WO2020224786A1 - Method and system for graphical editing of formulas for requirements and specification modelling as well as for formal verification - Google Patents

Method and system for graphical editing of formulas for requirements and specification modelling as well as for formal verification Download PDF

Info

Publication number
WO2020224786A1
Authority
WO
WIPO (PCT)
Prior art keywords
formula
generated
features
requirements
solution space
Application number
PCT/EP2019/061941
Other languages
French (fr)
Inventor
Jan Götz
Andrés Botero Halblaub
Jan Richter
Original Assignee
Siemens Aktiengesellschaft
Priority date
2019-05-09 (Google notes that the priority date is an assumption and not a legal conclusion.)
Filing date
2019-05-09
Publication date
2020-11-12
Application filed by Siemens Aktiengesellschaft
Priority to PCT/EP2019/061941
Publication of WO2020224786A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00 Computer-aided design [CAD]
    • G06F30/30 Circuit design
    • G06F30/31 Design entry, e.g. editors specifically adapted for circuit design
    • G06F30/32 Circuit design at the digital level
    • G06F30/33 Design verification, e.g. functional simulation or model checking
    • G06F30/3308 Design verification, e.g. functional simulation or model checking using simulation
    • G06F30/3323 Design verification, e.g. functional simulation or model checking using formal methods, e.g. equivalence checking or property checking

Abstract

For most current projects, requirements are represented only informally, in natural language, which is not exact and leaves room for interpretation. When such requirement representations are consumed by a party other than the author, they often do not convey the intended behavior. The purpose of the present invention is to provide a method and a system that improve the situation described above by introducing a simple and intuitive modelling method for formulas/requirements that can also be used without verification expert knowledge.

Description

Method and System for graphical editing of formulas for requirements and specification modelling as well as for formal verification
Background of the invention
With formal verification methods, a computer program or system model can be mathematically checked for correctness. In theoretical computer science, correctness of an algorithm is asserted when the algorithm is said to be correct with respect to a specification. Functional correctness refers to the input-output behavior of the algorithm (i.e., for each input it produces the expected output); partial correctness requires that if an answer is returned it will be correct, whereas total correctness additionally requires that the algorithm terminates. To perform a verification task, mathematical formulas are needed which describe the correct behavior. For time-dependent systems, this can be done with signal temporal logic (STL), for example.
Many standards (e.g. ISO 26262, Road vehicles - Functional safety, or IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems), especially for safety-critical systems, recommend a semi-formal or formal notation of requirements. However, establishing the correct mathematical formulas for the verification is a complicated and time-consuming task, which is mostly done by verification experts. Additionally, the further processing of STL formulas and their usage for verification and testing is challenging.
State of the Art
For most current projects, the requirements are represented only informally in natural language, which is not exact and leaves room for interpretation. When consumed by a party other than the author, these requirement representations often do not represent the intended behavior.
Additionally, requirements in this form cannot be used for further verification tasks. In order to generate correct mathematical formulas for the verification task, there are currently two different options:
Either the formulas are modelled by a verification expert, in the form of blocks, e.g. in Simulink Design Verifier, or directly as formulas.
Or the formulas are transferred from natural text into a formal format, e.g. via template mechanisms or user-assisted transformation.
The latter can, for example, be done with BTC Embedded Specifier and Argosim Stimulus, which support users while importing natural language requirements. Then individual expressions or events within these requirements need to be identified as so-called macros. The macros finally need to be structured to define their relation and timing behavior and mapped to the real objects.
One possible approach is described in the paper "Events and Constraints: A Graphical Editor for Capturing Logic Requirements of Programs" by M.H. Smith, G.J. Holzmann and K. Etessami, conference paper, January 2001. The document can be found at https://www.researchgate.net/publication/221221992
Description of the invention
The purpose of the present invention is to provide a method and a system that improve the situation described above by introducing a simple and intuitive modelling method for formulas/requirements that can also be used without verification expert knowledge. This task is solved by the method according to the features of patent claim 1 and by a system according to the features of patent claim 8.
The proposed method for editing a formula for the purpose of formal verification of a computer program or system model has the following steps, which are depicted by way of example in Figure 3:
a) the formula is generated in a tool that is suitable to process input with a graphical editor, by choosing at least one element in a tool palette (31) of that graphical editor, the elements representing conditions and/or restrictions that the computer program or system model must comply with, and placing it in the graphical editor (32),
b) the tool generating the formula (35) by using the information about kind and location of the at least one placed element,
c) using the generated formula to calculate a solution space,
d1) visualizing the calculated solution space in the graphical editor (33),
d2) transferring the generated formula to an engine suitable for simulation or model-checking for generating signals that fulfil the conditions and/or restrictions of the computer program or system model,
e1) going to step a) by adding at least one further element representing conditions and/or restrictions, for refinement of the formula and calculated solution space, or
e2) transferring the generated formula to an executable representation for the formal verification.
Advantageous developments of the claimed objects can be found in the subordinate claims.
The advantageous algorithm is divided into two steps:
in a first step, editing the correct (e.g. STL, Signal Temporal Logic) formula in an interactive editor, and
in a second step, usage of the (STL) formula by a specification analyzer or model checker,
which are both discussed in detail in the following. The combination of a graphical editor with methods from analytical geometry, simulation and model checking allows an intuitive modelling of requirements with direct feedback to the user.
The drawings shall clearly show the interaction of the individual features and emphasize the essentials of the invention, whereas
Figure 1 depicts a high-level architecture of the process,
Figure 2 shows a time-frequency logic example,
Figure 3 illustrates a first workflow for modelling requirements and using the generated formula,
Figure 4 shows a further, more complex example of workflows according to the invention, and
Figure 5 shows an example of the transformation of a problem into a piece-wise affine/linear problem.
A general workflow of the claimed invention is illustrated in detail in Figure 4:
(1) The user chooses an element from the tool palette 441 and places it in the editor 41. The elements represent conditions and restrictions for the requirements of the chosen task.
(2) The tool generates the corresponding formula in the background, in this case (but not exclusively) the signal temporal logic formula <>_{N=5}(a >= 2), equivalent to the natural language expression: eventually, within the next five time steps, variable a shall be larger than or equal to 2.
(3) The tool transfers the formula to the analytical geometry engine, which calculates the solution space and visualizes it in the editor, 42, possibly triggered by user input, or automatically in the background. This step furthermore aids the debugging of specifications.
(4) The tool transfers the formula to the model-checking engine or simulation engine 43, depending on the use case, which generates signals fulfilling the constraints, again triggered either by user input or self-triggered.
(5) Further steps, starting over with point (1), additionally reduce the solution space and generate new valid signals, 44.
(6) The generated formula can be transferred to an executable representation 453 and used for testing (45) or to a verifier (46), which can formally check the system for correctness.
Figure 1 depicts a high-level architecture of the process and the architecture for the requirements editor with transformation and applications in simulation and verification, respectively. Figure 4 shows some of the details of the same architecture.
From the STL formula, 12, generated from the elements entered by a user over a GUI, 11, an automaton is generated, which can be used together with a formal representation of the system by a formal verifier to verify the correctness of the system against the specification. Further artifacts can be generated, e.g. constraints for an optimization problem, inputs for a symbolic math solver, inputs for SMT solvers, and others.
The user specifies the requirements using the tool palette (left), 441, and the interactive editor (center), 44. When drawing in the editor, the remaining solution space and possible signal traces are shown. The corresponding formula is generated (right) and can be used for verification or testing.
In the editing step, advantageously a grammar 15 for creating STL (Signal Temporal Logic) formulas 12 can be used, which restricts the possible usage and placement of the objects from the palette on the canvas and helps the user to formulate correct formulas. The generated STL equations are the central representation of the constraints, which are then transferred to the different domains. The grammar is used by a compiler 16 transforming the formulas to an automaton 17, and by a specification prover 10, which can be used for verification 19 and testing respectively, 10/46 (Verifier). Additionally, the formulas are transformed and used by a solver 14 (e.g. a constraint solver in combination with techniques from analytical geometry) to calculate the remaining solution space of the system. The result is used by a simulation to calculate valid traces in the solution space, which are then shown together with the remaining space in the GUI. This gives direct feedback to the user.
In the following, we use a discrete-time version of the well-established signal temporal logic (STL, see Maler, Oded, and Dejan Nickovic, "Monitoring temporal properties of continuous signals", Formal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems, Springer Berlin Heidelberg, 2004, pages 152-166) to model behavioral requirements specifications.
The grammar of STL is given in Backus-Naur form as follows:
F ::= μ | ¬F | F ∨ F | ○F | F U F
where
¬ is the logical negation,
∨ is the disjunction,
○ is the next operator, and
U is the until operator.
The atomic logical proposition μ_j is connected to a possibly vector-valued signal s by means of the abstraction
(1) μ_j(t) ≙ (aᵀ s(t) - b > 0),
where aᵀs - b is an affine scalar-valued function mapping the signal s to a real number, and (·)ᵀ denotes transposition.
≙ (or ≜) stands for the estimates ("is defined as") operator.
The proposition μ_j(t) is true at time t if and only if the inequality is fulfilled by the signal s(t) at time t. Further operators such as implication ==>, equivalence <==>, henceforth [] and eventually <> are derived from the basic operators.
The invention shall also cover the case where the signal abstraction (1) is a non-linear function f, i.e.
(2) μ_j(t) ≙ (f(s(t)) > 0).
Nonlinear functions are not used in this description, since they lead to the computationally harder class of mixed-integer nonlinear optimization problems, which are more difficult to solve than the class of mixed-integer linear problems arising from (1). This type of problem can be simplified by transforming it into a piece-wise affine/linear problem. This step can be automated such that an optimizer tries to reduce the gap between the nonlinear path and the piece-wise linear approximation. See Figure 5, where the blue curve is fitted automatically by the three PWA curves A, B, C.
The following steps indicate the usage of the STL formula for a test result validity check by a specification prover 10.
The automaton or test harness is generated directly from the STL formula 18. The algorithmic generation of a specification prover is based on the STL formula generated from the GUI, which is transformed either to a logic statement or to a mixed-integer algebraic MILP (Mixed Integer Linear Programming) equivalent and solved with the corresponding solvers. This is explained in the following steps for a simplified version of the STL formula from above.
1. Solving with a logic statement (see Figure 1):
The time dependencies of (STL) formulas have to be unfolded, and the time vectors from the system simulation are used to further define the logic statement problem. The problem is solved with a SAT ("satisfiability") solver. The solution renders true if the (STL) conditions hold and false otherwise. The procedure is explained for a simplified extract of the previous example through the following steps:
1) Spec = (2 < a_{t=1} < 9) ∧ (2 < a_{t=2} < 9) ∧ ... ∧ (2 < a_{t=N} < 9)
2) Replace the values of the variable with those from the simulation:
(a_{t=1} = 3), (a_{t=2} = 5), ..., (a_{t=N} = 8)
3) Subsequently compute the satisfiability of the specification statement.
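As an added worked example (not code from the patent or its inventors), the following Python checker implements the discrete-time STL grammar and abstraction (1) given above, derives conjunction, implication, eventually and henceforth from the basic operators, and replays both the workflow formula <>_{N=5}(a >= 2) and the SAT-style check of steps 1) to 3) by substituting simulated values for a_t. The finite-trace conventions (next is false at the last sample, a bounded until is cut off at the trace end, and "a >= 2" uses a non-strict variant of (1)) and all function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Union

# Added example, not the patent's code.  Discrete-time STL over a finite trace:
# trace[t] is the (possibly vector-valued) sample s(t), t = 0 .. len(trace)-1.
Sample = Sequence[float]
Trace = Sequence[Sample]

# Syntax, following the page's grammar  F ::= mu | not F | F or F | next F | F until F
@dataclass(frozen=True)
class Atom:                  # mu_j(t) := (a^T s(t) - b > 0), abstraction (1) of the page
    a: Sequence[float]
    b: float
    strict: bool = True      # assumption: strict=False gives ">= 0", needed for "a >= 2"

@dataclass(frozen=True)
class Not: f: "Formula"

@dataclass(frozen=True)
class Or: left: "Formula"; right: "Formula"

@dataclass(frozen=True)
class Next: f: "Formula"

@dataclass(frozen=True)
class Until:
    left: "Formula"
    right: "Formula"
    bound: Optional[int] = None   # None = unbounded; N = right must hold within N steps

Formula = Union[Atom, Not, Or, Next, Until]

# Derived operators, built only from the basic ones (as the page states)
TRUE = Atom(a=(), b=-1.0)                      # 0 - (-1) > 0 holds for every sample
def and_(f: Formula, g: Formula) -> Formula: return Not(Or(Not(f), Not(g)))
def implies(f: Formula, g: Formula) -> Formula: return Or(Not(f), g)
def eventually(f: Formula, bound: Optional[int] = None) -> Formula: return Until(TRUE, f, bound)
def always(f: Formula, bound: Optional[int] = None) -> Formula: return Not(eventually(Not(f), bound))

# Semantics: does formula f hold on `trace` at time t?
def sat(f: Formula, trace: Trace, t: int = 0) -> bool:
    n = len(trace)
    if isinstance(f, Atom):
        v = sum(ai * si for ai, si in zip(f.a, trace[t])) - f.b
        return v > 0 if f.strict else v >= 0
    if isinstance(f, Not):
        return not sat(f.f, trace, t)
    if isinstance(f, Or):
        return sat(f.left, trace, t) or sat(f.right, trace, t)
    if isinstance(f, Next):                      # assumption: no next sample -> false
        return t + 1 < n and sat(f.f, trace, t + 1)
    if isinstance(f, Until):
        last = n - 1 if f.bound is None else min(n - 1, t + f.bound)
        for j in range(t, last + 1):             # left must hold at every step before
            if sat(f.right, trace, j):           # the first step where right holds
                return True
            if not sat(f.left, trace, j):
                return False
        return False                             # right never seen within the window
    raise TypeError(f"unknown formula node {f!r}")

# The page's two worked formulas over a scalar signal a
def eventually_a_ge_2_within(n: int = 5) -> Formula:
    """<>_{N=n}(a >= 2): within the next n steps, a shall be >= 2."""
    return eventually(Atom(a=(1.0,), b=2.0, strict=False), bound=n)

def spec_2_lt_a_lt_9() -> Formula:
    """Spec = AND_t (2 < a_t < 9), i.e. henceforth (a - 2 > 0) and (9 - a > 0)."""
    return always(and_(Atom(a=(1.0,), b=2.0), Atom(a=(-1.0,), b=-9.0)))

def check(f: Formula, simulated_a: Sequence[float]) -> bool:
    """Steps 2) and 3) of the page: substitute simulated values for a_t, then evaluate."""
    return sat(f, [(v,) for v in simulated_a], 0)

if __name__ == "__main__":
    print(check(eventually_a_ge_2_within(5), [0, 1, 1, 3]))   # True
    print(check(spec_2_lt_a_lt_9(), [3, 5, 8]))               # True for the page's values
    print(check(spec_2_lt_a_lt_9(), [3, 5, 9]))               # False, since 9 is not < 9
```

Because the trace is finite, `always` over an unbounded horizon only certifies the observed prefix; a violation after the last simulated sample cannot be detected, which is the usual caveat for monitoring a specification against simulation output.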
2. Solving the algebraic representation of the specification (see Figure 1): the algebraic constraints derived from the specification serve as constraints for an optimizer. By extending these constraints with the resulting vectors from the simulation of the system under test, the specification satisfiability problem can be assessed using the solver's feasibility check.
Alternatively, an SMT (satisfiability modulo theories) solver can be used. The pre-solve step with a MILP solver determines whether the time vectors remain within the feasible space of the problem, thus rendering the problem feasible when the specification holds and infeasible otherwise. An example of the procedure is shown in the following steps for a simulation time horizon of N = 3:
1) Algebraic transformation of the STL formula
2) Insertion of results from the simulation:
a_i_1 = 3
a_i_2 = 5
a_i_3 = 8
3) Feasibility check through the MILP solver
In an advantageous variant of the disclosure, further classes of logics are used, such as time-frequency logic (TFL).
Time-frequency logic might be used to express musical tastes. Technical applications lie in specifying signal processing systems, noise and vibration properties, electromagnetic compatibility, and possibly other domains where relationships between timing and frequencies are important.
Time-frequency logic:
• Time domain: ℝ+
• Extends metric temporal logic (MTL) by signal abstractions
• Logic part defined by F ::= μ | ¬F | F ∨ F | ○F | F U F
• Signal abstraction through test functions μ_j = (f_j(s) ≤ 0), see above
• Windowed (g_L) frequency analysis through the short-time Fourier transform (STFT)
where
F describes the grammar of the logic part,
○ is the next operator, and
U is the until operator,
s is the signal,
j indexes the possible vector components of μ,
[the STFT definition is given as an image in the original; its symbols are:]
ω is the frequency,
τ is the time index,
g_L is the window function,
t is the time,
and these detector signals are connected to the logic like other real signals via abstraction.
Figure 2 shows a time frequency logic example for the above described mechanism.
The visual editing of formal requirements in combination with the direct feedback of the solution space is not known in the state of the art. The described advantages are achieved by representing formula elements with graphical elements and by combining different methods from simulation, analytical geometry, and visualization with model-transformation methods. The representation of the formula is then used as a central starting point and transformed to different domains using compilers and model transformation techniques. In an advantageous embodiment of the invention, a grammar for STL formulas is used in the editing step to guarantee a correct STL formula. The grammar is also reused by the subsequent model transformation methods and the compiler.
Furthermore, the generation of a logic statement or an algebraic MILP from the STL formula and their usage in a specification prover to show the correctness of system traces is novel.
The modelling of formulas and requirements is made simple and intuitive such that it can be done without specific STL or requirements modelling expert knowledge. Direct feedback allows the requirements to be understood during modelling, which reduces errors because there is no room for interpretation during the formal modelling.
The creation of a test harness from the graphical representation for the testing of simulations and the setup of the verification happens directly.

Claims

Patent claims
1. Method for editing a formula for the purpose of formal verification of a computer program or system model with the following steps:
a) the formula is generated in a tool that is suitable to process input with a graphical editor, by choosing at least one element in a tool palette (31) of that graphical editor, the elements representing conditions and/or restrictions that the computer program or system model must comply with, and placing it in the graphical editor (32),
b) the tool generating the formula (35) by using the information about kind and location of the at least one placed element,
c) using the generated formula to calculate a solution space,
d1) visualizing the calculated solution space in the graphical editor (33),
d2) transferring the generated formula to an engine suitable for simulation or model-checking for generating signals that fulfil the conditions and/or restrictions of the computer program or system model,
e1) going to step a) by adding at least one further element representing conditions and/or restrictions, for refinement of the formula and calculated solution space, or
e2) transferring the generated formula to an executable representation for the formal verification.
2. Method according to the features of patent claim 1, characterized in that the generated formula is drafted in the Signal Temporal Logic (STL) language.
3. Method according to the features of one of the preceding patent claims, characterized in that
the editor is interactive in that signal traces are shown in addition to the generated solution space.
4. Method according to the features of one of the preceding patent claims 2 or 3, characterized in that a grammar for the creation of STL formulas is defined, which restricts the usage and placement of the elements in the graphical editor in step a) to possible input only.
5. Method according to the features of patent claim 4, characterized in that
the generated formula is used by a solver to calculate the remaining solution space.
6. Method according to the features of patent claim 5, characterized in that
the generated formula is used by a simulation tool to calculate valid signal traces.
7. Method according to the features of one of the preceding patent claims, characterized in that
further classes of logics are used, in particular time-frequency logic (TFL).
8. Apparatus for carrying out one of the methods, specified through the features of one of the patent claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2019/061941 WO2020224786A1 (en) 2019-05-09 2019-05-09 Method and system for graphical editing of formulas for requirements and specification modelling as well as for formal verification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2019/061941 WO2020224786A1 (en) 2019-05-09 2019-05-09 Method and system for graphical editing of formulas for requirements and specification modelling as well as for formal verification

Publications (1)

Publication Number Publication Date
WO2020224786A1 true WO2020224786A1 (en) 2020-11-12

Family

ID=66685568

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2019/061941 WO2020224786A1 (en) 2019-05-09 2019-05-09 Method and system for graphical editing of formulas for requirements and specification modelling as well as for formal verification

Country Status (1)

Country Link
WO (1) WO2020224786A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140109036A1 (en) * 2012-10-15 2014-04-17 The Regents Of The University Of California Systems and Methods for Mining Temporal Requirements from Block Diagram Models of Control Systems

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
DILLON L K ET AL: "A graphical interval logic for specifying concurrent systems", ACM TRANSACTIONS ON SOFTWARE ENGINEERING AND METHODOLOGY, ASSOCIATION FOR COMPUTING MACHINERY, NEW YORK, US, vol. 3, no. 2, 1 April 1994 (1994-04-01), pages 131 - 165, XP058144806, ISSN: 1049-331X, DOI: 10.1145/192218.192226 *
KUTTY G ET AL: "Visual tools for temporal reasoning", VISUAL LANGUAGES, 1993., PROCEEDINGS 1993 IEEE SYMPOSIUM ON BERGEN, NORWAY 24-27 AUG. 1993, LOS ALAMITOS, CA, USA,IEEE COMPUT. SOC, US, 24 August 1993 (1993-08-24), pages 152 - 159, XP010032707, ISBN: 978-0-8186-3970-8, DOI: 10.1109/VL.1993.269591 *
SMITH M H, HOLZMANN G J, ETESSAMI K: "Events and Constraints: A Graphical Editor for Capturing Logic Requirements of Programs", conference paper, January 2001 (2001-01-01)
MALER, ODED; NICKOVIC, DEJAN: "Monitoring temporal properties of continuous signals", in "Formal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems", Springer, 2004, pages 152 - 166
MOSER L E ET AL: "A graphical environment for the design of concurrent real-time systems", ACM TRANSACTIONS ON SOFTWARE ENGINEERING AND METHODOLOGY, ASSOCIATION FOR COMPUTING MACHINERY, NEW YORK, US, vol. 6, no. 1, 1 January 1997 (1997-01-01), pages 31 - 79, XP058144755, ISSN: 1049-331X, DOI: 10.1145/237432.237438 *


Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 19727844; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 19727844; Country of ref document: EP; Kind code of ref document: A1)