Automated Verification of Standalone Solar Photovoltaic Systems
Abstract
With declining costs and increasing performance, the deployment of renewable energy systems is growing faster. Particular attention is given to standalone solar photovoltaic systems in rural areas or where grid extension is unfeasible. Tools to evaluate electrification projects are available, but they are based on simulations that do not cover all aspects of the design space. Automated verification using model checking has proven to be an effective technique for program verification. This paper marks the first application of software model checking to formally verify the design of a standalone solar photovoltaic system including solar panel, charge controller, battery, inverter, and electric load. Case studies, from real photovoltaic systems deployed in five different sites, ranging from 700 W to 1,200 W, were used to evaluate the proposed approach and to compare it with specialized simulation tools. Data from practical applications show the effectiveness of our approach, where specific conditions that lead to failures in a photovoltaic solar system are only detected by our automated verification method.
I Introduction
According to Coelho et al. [1], there are presently 1.3 billion people with no access to electricity worldwide. Only a niche market a few years ago, solar photovoltaic (PV) systems are now becoming a mainstream electricity provider. There was an increase of approximately 50% from 2016 to 2017 in terms of new installations of PV all over the world [2]. That scenario brings the need for design validation – ensuring the correctness of the design at the earliest stages – which is a major challenge in any responsible system development process, and the activities intended for its solution occupy an ever-increasing portion of the development cycle cost and time budgets [3].
In order to model, simulate, or evaluate a PV system, there are a myriad of specialized tools available in the market such as RETScreen, HOMER, PVWatts, SAM, and Hybrid2 [4, 5, 6, 7, 8]; and even general purpose simulation tools such as PSpice, Saber, or MATLAB/Simulink package [9, 10]. However, those tools are based on running experiments in simulation models. Simulation has the advantage of being cheap (compared to testing real systems) and can be employed before the system design is concluded, but it has the drawback of incomplete coverage, since verifying all possible combinations and potential failures of a system is rarely possible, or even unfeasible, in practice [3].
Formal methods based on model checking offer a great potential to obtain a more effective and faster verification in the design process [3]. Any kind of system can be specified as computer programs using mathematical logic, which constitutes the intended (correct) behavior; then, one can try to give a formal proof or otherwise establish that the program meets its specification. User or project requirements can be added during the creation of the formal model to be verified. Model checking algorithms can then verify the system model by systematically exploring all its states to check whether the requirements are met by the given system. In this study, a mathematical model of each component of a standalone PV system (solar panel, charge controller, batteries, inverter, and electrical load) is created. The behavior of each system component can be analyzed and observed with the support of those formal models, as a joint operation of the components, which in this case represents the operation of the solar PV system itself. A key benefit of this approach is that it helps in the detection of flaws in the design phase of system development, thereby considerably improving system reliability [11].
Related to solar PV systems, the project requirements, such as battery autonomy and power demand, as well as weather conditions, such as solar irradiance and ambient temperature, are translated into part of the computer program and automatically verified during the formal process. The model checking tool reports under which conditions a system does not meet the user requirements or whether it will fail due to weather conditions, which helps to improve the project itself. The implementation of the proposed tool is carried out by means of the efficient SMT-based bounded model checker (ESBMC) [12], which allows one to incrementally verify a PV system as an imperative program using a fragment of decidable first-order theories [13].
In prior studies, the evaluation of PV systems w.r.t. user requirements was performed by software simulation tools using MATLAB/Simulink [10, 14, 15], or HOMER Pro [16]. Some related studies were carried out toward the formal modeling of power smart grids [11] and to maximize the power point of solar panels [17]; however, those studies do not perform automated formal verification and they restrict themselves to solar panels or smart grids. In addition, recent research that applies formal verification to solar energy has attempted to formalize and implement a formal study of a large population of PV panels, where the focus has been on the modeling of the dynamics of PV panels and their interaction with the grid, without batteries [18]; or to model a PV system in Modelica, to verify the maximum power point of solar panels with the use of the Jmodelica tool [19]. Both studies are restricted to PV panels, and do not include batteries, inverters, and charge controllers.
Given the current knowledge in formal verification, this is the first study to apply a formal verification technique to formally check the design of a standalone solar PV system. In summary, this paper makes three original contributions. Firstly, we describe a modular modeling of each component of a PV system by means of mathematical models that can be encoded into fragments of first-order theories supported by software model checkers. Secondly, we propose an automated verification method that formally checks the design of a given PV system using incremental model checking based on Satisfiability Modulo Theories (SMT). Thirdly, experimental results show that this proposed approach can find subtle design errors in PV systems, which are not easily detected by other state-of-the-art approaches based on simulation.
Outline. Section II gives the background about solar PV systems, design and validation of PV systems, and the mathematical modeling. Section III presents the automated verification technique. The methodology is presented in section IV. Section V is devoted to the results. Section VI presents the conclusion and describes future work.
II Solar Photovoltaic System
PV systems are classified into three distinct types [20]: (1) standalone systems, where the energy is generated and consumed in the same place and which do not interact with the main grid; (2) grid-connected systems; and (3) solar PV hybrid system. Specifically for the energy needed for remote rural areas of developing countries or places where the grid extension is not possible or even feasible, the most suitable configuration is the regulated standalone system with battery and AC load; this configuration is the focus of this study.
II-A Design and Simulation of Solar PV systems
In order to address different aspects of the PV system design, there are various software tools available in the literature [21, 22]. The capabilities of those tools range from simple solar resource and energy production estimation, to complex financial analysis and project optimization. Here we evaluated the most popular ones: PVWatts, SAM, HOMER, RETScreen, and Hybrid2 [4, 5, 6, 7, 8].
Table I summarizes the off-the-shelf tools employed here, where only Hybrid2 does not have technical support; HOMER and Hybrid2 perform off-grid system or battery backup analysis. Additionally, HOMER and RETScreen include economical analysis or even optimization-sensitive analysis. RETScreen and HOMER have a free web-based version, but they have limited resources since they do not allow us to save the PV projects or even upload data from manufacturers. However, the commercial versions of those tools, called RETScreen Expert and HOMER Pro, are available only for Microsoft Windows, and the annual subscription typically ranges from US$504.00 to US$657.00.
Characteristic  PVWatts  SAM  HOMER  RETScreen  Hybrid2
Support  X  X  X  X  
Off-grid systems  X  X  X  
Hybrid systems  X  X  X  
Photovoltaics  X  X  X  X  X  
Batteries  X  X  

T  T  E  E  T  
Optimization  X  X  
Sensitive analysis  X  X 
In this study, only HOMER remains for a comparative evaluation with our proposed verification approach. Thus, the main challenge here is to demonstrate the application of software model checking to formally verify a standalone PV solution, thus proving that this approach is more effective and complete than other state-of-the-art tools such as HOMER Pro. The comparative evaluation between HOMER Pro and our approach is presented in Section V-C.
II-B Component models for a standalone PV system
The mathematical modeling of the PV system is based on modular blocks, as illustrated in Fig.1. It identifies the PV generator, batteries, charge controller, inverter, and AC load.
The PV generator, which can be a panel or an array, is a semiconductor device that can convert solar energy into DC electricity. In Fig.1, there are two variables that depend on the site where the system is deployed and the weather (i.e., solar irradiance and temperature ). For night hours or rainy days, we need to hold batteries, where power can be stored and used. The use of a battery as a storage form implies the presence of a charge controller [23, 24]. The PV arrays produce DC and therefore when the PV system contains an AC load, a DC/AC conversion is required. That converter is called an inverter; and the AC load dictates the behavior of AC electrical load from the house that will be fed by the system.
II-C PV generator model
The performance of PV systems is usually studied using an equivalent circuit model [25, 26, 24], which consists of a current source with one or two diodes connected in parallel, and up to two resistors, one connected in parallel and the other one in series, to take into account energy losses in this model [27].
The 1-diode model, illustrated in Fig. 2, whose equation relates the output current, , to the output voltage, , is described by Eq. (1):
(1) 
where is the photocurrent delivered by the constant current source; is the reverse saturation current corresponding to the diode; is the number of series-connected cells ( in a single cell configuration); is the ideality factor (or quality factor) that takes into account the deviation of the diodes from the Shockley diffusion theory ( for ideal diodes and between and for real diodes); is the thermal voltage (); is the Boltzmann constant (); the temperature of the p-n junction (or cell temperature) in Kelvin; is absolute value of the electron’s charge ().
The simplified 1-diode model has demonstrated a small error rate, between 0.03% and 4.68%, for the selected PV panels tested [26]. In addition, this mathematical modeling has the advantage of being an explicit model, which does not use iterative numerical calculation, which is computationally time-consuming [27]. Eq. (1) is used to express currents and voltages at each key point of the characteristic curve of a PV cell [28]. The voltage and the current at the maximum power point tracking (MPPT), can be described by Equations (2), (3), and (4) as follows [26]:
(2) 
(3) 
(4) 
However, the photocurrent delivered by the constant current source () or even the reverse saturation current () are not given by PV manufacturers. Therefore, Eq. (5) is used to calculate the photocurrent as function of irradiance and temperature [28]:
(5) 
where the reference state (STC) of the cell is given by the solar irradiance and the temperature ; is the short-circuit current temperature coefficient () (provided by PV manufacturers). can be approximated to the reference short-circuit current [29] that is provided by PV manufacturers (). The cell temperature () is described by Eq. 6 [30]:
(6) 
where is the ambient temperature, is the nominal operating cell temperature (in °C) that is found at the PV manufacturer’s datasheet [30], and is the solar irradiance () of the place where the PV system is deployed.
Furthermore, Eq. (7) permits the saturation current () to be expressed as a function of the cell temperature as [28]
(7) 
where is the reference open-circuit voltage and is an open-circuit voltage temperature coefficient ().
Using the maximum power point current (cf. Eq. (4)) and the saturation current in the reference temperature given by Eq. (7), the diode ideality factor is determined by Eq. (8):
(8) 
where , , , and are key cell values obtained under both actual cell temperature and solar irradiance conditions, usually provided by manufacturers; the PV generator model is now completely determined.
In addition to the model verification performed by the proposed technique, there is the prior stage of PV system sizing check, based on manufacturer’s data and information from the sizing and the site; this stage ensures that the system meets its specification, thereby considering the standard project steps [31]. Firstly, we need to correct the energy consumption estimated to the load (), which is carried out by Eq. (9) [31], where the efficiency of batteries (), controller (), and the inverter () are considered as
(9) 
The total minimum number of needed solar panels () is computed by Eq. (10) and the check is performed using Eq. (11), where the sized number of panels () must be greater than the result from Eq. (10).
(10) 
(11) 
Particularly, the total number of panels in series () and parallel () are given by (12) and (13), respectively. With the check performed by (14) and (15), is the DC voltage of the bus, normally , or V.
(12) 
(13) 
(14) 
(15) 
II-D The Battery Storage Model
Various models have been described in the literature and the most common ones are based on lead-acid batteries [32, 33, 31]; that kind of battery has relatively low cost and wide availability [32]. Here, the model adopted uses only manufacturer’s data without empirical tests [32]. The discharge voltage equation is described by (16) as
(16) 
where means 10h of rated capacity, which is standard on the manufacturer’s datasheet, is temperature variation (, ), or state of charge indicates how much electric charge is stored in the cell at a given time. Mathematically, it is the ratio between the present capacity and the nominal capacity (in , provided by manufacturer). If , then the battery is totally charged; and if , then the battery is fully discharged. The depth of discharge () or the fraction of discharge, is .
For the charging process, however, the parameters are described by Eq. (17) as
(17) 
Note that SOC can be calculated easily at any point during the discharge period, thereby considering the current drained from batteries during a certain time period. In addition to the model verification, there is also the prior stage of project sizing check, as performed for the solar panel. Firstly we define the total capacity of the battery bank, as described by Eq. (18) as
(18) 
where the variable is a design definition and normally has a value ranging from to h; the other variables were discussed previously in Sections II-C and II-D. Secondly, the total (minimum) number of batteries is computed, as described by Eq. (19). Additionally, Eq. (20) performs the final sizing check, thus considering the number of batteries in series () and the number of batteries in parallel () that are established for the project.
(19) 
(20) 
II-E Charge Controller Model
In general, there are two main operating modes for the controller [22]: normal operating condition, when the battery voltage fluctuates between maximum and minimum voltages; and overcharge or overdischarge conditions, which occur when the battery voltage reaches some critical values.
To protect the battery against an excessive charge, the PV arrays are disconnected from the system, when the terminal voltage increases above a certain threshold and when the current required by the load is less than the current delivered by the PV arrays [23]. PV arrays are connected again when the terminal voltage decreases below a certain value . In order to protect the battery against excessive discharge, the load is disconnected when the terminal voltage falls below a certain threshold and when the current required by the load is larger than the current delivered by the PV arrays [23]. The load is reconnected to the system, when the terminal voltage is above a certain value . The steps in the modeling of the controller process are summarized in Table II.
Step  Constraint  Command  
(1) 



(2) 



(3) 



(4) 


The output power () of DC-DC converter is given by Eq. (21) as
(21) 
Assuming that the efficiency of the controller () is a manufacturer’s data, from Eq. (21) we compute Eq. (22) as
(22) 
where is the voltage across the PV array, is the output current of PV array, is the DC bus voltage, and is the output current from the converter.
Once again, some steps must be carried out to check the sizing of the controller prior to the verification phase. Initially, the controller must meet the voltage requirement of the PV system, as described by Eq. (23):
(23) 
Next, the short-circuit reference information from the manufacturer’s solar panel must be corrected to the cell temperature, as described by Eq. (24):
(24) 
(26) 
II-F The inverter model
The role of the inverter is to keep the voltage constant on the AC side, i.e., at the rated voltage, and to convert the input power into the output power with the best possible efficiency as described by Eq. (27) [23]:
(27) 
where is the current required by the inverter from the DC source to be able to keep the rated voltage on the AC side, is the input voltage to the inverter delivered by the DC source (PV panel or battery), and are the output voltage and current, respectively, and can be obtained from the inverter’s datasheet.
The sizing project check of the inverter is carried out by means of three equations. Eq. (28) ensures that the input voltage of the controller meets the system voltage. Eq. (29) ensures that the output voltage of the controller meets the AC voltage of the load. Finally, Eq. (30) ensures that the controller can support the total demand of the load and the surge power.
(28) 
(29) 
(30) 
III Automated Verification Using Model Checking
Validation is the process of determining whether a design meets the user requirements, whereas verification is the process of determining whether a design meets a set of requirements, specifications, and regulations [3]. If the requirements, specifications, and regulations are given in a formal language, then it may be possible to automate the verification process, thus resulting in a process known as formal verification. Verification may form part of a validation process. While simulation and testing explore some of the possible behaviors and scenarios of the system, leaving open the question of whether the unexplored trajectories may contain a flaw, formal verification conducts an exhaustive exploration of all possible behaviors. Thus, when a design is pronounced correct by a formal verification method, it implies that all behaviors have been explored, and the questions of adequate coverage or a missed behavior become irrelevant [34].
Formal verification is a systematic approach that applies mathematical reasoning to obtain guarantees about the correctness of a system [35]; one successful method in this domain is model checking [34]. The process of model checking can be split into three main components: modeling, specification, and verification method. In modeling, a model (normally mathematical) of the system is created; in specification, normally a list of properties to be satisfied by the system is established, i.e., the requirements, normally expressed in a temporal logic form (e.g., CTL or LTL). The model checking algorithm can be described as [3]:

Given the model and a CTL (or LTL) formula as input;

Model checking algorithm provides all the states of model which satisfies ;

It returns YES if is TRUE, or returns NO if is FALSE.
Specifically for the FALSE verification result, the algorithm returns a counterexample (i.e., a sequence of states that leads to a property violation), which is useful as diagnostic of the system to discover in which situation the model is violated; this is the most important advantage of the use of model checking [3]. Fig. 3 shows the process to convert a real PV system to a model to be verified by a model checking procedure.
However, model checking has one main disadvantage: the state explosion problem. In order to tackle this problem, many different techniques were developed in the last decades. One of the first major advances was symbolic model checking with binary decision diagrams (BDDs). In this approach, a set of states is represented by a BDD instead of by listing each state individually, which is often exponentially smaller in practice. Another promising approach to overcome the state explosion problem is Bounded Model Checking (BMC) [37]. BMC is a method that checks a model up to a given bound on the path length. BMC algorithms traverse a finite state machine for a fixed number of steps, , and check whether a property violation occurs within this bound. It uses Boolean Satisfiability (SAT) or Satisfiability Modulo Theories (SMT) solvers to check the generated formula from BMC.
The SAT problem is the problem of determining whether there are certain conditions or interpretations that satisfy a given Boolean expression [3]. SMT decides the satisfiability of a fragment of first-order formulae using a combination of different background theories and thus generalizes SAT by supporting uninterpreted functions, linear and nonlinear arithmetic, bit-vectors, tuples, arrays, and other decidable first-order theories [3]. The SAT or SMT solvers search the model for conditions (value of variables) that make the formula satisfiable. If a SAT or SMT solver finds a substitution for the formula/function then the substitute induces a counterexample and is said to be satisfiable, i.e., it is satisfiable iff the verified system contains errors. ESBMC is one of the most representative bounded model checkers for embedded C/C++ software based on SMT solvers [12]. ESBMC comes as an alternative to overcome limitations of the system modeling, especially considering that the system complexity is increasing and SMT has richer theories than SAT to represent models.
III-A ESBMC
ESBMC (or Efficient SMT-based Bounded Model Checker) is an open source, permissively licensed (Apache 2), cross-platform bounded model checker for C and C++ programs [12], which supports the verification of LTL properties with bounded traces [36]. ESBMC’s verification flow can be summarized in three stages: (i) a frontend that can read and compile C/C++ code, where the formal specification of the system to be verified is first handled; (ii) preprocessing steps to deal with the representation of the code, control flow and unwinding of loops, and the model simplification, thereby aiming to reduce the verification effort; and finally (iii) the SMT solving stage, where all the constraints and properties of the system to be verified are encoded into SMT and checked for satisfiability. If the SMT formula is shown to be satisfiable (SAT), a counterexample is presented; otherwise, the formula is unsatisfiable (UNSAT), i.e., there are no errors up to the given unwinding bound.
ESBMC exploits the standardized input language of SMT solvers (SMT-LIB logic format, http://smtlib.cs.uiowa.edu/) to make use of a resource called assertion stack. An assertion, in SMT solvers, is a constraint over the variables in a formula that must hold if the formula is satisfiable [38]. New assertions can be added to or old assertions removed from this stack, depending on the evaluated value of variables. This enables ESBMC, and the respective solver, to learn from previous checks, optimizing the search procedure and potentially eliminating a large amount of formula state space to be searched, because it solves and disregards data during the process, incrementally. This technique is called “incremental SMT” [39] and allows us to reduce the memory overhead, mainly when the verified system is complex and the computing platform does not have a large amount of memory to deal with all the design space state.
IV Model Checking Standalone Solar Photovoltaic Systems
The flowchart of the proposed automated verification method is illustrated in Fig. 4. In Step 1, the PV input data (e.g., load power demand and load energy consumption) and the formulae to check the sizing project, the mathematical model, the limits of the weather nondeterministic variables, are all written as an ANSI-C code [40]. In Step 2, the sizing check of the PV system takes place to make sure that the components were selected according to the recognized design standards [31].
In Step 3, weather variables (e.g., solar irradiance and ambient temperature) will be systematically explored by our verification engine based on maximum and minimum values from the site, where the PV system will be deployed. In addition, depending on one of the desired properties of the system such as battery autonomy, energy availability, or even system power supply, our verification engine is able to indicate a failure if those properties are not met; in this particular case, it provides a diagnostic counterexample that shows in which conditions the property violation occurred.
In a nutshell, ESBMC will process the ANSI-C code with constraints and properties from the PV system that are provided by the user, and the tool will automatically verify if the PV system requirements are met. If it returns a failure (i.e., SAT), then the tool provides a counterexample, i.e., a sequence of states that leads to the property violation; this information can be used as a feedback to improve the PV system design. However, if the verification succeeds (i.e., UNSAT), there is no failure up to the bound ; therefore, the PV system will present its intended behavior up to the bound , i.e., our verification engine does not give any guarantee that there is no error in bound unless some induction method is employed [41].
Algorithm 1 describes the pseudocode used to perform the automated verification. Line 1 indicates a function call that performs the size checking of the entire PV system: using Equations (10), (11), (12), (14), (15), and (13) to verify the PV panel; using (18), (19), and (20) to verify the batteries; using (23), (25), and (26) to verify the charge controller; and using (28), (29), and (30) to verify the inverter. The verification is carried out by the assert macro from the ANSI-C programming language to encode each equation above. The argument to the assert statement must be true if the system specification is met; otherwise, the program aborts and prints a counterexample indicating a property violation. If there is no property violation, then the verification algorithm continues and the batteries are assumed to have SOC of 80% (Line 5).
Information related to average temperature () and solar irradiance (), annual maximum and minimum, is given to the algorithm in Lines 7 to 10 using nondeterministic variables from ESBMC to explore all possible states and the assume macro to constrain the nondeterministic values to a given range. In order to reduce the computational effort of the algorithm, every 24-hour day was considered with a time step of 1 hour, and it was split into two parts: (a) one where PV generation is possible, during daylight, with a duration in hours depending on each site (but dependent on the sun and weather conditions); and (b) one that includes the remainder of the day (without any PV generation). Therefore, our approach depends on specific data about the solar irradiation levels to define the average number of hours of PV generation.
After that, the model from PV generator is used in the function call of Line 11, to produce the voltage and current considering the states of and . With respect to every hour considered, the conditional if-else-endif statements from Lines 12, 17, 23 and 28, will perform the charge or discharge of batteries according to the value of different variables: if there is PV generation (which depends on and ), the updated state of charge from batteries, the house’s load and the setup information of the PV system.
Next, representing the time of the day where PV generation is not possible anymore, starting in Line 31, the algorithm will only discharge the batteries (using the 1 hour step) until a new charging process (at the next day) starts. Specific asserts in Lines 27 and 35 will check the state of charging from batteries, and they will violate the property if their levels reach the minimum that represents a discharged battery; therefore, the PV system is unable to supply energy to the house. Nevertheless, if the verification engine does not fail, then we can conclude that the PV system does not need further corrections up to the given bounds.
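The contrast this section draws between a single simulated trajectory and bounded exhaustive exploration, as an added example that is not the paper's Algorithm 1 and does not use its component equations: plain C with a simplified linear energy-balance model, where an explicit enumeration stands in for the solver's nondeterministic variables. The irradiance range, 8 hours of generation, 253 W load and 80% initial SOC are the case-study values from Section V; the array rating, efficiency, battery capacity and 50% minimum SOC are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* From the text: Manaus irradiance range, 8 h of PV generation per day,
   house 1 load, initial SOC of 80%. */
#define G_MIN        274   /* W/m^2 */
#define G_MAX        852   /* W/m^2 */
#define SUN_HOURS    8
#define DAY_HOURS    24
#define LOAD_W       253
#define SOC_INIT_PCT 80

/* Constructed for this example (not from the paper or any datasheet). */
#define ARRAY_W_STC  1800  /* array output at 1000 W/m^2 */
#define CHAIN_EFF    80    /* combined component efficiency, percent */
#define BATT_WH      9000  /* battery bank capacity */
#define SOC_MIN_PCT  50    /* level treated as "discharged" */
#define MAX_DAYS     4

typedef struct {
    int  day, hour;        /* 1-based position of the violation */
    int  g[MAX_DAYS];      /* irradiance chosen for each day */
    long soc_wh;           /* stored energy when the property failed */
} cex_t;

/* Simplified linear PV model: output power scales with irradiance. */
static long pv_power_w(int g) {
    return (long)ARRAY_W_STC * g * CHAIN_EFF / 100000L;
}

/* One trajectory: true if the stored energy never drops below the minimum.
   On failure the violating state is written to *cex (if not NULL). */
bool simulate(const int *g, int days, cex_t *cex) {
    const long soc_min = (long)BATT_WH * SOC_MIN_PCT / 100;
    long soc = (long)BATT_WH * SOC_INIT_PCT / 100;
    for (int d = 0; d < days; d++) {
        for (int h = 1; h <= DAY_HOURS; h++) {
            long pv = (h <= SUN_HOURS) ? pv_power_w(g[d]) : 0;
            soc += pv - LOAD_W;                /* 1 h step: W -> Wh */
            if (soc > BATT_WH) soc = BATT_WH;  /* controller stops charging */
            if (soc < soc_min) {               /* the checked property */
                if (cex) {
                    cex->day = d + 1; cex->hour = h; cex->soc_wh = soc;
                    for (int i = 0; i < days; i++) cex->g[i] = g[i];
                }
                return false;
            }
        }
    }
    return true;
}

/* Bounded exhaustive check: every combination of per-day irradiance on a
   grid of `step` W/m^2 inside [G_MIN, G_MAX], for `days` days. Returns
   false and fills *cex with the first counterexample found. */
bool verify_bounded(int days, int step, cex_t *cex) {
    int g[MAX_DAYS];
    if (days < 1 || days > MAX_DAYS || step < 1) return false;
    for (int i = 0; i < days; i++) g[i] = G_MIN;
    for (;;) {
        if (!simulate(g, days, cex)) return false;
        int i = 0;                             /* odometer-style increment */
        while (i < days && (g[i] += step) > G_MAX) g[i++] = G_MIN;
        if (i == days) return true;            /* whole grid explored */
    }
}

int main(void) {
    int avg[2] = { (G_MIN + G_MAX) / 2, (G_MIN + G_MAX) / 2 };
    cex_t cex;
    printf("average-irradiance run: %s\n",
           simulate(avg, 2, NULL) ? "property holds" : "violated");
    if (!verify_bounded(2, 1, &cex))
        printf("counterexample: day %d hour %d, G = %d W/m^2, %ld Wh stored\n",
               cex.day, cex.hour, cex.g[cex.day - 1], cex.soc_wh);
    return 0;
}
```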
V Experimental Evaluation
V-A Description of the Case Studies
We have performed five case studies to evaluate our proposed verification method: (a) four PV systems (700 W inverter, with 48 h autonomy) deployed in four different houses in an indigenous community (GPS coordinates 2°44’50.0”S 60°25’47.8”W) situated near Manaus (Brazil), with each house having a different power demand (house 1 = 253 W, house 2 = 263 W, house 3 = 283 W, and house 4 = 501 W); and (b) one case concerning a system deployed as an individual system in Manaus (GPS coordinates 3°4’20.208”S 60°0’30.168”W), supporting 915 W of the house’s load (house 5 with 1,200 W inverter, and autonomy of just 6 h).
Note that the annual average temperature () in Manaus is from 23°C to 32°C; and irradiance () varies from 274 W/m² to 852 W/m² when there is sunlight (that information is provided in Lines 9 and 10 of Algorithm 1). Another characteristic of Manaus, based on historical weather data [42], [43], is that PV generation is possible only during 8 hours of the day, from 8:00h to 16:00h (that information is provided in Algorithm 1 as well).
V-B Objectives and Setup
Our experimental evaluation aims to answer two research questions:

RQ1 (soundness) Does our approach provide correct results?

RQ2 (performance) How does our approach compare against other existing tools?
In order to evaluate the proposed verification method and its performance, we have considered five case studies and also compared its performance to the HOMER Pro tool. Every dweller, who owns a PV system, was interviewed to get information about his/her PV system during four months of use. This information was used to know possible flaws from every system in the field.
All experiments were conducted on an otherwise idle Intel Core i72600 (8cores), with 3.4 GHz and 64 GB of RAM, running Ubuntu 18.04.1 LTS 64bits. Concerning our verification engine, ESBMC v5.1 was used with the SMT incremental mode^{2}^{2}2The commandline used to perform the verification is: $ esbmc filename.c noboundscheck nopointercheck nodivbyzerocheck unwind 300 smtduringsymex smtsymexguard z3 enabled with the goal of reducing memory usage; we have also used the SMT solver Z3 version 4.7.1 [44]. The experiments were performed without a predefined timeout.
Experimental setup of HOMER Pro: all experiments were conducted on an otherwise idle Intel Core i54210 (4cores), with 1.7 GHz and 4 GB of RAM, running Microsoft Windows 10; we have used HOMER Pro v3.12.0.
VC Results
The description of our experimental results can be broken down into two parts: (a) the 1,200 W PV system (house 5) failed during the sizing check since the number of panels was incorrectly sized; in particular, the counterexample provided by our verification engine indicated 3 PV panels in parallel, whereas the actual project has 2 in series and 2 in parallel. This verification took approximately 63.3 hours to be performed. Surveying the owner of the 1,200 W system, we identified that, in fact, the system does not meet the battery autonomy most of the time (mainly when all loads are turned on), thus affirming RQ1; this behavior is expected since the system was purchased as an off-the-shelf solution and not as a customized design for the electrical loads of the house; (b) for the 700 W PV systems of houses 1, 2, 3, and 4, the sizing check was successful during verification, but our verification engine found flaws related to the battery autonomy, particularly when the SOC reached an empty-battery level. Our verification engine identified those flaws (for all four houses) right after the first night-discharge cycle, i.e., before the solar system started to recharge the batteries. Our verification engine took approximately 409.3 hours to find this flaw in house 1; 611.2 hours for house 2; 615.8 hours for house 3; and 620.8 hours for house 4. These flaws were confirmed by interviewing the dwellers who own the systems: it is usual for the system to turn off at least once a month, normally on rainy or cloudy days, thereby reaching the situation described in Step 3 of Table II, further affirming RQ1; after the sun rises, the systems return to normal operation.
The same five case studies were evaluated by HOMER Pro. The simulation results showed that the project restrictions were met by the four 700 W PV systems (houses 1, 2, 3, and 4), without any indication of sizing errors or even performance-related issues. The case study that was unsuccessful during simulation was the 1,200 W system (house 5); however, there was no indication of what caused the failures of this PV system. Each simulation took less than 5 seconds to be performed by HOMER Pro. Despite the divergence of results for houses 1, 2, 3, and 4 w.r.t. our proposed approach, the information collected from the dwellers indicates that our approach provides the correct evaluation of the PV system, thus answering RQ2. House 5 presented flaws in both tools; however, only our approach indicated which design error was responsible for the flaw (number of PV panels), further answering RQ2. Note that a PV design always uses daily average values of sun hours for each site, with impact on the PV components. Those hours are based on historical data and, in the field, it is not unusual to find days where that number of hours was not reached due to weather conditions. The season has an impact since the case studies are from the rain forest, where clouds are always present. As a result, the identified flaws in houses 1, 2, 3, and 4 are justified once again.
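The difference between evaluating one average day and covering a range of days can be seen in a small C sketch, which is an added example and not the paper's model or ESBMC input. All sizing values, the function names, and the simplified one-hour energy balance are assumptions; a plain enumeration over discretized ranges stands in for the symbolic exploration a model checker performs.

```c
#include <stdbool.h>

/* Constructed sizing data (assumptions), not the paper's case studies. */
#define BATT_WH     2400.0 /* battery bank capacity (Wh)              */
#define SOC_DAWN    0.30   /* state of charge when the sun rises      */
#define SOC_MIN     0.25   /* cut-off: system turns off at this level */
#define PV_W        700.0  /* installed PV peak power (W)             */
#define CHARGE_EFF  0.80   /* lumped panel-to-battery efficiency      */
#define INV_EFF     0.90   /* inverter efficiency                     */
#define NIGHT_HOURS 12

typedef struct { bool found; int sun_hours, load_w, hour; } cex_t;

/* SOC at dusk after charging for sun_hours, capped at a full battery. */
static double soc_at_dusk(int sun_hours) {
    double soc = SOC_DAWN + sun_hours * PV_W * CHARGE_EFF / BATT_WH;
    return soc > 1.0 ? 1.0 : soc;
}

/* Discharge in one-hour steps; return the hour at which SOC reaches the
 * cut-off, or 0 if the battery autonomy property holds all night. */
int night_failure_hour(int sun_hours, int load_w) {
    double soc = soc_at_dusk(sun_hours);
    for (int h = 1; h <= NIGHT_HOURS; h++) {
        soc -= load_w / (INV_EFF * BATT_WH);
        if (soc <= SOC_MIN) return h;
    }
    return 0;
}

/* Enumerate every (sun hours, load) pair in the given ranges, load in 10 W
 * steps, and report the first violation as a counterexample. A model checker
 * explores such ranges symbolically; this loop only imitates that coverage. */
cex_t check_autonomy(int sun_lo, int sun_hi, int load_lo, int load_hi) {
    for (int s = sun_lo; s <= sun_hi; s++)
        for (int w = load_lo; w <= load_hi; w += 10) {
            int h = night_failure_hour(s, w);
            if (h) return (cex_t){ true, s, w, h };
        }
    return (cex_t){ false, 0, 0, 0 };
}
```

With these constructed values, the single average-day evaluation (5 sun hours, 100 W) passes, while covering 1 to 6 sun hours and 50 to 150 W yields a counterexample on a one-sun-hour day.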
V-D Threats to Validity
We have reported a favorable assessment of the proposed method over a diverse set of real-world benchmarks. Nevertheless, we have also identified three threats to the validity of our results that can further be assessed.
Model precision: each component of the PV system is mathematically modelled, and the precision of the proposed method depends on the precision of that particular model. A careful evaluation in a PV laboratory to validate the model could add more reliability to the results produced by our method.
Time step: The runtime complexity of our proposed method is an issue; the time step of one hour can be further reduced to bring the algorithm closer to the real-world scenario, where solar irradiance and ambient temperature can change in fractions of minutes.
Case studies: Our case studies are performed only in Manaus, in particular in the southern hemisphere. A more complete evaluation can be performed if other places around the world could become case studies.
VI Conclusion and Future Work
We have described and evaluated an automated verification method to check whether a given PV system meets its specification using software model checking techniques. We have considered five case studies from real photovoltaic systems deployed in five different sites, ranging from 700 W to 1,200 W. Although this verification method takes longer than simulation methods, it is able to find specific conditions that lead to failures in a PV system previously validated by a commercial simulation tool. In particular, the proposed method was successful in finding sizing errors and indicating under which conditions a PV system can fail. As future work, the proposed method will be extended to start from a list of commercial equipment, where each piece of equipment is verified and the final solution, which satisfies the project specification, is found via Counterexample-Guided Inductive Synthesis [45], thus leading to an optimum sizing of PV systems. We will also consider other types of renewable energy and even hybrid ones to allow our method to design and verify typical rural electrification.
Acknowledgment
To Coventry University and Sustainable Amazonas Foundation (FAS) for the possibility to test real PV systems.
References
 [1] S. Coelho, A. Sanches-Pereira, L. Tudeschini, J. Escobar, M. Poveda, N. Coluna, A. Collin, E. L. Rovere, A. Trindade, and O. Pereira, “Biomass residues as electricity generation source in low HD source in regions of Brazil,” in The XI Latin. Cong. of Elec. Gener. and Transm. CLAGTEE, UNESP, Ed., 2015, pp. 1–8.
 [2] EPIA, Global market outlook for photovoltaics 2017-2021. Belgium: European Photovoltaic Industry Association, 2017.
 [3] E. M. Clarke, T. A. Henzinger, and H. Veith, “Introduction to model checking,” in Handbook of Model Checking., 2018, pp. 1–26.
 [4] S. Pradhan, S. Singh, M. Choudhury, and D. Dwivedy, “Study of cost analysis and emission analysis for grid connected PV systems using retscreen 4 simulation software,” Int. J. of Eng. Res. & Tech., vol. 4, no. 4, pp. 203–207, 2015.
 [5] N. Swarnkar, L. Gidwani, and R. Sharma, “An application of HOMER Pro in optimization of hybrid energy system for electrification of technical institute,” in Int. Conf. on Energ. Eff. Tech. for Sust. (ICEETS), 2016, pp. 56–61.
 [6] A. Dobos, “PVWatts Version 5 Manual,” National Renewable Energy Laboratory, Colorado, Tech. Rep., 2014.
 [7] N. Blair, A. Dobos, J. Freeman, T. Neises, and M. Wagner, “System Advisor Model, SAM 2014.1.14: General Description,” National Renewable Energy Laboratory, Colorado, Tech. Rep., 2014.
 [8] A. Mills and S. Al-Hallaj, “Simulation of hydrogen-based hybrid systems using Hybrid2,” Int. J. of Hydrog. Energy, vol. 29, no. 10, pp. 991–999, 2004.
 [9] J. Gow and C. Manning, “Development of a photovoltaic array model for use in power-electronics simulation studies,” in Proceedings of the 14th IEE Electric Power Applications Conference, vol. 146, no. 2, 1999, pp. 193–200.
 [10] A. Benatiallah, D. Benatiallah, T. Ghaitaoui, A. Harrouz, and S. Mansouri, “Modelling and simulation of renewable energy systems in Algeria,” Int. J. of Sc. and App. Inf. Tech, vol. 7, no. 1, pp. 17–22, 2017.
 [11] W. Akram and M. A. Niazi, “A formal specification framework for smart grid components,” Complex Adaptive Systems Modeling, vol. 6, no. 1, p. 5, Sep 2018.
 [12] M. Gadelha, F. Monteiro, J. Morse, L. Cordeiro, B. Fischer, and D. Nicole, “ESBMC 5.0: An industrial-strength C model checker,” in ACM/IEEE Int. Conf. on Aut. Soft. Engin. (ASE’18). New York, NY, USA: ACM, 2018, pp. 888–891.
 [13] A. R. Bradley and Z. Manna, The calculus of computation - decision procedures with applications to verification. Springer, 2007.
 [14] N. Samrat, N. Ahmad, I. Choudhury, and Z. Taha, “Modeling, control, and simulation of battery storage photovoltaic-wave energy hybrid renewable power generation systems for island electrification in Malaysia,” The Scient. World J., vol. 2014, no. ID 436376, pp. 1–21, 2014.
 [15] E. Natsheh and A. Albarbar, “Solar power plant performance evaluation: simulation and experimental validation,” in J. of Physics: Conf. Ser., vol. 364, 2012.
 [16] M. Lamnadi, M. Trihi, and A. Boulezhar, “Study of a hybrid renewable energy system for a rural school in Tagzirt, Morocco,” in Int. Ren. and Sust. Energ. Conf. (IRSEC), 2017.
 [17] Y. Driouich, M. Parente, and E. Tronci, “Modeling cyber-physical systems for automatic verification,” in 14th Int. Conf. on Synth., Mod., Appl. to Circ. Des. (SMACD 2017), 2017, pp. 1–4.
 [18] A. Abate, “Verification of networks of smart energy systems over the cloud,” in Num. Soft. Verif., S. Bogomolov, M. Martel, and P. Prabhakar, Eds., vol. LNCS 10152, 2017, pp. 1–14.
 [19] Y. Driouich, M. Parente, and E. Tronci, “A methodology for a complete simulation of cyber-physical energy systems,” in IEEE Work. on Envir., Energ., and Struc. Monit. Syst. (EESMS), 2018.
 [20] P. Mohanty, K. Sharma, M. Gujar, M. Kolhe, and A. Azmi, Solar Photovoltaic System Applications. Springer International Publishing, 2016, ch. PV System Design for Off-Grid Applications, pp. 49–83.
 [21] S. Rajanna and R. Saini, “Modeling of integrated renewable energy system for electrification of a remote area in India,” Renew. Energ., vol. 90, no. C, pp. 175–187, 2016.
 [22] R. Rawat, S. Kaushik, and R. Lamba, “A review on modeling, design methodology and size optimization of photovoltaic based motor pumping, standalone and grid connected system,” Renew. and Sust. Energ. Rev., vol. 57, pp. 1506–1519, 2016.
 [23] A. Hansen, P. Sørensen, L. Hansen, and H. Bindner, Models for a standalone PV system. Forskningscenter Risoe, 2001, no. 1219.
 [24] A. Mellit, M. Benghanem, and S. Kalogirou, “Modeling and simulation of a standalone photovoltaic system using an adaptive artificial neural network: Proposition for a new sizing procedure,” Renew. Energ., vol. 32, no. 2, pp. 285–313, 2007.
 [25] H. Yatimi and E. Aroudam, “Modeling and simulation of a standalone photovoltaic system,” in Xth Int. Conf. on Int. Des. and Prod., T. Marocco, Ed., 2015.
 [26] E. Saloux, A. Teyssedou, and M. Sorin, “Explicit model of photovoltaic panels to determine voltages and currents at the maximum power point,” Solar Energy, vol. 85, no. 5, pp. 713–722, 2011.
 [27] J. Cubas, S. Pindado, and F. Sorribes-Palmer, “Analytical calculation of photovoltaic systems maximum power point (MPP) based on the operation point,” Applied Sciences, vol. 7, no. 9, pp. 870–884, 2017.
 [28] M. Villalva, J. Gazoli, and E. Filho, “Comprehensive approach to modeling and simulation of photovoltaic arrays,” IEEE Trans. on Power Elec., vol. 24, pp. 1198–1208, 2009.
 [29] A. Jakhrani, S. Samo, S. Kamboh, J. Labadin, and A. Rigit, “An improved mathematical model for computing power output of solar photovoltaic modules,” Int. J. of Phot., vol. 2014, no. ID 346704, p. 9, 2014.
 [30] R. Ross, “Flat-plate photovoltaic array design optimization,” in 14th IEEE Photovoltaic Specialists Conference, C. San Diego, Ed., 1980, pp. 1126–1132.
 [31] J. Pinho and M. Galdino, Manual de Engenharia para Sistemas Fotovoltaicos. Rio de Janeiro/RJ: CEPEL - CRESESB, 2014.
 [32] J. Copetti, E. Lorenzo, and F. Chenlo, “A general battery model for PV system simulation,” Prog. in Photovoltaics: Res. and App., vol. 1, no. 4, pp. 283–292, 1993.
 [33] J. Manwell and J. McGowan, “Lead acid battery storage model for hybrid energy systems,” Solar Energy, vol. 50, no. 5, pp. 399–405, 1993.
 [34] E. Clarke, W. Klieber, Miloš Nováček, and P. Zuliani, Model Checking and the State Explosion Problem. Berlin: Springer, 2012, pp. 1–30.
 [35] F. Forejt, M. Kwiatkowska, G. Norman, and D. Parker, Automated Verification Techniques for Probabilistic Systems. Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 53–113.
 [36] J. Morse, L. C. Cordeiro, D. A. Nicole, and B. Fischer, “Model checking LTL properties over ANSI-C programs with bounded traces,” Software and System Modeling, vol. 14, no. 1, pp. 65–81, 2015.
 [37] A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu, “Symbolic Model Checking without BDDs,” in TACAS, ser. LNCS, vol. 1579, 1999, pp. 193–207.
 [38] J. Morse, “Expressive and efficient bounded model checking of concurrent software,” Ph.D. dissertation, University of Southampton, 2015.
 [39] P. Schrammel, D. Kroening, M. Brain, R. Martins, T. Teige, and T. Bienmüller, “Incremental bounded model checking for embedded software,” Formal Asp. Comput., vol. 29, no. 5, pp. 911–931, 2017.
 [40] I. O. for Standardization. ISO/IEC 9899:2018 Information Technology – Programming Languages – C. Accessed: 14.11.2018. [Online]. Available: https://www.iso.org/standard/74528.html.
 [41] M. Y. R. Gadelha, H. I. Ismail, and L. C. Cordeiro, “Handling loops in bounded model checking of C programs via k-induction,” STTT, vol. 19, no. 1, pp. 97–114, 2017.
 [42] Weatherbase. Manaus, Amazonas travel weather averages. Accessed: 09.07.2018. [Online]. Available: http://www.weatherbase.com/weather/weather.php3?s=23328&cityname=ManausAmazonasBrazil.
 [43] EnergyPlus. Weather data by location. Accessed: 09.07.2018. [Online]. Available: https://energyplus.net/weatherlocation/south_america_wmo_region_3/BRA//BRA_AM_ManausGomez.Intl.AP.817300_INMET.
 [44] L. D. Moura and N. Bjørner, “Z3: An Efficient SMT Solver,” in Tools and Alg. for the Const. and An. of Sys. (TACAS), vol. LNCS 4963, 2008, pp. 337–340.
 [45] A. Solar-Lezama, L. Tancau, R. Bodík, S. A. Seshia, and V. A. Saraswat, “Combinatorial sketching for finite programs,” in ASPLOS. ACM, 2006, pp. 404–415.
Alessandro Trindade received his BSc and MSc in Electrical Engineering from the Federal University of Amazonas (UFAM) in 1995 and 2015, respectively. Currently, he is pursuing his PhD in the Postgraduate Program in Informatics (PPGI) at UFAM, and holds an Assistant Professor position in the Electricity Department from UFAM. Prior to joining UFAM, he worked 4 years as Consultant of renewable energy to the State Electric Utility and to the Inter-American Institute for Cooperation on Agriculture (IICA); he also worked for 12 years as R&D and project manager at a nonprofit foundation (Centre of Analysis, Research and Innovation Technology Foundation). His interest is in renewable energy, automated verification, and model checking.
Lucas Cordeiro received his Ph.D. degree in Computer Science in 2011 from the University of Southampton, UK. Currently, he is a Senior Lecturer in the School of Computer Science at the University of Manchester, UK and leads the Systems and Software Verification laboratory. He is also a collaborator in the Postgraduate Program in Electrical Engineering and Informatics at the Federal University of Amazonas (UFAM), Brazil. Prior to joining the University of Manchester, he worked as a researcher / researcher engineer at Oxford University / Diffblue and as an adjunct professor at UFAM; he also worked for 4 years as a software engineer at Siemens Mobile and CTPIM. His work focuses on software model checking, automated testing, program synthesis, and embedded & cyber-physical systems.