-In aviation and other safety-critical domains, software faults are unacceptable. A means of detecting and avoiding these faults is to use formal methods. Although formal methods strongly contribute to the reliability and robustness of the system, some drawbacks prevent their general usage. A drawback is their reputation to be hard to apply for non-experts. Non-experts have to be familiarized with the tools to efficiently make use of them. But is this reputation still valid? Over the years, formal methods tools have evolved. They are capable to analyze more complex system properties. Further, their user experience was addressed by industrial companies to actually allow non-experts to profit from the advantages of formal methods. This paper represents the first step towards putting the mentioned assumption under test by trying to use formal methods for prototyping. We propose an approach for software prototyping which makes use of the formalization of requirements. We depict advantages and discuss first results of evaluating the commercial tool BTC EmbeddedPlatform R that we were able to use without cost in a project cooperation. We plan to continue the project cooperation to answer the headline in future. Index Terms-prototyping, formal specification, monitoring
In software development, validation is a difficult and
errorprone task. There are several different development models
that lead through the software life cycle and support the
development of the software product. Common to most of
these methods is a set of requirements from which code
and test cases are created. Complementary, when developing
safety-critical software, recommended software standards such
as DO-178C [
Often a proof of concept is developed with reduced rigor in
form of a prototype before the final software product is created.
In aviation, ARP4754A [
At the department Unmanned Aircraft of German Aerospace
Center (DLR), prototypes are built to foster autonomy of
unmanned aircraft system. This also incorporates to consider
AI methods and their validation. One problem in AI is that the
function is not written as transparent and human-readable code
which can be manually checked and traced. Instead, the
function is learned and tested based on data and, therefore, often
considered as black-box. Currently, there is a trend towards
simulation validation of AI due to the lack of other means. To
check black-box systems, e.g. during simulation, one approach
is runtime monitoring [
Fig. 1. Using runtime monitoring to check black-box systems.
In summary, an approach which allows to early identify requirement violations and to safely (documented, consistent) adapt requirement threshold values to capture or even bound the behavior of the target (AI) application is highly desirable for both developing an end-product as well as prototyping. In this paper, we propose an approach based on the formalization of requirements and depict its possible advantages. Further, we point out first insights whether the commercial tool BTC EmbeddedPlatform R can be used for the proposed approach.
Imprecise or incorrect requirements is one of the root
causes of software errors and the associated costs to fix
a software error in late stages of development is highest
for errors introduced during requirements elicitation [
Often during prototyping, assumptions and requirements on the system are implicitly given. Still, we think they should be explicitly stated during the prototyping process. Especially functional requirements are interesting for prototyping: every 100Hz the controller has to output a value; control-flow properties like if the pilot requests ascending of the drone then the drone shall increase height within 0.2 to 0.5 seconds; or if an obstacle is detected above then the drone shall stop to increase height within 0.1 seconds; or even high-level assumptions like during daytime tracking of an object works. They can actually help developers to avoid false, e.g. outdated due to system changes, assumptions on the current software state. Of course, writing and checking requirements on the prototype level imply an additional workload. However, it can guide towards the source of error. Also, after prototyping, written requirements offer a good starting point for creating the full set of requirements. In general, prototyping should not turn into an end-product development, therefore a lightweight approach is desirable.
The approach focuses on the formalization of such functional requirements. As a result, the requirements could be depicted as an automaton or formula. This is an additional step which needs to be light and efficient. But the main advantages of formalized requirements are: First, they offer an unambiguous documentation. Second, at an early stage consistency can be automatically checked and, therefore, later code iterations potentially avoided. Third, basic test cases can be automatically generated. Forth, monitors can be generated for each property and attached to the code, checking the adherence to the property online. In the next subsection, we describe one way how the formalization can be achieved. The approach is shown in Fig. 2 and explained in more detail in Subsection III-B.
BTC EmbeddedPlatform R (EP) is a tool suite for specification, testing, and verification of requirements for Simulink R and TargetLink R models and production code, currently mainly used in the automotive domain. EP has been successfully certified by German T U¨V Su¨d as fit for purpose for the usage in safety-critical software development projects according to IEC 61508-3:2010, ISO 26262, EN 50128, IEC 62304 as well as ISO 25119. However, there is no dedicated tool qualification support for the aerospace domain, as of yet.
The workflow for the use case of this paper is shown in Fig. 3. Textual requirements are first imported into EP. Then the BTC specification method guides the user during the complex conversion phases from an informal textual requirement to a uniquely defined and correctly formalized requirement. One particularity of the method is that the underlying formalism called Simplified Universal Pattern (SUP) inherently reflects the intrinsic nature of an informal requirement by describing a temporal trigger-action relationship, namely in an intuitive and graphical way.
Fig. 3. Workflow using BTC EmbeddedPlatform R .
We briefly introduce the idea behind SUP by means of an
example. For more details about the syntax and semantics
of SUP the reader is referred to [
Based on formalized specifications, fully automated formal
checks can be executed in order to find and fix problems
in the requirements set at a very early design stage, which
leads to greater product quality with less cost compared to
traditional processes. As indicated by Fig. 3, we consider the
consistency check of requirements within this paper, i.e. we
aim at finding any contradiction within the requirements fully
automatically [
Finding requirement-specific test cases, i.e. test cases that
(FR-1)
(FR-2)
actually test the requirements, most often is a manual and thus
very time-consuming task. As shown in Fig. 3, EP facilitates
the automatic generation of test cases by taking into account
the intended behavior described by the requirements, leading
to high-quality test cases, cf. [
Another capability is to export executable monitors, also
called observers, from formal requirements as depicted in
Fig. 3. These observers implement the behavior of the formal
requirements and establish a very flexible way of monitoring
the correctness of the behavior of the actual system under
test in external simulation environments. Technically, these
observers are exported as a functional mock-up unit (FMU)
in the tool independent FMI standard1, cf. [
We propose an iterative prototyping approach (cf. Fig. 2): 1 Informal requirements on the application are collected. 2 We formalize the requirements using EP. Note that EP focuses on functional requirements. Requirements on the system design, e.g. structural redundancies, cannot be expressed in general. 3 Then, formal requirements are checked for consistency.
An automatic check is highly desirable since the software is build iteratively and variables can change at any point in the prototype development. Also, especially, wrong timing assumptions are hard to find during later iteration. Imagine the requirement on component c when input a is set, output b should be set within 50ms. At a later development phase, component c is divided into consecutive subcomponents c1 and c2 with requirements if input a is set then a1 is set after 25ms and when input a1 is set then b is set within 25ms, respectively. Due to the automated check of the formal requirements, we can automatically detect an inconsistency by finding a trace falsifying the initial requirement on c. The required time for the second property is unbounded, after 25ms and could lead to a violation, i.e. b could be set after 50ms. 4 Based on formal requirements Test Cases and FMU
Observers are generated by EP. 5 We instrument the system code to send required data to the generated monitors. The monitors evaluate the 1Details about FMU and FMI can be found at https://fmi-standard.org/. specified properties and return an early verdict whether the system adheres to the system requirements. Note that it is preferable to monitor the system outline on a dedicated hardware to avoid impacts on the system. Next, we run our system. First, we use the generated Test Cases. Then, simulations are used.
After each step, the artifacts are checked for violations, e.g. during execution the outcome of the FMU Observers are checked whether any requirements are violated.
Currently, EP is able to realize the required functions. But
its scalability on real-world example from aviation domain is
unclear and needs to be addressed in future. First tests indicate
that the formalization of textual requirements is easy to use.
However, currently, one is limited to SUP which represent
temporal trigger-action relationships. Still, based on
experience, most of the functional requirements do actually fit in this
pattern. For others, other languages exist like the stream-based
specification language Lola [
In future work, we have to investigate the trade-off of the approach in order to estimate the cost-benefit ratio between writing and formalizing requirements and the added value of better code at early stages, e.g. test cases and monitors. Clear metrics have to be found to estimate the benefit. Formalization overhead also incorporates mistakes during formalization. To which degree these kinds of mistakes are automatically detected by the consistency checks is also important.
During simulation, the use of generated monitors offer clear benefits like early feedback and avoidance of inline assertions. There, the main concern is the integration into the system setup, especially the system instrumentation. The monitors need to be able to run along the system while having a low impact on its execution. Figure 6 exemplary shows our current system instrumentation. We are not limited on passively reading databuses. We also instrumented the code to send information about the internal software status via UDP.
We motivated a structured approach for prototyping. The approach is centered around the formalization of requirements. It allows to automatically check their consistency and to generate test cases and monitors. The approach can be implemented using open-source tools. As formal specification language, linear temporal logic (LTL) could be a candidate for which tools for model checking, runtime monitoring, and test generation do exist. We decided to use a commercial tool that combines all of these approaches. We showed how the integration into development could be done. Then, we discussed the barriers for an actual integration. In future, we plan to actually apply the approach and to report findings to come closer to answering the question whether formal methods pay off for prototyping. # M o n i t o r s i d e 1 fmu = FMU( p a t h ) 2 fmu . i n s t a n t i a t e ( . . . ) 3 mapping = f V a r i a b l e > ( ID , Type ) g 4 s o c k e t = o p e n S o c k e t ( i p , p o r t , mapping ) 5 w h i l e ( t r u e ) : 6 ID , d a t a , e v a l u a t e = s o c k e t . r c v ( ) 7 fmu . s e t V a l u e ( ID , d a t a ) 8 i f e v a l u a t e : 9 fmu . d o S t e p ( . . . ) 10 f o r key i n mapping : 11 p r i n t ( key , fmu . g e t B o o l e a n V a l u e ( key ) ) 12 . . . Teardown 13 # System s i d e 14 . . . s t a r t up . . . i n i t i a l i s e s o c k e t 15 w h i l e ( t r u e ) : 16 hgt cmd , c u r h g t =getHgtCmd ( ) , g e t C u r H e i g h t ( ) 17 o b s = c h e c k O b s t a c l e A b o v e ( ) 18 cmd hgt = c a l c u l a t i o n ( hgt cmd , c u r h g t , o b s ) 19 s e t C m d H e i g h t ( cmd hgt ) 20 s e n d D a t a ( 21 [ ’request_ascending’ , ’increase_hgt’ , ’obstacle’ ] 22 [ hgt cmd > 0 , cmd hgt > 0 , o b s t a c l e a b o v e ] ) 23 . . . Teardown 24