Requirement verification in simulation-based automation testing

The emergence of the Industrial Internet results in an increasing number of complicated temporal interdependencies between automation systems and the processes to be controlled. There is a need for verification methods that scale better than formal verification methods and which are more exact than testing. Simulation-based runtime verification is proposed as such a method, and an application of Metric temporal logic is presented as a contribution. The practical scalability of the proposed approach is validated against a production process designed by an industrial partner, resulting in the discovery of requirement violations.Comment: 4 pages, 2 figures. Added IEEE copyright notic

Bounded Verification with On-the-Fly Discrepancy Computation

Simulation-based verification algorithms can provide formal safety guarantees for nonlinear and hybrid systems. The previous algorithms rely on user provided model annotations called discrepancy function, which are crucial for computing reachtubes from simulations. In this paper, we eliminate this requirement by presenting an algorithm for computing piece-wise exponential discrepancy functions. The algorithm relies on computing local convergence or divergence rates of trajectories along a simulation using a coarse over-approximation of the reach set and bounding the maximal eigenvalue of the Jacobian over this over-approximation. The resulting discrepancy function preserves the soundness and the relative completeness of the verification algorithm. We also provide a coordinate transformation method to improve the local estimates for the convergence or divergence rates in practical examples. We extend the method to get the input-to-state discrepancy of nonlinear dynamical systems which can be used for compositional analysis. Our experiments show that the approach is effective in terms of running time for several benchmark problems, scales reasonably to larger dimensional systems, and compares favorably with respect to available tools for nonlinear models.Comment: 24 page

Controlling Concurrent Change - A Multiview Approach Toward Updatable Vehicle Automation Systems

The development of SAE Level 3+ vehicles [{SAE}, 2014] poses new challenges not only for the functional development, but also for design and development processes. Such systems consist of a growing number of interconnected functional, as well as hardware and software components, making safety design increasingly difficult. In order to cope with emergent behavior at the vehicle level, thorough systems engineering becomes a key requirement, which enables traceability between different design viewpoints. Ensuring traceability is a key factor towards an efficient validation and verification of such systems. Formal models can in turn assist in keeping track of how the different viewpoints relate to each other and how the interplay of components affects the overall system behavior. Based on experience from the project Controlling Concurrent Change, this paper presents an approach towards model-based integration and verification of a cause effect chain for a component-based vehicle automation system. It reasons on a cross-layer model of the resulting system, which covers necessary aspects of a design in individual architectural views, e.g. safety and timing. In the synthesis stage of integration, our approach is capable of inserting enforcement mechanisms into the design to ensure adherence to the model. We present a use case description for an environment perception system, starting with a functional architecture, which is the basis for componentization of the cause effect chain. By tying the vehicle architecture to the cross-layer integration model, we are able to map the reasoning done during verification to vehicle behavior

On Provably Correct Decision-Making for Automated Driving

The introduction of driving automation in road vehicles can potentially reduce road traffic crashes and significantly improve road safety. Automation in road vehicles also brings several other benefits such as the possibility to provide independent mobility for people who cannot and/or should not drive. Many different hardware and software components (e.g. sensing, decision-making, actuation, and control) interact to solve the autonomous driving task. Correctness of such automated driving systems is crucial as incorrect behaviour may have catastrophic consequences. Autonomous vehicles operate in complex and dynamic environments, which requires decision-making and planning at different levels. The aim of such decision-making components in these systems is to make safe decisions at all times. The challenge of safety verification of these systems is crucial for the commercial deployment of full autonomy in vehicles. Testing for safety is expensive, impractical, and can never guarantee the absence of errors. In contrast, formal methods, which are techniques that use rigorous mathematical models to build hardware and software systems can provide a mathematical proof of the correctness of the system. The focus of this thesis is to address some of the challenges in the safety verification of decision-making in automated driving systems. A central question here is how to establish formal verification as an efficient tool for automated driving software development.A key finding is the need for an integrated formal approach to prove correctness and to provide a complete safety argument. This thesis provides insights into how three different formal verification approaches, namely supervisory control theory, model checking, and deductive verification differ in their application to automated driving and identifies the challenges associated with each method. It identifies the need for the introduction of more rigour in the requirement refinement process and presents one possible solution by using a formal model-based safety analysis approach. To address challenges in the manual modelling process, a possible solution by automatically learning formal models directly from code is proposed

Requirement Validation for Embedded Systems in Automotive Industry Through Modeling

Requirement validation contributes significantly toward the success of software projects. Validating requirements is also essential to ensure the correctness of embedded systems in the auto industry. The auto industry emphasizes a lot on the verification of car designs and shapes. Invalid or erroneous requirements lead to inappropriate designs and degraded product quality. Considering the required expertise and time for requirement validation, significant attention is not devoted to verification and validation of requirements in the industry. Currently, the failure ratio of software projects is significantly higher and the key reason for that appears to be the inappropriate and invalidated requirements at the early stages in the projects. To that end, we propose a model-based approach that uses the existing V&V model. Through virtual prototyping, the proposed approach eliminates the need to validate the requirements after each stage of the project. Consequently, the model is validated after the design phase and the errors in requirements are detected at the earliest stage. In this research, we performed two different case studies for requirement validation in the auto industry by using a modeling-based approach and formal technique using Petri nets. A benefit of the proposed modeling-based approach is that the projects in the auto industry domain can be completed in less time due to effective requirements validation. Moreover, the modeling-based approach minimizes the development time, cost and increases productivity because the majority of the code is automatically generated using the approach

Model Checking Communicating Processes: Run Graphs, Graph Grammars, and MSO

The formal model of recursive communicating processes (RCPS) is important in practice but does not allows to derive decidability results for model checking questions easily. We focus a partial order representation of RCPS’s execution by graphs—so called run graphs, and suggest an underapproximative verification approach based on a bounded-treewidth requirement. This allows to directly derive positive decidability results for MSO model checking (seen as partial order logic on run graphs) based on a context-freeness argument for restricted classes run graph

Putting formal specifications under the magnifying glass: Model-based testing for validation

A software development process is effectively an abstract form of model transformation, starting from an end-user model of requirements, through to a system model for which code can be automatically generated. The success (or failure) of such a transformation depends substantially on obtaining a correct, well-formed initial model that captures user concerns. Model-based testing automates black box testing based on the model of the system under analysis. This paper proposes and evaluates a novel model-based testing technique that aims to reveal specification/requirement-related errors by generating test cases from a test model and exercising them on the design model. The case study outlined in the paper shows that a separate test model not only increases the level of objectivity of the requirements, but also supports the validation of the system under test through test case generation. The results obtained from the case study support the hypothesis that there may be discrepancies between the formal specification of the system modeled at developer end and the problem to be solved, and using solely formal verification methods may not be sufficient to reveal these. The approach presented in this paper aims at providing means to obtain greater confidence in the design model that is used as the basis for code generation

Time Properties Dedicated Transformation from UML-MARTE Activity to Time Petri Net

Critical Real-Time Embedded Systems (RTES) have strong requirement regarding system's reliability. UML and its pro- file MARTE are standardized modeling language that are getting widely accepted by industrial designers to cope with the development of complex RTES. Relying on Model-Driven Engineering (MDE), critical time properties' verification in UML-MARTE model at early phases of the system lifecycle becomes possible. However, many challenges still exist. A key challenge is to eliminate the gap between UML semi- formal semantics and fully formal executable semantics us- ing model transformation. The model transformation must ensure on the one hand the consistency between high-level user dedicated models and lower-level verification dedicated ones, and on the other hand that the subsequent verification is not too expensive and can be applied to real size industrial models. This paper presents an approach to translate UML- MARTE Activity Diagrams to Time Petri Net (TPN) with the aim of verifying efficiently time properties. This work is under the framework of the UML-MARTE Model Checker which is dedicated to verifying time properties (synchroniza- tion, schedulability, boundedness, WCET, etc.) in RTES. This contribution focuses on how to define the TPN formal semantics to avoid the core problem of state space explosion in model checking. The proposed method is validated using a representative case study. Experimental results are given that demonstrate the method's performance