8 research outputs found

    Formal Verification in the Loop to Enhance Verification of Safety-Critical Cyber-physical Systems

    Formal verification may play a central role in the development of safe controllers, such as those found in electric drives or (semi-)autonomous vehicles, whose complexity arises from the coexistence of mechanical and electrical subsystems with sophisticated electronic controllers that must implement high-level control policies according to different driving modes, while optimizing several objectives, such as safety first and foremost, efficiency, and performance among others. Model-driven development resorts to simulation to assess how well the various requirements and constraints are satisfied, but there is a growing awareness that more rigorous methods are needed to achieve the required levels of safety. This paper proposes a conceptual framework for the development of complex systems based on (i) higher-order logic specification, (ii) verification by theorem proving, and (iii) tight integration of verification with model-driven development and simulation. This framework addresses both digital and analog systems, as illustrated with some examples in different fields including implantable biomedical systems, autonomous vehicles, and electric valve actuation.

    Extending a user interface prototyping tool with automatic MISRA C code generation

    We are concerned with systems, particularly safety-critical systems, that involve interaction between users and devices, such as the user interface of medical devices. We therefore developed a MISRA C code generator for formal models expressed in the PVSio-web prototyping toolkit. PVSio-web allows developers to rapidly generate realistic interactive prototypes for verifying usability and safety requirements in human-machine interfaces. The visual appearance of the prototypes is based on a picture of a physical device, and the behaviour of the prototype is defined by an executable formal model. Our approach transforms the PVSio-web prototyping tool into a model-based engineering toolkit that, starting from a formally verified user interface design model, will produce MISRA C code that can be compiled and executed for a final product. An initial validation of our tool is presented for the data entry system of an actual medical device.

    Design patterns for models of interactive systems

    Building models of safety-critical interactive systems (in healthcare, transport, avionics and finance, to name but a few) as part of the design process is essential. It is also advised for non-safety-critical interactive systems if we want to be certain they will behave as intended in all circumstances. However, modelling interactive systems is also challenging. The levels of complexity in modern user interfaces and the wealth of interaction possibilities mean that modelling at a suitable level of abstraction is crucial to ensure our models remain reasonably sized, readable, and therefore usable. The decisions we make about how to abstract the system to retain enough detail to be able to reason about it without running into known modelling problems (state explosion, verbosity, unreadability) are complex, even for experienced modellers. We have identified a number of commonly seen problems in such models based on occurrences of common properties of interactive systems, and in order to help both experienced and novice modellers we propose model patterns as a solution to this.

    Animating user interface prototypes with formal models

    Integrated master's dissertation in Informatics Engineering.

    The User Interface (UI) provides the first impression of an interactive system and should, thus, be intuitive, in order to guide users effectively and efficiently in performing their tasks. User interface prototyping is a common activity in UI development, as it supports early exploration of the UI design by potential users. UI quality plays a crucial role in safety-critical contexts, where design errors can potentially lead to catastrophic events. Model-based analysis approaches aim to detect usability and performance issues early in the design process by leveraging formal analysis. They complement prototyping, which supports user involvement, but not an exhaustive analysis of the designs. The IVY Workbench emerges as a model-based analysis tool intended for non-expert usage. The tool was originally focused on supporting modelling and verification, but more recently an effort began to combine the formal model capabilities with UI mock-ups, to produce more interactive prototypes than traditional mock-up editors support. This work addresses the enhancement of the prototyping features of the IVY Workbench. The improvements of such features include the creation of a dynamic widget library that can vastly improve the quality of prototypes. Such a library, however, should be compatible with several mock-up editors to attract a broader design community. The results of this work include an analysis of alternative prototyping tools, identifying potential features that can enhance the IVY Workbench, the creation of a dynamic widget library that is compatible with several mock-up editors, and several improvements to IVY's prototyping plugin, including the addition of code exporting functionalities. Usability tests were conducted to validate the new features of the tool, with positive results. Two mobile applications were also created, allowing users to test prototypes on their mobile devices.

    The UI provides the first contact between a user and an interactive system. Thus, the UI should be able to guide the user in performing their tasks efficiently and effectively. Interface prototyping is a common activity in the UI development process, since it allows early exploration of a UI design with potential users. The UI plays a very relevant role in the context of safety-critical systems, where design flaws can lead to catastrophic events. Model-based analysis methodologies seek to detect potential usability and performance flaws in the early phases of the development process through formal analysis. These methodologies complement the prototyping process, which supports user involvement but does not offer an exhaustive analysis of the design. The IVY Workbench emerges as a model-based analysis tool that aims to support users without extensive knowledge of formal analysis. Although originally focused on modelling and verification, an effort recently arose to combine the capabilities of formal analysis with UI mock-ups. The goal is to produce prototypes with a higher level of interaction than those produced by traditional mock-up editors. The present work presents improvements to the prototyping capabilities of the IVY Workbench tool. These improvements include the creation of a dynamic widget library, which improves the quality of this tool's prototypes. This library should be compatible with multiple mock-up editors, in order to attract a broad community of designers. The results of this work include an analysis of alternative prototyping tools, identifying features that can enhance the IVY Workbench; the creation of a dynamic widget library compatible with numerous mock-up editors; and several improvements made to the tool's prototyping plugin, including the addition of source code export features. Usability tests were conducted with users to validate the new features of the tool, with positive results. Finally, two mobile applications were created that allow users to test the prototypes on their mobile devices.

    Automated Validation of State-Based Client-Centric Isolation with TLA+

    Clear consistency guarantees on data are paramount for the design and implementation of distributed systems. When implementing distributed applications, developers require approaches to verify the data consistency guarantees of an implementation choice. Crooks et al. define a state-based and client-centric model of database isolation. This paper formalizes this state-based model in TLA+, reproduces their examples and shows how to model check runtime traces and algorithms with this formalization. The formalized model in TLA+ enables semi-automatic model checking for different implementation alternatives for transactional operations and allows checking of conformance to isolation levels. We reproduce examples of the original paper and confirm the isolation guarantees of the combination of the well-known 2-phase locking and 2-phase commit algorithms. Using model checking, this formalization can also help find bugs in incorrect specifications. This improves the feasibility of automated checking of isolation guarantees in synthesized synchronization implementations and provides an environment for experimenting with new designs.

    Model-Based Usability Analysis of Safety-Critical Systems: A Formal Methods Framework

    Complex, safety-critical systems are designed with a broad range of automated and configurable components, and usability problems often emerge for the end user during setup, operation, and troubleshooting procedures. Usability evaluations should consider the entire human-device interface including displays, controls, hardware configurations, and user documentation/procedures. To support the analyst, human factors researchers have developed a set of methods and measures for evaluating human-system interface usability, while formal methods researchers have developed a set of model-based technologies that enable mathematical verification of desired system behaviors. At the intersection of these disciplines, an evolving set of model-based frameworks enable highly automated verification of usability early in the design cycle. Models can be abstracted to enable broad coverage of possible problems, while measures can be formally verified to "prove" that the system is usable. Currently, frameworks cover a subset of the target system and user behaviors that must be modeled to ensure usability: procedures, visual displays, user controls, automation, and possible interactions among them. Similarly, verification methodologies focus on a subset of potential usability problems with respect to modeled interactions. This work provides an integrated formal methods framework enabling the holistic modeling and verification of safety-critical system usability. Building toward the framework, a set of five, novel approaches extend the capabilities of extant frameworks in different ways. Each approach is demonstrated in a medical device case study to show how the methods can be employed to identify potential usability problems in existing systems. A formal approach to documentation navigation models an end user navigating through a printed or electronic document and verifies page reachability. 
    A formal approach to procedures in documentation models an end user executing steps as written and aids in identifying problems involving which device components are identified in task descriptions, which system configurations are addressed, and which temporal orderings of procedural steps could be improved. A formal approach to hardware configurability models end-user motor capabilities, relationships among the user and device components in the spatial environment, and opportunities for the user to physically manipulate components. An encoding tool facilitates the modeling process, while a verification methodology aids in ensuring that configurable hardware supports correct end-user actions and prevents incorrect ones. A formal approach to interface understandability models what information is provided to the end user through visual, audible, and haptic sensory channels, including explanations provided in accompanying documentation. An encoding tool facilitates the development of models and specifications, while the verification methodology aids in ensuring that what is displayed on the device is consistent and, if needed, that an explanation of what is displayed is provided in documentation. A formal approach to controlled actuators leverages an existing modeling technique and data collected from other engineering activities to model actuator dynamics mapping to referent data. An encoding tool facilitates model development, and a verification methodology aids in validating the model with respect to source data. Finally, the new methodologies are combined within the integrated framework. A model architecture supports the analyst in representing a broad range of interactions among constituent framework models, and a set of ten specifications is developed to enable holistic usability verification. An implementation of the framework is demonstrated within a case study based on a medical device under development. This application shows how the framework could be utilized early in the design of a safety-critical system, without the need for a fully implemented device or a team of human evaluators.

    Ph.D., Biomedical Science -- Drexel University, 201

    Combining PVSio with Stateflow

    An approach to integrating PVS executable specifications and Stateflow models is presented that uses web services to enable a seamless exchange of simulation events and data between PVS and Stateflow. Thus, it allows the wide range of applications developed in Stateflow to benefit from the rigor of PVS verification. The effectiveness of the approach is demonstrated on a medical device prototype, which consists of a user interface developed in PVS and a software controller implemented in Stateflow. Simulation on the prototype shows that the simulation data produced is exchanged smoothly between PVSio and Stateflow.