HyPLC: Hybrid Programmable Logic Controller Program Translation for Verification

Programmable Logic Controllers (PLCs) provide a prominent choice of implementation platform for safety-critical industrial control systems. Formal verification provides ways of establishing correctness guarantees, which can be quite important for such safety-critical applications. But since PLC code does not include an analytic model of the system plant, their verification is limited to discrete properties. In this paper, we, thus, start the other way around with hybrid programs that include continuous plant models in addition to discrete control algorithms. Even deep correctness properties of hybrid programs can be formally verified in the theorem prover KeYmaera X that implements differential dynamic logic, dL, for hybrid programs. After verifying the hybrid program, we now present an approach for translating hybrid programs into PLC code. The new tool, HyPLC, implements this translation of discrete control code of verified hybrid program models to PLC controller code and, vice versa, the translation of existing PLC code into the discrete control actions for a hybrid program given an additional input of the continuous dynamics of the system to be verified. This approach allows for the generation of real controller code while preserving, by compilation, the correctness of a valid and verified hybrid program. PLCs are common cyber-physical interfaces for safety-critical industrial control applications, and HyPLC serves as a pragmatic tool for bridging formal verification of complex cyber-physical systems at the algorithmic level of hybrid programs with the execution layer of concrete PLC implementations.Comment: 13 pages, 9 figures. ICCPS 201

Extending Hybrid CSP with Probability and Stochasticity

Probabilistic and stochastic behavior are omnipresent in computer controlled systems, in particular, so-called safety-critical hybrid systems, because of fundamental properties of nature, uncertain environments, or simplifications to overcome complexity. Tightly intertwining discrete, continuous and stochastic dynamics complicates modelling, analysis and verification of stochastic hybrid systems (SHSs). In the literature, this issue has been extensively investigated, but unfortunately it still remains challenging as no promising general solutions are available yet. In this paper, we give our effort by proposing a general compositional approach for modelling and verification of SHSs. First, we extend Hybrid CSP (HCSP), a very expressive and process algebra-like formal modeling language for hybrid systems, by introducing probability and stochasticity to model SHSs, which is called stochastic HCSP (SHCSP). To this end, ordinary differential equations (ODEs) are generalized by stochastic differential equations (SDEs) and non-deterministic choice is replaced by probabilistic choice. Then, we extend Hybrid Hoare Logic (HHL) to specify and reason about SHCSP processes. We demonstrate our approach by an example from real-world.Comment: The conference version of this paper is accepted by SETTA 201

Formalization and Validation of Safety-Critical Requirements

The validation of requirements is a fundamental step in the development process of safety-critical systems. In safety critical applications such as aerospace, avionics and railways, the use of formal methods is of paramount importance both for requirements and for design validation. Nevertheless, while for the verification of the design, many formal techniques have been conceived and applied, the research on formal methods for requirements validation is not yet mature. The main obstacles are that, on the one hand, the correctness of requirements is not formally defined; on the other hand that the formalization and the validation of the requirements usually demands a strong involvement of domain experts. We report on a methodology and a series of techniques that we developed for the formalization and validation of high-level requirements for safety-critical applications. The main ingredients are a very expressive formal language and automatic satisfiability procedures. The language combines first-order, temporal, and hybrid logic. The satisfiability procedures are based on model checking and satisfiability modulo theory. We applied this technology within an industrial project to the validation of railways requirements

Proceedings of the Sixth NASA Langley Formal Methods (LFM) Workshop

Today's verification techniques are hard-pressed to scale with the ever-increasing complexity of safety critical systems. Within the field of aeronautics alone, we find the need for verification of algorithms for separation assurance, air traffic control, auto-pilot, Unmanned Aerial Vehicles (UAVs), adaptive avionics, automated decision authority, and much more. Recent advances in formal methods have made verifying more of these problems realistic. Thus we need to continually re-assess what we can solve now and identify the next barriers to overcome. Only through an exchange of ideas between theoreticians and practitioners from academia to industry can we extend formal methods for the verification of ever more challenging problem domains. This volume contains the extended abstracts of the talks presented at LFM 2008: The Sixth NASA Langley Formal Methods Workshop held on April 30 - May 2, 2008 in Newport News, Virginia, USA. The topics of interest that were listed in the call for abstracts were: advances in formal verification techniques; formal models of distributed computing; planning and scheduling; automated air traffic management; fault tolerance; hybrid systems/hybrid automata; embedded systems; safety critical applications; safety cases; accident/safety analysis

Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) How to Prove Complex Properties of Hybrid Systems with KeYmaera: A Tutorial

The date of receipt and acceptance will be inserted by the editor Abstract. This paper is a tutorial on how to model and prove complex properties of complex hybrid systems in KeYmaera, an automatic and interactive formal verification tool for hybrid systems implementing differential dynamic logic. Hybrid systems can model highly nontrivial controllers of physical plants, whose behaviors are often safety critical such as trains, cars, airplanes, or medical devices. Formal methods can help design systems that work correctly. This paper illustrates how KeYmaera can be used to systematically model, validate, and verify hybrid systems. We develop tutorial examples that illustrate challenges arising in many realworld systems. In the context of this tutorial, we identify the impact that modeling decisions have on the suitability of the model for verification purposes. We show how the interactive features of KeYmaera can help users understand their system designs better and prove complex properties for which the automatic prover of KeYmaera still takes an impractical amount of time. We hope this paper is a helpful resource for designers of embedded and cyber-physical systems and that it illustrates how to master common practical challenges in hybrid systems verification.

A Formal Methodology for Engineering Heterogeneous Railway Signalling Systems

Ph. D. Thesis.Over the last few decades, the safety assurance of cyber-physical systems has become one of the biggest challenges in the field of model-based system engineering. The challenge arises from an immense complexity of cyber-physical systems which have deeply intertwined physical, software and network system aspects. With significant improvements in a wireless communication and microprocessor technologies, the railway domain has become one of the frontiers for deploying cyber-physical signalling systems. However, because of the safety-critical nature of railway signalling systems, the highest level of safety assurance is essential. This study attempts to address the challenge of guaranteeing the safety of cyber-physical railway signalling systems by proposing a development methodology based on formal methods. In particular, this study is concerned with the safety assurance of heterogeneous cyber-physical railway signalling systems, which have emerged by gradually replacing outdated signalling systems and integrating mainline with urban signalling systems. The main contribution of this work is a formal development methodology of railway signalling systems. The methodology is based on the Event-B modelling language, which provides an expressive modelling language, a stepwise model development and a proof-based model verification. At the core of the methodology is a generic communication-based railway signalling Event-B model, which can be further refined to capture specific heterogeneous or homogeneous railway signalling configurations. In order to make signalling modelling more systematic we developed communication and hybrid railway signalling modelling patterns. The proposed methodology and modelling patterns have been evaluated on two case studies. The evaluation shows that the methodology does provide a system-level railway signalling modelling and verification method. This is crucial for verifying the safety of cyber-physical systems, as safety is dependent on interactions between different subsystems. However, the study has also shown that automatic formal verification of hybrid systems is still a major challenge and must be addressed in the future work in order to make this methodology more practical.(EPSRC and Siemens Rail Automation

Accelerating cerification of cyber-physical systems using symmetry

Autonomous systems are increasingly being deployed in safety-critical applications such as transportation and medicine. Numerous approaches to analyze their safety have been considered including testing, falsification, and formal verification. The major challenge for all of these approaches is scalability to large and complex models. To address this challenge, we propose to use the symmetry naturally present in the dynamics of many of these systems. Reachability-based safety analysis simulates the dynamical models of the autonomous systems, such as differential equations or hybrid automata, and checks if any of their reachable states is unsafe. Symmetries in dynamical systems are maps that transform any of their trajectories to other trajectories. In this thesis, we show how to use known symmetries of autonomous systems to cache their reachable states and abstract their dynamical models to accelerate their safety analysis. The main contributions of this thesis are as follows: 1. Augmenting a state-of-the-art data-driven safety verification algorithm with a cache to reuse computed sets of reachable states. The proposed algorithm uses symmetries of the model under verification to increase the cache hit rate. 2. Augmenting traditional hybrid automata safety verification algorithms with a cache to reuse computed sets of reachable states. The proposed algorithm uses symmetries to share computed reachable sets between different modes and automata being verified. 3. Abstracting hybrid automata by combining modes with symmetric dynamics in the same abstract modes. 4. Designing a symmetry-based counter-example guided abstraction-refinement (CEGAR) algorithm for hybrid automata with symmetric continuous dynamics to accelerate their safety verification. 5. Finally, designing an efficient testing algorithm for autonomous systems that uses a cache to share symmetric trajectories among the test cases of a test suite, avoiding repetition of high-fidelity simulations. The algorithmic contributions of this thesis come with theoretical guarantees that ensure their soundness and completeness. The algorithms presented build on top of state-of-the-art reachability analysis and verification algorithms. They accelerate their computations, without affecting their soundness and completeness guarantees. Finally, we present software implementations and empirical analyses of the different algorithms presented, showing up to orders of magnitude speedup in verification and testing time of different dynamical models including a car, fixed-wing aircraft, a neural network-controlled quadrotor, and a Gazebo-based Hector quadrotor

Automatic Verification of Wireless Control in a Mining Ventilation System

International audienceWe address a wireless networked control problem for a mine ventilation system. Ventilation control is essential for the control of the operation of a mine for safety and energy optimization. The main control objective is to guarantee safety of the closed loop system. This test-case is simple enough to be computationally tractable, and yet it exposes the main difficulties encountered when using wireless networked systems for safety-critical applications. The focus of this paper is the formal verification of the operation of a closed loop control system for the so called secondary ventilation system that ensures air flow in the chambers of the mine where extraction takes place. The secondary ventilation system is modeled conservatively in the sense that if the formal verification process provides a positive answer then the system is guaranteed to work correctly while the converse is not necessarily true. For control, we use a simple threshold scheme. The overall closed-loop system is described by a hybrid model that takes into account the effects of time-delay, transmission errors and allows the precise formulation of the safety constraints. To ensure that the formal verification process is computationally tractable, we reason in the framework of temporal logics, and apply abstraction techniques and model checking tools that we developed previously