Generating Property-Directed Potential Invariants By Backward Analysis

This paper addresses the issue of lemma generation in a k-induction-based formal analysis of transition systems, in the linear real/integer arithmetic fragment. A backward analysis, powered by quantifier elimination, is used to output preimages of the negation of the proof objective, viewed as unauthorized states, or gray states. Two heuristics are proposed to take advantage of this source of information. First, a thorough exploration of the possible partitionings of the gray state space discovers new relations between state variables, representing potential invariants. Second, an inexact exploration regroups and over-approximates disjoint areas of the gray state space, also to discover new relations between state variables. k-induction is used to isolate the invariants and check if they strengthen the proof objective. These heuristics can be used on the first preimage of the backward exploration, and each time a new one is output, refining the information on the gray states. In our context of critical avionics embedded systems, we show that our approach is able to outperform other academic or commercial tools on examples of interest in our application field. The method is introduced and motivated through two main examples, one of which was provided by Rockwell Collins, in a collaborative formal verification framework.Comment: In Proceedings FTSCS 2012, arXiv:1212.657

Integrated formal verification of safety-critical software

This work presents a formal verification process based on the Systerel Smart Solver (S3) toolset for the development of safety-critical embedded software. In order to guarantee the correctness of the implementation of a set of textual requirements, the process integrates different verification techniques (inductive proof, bounded model checking, test case generation and equivalence proof) to handle different types of properties at their best capacities. It is aimed at the verification of properties at system, design, and code levels. To handle the floating-point arithmetic (FPA) in both the design and the code, an FPA library is designed and implemented in S3. This work is illustrated on an Automatic Rover Protection (ARP) system implemented on-board a robot. Focus is placed on the verification of safety and functional properties and on the equivalence proof between the design model and the generated code

Automated Fault Tolerance Augmentation in Model-Driven Engineering for CPS

Cyber-Physical Systems are usually subject to dependability requirements such as safety and reliability constraints. Over the last 50 years, a body of efficient fault-tolerance mechanisms has been devised to handle faults occurring at run-time. However, properly implementing those mechanisms is a time-consuming task that requires a great deal of know-how. In this paper, we propose a general framework which allows system designers to decouple functional and non-functional concerns, and express non- functional properties at design time using domain-specific languages. In the spirit of generative programming, functional models are then automatically “augmented” with dependability mechanisms. Importantly, the real-time behavior of the initial models in terms of sampling times and meeting deadlines is preserved. The practicality of the approach is demonstrated with the automated implementation of one prominent software fault-tolerance pattern, namely N-Version Programming, in the CPAL model-driven engineering workflow

Toward model-based engineering for space embedded systems and software

International audienceEmbedded systems development suffers from difficulties to reach cost, delay and safety requirements. The continuous increase of system complexity requires a corresponding increase in the capability of design fault-free systems. Model-based engineering aims to make complexity management easier with the construction of a virtual representation of systems enabling early prediction of behaviour and performance. In this context, Space industry has specific needs to deal with remote systems that can not be maintained on ground. In such systems, fault management includes complex detection, localisation and recovery automatic procedures that can not be performed without confidence on safety. In this way, only simulation and formal proofs can support the validation of all the possible configurations. Thus, formal description of both functional and non-functional properties with temporal logic formulae is expected to analyse and to early predict system characteristics at execution. This paper is based on various studies and experiences that are carried out in space domain on the support provided by model-based engineering in terms of: • support to needs capture and requirements analysis, • support to design, • support to early verification and validation, • down to automatic generation of code

Development of a Formal Verification Methodology for B Specifications using PERF formal toolkit. Application to safety requirements of railway systems.

The design of complex systems involves several design models supporting different analysis techniques for validation and verification purposes. These activities lead to the definition of heterogeneous modelling languages and analysis techniques. In this setting, meeting certification standards becomes a key issue in system engineering. Reducing heterogeneity due to the presence of different modelling languages can be addressed by providing an integrated framework in which involved modelling languages and techniques are formalised. In such a framework, checking global requirements fulfilment on heterogeneous models of a complex critical system becomes possible in many cases. The work presented in this thesis addresses the problem of integrated verification of system design models in the context of transportation systems, in particular railway systems. It has been achieved in context of the B-PERFect project of RATP (Parisian Public Transport Operator and Maintainer) aiming at applying formal verification using the PERF approach on the integrated safety-critical models of embedded software related to railway domain expressed in a single unifying modelling language: High Level Languge (HLL). We also discuss integrated verification at the system level. The proposed method for verification of safety-critical software is a bottom-up approach, starting from the source code to the high-level specification. This work addresses the particular case of the B method. It presents a certified translation of B formal models to HLL models. The proposed approach uses Isabelle/HOL as a unified logical framework to describe the formal semantics and to formalise the transformation relation between both modelling languages. The developed Isabelle/HOL models are proved in order to guarantee the correctness of our translation process. Moreover, we have also used weakbisimulation relation to check semantic preservation after transformations. In this thesis, we also present the implementation of the defined transformation syntactic rules as the B2HLL tool. Moreover, we show the model animation process we set up to validate the B2HLL translator tool with respect to the formalised transformation rules we defined in Isabelle/HOL. This approach helps us to validate definitions, lemmas and theorems of our formalised specifications. We have used the B2HLL tool to translate multiple B models, and we also show that when models are translated into this unified modelling language, HLL, it becomes possible to handle verification of properties expressed across different models

Dynamic model-based safety analysis: from state machines to temporal fault trees

Finite state transition models such as State Machines (SMs) have become a prevalent paradigm for the description of dynamic systems. Such models are well-suited to modelling the behaviour of complex systems, including in conditions of failure, and where the order in which failures and fault events occur can affect the overall outcome (e.g. total failure of the system). For the safety assessment though, the SM failure behavioural models need to be converted to analysis models like Generalised Stochastic Petri Nets (GSPNs), Markov Chains (MCs) or Fault Trees (FTs). This is particularly important if the transformed models are supported by safety analysis tools.This thesis, firstly, identifies a number of problems encountered in current safety analysis techniques based on SMs. One of the existing approaches consists of transforming the SMs to analysis-supported state-transition formalisms like GSPNs or MCs, which are very powerful in capturing the dynamic aspects and in the evaluation of safety measures. But in this approach, qualitative analysis is not encouraged; here the focus is primarily on probabilistic analysis. Qualitative analysis is particularly important when probabilistic data are not available (e.g., at early stages of design). In an alternative approach though, the generation of combinatorial, Boolean FTs has been applied to SM-based models. FTs are well-suited to qualitative analysis, but cannot capture the significance of the temporal order of events expressed by SMs. This makes the approach potentially error prone for the analysis of dynamic systems. In response, we propose a new SM-based safety analysis technique which converts SMs to Temporal Fault Trees (TFTs) using Pandora — a recent technique for introducing temporal logic to FTs. Pandora provides a set of temporal laws, which allow the significance of the SM temporal semantics to be preserved along the logical analysis, and thereby enabling a true qualitative analysis of a dynamic system. The thesis develops algorithms for conversion of SMs to TFTs. It also deals with the issue of scalability of the approach by proposing a form of compositional synthesis in which system large TFTs can be generated from individual component SMs using a process of composition. This has the dual benefits of allowing more accurate analysis of different sequences of faults, and also helping to reduce the cost of performing temporal analysis by producing smaller, more manageable TFTs via the compositionality.The thesis concludes that this approach can potentially address limitations of earlier work and thus help to improve the safety analysis of increasingly complex dynamic safety-critical systems

Safety Analysis Concept and Methodology for EDDI development (Initial Version)

Executive Summary:This deliverable describes the proposed safety analysis concept and accompanying methodology to be defined in the SESAME project. Three overarching challenges to the development of safe and secure multi-robot systems are identified — complexity, intelligence, and autonomy — and in each case, we review state-of-the-art techniques that can be used to address them and explain how we intend to integrate them as part of the key SESAME safety and security concept, the EDDI.The challenge of complexity is largely addressed by means of compositional model-based safety analysis techniques that can break down the complexity into more manageable parts. This applies both to scale — modelling systems hierarchically and embedding local failure logic at the component-level — and to tasks, where different safety-related tasks (including not just analysis but also requirements allocation and assurance case generation) can be handled by the same set of models. All of this can be combined with the existing DDI concept to create models — EDDIs — that store all of the necessary information to support a gamut of design-time safety processes.Against the challenge of intelligence, we propose a trio of techniques: SafeML and Uncertainty Wrappers for estimating the confidence of a given classification, which can be used as a form of reliability measure, and SMILE for explainability purposes. By enabling us to measure and explain the reliability of ML decision making, we can integrate ML behaviour as part of a wider system safety model, e.g. as one input into a fault tree or Bayesian network. In addition to providing valuable feedback during training, testing, and verification, this allows the EDDI to perform runtime safety monitoring of ML components.The EDDI itself is therefore our primary solution to the twin challenges of autonomy and openness. Using the ConSert approach as a foundation, EDDIs can be made to operate cooperatively as part of a distributed system, issuing and receiving guarantees on the basis of their internal executable safety models to collectively achieve tasks in a safe and secure manner. Finally, a simple methodology is defined to show how the relevant techniques can be applied as part of the EDDI concept throughout the safety development lifecycle