Integrating runtime validation and hardware-in-the-loop (HiL) testing with V & V in complex hybrid systems

This study addresses the problem of assuring provably safe and correct behaviour of safety-critical complex hybrid systems (CHS) throughout their life-cycles when physical system dynamics tend to change due to natural causes. Model-based development methods are needed that integrate formal specification, verification, implementation level testing and runtime validation. Scalability limitations of available algorithms/methods dictate a modular approach, but this poses conflicting issues of compositionality, falsetransitivity, soundness and completeness. In this paper a compositional solution approach based on the decomposition and hybridisation of statechart models (into hybrid automata HA) is demonstrated. Specifically, a compositional formal verification methodology developed earlier for discrete event dynamic systems (DEDS) was elevated to hybrid dynamics, successfully overcoming the risk of false transitivity common to direct abstraction methods of continuous state-space. It was then used to develop a scalable strategy to generate sound and complete (relative to coverage criteria) tests, and configure corresponding compositional HiL tests for different abstraction and functional levels. The same decomposition was used to derive compositional runtime validation tests based on discrete invariants and differential invariants. The study formally proves that (1) the proposed HA based formal verification method is compositional, sound and complete relative to first-order logic of differential equations, (2) the modular tests are compositional and (3) the HA based test generation method is compositional, sound and complete relative to firstorder logic of differential equations. To reduce complexity compositionality is rendered parallel than sequential to perform the simpler tasks concurrently. The claims have been validated experimentally on a full scale experimental rig.


INTRODUCTION
The underlying problem addressed is assurance of provably safe and correct behaviour according to requirement specifications, in real-scale non-terminating (repeatedly looping) safety-critical complex hybrid systems (CHS) throughout their life-cycles when physical system dynamics and the environment tend to change due to natural causes. These systems have interacting continuous-variable dynamics (CVDS; position, velocity, friction, etc., expressed by differential equations or difference equations based on the model of time used: discrete time or continuous time) and discreteevent dynamics (DEDS; on/off, collision, etc., expressed by transition systems, formal languages or abstract algebras); hence called hybrid systems.
A model-based solution (the dominant paradigm (Alur, 2011)) requires expressing the requirement specifications in a formal model where the correctness and safety properties could be verified, enabling a faithful translation of the verified model into a control programme to be coded into software/hardware. specifications. Methods employed in verifying draw heavily from methods for DEDS and CVDS: for DEDS, classically, model checking (for temporal and first-order logic specifications) on transition systems and theorem proving on formal language models and process algebras have been extensively discussed (Aceto et al., 2007). CVDS specifications were classically limited to overshoot, rise-time, etc. (Belta et al., 2017). Verification of nontrivial behavioural specifications (based on temporal and differential dynamic logics) using model checking has now been made possible by providing them with transition structures through the abstraction of the state-space into affine partitions (based on observational equivalence relations -bisimilarity-). This becomes states of timed or hybrid automata with discrete transitions defined for affine boundaries (Belta, 2017;Sloth & Wisnieski, 2011), albeit with a risk of over-approximation and false-transitivity.
The core problem in model checking methods is image computation (Platzer & Clarke, 2007). For DEDS, symbolic computations help in abstracting the reachability space (the image) on a transition system, particularly for first-order logic specifications which require quantifier elimination. HA may have specifications with quantification over reals (first-order logic on reals), which would require real quantifier elimination (RQE) for model checking: RQE is impossible when modalities are present; some differential equations do not support RQE; even otherwise, complexity of RQE in real-closed fields is doubly exponential in the number of quantifier alternations. In numerical or approximation approaches, approximation errors can cause unsoundness in model checking. Platzer (2010) proposes methods based on differential induction for differential invariants to address this situation. Local invariants are found in a fixed-point algorithm for each continuous evolution D^H, with differential equation system D and evolution domain H. The local invariants are then composed into global invariants using closure properties.
However, these verification approaches are designed for hybrid systems with centralised sequential control, a limitation arising from models of computation (MoC) used here: (e.g. hybrid automata). An approach suitable for distributed systems (with, for instance, networked control, as in automobiles or aircrafts) needs MoC with richer semantics: permitting parallel composition of sequential components, thus concurrent computation.
Our MoC of choice for DEDS has been statecharts (Harel, 1987) for these reasons and it was extended to capture CVDS.
Some currently used correct-by-design model-based development approaches for reactive systems, notably the B-method and Event-B-method (Abrial, 1996;Moreira, 2015) too prescribe conducting formal verification and validation (V&V) throughout the design process: a progressive refinement process with a theorem proving system for proof obligations at each refinement stage. The premise is that detailed models cannot be built at the beginning of a development process. Event-B has been extended to handle hybrid dynamics by adding simple differential dynamic logic (dL) operations and defining a refinement calculus for differential events (Liu et al., 2014).
However, without compositional strategies for complex systems, development processes can quickly become computationally intractable and unsound/ incomplete: the case with current decomposition and refinement strategies (theoretical or commercial) (Abrial, 1996;, including the Event-B method. Disappointingly, guaranteeing completeness in compositional proofs is difficult (Namjoshi et al., 2010).
In Platzer (2010) a decomposition of hybrid systems into a sequential composition of hybrid programme (HP: their preferred MoC) components is presented; HP being extensions of conventional discrete programmes (Harel, 1979), the programmes of subsystems can be composed using logical operators in a compositional manner. However, this approach does not support parallel composition of the sequential components. Further, hybrid textual programmes lack the familiar structure and expressive power of graphical HA. Chaochen et al. (2005) realised compositionality of parallel components in hybrid systems by introducing continuous statements into process algebraic models, CSP (Hoare, 1985) to be precise, defining hybrid CSP. However, verification methods for hybrid CSP are yet to be developed.
In this paper we demonstrate our compositional approach to formal verification and test design, which supports parallel composition of sequential HA: statecharts (Harel, 1987) modelling discrete-event dynamics of a hybrid system are decomposed into a set of automata (language generators) communicating through port-structures using a decomposition we introduced previously (Dewasurendra, 2006;Vidanapathirana et al., 2011) based on Drusinsky and Harel (1989). Differential equations/constraints are embedded into automata states representing real actions in the physical system. As will be seen in our development, such states are few in numbers in these modules and ports. The generated architecture is unique, permitting efficient compositional verification of hybrid dynamics.
In addition to design verification, testing a CHS implementation is mandatory: for instance, ISO 26262-6 requires back-to-back testing of a model and an implementation derived from the model. Testing needs to be sound and complete, while avoiding redundant coverage. Sound and exhaustive tests are generated in (Tretmans, 2008) for a given specification in the limited context of an ioco (input-output conformance) labelled transition system. In complex systems, modularity needs to be exploited, but there is not much reported on compositionality in test design: (Bijl et al., 2003;Daca et al., 2014) are exceptions, treating ioco labelled transition systems. These are still open problems for more general configurations.
In Ferrante et al. (2016) formal models of the system (simulink blocks and stateflow) are translated to NuSMV programmes, which are then run against negations of CTL formulas representing individual test objectives to generate counter-examples that become tests covering the required test criteria. The approach is not compositional, nor does it support continuous dynamics, and may not scale up. Time partition testing by Bringmann and Kramer (2006), targets continuous behaviour testing, extendable to hybrid components using stream-processing functions of Müller and Scholz (1997). However, their tests do not derive from or relate to formal verification models.
Finally, variations in physical system dynamics and environment not captured in the modelling phase require runtime validation to ensure continued safety.
Hence, test design and runtime validation need to be contemplated from early stages of modelling for formal verification and validation (V&V) (ARTEMIS, 2005;Namjoshi & Trefler, 2010;Nielsen, 2014;CRYSTAL, 2016) as required by standards such as EN50128, DO-178C, IEC 61508, IEC 60880 and ISO 26262. Formal validation of model-based development at instrumentation level is still poorly supported (Bringmann & Kramer, 2008). De Matos (2015) and Nielsen (2014) help comparing a strict formal modelbased development and a combination of formal and traditional unit-test based methods. (Malik & Roop, 2015) discuss code generation from method-B. We do not cover formal verification of automated code generators in this paper.
We address the issues raised above through compositional integration of these functions on statechart models. This paper provides details on, the design, setup and results of hardware-in-the-Loop (HiL) tests, and runtime validation carried out on a fully functional prototype CHS.
Specific contributions of the paper are the following: (a) Elevating compositional formal verification from DEDS to hybrid dynamics by converting simpler automata modules from our statechart decomposition into HA: the graphical models facilitating collaborative development. Kim and Lee (2003) and Malik and Roop (2019) discuss code generation from HA. We overcome over-approximation and risk of false transitivity common to direct abstraction methods of continuous state-space.
(b) Use of the decomposition from (a) to configure compositional HiL tests and MiL tests (reported earlier) for testing at different abstraction and functional levels of the CHS.
(c) A scalable strategy to generate sound and complete (relative to coverage criteria) tests for CHS using (a), reducing the possibility of error introduction.
(d) Deriving compositional runtime validation tests from specifications in (a).
Some implementation -level faults of the integrated system could be identified and corrected in this approach.
A fully functional passenger elevator was built with safety features as CHS test-bed. The elevator controller, designed and implemented first on PLC was easily migrated to FPGA hardware, demonstrating the flexibility of our approach. Control implementation is distributed: the discrete-event control, modularly in an FPGA and the continuous-variable control of motors as Simulink blocks on a PC.

Compositional modelling of hybrid dynamics
In hybrid dynamical systems (Alur et al., 1995;Henzinger, 1996;Chaochen et al., 2005), states change 396 S.D. Dewasurendra et al. December 2019 Journal of the National Science Foundation of Sri Lanka 47 (4) instantaneously (possibly discontinuously) for discrete transitions and following differential equations, subject to defined restrictions resulting from physical circumstances or the interaction of continuous dynamics with discrete control. Continuous-variables pose the greatest challenge in verifying hybrid systems. The state spaces become infinite with infinite time actions.
We demonstrate how hybrid automata (HA) (Henzinger, 1996) can model hybrid dynamical systems, through a simple example.
The HA in Figure 1(a) models hybrid dynamics of a moving object. When it is in acceleration mode the node ACCLN is active. The continuous acceleration of Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 7 set of differential equations � = and � = , where is the distance travelled. When it attains a speed of = 1 the ACCLN is deactivated and node DCCLN becomes active: it starts to decelerate with = − , > 0. When the speed falls below = 2 the state DCCLN is deactivated and ACCLN becomes active again.
aton for controlled linear motion of an object (b) Cabin Controller with discrete-event brid augmentation of statechart state 'UP' of the cabin controller.
utomata and hybridization of Statecharts.
is the distance travelled. When it attains a speed of Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 7 set of differential equations � = and � = , where is the distance travelled. When it attains a speed of = 1 the ACCLN is deactivated and node DCCLN becomes active: it starts to decelerate with = − , > 0. When the speed falls below = 2 the state DCCLN is deactivated and ACCLN becomes active again.  the ACCLN is deactivated and node DCCLN becomes active. It starts to decelerate with Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 7 set of differential equations � = and � = , where is the distance travelled. When it attains a speed of = 1 the ACCLN is deactivated and node DCCLN becomes active: it starts to decelerate with = − , > 0. When the speed falls below = 2 the state DCCLN is deactivated and ACCLN becomes active again.  . When the speed falls below  this process is shown in Fig. 1(b). The or the states, 'Cabin Controller' and 'UP', igs.2(a, b and c), respectively. The portbility check on interaction specification surendra S.D., 2006) and to impose local expresses that the object always has a positive velocity. In general, Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 8 l specifications on the system can now be defined on this model: e.g., the l Dynamic Logic (dL) (Platzer A., 2010) formula [object](  0) expresses that the ys has a positive velocity. In general, [ ] specifies that property ' ' holds in all cutions of hybrid system ' '. A control objective could be to determine ing parameter constraints that guarantee the validity of such a formula and a objective could be to ascertain the satisfaction of those constraints in ations.
however, cannot be decomposed into sub graphs, αi such that the formula � ] � becomes equivalent to [ ] , because of the loose connecting edges between phs � (Platzer A., 2010). For instance, the automaton in Fig. 1 D., 2006;2013;2017;2013) we gradually developed a compositional formal verification strategy ex Reactive Systems starting from statechart based specifications for DEDS. Our ecomposition results in sequential components (finite state automata) that accept position when the plant possesses concurrently evolving subsystems (AND states hart). Previously we were more concerned about compositionally verifying the of the decomposition and using the decomposition for distributed supervisory plementation. More importantly, however, this decomposition potentially reduces xity of the image computation problem in model checking.
or-Cabin Controller module developed in this process is shown in Fig. 1(b). The enerators (LG) developed in this process for the states, 'Cabin Controller' and 'UP', rt-structure between them are given in Figs.2(a, b and c), respectively. The portas been developed to perform a controllability check on interaction specification e two hierarchically adjacent states (Dewasurendra S.D., 2006) and to impose local specifies that property ' me Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 8 ural specifications on the system can now be defined on this model: e.g., the tial Dynamic Logic (dL) (Platzer A., 2010) formula [object](  0) expresses that the lways has a positive velocity. In general, [ ] specifies that property ' ' holds in all executions of hybrid system ' '. A control objective could be to determine nding parameter constraints that guarantee the validity of such a formula and a tion objective could be to ascertain the satisfaction of those constraints in entations.
, , however, cannot be decomposed into sub graphs, αi such that the formula [ � ] � becomes equivalent to [ ] , because of the loose connecting edges between graphs � (Platzer A., 2010). For instance, the automaton in Fig. 1 D., 2006;2013;2017;2013) we gradually developed a compositional formal verification strategy plex Reactive Systems starting from statechart based specifications for DEDS. Our rt decomposition results in sequential components (finite state automata) that accept composition when the plant possesses concurrently evolving subsystems (AND states techart). Previously we were more concerned about compositionally verifying the ess of the decomposition and using the decomposition for distributed supervisory implementation. More importantly, however, this decomposition potentially reduces plexity of the image computation problem in model checking.
vator-Cabin Controller module developed in this process is shown in Fig. 1(b). The e generators (LG) developed in this process for the states, 'Cabin Controller' and 'UP', port-structure between them are given in Figs.2(a, b and c), respectively. The porte has been developed to perform a controllability check on interaction specification the two hierarchically adjacent states (Dewasurendra S.D., 2006) and to impose local ' holds in all future executions of hybrid system ' Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 8 Behavioural specifications on the system can now be defined on this model: e.g., the Differential Dynamic Logic (dL) (Platzer A., 2010) formula [object](  0) expresses that the object always has a positive velocity. In general, [ ] specifies that property ' ' holds in all future executions of hybrid system ' '. A control objective could be to determine corresponding parameter constraints that guarantee the validity of such a formula and a verification objective could be to ascertain the satisfaction of those constraints in implementations.
An HA, , however, cannot be decomposed into sub graphs, αi such that the formula because of the loose connecting edges between the sub graphs � (Platzer A., 2010). For instance, the automaton in Fig. 1

VERIFICATION OF ELEVATOR CONTROL
In (Dewasurendra S.D., 2006;2013;2017;Vidanapathirana A.C. et al., 2011;2013) we gradually developed a compositional formal verification strategy for Complex Reactive Systems starting from statechart based specifications for DEDS. Our statechart decomposition results in sequential components (finite state automata) that accept parallel composition when the plant possesses concurrently evolving subsystems (AND states in a statechart). Previously we were more concerned about compositionally verifying the correctness of the decomposition and using the decomposition for distributed supervisory control implementation. More importantly, however, this decomposition potentially reduces the complexity of the image computation problem in model checking.
The Elevator-Cabin Controller module developed in this process is shown in Fig. 1(b). The language generators (LG) developed in this process for the states, 'Cabin Controller' and 'UP', and the port-structure between them are given in Figs.2(a, b and c), respectively. The portstructure has been developed to perform a controllability check on interaction specification between the two hierarchically adjacent states (Dewasurendra S.D., 2006) and to impose local '. A control objective could be to determine corresponding parameter constraints that guarantee the validity of such a formula and a verification objective could ascertain the satisfaction of those constraints in implementations. owever, cannot be decomposed into sub graphs, αi such that the formula � becomes equivalent to [ ] , because of the loose connecting edges between s � (Platzer A., 2010). For instance, the automaton in Fig. 1 -Cabin Controller module developed in this process is shown in Fig. 1(b). The erators (LG) developed in this process for the states, 'Cabin Controller' and 'UP', structure between them are given in Figs.2(a, b and c), respectively. The portbeen developed to perform a controllability check on interaction specification , however, cannot be decomposed into sub graphs, α i such that the formula Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 8 Behavioural specifications on the system can now be defined on this model: e.g., the Differential Dynamic Logic (dL) (Platzer A., 2010) formula [object](  0) expresses that the object always has a positive velocity. In general, [ ] specifies that property ' ' holds in all future executions of hybrid system ' '. A control objective could be to determine corresponding parameter constraints that guarantee the validity of such a formula and a verification objective could be to ascertain the satisfaction of those constraints in implementations.
An HA, , however, cannot be decomposed into sub graphs, αi such that the formula because of the loose connecting edges between the sub graphs � (Platzer A., 2010). For instance, the automaton in Fig. 1

VERIFICATION OF ELEVATOR CONTROL
In (Dewasurendra S.D., 2006;2013;2017;Vidanapathirana A.C. et al., 2011;2013) we gradually developed a compositional formal verification strategy for Complex Reactive Systems starting from statechart based specifications for DEDS. Our statechart decomposition results in sequential components (finite state automata) that accept parallel composition when the plant possesses concurrently evolving subsystems (AND states in a statechart). Previously we were more concerned about compositionally verifying the correctness of the decomposition and using the decomposition for distributed supervisory control implementation. More importantly, however, this decomposition potentially reduces the complexity of the image computation problem in model checking.
The Elevator-Cabin Controller module developed in this process is shown in Fig. 1(b). The language generators (LG) developed in this process for the states, 'Cabin Controller' and 'UP', and the port-structure between them are given in Figs.2(a, b and c), respectively. The portstructure has been developed to perform a controllability check on interaction specification between the two hierarchically adjacent states (Dewasurendra S.D., 2006) and to impose local becomes equivalent to Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 8 al specifications on the system can now be defined on this model: e.g., the l Dynamic Logic (dL) (Platzer A., 2010) formula [object](  0) expresses that the ays has a positive velocity. In general, [ ] specifies that property ' ' holds in all ecutions of hybrid system ' '. A control objective could be to determine ing parameter constraints that guarantee the validity of such a formula and a n objective could be to ascertain the satisfaction of those constraints in tations.
, however, cannot be decomposed into sub graphs, αi such that the formula � ] � becomes equivalent to [ ] , because of the loose connecting edges between phs � (Platzer A., 2010). For instance, the automaton in Fig. 1 urendra S.D., 2006;2013;2017;2013) we gradually developed a compositional formal verification strategy lex Reactive Systems starting from statechart based specifications for DEDS. Our decomposition results in sequential components (finite state automata) that accept mposition when the plant possesses concurrently evolving subsystems (AND states hart). Previously we were more concerned about compositionally verifying the s of the decomposition and using the decomposition for distributed supervisory plementation. More importantly, however, this decomposition potentially reduces exity of the image computation problem in model checking.
tor-Cabin Controller module developed in this process is shown in Fig. 1(b). The enerators (LG) developed in this process for the states, 'Cabin Controller' and 'UP', rt-structure between them are given in Figs.2(a, b and c), respectively. The portas been developed to perform a controllability check on interaction specification e two hierarchically adjacent states (Dewasurendra S.D., 2006) and to impose local , because of the loose connecting edges between the sub graphs Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 8 Behavioural specifications on the system can now be defined on this model: e.g., the Differential Dynamic Logic (dL) (Platzer A., 2010) formula [object](  0) expresses that the object always has a positive velocity. In general, [ ] specifies that property ' ' holds in all future executions of hybrid system ' '. A control objective could be to determine corresponding parameter constraints that guarantee the validity of such a formula and a verification objective could be to ascertain the satisfaction of those constraints in implementations.
An HA, , however, cannot be decomposed into sub graphs, αi such that the formula because of the loose connecting edges between the sub graphs � (Platzer A., 2010). For instance, the automaton in Fig. 1

VERIFICATION OF ELEVATOR CONTROL
In (Dewasurendra S.D., 2006;2013;2017;Vidanapathirana A.C. et al., 2011;2013) we gradually developed a compositional formal verification strategy for Complex Reactive Systems starting from statechart based specifications for DEDS. Our statechart decomposition results in sequential components (finite state automata) that accept parallel composition when the plant possesses concurrently evolving subsystems (AND states in a statechart). Previously we were more concerned about compositionally verifying the correctness of the decomposition and using the decomposition for distributed supervisory control implementation. More importantly, however, this decomposition potentially reduces the complexity of the image computation problem in model checking.
The Elevator-Cabin Controller module developed in this process is shown in Fig. 1(b). The language generators (LG) developed in this process for the states, 'Cabin Controller' and 'UP', and the port-structure between them are given in Figs.2(a, b and c), respectively. The portstructure has been developed to perform a controllability check on interaction specification between the two hierarchically adjacent states (Dewasurendra S.D., 2006) and to impose local (Platzer, 2010). For instance, the automaton in Figure 1 An HA, , however, cannot be decomposed into sub graphs, αi such that the formula because of the loose connecting edges between the sub graphs � (Platzer A., 2010). For instance, the automaton in Fig. 1

VERIFICATION OF ELEVATOR CONTROL
In (Dewasurendra S.D., 2006;2013;2017;Vidanapathirana A.C. et al., 2011;2013) we gradually developed a compositional formal verification strategy for Complex Reactive Systems starting from statechart based specifications for DEDS. Our statechart decomposition results in sequential components (finite state automata) that accept parallel composition when the plant possesses concurrently evolving subsystems (AND states in a statechart). Previously we were more concerned about compositionally verifying the correctness of the decomposition and using the decomposition for distributed supervisory control implementation. More importantly, however, this decomposition potentially reduces the complexity of the image computation problem in model checking.
The Elevator-Cabin Controller module developed in this process is shown in Fig. 1(b). The language generators (LG) developed in this process for the states, 'Cabin Controller' and 'UP', and the port-structure between them are given in Figs.2(a, b and c), respectively. The portstructure has been developed to perform a controllability check on interaction specification between the two hierarchically adjacent states (Dewasurendra S.D., 2006) and to impose local , since the trigger events between the nodes cannot be accommodated in the decomposed components. Hence, HA are not directly compositional.

Statechart with hybrid augmentation for compositional verification of elevator control
In our previous studies (Dewasurendra, 2006;2013;2017;Vidanapathirana et al., 2011;2013), we gradually developed a compositional formal verification strategy for complex reactive systems starting from statechart -based specifications for DEDS. Our statechart decomposition results in sequential components (finite state automata) that accept parallel composition when the plant possesses concurrently evolving subsystems (AND states in a statechart). Previously we concerned more about the compositional verifying of the correctness of decomposition and using the decomposition for distributed supervisory control implementation. More importantly, this decomposition potentially reduces the complexity of the image computation problem in model checking.
The elevator-cabin controller module developed in this process is shown in Figure 1(b). The language generators (LG) developed in this process for the states, 'Cabin Controller' and 'UP', and the port-structure between them are given in Figures 2 a, b and c, respectively. The port-structure has been developed to perform a controllability check on interaction specification between two hierarchically adjacent states (Dewasurendra, 2006) and to impose local supervisory control. In this paper we augment states representing real actions of the formal language generators and corresponding port-structures with continuous-variable dynamics to build HA. Figure 1(c), explains what would be obtained if instead, the continuous-variable dynamics were included in the statechart itself. In developing the hybrid control we closely follow the strategy used in the cooperation protocols of European Train Control System (ETCS) (Platzer, 2010).
Elevator-cabin movements consist of discrete-event dynamics, continuous variable dynamics (differential or difference equations), and their hybrid interactions. The elevator cabin control system, (CCS), was designed for the hybrid control and runtime validation of the cabin. The CCS consists of two concurrent controllers as shown in Figure 1(c): the movement update controller, (MUC), and the cabin controller, (CC). The MUC gives movement updates (MU) to CC based on the current state of the cabin dynamics. Cabin is allowed to move within its current MU, which can be updated dynamically by the MUC. Hence CC needs to regulate the movement of the cabin such that it always remains within its MU given by the MUC. The expected cabin speed profile is predetermined, specifying comfort levels of passengers inside: smooth acceleration, constant speed and deceleration before the cabin stops at a requested floor.
To illustrate our approach, we expanded the discrete sub states of 'UP' state of Figure 1(b) as HA in Figure 1(c) and introduced a control interface to represent the MUC to obtain the HA -based statechart state CCS (Cabin-Control-System) in Figure 1 (c). The discrete events of Figure 1(b,c) are described in Table 1.

MU is a vector
Runtime Validation and Hardware in the Loop (HiL) Testing of Com 9 supervisory control. In this paper we augment states representing rea language generators and corresponding port-structures with continuou build HA. For ease of explanation, we demonstrate in Fig. 1(c), wha instead, the continuous-variable dynamics were included in the statecha the hybrid control we closely follow the strategy used in cooperation Train Control System (ETCS) (Platzer A., 2010).
Elevator-cabin movements consist of discrete-event dynamics, continu  Table I supervisory control. In this paper we augment states representing real actions of the formal language generators and corresponding port-structures with continuous-variable dynamics to build HA. For ease of explanation, we demonstrate in Fig. 1(c), what would be obtained if instead, the continuous-variable dynamics were included in the statechart itself. In developing the hybrid control we closely follow the strategy used in cooperation protocols of European Train Control System (ETCS) (Platzer A., 2010).
Elevator-cabin movements consist of discrete-event dynamics, continuous variable dynamics CC based on the current state of the cabin dynamics. Cabin is allowed to move within its current MU, which can be updated dynamically by the MUC. Hence CC needs to regulate the movement of the cabin such that it always remains within its MU given by the MUC. The expected cabin speed profile is predetermined, specifying comfort levels of passengers inside: smooth acceleration, constant speed and deceleration before the cabin stops at a requested floor.
To illustrate our approach, we expanded the discrete sub-states of 'UP' state of Fig Table I. MU is a vector = ( , , ), a dL constraint as follows: beyond the latest updated end point . along the hoist way, the cabin is not permitted by the MUC to have a velocity greater than the desired velocity, . . The cabin should try not to exceed the recommended velocity . during the move, while short periods of slightly higher values are allowed.  Table I. MU is a vector = ( , , ), a dL constraint as follow point .
along the hoist way, the cabin is not permitted greater than the desired velocity, . . The cabin should try velocity . during the move, while short periods of slight 2(d) shows an example of a possible cabin speed profile in c of that changes over time due to the control actions of CC as mi.ep, mi.dv, mi.rv, for periods i = 1, 2,., n. The comp explained in Ch. III.

MOVEMENT-UPDATE CONTROL MUC
during the move, while short periods of slightly higher values are allowed.  Table I MOVEMENT-UPDATE C that changes over time due to the control actions of CC. The moving vectors are updated as m i .ep, m i .dv, m i .rv, for periods i = 1, 2,., n. The computation of these constraints are explained later.

Movement-update control MUC
Given the required speed profile of the cabin along the hoist way, the MUC provides timely information to the CC to regulate the velocity of the cabin by comparing the actual and recommended speed values (see output transitions from the state, MOVING, in Figure 1(c)).
Getting back to the construction proposed in this paper, we start off from language generators in Figures. 2(a) and (b). The states representing real actions in the physical system are, UP, DOWN, ARRIVED, CAR_STOP and UP_ON.
These are the states to be augmented by embedding HA: we embed the UP_ON hybrid automaton from the statechart in Figure 1(c) in the UP_ON state of the language generator in Figure 2(b). For states in Figure 2(b) corresponding to basic states of Figure 1(c), the differential equations from the latter are embedded in the former.  The next step is to embed the HA, MUC. This has to go into a state of the port-structure in Figure 2(c). Since the conditions specified for continuous-variables in MUC are valid in state '0' of the port-structure, we embed MUC in state '0'.
The collapsed versions (in which embedded hybridautomata/differential equations are removed from their states) of these hybrid embedded language generators and port structures were used to perform discreteevent based compositional verification of the control (Dewasurendra, 2006;Vidanapathirana et al., 2011Vidanapathirana et al., , 2013. Distributed verification of continuous variable dynamics carried out using embedded HA is described next. In latter verification we closely follow the work of Platzer in ETCS (Platzer, 2010) using dL.

Differential dynamic logics for verification of continuous-variable dynamics
A proof calculus for Differential Dynamic Logic (dL) (first order dynamic logic for reals) and its temporal extension, developed by Harel (1979) and Platzer (2010) uses discrete/ differential induction on differential invariants/variants for compositional verification of HDS. The proof of calculus is complete relative to handling differential equations. To achieve scalability, the invariants/variants are compositionally computed in proof loops: dL is closed under logical operators (Chaochen et al., 2005). However, the use of sequential HP to express system dynamics limits this to sequential composition. We elevate this to parallel composition.
In dL the model formula [α]ɸ expresses that all states reachable by the hybrid system, α satisfy the dL formula Φ and Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 11 Getting back to the construction proposed in this paper, we start off from language generators in Figs. 2(a) and 2(b). The states representing real actions in the physical system are, UP, DOWN, ARRIVED, CAR_STOP and UP_ON. These are the states to be augmented by embedding HA: we embed the UP_ON hybrid automaton from the statechart in Fig. 1(c) in the UP_ON state of the language generator in Fig.2(b). For states in Fig.2(b) corresponding to basic states of Fig. 1(c), the differential equations from the latter are embedded in the former. The next step is to embed the HA, MUC. This has to go into a state of the Port-structure in Fig.   2(c). Since the conditions specified for continuous-variables in MUC are valid in state '0' of the port-structure, we embed MUC in state '0'.
The collapsed versions (with embedded hybrid-automata/differential equations removed from their states) of these hybrid-embedded language generators and port-structures were used to perform discrete-event based compositional verification of the control (Vidanapathirana A.C. et al., , 2013Dewasurendra S.D., 2006). Distributed verification of continuous-variable dynamics carried out using embedded HA is described next. In this latter verification we closely follow the work of Platzer in ETCS (Platzer A., 2010) using dL.

CONTINUOUS-VARIABLE DYNAMICS
A proof calculus for Differential Dynamic Logic (dL) (first-order dynamic logic for reals) and its temporal extension, developed in (Harel D., 1979;Platzer A., 2010), uses discrete/ differential induction on differential invariants/variants for compositional verification of HDS.
The proof calculus is complete relative to handling differential equations. To achieve scalability the invariants/variants are compositionally computed in proof loops: dL is closed under logical operators (Chaochen Z. et al., 2005). However, their use of sequential HP to express system dynamics limits this to sequential composition. We elevate this to parallel composition.
In dL the modal formula [α]ɸ expresses that all states reachable by the hybrid system α satisfy the dL formula Φ and 〈α〉ɸ , that at least one state reachable by α satisfies  . Typically, in first-order dL, where quantifiers over reals are allowed, ∃ [ ]〈 〉∅ says that there is a choice of parameter p (denoted ∃ ) such that, for all possible (future) behaviours of system α (denoted that at least one state reachable by α satisfies φ . Typically, in first order dL, where quantifiers over reals are allowed, Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems 11 Getting back to the construction proposed in this paper, we start off from language generators in Figs. 2(a) and 2(b). The states representing real actions in the physical system are, UP, DOWN, ARRIVED, CAR_STOP and UP_ON. These are the states to be augmented by embedding HA: we embed the UP_ON hybrid automaton from the statechart in Fig. 1(c) in the UP_ON state of the language generator in Fig.2(b). For states in Fig.2(b) corresponding to basic states of Fig. 1(c), the differential equations from the latter are embedded in the former. The next step is to embed the HA, MUC. This has to go into a state of the Port-structure in Fig.   2(c). Since the conditions specified for continuous-variables in MUC are valid in state '0' of the port-structure, we embed MUC in state '0'.
The collapsed versions (with embedded hybrid-automata/differential equations removed from their states) of these hybrid-embedded language generators and port-structures were used to perform discrete-event based compositional verification of the control (Vidanapathirana A.C. et al., , 2013Dewasurendra S.D., 2006). Distributed verification of continuous-variable dynamics carried out using embedded HA is described next. In this latter verification we closely follow the work of Platzer in ETCS (Platzer A., 2010) using dL.

CONTINUOUS-VARIABLE DYNAMICS
A proof calculus for Differential Dynamic Logic (dL) (first-order dynamic logic for reals) and its temporal extension, developed in (Harel D., 1979;Platzer A., 2010), uses discrete/ differential induction on differential invariants/variants for compositional verification of HDS.
The proof calculus is complete relative to handling differential equations. To achieve scalability the invariants/variants are compositionally computed in proof loops: dL is closed under logical operators (Chaochen Z. et al., 2005). However, their use of sequential HP to express system dynamics limits this to sequential composition. We elevate this to parallel composition.
In dL the modal formula [α]ɸ expresses that all states reachable by the hybrid system α satisfy the dL formula Φ and 〈α〉ɸ , that at least one state reachable by α satisfies  . Typically, in first-order dL, where quantifiers over reals are allowed, ∃ [ ]〈 〉∅ says that there is a choice of parameter p (denoted ∃ ) such that, for all possible (future) behaviours of system α (denoted Getting back to the construction proposed in this paper, we start off from language generators in Figs. 2(a) and 2(b). The states representing real actions in the physical system are, UP, DOWN, ARRIVED, CAR_STOP and UP_ON. These are the states to be augmented by embedding HA: we embed the UP_ON hybrid automaton from the statechart in Fig. 1(c) in the UP_ON state of the language generator in Fig.2(b). For states in Fig.2(b) corresponding to basic states of Fig. 1(c), the differential equations from the latter are embedded in the former. The next step is to embed the HA, MUC. This has to go into a state of the Port-structure in Fig.   2(c). Since the conditions specified for continuous-variables in MUC are valid in state '0' of the port-structure, we embed MUC in state '0'.
The collapsed versions (with embedded hybrid-automata/differential equations removed from their states) of these hybrid-embedded language generators and port-structures were used to perform discrete-event based compositional verification of the control (Vidanapathirana A.C. et al., , 2013Dewasurendra S.D., 2006). Distributed verification of continuous-variable dynamics carried out using embedded HA is described next. In this latter verification we closely follow the work of Platzer in ETCS (Platzer A., 2010) using dL.

CONTINUOUS-VARIABLE DYNAMICS
A proof calculus for Differential Dynamic Logic (dL) (first-order dynamic logic for reals) and its temporal extension, developed in (Harel D., 1979;Platzer A., 2010), uses discrete/ differential induction on differential invariants/variants for compositional verification of HDS.
The proof calculus is complete relative to handling differential equations. To achieve scalability the invariants/variants are compositionally computed in proof loops: dL is closed under logical operators (Chaochen Z. et al., 2005). However, their use of sequential HP to express system dynamics limits this to sequential composition. We elevate this to parallel composition.
In dL the modal formula [α]ɸ expresses that all states reachable by the hybrid system α satisfy the dL formula Φ and 〈α〉ɸ , that at least one state reachable by α satisfies  . Typically, in first-order dL, where quantifiers over reals are allowed, ∃ [ ]〈 〉∅ says that there is a choice of parameter p (denoted ∃ ) such that, for all possible (future) behaviours of system α (denoted Getting back to the construction proposed in this paper, we start off from language generators in Figs. 2(a) and 2(b). The states representing real actions in the physical system are, UP, DOWN, ARRIVED, CAR_STOP and UP_ON. These are the states to be augmented by embedding HA: we embed the UP_ON hybrid automaton from the statechart in Fig. 1(c) in the UP_ON state of the language generator in Fig.2(b). For states in Fig.2(b) corresponding to basic states of Fig. 1(c), the differential equations from the latter are embedded in the former. The next step is to embed the HA, MUC. This has to go into a state of the Port-structure in Fig.   2(c). Since the conditions specified for continuous-variables in MUC are valid in state '0' of the port-structure, we embed MUC in state '0'.
The collapsed versions (with embedded hybrid-automata/differential equations removed from their states) of these hybrid-embedded language generators and port-structures were used to perform discrete-event based compositional verification of the control (Vidanapathirana A.C. et al., , 2013Dewasurendra S.D., 2006). Distributed verification of continuous-variable dynamics carried out using embedded HA is described next. In this latter verification we closely follow the work of Platzer in ETCS (Platzer A., 2010) using dL.

CONTINUOUS-VARIABLE DYNAMICS
A proof calculus for Differential Dynamic Logic (dL) (first-order dynamic logic for reals) and its temporal extension, developed in (Harel D., 1979;Platzer A., 2010), uses discrete/ differential induction on differential invariants/variants for compositional verification of HDS.
The proof calculus is complete relative to handling differential equations. To achieve scalability the invariants/variants are compositionally computed in proof loops: dL is closed under logical operators (Chaochen Z. et al., 2005). However, their use of sequential HP to express system dynamics limits this to sequential composition. We elevate this to parallel composition.
In dL the modal formula [α]ɸ expresses that all states reachable by the hybrid system α satisfy the dL formula Φ and 〈α〉ɸ , that at least one state reachable by α satisfies  . Typically, in first-order dL, where quantifiers over reals are allowed, ∃ [ ]〈 〉∅ says that there is a choice of parameter p (denoted ∃ ) such that, for all possible (future) behaviours of system α (denoted [α]) there is some reaction of system β (denoted〈 〉) that ensures ∅.

) that ensures
the Loop (HiL) Testing of Complex Hybrid Systems 11 sed in this paper, we start off from language generators resenting real actions in the physical system are, UP, d UP_ON. These are the states to be augmented by hybrid automaton from the statechart in Fig. 1(c) in the or in Fig.2(b). For states in Fig.2(b) corresponding to l equations from the latter are embedded in the former.
. This has to go into a state of the Port-structure in Fig. r continuous-variables in MUC are valid in state '0' of tate '0'. d hybrid-automata/differential equations removed from language generators and port-structures were used to ional verification of the control (Vidanapathirana A.C. , 2006). Distributed verification of continuous-variable A is described next. In this latter verification we closely latzer A., 2010) using dL.

S-VARIABLE DYNAMICS
mic Logic (dL) (first-order dynamic logic for reals) and (Harel D., 1979;Platzer A., 2010), uses discrete/ ariants/variants for compositional verification of HDS.    For elevating their sequential composition to admit parallel composition using parallel HA, consider systems α and β above as resulting from the decomposition of an AND state of a statechart model: this permits concurrent evaluation of  . In addition, when model-checking for these properties, the granularity of decomposition products of the statechart can be kept as fine as desired, thus making real quantifier elimination manageable in practice: cf. classical state-space abstraction of CVDS into convex polytopes. This extends our compositional formal verification methodology from DEDS to CVDS.

Differential dynamic logic for runtime validation
Still using the hybrid augmented statechart in Figure 1(c) the current state, 12 statechart model: this permits concurrent evaluation of ∃ [ ]∅ and ∃ [ ]∅. In addition when model-checking for these properties, the granularity of decomposition products of the statechart can be kept as fine as desired, thus making real quantifier elimination manageable in practice: cf. classical state-space abstraction of CVDS into convex polytopes. This extends our compositional formal verification methodology from DEDS to CVDS.

DIFFERENTIAL DYNAMIC LOGIC FOR RUNTIME VALIDATION
Still using the hybrid augmented Statechart in Fig. 1(c) the current state, = ( , , ) is given by the current position p, speed v and acceleration a, which is updated in real-time by the interaction of parallel statechart states, CC, and MUC controlling and monitoring cabin movement along the hoist way. In order to meet the speed specifications, m, posed on the cabin ( Fig.2(d)), we need to determine sufficient conditions that force . to always respect its current MU, satisfying The requirement (c1)  is given by the current position p, speed v and acceleration a, which is updated in real-time by the interaction of parallel statechart states, CC, and MUC controlling and monitoring cabin movement along the hoist way. In order to meet the speed specifications, m, posed on the cabin [ Figure 2(d)], we need to determine sufficient conditions that force 12 statechart can be kept as fine as desired, thus making real quantifier elimination manag practice: cf. classical state-space abstraction of CVDS into convex polytopes. This exte compositional formal verification methodology from DEDS to CVDS.

DIFFERENTIAL DYNAMIC LOGIC FOR RUNTIME VALIDATION
Still using the hybrid augmented Statechart in Fig. 1(c) the current state, = ( , , ) by the current position p, speed v and acceleration a, which is updated in real-time interaction of parallel statechart states, CC, and MUC controlling and monitorin movement along the hoist way. In order to meet the speed specifications, m, posed on t ( Fig.2(d)), we need to determine sufficient conditions that force . to always res current MU, satisfying The requirement (c1) Fig. 1(c) the curre by the current position p, speed v and acceleration a, which i interaction of parallel statechart states, CC, and MUC contr movement along the hoist way. In order to meet the speed specifi ( Fig.2(d)), we need to determine sufficient conditions that for current MU, satisfying The requirement (c1) expresses that the cabin velocity . The requirement (c1) expresses that the cabin velocity 12 For elevating their sequential composition to admit parallel composition using parallel HA, consider systems α and above as resulting from the decomposition of an AND state of a statechart model: this permits concurrent evaluation of ∃ [ ]∅ and ∃ [ ]∅. In addition when model-checking for these properties, the granularity of decomposition products of the statechart can be kept as fine as desired, thus making real quantifier elimination manageable in practice: cf. classical state-space abstraction of CVDS into convex polytopes. This extends our compositional formal verification methodology from DEDS to CVDS.

DIFFERENTIAL DYNAMIC LOGIC FOR RUNTIME VALIDATION
Still using the hybrid augmented Statechart in Fig. 1(c) the current state, = ( , , ) is given by the current position p, speed v and acceleration a, which is updated in real-time by the interaction of parallel statechart states, CC, and MUC controlling and monitoring cabin movement along the hoist way. In order to meet the speed specifications, m, posed on the cabin ( Fig.2(d)), we need to determine sufficient conditions that force . to always respect its current MU, satisfying The requirement (c1) expresses that the cabin velocity . does not exceed the desired speed limit . after passing the latest updated end point .
(i.e., . ≥ . model-checking for these properties, the granularity of decomposition products of the statechart can be kept as fine as desired, thus making real quantifier elimination manageable in practice: cf. classical state-space abstraction of CVDS into convex polytopes. This extends our compositional formal verification methodology from DEDS to CVDS.

DIFFERENTIAL DYNAMIC LOGIC FOR RUNTIME VALIDATION
Still using the hybrid augmented Statechart in Fig. 1(c) the current state, = ( , , ) is given by the current position p, speed v and acceleration a, which is updated in real-time by the interaction of parallel statechart states, CC, and MUC controlling and monitoring cabin movement along the hoist way. In order to meet the speed specifications, m, posed on the cabin ( Fig.2(d)), we need to determine sufficient conditions that force . to always respect its current MU, satisfying The requirement (c1) expresses that the cabin velocity . does not exceed the desired speed limit . after passing the latest updated end point .
(i.e., . ≥ . ). The . . In addition when model-checking for these properties, the granularity of decomposition products of the statechart can be kept as fine as desired, thus making real quantifier elimination manageable in practice: cf. classical state-space abstraction of CVDS into convex polytopes. This extends our compositional formal verification methodology from DEDS to CVDS.

DIFFERENTIAL DYNAMIC LOGIC FOR RUNTIME VALIDATION
Still using the hybrid augmented Statechart in Fig. 1(c) the current state, = ( , , ) is given by the current position p, speed v and acceleration a, which is updated in real-time by the interaction of parallel statechart states, CC, and MUC controlling and monitoring cabin movement along the hoist way. In order to meet the speed specifications, m, posed on the cabin ( Fig.2(d)), we need to determine sufficient conditions that force . to always respect its current MU, satisfying The requirement (c1) expresses that the cabin velocity . does not exceed the desired speed limit . after passing the latest updated end point .
and . values are determined for the current MU by MUC based on state information received from CC. For example, in tall buildings a high speed cabin needs to reduce the velocity while arriving at designated points close to the destination. Our model captures this by updating the speed component . of MU, , appropriately to achieve the predetermined speed appropriately to achieve the predetermined speed profile. Unlike collision with other trains in the case of high speed train control in ETCS, here the principle issues concern handling the sudden requests for embarkation, debarkation, emergency stoppages, between-level arrests of movement due to failure, malfunctioning of doors and evacuation of a running lift cabin. Depending on the current state of the cabin, the requests are either accommodated or ignored. If accommodated, then a new MU which can satisfy all the pending accommodated requests is computed by MUC and corresponding information shared with CC.
Coming back to the operational mode depicted in Figure 1(c), when user requests are made for upward movement, the CC initiates the relevant upward movement under the current MU. In parallel, the MUC starts its execution. With the user request for upward movement (up_req = on) the following state transitions take place at the CC super-state:

Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems
profile. Unlike collision with other trains in the case of high speed train control in ETCS, here the principle issues concern handling the sudden requests for embarkation, debarkation, emergency stoppages, between-level arrests of movement due to failure, malfunctioning of doors and evacuation of a running lift cabin. Depending on the current state of the cabin, the requests are either accommodated or ignored. If accommodated, then a new MU which can satisfy all the pending accommodated requests is computed by MUC and corresponding information shared with CC.
Coming back to the operational mode depicted in Fig. 1(c) " to ensure correct alignment of the cabin at a given floor. In operation, solving a set of differential equations (Perko L., 2006) is done using real-time clocks with appropriate time steps ∆t. Necessary actual position information to derive the . and . is supplied by the encoder attached to the cabin motor.
The cabin motor control is supervised by the hybrid controller to stay within the performance specification, ensuring stress free and accurate cabin control. Whenever the runtime system parameters deviate due to un-modelled factors or physical system degradation, MUC, provides timely feed-back to CC to do necessary regulation; hence, formally,

MUC and CC being independently distributed hybrid components running in parallel. '∪'
represents nondeterministic choice and '*', repetition. We now make the following claim: Proposition 1. Our HA based formal verification method is compositional, sound and complete relative to first-order logic of differential equations.
the controller enters either ACCLN or DCCLN. Upon arriving at the state CONDITION, brakes have to be applied if Fig. 1(c), when user requests are made for upward movement under the current MU. In ser request for upward movement (up_req = e CC super-state. . The point SB (start braking) is the point at which brake has to be applied, indicated by the action, 'brake' to ensure correct alignment of the cabin at a given floor. In operation, solving a set of differential equations (Perko, 2006) is done using real-time clocks with appropriate time steps ∆t. Necessary actual position information to derive the 13 C initiates the relevant upward movement under the current MU. In ts execution. With the user request for upward movement (up_req = nsitions take place at the CC super-state. is supervised by the hybrid controller to stay within the performance ress free and accurate cabin control. ystem parameters deviate due to un-modelled factors or physical , provides timely feed-back to CC to do necessary regulation; hence, ependently distributed hybrid components running in parallel. '∪' tic choice and '*', repetition. We now make the following claim: sed formal verification method is compositional, sound and complete ic of differential equations.
is supplied by the encoder attached to the cabin motor.
The cabin motor control is supervised by the hybrid controller to stay within the performance specification, ensuring stress free and accurate cabin control. Whenever the runtime system parameters deviate due to un-modelled factors or physical system degradation, MUC provides timely feed-back to CC to do necessary regulation; hence, 13 parallel, the MUC starts its execution. With the user request for upward movement (up_req = on) the following state transitions take place at the CC super-state. " to ensure correct alignment of the cabin at a given floor. In operation, solving a set of differential equations (Perko L., 2006) is done using real-time clocks with appropriate time steps ∆t. Necessary actual position information to derive the . and . is supplied by the encoder attached to the cabin motor.
The cabin motor control is supervised by the hybrid controller to stay within the performance specification, ensuring stress free and accurate cabin control. Whenever the runtime system parameters deviate due to un-modelled factors or physical system degradation, MUC, provides timely feed-back to CC to do necessary regulation; hence, formally,

MUC and CC being independently distributed hybrid components running in parallel. '∪'
represents nondeterministic choice and '*', repetition. We now make the following claim: Proposition 1. Our HA based formal verification method is compositional, sound and complete relative to first-order logic of differential equations. ' represents nondeterministic choice and '*', repetition. We now make the following claim:

MUC and CC being independently
Proposition 1. Our HA -based formal verification method is compositional, sound and complete relative to first-order logic of differential equations.
HA are embedded in a subset of automata representing real actions of this decomposition [see Figure 2 Whereas the discrete-event dynamics are represented by collapsing the embedded HA, the continuous variable dynamics are represented by the interaction of HA distributed among DEDS states.
Since the HA can be translated unambiguously to HP, Platzer's first-order logic of differential equations (FOD) analysis can be directly applied to continuous-variable dynamics embedded in HA to provide a verification complete, relative to FOD (Theorem 2.3 of Platzer, 2010).
Given that dL calculus is sound (Theorem 2.1 of Platzer, 2010), we now have a sound and complete verification system that is compositional and still based on HA. QED This lays the foundation for us to develop the remaining results in this paper.
Getting back to determining sufficient conditions that force 13 upward movement, the CC initiates the relevant upward movement under the current MU. In parallel, the MUC starts its execution. With the user request for upward movement (up_req = on) the following state transitions take place at the CC super-state. " to ensure correct alignment of the cabin at a given floor. In operation, solving a set of differential equations (Perko L., 2006) is done using real-time clocks with appropriate time steps ∆t. Necessary actual position information to derive the . and . is supplied by the encoder attached to the cabin motor.
The cabin motor control is supervised by the hybrid controller to stay within the performance specification, ensuring stress free and accurate cabin control. Whenever the runtime system parameters deviate due to un-modelled factors or physical system degradation, MUC, provides timely feed-back to CC to do necessary regulation; hence, formally,

≡ ( ∪ ) *
MUC and CC being independently distributed hybrid components running in parallel. '∪' represents nondeterministic choice and '*', repetition. We now make the following claim: Proposition 1. Our HA based formal verification method is compositional, sound and complete relative to first-order logic of differential equations.
to always respect (c1), whereas the actual control of components (e.g., motors) is based on detailed models in the verification and parameter discovery process for runtime validation, it is difficult to use highly detailed plant models, and hence, following the approach in Platzer (2010), we approximate plant dynamics by a ranged choice for effective cabin acceleration between its lower and upper bounds, -b and A, respectively: cf. Figure 1(c).
We find constraints that ensure the safety of the system in operation (discrete and continuous invariants) using iterative refinement process of Platzer (2010).
This process is explained on language generator for the state UP [ Figure 2(b)].
The formula F D is found as a discrete invariant of 14 (see Fig.2(b)).
Whereas the discrete-event dynamics are represented by collapsing the embedded HA, the continuous-variable dynamics are represented by the interaction of HA distributed among DEDS states.
Since the HA can be translated unambiguously to HP, Platzer's FOD (first-order logic of differential equations) analysis can be directly applied to continuous-variable dynamics embedded in HA to provide a verification complete relative to FOD (Theorem 2.3 of (Platzer A., 2010).
Given that dL calculus is sound (Theorem 2.1 of (Platzer A., 2010), we now have a sound and complete verification system that is compositional and still based on HA.

QED
This lays the foundation for us to develop the remaining results in this paper.
Getting back to determining sufficient conditions that force . to always respect (c1), whereas the actual control of components (e.g., motors) is based on detailed models, in the verification and parameter discovery process for runtime validation, it is difficult to use highly detailed plant models, and hence, following the approach in (Platzer A., 2010), we approximate plant dynamics by a ranged choice for effective cabin acceleration between its lower and upper bounds, -b and A, respectively: cf. Fig. 1(c). Now we find constraints that ensure safety of the system in operation (discrete and continuous invariants) using iterative refinement process of (Platzer A., 2010).
We will explain this process on language generator for the state UP ( Fig. 2(b)).
The formula FD is found as a discrete invariant of → [ * ]∅, where, for instance, we want to give the safety specification, ∅ =  to be true in all executions, , of the state UP if it is true in the initial state = .
. Here is the coding of the Kripke structure derived from Fig. 2(b).
Whereas the discrete-event dynamics are represented by collapsing the embedded HA, the continuous-variable dynamics are represented by the interaction of HA distributed among DEDS states.
Since the HA can be translated unambiguously to HP, Platzer's FOD (first-order logic of differential equations) analysis can be directly applied to continuous-variable dynamics embedded in HA to provide a verification complete relative to FOD (Theorem 2.3 of (Platzer A., 2010).
Given that dL calculus is sound (Theorem 2.1 of (Platzer A., 2010), we now have a sound and complete verification system that is compositional and still based on HA.

QED
This lays the foundation for us to develop the remaining results in this paper.
Getting back to determining sufficient conditions that force . to always respect (c1), whereas the actual control of components (e.g., motors) is based on detailed models, in the verification and parameter discovery process for runtime validation, it is difficult to use highly detailed plant models, and hence, following the approach in (Platzer A., 2010), we approximate plant dynamics by a ranged choice for effective cabin acceleration between its lower and upper bounds, -b and A, respectively: cf. Fig. 1(c).
Now we find constraints that ensure safety of the system in operation (discrete and continuous invariants) using iterative refinement process of (Platzer A., 2010).
We will explain this process on language generator for the state UP ( Fig. 2(b)).
The formula FD is found as a discrete invariant of → [ * ]∅, where, for instance, we want to give the safety specification, ∅ =  to be true in all executions, , of the state UP if it is true in the initial state = .
. Here is the coding of the Kripke structure derived from Fig. 2(b).
to be true in all executions, 14 DEDS states.
Since the HA can be translated unambiguously to HP, Platzer's FOD (first-order logic of differential equations) analysis can be directly applied to continuous-variable dynamics embedded in HA to provide a verification complete relative to FOD (Theorem 2.3 of (Platzer A., 2010).
Given that dL calculus is sound (Theorem 2.1 of (Platzer A., 2010), we now have a sound and complete verification system that is compositional and still based on HA.

QED
This lays the foundation for us to develop the remaining results in this paper.
Getting back to determining sufficient conditions that force . to always respect (c1), whereas the actual control of components (e.g., motors) is based on detailed models, in the verification and parameter discovery process for runtime validation, it is difficult to use highly detailed plant models, and hence, following the approach in (Platzer A., 2010), we approximate plant dynamics by a ranged choice for effective cabin acceleration between its lower and upper bounds, -b and A, respectively: cf. Fig. 1(c).
Now we find constraints that ensure safety of the system in operation (discrete and continuous invariants) using iterative refinement process of (Platzer A., 2010).
We will explain this process on language generator for the state UP ( Fig. 2(b)).
The formula FD is found as a discrete invariant of → [ * ]∅, where, for instance, we want to give the safety specification, ∅ =  to be true in all executions, , of the state UP if it is true in the initial state = .
. Here is the coding of the Kripke structure derived from Fig. 2(b).
, of the state UP if it is true in the initial state 14 (see Fig.2(b)).
Whereas the discrete-event dynamics are represented by colla continuous-variable dynamics are represented by the interact DEDS states.
Since the HA can be translated unambiguously to HP, Platze differential equations) analysis can be directly applied to embedded in HA to provide a verification complete relative to F A., 2010).
Given that dL calculus is sound (Theorem 2.1 of (Platzer A.,20 complete verification system that is compositional and still base This lays the foundation for us to develop the remaining results Getting back to determining sufficient conditions that force . t the actual control of components (e.g., motors) is based on deta and parameter discovery process for runtime validation, it is d plant models, and hence, following the approach in (Platzer A. dynamics by a ranged choice for effective cabin acceleration bounds, -b and A, respectively: cf. Fig. 1(c). Now we find constraints that ensure safety of the system in oper invariants) using iterative refinement process of (Platzer A.,201 We will explain this process on language generator for the state The formula FD is found as a discrete invariant of → [ * ]∅, w give the safety specification, ∅ =  to be true in all exe is true in the initial state = . . Here is the coding o from Fig. 2(b).
Whereas the discrete-event dynamics are represented by collapsing the embedded HA, the continuous-variable dynamics are represented by the interaction of HA distributed among DEDS states.
Since the HA can be translated unambiguously to HP, Platzer's FOD (first-order logic of differential equations) analysis can be directly applied to continuous-variable dynamics embedded in HA to provide a verification complete relative to FOD (Theorem 2.3 of (Platzer A., 2010).
Given that dL calculus is sound (Theorem 2.1 of (Platzer A., 2010), we now have a sound and complete verification system that is compositional and still based on HA.

QED
This lays the foundation for us to develop the remaining results in this paper.
Getting back to determining sufficient conditions that force . to always respect (c1), whereas the actual control of components (e.g., motors) is based on detailed models, in the verification and parameter discovery process for runtime validation, it is difficult to use highly detailed plant models, and hence, following the approach in (Platzer A., 2010), we approximate plant dynamics by a ranged choice for effective cabin acceleration between its lower and upper bounds, -b and A, respectively: cf. Fig. 1(c).
Now we find constraints that ensure safety of the system in operation (discrete and continuous invariants) using iterative refinement process of (Platzer A., 2010).
We will explain this process on language generator for the state UP ( Fig. 2(b)).
The formula FD is found as a discrete invariant of → [ * ]∅, where, for instance, we want to give the safety specification, ∅ =  to be true in all executions, , of the state UP if it is true in the initial state = .
. Here is the coding of the Kripke structure derived from Fig. 2(b).
is the coding of the Kripke structure derived from Figure 2(b).
Using discrete induction to find F D : F D is a discrete invariant of FD is sufficiently strong if � → ∅ is valid.     FD is sufficiently strong if � → ∅ is valid. FD is sufficiently strong if � → ∅ is valid. FD is sufficiently strong if � → ∅ is valid.
FD can be obtained as � ≥ 0, where � is the actual motor speed in ca The state '3' (UP_ON) in Fig.2(b) corresponds to the state UP_ON in F hybrid automaton in the latter gets embedded in the former. Let 'CONTINUOUS' in Fig.1(c).
The formula FDif is found as a continuous invariant of → [ ˄ ]∅, w want to give the safety specification as ∅ = ( . ≥ .
As in the discrete case, FDif is sufficiently strong if ��� → ∅ is valid.
Here, = ( ) defines the domain of continuous varia differential equations, is the actual motor speed in cabin upward motion. FD is sufficiently strong if � → ∅ is valid.
FD can be obtained as � ≥ 0, where � is the actual motor speed in cabin upward motion.
The state '3' (UP_ON) in Fig.2(b) corresponds to the state UP_ON in Fig.1(c), and hence the hybrid automaton in the latter gets embedded in the former. Let us consider the state 'CONTINUOUS' in Fig.1(c).
As in the discrete case, FDif is sufficiently strong if ��� → ∅ is valid.
Here, = ( ) defines the domain of continuous variation and is the set of differential equations, , when, for instance, we want to give the safety specification as FD is sufficiently strong if � → ∅ is valid.
FD can be obtained as � ≥ 0, where � is the actual motor speed in cabin up The state '3' (UP_ON) in Fig.2(b) corresponds to the state UP_ON in Fig.1(c hybrid automaton in the latter gets embedded in the former. Let us co 'CONTINUOUS' in Fig.1(c). FD is sufficiently strong if � → ∅ is valid.
FD can be obtained as � ≥ 0, where � is the actual motor speed in cabin upward motion.
The state '3' (UP_ON) in Fig.2(b) corresponds to the state UP_ON in Fig.1(c), and hence the hybrid automaton in the latter gets embedded in the former. Let us consider the state 'CONTINUOUS' in Fig.1(c).
As in the discrete case, FDif is sufficiently strong if ��� → ∅ is valid.
Here, = ( ) defines the domain of continuous variation and is the set of differential equations, , if the following formulas are valid: Journal of the National Science Foundation of Sri Lanka 47 (4) December 2019 1.
As in the discrete case, FDif is sufficiently strong if ��� → ∅ is valid.
During runtime, the relevant parameter values are fitted into the invariants, FD and FDif, to perform an automatic validation of the verification proof.

IV COMPOSITIONALITY OF MODULAR X-IN-THE-LOOP (XIL) TESTING
Our architecture permits both function based decomposition (subsystems in plant control: cabin movements, cabin door movements, plant inputs, displays etc.) and abstraction based (initialisation) and 2.
As in the discrete case, FDif is sufficiently strong if ��� → ∅ is valid.
During runtime, the relevant parameter values are fitted into the invariants, FD and FDif, to perform an automatic validation of the verification proof.

IV COMPOSITIONALITY OF MODULAR X-IN-THE-LOOP (XIL) TESTING
Our architecture permits both function based decomposition (subsystems in plant control: cabin movements, cabin door movements, plant inputs, displays etc.) and abstraction based (induction step). Here, 15 'CONTINUOUS' in Fig.1(c).
As in the discrete case, FDif is sufficiently strong if ��� → ∅ is valid.
During runtime, the relevant parameter values are fitted into the invariants, FD and FDif, to perform an automatic validation of the verification proof.

IV COMPOSITIONALITY OF MODULAR X-IN-THE-LOOP (XIL) TESTING
Our architecture permits both function based decomposition (subsystems in plant control: cabin movements, cabin door movements, plant inputs, displays etc.) and abstraction based defines the domain of continuous variation and D is the set of differential equations, 15 ton in the latter gets embedded in the former. Let us consider the state S' in Fig.1(c).
e, the relevant parameter values are fitted into the invariants, FD and FDif, to omatic validation of the verification proof.

POSITIONALITY OF MODULAR X-IN-THE-LOOP (XIL) TESTING
re permits both function based decomposition (subsystems in plant control: cabin abin door movements, plant inputs, displays etc.) and abstraction based The differential saturation algorithm of Platzer et al. (2009) is used to progressively refine the domain, H, by differential invariants, 15 hybrid automaton in the latter gets embedded in the former. Let us consider the state 'CONTINUOUS' in Fig.1(c).
As in the discrete case, FDif is sufficiently strong if ��� → ∅ is valid.
During runtime, the relevant parameter values are fitted into the invariants, FD and FDif, to perform an automatic validation of the verification proof.

IV COMPOSITIONALITY OF MODULAR X-IN-THE-LOOP (XIL) TESTING
Our architecture permits both function based decomposition (subsystems in plant control: cabin movements, cabin door movements, plant inputs, displays etc.) and abstraction based becomes itself an invariant strong enough (reaches a fixed point, 15 ' (UP_ON) in Fig.2(b) corresponds to the state UP_ON in Fig.1(c), and hence the omaton in the latter gets embedded in the former. Let us consider the state OUS' in Fig.1(c). . ′ = . ; . ′ = ; .  0.

Compositionality of modular X-in-the-loop (XiL) testing
Our architecture permits both function -based decomposition (subsystems in plant control: cabin movements, cabin door movements, plant inputs, displays, etc.) and abstraction -based decomposition (Vidanapathirana et al., 2013), thus facilitating modular integration testing in addition to function -based (XiL) testing performed separately, if compositionality can be proven. We now demonstrate the compositionality and soundness of modular tests, and that they are complete relative to coverage objectives.

A. Modularity and compositionality of tests
Observation 1: Modular HiL tests were done for an FPGA, which carried the complete controller for elevator operations: interfacing necessary for the tests was done by selecting only the relevant input/output ports of the module concerned, as different from testing an isolated control module (ECU) implemented on dedicated hardware.
Observation 2: Real-time simulation was done by selecting the inputs/outputs for the relevant module on a complete plant simulator; not for a separate module.
Now we make the claim on compositionality of our modular tests.
Proposition 2: The control modules implemented on the system controller can be tested compositionally.
Proof: Event communication protocols between adjacent FSA in the semantics preserving translation of statecharts to a set of communicating FSA have been modelled as port automata in Dewasurendra (1986); Each FSA composed of prioritised synchronous composition with its respective port structures constitute a component in the decomposition. They can in turn be composed to retrieve the original statechart. Hence, the components are compositional in their semantics.
We have formally verified the system controller of our target system using a compositional modular verification methodology developed for the MoC used (Dewasurendra, 2006(Dewasurendra, , 2013Vidanapathirana, 2019).
Hence observations 1 and 2 above permit to conclude that the tests are in fact compositional under the same assumptions made in specifying and verifying the system control model using the MoC of choice.

B. Soundness and completeness of tests
Proposition 3: Our HA -based test generation method is compositional, sound and complete relative to first-order logic of differential equations.

Proof:
By Proposition 1 in the previous section, our HA based formal verification method is compositional, sound and complete relative to first-order logic of differential equations.
Case 1: Tests for discrete dynamics Following Ferrante et al. (2016), we run NuSMV (Cimatti et al., 2015) programmes of language generators resulting from our statechart decomposition (after collapsing embedded HA) against negations of CTL (Harel, 1979) formulas representing individual test objectives (criteria) to generate counter-examples that become tests covering required test criteria, thereby overcoming the limitations of directly translating statecharts as input for algorithms 1 and 2 of Ferrante et al., (2016).
Tests are sound because the verification based on these models is sound.
Since the decomposition products can be brought down as close as desired to basic states, the counter-examples are guaranteed to be found in finite runs of NuSMV.
Hence, the tests are guaranteed to be complete by coverage criteria.
Case 2: Tests for continuous dynamics In this case we generate tests by translating the HA we extract from language generators [e.g., Figure 2(b)] into the input language HYDI (an extension of the language of NuSMV) of the model checker HYCOMP (Cimatti et al., 2015). The rest of the process is parallel to that of Case 1 and the proof follows the same arguments therein.

QED
In order to conduct CHS research, a prototype passenger elevator with 150 Kg payload was built inside the laboratory . Essential operational and safety mechanisms were integrated to the elevator, with sensors and actuators that are invoked in different operational modes and a number of interacting sub systems operating in parallel to make it sufficiently complex, yet simple enough to serve as a test-bed.
We will now give details of configuring hardware-in the-loop tests (Dufor et al., 2005) for integration with V&V on this test-bed.

Configuring hardware-in-the-loop (HiL) tests for integration with V&V
Elevator controller modelled using statecharts in Matlab/Simulink/Stateflow was converted to equivalent HDL code Verilog and implemented in Xilinx Spartan 3AN FPGA (ECU)  with 3.6 V DC i/o interface circuits. For HiL tests the ECU was wired to receive user inputs and dSPACE hardware signals: interface circuits were used between ECU and dSPACE hardware platforms to achieve electrical isolation and voltage level shifting.
HiL testing (Dufor et al., 2005) requires physical connections between the ECU and the simulated plant to ensure that communication with the ECU is the same as in real system. The decomposition of Simulink/ Stateflow control specification of the system done for compositional formal verification  helped in configuring compositional HiL tests: to compile build and simulate in real-time only a part of the system model at a time and isolating the inputs and outputs corresponding to the module being tested (the cabin module) from the complete system controller (implemented on the ECU).
The passenger cabin is driven by a three-phase induction-motor. Dynamic models of the cabin motor, the inverter based speed/torque control system and the floor sensor operation in the elevator were implemented in Matlab/Simullink with real-time workshop using a fixed time step and uploaded to the TMS 320F DSP processor -based dSPACE platform as the plant model.
Matlab/Simulink/dSPACE and Controldesk software running on a PC were connected to the dSPACE hardware for online monitoring and regulation of realtime simulations.

A. Test generation using NuSMV
The tests for required test coverage criteria were generated using the process described earlier as follows: Case 1: Test for discrete dynamics: Consider state coverage criterion with respect to the 'UP' language generator [ Figure 3(b)] for discrete dynamics: for each state 'S i ' of 'UP', ∃ at least one run covering S i . Let S i = <UP_OFF>, which corresponds to responding to a stop request made while the cabin is moving up.
The Kripke structure (which is used as input format to model-checker NuSMV) corresponding to 'UP' has a run covering 'S i ' if (i) the state 'S i ' is reachable from the initial state, 'UP_ Idle' and (ii) ∃ a state 'S j ' which is reachable from 'S i ', at which 'stable' is satisfied. This is expressed in the CTL formula, EF(reachable(S i )˄EF stable).
We proceed now to translate 'UP' to a NuSMV programme and then run it against (¬EF(reachable(S i ) ˄EF stable)).
Then a counter example is generated, which serves as a sound test sequence for the coverage criterion considered.
Since we only convert to NuSMV programmes, individual language generators (finite automata) resulting from our decomposition, which are several degrees of magnitude smaller in size and complexity than the parent statechart, the counter examples would always be found Journal of the National Science Foundation of Sri Lanka 47 (4) December 2019 in a finite run, hence our method of test generation is complete (by the coverage criteria).

Case 2: Test for continuous dynamics
The development is similar to the discrete case, except that UP language generator augmented with continuous dynamics to make it a HA, as explained earlier.
We then translate the resulting 'UP hybrid ' to an HYDI programme and run it against the negation of c1, (), to generate a counter example that serves as a test sequence.
While running the tests, plant control parameters inside dSPACE real-time simulation were examined using dSPACE Control desk software running in PC. The real-time simulation was controlled through online adjustment of motor parameters using the same.
A fixed time step was required for the real-time simulation on dSPACE hardware platform. Overrun situations for the processor could arise when the allowed time gap is not adequate for the execution of a complete programme cycle and updating the data registers. Larger time steps may not clearly describe the plant dynamics.
We selected 1 ms time step for the plant simulations after trying 0.2, 0.4, 0.6, 0.8, 1.0, 2.0, 3.0 and 4.0 ms. This choice had to be compatible with the permitted reaction latency, ϵ, in Figure 1(c).

Induction-motor dynamic model
To analyse variable speed drives, a dynamic motor model was developed using 'space vector' analysis (Ogbuka 2009;Shah et al., 2012). For fast dynamic response, precise speed regulation and good dynamic performance, field oriented control was used for the cabin (induction) motor (Ogbuka, 2009;Vidanapathirana et al., 2013).
Details of Matlab/Simulink model for IM vector control drive, speed controller design and current controller design, are given in Vidanapathirana (2019).
When the cabin moves along the elevator shaft, respective floor sensors give control signals to the controller.
The motor shaft rotational angle, θ f , required to travel a linear distance between two adjacent floors for the prototype elevator, was computed as 10,085 deg.
The speed reference input to the controller for a linear distance between two adjacent floors is shown in Figure 3 For speed regulation, maximum motor speed was set to 100 rad/s to achieve a linear speed for the cabin; acceleration and deceleration were set at 8.9 rad/sec 2 .

Runtime Validation and Hardware in the Loop (HiL) Testing of Complex Hybrid Systems
While running the tests, plant control parameters inside dSPACE real-time simulation were examined using dSPACE Control desk software running in PC. The real-time simulation was controlled through online adjustment of motor parameters using the same.
A fixed time step was required for the real-time simulation on dSPACE hardware platform.
Overrun situations for the processor could arise when allowed time gap is not adequate for the execution of a complete program cycle and updating the data registers. Larger time steps may not clearly describe the plant dynamics. We selected 1ms time step for the plant simulations after trying 0.2, 0.4,0.6, 0.8, 1.0, 2.0, 3.0 and 4.0 ms. This choice had to be compatible with the permitted reaction latency, , in Fig. 1(c).

VI. INDUCTION-MOTOR DYNAMIC MODEL
To analyse variable speed drives, a dynamic motor model was developed using "space vector"

HiL test results
During testing, an arbitrary load torque was applied to the motor during cabin upward movement. Reference inputs were the passenger car speed, acceleration and deceleration. Variation of key system parameters during the test are shown in Figures 4 (a) to (f).
The test results revealed that the actual speed followed the reference speed closely; so did the load torque and the generated torque as shown in Figures 4(e) and (f).
In comparison to HiL tests, for MiL tests (Vidanapathirana et al., 2013) both ECU and plant models were implemented in Matlab/Simulink: simulation parameters could be selected with a greater degree of liberty and time step could be either variable or fixed, variable time steps giving a faster simulation.

Rectifying implementation level faults
Formal verification confirmed logical conformity to specifications, HiL tests validated the verification, but the observed behaviour in the controlled elevator plant at the implementation level differed sharply from specifications.
Avoiding a detailed examination of the installed software/hardware logic, focus shifted quickly to electrical/electronic installation.
An EMI problem was discovered: FPGA inputs rated at 3.6 V DC are sensitive even for electrical interferences as small as 0.5 ~ 1 V DC. The 24 V DC power lines and 3.3 V DC FPGA control lines were in close proximity. When the 24 V DC relays used to step-down the sensor voltage to 3.6 V DC and activate FPGA input ports were switched on and off, electrical interference caused spurious outputs from the FPGA, producing erratic behaviour.
The 24 V DC relays were replaced by an optical trigger circuit with electrical isolation. FPGA control signal wiring was rearranged by minimising the effect from the power lines. FPGA control wiring was replaced by shielded fieldbus cables with adequate grounding to overcome electrical interference. This corrected the EMI problem.
This would have been discovered in power-HiL tests. This also justifies runtime validation for monitoring crucial system properties (closed-loop stability, robustness margins, or underlying theoretical assumptions), violation of which could compromise safety of operation in CHS.

CONCLUSION
A compositional model-based strategy for designing and maintaining correct-by-design controllers for CHS was developed and demonstrated. The complexity of the design, formal verification, test design, testing and runtime validation has been reduced to levels usable in industrial practice by providing a problem decomposition that permits the full exploitation of parallelism inherent in the physical system, thus enabling concurrent computation. Soundness of the strategy is maintained by using consistent formal models at each stage and completeness of solutions relative to the specifications is guaranteed up to the levels of abstraction used. t_pf While car is moving up it is stopped at a given floor due to a stop request  With minimal additional work, system parameters for degraded performance could be computed based on an online simulation of the currently configured system as in (Vinczea et al., 2006;Pugi, 2007), or using the runtime validation system as an online monitoring system (Davydov and Keyno 2016).