Automatic Verification of Linear Controller Software

We consider the problem of verification of software implementations of linear time-invariant controllers. Commonly, different implementations use different representations of the controller’s state, for example due to optimizations in a third-party code generator. To accommodate this variation, we exploit input-output controller specification captured by the controller’s transfer function and show how to automatically verify correctness of C code controller implementations using a Frama-C/Why3/Z3 toolchain. Scalability of the approach is evaluated using randomly generated controller specifications of realistic size

Automatic Verification of Finite Precision Implementations of Linear Controllers

We consider the problem of verifying finite precision implementation of linear time-invariant controllers against mathematical specifications. A specification may have multiple correct implementations which are different from each other in controller state representation, but equivalent from a perspective of input-output behavior (e.g., due to optimization in a code generator). The implementations may use finite precision computations (e.g. floating-point arithmetic) which cause quantization (i.e., roundoff) errors. To address these challenges, we first extract a controller\u27s mathematical model from the implementation via symbolic execution and floating-point error analysis, and then check approximate input-output equivalence between the extracted model and the specification by similarity checking. We show how to automatically verify the correctness of floating-point controller implementation in C language using the combination of techniques such as symbolic execution and convex optimization problem solving. We demonstrate the scalability of our approach through evaluation with randomly generated controller specifications of realistic size

Automatic Verification Of Linear Controller Software

Many safety-critical cyber-physical systems have a software-based controller at their core. Since the system behavior relies on the operation of the controller, it is imperative to ensure the correctness of the controller to have a high assurance for such systems. Nowadays, controllers are developed in a model-based fashion. Controller models are designed, and their performances are analyzed first at the model level. Once the control design is complete, software implementation is automatically generated from the mathematical model of the controller by a code generator. To assure the correctness of the controller implementation, it is necessary to check that the code generation is correctly done. Commercial code generators are complex black-box software that are generally not formally verified. Subtle bugs have been found in commercially available code generators that consequently generate incorrect code. In the absence of verified code generators, it is desirable to verify instances of implementations against their original models. Such verification is desired to be performed from the input-output perspective because correct implementations may have different state representations to each other for several possible reasons (e.g., code generator\u27s choice of state representation, optimization used in code generator and code transformation). In this dissertation, we propose several methods to verify a given controller implementation against its given model from the input-output perspective. First of all, we propose a method to derive assertions from the controller model, and check if the assertions are invariant to the controller implementation via a proposed toolchain based on a popular deductive program verification framework. Moreover, we propose an alternative more scalable method that extracts a model from the controller implementation using the symbolic execution technique, and compare the extracted model to the original controller model using state-of-the-art constraint solvers. Lastly, we extend our latter method to correctly account for the rounding errors in the floating-point computation of the controller implementation. We demonstrate the scalability of our proposed approaches through evaluation with randomly generated controller specifications of realistic size

Formal Guaranties for Safety Critical Code Generation: the Case of Highly Variable Languages

Les fonctions de commande et de contrôle sont parmi les plus importantes des systèmes embarqués critiques utilisés dans des activités telles les transports, la santé ou la gestion de l’énergie. Leur impact potentiel sur la sûreté de fonctionnement fait de la vérification de leur correction l’un des points les plus critiques de leur développement. Cette vérification est usuellement effectuée en accord avec les normes de certification décrivant un ensemble d’objectifs à atteindre afin d’assurer un haut niveau de qualité du système et donc de prévenir l’apparition de défauts. Cette vérification du logiciel est traditionnellement basée sur de nombreux tests et des activitiés de relectures de code, toutefois les versions les plus récentes des standards de certification permettent l’utilisation de nouvelles approches de développement telles que l’ingénierie dirigée par les modèles et les méthodes formelles ainsi que l’utilisation d’outil pour assister les processus de développement. Les outils de génération automatique de code sont exploités dans la plupart des processus de développement de systèmes embarqués critiques afin d’éviter des erreurs de programmation liées à l’humain et pour assurer le respect des règles de production de code. Ces outils ayant pour vocation de remplacer les humains pour la production de code, des erreurs dans leur conception peuvent causer l’apparition d’erreurs dans le code généré. Il est donc nécessaire de vérifier que le niveau de qualité de l’outil est le même que celui du code produit en s’assurant que les objectifs spécifiées dans les normes de qualification sont couverts. Nos travaux visent à exploiter l’ingénierie dirigée par les modèles et les méthodes formelles pour développer ces outils et ainsi atteindre un niveau de qualité plus élevé que les approches traditionnelles. Les fonctions critiques de commande et de contrôle sont en grande partie conçues à l’aide de langages graphiques à flot de données. Ces langages sont utilisés pour modéliser des systèmes complexes à l’aide de blocs élémentaires groupés dans des librairies de blocs. Un bloc peut être un objet logiciel sophistiqué exposant une haute variabilité tant structurelle que sémantique. Cette variabilité est à la fois liée aux valeurs des paramètres du bloc ainsi qu’à son contexte d’utilisation. Dans notre travail, nous concentrons notre attention en premier lieu sur la spécification formelle de ces blocs ainsi que sur la vérification de ces spécifications. Nous avons évalué plusieurs approches et techniques dans le but d’assurer une spécification formelle, structurellement cohérente, vérifiable et réutilisable des blocs. Nous avons finalement conçu un langage basé sur l’ingénierie dirigées par les modèles dédié à cette tâche. Ce langage s’inspire des approches des lignes de produit logiciel afin d’assurer une gestion de la variabilité des blocs à la fois correcte et assurant un passage à l’échelle. Nous avons appliqué cette approche et la vérification associée sur quelques exemples choisis de blocs issus d’applications industrielles et l’avons validé sur des prototypes logiciels que nous avons développé. Les blocs sont les principaux éléments des langages d’entrée utilisés pour la génération automatique de logiciels de commande et de contrôle. Nous montrons comment les spécifications formelles de blocs peuvent être transformées en des annotations de code afin de simplifier et d’automatiser la vérification du code généré. Les annotations de code sont vérifiées par la suite à l’aide d’outils spécialisés d’analyse statique de code. En utilisant des observateur synchrones pour exprimer des exigences de haut niveau sur les modèles en entrée du générateur, nous montrons comment la spécification formelle de blocs peut être utilisée pour la génération d’annotations de code et par la suite pour la vérification automatique des exigences. Finalement, nous montrons dans quelle mesure les spécifications de blocs permettent de générer des données de qualification tel que des exigences, des tests ou des données de simulation utilisées pour la vérification et le développement de générateurs automatiques de code. ABSTRACT : Control and command softwares play a key role in safety-critical embedded systems used for human related activities such as transportation, healthcare or energy. Their impact on safety makes the assessment of their correctness the central point in their development activities. Such systems verification activities are usually conducted according to normative certification guidelines providing objectives to be reached in order to ensure development process reliability and thus prevent flaws. Verification activities usually relies on tests and proof reading of the software but recent versions of certification guidelines are taking into account the deployment of new development paradigms such as model-based development, and formal methods; or the use of tools in assistance of the development processes. Automatic code generators are used in most safety-critical embedded systems development in order to avoid human related software production errors and to ensure the respect of development quality standards. As these tools are supposed to replace humans in the software code production activities, errors in these tools may result in embedded software flaws. It is thus in turn mandatory to ensure the same level of correctness for the tool itself than for the expected produced code. Tools verification shall be done according to qualification guidelines. We advocate in our work the use of model-based development and formal methods for the development of these tools in order to reach a higher quality level. Critical control and command software are mostly designed using graphical dataflow languages. These languages are used to express complex systems relying on atomic operations embedded in blocks that are gathered in block libraries. Blocks may be sophisticated pieces of software with highly variable structure and semantics. This variability is dependent on the values of the block parameters and of the block's context of use. In our work, we focus on the formal specification and verification of such block based languages. We experimented various techniques in order to ensure a formal, sound, verifiable and usable specification for blocks. We developed a domain specific formal model-based language specifically tailored for the specification of structure and semantics of blocks. This specification language is inspired from software product line concepts in order to ensure a correct and scalable management of the blocks variability. We have applied this specification and verification approach on chosen block examples from common industrial use cases and we have validated it on tool prototypes. Blocks are the core elements of the input language of automatic code generators used for control and command systems development. We show how our blocks formal specification can be translated as code annotations in order to ease and automate the generated code verification. Code annotations are verified using specialised static code analysis tools. Relying on synchronous observers to express high level requirements at the input model level, we show how formal block specification can also be used for the translation of high level requirements as verifiable code annotations discharged using the same specialised tooling. We finally target the assistance of code generation tools qualification activities by arguing on the ability to automatically generate qualification data such as requirements, tests or simulation results for the verification and development of automatic code generators from the formal block specification

Perceived decision making factors in the use of traditional and alternative medicine for people living with HIV and AIDS

AIDS is one of the most destructive diseases humankind has ever faced and also brings with it profound social, economic and public health consequences, making it one of the most serious health and development challenges in the world today. Zimbabwe, situated in southeastern Africa, is not spared from the pandemic. It continues to be one of the Sub-SaharanAfrican countries mostly heavily impacted by the AIDS epidemic, with almost 1.2 million people infected and over 1.1 million orphans. It ranks, therefore, as fifth highest in the world in the impact HIV and AIDS has had on the country. The most effective response has been to introduce programmes to reduce the number of new infections. Recent research has demonstrated treatment as a preventative measure to be very effective. This approach involves targeting those who are infected so that they are not able to transmit the disease. The decision that has to be made by an infected person, however, is whether to look for traditional treatment, conventional treatment or a combination of the two. Herbal medicine use is becoming very common in many countries, especially in the developing world, where public health safety has become a concern. It has become common to use herbal medicine concomitantly with allopathic or conventional medicine. The present study focused on investigating perceptions leading to the choice of treatment with the traditional alternative medicines (TAM) as (a)/n alternative or compliment to the conventional or allopathic option. This is a qualitative study that explores and describes participant’s perceptions, beliefs, attitudes and feelings around the use of traditional medicine, within the context of the Integrative Behaviour Model (IBM). Data was collected from 20 people living with HIV and AIDS from urban and rural settings of different ethnicities (Shona and Shangani). The data analysis was informed by The Interpretive Phenomenological Analysis with the aid of NVivo (V.10), a computer-assisted Qualitative Data Analysis Software. As predicted by the IBM, both perceived individual and environmental factors were found to be key in influencing decision-making on the use of TAM by people living with HIV and AIDS. Although there were a number of incidents in which either individual or environmental factors were perceived as independently influencing the TAM-use decision-making process, there was a lot of mutual influence between the environment and the individual. Such mutual causation was abstracted as reciprocal determinism. The IMB model assumed a unidirectional causation in which the environment could affect the individual factors. While the present study identified and demonstrated these environmental effects on the individual, it also identified and presented a reverse causation in which the individual would also affect the environment with respect to motivation for TAM use. Individual factors were psychological properties that drove the individual to use TAM. Attitude, social influence and personal agency emerged as the three dimensions of individual factors. Attitudes helped in identification of orientations that located objects of thought on dimensions of judgment about the use of TAM. Social influence explained social pressure experienced and expected regarding the use of TAM. The study demonstrated the importance of both the descriptive and injunctive norm with participants indicating that they perceived important others to be using traditional medicine and that they felt perceived expectations from others to do the same and hence the motivation to comply. Personal agency pointed to the participants’ capacities to originate and direct actions for the purposes of TAM use. All these constructs were found to be very important as perceived determinants of the behavioral intentions of people living with HIV and AIDS to use traditional medicines. In experiential attitude, generally the respondents showed more perceived positive evaluations of pleasurable experiences in their use of traditional medicines. However, there were other outcome evaluations that seemed to be ambivalent and which appeared to cause a lot of tension. The comprehension of experiential attitude was found therefore found to be trichotomous rather than dichotomous as per the IBM. The effects of the instrumental attitude were revealed in the ratings of the extent to which the use of traditional medicine was perceived as useful or rewarding, with the study revealing high ratings of usefulness. It becomes clear, therefore, that for people living with HIV and AIDS social influence, perceived attitudes and personal agency are important decision-making factors in their use of traditional and alternative medicine. Efforts towards education, integration and behaviour change programmes should design messages targeting these behavioral determinants. Understanding of these perceived determinants is crucial to influencing policy as well as the adoption of health practices through education, marketing and other modes of health promotion