Formal verification.

As a system architecture description language, EAST-ADL plays an important role in consolidating various kinds of behaviour concerns in the engineering of automotive EE systems. In MAENAD, an investigation of the EAST-ADL support for formal verification of behaviour-centric system properties, based on the regenerative braking system case, will be carried out. The aim is to validate the EAST-ADL support for formalizing various temporal concerns arising during requirements engineering, function and execution design, safety engineering, etc. By aligning the EAST-ADL semantics with existing mature formalisms, one can then allow formal verification of such concerns through the corresponding external analysis engines. One advantage is that EAST-ADL users will then obtain analysis leverage by model checking. Compared to standalone analytical models in external tools, EAST-ADL models complement them with detailed architecture information and facilitate the integration of many related architectural aspects for the purposes of architecture design, safety engineering, reuse and change management.

Key points for the analysis

The most important objective of this case study is to validate the EAST-ADL support for temporal constraints as well as the claimed advantages brought in by EAST-ADL. This will be achieved through two existing mature formalisms: UPPAAL and SPIN. Both UPPAAL and SPIN allow exhaustive reasoning about the compositional consequences of behaviours. They are considered two representative technologies in the area of formal verification.

• UPPAAL is a timed model checker for formal verification of real-time embedded systems (▇▇▇▇://▇▇▇.▇▇▇▇▇▇.▇▇▇/). Based on timed-automata theory, UPPAAL provides support for modelling and simulating system behaviours in the form of compositional automata. The tool has been used in several industrial cases and has recently been commercialized.

• SPIN is a model checker for formal verification of distributed and concurrent systems (▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇▇). Compared to UPPAAL, the SPIN approach emphasizes the logical aspects of temporal behaviours. It deliberately avoids the quantitative notion of time and focuses instead on the interaction and synchronization of asynchronous processes. This simplification allows SPIN to verify the functional or logical properties of more complex systems than timed model checkers usually handle.

The intended language validation through UPPAAL and SPIN will be performed in the context of FEV development. By incorporating the analysis engines of UPPAAL and SPIN, the case study will prove and demonstrate the following features of EAST-ADL with regard to behaviour specification and formal verification:

• Supporting precise definitions of temporal characteristics for the definition and analysis of safety constraints (required by 4SG#0050, 4SG#0057, 4SG#0058, 4SG#0059)
• Supporting assessment of completeness and correctness of the safety requirements (required by 4SG#0048)
• Supporting the descriptions of driving profiles (required by CON#2001), physical dynamics (required by CRF#0006b, CRF#0007b), power management procedures (required by CRF#0010b, CRF#0011b, CRF#0013b, CRF#0014b, CRF#0015b), fault tolerance design (required by CRF#0017b, CRF#0018b)
• Supporting the generation and precise definition of test cases (4SG#0049a, 4SG#0050)
• Supporting the integration with external formalisms (CON#0017, CON#0018, CON#0019)

Analysis strategies

Validation of the EAST-ADL semantics for temporal constraint specification: analyse the FEV requirements, then elicit and specify the constraints on boundary conditions, modes and control logic, and (end-to-end) timing. Formalize the temporal constraints, their targets and other traceable artefacts in EAST-ADL.

Validation of the provision of analysis leverage through the incorporation of the UPPAAL&SPIN engines: formalize and assess the conceptual mappings between EAST-ADL and UPPAAL&SPIN models. Develop transformation algorithms and proof-of-concept tool support.

Analysis results

This case study will be based on the regenerative braking case system. An extension with an emergency braking assistant function may also be used for the study of some detailed temporal characteristics. Main results from the case study, as proofs for the intended modelling features mentioned above, include:

• Report on the validation of EAST-ADL modelling support for temporal constraints in regard to mature formalisms represented by UPPAAL&SPIN.
• Example EAST-ADL models that provide precise definitions of temporal characteristics for the definition and analysis of safety constraints.
• Example EAST-ADL models and corresponding external analytical models in UPPAAL&SPIN for assessing the completeness and correctness of safety requirements.
• Example EAST-ADL models that provide precise descriptions of driving profiles, physical dynamics, power management procedures, fault tolerance design.
• Example EAST-ADL models that provide support for the generation and precise definition of test cases.
• Proof-of-concept solutions for the mappings and integrations of EAST-ADL with UPPAAL&SPIN.

See Figure 8 for an illustration of the intended mapping from EAST-ADL declaration to UPPAAL model for the verification of temporal properties.

Figure 8. EAST-ADL temporal constraint model and its UPPAAL correspondence.
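The case study plans to map EAST-ADL temporal constraints onto UPPAAL models and verify them by exhaustive state exploration. As an added illustration, not part of the MAENAD grant agreement and not code from the EAST-ADL, UPPAAL or SPIN projects, the Python below performs the same kind of check on a small constructed model: a brake request path with fixed per-component latencies and a controller that may switch between regenerative and friction braking when a battery signal changes. It enumerates every reachable state under an unconstrained environment and, where the end-to-end reaction constraint is violated, returns a diagnostic trace of the kind a model checker reports. The components, their one-tick latencies, the drop-on-switch behaviour and all signal names are assumptions made for this example.

```python
"""Exhaustive (explicit-state) check of an end-to-end reaction constraint.

A constructed discrete-time model of a brake request path, one step per tick:
pedal -> sensor (1 tick latency) -> controller (1 tick) -> actuator (1 tick).
The controller selects regenerative or friction braking from a battery signal
that the environment may flip at any tick; in the 'drop_on_switch' variant
the torque command is dropped for one tick while the mode changes. Every
component, latency and signal here is an assumption made for this example.
"""
from collections import deque
from itertools import product
from typing import Dict, List, NamedTuple, Optional


class State(NamedTuple):
    pedal: bool         # environment: brake pedal pressed during this tick
    battery_full: bool  # environment: regenerative braking unavailable
    sensed: bool        # sensor output: pedal value of the previous tick
    mode: str           # controller mode: 'regen' or 'friction'
    cmd: bool           # controller torque command (one tick after sensed)
    switching: bool     # controller changed mode during this tick
    applied: bool       # actuator torque (one tick after cmd)
    pressed_for: int    # consecutive ticks the pedal has been pressed (capped)


def initial() -> State:
    return State(False, False, False, "regen", False, False, False, 0)


def step(s: State, pedal: bool, battery_full: bool, cap: int,
         drop_on_switch: bool) -> State:
    """Synchronous composition: every component advances exactly one tick."""
    sensed = s.pedal                                  # 1-tick sampling latency
    mode = "friction" if battery_full else "regen"
    switching = s.sensed and mode != s.mode           # mode change mid-braking
    cmd = s.sensed and not (switching and drop_on_switch)
    applied = s.cmd                                   # 1-tick actuator latency
    pressed_for = min(s.pressed_for + 1, cap) if pedal else 0
    return State(pedal, battery_full, sensed, mode, cmd, switching, applied,
                 pressed_for)


def check(deadline: int, drop_on_switch: bool) -> Optional[List[State]]:
    """Explore all reachable states; return a counterexample trace or None.

    Reaction constraint under test: whenever the pedal has been pressed for
    more than `deadline` consecutive ticks, brake torque must be applied.
    `pressed_for` is capped at deadline + 1 so the state space stays finite.
    """
    cap = deadline + 1
    start = initial()
    parent: Dict[State, Optional[State]] = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if s.pressed_for > deadline and not s.applied:
            return trace_to(parent, s)
        # The environment is unconstrained: both inputs may take any value.
        for pedal, battery in product((False, True), repeat=2):
            n = step(s, pedal, battery, cap, drop_on_switch)
            if n not in parent:
                parent[n] = s
                queue.append(n)
    return None


def trace_to(parent: Dict[State, Optional[State]], s: State) -> List[State]:
    """Rebuild the path from the initial state to `s` (a diagnostic trace)."""
    path: List[State] = []
    cur: Optional[State] = s
    while cur is not None:
        path.append(cur)
        cur = parent[cur]
    return path[::-1]


if __name__ == "__main__":
    for deadline, drop in ((2, False), (3, False), (3, True)):
        cex = check(deadline, drop)
        verdict = "holds" if cex is None else f"violated after {len(cex) - 1} ticks"
        print(f"deadline={deadline} drop_on_switch={drop}: {verdict}")
        for st in cex or []:
            print("   ", st)
```

The three runs in the `__main__` block show, in order: a deadline of 2 ticks that the three-stage latency chain can never meet; a deadline of 3 ticks that holds when the controller keeps commanding torque across a mode change; and the same 3-tick deadline broken once a mode switch during braking drops the command for a tick. The last case is the point of exhaustive checking: each component meets its own one-tick budget, and the violation only appears from the composition of the controller's switching rule with an environment that flips the battery signal while the pedal is held, which is the kind of compositional consequence the text expects UPPAAL and SPIN to expose.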
Appears in 1 contract
Sources: Grant Agreement