Robustness of Model-based Simulations

Georgios E. Fainekos, Sriram Sankaranarayanan, Franjo Ivancic, and Aarti GuptaNEC Laboratories America, 4 Independence Way, Princeton, NJ 08540, USA

Email: {fainekos, srirams, ivancic, agupta}@nec-labs.com

Abstract—This paper proposes a framework for determiningthe correctness and robustness of simulations of hybrid systems.The focus is on simulations generated from model-based designenvironments and, in particular, Simulink. The correctness androbustness of the simulation is guaranteed against floating-point rounding errors and system modeling uncertainties.Toward that goal, self-validated arithmetics, such as intervaland affine arithmetic, are employed for guaranteed simulationof discrete-time hybrid systems. In the case of continuous-timehybrid systems, self-validated arithmetics are utilized for over-approximations of reachability computations.

Keywords-Robustness; Simulation; Hybrid systems; ModelValidation and Analysis; Floating-point arithmetic;

I. INTRODUCTION

Model-based design has vastly simplified the develop-ment of embedded systems. Design tools such as Mat-lab/Simulink, MapleSim and Scade have improved the pro-cess of system design. Tools for automatically generatingsource code from these designs have vastly shorten the timeto market. However, verification of these models remainsjust as complex and costly. Currently, extensive testing underdifferent operating conditions is performed until the designteam is satisfied that their design adheres to some coveragerequirements.

In practice, however, testing does not explore all criticalinputs. In addition, differentiating between an interestingand a non-interesting test-case is not straightforward. Thispaper considers the problem of evaluating tests in order toshowcase failures of the robustness property. That is, wedetermine test trajectories that under some small perturbation– usually due to uncertainty or internal computation errors– could cause the system to diverge significantly from theexpected behavior, and potentially lead to failures. Notethat computational errors due to floating/fixed-points arefrequently ignored by many verification techniques for real-time and hybrid systems. Furthermore, our approach ensuresthat the test cases that exhibit non-robust behavior will beof interest to the system designer.

The Patriot missile defense system failure [5] is a well-known example of the type of bugs that we target in thispaper. Therein, the software, which estimated the futureposition of the incoming missile based on the velocity andthe last position as returned by the radar, modeled timein increments of 0.1 sec. However, 0.1 itself could not beaccurately represented in the underlying 24-bit fixed-point

register. As a result, the accumulated errors caused a driftin the computed times when the system was operational formany hours. Ultimately, this led to a failure to track andintercept incoming missiles.

Another – more subtle – example, is provided by Lohet al. [23] and earlier by Rump [29]. Consider the functionf(a, b) = (333.75−a2)b6+a2(11a2b2−121b4−2)+5.5b8+a2b with a = 77617 and b = 33096. Using round-to-nearestIEEE-754 arithmetic [31], the f function evaluates to (underdifferent precision)

1.172604 (32-bit)1.1726039400531786 (64-bit)1.1726039400531786318588349045201838 (128-bit)

By increasing the precision, we seem to derive more accurateresults. However, this is deceiving since not even the sign iscorrect in the above computations. The actual result, withinone unit of the last digit, is

f(a, b) = −0.827396059946821368141165095479816

These two examples demonstrate that our simulations couldvery well have undetected functional errors without theexistence of any correctness errors (bugs) in the model.

For such computation errors and, also, for model uncer-tainties, our contribution in this paper is a framework fordetecting the robustness of Simulink simulations. In detail,we developed a suit of tools called RobSim in Matlabfor testing the robustness of discrete and continuous-timeSimulink models. The advantage of our approach is thatwe do not have to translate the Simulink model into someother equivalent formalism, but we operate directly on theSimulink model itself. Thus, we remain faithful to Simulinksemantics. Towards this objective, we have also producedthe following results and implementations. First, we havebuilt AALab (Affine Arithmetic Laboratory). AALab is anAffine Arithmetic (AA) [10] toolbox in Matlab that allowsAA object manipulation with floating-point rounding controlin a transparent way to the user. Second, we have refined thetheory of linear system reachability in order to guarantee thecorrectness of Simulink numerical simulations under modeluncertainties and, most importantly, under floating-pointrounding uncertainties. The next section provides furtherdetails on the exact problem that we address in this paper.

2009 30th IEEE Real-Time Systems Symposium

1052-8725/09 $26.00 © 2009 IEEE

DOI 10.1109/RTSS.2009.26

345

2009 30th IEEE Real-Time Systems Symposium

1052-8725/09 $26.00 © 2009 IEEE

DOI 10.1109/RTSS.2009.26

345

II. PROBLEM DEFINITION

Our focus is on the investigation of the robustness ofSimulink model simulations with respect to numerical andfloating-point rounding errors under possible parametricuncertainties. Before proceeding on giving details on theproblem itself and the proposed solutions, we need to definewhat we mean by robustness. The notion of robustness canhave different meanings under different contexts.

Intuitively, in the context of system simulation and testing,a robust trajectory would be one that under small perturba-tions would exhibit the same qualitative behavior [17]. Incertain cases, such questions can be answered by controltheory even under the presence of floating-point rounding orquantization errors [27]. However in general, this problemcannot be addressed analytically in systems where the low-level system dynamics are governed by complex high-levellogic such as in hybrid automata [17].

Thus, we approach the problem from a testing perspec-tive. That is, given a model of a system and some initialconditions and parameter values, we would like to detectpoints in time where the simulation trajectory of the systemdoes not capture the intended behavior. In particular, we firststudy the following problem.

Problem 1: Given a discrete-time Simulink model D withuncertain initial conditions X0 and parameters P , determinepoints in time when the Simulink simulation trajectory isnot robust.

In this problem, the Simulink model D already containsthe initial conditions x0 and parameter values p as well asthe initial t0 and final tn simulation times and sampling step.Formally speaking, system D can be captured by a systemof difference equations fd

j , j ∈ Jd such that

x(k + 1) = fdj (x(k), u(k), p, k) (1)

where k ∈ N is the current point in time, x : N → Rn isthe solution of system (1) (we assume that a unique solutionexists), u : N → R

q is an input to the system and p ∈ P ⊆Rr is a vector modeling the parameters of the system. Here,N denotes the set of the natural numbers and R the set ofreals. In system (1), at each point in time k, the systemdynamics are governed by a unique difference equation fd

j ,i.e., the system is deterministic. Without going into details,the system dynamics fd

j are chosen according to a relationGd

j on x(k), x(k+1) and u(k). Each solution x(·) of system(1) has a corresponding trajectory of indices dx : N → Jd

indicating which system dynamics were active at the currentpoint in time.

Assume that the set of initial conditions as well as theparameters and the inputs to the system are not preciselyknown, that is, x0 ⊆ Rn, p ⊆ P and u ⊆ Rq respectively.Then, theoretically for some k0 ≤ kf ∈ N and a fixed j ∈Jd, we could compute a set of trajectories x : [k0, kf ] →P(Rn), which represent the evolution of the system under

Figure 1. A continuous-time Simulink model.

the system dynamics fdj for all the possible parameter values

and, moreover, take into account computation errors.Now, we can formalize our proposed notion of robustness.Definition 1: A trajectory x of a Simulink model is robust

if all the trajectories x′ under internal (model parameters)and external (input) uncertainties and computation errorshave the same trajectory of indices as x, that is, dx = dx′ .

Informally, the above definition states that the systemshould exhibit the same high-level behavior under all givenconditions and computation errors. Our goal is to ascertainpoints in the system trajectory which are not robust. The fol-lowing example, which is the running example of this paper,presents the basic idea behind simulation non-robustness.

Example 1: As an example consider the discretized sys-tem of the continuous-time model in Fig. 1. The modelcontains a switch block which determines which gain isgoing to be used in the feedback loop. If the switch signal(signal s in figure) is larger than 0.4, then “Gain” is selectedotherwise “Gain1” is selected. In this simple case, we wantto detect situations where the numerical simulation computesa signal with value greater or equal to 4, e.g., for some k,s(k) = 4.2, but the guaranteed simulation gives bounds on swhich include 4, e.g., [s(k)] = [3.9, 4.5]. This means that itcould be the case that at that point in time the system couldexhibit different dynamical behavior from the one used inthe numerical simulation. Such cases are reported to the user.

The solution of Problem 1 is presented in Section IV-A. Inthis paper, we also present some results toward the solutionof the above problem for continuous-time Simulink models.

Problem 2: Given a continuous-time Simulink model Cwith piece-wise continuous dynamics and a set of uncertaininitial conditions X0 and parameters P , determine points intime when the Simulink simulation trajectory is not robust.

Similar to the discrete-time case, system C can be capturedby a system of linear ordinary differential equations (ODEs):

x(t) = Aj(p(t))x(t) + Bj(p(t))u(t) + hj(p(t)) (2)

where j ∈ Jc is a set of indices, t ∈ R+ (non-negativereals) is the current point in time, x : R+ → Rn is thesolution of system (2) (again, we assume that a uniquesolution exists), u : R

+ → Rq is an input to the system,

p : R+ → P ⊆ Rr is a continuous function modeling theparameters of the system and Aj , Bj , hj are appropriately

346346

sized matrices (which are continuous with respect to theparameter vector p). At each point in time t, the systemdynamics are governed by a unique differential equationx = Aj(p(t))x(t) + Bj(p(t))u(t) + hj(p(t)). As before,the system dynamics are chosen according to whether arelation Gc

j on x(t), x(t) and u(t) is true. Each solutionx(·) of system (2) has a corresponding trajectory of indicesdx : R+ → Jc indicating which system dynamics wereactive at each point in time.

Analogous to the discrete-time case, we might want tostudy the behavior of the continuous-time model underuncertain initial conditions x0 ⊆ R

n, parameters p(t) ⊆ Pand/or inputs u(t) ⊆ Rq . Then, theoretically for somet0 ≤ tf and a fixed j ∈ Jc, we could compute a setof trajectories x : [t0, tf ] → P(Rn), which represent theevolution of the system under the system dynamics (2) forall the possible parameter values and, moreover, take intoaccount computation errors.

Definition 1 also holds for continuous-time systems.However, one additional issue that appears in the case ofcontinuous-time systems is the correctness of the computedsimulation trajectory. In detail, the algorithm employed forthe numerical solution of the ODEs affects the quality ofthe resulting simulation and, in some cases, the solutionmight even diverge from the real solution. Therefore, in thecontinuous-time case, we also report such cases. The detailsof the proposed approach appear in Section IV-B.

The solutions to Problems 1 and 2 enable also the robustsimulation of mixed-signal Simulink models. Such modelscontain both continuous and discrete-time components. InSection IV-C, we present some preliminary results towardthe solution of the following problem.

Problem 3: Given a mixed-signal Simulink model Mwith discrete and continuous-time components that satisfythe assumptions of Problems 1 and 2, respectively, and aset of uncertain initial conditions X0 and parameters P ,determine points in time when the Simulink simulationtrajectory is not robust.

As a by-product of the solution to the above problem,we obtain a reachability algorithm for mixed-signal systemsunder input, parameter and computation uncertainties. To thebest of our knowledge, this is the first time that this problemis addressed.

III. THEORETICAL BACKGROUND

In this section, we review some basic results and notationthat are necessary for presenting the results in this paper.

A. Interval Arithmetic

Interval arithmetic (IA) [25] is one of the first computa-tion models that enabled in an efficient way self-validatingcomputations. IA has proven to be a valuable tool in a varietyof engineering applications [16]. More related to our workis the application of IA to reachability problems [14], [28].

In IA every quantity [x] is essentially an interval [x] =[x, x], where the bounds x = inf [x] and x = sup [x] rangeover a particular field and x ≤ x. In this paper, we willconsider the fields of the real numbers R and an “abstract”field of floating point numbers F. The corresponding setsof intervals will be denoted by IR and IF, respectively. Thepurpose of each such interval is to model potential uncer-tainties in the quantities and to capture internal computationerrors such as rounding errors.

All the standard arithmetic operations have a correspond-ing operation in IA. For example, if x, y ∈ IR, then wehave [x, x] +

[y, y]

= [x + y, x + y] and [x, x][y, y]

=[min({xy, xy, xy, xy}), max({xy, xy, xy, xy})]. Wheneverwe perform an operation of an interval with a real numbera, we implicitly assume that the real number is a degenerateinterval, i.e., [a] = [a, a].

In this paper, we will also be using interval vectorsand interval matrices. For example, an n-ordered tuple ofintervals [[x1, x1], . . . , [xn, xn]]T is an interval vector [x].In the following, we will also be using the notation �xto denote the interval vector [−x, x]n for some n ≥ 1.Similarly, we define m×n interval matrices as members ofIR

m×n or IFm×n. The IA operations on vectors and matrices

are the natural extensions over the real arithmetic operations.The concept of norm plays an important role in the

analysis of properties of vectors and matrices. In orderto define the infinity norm for interval matrices, we needto first define the absolute value of an interval number:| [x] | := max({|x|, |x|}). Note that the properties of theabsolute value are preserved, i.e., for x, y ∈ IR, we have| [x] + [y] | ≤ | [x] |+ | [y] | and | [x] [y] | = | [x] || [y] |. Recallthat in the case of matrices, the induced norm for an m×nmatrix A is defined as ‖A‖∞ = max1≤i≤m

∑nj=1 |aij |. The

extension of the definition of the infinity norm to intervalmatrices is simply ‖ [A] ‖∞ = ‖max({|A|, |A|})‖∞, wherethe absolute value and the maximum are considered element-wise. Finally, we should remark that both the absolute valueand the norm are not interval numbers.

In this work, we are particularly interested in using IA inorder to capture floating-point rounding errors. For example,consider the number 0.1 which is not exactly representable inmachine arithmetic. IA allows us to capture this number bydefining an interval [↓(0.1) , ↑(0.1)], where ↓(·) and ↑(·) arethe rounding-down and up operations respectively as definedin IEEE Floating-Point Standard [31]. In the following, wewill also be using the notation (x) = [↓(x) , ↑(x)] in orderto bound the real value of a number. In a slight abuse ofnotation, we will also use (exp) to imply that the operationsin the expression exp are performed using IA even thoughthe operands are floating-point numbers. Moreover, when weperform IA operations over floating-point numbers, we haveto control the rounding mode accordingly in order to enclosethe real value of the operation. For example, if x, y ∈ IF,then we have [x, x] +

[y, y]

= [↓(x + y), ↑(x + y)]. For IA

347347

computations, we use the IntLab library [30] in Matlab.IA exhibits some of the usual properties, i.e., it is associa-

tive and commutative. Moreover, it is inclusion monotone.Namely, if [x′] ⊆ [x] and [y′] ⊆ [y], then [x′] ◦ [y′] ⊆[x] ◦ [y] where ◦ ∈ {+,−,×,÷}. However, IA has someimportant deficiencies. In detail, it is sub-distributive, i.e.,[x] ([y] + [z]) ⊆ [x] [y] + [x] [z] and, also, it has no additiveand no multiplicative inverse. In general, in IA, there isno information maintained concerning the relationship oftwo symbolic values. Consider for example the interval[x] = [−0.1, 0.1], then [x] − [x] = [−0.2, 0.2]. Obviously,this is too coarse an overapproximation. The tightest possiblebound is the interval [0, 0]. In feedback systems, suchoverapproximations will result in a quick divergence ofthe solution enclosure. Fortunately, symbolic computationsusing affine arithmetic can resolve this issue.

B. Affine Arithmetic

Affine Arithmetic (AA) [10] is also a self-validated compu-tation model that permits reasoning over ranges. AA main-tains linear dependencies between AA quantities in order toreduce some of the overapproximation issues that are presentin IA. Linear operations on AA quantities preserve suchlinear dependencies. However, when nonlinear operationsare encountered, for example multiplication, then some smalloverapproximation of the actual range is introduced.

In detail, AA quantities represent ranges over some field.In the following, we will be using angular brackets to denotesymbolic variables that represent ranges in AA. Each AAvariable 〈x〉 is the summation of a central value x0 ∈ R

and a number of affine terms xiεi, where xi ∈ R is acoefficient and εi is a variable that ranges over [−1, 1].Formally, we write 〈x〉 = x0+

∑ki=1 xiεi. The interpretation

of 〈x〉 is that for any x ∈ 〈x〉, for all i = 1, . . . , k,there exist εi ∈ [−1, 1] such that x = x0 +

∑ki=1 xiεi.

Finally, the interval represented by 〈x〉 is simply [〈x〉] :=[x0 −∑k

i=1 |xi|, x0 +∑k

i=1 |xi|] (we should appropriatelycontrol the rounding mode in the case of floating-pointnumbers). For convenience, we will denote the set of all AAquantities over the reals by AR and over the floating-pointnumbers by AF.

As mentioned earlier, linear operations, such as addition,are straightforward to define, e.g., for x, y ∈ AR, we have(x0 +

∑ki=1 xiεi

)+(y0 +

∑ki=1 yiεi

)= (x0 + y0) +∑k

i=1(xi + yi)εi. On the other hand, nonlinear operations,such as multiplication, must be defined in such a way thatthey maintain as many linear terms as possible and, inaddition, overapproximate the nonlinear terms by generatinga new affine term. For example, for x, y ∈ AR, we have〈x〉 〈y〉 = x0y0 +

(∑ki=1(x0yi) +

∑ki=1(xiy0)

)εi + zεk+1,

where z is such that |z| ≥∣∣∣(∑k

i=1 xiεi

)(∑ki=1 yiεi

)∣∣∣.One of the interesting problems in AA is how to computegood bounds on the nonlinear terms [9]. Finally, we should

mention that whenever we mix interval and affine quantitiesin an expression we implicitly assume that the intervalvariable is converted into an affine variable (see [9]).

Similar to IA, we can define affine vectors and matrices aselements of AR

n (AFn) and AR

m×n (AFm×n), respectively.

Furthermore, the infinity norm of an affine matrix is simplythe infinity norm of the corresponding interval matrix, i.e.,‖ 〈A〉 ‖∞ := ‖[〈A〉]‖∞.

Since one of our goals is to account for computationerrors, we must take into account floating-point rounding er-rors. As opposed to IA, considering floating-point roundingerrors in AA is a little bit more involved. We could just roundoutward each of the coefficients in a new affine quantity, butthen the dependencies of the affine quantity on the roundingerrors would be lost. In order to maintain as much informa-tion as possible, we can instead compute the rounding errorsfor each affine term separately and, then, we can accumulatethe errors into a new affine term. For example, for x, y ∈ AR,we have 〈x〉+ 〈y〉 = (x0 + y0)+

∑ki=1(xi + yi)εi + zεk+1,

where εk+1 is a new affine term and z captures all thefloating-point rounding errors.

In other words, we can associate an affine term with thecomputation error that occurs at each operation. These errorsand, also, the affine terms which model uncertain parametersin the system can be tracked along a computation sequence.Therefore, at each point in time, we can be cognizant onhow each uncertainty affects the current state of the system.But more importantly, the propagation of the affine termshelps to avoid the problems of IA due to lost dependenciesbetween the variables. Note, however, that it is not alwaysthe case that AA computes better bounds than IA.

Since there is no publicly available affine arithmetictoolbox for Matlab, we developed our own package AALab(Affine Arithmetic Laboratory). AALab provides a class forAA quantities and overloads most of the standard functionsand operators in Matlab in order to provide AA in a transpar-ent way to the user. In addition, AALab provides the optionto take into account or ignore floating-point rounding errors.It also offers various levels of approximations for non-linear functions (e.g., trigonometric functions) and, finally,it implements several ways of aggregating affine terms whentheir number becomes too large. We should remark that eventhough [32] also studies an implementation of AA in Matlab,that work does not support the aforementioned features.

IV. DETECTING NON-ROBUSTNESS IN SIMULATIONS

In the previous sections, we provided a short overviewon how self-validated computations can be realized withinMatlab. In this section, we use these tools in order to presenta framework for detecting non-robustness in discrete-time,continuous-time and mixed-signal Simulink models.

A. Discrete-Time Simulink Models

The main challenge in trying to perform self-validatedcomputations within the Simulink environment is that

348348

0 5 10 15 20−0.2

0

0.2

0.4

0.6

0.8

1

1.2

Figure 2. Guaranteed simulation of Example 2. The bars indicate thebounds on the guaranteed simulation for each time step of 0.1 sec, whilethe line inside is the result of the Simulink simulation.

Simulink accepts only its built-in data types, e.g., double,signal, int8, fixed-point etc. One way to overcome thisrestriction is by monitoring Simulink during a simulation.Namely, we first instrument Simulink with callback func-tions (listeners) using Simulink’s Application ProgrammingInterface (API). Then, we record the sequence of accessesand the corresponding events (such as “update” or “output”)sent to the blocks during one Simulation step. Also, wemaintain information about the input signals to the blocks. Inthe following, we refer to such sequences as block executiontraces. The advantage of inserting callbacks is that the exe-cution order semantics of Simulink is enforced. Finally, wefollow the block execution trace, but now each mathematicaloperation and all the relation checks are performed usingself-validating computation theories such as IA or AA.

We have implemented the above procedure into the soft-ware toolbox RobSimDt (ROBust SIMulations in Discrete-Time) within the Matlab programming environment. Rob-SimDt takes as input a discrete-time Simulink model D andcan perform guaranteed discrete-time simulation using theparameters provided in D. Since AA provides in generalbetter bounds on the validated solution than IA, the AAcomputation theory is chosen by default. If the user wantsto use uncertain initial conditions, parameters and/or inputs,then she or he can do so by providing them to RobSimDt.In this case, the self-validated computation model employedis the one that corresponds to the data-type of the initialconditions. The output of RobSimDt is the guaranteedsimulation trace and a structure which holds information onwhich Simulink blocks, time and input signal values thecomputation might be non-robust. The following result isimmediate from the properties of self-validated arithmetics.

Theorem 1: Let D be a discrete-time Simulink model asin Problem 1. Let x(k) be the state vector of the Simulinksimulation and 〈x〉 (k) be the state vector enclosure returnedby RobSimDt at sample k. Then, for all samples k of theSimulink simulation, we have x(k) ∈ 〈x〉 (k).

Example 2: Let us consider the continuous-time model ofFig. 1. The model is discretized with the Simulink ModelDiscretizer using zero-order hold (zoh) and a sample step

of 0.1 sec. We would like to determine the robustness of thesimulation with initial conditions [−0.1, 0.1]3 and variationof %1 in the parameter values. The Simulink simulation isperformed with initial conditions [0 0 0]T and the parametervalues as appear in Fig. 1. The result of the computation forthe signal y appears in Fig. 2. RobSimDt detected 5 pointswhere the simulation is non-robust. Below, we present howRobSimDt displays one of the warnings of possible non-robustness (recall that the threshold is 0.4):Warning 5: In the block ’Switch’ at

time 3.6, the value of the input signalto the block was 0.3537 while the rangeof the input signal computed by RobSimis [ 0.2948, 0.4126].

Next, we demonstrate how self-validated computationsand robustness checks are performed. Due to space limita-tions, we are only going to discuss briefly the proceduresof two blocks of our running example: the discrete-timeintegrator and the switch. Also, the following presentationfocuses on the use of affine arithmetic as the underlyingcomputation model which is the default option in RobSimDt.However, the application of other self-validating computa-tion models is immediate.

Discrete-Time Integrator. In the current version, Rob-SimDt supports only the forward Euler integration (or accu-mulation) method (see the on-line Simulink help documen-tation). When a discrete-time integrator is accessed throughan “update” event, it returns the value of the expression〈x〉 (k) + 〈K〉 (dt) 〈u〉 (k) which is evaluated using self-validated arithmetics. Here, 〈x〉 (k) is the (guaranteed) stateof the integrator at time k, 〈u〉 (k) is the (guaranteed) inputto the block at time k, K is the gain parameter of the blockand dt is the sample step size. Note that we enclose the realvalue of dt using interval arithmetic. This is important sincethe exact value of dt might not be representable in machinearithmetic and, thus, if floating-point rounding errors arenot accounted for, they could cause major inaccuracies inthe subsequent computations (recall the case of the Patriotmissile incident in the introduction). The same holds forthe gain K . However, we also allow for the case that thevalue of the gain K is uncertain and, moreover, it might bedependent on other system parameters. Such dependenciescan be modeled by letting 〈K〉 share affine terms with othersystem parameters. Finally, in the case where an “output”event is received, the discrete-time integrator simply returnsthe current state 〈x〉 (k).

Switch Block. The switch block can only be accessedthrough an “output” event. Let us assume that the thresholdoption in the block has been set to the option “u2 >=Threshold”. This option means that the input signal u2should be greater or equal to the threshold and that if thisis true, then the upper input signal “u1” is allowed to passthrough, otherwise the lower input signal “u3” is allowedto pass through. Now, if the formula φs(k) = (〈u2〉 (k) ≥

349349

Threshold) ∨ (〈u2〉 (k) < Threshold) evaluates to false(note that this is not a tautology since the comparisons arein IA or AA), then a robustness violation has occurred. Thisis a violation since either input signal 〈u1〉 (k) or 〈u3(k)〉could have been chosen by the switch as output. Thus, in thiscase, we record the time, block and signal values. Moreover,since we are trying to study the robustness of a particularSimulink simulation, we let the switch chose the outputsignal according to the value of the non-guaranteed inputsignal u2(k). On the other hand, if either subformula ofφs is true at time k, then the corresponding input signal isallowed to pass through.

B. Continuous-Time Simulink Models

Problem 2 is substantially more challenging then Prob-lem 1. The main obstacle is that replacing the floating-point arithmetic with self-validating methods is not enough.Namely, the model of the system does not consist any moreof ordinary difference equations, but of ordinary differentialequations which are solved using a numerical integrationalgorithm. Numerical integration algorithms can only solvethe system of equations approximately and, moreover, theyare also themselves bound to the problem of floating-pointround errors. One way to address this problem is by resortingto a guaranteed integration method [24], [6]. However, theseintegration methods require in turn the explicit representa-tion of the underlying differential equations of the system.

In general, such a system of mathematical equationscannot be derived automatically due to the complex natureof the Simulink models, e.g., switch and saturation blocks,nonlinearities etc. Moreover, linearization methods do notalways extract an exact representation of the linear systemeven if such an exact representation exists. In order tocircumvent the deficiencies of any linearization method,we symbolically compute the derivatives of a Simulinkmodel whose dynamics are affine for a given operating pointand time. For that purpose, we use our toolbox SL-Trace,which was initially developed for the symbolic executionand systematic testing of Simulink models.

Another problem that prevents us from directly employingguaranteed integrators for the solution of Problem 2 is thefact that these methods only apply to state vectors repre-sented in interval arithmetic. However, in feedback systemsit is paramount to use state vectors with symbolic numbersin affine arithmetic. Thus, in general, the dependenciesbetween the different variables during computation are pre-served and, in turn, we reduce overapproximations throughcancellations. We addressed the problem of integration bydeveloping RobSimCt.

RobSimCt (Robustness of Simulations in Continuous-time) is a toolbox built in Matlab programming environmentwhich addresses Problem 2. Similar to RobSimDt, it instru-ments the input Simulink model with listeners in order torecord the sequence of accesses to Simulink blocks in the

model. Then, it executes the Simulink simulation with thedefault parameters of the model in order to produce a blockexecution trace. Note that for the simulation itself, Simulinkcan use any built-in numerical integration method. This isimportant since we don’t have to restrict our analysis onlyto fixed-step algorithms.

For every time step Δti = ti+1 − ti in the simulation, wepass the corresponding part of the block execution trace toSL-Trace. In turn, SL-Trace returns the symbolic derivativesof the linear (or affine) system for that particular time stepand, also, the constraints on the state space of the model thatmust be satisfied (see [18] for a related approach on derivingsymbolic traces). Using the symbolic derivatives, we cancompute an enclosure of the state vector for all time betweenthe two sampling points. Then, the enclosure is comparedwith the constraints to detect possible non-robustness pointsin the simulation.

Now, let us assume that the system dynamics as returnedby SL-Trace are given by the interval matrices [A], [B] and[h]. The interpretation of these matrices is that there existsa parameter function p : [ti, ti+1] → P such that for allt ∈ [ti, ti+1], we have A∗(t) = A(p(t)) ∈ [A], B∗(t) =B(p(t)) ∈ [B] and h∗(t) = h(p(t)) ∈ [h]. Then, for anyu : [ti, ti+1] → U , the behavior of the system for the timeinterval [ti, ti+1] is defined by the solution of the equation

x(t) = A∗(t)x(t) + B∗(t)u(t) + h∗(t) (3)

Recall that our goal in this section is twofold. First,we need to verify that the Simulink simulation at timeti+1 starting from time ti is not false. Second, we haveto check that between time ti and time ti+1 there wasno potential violation of the current model invariants. Theformer requires a method that computes an inclusion of thestate of system (3) at any time t for all possible systemparameters and inputs.

Correctness of Integration. Let us first consider the casewhere there are no external inputs to the system, i.e., thestate-space representation of the system reduces to x(t) =A∗(t)x(t). Then, the solution is x(t) = Φ(t, ti)x(ti), where

Φ(t, ti) = I+∫ t

ti

A∗(s1)ds1+∫ t

ti

A∗(s1)∫ s1

ti

A∗(s2)ds2ds1+. . .

is the Peano-Baker series for the transition matrix. Here, I isthe identity matrix. Since each entry in A∗ is continuous withrespect to t and the interval [ti, t] is compact, by repeatedapplications of the mean value theorem for integrals, thereexist matrices A∗

1, A∗21, A

∗22, . . . ∈ [A] such that

Φ(t, ti) = I + A∗1(t − ti) + A∗

21A∗22

(t − ti)2

2+ . . .

Note that the mean value theorem cannot be applied to A∗,but to each of its entries. Hence, by the properties of IA, wederive the inclusion

Φ(t, ti) ∈ I + (t − ti) [A] +(t − ti)2

2[A]2 + . . . . (4)

350350

Moreover, in Section IV in [26], it was proven that the aboveseries converges to the exponential of the interval matrix:

e[A](t−ti) � I + (t − ti) [A] +(t − ti)2

2[A]2 + . . . . (5)

Thus, we haveΦ(t, ti) ∈ e[A](t−ti). (6)

Of course, we are now faced with the computation of theexponential of an interval matrix. Unfortunately, the expo-nential of an interval matrix cannot be computed exactly.In order to overapproximate the range of the exponential ofa matrix, we use the Taylor expansion in a way similar to[1] and [26] such that it also takes into account floating-point rounding errors. Let A ∈ IR

n×n, then the exponentialcan be obtained by the Taylor series e[A] = I + [A] +12 [A]2 + 1

3 [A] + . . .. In order to compute a bound on thesolution of e[A], we must first compute a number m of Taylorterms and then conservatively bound the remainder term. Inthis work, we bound the reminder term using the relationprovided in [21] (which was also employed in [1] and [26]).The next theorem, which is immediate from the propertiesof IA, provides an overapproximation of the exponential ofthe interval matrix.

Theorem 2: Given A ∈ IRn×n, an overapproximation of

the matrix exponential e[A] of order m can be obtained by:⌈e[A]

⌉= I +

m∑k=1

(

1k!

)[A]k + � sup (E([A])) (7)

where E([A]) = ‖[A]‖m+1∞

(m+1)!1

1−ε and ε = ‖[A]‖∞m+2 < 1.

Remark 1: The condition that ε < 1 is an important one.If it is not satisfied, then we should increase the order ofthe Taylor terms m. Since we are actually concerned withthe product of the system dynamics [A] with the integrationstep Δti, we can alternatively decrease the size of Δti.

Thus, a safe inclusion of the unforced propagation of thestate under rounding errors can be computed as:

〈x〉 (t) =⌈e[A]�(t−ti)

⌉〈x〉 (ti) (8)

If the state vector x computed by the numerical integrationalgorithm at time ti+1 is not contained in 〈x〉 (ti+1), i.e.,x(ti+1) �∈ 〈x〉 (ti+1), then we know that an integration erroroccurred. On the other hand, if x(ti+1) ∈ 〈x〉 (ti+1), thenwe cannot be sure whether the integration is correct or not.

Remark 2: Both numbers ti and ti+1 are machine rep-resentable floating-point numbers since they are computedduring the Simulink simulation. Nevertheless, their differ-ence Δti = ti+1 − ti might not be representable in machinearithmetic, hence in (8) we bound t − ti using IA.

Next, we have to take into account the influence ofpotential inputs or noise to the system, i.e., the case whereB∗, h∗ �= 0:

x(t) = Φ(t, ti)x(ti) +∫ t

ti

Φ(t, s)(B∗(s)u(s) + h∗(s))ds

For any s ∈ [ti, t], we have B∗(s) ∈ [B], h∗(s) ∈[h], u(s) ∈ [u] and, also, from (6) and (7) by ig-noring rounding control, we have Φ(t, s) ∈ ⌈

e[A](t−s)⌉.

By a change of variables, σ = t − s, we getdσ = −ds and

∫ t

tiΦ(t, s)(B∗(s)u(s) + h∗(s))ds ∈∫ t−ti

0

⌈e[A]σ

⌉dσ([B] [u]+[h]). From (7), we also get (again,

no rounding control)∫ t−ti

0

(I +

m∑k=1

1k!

[A]k σk + �E([A] σ)

)dσ =

= I(t − ti) +m∑

k=1

(t − ti)k+1

(k + 1)![A]k +

∫ t−ti

0

�E([A] σ)dσ

As it was indicated in [1], E([A] σ) is monotone (increasing)with respect to σ. Thus,

∫ t−ti

0 �E([A] σ)dσ ⊆ �E([A] (t−ti))

∫ t−ti

0 dσ = �E([A] (t − ti))(t − ti). Therefore, wecan compute a conservative enclosure for the effect of theexternal input u and the affine term h: [Γ]m (Δti) = I (Δti) +

∑mk=1

(Δtk+1

i

(k+1)!

)[A]k + �E([A] (Δti)) (Δti).

Constraint Violation. Next, we need to address the prob-lem of possible violation of the location invariant constraints.This step is straightforward. Along with the symbolic deriva-tives, SL-Trace also returns the invariant constraints thathold at each point in time in the simulation. More formally,for each time step [ti, ti+1], we have a set of constraintsΠi = {αjx + βju + γj ≤ 0}j∈J , which is indexed by theblock id where the relation check took place. All we needto do then is to check that for all t ∈ [ti, ti+1] and for allj ∈ J , the relation αjx(t) + βju(t) + γj ≤ 0 is satisfied.From the computation of 〈x〉 (ti+1), it is obvious that wecannot perform these checks analytically. Therefore, oncemore we must conservatively bound the state of the systembetween times ti and ti+1, that is, we have to compute a setR such that 〈x〉 (t) ⊆ R for all t ∈ [ti, ti+1].

Toward that goal, we consider an initial state x(ti) ∈〈x〉 (ti) and the final value of the trajectory at time ti+1,i.e., x(ti+1) = Φ(ti+1, ti)x(ti). Similar to [11], for any t ∈[ti, ti+1], we consider the approximation of Φ(t, ti)x(ti) bythe linear approximation x(ti) + t−ti

ti+1−ti(Φ(ti+1, ti)x(ti) −

x(ti)). Let as denote the difference between the actual valueand its approximation by δ(t), that is,

δ(t) = Φ(t, ti)x(ti)−x(ti)− t−ti

ti+1−ti(Φ(ti+1, ti)x(ti)−x(ti))

Using relation (6), the fact that x(ti) ∈ 〈x〉 (ti) and theproperties of AA, we get

δ(t) ∈(e[A](t−ti) − I − t−ti

ti+1−ti(e[A](ti+1−ti) − I)

)〈x〉 (ti)

=∞∑

k=2

(t−ti)((t−ti)k−1−(ti+1−ti)

k−1)k! [A]k 〈x〉 (ti)

Now, we are in position to adapt Theorem 3 from [1] in orderto conservatively enclose δ(t) in the set [Δ]m (Δti) 〈x〉 (ti),

351351

where [Δ]m (Δti) =∑m

k=2[λ(k, Δti), 0] [A]k + �E([A] (Δti)) and λ(k, Δti) = inf

((k

−kk−1 − k

−1k−1 )Δtk

i

k!

).

Up to now, we saw how to compute a bound on thedivergence of x(t) from the line that connects x(ti) andx(ti+1). In order to account for all such trajectories between〈x〉 (ti) and 〈x〉 (ti+1), we simply have to compute theconvex hull of the sets 〈x〉 (ti) and 〈x〉 (ti+1). Such aset cannot be computed, thus previous authors [11], [1],who have worked with zonotope representations of the statevector, have over-approximated the convex hull with a newzonotope (for details see [11]). In our work, we insteadcompute the interval convex hull (CH) of the two symbolicsets. This gives us a quick, but conservative, enclosure of theconvex hull. Thus, the resulting set enclosure for the statevector between times ti and ti+1 is

[R] = CH([〈x〉 (ti)], [〈x〉 (ti+1)]) + [Δ]m (Δti)[〈x〉 (ti)],(9)

where for some x, y ∈ IR, we have CH([x] , [y]) =[min(x, y), max(x, y)]. Now that we have an over-approximation of the reachable set between samples ti andti+1, we can perform the check for guard violation by simplychecking whether αj [R] + βj [u] + γj ≤ 0 for all j ∈ J .As mentioned before, if any of these checks fails, then wekeep the corresponding information.

Summary. The above discussion can be summarized inthe following theorem where internal computation errors arealso taken into account.

Theorem 3: Consider the time interval Ti = [ti, ti+1]and a continuous parameter function p : Ti → P suchthat for all t ∈ Ti the matrices A∗(t) = A(p(t)) ∈ [A]and B∗(t) = B(p(t)) ∈ [B] and the vector h∗(t) =h(p(t)) ∈ [h] are continuous in each of their entries withrespect to t. Moreover, let Δti = ti+1 − ti and m be theorder of the Taylor terms. Then, for any continuous inputfunction u : Ti → U such that for all t ∈ Ti we haveu(t) ∈ [u], the system (3) with initial conditions in 〈x〉 (ti)has a solution at time ti+1 which is guaranteed to lie in affineset 〈x〉 (ti+1) =

⌈e[A]�(Δti)

⌉ 〈x〉 (ti) + [Γ]m (Δti) underfloating-point arithmetic. Moreover, for any t ∈ Ti, from(9), we have 〈x〉 (t) ∈ [R] under floating-point arithmetic.

Example 3: Consider the model of Fig. 1 with parametervalues as in Example 2. For the numerical integration, weuse the stiff ODE 15 solver with variable step size with max-imum step size 0.05 sec. The constraint on the step size isnecessary in order to compute a better approximation on thereachable set. The order for the Taylor approximation usedwas 40. RobSimCt reported 317 possible constraint violationwarnings and 0 integration errors. Out of the warnings, 17were at the Switch block. The warnings generated at theAbs block can be safely ignored since the output of the Absblock in all these cases is always less than 0.4. Thus, it doesnot affect the behavior of the Switch.

0 0.5 1 1.5 2 2.50

0.2

0.4

0.6

0.8

1

Figure 3. Guaranteed simulation of Example 4. The bars indicate thebounds on the guaranteed simulation at each time step, while the line withthe circles is the result of the Simulink simulation.

C. Mixed-Signal Simulink Models

In this section, we present our recent progresses in solvingProblem 3. That is, we briefly review the integration ofRobSimDt and RobSimCt into a single toolbox, RobSim,which can test the robustness of mixed-signal models.

Currently, RobSim accepts models which have contin-uous and discrete-time components separated by Zero-Order Hold blocks. This is necessary both theoretically andimplementation-wise. Zero-Order Hold blocks enforce therequirement that the discrete-time signals have a constantcontinuous value for the duration of the respective sample,while at the same time they act as translators betweensymbolic and self-validated computations.

As before, RobSim starts by first computing the blockexecution sequence of the given Simulink model. Then, thesymbolic derivatives are derived or the discrete-time blocksare processed using self-validated arithmetics depending onwhich part of the model is updated. The process is repeatedfor each time step in the simulation.

Example 4 (Example 10-13 from [19]): Considera discrete-time controller connected to the processGp(s) = 50

s(s+10) . The transfer function of the controller

is D(z) = 5z2−6z+2z2 and the sampling rate is 10 Hz.

Note that the model has 4 states: 2 continuous-time and 2discrete-time state variables. We would like to study thecorrectness of the numerical integration. For the Simulinksimulation, we use the ODE45 solver with no constraintson the step size. The resulting trajectory has 63 points (seeFig. 3). RobSim reports that the integration is not correctat 57 points. Note, though, that the graph (Fig. 3) indicatesthat the qualitative behavior of the simulation is correct.Therefore, the user might want to further relax the boundsin order to tolerate some of the integration errors as longas the qualitative behavior is correct.

V. RELATED RESEARCH AND DISCUSSION

Our work spans and adapts results from several (distinct)research areas. In the previous sections, we have cited

352352

several papers which are related to the discussion in eachsection. Here, we summarize and discuss some works whichare directly related to our proposed framework.

Affine arithmetic (AA) [10] has been a popular compu-tation model for capturing floating-point rounding errors. In[13], the authors present a framework for the analysis offloating-point rounding errors in embedded control softwareand the corresponding toolbox FLUCTUAT. In brief, theunderlying theory in [13] is based on abstract interpretationand on AA. Our work has different scope and goals from[13]. Besides the apparent differences in the systems thatcan be handled (e.g., discrete-time vs continuous-time), ouraim is to study the robustness of a particular simulationwith respect to internal and external uncertainties in thesystem, whereas FLUCTUAT computes system invariantsand demonstrates how rounding errors propagate throughthe computation.

Another related research area is the reachability analysis[28] and verification [4] of dynamical systems with uncertainsystem parameters. Along this line of research, the workswhich are the closest related to ours appear in [15], [11]and [2]. In [15], the authors present a framework forperforming simulation of discrete-time dynamical systemswith uncertain parameters using semi-symbolic simulations.The systems are given in SystemC-AMS and the underlyingcomputation model for the symbolic simulations is AA. Themain difference between [15] and RobSimDt is that in [15]the authors compute the reachable set of a dynamical systemwithout switching dynamics while RobSimDt determines therobustness of a trajectory of a discrete-time hybrid system.Moreover, RobSimDt can account for computation errors.

The papers [11] and [2] deal with the reachability analysisof continuous-time hybrid systems based on zonotope rep-resentations of the state vector. Zonotopes can be regardedas a special case of symbolic quantities in AA. In detail,[11] presents a reachability algorithm for linear (and hybrid)systems which do not have any uncertain system param-eters. On the other hand, in [2], the authors extend theirprevious work in [1] to address the reachability problemof continuous-time hybrid systems with uncertain systemparameters. Even though, our work in this paper subsumesthe existence of a solution for the reachability problem ofcontinuous-time uncertain hybrid systems, our results differin two subtle points. That is, we have to take into accountthe possible numerical drift in the computation of time and,also, to model and capture computation errors. Finally, thegoal of our work is different when compared to [2] and[1]. RobSimCt studies the robustness and correctness of aparticular simulation.

Reachability analysis of mixed-signal circuits is addressedin [22] and [7]. However, these approaches do not handleuncertain parameters or computation errors. Finally, similarin spirit – but different in underlying theory – are the robusttesting methods [12], [17], [20], [8]. In this line of work, a

numerical simulation is performed which is representative ofa neighborhood of trajectories of the system. Nonetheless,all the above approaches ignore computation errors.

VI. CONCLUSIONS

In this paper, we have presented a framework for reportingpoints where a simulation might not be robust. Our solutioncan model and capture both uncertainties in the modeland internal computation errors. In addition, in the caseof continuous-time Simulink models with piecewise affinedynamics, we can also detect points where the numericalintegration is not correct.

One of the main advantages of our approach is that it is anon-intrusive, i.e, we let the simulation execute and, then, weanalyze the resulting trajectories (both the Simulink trajec-tory and the block execution trace). Therefore, we overcomethe key challenge of deciphering Simulink semantics and,moreover, we avoid translating the model into a formalismsuch as a hybrid automaton. To the best of our knowledge,this is the first time that robust simulations under manydifferent sources of uncertainty are considered in Simulinkand, most probably, in any model based development suite.

Even though our framework could be extended to performbounded-time reachability computations for hybrid systemsin Simulink, our goal is different. The RobSim suite ismeant to be used as an analysis tool on top of a Simulinksimulation and provide guarantees that the computation itselfis correct against modeling uncertainties and floating-pointrounding errors. Especially, the latter types of errors can bequite stealthy as we have indicated in the introduction. Inaddition, possible points of non-robustness in the simulationcan be further explored by some lightweight method suchas Monte-Carlo simulations. Beyond testing and verification,our framework could have other applications, too. For exam-ple, an efficient implementation could be used for detectingnon-robust points for code generation frameworks as in [3].

Future research is targeting three problems. First, weare working on extending the framework to non-linearcontinuous models. This essentially requires a method tocompute symbolically the derivatives of the system at eachpoint in time. Second, we are going to provide full supportfor mixed-signal systems in RobSim and port our prototypeMatlab implementation into C for more efficient computa-tion. Currently, Matlab speed is a bottleneck for scaling theRobSim framework into larger systems. Finally, we plan toadd methods for exploring the points of non-robustness inthe simulations.

REFERENCES

[1] M. Althoff, O. Stursberg, and M. Buss. Reachability analysisof linear systems with uncertain parameters and inputs. In46th IEEE Conference on Decision and Control, pages 726–732, Dec. 2007.

353353

[2] M. Althoff, O. Stursberg, and M. Buss. Verification ofuncertain embedded systems by computing reachable setsbased on zonotopes. In Proc. of the 17th IFAC WorldCongress, 2008.

[3] M. Anand, S. Fischmeister, J. Kim, and I. Lee. Generatingsound and resource-aware code from hybrid systems models.In Model-Driven Development of Reliable Automotive Ser-vices,, volume 4922 of LNCS, pages 48–66. Springer, 2008.

[4] G. Batt, C. Belta, and R. Weiss. Temporal logic analysis ofgene networks under parameter uncertainty. IEEE Transac-tions on Automatic Control, 53:215–229, Jan. 2008.

[5] M. Blair, S. Obenski, and P. Bridickas. Patriot missilesoftware problem. Technical Report GAO/IMTEC-92-26,United States General Accounting Office, 1992.

[6] O. Bouissou and M. Martel. Grklib: a guaranteed rungekutta library. In Scientific Computing, Computer Arithmeticand Validated Numerics, International Symposium on, LosAlamitos, CA, USA, 2006. IEEE Computer Society.

[7] T. Dang, A. Donze, and O. Maler. Verification of analogand mixed-signal circuits using hybrid system techniques. InFormal Methods in Computer-Aided Design, volume 3312 ofLNCS, pages 21–36. Springer, 2004.

[8] T. Dang, A. Donze, O. Maler, and N. Shalev. Sensitive state-space exploration. In Proc. of the 47th IEEE Conference onDecision and Control, pages 4049–4054, Dec. 2008.

[9] L. H. de Figueiredo and J. Stolfi. Self-Validated NumericalMethods and Applications. Brazilian Mathematics Collo-quium monographs. IMPA/CNPq, Brazil, 1997.

[10] L. H. de Figueiredo and J. Stolfi. Affine arithmetic: Conceptsand applications. Numerical Algorithms, 37(1-4):147–158,Dec. 2004.

[11] A. Girard. Reachability of uncertain linear systems usingzonotopes. In Hybrid Systems: Computation and Control,volume 3414 of LNCS, pages 291–305, 2005.

[12] A. Girard and G. J. Pappas. Verification using simulation. InHybrid Systems: Computation and Control (HSCC), volume3927 of LNCS, pages 272 – 286. Springer, 2006.

[13] E. Goubault, S. Putot, P. Baufreton, and J. Gassino. Staticanalysis of the accuracy in control systems: Principles andexperiments. In FMICS, volume 4916 of LNCS, pages 3–20.Springer, 2007.

[14] T. A. Henzinger, B. Horowitz, R. Majumdar, and H. Wong-Toi. Beyond hytech: Hybrid systems analysis using intervalnumerical methods. In Hybrid Systems: Computation andControl, pages 130–144, London, UK, 2000. Springer-Verlag.

[15] W. Heupke, C. Grimm, and K. Waldschmidt. Applicationsof Specification and Design Languages for SoCs, chapterModeling Uncertainty in Nonlinear Analog Systems withAffine Arithmetic, pages 155–169. Springer, 2006.

[16] E. P. Hofer and A. Rauh. Applications of interval algorithmsin engineering. In Proceedings of the 12th International Sym-posium on Scientific Computing, Computer Arithmetic andValidated Numerics, page 1, 2006. IEEE Computer Society.

[17] A. A. Julius, G. E. Fainekos, M. Anand, I. Lee, and G. J.Pappas. Robust test generation and coverage for hybridsystems. In Hybrid Systems: Computation and Control,number 4416 in LNCS, pages 329–342. Springer, 2007.

[18] A. Kanade, R. Alur, F. Ivancic, S. Ramesh, S. Sankara-narayanan, and K. C. Shashidhar. Generating and AnalyzingSymbolic Traces of Simulink/Stateflow Models. In CAV,pages 430–445. Springer, 2009.

[19] B. C. Kuo. Digital Control Systems. Oxford University Press,Inc., New York, NY, USA, 1992.

[20] F. Lerda, J. Kapinski, E. M. Clarke, and B. H. Krogh. Veri-fication of supervisory control software using state proximityand merging. In Hybrid Systems: Computation and Control,volume 4981 of LNCS, pages 344–357. Springer, 2008.

[21] M. Liou. A novel method of evaluating transient response.Proceedings of the IEEE, 54(1):20–23, Jan. 1966.

[22] S. Little, N. Seegmiller, D. Walter, C. Myers, and T. Yoneda.Verification of analog/mixed-signal circuits using labeled hy-brid petri nets. In Proceedings of the 2006 IEEE/ACM CAD,pages 275–282. ACM, 2006.

[23] E. Loh and G. W. Walster. Rumps example revisited. ReliableComputing, 8:245248, 2002.

[24] K. Makino and M. Berz. Cosy infinity version 9. NuclearInstruments and Methods in Physics Research Section A:Accelerators, Spectrometers, Detectors and Associated Equip-ment, 558(1):346 – 350, 2006.

[25] R. E. Moore, R. B. Kearfott, and M. J. Cloud. Introductionto Interval Analysis. SIAM, 2009.

[26] E. P. Oppenheimer and A. N. Michel. Application of intervalanalysis techniques to linear systems. ii. the interval matrixexponential function. IEEE Transactions on Circuits andSystems, 35(10):1230–1242, Oct 1988.

[27] C. Phillips. Instabilities caused by floating-point arithmeticquantization. IEEE Transactions on Automatic Control,,17(2):242–243, Apr 1972.

[28] N. Ramdani, N. Meslem, and Y. Candau. Reachability ofuncertain nonlinear systems using a nonlinear hybridization.In Proceedings of the 11th international workshop on HybridSystems, pages 415–428, 2008. Springer.

[29] S. Rump. Algorithms for verified inclusions: Theory andpractice. In R. E. Moore, editor, Reliability in Computing: TheRole of Interval Methods in Scientific Computing, chapter 1,pages 109–126. Academic Press, 1988.

[30] S. Rump. INTLAB - INTerval LABoratory. In T. Csendes,editor, Developments in Reliable Computing, pages 77–104.Kluwer Academic Publishers, Dordrecht, 1999.

[31] D. Stevenson. IEEE standard for binary floating-point arith-metic. Technical report, IEEE, August 1985.

[32] T. Yokozeki. An implementation of affine arithmetic onMatlab. Master’s thesis, Waseda University, 2004.

354354