
    Formal Specification and Verification for Automated Production Systems

    Complex industrial control software often drives safety- and mission-critical systems, like automated production plants or control units embedded into devices in automotive systems. Such controllers have in common that they are reactive systems, i.e., they periodically read sensor stimuli and cyclically execute the same program to produce actuator signals. The correctness of software for automated production is rarely verified using formal techniques, even though, with the Industrial Revolution 4.0 (IR4.0), software has taken on an important role in industrial automation. What is used instead in industrial practice today is testing and simulation, where individual test cases are used to validate an automated production system. Three reasons why formal methods are not popular are: (a) it is difficult to adequately formulate the desired temporal properties; (b) there is a lack of specification languages for reactive systems that are both sufficiently expressive and comprehensible for practitioners; (c) due to the lack of an environment model, the obtained results are imprecise. Nonetheless, formal methods for automated production systems are well studied academically, mainly on the verification of safety properties via model checking. In this doctoral thesis we present the concept of (1) generalized test tables (GTTs), a new specification language for functional properties, and their extension, (2) relational test tables (RTTs), for relational properties. The concept includes the syntactical notion, designed for the intuition of engineers, and the semantics, which are based on game theory. We use RTTs for a novel confidentiality property on reactive systems, the provable forgetting of information. Moreover, for regression verification, an important relational property, we are able to achieve performance improvements by (3) creating a decomposition rule which splits large proofs into small sub-tasks. We implemented the verification procedures and evaluated them against realistic case studies, e.g., the Pick-and-Place-Unit from the Technical University of Munich. The presented contribution follows the idea of lowering the obstacle of verifying the dependability of reactive systems in general, and automated production systems in particular, for the engineer, either by introducing a new specification language (GTTs), by exploiting existing programs for the specification (RTTs, regression verification), or by improving the verification performance.

    Generic Expression in B of the Influence/Reaction Model: Specifying and Verifying Situated Multi-Agent Systems

    This paper addresses the formal specification and verification of situated multi-agent systems that can be formulated within the influence-reaction model as proposed in 1996 by Ferber & Muller. In this framework our objective is to prove the correctness of reactive multi-agent systems with respect to a certain formal specification or property, using formal methods. This is an important step to bring multi-agent systems to the high quality standards required for critical applications encountered in domains such as transport systems. A generic B writing of systems instantiating the influence-reaction model is proposed, using patterns of specification. An illustration is then presented on the formal specification of a system operating electrical vehicles under precise automatic control at close spacings to form a platoon. The paper ends with considerations about further improvements of the framework, involving simulation and study of the properties of the system.

    Specifying in B the Influence/Reaction Model to Study Situated MAS: Application to vehicles platooning

    This paper addresses the formal specification and verification of situated Multi-Agent Systems (MAS) that can be formulated within the Influence/Reaction model as proposed in 1996 by Ferber & Muller. In this model, our objective is to prove the correctness of reactive MAS with respect to a certain formal specification or property, using formal methods. This is an important step to bring MAS to the high quality standards required for critical applications encountered in domains such as transport systems. A generic B representation of systems instantiating the Influence/Reaction model is proposed, using patterns of specification. We illustrate our approach with a MAS to control unmanned land vehicles to form a platoon. The paper ends with considerations about further improvements of the framework, involving simulation and study of the properties of the system.

    Compositional Reactive Synthesis for Multi-Agent Systems

    With the growing complexity of systems and of the guarantees they are required to provide, the need for automated and formal design approaches that can guarantee the safety and correctness of the designed system is becoming more evident. To this end, an ambitious goal in system design and control is to automatically synthesize the system from a high-level specification given in a formal language such as linear temporal logic. The goal of this dissertation is to investigate and develop the necessary tools and methods for automated synthesis of controllers from high-level specifications for multi-agent systems. We consider systems where a set of controlled agents react to their environment, which includes other uncontrolled, dynamic and potentially adversarial agents. We are particularly interested in studying how the existing structure in systems can be exploited to achieve more efficient synthesis algorithms through compositional reasoning. We explore three different frameworks for compositional synthesis of controllers for multi-agent systems. In the first framework, we decompose the global specification into local ones, then refine the local specifications until they become realizable, and show that under certain conditions the strategies synthesized for the local specifications guarantee the satisfaction of the global specification. In the second framework, we show how parametric and reactive controllers can be specified and synthesized, and how they can be automatically composed to enforce a high-level objective. Finally, in the third framework, we focus on a special but practically useful class of multi-agent systems, and show how, by taking advantage of the structure in the system and its objective, we can achieve significantly better scalability and solve problems where the centralized synthesis algorithm is infeasible.

    Animation and formal verification of real-time reactive systems in an object-oriented environment

    Real-time reactive systems are characterized by their continuous interaction with their environment through stimulus-response behavior. The safety-critical nature of their domain and their inherent complexity advocate the use of formal methods in the software development process. The TROMLAB development environment supports a process model adequate for dealing with the complexity of reactive systems. The foundation of the TROMLAB environment is the Timed Reactive Object Model (TROM), which combines object-oriented and real-time technologies. Simulation is essential in the behavioral analysis of real-time reactive systems; animation allows a visualization of the simulation process. A rigorous trace analysis of simulation scenarios provides insight into the behavior of the collaborating entities in the configuration. This supports validation of systems designed incrementally and iteratively in the software development life-cycle. Moreover, safety-critical systems need to be verified for adherence to stringent safety and liveness properties. The scope of this thesis is two-fold. We first present an animation tool supporting simulation of reactive systems described in the TROM formalism. We include formal specifications of the functionalities of the simulator in the VDM specification language. We then introduce a methodology for formal verification of TROM subsystems. The novelty of the methodology lies in the formal verification approach embedded within an object-oriented framework. The simulator and the verification methodology conform respectively to the operational and logical semantics of TROMs.

    Synthesizing Adaptive Test Strategies from Temporal Logic Specifications

    Constructing good test cases is difficult and time-consuming, especially if the system under test is still under development and its exact behavior is not yet fixed. We propose a new approach to compute test strategies for reactive systems from a given temporal logic specification using formal methods. The computed strategies are guaranteed to reveal certain simple faults in every realization of the specification and for every behavior of the uncontrollable part of the system's environment. The proposed approach supports different assumptions on occurrences of faults (ranging from a single transient fault to a persistent fault) and by default aims at unveiling the weakest one. Based on well-established hypotheses from fault-based testing, we argue that such tests are also sensitive to more complex bugs. Since the specification may not define the system behavior completely, we use reactive synthesis algorithms with partial information. The computed strategies are adaptive test strategies that react to behavior at runtime. We work out the underlying theory of adaptive test strategy synthesis and present experiments for a safety-critical component of a real-world satellite system. We demonstrate that our approach can be applied to industrial specifications and that the synthesized test strategies are capable of detecting bugs that are hard to detect with random testing.

    CoFI: The Common Framework Initiative for Algebraic Specification and Development

    An open collaborative effort has been initiated to design a common framework for algebraic specification and development of software. The rationale behind this initiative is that the lack of such a common framework greatly hinders the dissemination and application of research results in algebraic specification. In particular, the proliferation of specification languages, some differing in only quite minor ways from each other, is a considerable obstacle for the use of algebraic methods in industrial contexts, making it difficult to exploit standard examples, case studies and training material. A common framework with widespread acceptance throughout the research community is urgently needed. The aim is to base the common framework as much as possible on a critical selection of features that have already been explored in various contexts. The common framework will provide a family of specification languages at different levels: a central, reasonably expressive language, called CASL, for specifying (requirements, design, and architecture of) conventional software; restrictions of CASL to simpler languages, for use primarily in connection with prototyping and verification tools; and extensions of CASL, oriented towards particular programming paradigms, such as reactive systems and object-based systems. It should also be possible to embed many existing algebraic specification languages in members of the CASL family. A tentative design for CASL has already been proposed. Task groups are studying its formal semantics, tool support, methodology, and other aspects, in preparation for the finalization of the design.

    Efficient CTL Verification via Horn Constraints Solving

    The use of temporal logics has long been recognised as a fundamental approach to the formal specification and verification of reactive systems. In this paper, we take on the problem of automatically verifying a temporal property, given by a CTL formula, for a given (possibly infinite-state) program. We propose a method based on encoding the problem as a set of Horn constraints. The method takes as input a program, modeled as a transition system, and a property given by a CTL formula. It first generates a set of forall-exists quantified Horn constraints and well-foundedness constraints by exploiting the syntactic structure of the CTL formula. Then, the generated set of constraints is solved by applying an off-the-shelf Horn constraint solving engine. The program is said to satisfy the property if and only if the generated set of constraints has a solution. We demonstrate the practical promise of the method by applying it to a set of challenging examples. Although our method is based on a generic Horn constraint solving engine, it is able to outperform state-of-the-art methods specialised for CTL verification.
    Comment: In Proceedings HCVS2016, arXiv:1607.0403