From Verified Models to Verifiable Code

Declarative specifications of digital systems often contain parts that can be automatically translated into executable code. Automated code generation may reduce or eliminate the kinds of errors typically introduced through manual code writing. For this approach to be effective, the generated code should be reasonably efficient and, more importantly, verifiable. This paper presents a prototype code generator for the Prototype Verification System (PVS) that translates a subset of PVS functional specifications into an intermediate language and subsequently to multiple target programming languages. Several case studies are presented to illustrate the tool's functionality. The generated code can be analyzed by software verification tools such as verification condition generators, static analyzers, and software model-checkers to increase the confidence that the generated code is correct

Linear Parametric Model Checking of Timed Automata

We present an extension of the model checker Uppaal capable of synthesizing linear parameter constraints for the correctness ofparametric timed automata. The symbolic representation of the (parametric) state-space is shown to be correct. A second contribution of thispaper is the identification of a subclass of parametric timed automata(L/U automata), for which the emptiness problem is decidable, contraryto the full class where it is know to be undecidable. Also we present anumber of lemmas enabling the verification effort to be reduced for L/Uautomata in some cases. We illustrate our approach by deriving linearparameter constraints for a number of well-known case studies from theliterature (exhibiting a flaw in a published paper)

Model checking timed safety instrumented systems

Defects in safety-critical software systems can cause large economical and other losses. Often these systems are far too complex to be tested extensively. In this work a formal verification technique called model checking is utilized. In the technique, a mathematical model is created that captures the essential behaviour of the system. The specifications of the system are stated in some formal language, usually temporal logic. The behaviour of the model can then be checked exhaustively against a given specification. This report studies the Falcon arc protection system engineered by UTU Oy, which is controlled by a single programmable logic controller (PLC). Two separate models of the arc protection system are created. Both models consist of a network of timed automata. In the first model, the controller operates in discrete time steps at a specific rate. In the second model, the controller operates at varying frequency in continuous time. Five system specifications were formulated in timed computation tree logic (TCTL). Using the model checking tool Uppaal both models were verified against all five specifications. The processing times of the verification are measured and presented. The discrete-time model has to be abstracted a lot before it can be verified in a reasonable time. The continuous-time model, however, covered more behaviour than the system to be modelled, and could still be verified in a moderate time period. In that sense, the continuous-time model is better than the discrete-time model. The main contributions of this report are the model checking of a safety instrumented system controlled by a PLC, and the techniques used to describe various TCTL specifications in Uppaal. The conclusion of the work is that model checking of timed systems can be used in the verification of safety instrumented systems

Formal modelling and analysis of broadcasting embedded control systems

PhD ThesisEmbedded systems are real-time, communicating systems, and the effective modelling and analysis of these aspects of their behaviour is regarded as essential for acquiring confidence in their correct operation. In practice, it is important to minimise the burden of model construction and to automate the analysis, if possible. Among the most promising techniques for real-time systems are reachability analysis and model-checking of networks of timed automata. We identify two obstacles to the application of these techniques to a large class of distributed embedded systems: firstly, the language of timed automata is too low-level for straightforward model construction, and secondly, the synchronous, handshake communication mechanism of the timed automata model does not fit well with the asynchronous, broadcast mechanism employed in many distributed embedded systems. As a result, the task of model construction can be unduly onerous. This dissertation proposes an expressive language for the construction of models of real-time, broadcasting control systems, and demonstrates how effi- cient analysis techniques can be applied to them. The dissertation is concerned in particular with the Controller Area Network (CAN) protocol which is emerging as a de facto standard in the automotive industry. An abstract formal model of CAN is developed. This model is adopted as the communication primitive in a new language, bCANDLE, which includes value passing, broadcast communication, message priorities and explicit time. A high-level language, CANDLE, is introduced and its semantics defined by translation to bCANDLE. We show how realistic CAN systems can be described in CANDLE and how a timed transition model of a system can be extracted for analysis. Finally, it is shown how efficient methods of analysis, such as 'on-the- fly' and symbolic techniques, can be applied to these models. The dissertation contributes to the practical application of formal methods within the domain of broadcasting, embedded control systemsSchool of Computing and Mathematics at the University of Northumbri