Formal Verification of FOCUS Models

Part of the document Automotive systems engineering ii (pages 90 - 93)

Mechatronic systems are part of highly safety-critical systems such as control systems for vehicles, machines, aircraft or medical instruments. Verification is a crucial aspect of their development, but it is also challenging because of their complexity. One prominent problem is that verification cannot easily handle the state space dimension of mechatronic systems, whose size is also determined by the number of continuous variables. Testing and simulation are widely used validation techniques.

These techniques only consider a relatively small subset of all possible executions of the system. Compared to (informal) testing, formal verification has the advantage that the verification is performed in a complete and exhaustive way, semi-automatically or fully automatically, where all possible executions of the system are considered.

On the other hand, there are important issues that may reduce its applicability, e.g. suboptimal integration in modelling tools, the skills required to use it, and the time or memory resources needed for some verifications.

Despite its complexity, formal verification tools have been introduced in industrial development projects. There are two fundamental verification techniques: model checking and theorem proving. For both techniques, first a mathematical model of the system and second formally specified requirements, which the model should satisfy, have to be provided.

We believe in better-integrated development environments, where design and verification tasks are strictly linked together with faster and more usable methods.

In this integration, the usability and the integration in support tools are also important aspects, because the effectiveness of powerful verification solutions may be invalidated by a suboptimal integration, or by the high skills required to manage the tools and the verification properties.

⁴ http://www.mathworks.com

Our modelling tool AutoFOCUS 3 provides an interactive graphical simulation environment and testing/verification capabilities for the logical architecture. Formal verification integration in AutoFOCUS 3 is depicted in Fig. 4.4.

We built a user-friendly integration of the model checker NuSMV⁵ in the modelling environment. The choice of NuSMV as model checker is mainly due to its semantics. In fact, in AutoFOCUS 3 the interconnected components execute an elaboration step synchronously, in the same manner as the modules in a NuSMV model. Furthermore, the symbolic model checking provided by NuSMV works well with hardware-like systems, and NuSMV offers one of the best available performances for the formal verification of such systems (Cimatti et al. 1999). For the execution of the NuSMV model checker, AutoFOCUS 3 automatically translates the selected component with all its subcomponents into an SMV instance. We performed preliminary invariant verifications of i/o FOCUS hybrid state machines with a special version of NuSMV for hybrid systems (HyCOMP⁶). The verification of invariants of continuous variables can be used in future for the automatic determination of parameters for the introduced sampling algorithms.
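The synchronous step semantics that motivates the choice of NuSMV, and the yes/no answer with a counterexample trace that a model checker returns, can be illustrated with a small explicit-state checker. The following Python is an added example, not AutoFOCUS 3 or NuSMV code: two components of a constructed mutual-exclusion protocol (the names `naive_step`, `prioritized_step` and the state names are assumptions) compute their next state from the same pre-step state, a breadth-first search enumerates the reachable states, and an invariant violation is reported as the shortest violating run. NuSMV does this symbolically rather than by enumeration; the example only shows the semantics and the shape of the result.

```python
from collections import deque

# Added example (not AutoFOCUS 3 / NuSMV code): explicit-state invariant
# checking over two synchronously stepping components, with counterexamples.
IDLE, TRYING, CRITICAL = "idle", "trying", "critical"
INITIAL = (IDLE, IDLE)


def naive_step(own, other):
    """Next states of one component, computed from the states at the start of
    the step. A component enters CRITICAL as soon as the other is not CRITICAL."""
    if own == IDLE:
        return {IDLE, TRYING}          # may request access at any time
    if own == TRYING:
        return {CRITICAL} if other != CRITICAL else {TRYING}
    return {IDLE}                      # leave the critical section


def prioritized_step(own, other, has_priority):
    """Same protocol, but when both components are TRYING only the one with
    priority may enter; the other waits one more step."""
    if own == IDLE:
        return {IDLE, TRYING}
    if own == TRYING:
        if other == CRITICAL or (other == TRYING and not has_priority):
            return {TRYING}
        return {CRITICAL}
    return {IDLE}


def synchronous_successors(state, step_a, step_b):
    """Both components step from the same pre-step state, like modules in an
    SMV model (or components in AutoFOCUS 3)."""
    a, b = state
    return {(na, nb) for na in step_a(a, b) for nb in step_b(b, a)}


def check_invariant(initial, successors, invariant):
    """Breadth-first search over the reachable state space.
    Returns (True, None, explored) if every reachable state satisfies the
    invariant, else (False, trace, explored) with the shortest violating run."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace = []
            while s is not None:          # walk the parent links back to INITIAL
                trace.append(s)
                s = parent[s]
            return False, trace[::-1], len(parent)
        for n in sorted(successors(s)):   # sorted: deterministic trace
            if n not in parent:
                parent[n] = s
                queue.append(n)
    return True, None, len(parent)


def mutual_exclusion(state):
    a, b = state
    return not (a == CRITICAL and b == CRITICAL)


def verify_naive():
    succ = lambda s: synchronous_successors(s, naive_step, naive_step)
    return check_invariant(INITIAL, succ, mutual_exclusion)


def verify_prioritized():
    succ = lambda s: synchronous_successors(
        s,
        lambda own, other: prioritized_step(own, other, True),
        lambda own, other: prioritized_step(own, other, False))
    return check_invariant(INITIAL, succ, mutual_exclusion)


if __name__ == "__main__":
    for name, (ok, trace, n) in (("naive", verify_naive()),
                                 ("prioritized", verify_prioritized())):
        print(f"{name}: {'yes' if ok else 'no'} ({n} states explored)")
        if trace:
            for step, (a, b) in enumerate(trace):
                print(f"  step {step}: A={a} B={b}")
```

The naive protocol is refuted with a three-step run (both components request in the same step and both see the other as not critical), which is the kind of trace AutoFOCUS 3 replays in the simulator or shows as a message sequence chart; the prioritized variant satisfies the invariant over its whole reachable state space.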

We demonstrate applicability of verification mainly in three areas. First, we integrate specification and verification tightly into the model-based development process. This means that verification properties are linked to model elements and can be saved along with the model itself. The properties can easily be verified locally during development. In addition, support for different specification languages is essential. Properties, as highlighted in Fig. 4.4, can be expressed with temporal logics, for instance Linear Temporal Logic (LTL) and Computation Tree Logic (CTL). The Structured Assertion Language for Temporal Logic (SALT) provides a higher level of abstraction compared to other temporal logic formalisms (Bauer et al. 2006). It is based on ideas of existing approaches, such as specification patterns, but also provides nested scopes, exceptions, support for regular expressions and real-time, and employs some constructs similar to those of a programming language.

Fig. 4.4 Formal verification approach in the tool AutoFOCUS 3

⁵ http://nusmv.fbk.eu

⁶ https://es-static.fbk.eu/tools/hycomp

The second approach is a pattern-based approach for the presentation, codification and reuse of property specifications for finite-state verification. Specification patterns permit describing properties for the model checker at a high level of abstraction (Dwyer et al. 1999). Patterns are generalized descriptions of commonly occurring requirements concerning aspects of the system's behaviour. The behaviour of the system is modelled as state/event sequences in a finite-state model. We added most of the specification patterns to the model checker view of AutoFOCUS 3, where parts of the patterns can be defined and customized with logical operators and elements of the models. The third type of specifications are specific property templates that can be directly selected, configured and executed from the graphical interface.

We implemented property templates for the simpler but recurrent cases and high-level languages for the more complex properties. Properties disproved by verification must be analysed, and either the system model or the properties have to be corrected. NuSMV checks whether the system satisfies a property and provides a "yes" or "no" answer. If the system does not satisfy a property, the answer is "no" and a counterexample is provided, i.e., a trace (system run) violating the property. In AutoFOCUS 3 counterexamples can be either simulated or represented as a message sequence chart. AutoFOCUS 3 models can be verified with the theorem prover Isabelle/HOL⁷ through a formal model transformation (Spichkova 2007). In practice, theorem proving expresses the property and the system in mathematical logic as a set of axioms and a set of inference rules, and finds a proof of the property from the axioms. The proof is composed of steps, which invoke the axioms and rules, and derive definitions and intermediate lemmas where possible.
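The pattern-based specification described above and the counterexample trace returned on a "no" answer fit together: a pattern is instantiated into a temporal-logic formula, and the counterexample is a finite run on which that formula can be checked step by step. The following Python is an added example, not AutoFOCUS 3, NuSMV or Dwyer et al.'s code: it instantiates the Absence, Universality and Response patterns in the global and "after Q" scopes following the Dwyer et al. catalogue, renders them in NuSMV LTLSPEC syntax, and evaluates them over a constructed brake request/actuation trace under finite-trace semantics (G ranges over the remaining steps, F needs a witness inside the trace). The atoms `req`, `act`, `arm`, `fault` and the trace itself are constructed for the example.

```python
# Added example (not AutoFOCUS 3, NuSMV or the Dwyer et al. catalogue code):
# specification patterns -> LTL formulas -> NuSMV syntax, plus evaluation of the
# formulas over a finite counterexample-style trace.

SMV_BINARY = {"and": "&", "or": "|", "implies": "->", "U": "U"}


def atom(p):
    return ("atom", p)


def neg(f):
    return ("not", f)


def implies(f, g):
    return ("implies", f, g)


def always(f):          # G
    return ("G", f)


def eventually(f):      # F
    return ("F", f)


def _scoped(body, scope, q):
    """Global scope keeps the body; the 'after Q' scope wraps it as G (Q -> body)."""
    return body if scope == "globally" else always(implies(atom(q), body))


def absence(p, scope="globally", q=None):
    return _scoped(always(neg(atom(p))), scope, q)                        # G !p


def universality(p, scope="globally", q=None):
    return _scoped(always(atom(p)), scope, q)                             # G p


def response(p, s, scope="globally", q=None):
    return _scoped(always(implies(atom(p), eventually(atom(s)))), scope, q)  # G (p -> F s)


def to_smv(f):
    """Render the formula as the body of a NuSMV LTLSPEC."""
    op = f[0]
    if op == "atom":
        return f[1]
    if op == "not":
        return "!" + to_smv(f[1])
    if op in ("G", "F", "X"):
        return f"{op} {to_smv(f[1])}"
    return f"({to_smv(f[1])} {SMV_BINARY[op]} {to_smv(f[2])})"


def holds(f, trace, i=0):
    """Finite-trace LTL semantics; trace is a list of sets of atoms true at each step."""
    op = f[0]
    if op == "atom":
        return f[1] in trace[i]
    if op == "not":
        return not holds(f[1], trace, i)
    if op == "and":
        return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "or":
        return holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "implies":
        return (not holds(f[1], trace, i)) or holds(f[2], trace, i)
    if op == "X":
        return i + 1 < len(trace) and holds(f[1], trace, i + 1)
    if op == "G":
        return all(holds(f[1], trace, j) for j in range(i, len(trace)))
    if op == "F":
        return any(holds(f[1], trace, j) for j in range(i, len(trace)))
    if op == "U":
        for j in range(i, len(trace)):
            if holds(f[2], trace, j):
                return True
            if not holds(f[1], trace, j):
                return False
        return False
    raise ValueError(op)


def first_violation(f, trace):
    """None if f holds on the trace; otherwise the first step at which the body
    of an outer G fails (0 for formulas that are not G-shaped)."""
    if holds(f, trace):
        return None
    if f[0] == "G":
        return next(j for j in range(len(trace)) if not holds(f[1], trace, j))
    return 0


# Constructed trace: braking is requested at steps 0 and 4, actuated at step 2,
# the assist is armed at step 3, and the run ends without actuating the second
# request (the shape of a NuSMV counterexample for the response property).
TRACE = [{"req"}, set(), {"act"}, {"arm"}, {"req"}, set()]

if __name__ == "__main__":
    for f in (response("req", "act"),
              absence("fault"),
              response("req", "act", "after", q="arm")):
        v = first_violation(f, TRACE)
        verdict = "yes" if v is None else f"no, violated at step {v}"
        print(f"LTLSPEC {to_smv(f)}  -> {verdict}")
```

The rendered strings are what would go after `LTLSPEC` in the generated SMV instance; the evaluator is only a finite-trace check useful for confirming that a returned counterexample really violates the instantiated pattern, not a replacement for the model checker's exhaustive search.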

Model checking is completely automatic, in contrast to theorem proving. In AutoFOCUS 3, system models are encoded in Isabelle/HOL, together with proofs of theorems that support the subsequent verification of properties in Isabelle/HOL.

⁷ http://www.cl.cam.ac.uk/research/hvg/Isabelle
