. By introducing ellipsoidal domains, providing a robust numerical solution for the fixed‑point computation, and automating the assignment of abstract domains to program variables, the authors enable precise, scalable verification of control‑software safety. Future work is outlined to handle higher‑order nonlinear approximations, more complex data‑flow patterns, and online verification for real‑time embedded controllers.