Verifying Simulink Diagrams Via A Hybrid Hoare Logic Prover

Liang Zou, Naijun Zhan and Shuling Wang
State Key Lab. of Comp. Sci.
Institute of Software
Chinese Academy of Sciences
{zoul,znj,wangsl}@ios.ac.cn
2nd. author

Martin Fränzle
Department of Information
Oldenburg University
fraenzle@informatik.uni-oldenburg.de

Shengchao Qin
School of Computing
Teesside University
s.qin@tees.ac.uk

ABSTRACT

Simulink is an industrial de-facto standard for building executable models of embedded systems and their environments, facilitating validation by simulation. Due to the inherent incompleteness of this form of system validation, complementing simulation by formal verification would be desirable. A prerequisite for such an approach is a formal semantics of Simulink’s graphical models. In this paper, we show how to encode Simulink diagrams into Hybrid CSP (HCSP), a formal modelling language encoding hybrid system dynamics by means of an extension of CSP. The translation from Simulink to HCSP is fully automatic. We furthermore discuss how to utilize a Hybrid Hoare Logic Prover to verify the translated HCSP models. We demonstrate our approach on a combined scenario originating from the Chinese High-speed Train Control System at Level 3 (CTCS-3).

Categories and Subject Descriptors

D.2.2 [Software Engineering]: Design Tools and Techniques; I.6.4 [Simulation and Modeling]: Model Validation and Analysis

General Terms

Formal methods, Language transformation, Verification

Keywords

Simulink models, formal methods, Hybrid CSP, theorem proving

1. INTRODUCTION

Simulink (www.mathworks.com/products/simulink/) is an environment for the model-based analysis and design of signal-processing systems and embedded control systems. Being based on a large palette of individually simple function blocks and on their composition by continuous-time synchronous data-flow, it offers an intuitive graphical modeling language reminiscent of circuit diagrams and thus appealing to the practicing engineer. As the circuit analogy renders reasoning about large numbers of concurrently operating, intertwined signal paths relatively easy —compared to, e.g., programming-like notations—, Simulink-based modeling, analysis, and design has become a de-facto standard in the embedded systems industry. Abstracting from the necessary iterations for bug fixing, a prototypical design flow here involves (1.) building the model of environment and embedded system (ES) functionality over abstract (mostly continuous) time, (2.) simulating the model, (3.) analyzing the simulation results, (4.) refining the time model of the ES by adding sampling times, phase delays, (de-)activation conditions, etc., (5.) redoing simulation and interpretation of simulation results, (6.) code generation and deployment, involving decisions on the actual amount of concurrency to be employed.

As analysis and validation within this flow is primarily based on simulation, Simulink offers a comprehensive range of numerical simulation algorithms, reflecting different compromises between system classes tackled, accuracy, and performance. Nevertheless, all of them are prone to the limitations of validation by (classical, i.e. unverified) numerical simulation, which are the intrinsically incomplete coverage of open systems and the possible unsoundness of analysis results due to numerical error. Statistical model checking (SMC, cf. e.g. [5]) deals with the first problem by means of a rigorous statistical interpretation of the simulation results without, however, addressing the soundness issue of numerical simulation. The latter could in principle be resolved by set-based verified simulation, but methods dealing with non-smooth derivatives, as frequently encountered in Simulink models, are only emerging [14] and far from able to cover realistic Simulink models. Furthermore, their performance, both wrt. runtime of simulation and conclusiveness of the conservatively overapproximate, set-valued results obtained, is likely to become prohibitive in an SMC context, leaving the issue of open systems unresolved.

The only technique currently being able to reconcile the above two issues is formal verification. The usual approach here is to translate the Simulink model into the input language of a formal verification tool for hybrid discrete-continuous systems, be it an automaton-based language [2] or a sym-
bolic description [8], and employ the corresponding verification engines. These engines pursue an exhaustive search of the state space, thus providing certificates which cover all input stimuli possible in an open system, and do increasingly apply verified arithmetic, rendering them resistant against numerical error. Given Simulink’s modeling paradigm of connecting numerous concurrently executing small blocks via continuous-time synchronous dataflow, the translated models are generally characterized by tightly coupled, fine-granular concurrency, which unfortunately is detrimental to analyzability.

In this paper, we do therefore investigate translation of Simulink into a process calculus with its richer set of composition primitives. We present an encoding of Simulink’s semantics in terms of hybrid CSP (HCSP) [10], a formal modelling language encoding hybrid system dynamics by means of an extension of CSP [9]. As analysis of HCSP models is supported by the interactive verification tool Hybrid Hoare Logic Prover, this provides a gateway to mechanized verification, which we demonstrate on a combined scenario originating from the Chinese High-speed Control System at Level 3 (CTCS-3).

Related Work.

There have been a range of work on translating Simulink into other modelling formalisms, for which analysis and verification tools are being developed. Tripakis et al [16] presents an algorithm of translating discrete-time Simulink models to Lustre, a synchronous language developed with formal semantics and a number of tools for validation and analysis. Cavalcanti et al [3] present a semantics for discrete-time Simulink diagrams using Circus, a combination of Z and CSP. Meenakshi et al [12] present an algorithm that translates a subset of Simulink into input language of model checker NuSMV. Among all the works mentioned above, continuous time models of Simulink are not considered. The most related work by Chen et al [4], translates Simulink models to a real-time specification language Timed Interval Calculus (TIC), which can directly represent and analyze continuous Simulink diagrams, and to the end, validates TIC models by a theorem prover, however, the translation is limited as it can only handle continuous blocks whose outputs can be represented explicitly by a mathematical relation on inputs. Our approach can handle all continuous blocks by using the notion of differential equations and invariants; and on the other hand, our target language is a process language, with more intuitivity and compositionality in both construction and verification.

A Simulink model can include a stateflow block, which reacts to events triggered in the Simulink model and changes the states accordingly. The formalization of such Simulink/Stateflow models has also been studied recently. Hamon et al [6] propose an operational semantics of Stateflow, which serves as a foundation for developing tools for formal analysis of Stateflow designs. As mentioned previously, Agrawal et al [2] proposes a method to translated Simulink/Stateflow models in to hybrid automata using graph translation. The target models represented by hybrid automata can then be submitted to related model checkers for formal analysis and verification, and thus get involved with the state space exploration. Tiwari [15] describes the formal semantics of Stateflow using communicating pushdown automata, for which differential equations for representing continuous are discretized by difference equations.

The reminder of this paper is organized as follows: Sec. 2 introduces Simulink graphical modelling language, and the target language HCSP, including its syntax, specification language and prover; Sec. 3 and Sec. 4 present our algorithms for translating Simulink to HCSP, and the implementation respectively; Sec. 5 illustrates our approach by verifying a combined scenario of CTCS-3; Finally, Sec. 6 draws the conclusion and the future work.

2. SIMULINK AND HYBRID CSP

In this section, we introduce Simulink, HCSP, Hybrid Hoare Logic (HHL) and its prover. For Simulink, we highlight those features that are relevant to this work, and for more details please refer to [1].

2.1 Simulink

A Simulink model contains a set of blocks, subsystems, and wires, where blocks and subsystems cooperate by sending messages through the wires between them. Figure 1 gives an example on train movement, where rounded rectangles a_in, v_out, and s_out in the figure are in-ports and out-ports for sub-systems, and represent the acceleration, velocity, and trajectory of the train respectively. The two rectangular blocks v and s are integrator blocks of the Simulink library, each of which contains a parameter to represent the initial value of the output. An integrator block outputs its initial value at the beginning and the integration of the input signal afterwards. Hence, the block v outputs the velocity of the train, which is the integration of the input acceleration a_in; and on the other hand, the block s outputs the trajectory of the train, which is the integration of the input velocity v.

![Figure 1: The plant of a train control system](image-url)
if we consider each block as a predicate relating inputs to outputs, the behavior of the whole diagram is simply specified by the conjunction of the predicates of all the blocks in the diagram. To make this idea clear, several basic rules of Simulink need to be given.

- Logical loops among discrete blocks (except for delay blocks that output the past value of a signal) are not allowed. This rule prevents the zeno phenomena, i.e., a sequence of infinite many computations that take no time.
- The outputs of a block purely depend on the inputs and parameters set by users. Hence, the outputs of a block are never used to determine its own outputs. For instance, \( x := x + 1 \) is not implementable in Simulink. However, \( y := x + 1 \) can be easily implemented in Simulink. (This rule can be seen as a special case of the previous one.)

Because of the rules mentioned above, each signal for a wire in a diagram can be specified by a timed trace which is a function from time domain (modeled as non-negative reals \( \mathbb{R}^{\geq 0} \)) to the respective values.

The behavior of each block can be divided into a set of subbehaviors, each of which is guarded by a condition. Moreover, these guards are disjoint and complete, i.e., the conjunction of any two of these guards is not satisfied and the disjunction of all of them is valid. So, each sub-behavior can be further specified as a predicate over input and output signals. For example, a kind of blocks named ‘Switch’ in Simulink has three input signals received from in-ports 1, 2, and 3 respectively and one output signal. The input signal at in-port 2 is a boolean condition, and when it is true, the output signal will be equal to the input signal at in-port 1, otherwise the one at in-port 3. Hence, blocks can be interpreted by the following semantic function \( \text{Sem}_B \):

\[
\text{Sem}_B(\text{init}, ps) \equiv \text{out}(0) = \text{init} \land \bigwedge_{k=1}^m (B_k \Rightarrow P_k(ps, \text{in}, \text{out})),
\]

where \( \text{init} \) stands for the initial output value set by user, \( ps \) are the rest user-set parameters that may change the function of the block, \( \text{in} \) and \( \text{out} \) are resp. the timed traces corresponding to input and output signals, \( \text{out}(0) \) is the value of \( \text{out} \) at the time 0. In the definition we assume that the block’s behavior is split into \( m \) cases by \( B_k \) and in each case the behavior is specified by the corresponding predicate \( P_k \).

Notice that different types of blocks, i.e., continuous and discrete blocks, have different definitions for \( B_k \) and \( P_k \) because the input signals for discrete blocks only refer to the value of the closest sample time point, i.e., the value of input signals at time \( t \) should refer to the time \( (t - (t \mod st)) \) where \( st \) represents the sample time of the block.

Therefore, the semantics of a Simulink diagram is defined by

\[
\text{Sem}_D \equiv \bigwedge_{j=1}^n \text{Sem}_B(\text{init}_j, ps_j),
\]

where \( n \) is the number of blocks in the diagram, \( \text{init}_j \) and \( ps_j \) are the initial output value and parameters of the \( j \)-th block.

### 2.2 Hybrid CSP (HCSP)

HCSP [7, 20] is a formal language for describing hybrid systems, which is an extension of CSP by introducing timing constructs, interrupts, and differential equations for representing continuous evolution. Exchanging data among processes is described solely by communications, no shared variable is allowed between different processes in parallel, so each program variable is local to the respective sequential component. We write \( \mathcal{V} \) and \( \mathcal{E} \) for the sets of variables and channel names, respectively. The syntax of HCSP is given as follows:

\[
P := \text{skip} \mid x := e \mid \text{ch} \langle \dot{e} \rangle \mid \text{ch} \langle e \rangle \mid P; Q \mid B \rightarrow P \mid P \cup Q \mid P^*
\]

Here \( \text{io} \) stands for a communication event, i.e., either \( \text{ch} \langle \dot{e} \rangle \) or \( \text{ch} \langle e \rangle \), \( P, Q, \text{io} \) are HCSP processes, \( x \) and \( s \) stand for variables, and \( \text{ch} \) for channel name. \( B \) and \( e \) are Boolean and arithmetic expressions and \( d \) is a non-negative real constant.

The intended meaning of the individual constructs is as follows:

- \( \text{skip} \), \( x := e \), \( \text{ch} \langle \dot{e} \rangle \), \( \text{ch} \langle e \rangle \) and \( P, Q \) can be understood in a standard way.
- \( B \rightarrow P \) behaves as \( P \) if \( B \) is true, otherwise it terminates immediately.
- \( P \cup Q \) denotes internal choice. It behaves as either \( P \) or \( Q \), and the choice is made by the process.
- \( P^* \) executes \( P \) for some finite number of times.
- \( \langle F(s, \dot{s}) = 0 \rangle \) is the continuous evolution statement (hereafter shortly continuous). It forces the vector \( s \) of real variables to continuously evolve according to the differential equations \( F \) as long as the boolean expression \( B \), which defines the domain of \( s \), holds, and terminates when \( B \) turns false.
- \( \langle F(s, \dot{s}) = 0 \rangle \cup \langle \text{io} \rightarrow Q_i \rangle \) behaves like \( \langle F(s, \dot{s}) = 0 \rangle \), except that the continuous is preempted as soon as one of the communications \( \text{io} \) occurs. That is followed by the respective \( Q_i \). However, if the continuous part terminates before a communication from among \( \{\text{io}_i\}_{i=1}^k \) occurs, then the process terminates directly.
- \( P \cup Q \) behaves as if \( P \) and \( Q \) run independently except that all communications along the common channels connecting \( P \) and \( Q \) are to be synchronized. The processes \( P \) and \( Q \) in parallel can share neither variables, nor input nor output channels.

The other constructs of HCSP in [7, 20] are derivable from the above syntax, e.g., \( \text{wait} \) \( d = t := 0; (t = 1\& t < d) \), \( \text{stop} \) \( d = t := 0; (t = 1\& ttrue) \Rightarrow (t_i \rightarrow Q_i) \), and the time-out \( \langle F(s, \dot{s}) = 0 \rangle \cup Q \) can be defined by \( d \geq \langle F(s, \dot{s}) = 0 \rangle \cup Q \).

### 2.2.1 Hybrid Hoare Logic (HHL)

HHL [10] is an extension of Hoare logic for specifying and reasoning about HCSP processes. In HHL, each specification for a sequential process \( P \) takes the form \( \{ \text{Pre} \} \ P \{ \text{Post} \} \{ \text{H} \} \), where \( \text{Pre} \), \( \text{Post} \) represent pre-/post-conditions, expressed
by first-order logic, to specify discrete properties of variables held at starting and termination of the execution of \( P \); and \( HF \) history formula, expressed by DC [18, 17], to record the execution history of \( P \), including real-time and continuous properties. The effect of discrete processes will be specified by the pre-/post-conditions, but not be recorded in the history. The specification for a parallel process is then defined by assigning to each sequential component of it the respective pre-/post-conditions and history formula, that is

\[ \{ \text{Pre}_1, \text{Pre}_2 \} \parallel \{ \text{Post}_1, \text{Post}_2; \text{HF}_1, \text{HF}_2 \} \]

In HHL, each of HCS process constructs is axiomatized by a set of axioms and inference rules, for example, the continuous is axiomatized by the following rule:

\[
\begin{align*}
\text{Init} & \Rightarrow \text{Inv} \\
\{ \text{Init} \land \text{Pre} \} \{ F(s, s) = 0 \land \text{B}\} \{ A \land \text{Cl}(\text{Inv}) \land \text{Cl}(\neg B); \\
& (l = 0) \lor \{ \text{Inv} \land \text{Pre} \land B \} \}
\end{align*}
\]

where \( \text{Init} \) stands for the initial condition on continuous variables, \( \text{Inv} \) is a continuous invariant corresponding to the dynamical system\(^1\), \( \text{Cl}(G) \) stands for the closure of \( G \), e.g. when \( G \) is constructed by polynomial inequalities through \( \land \) and \( \lor \), \( \text{Cl}(G) \) can be obtained from \( G \) by replacing \(< \) and \( \geq \) with \( \leq \) and \( \geq \) in \( G \). \( \text{Pre} \) does not contain \( s \), and \( l = 0 \) in the history is to record the behaviour when the initial values satisfy \( \neg B \) at very beginning. The full explanation of HHL can be found in [10].

DC is a real extension of Interval Temporal Logic (ITL) [13] for specifying and reasoning about real-time systems. Like ITL, the only modality in DC is the chop \( \lceil \) to divide a considered interval into two consecutive sub-intervals such that its first operand is satisfied on the first sub-interval, while the second operand is satisfied on the second sub-interval. Besides, DC extends ITL by introducing durations of state expressions \( [S] \), and the temporal variable \( \ell \) to denote the length of the considered interval, i.e. \( \ell \).

Here, we will adopt the notion of point formula introduced in [19], denoted by \([S]^0\), to mean that \( S \) holds at the considered point interval. Then the formula \([S] \) is defined as \( \ell > 0 \land \neg (\ell > 0) \land [S]^0 \land \ell > 0 \), meaning that the state expression \( S \) holds at each point of the reference interval which is not a point interval.

### 2.2.2 HHL Prover

For tool support, we have mechanized the verification architecture of HCS process specifications based on deductive reasoning, and implemented a theorem prover for HHL [21] in proof assistant Isabelle/HOL. By applying the prover, we can verify if an HCS process is correct with respect to a specification written in HHL in a machine checkable way.

The mechanization in a proof assistant adopts the general approach: first, encode the process language (i.e. HCS), assertion language (i.e. first-order logic and DC), and then the specification logic (i.e. HHL) in Isabelle/HOL; second, based on the proof system of HHL, design a verification condition generator, which reduces an annotated HCS process to a verification condition, a combination of first-order formula and a DC formula, that is valid if the original HCS process conforms to the annotated assertions, i.e. the specification; finally, check the validity of the verification condition, which can be proved either by interactive theorem proving in Isabelle/HOL, or for some decidable sub-formulas among it, by automated theorem proving by designing corresponding decision procedures. The current version of the HHL prover mainly focuses on the interactive approach.

We illustrate how to use the HHL prover by verifying a simple process that models train movement. Let \( s \) be trajectory, \( v \) velocity, \( a \) acceleration, and \( v_{\text{max}} \) the speed limit of the train respectively. As modelled by the following process

\[
\langle s = v, \dot{v} = a \& v < v_{\text{max}} \rangle
\]

the train moves with velocity \( v \) and acceleration \( a \), but with constraint \( v \leq v_{\text{max}} \) always held. Denote the encoding of this process in HHL prover by \( \text{train_part} \), we can prove easily a lemma, which says that starting with initial velocity 0 and positive acceleration \( a \), the train will always move with velocity within \([0, v_{\text{max}}]\):

\[
\text{lemma} \colon \{ v = 0 \land a > 0 \} \text{ train part} \{ 0 < v < v_{\text{max}}, \quad \text{high} \{ 0 < v < v_{\text{max}} \} \} \\
\text{by (continuous_theorem)} \\
\text{by (FOL axiom)}^* \\
\text{by (DC axiom)}^* \\
\text{done}
\]

where \( \text{high} (S) \) encodes \([S]\). The proof can be divided to three steps: first, apply the axiom \text{continuous_theorem} which corresponds to the application of \text{continuous rule} presented in the previous part, and as a result, the specification to be proved is reduced to a first-order formula and a DC formula; then secondly and thirdly, prove the validity of the two logical formulas by applying a sequence of axioms of first-order logic and DC respectively, which we have already encoded in HHL prover.

### 3. FROM SIMULINK TO HCS PROCESS

In this section, we consider how to define a formal semantics for Simulink by encoding it into HCS Process.

#### 3.1 Translating Blocks

From the semantics we discussed in Sec.2.1, Simulink blocks behave as a formula of the form (1), but the definitions \( B_k \) and \( P_k \) for continuous and discrete blocks are different. Therefore, we encode continuous and discrete blocks into two different process patterns.

Regarding a continuous block, its initialization is simply encoded as an assignment. A continuous block uses its \( B_k \) as a partition of the whole state space, and continuously evolves following some differential equation \( F_k \) such that the corresponding formula \( B_k \) is satisfied. During the continuous evolution, the block is always ready for receiving new signals from in-ports, and sending the respective signals to out-ports (represented by \( i_{0,i} \)). Based on the continuous sample time, the blocks which receive signals from the continuous block via out-ports can always get the latest values. So, a continuous block can be encoded into the following process pattern:

\[
P_C(\text{init}, ps) \equiv \text{out} := \text{init}; P^* \\
P \equiv \{ F_1(\text{out}, \text{out}, ps) = 0 \& B_1(\text{in}, ps) \geq i_{\text{out}}(i_0, \text{skip}); \\
\ldots; \\
F_m(\text{out}, \text{out}, ps) = 0 \& B_m(\text{in}, ps) \geq i_{\text{out}}(i_0, \text{skip})\}
\]
Given a continuous block $cb$ with the above structure, we define $getInit(cb)$ and $getComms(cb)$ to represent the initial process $out := init$ and the communications $\{\omega_i\}_{i \in I}$ respectively; and $getDiffs(cb)$ to represent the set of differential equations occurring in $cb$.

For a discrete block, its initialization is also encoded as an assignment. However, a discrete block with sample time $st$ only computes output signals at the time points whose values minus the initial time are divided by $st$, i.e. once every $st$ time units. At the beginning of each period, it updates the input signal by receiving a new one from in-port, and after the computation, sends the new produced output signal to the out-port. Thus, the blocks which receive signals from the discrete block can always get the values of the last nearest time units. At the beginning of each period, it updates the computation, sends the new produced output signal to the out-port. Thus, the blocks which receive signals from the discrete block can always get the values of the last nearest period. Finally, a discrete block can be encoded as follows:

\[
P\mathcal{D}(init, ps, n) \equiv out := init; P^*
\]

$P$ \equiv $cin\?in; P_{comp}; cout\!out; wait\!st$ $P_{comp} \equiv B_1(in, ps) \rightarrow P_{comp}(in, out, ps)$

$\ldots$ $B_n(in, ps) \rightarrow P_{comp}(in, out, ps)$

Given a discrete block $db$ with the above structure, we define $getInit(db)$ similar as continuous; and $getCin, getCout$ to represent the input $cin\?in$ and output $cout\!out$ respectively; and $db.st, db.comp$ to represent the sample time $st$ and computation process respectively.

### 3.2 Translating Diagrams

This section presents our algorithms for translating Simulink diagrams, including discrete blocks, continuous diagrams, and arbitrary diagrams constructed out of them. Before giving the translation, some notations and basic pre-processing of diagrams are introduced first.

#### 3.2.1 Computing Inherit Sample Times

A Simulink diagram may contain blocks with unspecified sample time, which is called inherit and is indicated with value $-1$. An inherit sample time of a block is decidable when the sample times of all the input signals of the block are known, and then it is computed as the greatest common divisor (GCD) of the sample times of these input signals.

#### Algorithm 1 Computing inherit sample times

**Require:** A diagram $diag$

**Ensure:** Calculate all decidable sample times in $diag$

1: for $(flag \leftarrow false; flag; skip)$ do
2: for all $b$ in $diag$ do
3: if $\text{known}(b)$ and $\text{allKnown}(b, srcBlocks())$ then
4: $b.st \leftarrow \text{GCD}(b, srcBlocks());$
5: $flag \leftarrow true;$
6: end if
7: end for
8: end for

Algorithm 1 calculates the sample times of all the blocks of a given diagram recursively and terminates when all of the decidable ones are known. Specially, function $\text{known}$ checks whether the sample time of a block is known or not, and $\text{allKnown}$ checks whether the sample times of all input signals of the block in consideration are known or not. From now on, we only consider diagram for which the sample time of any block in them is computed and thus known.

#### 3.2.2 Translating Wires

In general, wires in Simulink diagrams can be considered as a special form of signals, and thus can be represented as variables. On the other hand, as seen from below, when a diagram is partitioned into a set of sub-diagrams, we will model each wire between any two sub-diagrams as a pair of input and output channels for transmitting values.

#### 3.2.3 Separating Diagrams

We introduce the most important step in the translation of a Simulink diagram: separating the diagram to a set of connected sub-diagrams. We classify wires to three different kinds and then partition a diagram according to the following strategy: (1) Wires between continuous blocks are modelled as shared variables, and meanwhile, the two continuous blocks are put into one partition; (2) Wires between a continuous block and a discrete block are modelled as channels, and meanwhile, these two blocks are put into two disjoint partitions, and will transmit values via the channels; (3) Wires between discrete blocks are hard to model because the control represented by the blocks may be centralized or distributed. In our approach, a control is assumed as centralized by default, and in this case, the wires between the discrete blocks are modelled as shared variables; and meanwhile, the two blocks are put in one partition. The general case in which the user options for control are allowed will be discussed in subsection 3.2.7.

#### Algorithm 2 Separating a diagram

**Require:** A diagram $diag$

**Ensure:** Return a partition partition of the diagram

1: new partition
2: for all block in $diag$ do
3: if !visited(block) then
4: new $sc; sc.add(block);$ setVisited(block);
5: new $bs; bs.add(block);$;
6: while !bs.empty() do
7: $b \leftarrow bs.top();$
8: for all $cb$ in $b.getConBlocks()$ do
9: if isShared($b, cb)\!\!\!\!$ then
10: $bs.add(cb); sc.add(cb);$ setVisited($cb);$;
11: end if
12: end for
13: bs.remove();
14: end while
15: partition.add($sc;$)
16: end if
17: end for

Algorithm 2 is given according to the strategy presented above. At the beginning, an empty list $partition$ is allocated. Then the algorithm applies depth-first search to find out all connected components with the same type as a partition recursively. Thus, for each block $block$ that has not been visited yet, a list $sc$ is allocated to store the names of blocks of the whole connected sub-diagram that is reachable from $block$. It first adds $block$ to a local list $bs$ and sets this block visited. If $bs$ is not empty, then pops the top element from $bs$ to $b$; then for any un-visited block $cb$ that is connected to $b$, if the wires between $cb$ and $b$ are shared variables, denoted by isShared, then according to our strategy, we put $cb$ to the same partition as $b$, and set $cb$ as visited; after all the connected blocks of $b$ are visited, $b$ is removed from $bs$ and
the new top element of $bs$ will be considered recursively, till $bs$ becomes empty. Finally, $scc$ is added into $partition$, and another un-visited block starts recursively, till all the blocks of the diagram are visited.

On termination, each element of $partition$ is a list of names of connected blocks with the same type.

### 3.2.4 Translating Continuous Diagrams

**Algorithm 3** Translating a continuous diagram

**Require:** A continuous diagram $diag$

**Ensure:** Return an HCSP process $proc$

1. $odiag.setEmpty();$
2. $comms.setEmpty()$
3. for all block in $diag$
   4. $init ← init + getInit(block)$
5. $end for$
6. $procR.setEmpty()$
7. $newDiffs ← Cartesian(diag, getDiffs())$
8. for all $(dq, b)$ in $newDiffs$
9. $procR ← procR + (dq & b) ⊓ \{ io \in \text{comms} \} → \text{skip}$
10. $end for$
11. $proc ← init + (procR)^*$

Algorithm 3 translates a continuous diagram to an HCSP process, which is represented by a string here. We introduce two variables $init$ and $comms$ to represent the initial process and the interrupting communications of the final HCSP process respectively. At the beginning, both of them are set to be empty strings. For any continuous block of this diagram, we extract its initial process and interrupting communications by using $getInit()$ and $getComms()$ defined in Sec. 3.1 respectively. Because the variables and input/output channels of different continuous blocks are disjoint, the initial process and communications of the whole process can be defined by sequential composition and the union of those of all blocks, both represented by $+$ in lines 3 and 4.

We then construct the process $procR$ for repetition. The function $getDiffs(diag)$ returns the tuple consisting of the sets of differential equations of all blocks in $diag$. The set of differential equations for the diagram can then be defined as the Cartesian of the tuple. For instance, assume there are two blocks and the sets of differential equations of them are $\{f1k1b1, f2k2b2\}$ and $\{g1k1c1, g2k2c2\}$ resp., then

$$\text{Cartesian}(\{f1k1b1, f2k2b2\}, \{g1k1c1, g2k2c2\}) \overset{\text{def}}{=} \{f1g1k1b1 \land c1, f1g2k2b1 \land c2, f2g1k1b2 \land c1, f2g2k2b2 \land c2\}$$

For each differential equation in the resulting Cartesian set, we interrupt the communications to it in line 9. The process $procR$ can finally be defined as the sequential composition of all differential equations with interrupting communications.

### 3.2.5 Translating Discrete Diagrams

Algorithm 4 translates a discrete diagram to an HCSP process. Based on the restriction that there is no logic loop of discrete blocks, thus we can find an order of discrete blocks of the diagram such that a block can only rely on the blocks previous to it. The ordered blocks are denoted by $odiag$. We introduce $init$, $cin$ and $cout$ to represent the initial process, the input and output of the final HCSP process respectively. All of them are initialized to be empty strings, and calculated as the sequential composition of those of the blocks in $odiag$ respectively in line 3-7. We use $bc$ to represent the sample time of the final process, and is defined as the greatest common divisor of the sample times of all blocks.

We then construct the process $procR$ for repetition, which will be taken every $bc$ time units. Starting from time $temp$ (whose value in the first period is 0), for all blocks $block$, if the time $temp + bc$ is divided by the sample time of $block$, represented by $\langle block.st \rangle (temp + bc)$, then the computation of block, i.e. $block.comp$ will be performed in this period. Finally, we reach the process $procR$ by adding input and output processes before and after the computation respectively.

### 3.2.6 Translating Subsystems

So far we have presented the translation of Simulink diagrams. In this section, we will define how to translate Simulink subsystems, that are composed of a set of blocks, diagrams, and other subsystems. The subsystems can be classified to three different types: normal subsystems, triggered subsystems, and enabled subsystems. For simplifying the presentation, we consider the un-nested subsystems, i.e. the ones which do not contain other subsystems inside. The nested subsystems can be translated by applying the following methods recursively.

**A. Normal subsystems.**

We call subsystems that contain neither triggered nor enabled blocks inside as normal subsystems. For this case, we flatten the subsystem directly by connecting the in-ports and out-ports attached to it to the corresponding in-ports and out-ports attached to the blocks inside it. The subsystem plus the outside blocks connected to it will then be translated to a diagram, the translation of which has been presented above.

**B. Triggered subsystems.**

A triggered subsystem contains a triggered block inside it, and meanwhile, there is a corresponding input triggering signal targeting at the subsystem. The sample times of all the other input signals of the subsystem are equal to the one of
Finally reach the process for the triggered subsystem: with a little modification to line 13 as shown below, and for the triggering signal and the triggered block, and then once. We flatten the rest of the triggered subsystem except all the normal blocks inside the subsystem will be performed once. Whenever a triggering event occurs, the change of the triggering signal, there are three types of block (called as normal blocks below) inside the subsystem. All the blocks except for the triggered block and the other target block. Assume the sample times of the source and target blocks are \( p \) and \( q \) respectively. When \( p \) is not equal to \( q \), we need to negotiate about the values output from source and input to target. Assume the set of wires between these two blocks is \( I \), and for each wire \( i \in I \), the signal transmitted along it is \( s_i \). For constructing the process for the distributive blocks, we first cut all the

**C. Enabled subsystems.**

An enabled subsystem contains an enabled block inside it, and meanwhile, there is a corresponding input enabling signal targeting at the subsystem. The blocks except for the enabled block (i.e., normal blocks) inside the enabled subsystem can be continuous or discrete, and whenever the input signal is greater than 0, they will be activated. In the following, to avoid complicated or even unexpected behavior of enabled subsystems, we assume that all normal blocks inside the enabled subsystem and the input signals of it have the same sample time with the enabling signal. For some works in this area, e.g. [16] and [4], the same restriction is assumed.

For both continuous and discrete cases, we model the wire connecting the block that outputs the enabling signal and the enabled subsystem as a shared variable \( \text{en} \). When both the enabling signal and the enabled subsystem are continuous, first of all, for each normal block inside the subsystem, we add \( \text{en} > 0 \) as a conjunction with the domains of all its differential equations, and meanwhile, an extra differential equation \( (\text{out} = 0 \& \text{en} < 0) \) (meaning that the output is not changed when the signal is not enabled) to the block, thus the new domains for the block will be complete; then flatten the enabled subsystem, the resulting diagram plus the outside output block will constitute a new continuous diagram, which can be translated according to Algorithm 3.

On the other hand, when both the enabling signal and the enabled subsystem are discrete and have the sample time, first of all, for each normal block inside the subsystem, we add the enabling condition \( \text{en} > 0 \) as a conjunction with the guards of the computation of the block; then flatten the enabled subsystem, the resulting diagram plus the outside output block will constitute a new discrete diagram, which can be translated according to Algorithm 4.

**3.2.7 User Options for Translation.**

**A. Options in Separating the Diagram.**

As defined in Sec. 3.2.3, when separating a diagram, we assume that the control represented by discrete blocks is centralized, thus we put all connected discrete blocks into one partition. We loose the restriction here and allow users to decide whether the control is centralized or distributed. When the control represented by two connected discrete blocks is distributed, then we need to separate the two blocks and put them to two different partitions. We say a control option made by user is valid, if and only if after separating the diagram, the two ends of wires connecting any two distributive discrete blocks must reside in two different sub-diagrams.

Now we define how to translate two distributive discrete blocks. For ease of presentation below, according to the direction of transmitting signals, we call one of them source block and the other target block. Assume the sample times of the source and target blocks are \( p \) and \( q \) respectively. When \( p \) is not equal to \( q \), we need to negotiate about the values output from source and input to target. Assume the set of wires between these two blocks is \( I \), and for each wire \( i \in I \), the signal transmitted along it is \( s_i \). For constructing the process for the distributive blocks, we first cut all the
wires in $I$ and define a buffer $Buf$ in between,

$$Buf := \parallel_{i \in I} (fun(ch_{in};s_i, ch_{out};s_i, p, q))^*$$

where $ch_{in}$, $ch_{out}$ are added to represent the input and output channels transmitting signal $s_i$ from source block and to the target block respectively, and $fun$ is defined for negotiation. The definition of $fun$ makes sure that for each input signal, the target block always gets its newest value in the last nearest period of the source block. To achieve this, we need to record the occurrence of input and output processes $ch_{in};s_i, ch_{out};s_i$ in the time interval equal to the least common multiple of sample times $p$ and $q$. For example,

$$fun(ch_{in};s, ch_{out};s, 2, 3) \equiv ch_{in};s; ch_{out};s; ch_{in};s; ch_{out};s; ch_{in};s$$

After $Buf$ is defined, we translate the source and target blocks according to our method presented in Sec.3.1, and then by putting the resulting processes in parallel composition with $Buf$, we reach the process for the distributive discrete blocks finally.

On the contrary, to be more flexible, for any two blocks that are not reachable from each other, we provide user an option to add a wire between them, which will not affect the semantics but only for translation purpose. With the addition of the wire, we can partition these two blocks into one group, and do the translation accordingly.

B. Options in Abstraction.

Details may help us to figure out what actually happens, however sometimes too much of them may stop us to find the truth. We provide options for users to abstract away the details of Simulink blocks when the translation is being done. Instead of translating directly the actual block, we ask user to define the semantics of the block manually and use the semantics for translation. The format of the semantics must conform to two rules: for a continuous block, a list of differential equations with domains must be provided; for a discrete block, the sample time and computation must be provided.

4. IMPLEMENTATION

We implement the above translation algorithms in a prototype, called S2H\footnote{Both the tool and the proof of the case study in next section can be found at https://www.github.com/submission/emsoft2013}. The tool S2H takes a Simulink model from MATLAB (in xml format) as input and generates an annotated HCSP model as output, which is written in the input syntax of HHL prover. The generated HCSP model consists of four files for variable definitions, process definitions, assertion definitions, and a goal to be proved, respectively. Before verifying the model in HHL prover, we need to refine the definitions of assertions and goal, to make them more precise to reflect the actual requirement we expect to prove. But it should be pointed out that modification to the files for variable and process definitions are not allowed. Finally, we submit the refined HCSP model, that is in the form of HHL specifications, to our HHL prover for static verification, i.e. whether the model conforms to the refined goal or not. The whole verification architecture is shown in Fig. 2.

For using the tool S2H, user should install Java Runtime Environment on the machine first, and then set two environmental variables for the paths of Isabelle and HHL prover respectively.

5. CASE STUDY

In this section, we illustrate our approach by modelling and verifying a combined operational scenario of Chinese Train Control System level 3 (CTCS-3) with respect to its System Requirement Specification (SRS). The operating behavior of CTCS-3 is specified by 14 basic scenarios, all of which cooperate with each other to constitute normal functionality of train control system. The combined scenario considered here integrates movement authority, level transition, and mode transition of CTCS-3.

The movement authority (MA) scenario is the basis to guarantee trains not to collide with each other. In this scenario, a train applies for MA from Radio Block Center (RBC) in CTCS-3 or Train Control Center in the backup system CTCS-2, and if the application succeeds, the train gets the permission to move but only within the MA it owns. An MA is composed of a sequence of segments. For each segment $seg$, we use $seg;v_1$ and $seg;v_2$ to represent the speed limits for which the train must implement emergency brake and normal brake (thus $v_1 \geq v_2$), $seg;e$ the end point of the segment, and $seg;mode$ the operating mode of the train in the segment. Two modes are considered in this case study: Full Supervision (FS), for which a train knows the complete information including its MA, line and train data, thus it can move with normal speed; Calling On (CO), for which a train cannot confirm cleared routes, thus it must move with limited speed. Especially, for safety consideration, for a train under CTCS-3, RBC can only grant it the MAs before a CO segment, and the train needs to ask the permission of the driver before moving into the CO segment. Thus, both the speed limits for CO segments are initialized to be 0 in CTCS-3.

Given an MA, we define for each segment $seg$ the static speed profile as the region formed by the two speed limits of the segment, i.e. $v \leq seg;v_1$ and $v \leq seg;v_2$, and the dynamic speed profile as the one by calculating down to the higher speed limit of next segment (i.e. next($seg$)) taking into account the train’s maximum deceleration (i.e. $b$), i.e. $v^2 + 2bs \leq next(seg).v^2 + 2bseg.e$. It is required that the
The Combined Scenario.

The combined scenario is shown in Fig. 3, which occurs under the following situation: the train has got enough MA to complete the combined scenario; there are two adjacent segments in the MA, divided by location $x_2$, and at $x_2$, the level transition from CTCS-2 to CTCS-3, and the mode transition from FS to CO, will occur simultaneously; the train stops initially at location $x_1$, and has got an agreement from RBC to start level transition at $x_1$ and complete the level transition at $x_2$.

Under these conditions, the level transition scenario occurs as follows: when the train moves between location $x_1$ and $x_2$, it will be co-supervised by CTCS-2 and CTCS-3 (for this case we will model the level of the train as 2.5). One consequence is that the train must conform to the speed profiles for both control systems. Thus, $x_2$ as the starting point of the CO segment, both the speed limits for it will be 0; and then when the train reaches location $x_2$, the level of the train is set to 3 and the level transition completes. The mode transition scenario behaves as follows: if the train moves under level 2, it can update the mode to CO directly at location $x_2$; otherwise if it moves under level 3, it needs to ask the permission from the driver to enter the CO segment.

If the driver says true, the speed limits of the CO segment will be reset to be 40 km/h and 45 km/h respectively, and as a consequence, the train updates its mode to be CO and passes $x_2$ with a positive speed.

5.1 Modeling in Simulink

Fig. 4 shows the top-level view of the Simulink model for the combined scenario, with the following explanations:

- A set of constants and variables are defined and initialized. Constants $v_{11}$ and $v_{22}$ represent the speed limits for FS segment, with values 105 and 100, and $x_2$ and $v_{oo}$ locations for transition and the end of MA, with values 10 and 20; variables $s, v, a, level$ and $mode$ represent the trajectory, velocity, acceleration, level, and mode of the train respectively, and $v_{21}$ and $v_{22}$ the speed limits for CO segment. In blocks IC1-IC4, variables $level, mode, v_{21}$ and $v_{22}$ are initialized to 2.5, 0 (for representing FS), 0, 0 respectively.

- The continuous plant is defined by a sub-system in Simulink, and it models the movement of train using differential equation $\langle \dot{s} = v, \dot{v} = a \rangle$, with initial values 0, 0 for $s, v$ respectively. $a$ is initialized to 1 by block IC5.

- Blocks $B0 - B5$ act like sensors, and observes the states of the train periodically (we set the period to be 0.125s). $b0 - b5$ are logical formulas for monitoring movement of the train, and are modelled using MATLAB functions. For instances, the train is required to move forward (with non-negative speed), and move within the static profile, the dynamic profile of the segment, and as soon as they are violated, $b0, b1, b2$ will be activated respectively; moreover, when the train completes level and mode transitions, $b3, b4$ will be activated respectively; and when the train gets the permission from the driver to enter CO segment, $b5$ will be activated.

- The controller is also defined by a sub-system in Simulink, and it models the discrete computation that must be taken to the train whenever $b0 - b5$ become true. For instances, if the train reaches the speed profile, a need to be reset to be negative; when the train performs mode transition in CTCS-3, if it gets permission from the driver to enter the CO segment, $v_{21}$ and $v_{22}$ will be reset to 40 and 45 respectively; if the level transition and mode transition succeed, $mode$ and $level$ will be reset to 1 (for representing CO) and 3 respectively.

After the related variables for the train are reset by the controller, they are translated to the train plant as inputs, and a new period starts.

Results.

After setting the constants and initial values for variables, we get the simulation result, shown in Fig. 5, which indicates that the train will stop at location $x_2$. Following this, we translate the Simulink model for the combined scenario into HCSP model using tool S2H, which in detail consists of...
four files \texttt{varDef}, \texttt{procDef}, \texttt{assertDef} and \texttt{goal}, 488 lines of code in all \(^3\). We refine the assertions in \texttt{assertDef} and the goal in \texttt{goal} according to the property to be proved, and then verify the refined model in HHL prover. The verification is more general than simulation: the simulation asks for the exact (initial) values of the constants and variables, e.g. normal acceleration and brake acceleration; however, during verification, we abstract the values away by the method introduced in Sec. 3.2.7, i.e. from \([-1,1]\) and \([-1,0]\) respectively.

Using HHL prover, we finally prove the following goal as a lemma:

\texttt{lemma goal : "(True, True) P \{plant\_s\_1 <=(Real 10), True; (l = Real 0) \& (high (plant\_s\_1 <=(Real 10))) \& (True)"}

where the postcondition together with the history formula indicate that the train never moves across location \(x_2\), i.e. 10 here.

\begin{figure}[h]
\centering
\includegraphics[width=0.5\textwidth]{costimg}
\caption{The result of simulation}
\end{figure}

\section{Conclusion and future work}

This paper presents an automatic translation from Simulink models to HCSP processes. The resulting HCSP processes can not only provide a formal semantics for Simulink models, but also they can be verified by an HHL prover we have implemented in proof assistant Isabelle/HOL. We demonstrate our approach by considering a case study on a combined scenario of Chinese Train Control System at Level 3. Both the simulation result in Simulink and the verification result in HHL prover indicate a design error in CTCS-3.

For future work, we will investigate the use of HHL to formalize Simulink/Stateflow models with flexible control flow diagrams; and on the other hand, to apply our approach to more practical hybrid systems, especially the other scenarios of CTCS-3 and their combinations, for safety analysis and verification.

\section{References}

\begin{thebibliography}{10}
\end{thebibliography}
\footnote{For reference, we present the variable and process definitions of the generated model in appendix.}
APPENDIX

In the appendix, we present the annotated HCSP model that is translated from the Simulink model of the case study on the combined scenario in CTCS-3 by using tool S2H. The model consists of two files: varDef for variable definitions, procDef for process definitions. For page limit, we cannot list the proof of the model, the full version can be found at https://www.github.com/submission/emsoft2013

A. VARIABLE DEFINITIONS

This part shows the definition of variables for the case study, which are separated into several kinds: channel names, local variables, receiving and sending variables, and predicates.

theory varDefinition

imports "home/liang/hcsptool/new_verifier/HHL"

begin

(*Define channel names.*)
definition Ch_b3_1_1 :: cname where
"Ch_b3_1_1 == 'Ch_b3_1_1'"
definition Ch_b5_1_1 :: cname where
"Ch_b5_1_1 == 'Ch_b5_1_1'"
definition Ch_control_a2_1_0 :: cname where
"Ch_control_a2_1_0 == 'Ch_control_a2_1_0'"
definition Ch_b4_1_1 :: cname where
"Ch_b4_1_1 == 'Ch_b4_1_1'"
definition Ch_IC1_1_0 :: cname where
"Ch_IC1_1_0 == 'Ch_IC1_1_0'"
definition Ch_IC3_1_0 :: cname where
"Ch_IC3_1_0 == 'Ch_IC3_1_0'"
definition Ch_b12_1_1 :: cname where
"Ch_b12_1_1 == 'Ch_b12_1_1'"
definition Ch_b12_2_1 :: cname where
"Ch_b12_2_1 == 'Ch_b12_2_1'"
definition Ch_IC2_1_0 :: cname where
"Ch_IC2_1_0 == 'Ch_IC2_1_0'"
definition Ch_IC4_1_0 :: cname where
"Ch_IC4_1_0 == 'Ch_IC4_1_0'"

(*Define receiving variables.*)
definition b3_1_1 :: exp where
"b3_1_1 == BVar 'b3_1_1'"
definition b5_1_1 :: exp where
"b5_1_1 == BVar 'b5_1_1'"
definition control_a2_1_0 :: exp where
"control_a2_1_0 == RVar 'control_a2_1_0'"
definition b4_1_1 :: exp where
"b4_1_1 == BVar 'b4_1_1'"
definition IC1_1_0 :: exp where
"IC1_1_0 == RVar 'IC1_1_0'"
definition IC3_1_0 :: exp where
"IC3_1_0 == RVar 'IC3_1_0'"
definition b12_1_1 :: exp where
"b12_1_1 == BVar 'b12_1_1'"
definition b12_2_1 :: exp where
"b12_2_1 == BVar 'b12_2_1'"
definition IC2_1_0 :: exp where
"IC2_1_0 == RVar 'IC2_1_0'"
definition control_mode_1 :: exp where
"control_mode_1 == RVar 'control_mode_1'"
definition IC5_1_0 :: exp where
"IC5_1_0 == RVar 'IC5_1_0'"
definition IC4_1_0 :: exp where
"IC4_1_0 == RVar 'IC4_1_0'"

(*Define local and sending variables.*)
definition t1 :: exp where
"t1 == RVar 't1'"
definition temp1 :: exp where
"temp1 == RVar 'temp1'"
definition plant_v_1 :: exp where
"plant_v_1 == RVar 'plant_v_1'"
definition a0_1 :: exp where
"a0_1 == RVar 'a0_1'"
definition b3_1 :: exp where
"b3_1 == BVar 'b3_1'"
definition b5_1 :: exp where
"b5_1 == BVar 'b5_1'"
definition control_level_1 :: exp where
"control_level_1 == RVar 'control_level_1'"
definition control_v21_1 :: exp where
"control_v21_1 == RVar 'control_v21_1'"
definition control_v22_1 :: exp where
"control_v22_1 == RVar 'control_v22_1'"
definition plant_s_1 :: exp where
"plant_s_1 == RVar 'plant_s_1'"

(*Definitions in comments.*)
definition T :: exp where
"T == Real 1/8"
definition B0 :: exp where
"B0 == if formT( plant_v_1 <= Real 0 
& IC5_1 <= Real 0) 
then Bool True else Bool False"
definition B1 :: exp where
"B1 == if formT ( (plant_s_1 <= Real 10) 
& plant_v_1 >=(Real 100) 
& [1] (plant_s_1[1] Real 10) 
& [1] (plant_v_1[1] IC4_1_0)) 
then Bool True else Bool False"
**definition B2 :: exp where**
*B2 == if formT( ((plant_s_1[<=](Real 10) & plant_v_1[>=](Real 105)) | (plant_s_1[>](Real 10) & plant_v_1[>=]IC3_1_0) | ((Real 2)*[plant_v_1[*]T[+]*]T[*]T) > IC3_1_0[+](Real 2) & (Real 2)) then Bool True else Bool False"

**definition B3 :: exp where**
*B3 == if formT( IC1_1_0[=](Real 2.5) & plant_s_1[>](Real 10)) then Bool True else Bool False"

**definition B4 :: exp where**
*B4 == if formT( plant_s_1[>](Real 10) & IC2_1_0[=](Real 0)) then Bool True else Bool False"

**definition B5 :: exp where**
*B5 == if formT( IC1_1_0[=](Real 3) & plant_s_1[<=](Real 10) & (Real 10) - plant_s_1[<=](Real 300)) then Bool True else Bool False"

---

**B. PROCESS DEFINITIONS**

This part shows the definition of annotated processes of the case study, e.g. the ones for modelling train plant, the control, the communications between them, and so on.

theory processDefinition
imports "assertionDefinition"
begin
(*Define continuous processes*)
definition PC1_1 :: proc where
"PC1_1 == plant_v_1:=(Real 0);assertion1; IC5_1:=(Real 1);assertion2; plant_s_1:=(Real 0)"

definition domain1 :: fform where
"domain1 == (IC5_1[=]a0_1[&]b0_1[=]B0[&]b12_1[=]B1[&]b12_2[=]B2[&]b0_1[=](Bool True)[&]a0_1[=](Real 0)[&]b3_1[=]B3[&]b4_1[=]B4[&]b5_1[=]B5)"

definition commI1 :: proc where
"commI1 == (Ch_IC3_1_0??IC3_1_0[&]Ch_b12_1_1!!b12_1[&]Ch_b12_2_1!!b12_2[&]Ch_IC4_1_0??IC4_1_0[&]Ch_control_a2_1_0??control_a2_1_0[&]Ch_b3_1_1!!b3_1[&]Ch_b4_1_1!!b4_1[&]Ch_IC2_1_0??IC2_1_0[&]Ch_b5_1_1!!b5_1[&]Ch_IC1_1_0??IC1_1_0)"

definition PC1_2 :: proc where
"PC1_2 == (<inv1 && domain1>:rg1)[&](commI1)"

definition domain2 :: fform where
"domain2 == (IC5_1[=]a0_1[&]b0_1[=]B0[&]b12_1[=]B1[&]b12_2[=]B2[&]b0_1[=](Bool True)[&]a0_1[=](Real 0)[&]b3_1[=]B3[&]b4_1[=]B4[&]b5_1[=]B5)"

definition commI2 :: proc where
"commI2 == (Ch_IC3_1_0??IC3_1_0[&]Ch_b12_1_1!!b12_1[&]Ch_b12_2_1!!b12_2[&]Ch_IC4_1_0??IC4_1_0[&]Ch_control_a2_1_0??control_a2_1_0[&]Ch_b3_1_1!!b3_1[&]Ch_b4_1_1!!b4_1[&]Ch_IC2_1_0??IC2_1_0[&]Ch_b5_1_1!!b5_1[&]Ch_IC1_1_0??IC1_1_0)"

definition PC1_3 :: proc where
"PC1_3 == (<inv2 && domain2>:rg2)[&](commI2)"

definition PC1_init :: proc where
"PC1_init == PC1_1"

definition PC1_rep :: proc where
"PC1_rep == PC1_2;assertion3;PC1_3"

definition PC1 :: proc where
"PC1 == PC1_init;assertion4;(PC1_rep)*"

(*Define discrete processes*)
definition PD1_1 :: proc where
"PD1_1 == t1:=(Real 0);assertion5; IC4_1:=(Real 0);assertion6; IC3_1:=(Real 0);assertion7; (NON R ''varR_l'' : ((Real -1)[<=](RVar ''varR_l'') & (RVar ''varR_l'')[<=](Real 0)) control_c2_1:=(RVar ''varR_l''))"

definition PD1_2 :: proc where
"PD1_2 == (NON R ''varR_l'' : ((Real -1)[<=](RVar ''varR_l'') & (RVar ''varR_l'')[<=](Real 1)) control_c1_1:=(RVar ''varR_l''));assertion8; IC1_1:=(Real 2.5);assertion9;IC2_1:=(Real 0)"

definition PD1_3 :: proc where
"PD1_3 == Ch_IC1_1_0!!IC1_1;assertion10; Ch_IC2_1_0!!IC2_1;assertion11; Ch_IC3_1_0!!IC3_1;assertion12; Ch_IC4_1_0!!IC4_1;assertion13; Ch_b5_1_1??b5_1_1;assertion14; Ch_b12_1_1??b12_1_1;assertion15; Ch_b3_1_1??b3_1_1;assertion16; Ch_b4_1_1??b4_1_1"

definition PD1_4 :: proc where
"PD1_4 == Ch_b12_2_1??b12_2_1"

definition PD1_5 :: proc where
"PD1_5 == IF (b5_1_1[=](Bool False)) (control_v22_1:=(Real 0));assertion17; IF (b5_1_1[=](Bool True)) (control_v22_1:=(Real 35));assertion18; IC4_1:=(control_v22_1);assertion19; IF (b5_1_1[=](Bool False)) (control_v21_1:=(Real 0))"

definition PD1_6 :: proc where
"PD1_6 == Ch_b12_2_1??b12_2_1"
"PD1_6 == IF (b5_1_1=[] (Bool True))
  (control_v21_1:=(Real 40));assertion20;
  IC3_1:=control_v21_1;assertion21;
  (NON R ' 'varR_1'':
   ((Real -1)[<=](RVar ' 'varR_1'))
  )
  control_c2_1:=(RVar ' 'varR_1'))" definition PD1_7 :: proc where
"PD1_7 == (NON R ' 'varR_1'':
   ((Real -1)[<=](RVar ' 'varR_1'))
  )
  control_c2_1:=(RVar ' 'varR_1'))" IC3_1:=control_v21_1;assertion21;
  (NON R ''varR_l'' :
   ((Real -1)[<=](RVar ''varR_l'')
   [&] (RVar ''varR_l'')[<=](Real 0))
  )
  control_c2_1:=(RVar ''varR_l''))
  assertion22;
"PD1_8 == IF (b12_1_1=[] (Bool False))
  (control_a1_1:=control_c1_1)
  IC1_1:=control_level_1;assertion23;
  IF (b12_2_1=[] (Bool False))
  (control_a2_1:=control_a1_1);assertion28;
  IF (b12_2_1=[] (Bool True))
  (control_a2_1:=(Real -1))" definition PD1_10 :: proc where
"PD1_10 == IF (b12_2_1=[] (Bool False))
  (control_a2_1:=control_a1_1);assertion28;
  IF (b12_2_1=[] (Bool True))
  (control_a2_1:=(Real -1))" definition PD1_14 :: proc where
"PD1_14 == IF (b5_1_1=[] (Bool False))
  (control_v22_1:=(Real 0));assertion30;
  IC4_1:=control_v22_1;assertion31;
  IF (b5_1_1=[] (Bool True))
  (control_v22_1:=(Real 35));assertion34;
  IC4_1:=control_v22_1;assertion35;
  assertion36;
  IF (b5_1_1=[] (Bool False))
  (control_v21_1:=(Real 0))" definition PD1_15 :: proc where
"PD1_15 == IF (b5_1_1=[] (Bool True))
  (control_v21_1:=(Real 40));assertion37;
  IC3_1:=control_v21_1;assertion38;
  (NON R ' 'varR_1'':
   ((Real -1)[<=](RVar ' 'varR_1'))
  )
  control_c2_1:=(RVar ' 'varR_1'))" definition PD1_16 :: proc where
"PD1_16 == (NON R ' 'varR_1'':
  ((Real -1)[<=](RVar ' 'varR_1'))
  )
  control_c2_1:=(RVar ' 'varR_1'))"
(*Define the whole process.*)
definition P :: proc where
    "P == PC1||PD1"
end