From stateflow simulation to verified implementation: A verification approach and a real-time train controller design

Simulink is widely used for model driven development (MDD) of industrial software systems. Typically, the Simulink based development is initiated from Stateflow modeling, followed by simulation, validation and code generation mapped to physical execution platforms. However, recent industrial trends have raised the demands of rigorous verification on safety-critical applications, which is unfortunately challenging for Simulink. In this paper, we present an approach to bridge the Stateflow based model driven development and a well- defined rigorous verification. First, we develop a self- contained toolkit to translate Stateflow model into timed automata, where major advanced modeling features in Stateflow are supported. Taking advantage of the strong verification capability of Uppaal, we can not only find bugs in Stateflow models which are missed by Simulink Design Verifier, but also check more important temporal properties. Next, we customize a runtime verifier for the generated nonintrusive VHDL and C code of Stateflow model for monitoring. The major strength of the customization is the flexibility to collect and analyze runtime properties with a pure software monitor, which opens more opportunities for engineers to achieve high reliability of the target system compared with the traditional act that only relies on Simulink Polyspace. We incorporate these two parts into original Stateflow based MDD seamlessly. In this way, safety-critical properties are both verified at the model level, and at the consistent system implementation level with physical execution environment in consideration. We apply our approach on a train controller design, and the verified implementation is tested and deployed on a real hardware platform

Phase Two Feasibility Study for Software Safety Requirements Analysis Using Model Checking

A feasibility study was performed on a representative aerospace system to determine the following: (1) the benefits and limitations to using SCADE , a commercially available tool for model checking, in comparison to using a proprietary tool that was studied previously [1] and (2) metrics for performing the model checking and for assessing the findings. This study was performed independently of the development task by a group unfamiliar with the system, providing a fresh, external perspective free from development bias

Automatic Generation of Failure Scenarios for SoC

International audienceAs process technology downscales, testing difficulties and susceptibility of circuits to random hardware faults arise. This trend, combined with increasing complexity of functions to be performed by Systems-on-Chip, poses crucial concerns when system engineers have to quantify the dependability achieved by their SoC design. In this paper we propose an extension of the existing approaches to the fault analysis of SoCs describing (1) an algorithm for the automatic generation of failure scenarios based on Bounded Model Checking (BMC) (2) a methodology and Simulink-based tool for the automatic execution of SoC safety analysis and (3) an application of the proposed analysis flow to a concrete SoC use case

ADGS-2100 Adaptive Display and Guidance System Window Manager Analysis

Recent advances in modeling languages have made it feasible to formally specify and analyze the behavior of large system components. Synchronous data flow languages, such as Lustre, SCR, and RSML-e are particularly well suited to this task, and commercial versions of these tools such as SCADE and Simulink are growing in popularity among designers of safety critical systems, largely due to their ability to automatically generate code from the models. At the same time, advances in formal analysis tools have made it practical to formally verify important properties of these models to ensure that design defects are identified and corrected early in the lifecycle. This report describes how these tools have been applied to the ADGS-2100 Adaptive Display and Guidance Window Manager being developed by Rockwell Collins Inc. This work demonstrates how formal methods can be easily and cost-efficiently used to remove defects early in the design cycle

Verifying Timed LTL Properties Using Simulink Design Verifier

RÉSUMÉ Les logiciels jouent un rôle de plus en plus important dans les systèmes embarqués notamment dans les domaines de la santé, de l’automobile et de l’avionique. Un objectif important du génie logiciel est d’offrir, aux développeurs, un support ainsi que les outils d’aide à la conception de systèmes fiables nonobstant leur complexité. Dans le but d’atteindre cet objectif, des environnements de développement comme Simulink et SCADE proposent un processus de développement, basé sur des modèles, qui intègre, d’une manière réfléchie, différentes approches et outils de vérification (test, simulation, vérification formelle, évaluation, génération de code, etc). Ils permettent ainsi de concevoir, tester, simuler, vérifier, corriger des modèles puis de générer automatiquement du code à partir de ces modèles. Cette thèse s’intéresse aux méthodes formelles et à l’intégration de celles-ci dans l’environnement de développement Simulink. Les méthodes formelles s’appuient sur des outils mathématiques pour spécifier, par des modèles, le comportement et les propriétés d’un système et prouver qu’il satisfait ses requis. Simulink-Design-Verifier (SLDV) est un outil de vérification formelle, intégré à l’environnement de développement Simulink, qui permet de vérifier des propriétés de sûreté (assertions) sur des modèles Simulink. Cette thèse vise à étendre cette classe de propriétés à des propriétés linéaires LTL (Linear Temporal Logic), LTL temporisé et LTL à base d’événements. Les contributions de cette thèse sont présentées sous forme de trois articles. Le premier article présente une étude de cas qui a permis d’expérimenter l’environnement de développement Simulink, d’identifier ses caractéristiques et ses limitations. Il s’agit de modéliser et vérifier un dispositif médical appelé sonde d’intubation. Une sonde d’intubation est une tubulure mise en place sur un sujet inconscient qui permet notamment d’assurer en permanence le passage de l’air vers les poumons. Ce système est composé de deux ballonnets, deux robinets d’accès pour gonflage manuel, deux capteurs de pression, un distributeur de puissance, une pompe et un réservoir d’air. Tous ces composants sont concurrents et contrôlés par contrôleur programmable décrit par un grafcet. Cet article montre comment utiliser l’environnement Simulink pour, d’une part, modéliser ces différents composants ainsi que leurs interactions, et d’autre part, vérifier formellement des propriétés, afin de s’assurer du bon fonctionnement du système. Cependant, la spécification de certaines propriétés temporelles n’est pas évidente car elles doivent être exprimées sous forme d’assertions. Les articles suivants proposent des blocks canevas pour des propriétés temporelles linéaires. Le deuxième article est une version améliorée et étendue du premier article. Il s’est intéressé à réduire la complexité de vérification en modifiant significative le modèle et en proposant des blocks de spécification de propriétés linéaires basées sur les événements émis par le contrôleur. Le troisième article est dédié à la spécification de propriétés LTL en utilisant SLDV. Il propose des blocs Simulink configurables qui spécifient ces propriétés. Le but de ces blocs est de transformer les propriétés en assertions qui sont vérifiables par SLDV. La solution proposée dans le seconde et troisième article, est donc une extension de la bibliothèque de blocs de Simulink qui permet aux utilisateurs moins experts de spécifier et vérifier certaines propriétés LTL. Ce travail est donc limité aux propriétés LTL à temps discret, et restreint à certaines propriétés LTL. Nos travaux futurs consisteraient à l’extension de la bibliothèque de blocs de Simulink pour supporter des propriétés LTL plus complexes et à plus grande échelle.----------ABSTRACT Software plays increasingly a significant role in embedded systems particularly used in healthcare, automotive and avionics. An important goal of software engineering is to offer developers support tools to design reliable systems despite the system complexity. In order to achieve this, development environments like Simulink and SCADE propose a model-based development process, which integrates in a thoughtful way, different approaches and verification tools (test, simulation, formal verification, evaluation, code generation, etc.). They allow to design, test, simulate, verify, correct the models and then automatically generate code from these models. This thesis is interested in formal methods and integrating them in the Simulink development environment. Formal methods are based on mathematical tools to specify the behavior and properties of a system by models, and prove, if it meets its requirements. Simulink Design Verifier (SLDV) is a formal verification tool, integrated in Simulink development environment, to verify safety properties (assertions) on Simulink models. This thesis aims to extend this class of properties to linear properties LTL (Linear Temporal Logic), timed LTL and event based LTL. The contributions of this thesis are presented in three articles. The first article presents a case study that experiment the Simulink development environment, to identify its characteristics and limitations. It consists of modeling and verifying a medical device called intubation tube. An intubation tube is a tube that assures permanent air flow to the lungs of unconscious person. This system consists of two balloons, two access valves for manual inflation, two pressure sensors, a power distributor, a pump and an air reservoir. All these components work in parallel and are controlled by a programmable controller described by grafcet. This article shows how to use the Simulink environment, to model these components and also how to verify formally the properties to ensure the system is well functioning. However, the specification of certain temporal properties is not obvious because they must be expressed as assertions. The following articles propose canvas blocks for linear temporal properties. The second article is an improved and extended version of the first article. It is interested in reducing verification complexity by changing significantly the model, and proposing specification blocks of linear properties, based on events issued by the controller. The third article is dedicated to the specification of LTL properties using SLDV. It proposes configurable Simulink blocks that specify these properties. The purpose of these blocks is to transform the properties into assertions that are verifiable by SLDV. The solution proposed in the second and third articles, is to extend the block library of Similink, which allows less-expert users to specify and verify some Linear Temporal Logic (LTL) properties. This work is limited to discrete time LTL properties, and restricted to specify some LTL properties. Our future work is devoted to extend the block library of Simulink to have support for a large scale and more complex LTL properties

Generating Property-Directed Potential Invariants By Backward Analysis

This paper addresses the issue of lemma generation in a k-induction-based formal analysis of transition systems, in the linear real/integer arithmetic fragment. A backward analysis, powered by quantifier elimination, is used to output preimages of the negation of the proof objective, viewed as unauthorized states, or gray states. Two heuristics are proposed to take advantage of this source of information. First, a thorough exploration of the possible partitionings of the gray state space discovers new relations between state variables, representing potential invariants. Second, an inexact exploration regroups and over-approximates disjoint areas of the gray state space, also to discover new relations between state variables. k-induction is used to isolate the invariants and check if they strengthen the proof objective. These heuristics can be used on the first preimage of the backward exploration, and each time a new one is output, refining the information on the gray states. In our context of critical avionics embedded systems, we show that our approach is able to outperform other academic or commercial tools on examples of interest in our application field. The method is introduced and motivated through two main examples, one of which was provided by Rockwell Collins, in a collaborative formal verification framework.Comment: In Proceedings FTSCS 2012, arXiv:1212.657

Systematic Model-based Design Assurance and Property-based Fault Injection for Safety Critical Digital Systems

With advances in sensing, wireless communications, computing, control, and automation technologies, we are witnessing the rapid uptake of Cyber-Physical Systems across many applications including connected vehicles, healthcare, energy, manufacturing, smart homes etc. Many of these applications are safety-critical in nature and they depend on the correct and safe execution of software and hardware that are intrinsically subject to faults. These faults can be design faults (Software Faults, Specification faults, etc.) or physically occurring faults (hardware failures, Single-event-upsets, etc.). Both types of faults must be addressed during the design and development of these critical systems. Several safety-critical industries have widely adopted Model-Based Engineering paradigms to manage the design assurance processes of these complex CPSs. This thesis studies the application of IEC 61508 compliant model-based design assurance methodology on a representative safety-critical digital architecture targeted for the Nuclear power generation facilities. The study presents detailed experiences and results to demonstrate the benefits of Model testing in finding design flaws and its relevance to subsequent verification steps in the workflow. Additionally, to study the impact of physical faults on the digital architecture we develop a novel property-based fault injection method that overcomes few deficiencies of traditional fault injection methods. The model-based fault injection approach presented here guarantees high efficiency and near-exhaustive input/state/fault space coverage, by utilizing formal model checking principles to identify fault activation conditions and prove the fault tolerance features. The fault injection framework facilitates automated integration of fault saboteurs throughout the model to enable exhaustive fault location coverage in the model