-In this paper the extension of an intelligent compositional verification framework for cyber-physical systems is presented and the capabilities of accompanying underspecificationrefinement steps by verification are demonstrated on a representative example of a flight guidance system. Formal knowledge representation using higher-order logic and intelligent reasoning is shown to be applied to software engineering problems to perform correctness proofs, execute symbolic tests or find counterexamples. The theorem prover Isabelle is a mature and fundamental tool, which allows to represent knowledge as a collection of definitions and theorems and reason about systems. To increase the usability, an architecture description language (ADL) coupled with a code generator from the ADL to Isabelle is used. These and the rapid increase of computation capabilities suggest that a prominent application for reducing certification costs of critical systems such as intelligent flight control systems or assistance systems for air or road traffic management is not far in the future.
The complexity of safety-critical systems is increasing in the
avionics and other fields and new technologies like unmanned
flying vehicles are rapidly introduced into the market. These
bring new challenges to certification processes. While trying
to maintain high system reliability, the scalability of traditional
quality assurance methods such as testing and reviewing is not
ideal and causes considerable amount of costs [
If requirements were to be specified in a formal way, one
could reason about them and thereby replace or complement
many tests (please see also the conclusion for a more detailed
discussion). Abstract Interpretation [
Meanwhile, artificial intelligence fields such as logic and knowledge representation have also been applied successfully in software engineering. When representing knowledge by logic, theorem proving is then reduced to intelligent reasoning. So by creating a knowledge base for safety-critical systems, automatic reasoning becomes possible by reducing verification into applying AI techniques such as metaheuristic (proof-) search techniques. Same holds for error detection; a counterexample-finder takes as input a system model, (the negation of) a property, and error detection is reduced into a search problem (and in case of an error the trace-path of this search is returned as a malicious input). In a time of increasing computational power, these techniques open up possibilities to maintain manageable certification costs.
Common ADLs used for model-based development avionics
are AADL [
For the incorporation of analysis tools in their life-cycle
processes, companies such as Airbus and Dassault Avionics
have identified a number of requirements [
Ability to be integrated into the certification standards conforming process Cost Savings Deliver correctness by construction Scalability: Compositional Verification Expressivity of Specification Language Timing aspects and underspecification refinement Usability by normal software engineers on normal machines
The Chair for Software Engineering at the RWTH Aachen
University has been conducting research for many years
using its language workbench MontiCore [
In principle, for any DSL one can create a knowledge base
and reason about it in a logic language. In this paper this is
demonstrated on the example of an architecture description
language (ADL) for cyber-physical systems (called MontiArc
[
The contribution of this work is the extension of logicbased a knowledge representation for an automatic reasoning approach aiming at reducing certification costs of safetycritical systems. This is demonstrated through accompanying the refinement of different abstraction levels of underspecification (see fig. 1) by verification. The full compositionality of refinement of FOCUS is leveraged for the step-wise refinement of a representative example of a pilot flying system (in this cyber-physical system the bus component is hardware and the flight guidance component is software).
On a more detailed level, this includes:
Extending an ADL and its knowledge base for enabling higher-level history-oriented requirement specification. Extending an ADL and its knowledge base for enabling refinement of history-oriented requirement specifications into lower-level (closer to implementation, yet still not necessarily deterministic) state-based requirement specifications.
High-Level B Requirements‘ -Compliance -Traceability
D -Verifiability -Accuracy and Consistency -Verifiability -Accuracy and Consistency
C
System
A Requirements -Verifiability -Accuracy and consistency -Verifiability -Accuracy and consistency -Compliance -Traceability
H I -Compliance
-Traceability
High-Level
Requirements -Compliance -Verifiability -Accuracy and consistency J
K --TCroamcepalibainlictye Source Code
F
E -Verifiability -Accuracy and consistency
G Software Architecture
Low-Level Requirements
Software Architecture
Low-Level Requirements‘ Fig. 1. Certification Activities (Letters = Sections in Chapter 2). The denoted activities are shown to be handled by our methodology and thus save a lot of test and review costs.
Extending an ADL and its knowledge base for enabling refinement of lower-level non-deterministic stateoriented requirement specifications into another stateoriented specification by means of transition-refinement and state refinement.
Extending counterexample-finding capability for design error detection.
Optimizing signatures of key structures in the knowledge
base to increase the automation degree and reduce the
needed user-expertise (consisted in rewriting the encoding
with total functions instead of partial functions (such as in
[
Discussing at what extend such a knowledge representation approach can scale to meet industrial requirements, documented in a table in the conclusion after the evaluation and consideration of the lessons learned.
Providing an Integrated Verification Environment created with Visual Studio Code for the integration of all the artifacts of the framework (see Appendix).
The rest of the papers consists in the following: The next
chapter describes a typical avionics software development
activity, where step-wise refinements of underspecification
accompanied by verification is presented on the example
of a flight guidance system (adapted from a collaboration
between NASA and Rockwell Collins [
In this section we present the development of a pilot
flying system (PFS) with two flight guidance systems (FGSs)
in a refinable, decomposable fashion, adapted from [
The semantics of components are sets of stream processing
functions mapping input channel histories to output channel
histories and are hierarchically decomposable [
One-directional channels connect components by transmitting input and output messages. In the PFS, messages sent between the FGSs are transmitted by hardware buses. Each FGS outputs a pair of booleans where the first boolean denotes the liveness of the system and the second boolean is used as an acknowledgement bit. Clocks restrict the other components behavior by sometimes forcing them to output the last message and not reacting to its input in any way. The system is visualized in fig. 3.
For each component (hardware and software), HLRs and LLRs were created. When verifying compliance (say between HLR and SysReqs), the HLRs of all components in the software architecture are proven to fulfill all SysReqs. We demonstrate to handle in the following a few representative certification activities. In our knowledge representation approach, certification credits concerning ”‘verifiability”’ of requirements (see fig. 1) are generally claimed by having used a formal language for the specification, and ”‘accuracy”’ is claimed by having formal proofs.
The system requirements (SysReqs) are largely adapted
from [
SysReq1: At least one side is the active pilot flying side.
Below is the first SysReq also as an OCL expression. It is formulated in the context of the general component structure from fig. 3 and addresses the streams by their port name: f s t c 1 [ n ] o r f s t c 3 [ n ]
The OCL expression consists of elements known from first-order logic. Ports are named after the connected channels from fig. 3. A syntactic extension allows to obtain the nth element (point in time) of the stream flowing in the channel c1 as c1[n]. The translation as Isabelle theorem looks alike (variables are per default universally quantified). The first item of a tuple is returned by f st.
Furthermore, we define a safety-critical sixth SysReq informally.
SysReq6: Pressing and holding the transfer switch c5 for 10 milliseconds always switches the inactive flying side, if the inactive component received the last transfer switch input and the system is in a stable state (see also section C for the architecturial contex).
The engineer now tries to develop high-level requirements for each sub-component, so that the overall system requirements can be fulfilled. First, we introduce the high-level requirements of the clocks (corresponding in fig. 1 to HLR’): component C l o c k U n f a i r S p e c f t i m i n g s y n c ; s p e c f / / o u t p u t s an i n f . l o n g b o o l s t r e a m c l k 1 . l e n g t h ( ) = INF g g
The bits on the clocks output stream determine whether its associated component is active (executing) or not. The ADL MontiArc is used to define the high-level requirements (HLRs)of the clock component. This is a component with one output and no input channel. First, the timing of the clock is defined. The keyword sync indicates weak-causal and causalsync strong-causal time-synchronous components (causality captures realizability in time sensitive modeling,
Clock 1 clk1 c5
L-FGS c4 c1
Clock 4
clk4 RL-Bus LR-Bus
clk2 Clock 2 c3 R-FGS c2 clk3
Clock 3
Fig. 3. An architecture of the pilot flying system (PFS), sufficient for
correctly synchronizing the pilot flying sides and the other mentioned system
requirements. clk1 etc. denote the channels that have clocks as sources, c1
etc. refer to the other communication channels, L-FGS denotes the left flight
guidance system, RL-Bus denotes the bus from right to left.
some technical details concerning the knowledge base see
[
F GSL
F GSR
BusLR
BusRL clk1 clk2 clk3
clk4
After defining the Pilot Flying System as a composition
of its sub-components, we define the low-level requirements
of the sub-components. The unfair clock has to output
nondeterministicially true or false (input and transition guards can
be modeled in MontiArc [
The HLRs for the Buses and FGSs are defined similarly. to section II-B. The automata then specifies the behavior in This paper lists only the LLR’ as supplementary material in a lower-level, yet still non-deterministic fashion. States are fig. 7. defined in the first line of the automata body. The second line sets the initial state of the automata. Following the state C. Software Architecture and Lower-Level Requirements’ specifications, the automata transitions and the output and (LLR’) state-change behavior are defined on a step-by-step basis.
In fig. 3 each component is represented by a named box.
The channels describe the internal interaction between the components. The incoming and outgoind channels are the global in- and outputs of the PFS. Small boxes represent the ports of a component. Our scalable vector graphics (SVG) generator draws figures based on MontiArc models. Such visualization is a powerful tool to gain overview and improve the communication, especially in the early stages of the development process.
Here, each of the 4 clocks is connected to one of the nonclock components to model their non-deterministic behavior.
On a ”‘False”’ clock output signal, each non-clock component does not react to its input and simply repeats the last output.
Input channel c5 transmits the transfer switch status, c1 is the output of the L-FGS system and c4 its input from the RL-Bus etc.
The complete system can be decomposed into
subcomponents hierarchically [
The consistency of a specification is defined as the existence of at least one implementation that satisfies the specification.
The consistency of our HLR’ can be shown as follows: First prove the compliance of LLR’ to HLR’ (i.e., LLR’ refines HLR’). Then show that an implementation of LLR’ exists.
For the later, consider that LLR’ (e.g. of the clocks) are nondeterminsitic (total) automata, and can easily be converted to an implementation (deterministic automata) by removing transitions responsible for non-determinism. Next, we focus on compliance of LLR’ to HLR’.
For this, the LLR’ MontiArc automata is translated to an
Isabelle automata and further transformed to (sets of) stream
processing functions. The HLR’ spec is directly transformed
to (a set of) stream processing functions. The transformation
from automata to stream processing function (SPF) is defined
as a (greatest) fixed point calculation of the corresponding
functional [
streamc5 = F alse1 streamclk3 = T rue1
T rue11 F alse11
F alse1
T rue1
Single The infix is used for stream concatenation, whereas i-fold
repetition is formalized as i. The stream T rue1 for example
is an infinitely long stream of messages T rue. Obviously, the
assignment does not contradict the HLR’ of the clock (random
trues and f alses). But the system does not change the flying
Fig. 4. The unfair clock outputs non-deterministically booleans side after pressing the button for 10 milliseconds (SysReq 6),
as the clock blocks any reaction for 11 time-units. Thus, a
the following Isabelle theorem, where the Isabelle-semantics new and sufficient HLR has to be formulated.
of a MontiArc construct is abbreviated by J:::K): chaTihnehiansfrbaseternucetuxrteenfdoerdfibnydinidgenctoiufynitnegrexaanmdpilnesseritninogur(dtoonoel
theorem as described e.g. in [
It might be interesting to note that compared to [
The next important step is to check the fulfillment of the
system requirements. HLR’ fulfills the first 5 SysReqs, but
not the 6th. The proofs that HLRs comply with the 5 SysReqs
is generally history-oriented (reasoning over infinite streams).
Meanwhile, tools like quickcheck and nitpick were integrated
in our tool chain and can be used to automatically search
for counterexamples. Quickcheck originates from Haskell and
is a test-based tool that needs an executable implementation
from which it generates Haskell code and is fast [
Similar to above, one does not need to come up with an entirely new LLR (for the clocks) out of their HLR, but can instead refine the almost-successful LLR’ just enough to comply with the HLR. A new LLR for the fair clock is defined as a non-deterministic automata (see fig. 5) using a finite timer to force at least one true every 10 milliseconds: proving the remaining 6th SysReq. This reduces certification costs of HLR compliance.
Compliance: The compliance with the last SysReq follows straightforwardly (proof is thus easily found automatically) from the added OCL-predicate in the spec-body of HLR in section II-F).
Traceability: Certification credits for the traceability of HLR is claimed by deleting HLR-predicates (OCL-expressions from the spec body) one-by-one and proving that each deletion in isolation already leads to an incompliant system requirement (one of these cases led to the above mentioned HLR’).
The non-deterministic clocks can be refined to a
deterministic behavior by deleting transitions that offer non-deterministic
choices (e.g. by deleting one of the transitions such as
those occurring in ClockUnfairAutomata). Apart from
the non-deterministic clocks, any LLR of other components
is a deterministic MontiArc model and can be interpreted
as an implementation, since its semantic is a single stream
processing function [
One can save certification costs (of proving compliance of LLR with HLR and SysReq all over again) by proving that LLR is a refinement of LLR’, and then reasoning that the already proven properties (LLR’ refines HLR’ and HLR’ fulfills almost all SysReq) will also hold for LLR. This means one only needs to prove the missing 6th SysReq.
The refinement of LLR’ into LLR is a refinement between non-deterministic automata. Similar to the refinement between HLR and HLR’, a theorem in Isabelle can be formulated over the automata’s semantics:
After translating the deterministic components (representing the source code) to Isabelle, the compliance of source code with LLR can be proven. The proof is reduced to showing that the resulting stream processing function (i.e. the semantics of the deterministic automata) is an element of the LLR semantics theorem (a set of SPFs). Accuracy and consistency are correct per ”J C l o c k F a i r A u t o m a t a K J C l o c k U n f a i r A u t o m a t a K” construction in the case of a deterministic component. The
This is proven by two simple refinement steps. The first one compliance of the source code to the software architecture
is a semantics-preserving state-refinement (through splitting and to the system requirements holds without further
efthe one state of LLR’ into 10 by introducing a counter fort by the unique property of FOCUS, that refinement is
variable. The set of behaviors remains after this step the fully compositional. Since the other (non-clock) components
same (does not become strictly smaller yet) [
As LLR’ refines HLR’ (section II-D) and LLR refines LLR’ (section II-G), it follows that LLR refines HLR’. Now all that is left to prove is that LLR satisfies the additional constraints of HLR (compared to HLR’). This reduces certification costs for the HLR consistency proof significantly. The property that the state with counter = 0 is reached after maximal 9 steps (visible in fig. 5) is sufficient to prove the additional HLR property easily automatically.
As HLR’ is already proven to satisfy all but one SysReq and HLR is a further refinement of HLR’, we can directly conclude that HLR also satisfies the first 5 SysReq. We thus focus on In conclusion, the methodology in this paper demonstrated handling representative scenarios for a verified development and compositional refinement of safety-critical systems. A developer can specify either directly using a logic language (e.g. Isabelle), or using an ADL for distributed systems as frontend to describe interfaces of the components, their behavior and their interaction in a comfortable way. Then the system model and all desired properties can be then translated into an equivalent specification in a knowledge base created in a logic language.
The developed knowledge base for MontiArc is very general and can be largely reused for creating knowledge bases for other modeling languages (such as AADL, SysML, SCADE, Simulink etc.) Keeping FOCUS as semantical underpinning has the already mentioned advantage that refinement is fully compositional.
This kind of approach can replace a lot of tests and reviews. This helps also with requirements involving always/never, which cannot be exhaustively verified in general by tests. Please note though that a certain group of tests and reviews can only be complemented hereby, but not completely replaced, for instance checking whether: requirements formalization is correct (in general compliance between informal and formal models), the methodology is justified and appropriate, requirements and software architecture are compatible with the target computer (unless the target environment is formally modeled), a requirement has not been forgotten, there is no unidentified dead or deactivated code.
As can be seen in fig. 1, a lot of development and
certification costs can be saved by omitting coming up with Source
Code’ out of LLR’, since it would not be correct anyway,
because HLR’ are not good enough. One could have even
spared the effort of creating LLR’ by the following reasoning:
HLR’ has to fulfill SysReqs and to be consistent. In our case
we went first for consistency. Instead, by leveraging the
higherlevel history-oriented spec-infrastructure of our methodology,
before one takes care of consistency, one could have shown
first that high-level spec’s and the architecture violate SysReqs
(and these kind of proofs are generally history-oriented, thus
much easier than induction-based proofs of inductively,
stateoriented LLR automata proofs [
Concerning lessons learned, an interesting observation is that there are a couple of reasons for preferring the specification of components by means of an ADL ideally in a statebased fashion (coupled with a generator), rather then giving the user just an encoding of the stream data type and set of theorems over streams in Isabelle:
The ADL is for a user more comfortable than writing
recursive (specified typically as least fixed points [
The input/output automata of this work are designed to describe realizable components per construction (and only these).
The automata of our methodology are general enough
to represent every realizable stream processing function
(proof in [
Finally, the table in fig. 6 summarizes how the methodology presented in this paper handles the industrial requirements described in the introduction. The biggest challenge encountered is having a proof being found automatically in a large model. The mitigation of this is an ongoing work consisting in increasing the number of general theorems over dataflowbased systems (which are identified intellectually during verifying case studies), and also exploiting the rapid increase of computational capability by using a central web-based highperformance service to perform the proof search.
However the application of reasoning over knowledge bases is still not mature enough and further research and time will Soundness Ability to be integrated into the DO-178x conforming process Cost savings
Established usually by peer reviews, from 1980-now there are over 200 papers about FOCUS.
The methodology replaces or complements many tests and supports fulfilling certification requirements. By relocating the majority of the code generator internally in Isabelle (we aim over >99%), the tool chain becomes easier qualifiable due to Isabelle’s axiomatic and conservative nature.
Replaces traditional verification methods throughout the development life cycle, as seen in the running example (also see the point below) Automata Language restricts the user into specifying only well-behaved implementable functions (vs expect user to write realizability proofs) Correctness by construction Underlying methodology FOCUS: Refinement fully compositional – After decomposing a system, refining the components separately, and composing back, the new system is a refinement of the old one (no new (unwanted) behaviors are added, thus sparing test and integration costs) Scalability: Compositional verification Expressivity of specification language Timing aspects and underspecification refinement
Verification: Compatibility of composition with refinement
allows modularizing and breaking down the proof complexity
of representative industrial-sized models (as in the running
example)
Automata language can represent all implementable Stream
Processing Functions (semantical mapping is surjective,
proof in [
A user-friendly frontend language and a high-level API in the Usability by normal software knowledge base helps (for hiding low-level engine concepts) engineers on normal machines
A large amount of encoded lemmas helps aiming for high automation (which implies less user expertise needed) - see demo in: https://www.youtube.com/watch?v=krl4Q7MAAlo be needed to make it a standard in the tool box of software engineering development processes.
FGS LLR BUS LLR
The System is in a stable situation whenever both FGSs acknowledgements are true. If the system is in a stable state, then at most one side is the active pilot flying side. Pressing the transfer switch changes the inactive side, if the system is in a stable state and the inactive side receives the input.
In the beginning one side has to be the active pilot flying side. Without loss of generality we choose the left side to be active. The right side has to be inactive. Only switch to inactive side, if transfer switch is pressed.