Meeting a Powertrain Verification Challenge

We present the verification of a benchmark powertrain control system using the hybrid system verification tool C2E2. This model comes from a suite of benchmarks that were posed as a challenge problem for the hybrid systems community, and to our knowledge, we are reporting its first verification. For this work, we implemented the algorithm reported in [9] in C2E2, to automatically compute local discrepancy (rate of convergence or divergence of trajectories) of the model. We verify the key requirements of the model, specified in signal temporal logic (STL), for a set of driver behaviors. 1 A Challenge Problem As the targets for fuel efficiency, emissions, and drivability become more demanding, automakers are becoming interested in pushing the design automation and verification technologies for automotive control systems.The benchmark suite of powertrain control systems were published in [11,10] as challenge problems that capture some of the difficulties that arise in verification of realistic systems. It consists of a sequence of SimulinkTM/StateflowTM models of the engine with increasing levels of sophistication and fidelity. At a high-level, the models take inputs from a driver (throttle angle) and the environment (sensor failures), and define the dynamics of the engine. The key controlled quantity is the air to fuel ratio which in turn influences the emissions, the fuel efficiency, and torque generated. The requirements for the system are stated in signal temporal logic (STL). A typical property, for example, 3t(x ∈ [xeq − , xeq + ]), states that after t units of time, the continuous variable x is within the range xeq ± . Breach [3] and STaliro [2] have been used for finding counterexamples (or falsifying) models in [13,11,12,4]. These techniques can show the presence of executions that violate a requirement, but not their absence. The technique used in this paper proves that all the executions from a given set of initial states and a set of switching signals satisfies (or violates) the requirement. To the best of our knowledge, this is the first time a model in the powertrain control benchmark is verified. The model we consider in this paper is polynomial hybrid automata model (Model 3, Section 3.3) of [11]. Although this model is given as a SimulinkTM diagram with switch blocks, it can be transformed to a hybrid automaton with 4 locations and 5 continuous variables. The dynamics of the system is given by