ABSTRACT ISO 26262, an automotive functional safety standard, ensures the functional safety of automotive systems by providing requirements and processes to govern the software lifecycle. Each functional system must be classified in terms of safety goals, risks, and automotive safety integrity level (ASIL: A, B, C, and D), with ASIL D, denoting the most stringent safety level. As the risk of the system increases, the ASIL level increases, and the standard highly recommends more stringent methods to ensure safety. ISO 26262 highly recommends that ASIL C and D-classified systems utilize semiformal and formal verification among other techniques to verify software unit design and implementation. In this paper, we compare industrial design verification steps of WatchDog Manager in an effort to be ASIL B-compliant with a proposed nondisruptive methodology to semiformally verify WatchDog Manager UML design via an automated formal framework backbone. This semiformal verification framework will allow automotive software to comply with ASILs C and D formal and semiformal unit design and implementation verification recommended guidelines in ISO 26262. Semiformal UML finite-state machines are automatically compiled into formal notations based on the Symbolic Analysis Laboratory formal notation. We capture requirements in the UML design and compile them automatically into theorems. Model checkers are run against the compiled formal model and theorems to detect counterexamples that violate the requirements in the UML model. We show that semi-formal verification of the design allows us to uncover issues that were detected in testing and production stages of ASIL B-compliant Watchdog Manager existing implementation.
I. INTRODUCTION
In recent years, software costs increased exponentially due to the increasing number of software enabled features in a car. A modern car can contain up to 90 Electronic Control Units (ECUS), 11 networks and might host one million lines of code (LOC) [1] . This increases software complexity and with it, the probability of failures. The task of verifying software to detect failures is becoming more and more difficult, time consuming and critical.
Failure of safety critical software could cause hazardous consequences on human life. It is crucial in automotive systems to ensure design correctness from compliance to specification perspective as early as possible. Safety standards put strict processes that involve manual reviews and requirements traceability in all software life cycle to ensure specification compliance. Industry still heavily relies on manual reviews and processes which is impractical since specification is still captured in informal and semi-formal notations which opens the door for requirement specification ambiguity. Attention to safety software engineering started when failures in embedded critical systems resulted in hazardous consequences. A good number of such failures are attributed to non-compliance to specification. A glitch in an automaker's software design and testing approach in airbags design resulted in the recall of 47,401 vehicles in the US and a further 3,099 in Canada and Mexico [2] .
An automotive functional safety standard, ISO 26262 [3] , has been published in 2011 whose objectives are: providing an automotive safety lifecycle (management, development, production, operation, service, decommissioning), supports tailoring the necessary activities during these lifecycle phases, and providing an automotive specific risk-based approach for determining risk classes (Automotive Safety Integrity Levels, ASILs). The standard highly recommends capturing the design in semi-formal notation and also highly recommends the use of semi-formal verification methods to ensure design correctness in ASILs C and D. The use of formal methods is only recommended for ASIL D software. Formal methods have traditionally not been widely adopted in automotive industry due to several barriers such as: legacy methods migration, scalability shortcomings, and insufficient tool automation support for formal methods [4] . It is generally believed that formal methods will not have a significant impact unless they can be used by people who do not understand them. Formal model checking have gained traction in academic research but have not gained traction in the automotive industry. They are utilized in other domains such as airborne systems and air traffic management systems in compliance with DO-333 standard [5] .
In general, current verification approaches tend to focus on inspection, simulation testing, and dependency on test coverage metrics. Such approaches tend to depend on the rigor of test coverage and the experience of the person in charge of the test design but an exhaustive proof is not possible. In Model checking, a key property that is checked via model checkers is analogous to full exhaustive testing [6] .
Raghad et all [7] present an industrial case study of product-based evidence needed to build sub-arguments for a safety case using Goal Structuring Notation in Fuel level estimation and Display System. The aim of this work is to evaluate the effort needed to comply with ISO 26262 via automotive suppliers. Our work complements this study as our proposed framework can be used to capture identified safety cases.
In this paper, we will present a framework that allows software designers to formally verify a specified software in a semi-formal notation (UML). This complies with ISO 26262 design verification guidelines for ASILs C and D that highly recommend semi-formal verification of the design for ASILs C and D. We used AUTOSR's WatchDog Manager Basic Software Module [8] as a case study. In addition, an ASIL B compliant implementation (and reported testing/production level defects) was used to conduct a comparative analysis and evaluation of the proposed framework. Our aim in this case study was to show that defects identified on the code level during testing and release stages of an ASIL B compliant module could be identified on the design level via our proposed framework which automatically supports semi-formal and formal verification of the design.
The paper is organized as follows: section II gives brief overviews on existing UML to formal notations transformations, section III discusses ISO 26262 design verification guidelines, section IV presents challenges faced in an industrial endeavor to verify case study module in compliance with ASIL B, section V presents the framework and gives an overview on SAL (Symbolic Analysis Laboratory) [9] , section VI presents the case study module and comparison findings, and section VII concludes the paper while emphasizing on future work to the framework.
II. FORMAL MODEL CHECKING OF UML STATE CHARTS
Our proposed framework is based on a UML model as a starting point. UML has become a de-facto standard for software industries. AUTOSAR specifications are primarily depending on UML diagrams. This, among others, was the main reason why several research endeavors focused on model checking of UML diagrams, namely state charts and sequence diagrams.
In [10] , a UML state chart system based model is translated into π -calculus. The intermediate π -calculus model is then translated into NuSMV input language based on defined translation rules. NuSMV model checking is then run to evaluate any non-compliances or problems in the model. This is a 2 step translation process and it does not show how the UML model engineer will interpret the feedback in UML domain/notation.
In [11] , the authors translate UML state charts into FSMs (Finite State Machines), FSMs are then transformed into NuSMV input model and NuSMV model checking is finally run on the 2nd level translated model.
In [12] , the authors translate UML models to an input language in a self-developed model checker called PAT in such a way that is transparent to users. In particular this approach utilized PAT as the back end for verification capabilities. The tool flow is based on parsing UML XMI (XML metadata Interchange), the object management group standard of exchanging UML diagrams. The authors claim that PAT can address deadlock, reachability, trace, and refinement relationship. They presented the framework but stopped short of applying the theory to any industrial use-case. Published results fail to show how the UML user will get the model checking feedback in a non-formal understandable notation.
Similarly, Ma and Hei [13] translate abstracted UML state chart railway interlocking system model into FSM which is then translated into NuSMV input language and utilized NuSMV checker. They did not show how counterexamples can be expressed back in UML domain. Their results lack any documentation on how the safety properties are constructed and translated into LTL formulas.
Ji et. al. [14] transform UML verification model to PROMELA model which uses hierarchical automata to describe the state machine and its formal semantics and then verifies the correctness of the model using SPIN since SPIN accepts PROMELA based models. The same drawbacks discussed in previous endeavors are also applicable to this effort.
In [15] , an approach to formalize UML is shown via transforming UML to Event-B. The transformation only covers UML activity diagram to Event-B models and does not cover state flow diagrams.
In [16] , an approach is presented that semi-automatically generates formal specifications from state machine and activity diagrams. The model is translated to text using MERL language and MetaEdit tool. State machine is transformed into SMV model description and activity diagrams into LTL formulas. NuSMV model checker is then used to verify the specification.
In [17] , a method is proposed to map UML state chart to BIR language, which is designed for BOGOR model checking in order to only evaluate the deadlock property.
In [18] , Echo verification is employed where the system under test has to be captured with a PVS based formal specification including low level specification capturing pre and post conditions. Additionally, the proof is semi-automated where the complete proof needs to be done under human guidance, Earlier attempts did not consider minimizing transformation steps due to ISO 26262 tool qualifications recommendations and they address limited category of errors. They also either propose a new low level specification language, limited to architecture as opposed to functional mapping or lack showing how the model checker result can be interpreted via a UML designer. Additionally, the existing endeavors were not evaluated based on an industrial specification that was compared to an industrial implementation of the case study module. Our proposed framework attempts to address these shortcomings
III. ASILs B AND C ISO 26262 VERIFICATION GUIDELINES
The birth of AUTOSAR and ISO-26262 automotive functional safety standard is a strong proof of how automotive suppliers are committed to enhancing their software to meet challenges and it is one of the motivations behind the work presented in this paper. According to ISO 26262 [3] , ASIL B compliant modules are highly recommended (++) to use design/code inspection, and static code analysis while they are only recommended (+) to use design/code walkthrough, semi-formal verification, control /data flow analysis, and semantic code Analysis [3] .
On the other hand, ASILs C and D compliant modules are highly recommended to use code/design inspection, semiformal verification, control / data flow analysis, and static code analysis while they are only recommended to use formal verification and semantic code analysis [3] .
The recommendations clearly show that ASILs C and D compliant software needs to adopt semi-formal and formal verification based techniques. ASIL B compliant modules have the flexibility to potentially skip the semi-formal verification once they utilize the other highly recommended techniques in ASIL B guidelines while ASILs C and D compliant modules do not have such luxury. Figure 1 shows the recommended methods for verification of software unit design and implementation according to ISO 26262-6 Table 9 [3] . ('++' indicates that the method is highly recommended for the identified ASIL, '+' indicates that the method is recommended for identified ASIL, 'o' means no recommendation).
Additionally, verification cases should ensure that techniques are adopted to confirm compliance to the requirements, equivalence classes' conditions, boundary value conditions and expected errors are covered [3] . Figure 2 shows recommended and highly recommended methods for deriving test cases for the different ASIL levels. In summary, ASIL B and C compliant modules are highly recommended to use analysis of requirements, generation and analysis of equivalence classes, analysis of boundary values, while they are only recommended to adopt error guessing in deriving test cases.
Our research fulfils recommendations made by the standard in the validation and verification activities of the design recommendation. The steps recommended by the standard include semi-formal verification of the design and formal verification of the design. Our proposed framework supports these guidelines. Test derivation guidelines recommend checks to be based on requirement of analysis, boundary conditions and equivalence partitioning. We will show that our formal framework support these guidelines while checking the model to report any violation.
IV. ISO 26262 ASIL B AUTOSAR WatchDog MANAGER COMPLIANCE CHALLENGES
In order to evaluate our approach, we needed to conduct a comparative analysis between our proposal and an existing module that was developed in compliance to ISO 26262 via a BSW supplier. In this section, we present an analysis of defects and challenges faced while complying with ISO 26262 guidelines in a BSW watchdog Manager Module development.
Development team faced several challenges in their endeavor to comply several AUTOSAR BSW implementations with ISO 26262 ASIL B level. 1 Initially, the team focused on ASIL B compliancy since they were unable to conduct highly recommended guidelines in ASILs C and D, namely, semi-formal and formal verification of the design. Our aim is to present the challenges faced during trying to comply Watchdog Manager Implementation with ASIL B and try to overcome these challenges to pave the way for module suppliers to comply with verification design guidelines as recommended in ASILs C and D.
The first challenge faced was the ability to apply required verification methods. ISO 26262 formal and semi-formal verification guidelines were not feasible when working with embedded C software. Static analysis, and control/data flow analysis were considered as acceptable alternatives. Arguments for not performing semi-formal or formal verifications were made. The alternative approaches apply on the source code itself and are mainly manually driven. Control flow/data flow analysis were done by manually analyzing the control statements inside source code and creating control flow/data flow graphs for control statements and variables. This was feasible as the modules that were required to be ASIL B compliant were small which rendered this manual effort feasible. It is expected that this is not going to be possible with larger modules. From a safety team perspective aiming to reach ASIL C compliancy for developed modules, it is inevitable that the software be verified in early phases using semi-formal and formal verification as recommended by ISO 26262 design verification guidelines.
The second challenge faced was establishing traceability between requirements, design, and code and test elements in an automated fashion. Manual trace and label of the requirements were employed. Supporting traceability in an automated fashion between requirements, design, code and test elements would decrease the number of review/update iterations of sequence diagrams, control and data flow diagrams and traceability to software requirements.
The third challenge was related to the test case derivation. Figure 2 shows the recommended methods for deriving test cases for software unit testing according to ISO 26262-6 Table 11 [3] . Automation methods that help in identifying decision points/variables to automatically generate test cases would definitely save time and ensure compliance to ISO 26262 guidelines.
In conclusion, all safety team verification and test case derivation methods were based on manual inspection, as recommended for ASIL B compliant modules. This will not be feasible for ASIL C compliant modules as semi-formal verification is highly recommended for levels greater than B.
Seventy one defects were raised during ASIL B compliancy endeavor of the WatchDog Manager module. Additionally, some of the reported defects were uncovered after production and during customer module integration endeavors. Table 1 summarizes the raised defects number and classification.
Defects under logic bugs category include but are not limited to, bugs such as array bound issues, incorrect array index, invalid mathematical operator, and last array index not getting initialized properly. Defects under non-compliance to specification includes defects such as WDGM triggers watchdog Interface to be in WDGIF_OFF_MODE while in WDGM_G_STATUS_STOPPED state (non-compliance to WDGM122) and WdgMExpectedAliveIndications, which is a defined parameter in the specification holding the amount of expected alive indications, range does not match AUTOSAR watchdog manager specification. The remaining defects were related to traceability (Missing text cases, missing relations between requirement and design/code/test elements).
V. PROPOSED FRAMEWORK ELEMENTS
The proposed framework is motivated by the following objectives:
1) Ability to capture detailed design using xtUML to Design deadlock checker The framework input is a UML state based system. This also includes specification requirements which are captured in the UML design in the form of satisfiability conditions on variable, state, and transition levels. Requirement specification document is initially mapped to an xtUML model design implementation. The requirements are mapped into UML packages, components, classes (attributes and operations), and state machines. All defined data types, attributes, functions are defined in the UML model. Once UML model is complete, the model currently captures architectural design of the specification. OAL (Object Action Language) is now embedded in states, transitions, operations (Instance or class based), ports, mathematically derived attributes, and functions to capture the specification behavior.
This input is fed into a model compiler which parses the UML model presented in XML format and constructs object instances of all elements in the UML design. The objects are traversed and mapped into a SAL model and theorems based on transformation rules [9] . SAL objects are also stored and linked to their UML counterparts. Once the SAL model is generated, SAL model checkers get launched to detect any violation against the generated theorems. Any generated counterexample is analyzed by the designer and fixed in UML model domain.
As shown in Figure 3 xtUML (eXecutable Translatable UML) implementation is initially done based on the software specification in BridgePoint xtUML IDE [19] . The xtUML model contains the de-facto UML standard diagrams and elements including but not limited to component(s), classes(s), state machine(s), transition(s), states, abstract object language to capture behavior within the model, data type(s), operation(s), attribute(s) etc.
The model also encapsulates the requirements labels to trace existing design elements to the original requirements in the software specification. Once the model is complete, a manual build command is triggered from the IDE which automatically triggers the model compiler. BridgePoint enables the creation of a custom model compiler that traverses all UML model elements and generates new model based on extendable implementation.
We have created a custom model compiler that generates SAL model from the xtUML model. The model compiler developed component compiles the xtUML model to generate a formal SAL model and theorems [9] [4] . Model checkers are manually executed to identify model violations. Examples of checkers include but are not limited to deadlock checker to detect any deadlock in the model. SMT/SAT checkers are manually triggered on the generated SAL model for each generated theorem. The execution reports any model violation (counter example). Any reported counter example can be analyzed by the designer to trigger xtUML model fix/refinement to address the generated counterexample.
Our UML model extensions -satisfiability conditions aim to address the techniques in Figure 2 .
• Variable satisfiability conditions (Upper and Lower limit): Generate theorems to cover boundary value analysis and equivalence classes
• State satisfiability conditions: capture conditions to ensure requirement compliance of variables in a given state in the state machine
• Transition satisfiability conditions: capture conditions to ensure requirement compliance of variables in a given transition in the state machine
A. SYMBOLIC ANALYSIS LABORATORY
SAL is a framework for combining different tools for abstraction, program analysis, theorem proving, and model checking toward the calculation of properties (symbolic analysis) of transition systems [9] . A key part of the SAL framework is an intermediate language for describing transition systems. This language is intended to serve as the target for translators that extract the transition system description for other modeling and programming languages, and as a common source for driving different analysis tools [9] .
SAL intermediate language is a basic transition system language. SAL describes transition systems in terms of initialization and transition commands [9] . The current generation of SAL tools contains a group of state of the art LTL based model checkers and auxiliary tools based on them.
SAL framework comes with a variety of existing tools that verifies transition based systems. The checkers include salsmc which is a BDD-based model checker for finite state systems. The checker confirms whether a specific theorem holds or not and asserts counterexamples showing how a theorem can be invalidated on a specific state machine. The model checker can do forward and backward search and prioritized traversal as well. The checker is for finite systems. Sal-deadlock-checker is a SAL auxiliary tool based on the SAL symbolic model checker to detect deadlock states. sal-bmc is a bounded model checker based on SAT (SAT-ISFIABILITY) solver for finite state systems. It generates counterexamples/assertions and detects bugs via refutation. It also can perform verification by k-induction. SAL can use several SAT solvers but defaults to Yices [21] . Sal-inf-bmc is an infinite bounded model checker for infinite state systems based on SMT solvers [9] . 
B. UML/SAL TRANSFORMATION RULES

VI. CASE STUDY: SEMI-FORMAL VERIFICATION OF AUTOSAR's WatchDog MANAGER DESIGN A. AUTOSAR
AUTOSAR is a worldwide development cooperation of car manufacturers, suppliers and other companies from the electronics, semiconductor and software industry. Since 2003 they have been working on the development and introduction of open, standardized software architecture for the automotive industry [20] . AUTOSAR specification relies on informal and semi-formal representation, namely UML, of systems which open the door for design errors due to ambiguity and clarity challenges of semiformal notations. Indeed, several iterations and releases of the specification were required to address a good number of such ambiguities. In the AUTOSAR Layered Software Architecture, WatchDog Manager belongs to the Services Layer. Figure 4 presents AUTOSAR Layered Architecture Diagram [20] and Figure 5 shows WatchDog Manager as part of the services layer.
B. AUTOSAR's WATCHDOG MANAGER
The Watchdog Manager is a basic software module at the service layer of the standardized basic software architecture of AUTOSAR. It is able to supervise the program execution abstracting from the triggering of hardware watchdog entities. The Watchdog Manager supervises the execution of socalled Supervised Entities [8] . When it detects a violation of the configured constraints on program execution, it takes a number of configurable actions to recover from this failure. Periodic Supervised Entities have constraints on the number of times they are executed within a given time span (Alive Supervision). Aperiodic Supervised Entities have individual constraints on the timing between two Checkpoints (Deadline Supervision). Logical supervision is for checking the correct execution of embedded system software. Logical supervision focuses on control flow errors, which cause a divergence from the valid (i.e. coded/compiled) program sequence during the error-free execution of the application. Depending on the Local Supervision Status of each Supervised Entity and on the Global Supervision Status, the Watchdog Manager initiates a number of mechanisms to recover from supervision VOLUME 5, 2017 FIGURE 6. Watchdog manager supervised entity local supervision state machine. failures. These range from local error recovery within the Supervised Entity to a global reset of the ECU. Figure 6 and Figure 7 show the local and global supervision state machines as captured in AUTOSAR's requirement specification document [8] . WatchDog Manager Module has two state machines, 9 states, and 26 transitions. We have evaluated the requirements in the WatchDog Manager module. A total of 186 requirements were identified. 146 requirements were testable which basically means that they are categorized as design level behavioral/functional checks, boundary limit checks or internal /external interfaces checks. 40 requirements were not testable as they were related to code file structure, header file structure, preprocessor code level requirements or configuration tool requirements.
Although our case study is based on AUTOSAR watchdog Manager. The proposed framework can be utilized to capture safety cases in UML [6] . The safety cases can be captured as satisfiability conditions in the model and used to generate model theorems via our proposed model compiler.
C. WATCHDOG MANAGER xtUML IMPLEMENTATION
Watchdog Manager was implemented in BridgePoint xtUML. The implementation was based on AUTOSAR's specifications which were based on UML and informal syntax. Watchdog Manager UML elements were created which encapsulates all behavior, variables and operations as described in AUTOSAR's watchdog Manager Software Specification [8] .
The created model included 6 user defined data types, 1 class, 2 state machines, and 12 operations exhibiting behavior using OAL. Figure 8 shows a partial snapshot of the created model where a Watchdog Manager component includes a Manager package which includes defined types and WdgM class which encapsulates class attributes, operations and state machines as documented in the AUTOSAR specification.
There are two defined state machines, one for the local supervision of each supervised entity and the other for the global supervision. State machine transitions are triggered via variable conditions specified in the specification. Variable updates are triggered via operations actions in the xtUML WatchDog Manager model. Figure 9 shows a snapshot of local supervision state machine diagram in BridgePoint.
BridgePoint captures the behavior as opposed to only the design elements. The states, transitions, operations contain action language that manipulates the behavior of the model based on the input triggers. This allows the model compiler to generate complete target models in different languages including embedded C, C++ or our developed SAL target model.
A UML WatchDog Manager component was defined in a UML package. The component contains WatchDog Manager Class which holds module attributes, operations and state machines as described in the AUTOSAR specification. The state, transitions, operations hold action statements that map to requirements. BridgePoint xtUML supports model behavior using OAL (Object Action Language).
Requirement WDGM205 in the watchdog manager specification describe preconditions needed to execute a state transition in the WatchDog manager local state machine. It basically mandates that a transition from WDGM_LOCAL_STATUS_FAILED to WDGM_LOCAL_ STATUS_OK should occur only when supervised entity alive supervision result is correct and the counter for failed supervision equals to 1 AND supervised entity deadline supervision results are correct AND supervised entity logical supervision results are correct. The SWS requirement is shown in Figure 10 .
The above described requirement, WDGM205 xtUML mapping is shown in Figure 11 where the WDGM_LOCAL_ STATUS_FAILED state contains action logic to trigger a transition event to WDGM_LOCAL_STATUS_OK based on requirement WDGM205 conditions. All action implementation driving transitions are labelled with their AUTOSAR requirement id for traceability. The transition label matches the requirement label and the generated theorem against this requirement is also assigned the same requirement Id. So, WDGM205 requirement is traced in the design and the theorem covering the requirement. OAL statements inside WDGM_LOCAL_STATUS_FAILED checks the results of alive supervision, deadline supervision, logical supervision for a supervised entity and checks the supervision reference cycle counter to decide to execute transition to WDGM_LOCAL_STATUS_OK or not.
D. WatchDog MANAGER xtUML MODEL SATISFIABILITY CONDITIONS
In addition to the WatchDog Manager complete implementation in xtUML. We have extended the xtUML model to capture satisfiability conditions on the state, transition, operations and variables. The Software specification requirements from AUTOSAR Software specification are mapped into satisfiability conditions in the UML design. Currently, the conditions are captured as descriptions on the UML element (State, transition, class operation, class attribute etc.). A description of two such requirements and their mapping to satisfiability conditions in the UML are described below.
These conditions map to the AUTOSAR requirements and serve as the baseline for formal theorem generation via the model compiler. Figure 12 shows state level conditions that need to be satisfied if the WatchDog Manager local supervision state machine is in state 'WDGM_LOCAL_STATUS_OK'. The Satisfiability condition maps to WDGM205 that was described and implemented in UML in previous section. This condition is captured in the xtUML model and triggers a generation of the following textual and LTL rule mapping when the model compiler is triggered: • (LTL): Figure 14 shows the AUTOSAR Watchdog Manager range constraint on variable WdgMFailedAliveSupervisionRefCycleTol as mandated in the specification. Figure 13 shows how the requirement is mapped in UML on the variable level. The constraint aims to govern the boundary conditions to validate that assigned values to this variable in the model cannot be outside boundaries set in the requirement. This condition is captured in the xtUML model and triggers a generation of the following textual and LTL rule mapping when the model compiler is triggered:
• (Textual) Globally, it is always true that failed alive supervision reference cycle tolerance is less or equal to 255 and greater than or equal to 0.
• LTL:
The next step would be to trigger the generation of the SAL model and the theorems from xtUML. It is worth noting that the generated SAL notation for attributes, states, events, configuration parameters utilize the same UML model names and is based on a 1-1 mapping of the UML elements as shown in section V-B. This allows the UML designer to traverse the generated counterexample path and directly understand the equivalent UML path that lead to a violation of the requirement.
1) DEADLOCK CHECKER
We triggered SAL deadlock checker on the WatchDog Manager design to detect if there is any deadlock state. Initially, the deadlock checker on the generated SAL model reported that the module does not contain any deadlock states. We introduced several bugs in several states of the Local Supervision state machine that cause deadlocks. We regenerated the model and reran the deadlock checker which reported deadlock state and all the variables states/values steps leading to that deadlock state. Figure 15 shows deadlock checker report of a set of conditions that lead up to a deadlock state in the watchdog manager state machine. The report basically shows that the design will enter deadlock state 'ST_WDGM_LOCAL_STATUS_EXPIRED' [8] given the specified attributes assignments in the Watchdog Manager module. The reported SAL counter example is based on used UML names for attributes which will allow the UML designer to directly check the set of conditions leading up to the deadlock state and fix this case in the original UML model. The assignment set of variables shown in Figure 15 will lead to a deadlock state.
2) BOUNDARY VALUE ANALYSIS
Several generated theorems were based on WatchDog Manager Boundary value parameters requirements. ISO 26262 test derivation guidelines highly recommend using analysis of boundary values to derive test cases for testing as shown in Figure 2 . The SAL model checker was utilized to validate the generated theorems. We introduced variable assignment violation in the UML model that were violating several boundary value conditions. An example based on requirement WDGM327 showing the UML violation and SAL model checker detection is detailed below. Figure 14 shows that AUTOAR specification mandates that 'WdgMFailedAliveSupervisionRefCycleTol' [8] should be assigned a value between 0-255. We added a defect in the model that increments this counter leading up to an overflow. Model Checker was able to detect the violation and generated a complete snapshot of all variables/state transitions that led to the requirement non-compliance. The same bug was uncovered during the testing stage of ASIL B compliant implementation that we are using as a reference in our comparison. Our framework was able to detect the violation at design level as opposed to testing level.
3) LOGIC AND REQUIREMENTS COMPLIANCE
ISO 26262 test derivation guidelines highly recommend using analysis of requirements to derive test cases for testing as shown in Figure 2 .
We introduced several errors in the UML design that violate functional requirements. Introduced errors were related to being in a state or executing a transition while the preconditions are not met, and exiting functions with invalid return values. The examples below show how these errors were easily detected by the model checkers in our proposed framework.
WDGM154 Figure 10 . Figure 16 shows a checker output reporting a violation against WDGM205. The requirement indicates that the state machine should be in state 'WDGM_LOCAL_STATUS_OK' when there are no alive supervision errors, deadline supervision errors and logical supervision errors. The model checker uncovered a sequence of steps (assignments) and state machine transitions that lead up to the state machine being in a different state given the specified conditions. Figure 16 shows partial reported counterexample path with variable assignment set of each step that lead up to the violation where the variable assignment set matches WDGM205 yet the state is not 'WDGM_LOCAL_STATUS_OK'.
We were able to detect logic and requirement noncompliance bugs in the design level via running SAL model checkers against our LTL generated theorems to detect model violation against the satisfiability conditions that is captured in our model. All requirement non-compliance defects that were previously detected on the testing/production level IV were detected via our framework on the design level. Our approach allows non-compliance to be detected on the design as opposed to the coding level in an automated way. The reported counterexamples are using the same UML notations and states allowing the UML designer to understand the faulty sequence and resolve the issue in UML domain. Counterexamples are additionally reported against the specification requirement Id ensuring traceability and ease of resolution via the application designer.
VII. CONCLUSION
In this paper, we showed how a UML finite state machine based model can be transformed to a formal transition model augmented with complex data types in SAL notation. The mapping is based on a 1-1 UML to SAL mapping. We showed how we were able to formally verify a semi-formal model via augmenting the UML model with satisfiability conditions. We have constructed theorems that represent specification requirements in UML. A model compiler was developed to map the UML model into SAL formal model and LTL based theorems automatically shielding the application designer from having to create a formal model. A SAL SMT solver was utilized so that a formal verification can be accomplished on the SAL model. We demonstrated how specification noncompliances was detected by the SMT solver through the asserted counterexamples. We have shown how our framework can detect requirement non-compliances as well as support tests of boundary conditions in an automated fashion. The application model engineer could fix the model viola-tions at a very early stage based on the formal verification of the semi-formal model using the proposed approach.
The validity of the mapping / SAL generation was established through the correct assertions that show violations of satisfiability conditions in the UML design. All introduced errors were properly detected and reported via the model checker.
The proposed approach makes emerging ISO 26262 standard ASIL C and D test case derivation and software unit design and implementation verification guidelines, namely, semi-formal and formal verification guidelines possible in an automated fashion. Our work also addresses one of AUTOSAR's major drives which is early design errors detection. Problems such as the complexity of the formal notations, theorem construction and checkers execution and analysis have been shielded via the use-case yet the benefits of using formal verification on a semi-formal notation are retained. As next steps, we initially plan to qualify the model compiler in accordance with ISO 26262 tool qualification guidelines to ensure the safety of the tool and the generated SAL intermediate language. We plan to do further case studies based on automotive applications and to test our framework against more complex state machines. We also plan to take our model compiler into another dimension where we generate AUTOSAR SWC XML based on the formally verified UML model. Additionally, we plan to generate AUTOSAR compliant embedded C code based on the formally verified model to ensure that generated code maps to the formally verified design.
GHADA BAHIG received the bachelor's and master's degrees from American University in Cairo, Egypt, where she is currently pursuing the Ph.D. degree in the safety of software development and the automatic verification of embedded software using formal methods. She is also a veteran Software Engineer with more than 20 years' experience. She was with Nortel Networks Canada for five years in the wireless Universal Telecommunication Networks Radio Node Controller. She was an Engineering Manager with Mentor for 12 years in the System Level Engineering Division, which is responsible for engaging Mentor with new technologies and markets. She was involved in driving products in modelbased code and test generation, and the implementation of first AUTOSAR BSW releases, helping with customer integrations of AUTOSAR. 
