Model Based Synthesis of Control Software from System Level Formal Specifications
Many Embedded Systems are indeed Software Based Control Systems, that is control systems whose controller consists of control software running on a microcontroller device. This motivates investigation on Formal Model Based Design approaches for automatic synthesis of embedded systems control software. We present an algorithm, along with a tool QKS implementing it, that from a formal model (as a Discrete Time Linear Hybrid System) of the controlled system (plant), implementation specifications (that is, number of bits in the Analog-to-Digital, AD, conversion) and System Level Formal Specifications (that is, safety and liveness requirements for the closed loop system) returns correct-by-construction control software that has a Worst Case Execution Time (WCET) linear in the number of AD bits and meets the given specifications. We show feasibility of our approach by presenting experimental results on using it to synthesize control software for a buck DC-DC converter, a widely used mixed-mode analog circuit, and for the inverted pendulum.
💡 Research Summary
The paper addresses the challenge of automatically synthesizing correct‑by‑construction control software for embedded systems whose controller runs on a microcontroller (Software‑Based Control Systems, SBCS). Traditional design separates control engineering (deriving a control law and a controllable region) from software engineering (implementing the law), which leads to three major drawbacks: (1) the control law is usually derived without accounting for quantization effects introduced by the Analog‑to‑Digital (AD) conversion, so there is no formal guarantee that the closed‑loop system will satisfy safety and liveness specifications after implementation; (2) worst‑case execution time (WCET) of the generated code is only examined after the software is written, often revealing that the code cannot meet the sampling period, forcing costly redesign; and (3) the separation limits design‑space exploration, preventing systematic trade‑offs among AD resolution, memory usage, CPU power, and other resources.
To overcome these issues, the authors model the plant as a Discrete‑Time Linear Hybrid System (DTLHS). A DTLHS consists of continuous and discrete state variables, input variables, auxiliary variables, and a transition relation expressed as a conjunction of linear constraints. System‑level safety and liveness requirements are represented as linear predicates (sets of states). The synthesis problem is: given a DTLHS model, a quantization scheme (i.e., the number of AD bits), and the safety/liveness predicates, automatically generate control software whose WCET grows linearly with the number of AD bits and that provably satisfies the specifications.
The authors prove that, in general, the existence of a controller for a DTLHS (and the existence of a quantized controller) is undecidable. Consequently they propose a semi‑complete algorithm that computes a sufficient condition and a necessary condition for the existence of a solution. The algorithm discretizes the continuous state space according to the chosen AD resolution, builds a finite abstraction (a grid), and performs a backward reachability analysis using Mixed‑Integer Linear Programming (MILP) and Binary Decision Diagrams (BDDs) (via the CUDD library). If the sufficient condition holds, the algorithm constructs two C functions: (i) Control_Law, which implements a Quantized Feedback Controller (QFC) that maps quantized sensor readings to actuator commands, and (ii) Controllable_Region, which decides whether the current quantized state lies inside the region where the controller is guaranteed to work. Both functions have a provably linear WCET with respect to the number of AD bits, and the controller is robust to bounded nondeterministic disturbances in plant parameters.
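To make the grid abstraction and backward reachability idea concrete, the following Python sketch is an added illustration (not the paper's algorithm, nor QKS code: no MILP or BDDs, just explicit cell sets) for a constructed one-dimensional plant with an on/off input and a bounded disturbance; the plant constants, goal band and safety bound are assumed. It first keeps the goal cells a controller can hold forever (safety, greatest fixpoint), then adds the safe cells from which some input forces every successor into the region found so far (liveness, least fixpoint), and exposes the result as table-driven stand-ins for the paper's Control_Law and Controllable_Region.

```python
# Added illustration, not code from the paper or QKS. Constructed toy plant:
# x' = A*x + B*u + d, on/off input u, bounded disturbance |d| <= D (assumed values).
A, B, D = 0.8, 0.2, 0.01
U = (0.0, 1.0)

def cells(bits):          # uniform grid over [0, 1]: one cell per AD reading
    n = 2 ** bits
    return [(i / n, (i + 1) / n) for i in range(n)]

def quantize(x, bits):    # AD conversion: plant state -> cell index
    n = 2 ** bits
    return min(n - 1, max(0, int(x * n)))

def synthesize(bits, goal, safe):
    """Return (controllable cell indices, cell -> u table) for reach-and-stay in goal."""
    grid = cells(bits)

    def move(i, target):
        # A u whose successors from *every* state of cell i, under any disturbance,
        # lie in the union of target cells; None if no such u exists.
        for u in U:
            lo, hi = A * grid[i][0] + B * u - D, A * grid[i][1] + B * u + D
            if 0 <= lo and hi <= 1 and all(j in target for j in
                                          range(quantize(lo, bits), quantize(hi, bits) + 1)):
                return u
        return None

    inside = lambda c, box: box[0] <= c[0] and c[1] <= box[1]
    safe_cells = {i for i, c in enumerate(grid) if inside(c, safe)}
    inv = {i for i in safe_cells if inside(grid[i], goal)}
    while True:  # greatest fixpoint: goal cells the controller can hold forever (safety)
        kept = {i for i in inv if move(i, inv) is not None}
        if kept == inv:
            break
        inv = kept
    law = {i: move(i, inv) for i in inv}
    region = set(inv)
    while True:  # least fixpoint: safe cells that can force entry in one step (liveness)
        new = {i for i in safe_cells - region if move(i, region) is not None}
        if not new:
            return region, law
        law.update({i: move(i, region) for i in new})
        region |= new

def make_controller(bits, law):
    # Table-driven stand-ins for the paper's Control_Law / Controllable_Region functions.
    table = [law.get(i) for i in range(2 ** bits)]
    return (lambda x: table[quantize(x, bits)] is not None,   # Controllable_Region
            lambda x: table[quantize(x, bits)])               # Control_Law
```

With 4 AD bits, a goal band of [0.375, 0.625] and a safety bound of x <= 0.875, every safe cell turns out controllable, and the two cells above the bound are excluded; because each added cell steps into a previously found set, the closed loop reaches the goal in finitely many steps from anywhere in the region.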
The implementation, called QKS (Quantized feedback Kontrol Synthesizer), integrates the algorithm with the CUDD package for BDD manipulation and the GLPK MILP solver. QKS takes as input a DTLHS description, the AD bit‑width, and the safety/liveness predicates, and outputs the two C functions together with the computed controllable region. The authors evaluate QKS on two benchmark systems:
- Buck DC‑DC Converter – a widely used mixed‑mode analog circuit. Using a 10‑bit quantization, QKS synthesizes the controller within roughly 40 CPU‑hours and 100 MB of RAM. The resulting software achieves settling times and voltage ripple comparable to state‑of‑the‑art designs reported in power‑electronics literature, while its WCET (well below 1 µs) comfortably fits a 100 kHz sampling period.
- Inverted Pendulum – a classic nonlinear control benchmark. QKS successfully generates a robust controller with 8‑bit quantization, demonstrating that the method can handle systems with significant dynamics and disturbances.
Both case studies confirm computational feasibility (reasonable CPU time and memory) and satisfactory closed‑loop performance (fast settling, low ripple, robustness). Moreover, the explicit controllable region provides designers with insight into the admissible operating envelope, facilitating further design‑space exploration.
In summary, the paper contributes a formal model‑based synthesis framework that simultaneously addresses quantization, real‑time execution constraints, and system‑level safety/liveness guarantees. By integrating formal verification techniques (MILP feasibility, BDD abstraction) with automatic code generation, the approach eliminates the need for post‑hoc WCET analysis and redesign, thereby reducing development cost and increasing reliability of embedded control software. Future work is suggested on extending the method to nonlinear hybrid systems, multi‑objective optimization, and tighter integration with compiler‑level optimizations.