Academia.eduAcademia.edu

Outline

Title
Abstract
Figures
Introduction
Results
References
All Topics
Computer Science
Software Engineering

Verification of Automotive Control Units

Profile image of Werner DammWerner Damm

1999, Springer eBooks

https://doi.org/10.1007/3-540-48092-7_14
visibility

description

23 pages

link

1 file

Abstract

This paper describes the application of model-checking based veri cation tools to speci cation models of automotive control units. It rstly discusses the current state of a tool set which copes with discrete controllers described in Statemate, and then reports on proposed extensions currently under development to deal with hybrid ones which involve continuous values, too. First results based on an extension of abstraction techniques to verify such units are reported.

Figures (8)
Fig. 1. View of electronic components in a car
Fig. 1. View of electronic components in a car
Fig. 2. The increasing responsibility of electronic features
Fig. 2. The increasing responsibility of electronic features
Fig. 3. Top level activity of the braking system
Fig. 3. Top level activity of the braking system
Fig. 5. The STATEMATE Verification Environment
Fig. 5. The STATEMATE Verification Environment
Table 1. Model checking results for the EMF with manual abstractions
Table 1. Model checking results for the EMF with manual abstractions
Table 2. First-order model-checking results for the EMF
Table 2. First-order model-checking results for the EMF
Proposition table: The right side of the tableau (see Figure 6) needs some more attention. We ini- ialize the atoms ¢2,, and ALARM = true with q3 and the BDD-represented tate for ALARM = true, respectively. The precondition for ALARM is qa. [he proposition q, annotates therefore the tableau node ¢2,2. For the node bo1 — 2,2 we get q3 — q4. The computation of the annotation for the sec- ond next-step operator requires quantification of the data input SENSOR. Renaming SENSOR in q3 and q4 by SENSOR’ and substituting SENSOR or OLD introduces the new propositions gs; and gg into the proposition table. The quantification performed afterwards yields q7 as annotation for the node AX (62,1 + ¢2,2)).
Proposition table: The right side of the tableau (see Figure 6) needs some more attention. We ini- ialize the atoms ¢2,, and ALARM = true with q3 and the BDD-represented tate for ALARM = true, respectively. The precondition for ALARM is qa. [he proposition q, annotates therefore the tableau node ¢2,2. For the node bo1 — 2,2 we get q3 — q4. The computation of the annotation for the sec- ond next-step operator requires quantification of the data input SENSOR. Renaming SENSOR in q3 and q4 by SENSOR’ and substituting SENSOR or OLD introduces the new propositions gs; and gg into the proposition table. The quantification performed afterwards yields q7 as annotation for the node AX (62,1 + ¢2,2)).

Related papers

Automatic verification of control system implementations
Indranil Saha

2010

Software implementations of controllers for physical subsystems form the core of many modern safety-critical systems such as aircraft flight control and automotive engine control. A fundamental property of such implementations is stability, the guarantee that the physical plant converges to a desired behavior under the actions of the controller. We present a methodology and a tool to perform automated static analysis of embedded controller code for stability of the controlled physical system.

View PDFchevron_right
Formal Verification of Industrial Controllers: with or without a Plant model?
Jean-jacques Lesage

The use of a plant model for formal verification of industrial controllers makes the formal verification tasks more realistic, because any industrial system is always composed by a controller and a plant. Therefore, if the plant model is not used, there is a part of the system that is not considered. However, if there are some cases where the use of a plant model becomes the formal verification results more realistic and robust there are other cases where it nor always happens. In this paper there are indicated which are the circumstances where it is useful to use, or not, a plant model on formal verification tasks, using model-checking techniques.

View PDFchevron_right
On controller and plant modeling for model-based formal verification
Reijo Tuokko

2005

The acceptance of formal methods in industry is a challenging task mainly due to difficult learning process and the lack of the tools and methods helping control engineer to interpret the results of formal verification procedure. We model existing source code ofthe controller and controller related information (controller model) along with controlled object (plant model) and verify modeled system by means ofmodel-checking.

View PDFchevron_right
Cross-layer analysis, testing and verification of automotive control software
Manoranjan Satpathy

Proceedings of the ninth ACM international conference on Embedded software - EMSOFT '11, 2011

Automotive architectures today consist of up to 100 electronic control units (ECUs) that communicate via one or more FlexRay and CAN buses. Multiple control applications-like cruise control, brake control, etc.-are specified as Simulink/Stateflow models, from which code is generated and mapped onto the different ECUs. In addition, scheduling policies and parameters, both for the ECUs and the buses, need to be specified. Code generation/optimization from the Simulink/Stateflow models, task partitioning and mapping decisions, as well as the parameters chosen for the schedulers-all of these impact the execution times and timing behaviour of the control tasks and control messages. These in turn affect control performance, such as stability and steady-/transient-state behaviour. This paper discusses different aspects of this multi-layered design flow and the associated research challenges. The emphasis is on modelbased code generation, analysis, testing and verification of control software for automotive architectures, as well as on architecture or platform configuration to ensure that the required control performance requirements are satisfied.

View PDFchevron_right
Combining a computer science and control theory approach to the verification of hybrid systems
Luis Urbina

Proceedings of 5th International Workshop on Parallel and Distributed Real-Time Systems and 3rd Workshop on Object-Oriented Real-Time Systems, 1997

We report on the project "Specification and Verification of Discrete Controllers for Continuous Systems Based on Modular Models and Compositional Analysis". Within this project we aim at developing an automatic verification tool for discrete controllers of technical systems which can be applied to systems of industrial size. To reach this objective we combine two different approaches being used in control theory and computer science. These are the "Timed Condition/Event Systems" (TCESs) and the "Timed Automata" (TAs) formalisms. The state of the project is such that, because of the equivalence of TCESs and TAs we have shown in , it is possible to automatically analyze real-time systems modeled by TCESs with analysis tools developed for TAs. In this paper we describe in detail motivation, goal and state of our project, and illustrate the equivalence of TCESs and TAs.

View PDFchevron_right
LCV: A Verification Tool for Linear Controller Software
Junkil Park

Lecture Notes in Computer Science, 2019

In the model-based development of controller software, the use of an unverified code generator/transformer may result in introducing unintended bugs in the controller implementation. To assure the correctness of the controller software in the absence of verified code generator/transformer, we develop Linear Controller Verifier (LCV), a tool to verify a linear controller implementation against its original linear controller model. LCV takes as input a Simulink block diagram model and a C code implementation, represents them as linear time-invariant system models respectively, and verifies an input-output equivalence between them. We demonstrate that LCV successfully detects a known bug of a widely used code generator and an unknown bug of a code transformer. We also demonstrate the scalability of LCV and a real-world case study with the controller of a quadrotor system.

View PDFchevron_right
Model checking aircraft controller software: a case study
Chang Liu

Software: Practice and Experience, 2013

This paper documents an application of model checking to formally verify an interrupt-driven Slats and Flaps Control Unit software programmed in C, one component of a certain type of Chinese aircraft. Our objective was to identify errors rather than to prove correctness. We focused on the correctness of the algorithms used in the buffer operations, which are very common and important in aircraft software. In the verification, a total of four flawed code fragments was identified, including a minor efficiency issue. According to the programming team, this is regarded as a very successful result, and this project is the first successful attempt to apply model checking to the practice of verifying onboard aircraft software in China. Thanks to its completeness and reality, this case study can also serve as a complete and valuable real-world example for teaching and learning model checking.

View PDFchevron_right
State Identification and Verification using a Model Checker
Christopher Robinson-mallett

This paper presents a method for the application of model checking, i.e. verifying a finite state system against a given temporal specification, to the problem of generating test inputs. The generated test inputs allow state characterization, i.e. the identification and verification of internal states of the software under test by observation of the input/output behavior only. A test model is derived semiautomatically from a given state based specification and the testing goal is specified in terms of temporal logic. On the basis of these inputs, a model checking tool performs the testing input generation automatically. In consequence, the complexity of our approach is depending on the input model, the testing goal, and the applied model checking algorithm. The presented approach can be adapted with small changes to other model checking tools. It is a capable test generation method, whenever a state based behavioral specification of the software under test exists. Furthermore, it provides a descriptive view on state based testing, which may be beneficial in other contexts, e.g. education and program comprehension.

View PDFchevron_right
Modelling and verification methodology for control systems
simon Collart-dutilleul

The modelling process is dedicated to analysing requirements and designing systems in order to formalize text or other representations of requirement specifications. Verification is the qualification process that allows detection or prevention of defects in system design. A great variety of approaches of modelling and verification have been proposed in requirements engineering. Many of them have been widely used in the industry in recent years to. The diversity of techniques is the source of interoperability and portability weaknesses between projects and experts. This can lead to a large number of complex notations and methods that have to be understood. The expertise of many domains while necessary, is not always achievable. The present work focuses on improving the performances of the modelling and the verification processes through the reuse of specific domain knowledge distributed among different similar projects. The methodology is for developing complex real-time control systems.

View PDFchevron_right
C2E2: A Verification Tool for Stateflow Models
Sayan Mitra

Tools and Algorithms for the Construction and Analysis of Systems, 2015

Mathworks' Stateflow is a predominant environment for modeling embedded and cyber-physical systems where control software interacts with physical processes. We present Compare-Execute-Check-Engine (C2E2)-a verification tool for continuous and hybrid Stateflow models. It checks bounded time invariant properties of models with nonlinear dynamics, and discrete transitions with guards and resets. C2E2 transforms the model, generates simulations using a validated numerical solver, and then computes reachtube over-approximations with increasing precision. For this last step it uses annotations that have to be added to the model. These annotations are extensions of proof certificates studied in Control Theory and can be automatically obtained for linear dynamics. The C2E2 algorithm is sound and it is guaranteed to terminate if the system is robustly safe (or unsafe) with respect to perturbations of guards and invariants of the model. We present the architecture of C2E2, its workflow, and examples illustrating its potential role in model-based design, verification, and validation. 1 Introduction Cyber-physical systems (CPS) are systems that involve the close interaction between a software controller and a physical plant. The state of the physical plant evolves continuously with time and is often modeled using ordinary differential equations (ODE). The software controller, on the other hand, evolves through discrete steps and these steps influence the evolution of the physical process. This results in a "hybrid" behavior of discrete and continuous steps that makes the formal analysis of these models particularly challenging, so much so, that even models that are mathematically extremely simple are computationally intractable. In addition, many physical plants have complicated continuous dynamics that are described by nonlinear differential equations. Such plants, even without any interaction with a controlling software, are often unamenable to automated analysis. On the other hand, the widespread deployment of CPS in safety critical scenarios like automotives, avionics, and medical devices, have made formal, automated analysis of such systems necessary. This is evident from the extensive activity in the research community [20,19,7]. Given the challenges of formally verifying CPS, the sole analysis technique that is commonly used to analyze nonlinear systems is numerical simulation. However, given the large, uncountable space of behaviors, using numerical simulations

View PDFchevron_right

References (16)

  1. BBD + 99] Tom Bienm uller, Udo Brockmeyer, Werner Damm, Gert D ohmen, Claus E mann, Hans-J urgen Holberg, Hardi Hungar, Bernhard Josko, Rainer Schl or, Gunnar Wittich, Hartmut Wittke, Geo rey Clements, John Row- lands, and Eric Sefton. Formal Veri cation of an Avionics Application using Abstraction and Symbolic Model Checking. In Felix Redmill and Tom Anderson, editors, Towards System Safety { Proceedings of the Sev- enth Safety-critical Systems Symposium, Huntingdon, UK, pages 150{173. Safety-Critical Systems Club, Springer Verlag, 1999.
  2. S. Bensalem, A. Bouajjani, C. Loiseaux, and J. Sifakis. Property preserving simulations. In G.v. Bochmann and D.K. Probst, editors, 4th Int. Workshop on Computer Aided Veri cation, LNCS 663, pages 260{273. Springer, 1992.
  3. BDG + 98] J. Bohn, W. Damm, O. Grumberg, H. Hungar, and K. Laster. First-order CTL model checking. In V. Arvind and R. Ramanujam, editors, FSTTCS 98, LNCS 1530, pages 283{294, 1998.
  4. Bri99] Henning Brinkmann. Veri kation eines hybriden Steuersystems mit Hilfe erweiterter Abstraktionsmethoden. Master's thesis, Carl von Ossietzky Universit at Oldenburg, February 1999.
  5. Randal E. Bryant. Symbolic boolean Manipulation with ordered Binary- Decision Diagrams. ACM Comp. Surveys, 24:293{318, 1992.
  6. Edmund M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic veri ca- tion of nite state concurrent systems using temporal logic speci cations: A practical approach. In Procceedings of the 10th ACM Symposium on Principles of Programming Languages, pages 117{126, 1983.
  7. Edmund M. Clarke, Orna Grumberg, and David E. Long. Model checking and abstraction. In ACM Transactions on Programming Languages and Systems, volume 16, pages 1512{1542, September 1994.
  8. Werner Damm, Bernhard Josko, Hardi Hungar, and Amir Pnueli. A compo- sitional real-time semantics of STATEMATE designs. In W.-P. de Roever, editor, Proceedings, International Symposium on Compositionality { The Signi cant Di erence, LNCS 1536, pages 186{238. Springer-Verlag, 1998.
  9. W. Damm, B. Josko, and R. Schl or. Speci cation and veri cation of VHDL- based system-level hardware designs. In E. B orger, editor, Speci cation and Validation Methods, pages 331{410. Oxford Univ. Press, 1995.
  10. H. Hungar, O. Grumberg, and W. Damm. What if model checking must be truly symbolic. In P. Camurati and H. Eveking, editors, CHARME 95, LNCS 987, pages 1{20. Springer Verlag, 1995.
  11. T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. HyTech: A model checker for hybrid systems. Software Tools for Technology Transfer, 1:110{122, 1997.
  12. C.A.R. Hoare. An axiomatic basis for computer programming. Communi- cations of the ACM, 12:576{583, 1969.
  13. Jos93] Bernhard Josko. Modular Speci cation and Veri cation of Reactive Sys- tems. Carl von Ossietzky Universit at Oldenburg, 1993. Habiltationsschrift.
  14. R.P. Kurshan. Formal veri cation in a commercial setting. In Proc. 34th Design Automation Conference, pages 258{262, 1997.
  15. Kenneth L. McMillan. Symbolic Model Checking. Kluwer Academic Pub- lishers, 1993.
  16. Pierre Wolper. Expressing interesting properties of programs in proposi- tional temporal logic. In Proceedings of the 13th Annual ACM Symposium in Principles of Programming Languages, pages 184{193, 1986.

Related papers

Formal Verification of Automotive Simulink Controller Models: Empirical Technical Challenges, Evaluation and Recommendations
Joost-Pieter Katoen

Lecture Notes in Computer Science, 2018

The automotive industry makes increasing usage of Simulink-based software development. Typically, automotive Simulink designs are analyzed using non-formal test methods, which do not guarantee the absence of errors. In contrast, formal verification techniques aim at providing formal guarantees or counterexamples that the analyzed designs fulfill their requirements for all possible inputs and parameters. Therefore, the automotive safety standard ISO 26262 recommends the usage of formal methods in safety-critical software development. In this paper, we report on the application of formal verification to check discrete-time properties of a Simulink model for a park assistant R&D prototype feature using the commercial Simulink Design Verifier tool. During our evaluation, we experienced a gap between the offered functionalities and typical industrial needs, which hindered the successful application of this tool in the context of model-based development. We discuss these issues and propose solutions related to system development, requirements specification and verification tools, in order to prepare the ground for the effective integration of computer-assisted formal verification in automotive Simulink-based development.

View PDFchevron_right
A novel verification technique for control units
Mossaad Ben Ayed

2013

Abstract—Due to the complexity and heterogeneity of systems, design and verification environments are widely requested. Such systems combine into continuous and discrete models. The main problem is the difference of algorithms between continuous and discrete simulators. The industrial tool Matlab/Simulink is widely used in modeling systems. The main advantage of this tool is its ability to model in a common formalism the software and its physical environment. Unfortunately, Matlab/Simulink still suffers from many limits in modeling and verification. Due to the multidisciplinary nature of advanced systems and to overcome these limits in modeling and verification, several tools based on combined language are adopted. This paper describes a novel verification technique for Control Units. A synchronization model between Matlab/Simulink and a real board is presented. KeywordsHIL, Co-design, Simulator, Emulator, Verification, Simulink.

View PDFchevron_right
HyTech: A model checker for hybrid systems
Pei-Hsin Ho

Computer Aided Verification, 1997

A hybrid system consists of a collection of digital programs that interact with each other and with an analog environment. Examples of hybrid systems include medical equipment, manufacturing controllers, automotive controllers, and robots. The formal analysis of the mixed digital-analog nature of these systems requires a model that incorporates the discrete behavior of computer programs with the continuous behavior of environment variables, such as temperature and pressure. Hybrid automata capture both types of behavior by combining finite automata with differential inclusions (i.e. differential inequalities). HYTECH is a symbolic model checker for linear hybrid automata, an expressive, yet automatically analyzable, subclass of hybrid automata. A key feature of HYTECH is its ability to perform parametric analysis, i.e. to determine the values of design parameters for which a linear hybrid automaton satisfies a temporal requirement. From finite to hybrid automata. Model checking Ill, 39], and in particular symbolic model checking [10] (i.e. the manipulation of state sets rather than individual states), has been proven an effective technique for the automatic analysis of complex finite-state systems. The first extensions of discrete models toward mixed discrete

View PDFchevron_right
On the applicability of hybrid systems safety verification tools from the automotive perspective
Erika Abraham

International Journal on Software Tools for Technology Transfer, 2023

Traditionally, extensive vehicle testing is applied to assure the robustness and safety of automotive systems. This approach is highly challenged by increasing system complexity. Formal verification lends a powerful framework for model-based safety assurance, but due to the mixed discrete-continuous behavior of automotive systems, traditional tools for discrete program verification are helpful but not sufficient. In academia, during the last two decades new approaches arose for the formal verification of such mixed discrete-continuous systems. However, the industry is not fully aware of this development, the tools are seldom tried and their applicability is not well examined. In a Ford-RWTH research alliance project, we aimed at evaluating the potential of knowledge and technology transfer in this area. This paper has two main objectives. Firstly, we want to report on the state-of-the-art in the above-mentioned academic development in a generally understandable form, targeted to interested potential users. Secondly, we want to share our observations after testing different available tools for their applicability and usability in the automotive sector and as a conclusion devise some recommendations.

View PDFchevron_right
A new approach for modeling and verification of discrete control components within a Modelica environment
Jürgen Haufe

2008

The paper presents the use of a subset of UML State-charts to model discrete control components together with the physical model within a Modelica simula-tion environment. In addition, we show how state-charts can also be used to describe assertions charts for checking the compliance of user defined model properties and model behaviour during simulation. As the main difference to other approaches, neither Modelica language enhancements nor special librar-ies are necessary. The statechart model is automati-cally mapped onto standard Modelica constructs and can be simulated with any common Modelica stan-dard simulator. Controlled by the user, the Modelica model can be automatically instrumented by addi-tional Modelica code to examine the state coverage and transition coverage during simulation.

View PDFchevron_right

Related topics

  • Engineering
  • Computer Science
  • Formal Verification
  • Automotive control systems

    • Cited by

    Guaranteed Termination in the Verification of Ltl Properties of Non-linear Robust Discrete Time Hybrid Systems
    Guilherme Pinto

    International Journal of Foundations of Computer Science, 2007

    We present a novel approach to the automatic verification and falsification of LTL requirements of non-linear discrete-time hybrid systems. The verification tool uses an interval-based constraint solver for non-linear robust constraints to compute incrementally refined abstractions. Although the problem is in general undecidable, we prove termination of abstraction refinement based verification and falsification of such properties for the class of non-linear robust discrete-time hybrid systems. We argue, that-in industrial practice-safety critical control applications give rise to hybrid systems that are robust. We give first results on the application of this approach to a variant of an aircraft collision avoidance protocol.

    View PDFchevron_right
    Automatic Verification of Hybrid Systems with Large Discrete State Space
    Werner Damm

    Lecture Notes in Computer Science, 2006

    We address the problem of model checking hybrid systems which exhibit nontrivial discrete behavior and thus cannot be treated by considering the discrete states one by one, as most currently available verification tools do. Our procedure relies on a deep integration of several techniques and tools. An extension of AND-Inverter-Graphs (AIGs) with first-order constraints serves as a compact representation format for sets of configurations which are composed of continuous regions and discrete states. Boolean reasoning on the AIGs is complemented by firstorder reasoning in various forms and on various levels. These include implication checks for simple constraints, test vector generation for fast inequality checks of boolean combinations of constraints, and an exact subsumption check for representations of two configurations. These techniques are integrated within a model checker for universal CTL. Technically, it deals with discrete-time hybrid systems with linear differentials. The paper presents the approach, its prototype implementation, and first experimental data.

    View PDFchevron_right
    Verifying Statemate Statecharts Using CSP and FDR
    Bill Roscoe

    Formal Methods and Software Engineering, 2006

    We propose a framework for the verification of statecharts. We use the CSP/FDR framework to model complex systems designed in statecharts, and check for system consistency or verify special properties within the specification. We have developed an automated translation from statecharts into CSP and exploited it in both theoretical and practical senses.

    View PDFchevron_right
    The Statemate Verification Environment
    Werner Damm

    Lecture Notes in Computer Science, 2000

    The Statemate Verification Environment supports requirement analysis and specification development of embedded controllers as part of the Statemate product offering of I-Logix, Inc. This paper discusses key enhancements of the prototype tool reported in [2,5] in order to enable full scale industrial usage of the tool-set. It thus reports on a successfully completed technology transfer from a prototype tool-set to a commercial offering. The discussed enhancements are substantiated with performance results all taken from real industrial applications of leading companies in automotive and avionics.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved