The exponential growth of the complexity of electronic systems makes their verification increasingly difficult. To address this problem, incremental refinements of existing approaches are insufficient in the long term; new approaches are needed. In this paper, we explore the new approach of selfverification, where systems will verify themselves during run time. Self-verification will give system engineers more time, more resources, and more information to successfully finish the verification. We sketch an architecture and methodology for selfverification, which maps system properties to the development phase in which they are verified, and illustrate the approach with a first case study.
I. INTRODUCTION
Embedded and cyber-physical systems have found their way into almost all parts of our lives, sometimes without us noticing. They are at work in everyday devices, from the ubiquitous smartphone to washing machines to cars and trains, and we expect them to work fault-free and reliably, especially when employed in safety-critical application areas such as transportation. This proliferation into different application areas has been made possible by immense progress in the development of microchips, which are at the core of these cyber-physical systems. Microchips have steadily become more powerful over the last forty years, growing in an exponential fashion -the number of transistors in a device is still doubling every 18 months (the well-known Moore's Law) -resulting in systems which today consist of billions of components.
To assure the correctness of embedded and cyber-physical systems, a variety of verification methods help designers to check whether the system is free of errors, and whether it meets its specified requirements. Amongst the verification methods in use today are the following:
Simulative verification, which is based on a model of the system. The inputs are explicitly assigned and propagated through the system, and afterwards the outputs are compared to the expected values. This technique is very mature and well supported, but complete coverage of all Research supported by BMBF grant SELFIE, grant no. 01IW16001. possible input values is practically impossible to obtain by simulation for contemporary systems.
Emulative verification realizes simulation directly in a prototypical implementation of the desired chip in dedicated hardware. While this allows for an acceleration by several orders of magnitudes, with this method complete coverage can only be achieved in rare cases.
Formal verification considers the problem mathematically and proves that a chip is correct (i.e. satisfies certain properties). This is currently an intensively researched topic in both academia and industry. Formal verification aims for complete coverage, but scalability remains an issue: formal verification can today only be applied to rather small circuits and systems. Unfortunately, the progress in manufacturing and developing microchips has far outpaced the progress in developing verification methods. This is known as the verification gap: the time needed to verify systems has been growing while simultaneously the time to market has been decreasing. Current research activities try to address this problem. However, almost all corresponding developments rely on incremental improvements of existing solutions. For example, designers try to lift the respective design and verification tasks to higher levels of abstraction, provided by modeling languages such as SysML or system description languages such as SystemC, which eventually leads to design at the socalled formal specification level [1] or the electronic system level [2] . But these developments have been unable to close the verification gap comprehensively, due to the exponential nature of Moore's law. It is obvious that the underlying problems cannot be addressed through incremental improvements, but require a fundamental change in the way how circuits and systems are verified today.
Because of the complexity of the underlying theoretical satisfiability problem (it is NP-complete) we cannot reasonably hope to speed up verification methods by the required orders of magnitude. Hence, we need to extend the time available for verification. This can be achieved by continuing verification after production and deployment. In other words, systems continue to verify their correctness at run time. This is the basic idea of self-verification. We have put forth this idea in earlier papers [3] , [4] ; in this paper, we will lay out first steps towards a sustainable methodology of selfverification. This paper is structured as follows: we first present the basic principles of self-verification, followed by the methodology of how to develop self-verifying systems. We explore a first case study, and finish with conclusions.
II. SELF-VERIFICATION
By allowing verification to continue after deployment, engineers will gain the following advantages:
more time, as verification is not cut off at deployment, and thus not bound by time-to-market constraints anymore;
more resources, as self-verification can be run on all deployed systems in parallel;
more information, as self-verification can take into account knowledge about the environment the system is deployed in. The basic architecture for self-verification is sketched in Figure 1 . The target system, which realizes the intended functionality, is extended with a verification system, which performs verification at run time. The latter checks and proves that the system realizes the intended functionality correctly. Using dedicated hardware separate from the target system instead of e.g. using one dedicated core of a multi-core processor has the advantage that at least in theory the verification system can be formally verified and thus proven to be error-free, and that we can also reuse the verification system design for many other systems, in particular for custom-built hardware which may not provide an additional core (as in our case study below). Due to limited resources available in the verification system, the tools supporting formal verification have to be adapted to lightweight versions of existing tools, with the goal of providing maximum performance with minimal resources.
This architecture raises a number of interesting research questions, such as which properties are suitable to be verified at run time, which have to be proven at design time, how does a design flow for a self-verifying system look like, and how can we reduce the system state space enough to allow verification at run time under limited resources? We will address these questions in the following, thus constituting a methodology for self-verification.
III. METHODOLOGY
To motivate our methodology, we consider a simple methodology exercise from the application domain of smart homes. Suppose we want to implement a smart light controller connected to a light sensor and a light switch. It should turn off the light when it gets bright enough outside, and turn on the light when it gets dark. This system is basic enough that we can understand the behaviour in toto and thus are able to envisage the design flow. We emphasize that due to this simplicity it is not a useful case study; we will consider one later.
A. Informal Requirements Specification
We start the development with a non-formal specification of the intended behaviour. A first attempt would be an informal, textual specification (which we call RS-1):
Note how we implemented a hysteresis with two different thresholds E lo < E hi to avoid a flickering effect when the luminosity jitters around one threshold. We also introduce a delay in switching off the light such that the light stays on if there is a short bright flash (e.g. lightning, a passing car) during an otherwise dark night. A first attempt to formalize this specification using differential equations (describing the change of the system behaviour over time) might be the following, which we call RS-2:
where light(t) is the state of the light at time t, and on(t); off(t) auxiliary functions which model turning the light on and off.
B. Formal Requirements Specification
The continuous mathematics used in RS-2, although wellknown to engineers, is not well suited for systems development, as digital system are by their nature discrete. 1 A discrete system uses a discrete clock, which is measured in where is the number of ticks in the time span TD. The system state at tick n depends on off(n-D); : : : ; off(n-1). This is not desirable, because the underlying system model is a finite state machine with transitions based on the current state and the observed input; in other words, we do not keep track of past states. Specifications at this level need to be relational in the sense that they only relate two states, a preand a post-state, thereby defining all possible state transitions.
To achieve such a relational specification, we internalize the counting into the system state by defining a function cnt as follows in specification FS-2, where on(n) and off(n) are given by (4), (5):
C. Formal Specification Level
It is not straightforward how to implement the system specified by FS-2. The equations do not specify which arguments are inputs and what constitutes the output of the system. Thus, we need a more concrete model of the system which specifies the components and datatypes in more detail.
We give this model in SysML/OCL, where SysML is used to model the data, and OCL is used to specify the state transitions.
SysML [7] , [8] is a modeling language, closely related to UML, which describes the structure and behaviour of a system by nine different diagram types, such as block definition diagrams, state machine diagrams, or sequence diagrams.
SysML diagrams can be formal or informal; we concentrate on the former here, and in particular use block definition diagrams to describe the structure of our system. 1Having said that, there are numerous attempts to describe the behavior of these so-called hybrid systems (e.g. [5] , [6] Requirements (R-2) and (R-3) are specified as the postcondition of the tick operation, which models the state transition:
For space reasons, we do not give the Chisel model here, as our main focus is the verification of properties of the SysML/OCL model. What makes the verification of this system particularly challenging is the dynamic nature of the infrastructure. All the components can be dynamically added to and removed from the system, and every sensor, switch and detector can register for a light source. Dynamic aspects of this kind yield unmanageably large search spaces when attempting a full verification. If we assume identifiers to be only one byte for the components allowing for a maximum of just 256 components of every kind, this already yields ( 2 8 Of course the complexity of a proof can not be measured by the number of variables involved alone. Consider the arithmetic average function which is used to combine several sensor values into one. When implementing this in hardware one might chain multiple additions with a multiplication.While hardware adders are relatively easy to check, optimized hardware multipliers are very hard to verify since the usual branch cutting approaches of model checkers and solvers fail to reduce the search space for those particular circuits. Even a simple 32 bit multiplier already yields a 64 bit search space, requiring very elaborate proof methods to reduce this search space [13] , [14] . In the example, we have to multiply the sum of the sensor values with the reciprocal of the number of sensors. Obviously the sum of the sensor values is changing frequently, but the number of sensors assigned to a light source only changes when the system is reconfigured and can thus be considered as quasi static. By verifying the multiplier with one particular factor considered static every time the configuration changes we can reduce the search space from 2 64 to 2 32 .
IV. CONCLUSIONS
In this paper, we have proposed a basic methodology to develop self-verifying systems, which continue their verification at run time after deployment. This gives engineers more time, more resources and more information to successfully finish the verification. Self-verification goes beyond self-testing (which addresses failures in the production process), towards proving functional correctness.
For the properties to be verified, we distinguish global properties, concerning all system states, and relational properties, relating a pre-and a post-state. The latter suggests the use of the SysML modeling language together with OCL as a specification language for self-verifying systems.
Proof at run time has to be automatic, and at the same time has to have a small memory footprint. To reduce the search space of automatic proof methods, we have introduced the concept of quasi-static attributes, which are those system which change infrequently, so instead of trying to prove verification properties for all values of these quasi-static attributes, we only prove it for fixed values whenever they are set; a typical application example of quasi-static data are configurations.
We have demonstrated our methodology with a small first case study: we have shown how to model the system behavior in SysML/OCL, and how by treating configuration data as quasi-static we could reduce the state space by a factor of 2 10240 even in this very simple scenario.
These are but small first steps, and need to be followed by more work to make self-verification applicable, yet we believe that self-verifying systems could provide the key to closing the verification gap, and make the cyber-physical systems which surround us every day more correct, and hence more safe.
