Formal Methods for the Analysis of Critical Control Systems Models: Combining Non-linear and Linear Analyses
Authors
A. Champion, R. Delmas, M. Dierkes, P.L. Garoche, P. Roux

Abstract
Critical control systems are often built as a combination of a control core with safety mechanisms that allow recovery from failures, for example a PID controller used with triplicated inputs and voting. Typically these systems are designed at the model level, in a synchronous language like Lustre or in Simulink, and their code is automatically generated from these models. We present a new analysis framework combining the analysis of open-loop stable controllers with safety constructs (redundancy, voters, ...). We introduce the basic analysis approaches: abstract interpretation synthesizing quadratic invariants, and backward analysis based on quantifier elimination and convex hull computation synthesizing linear invariants. We then apply the framework to a simple but representative example that no other available state-of-the-art technique is able to analyze. This contribution is another step towards the early use of formal methods for critical embedded software such as that of the aerospace industry.

1 Control-Command Software Focused Analyses to Address V&V and Certification Needs

The aerospace industry is notoriously faced with highly critical issues. The safety of systems must be guaranteed even when the cost of ensuring safety is high. In the development costs of the Boeing 777 [8], software accounts for a third of all costs. Within this third, 70% consists of verification costs while only 30% is devoted to software development. Other aircraft manufacturers report similar figures. The software-specific certification regulatory document, i.e. the recently updated DO-178C, characterizes different levels of criticality, from level A, the most critical, to level E, the least critical. Depending on the identified level, verification and validation activities are more or less intensive and therefore costly. This certification document has recently been updated and now comes with a formal methods supplement, identified as RTCA DO-333.

This supplement explicitly enables the use of formal methods for critical embedded software. Among the various systems of an aircraft, and their associated software, one of the most critical is the flight control system. Addressing the verification of such specific software seems a pertinent goal: proposing new ways to validate it could both increase the trust we have in the released software and reduce the cost of V&V by providing more automatic (and exhaustive) analysis means.

These reactive systems can be seen as the composition of two parts. The first is the computation core itself, achieving the main objective of the software: controlling the aircraft by receiving inputs from sensors and commanding the aircraft actuators. The second part tries to handle any possible failure of sensors or of the core system. This safety architecture is mainly based on information redundancy and fusion. These two parts are usually designed using a model-based approach. Control system modeling as proposed by The MathWorks with MATLAB Simulink, by Esterel Technologies with the SCADE language, or by the academic community with the Lustre language, is extensively used for reactive systems design and often allows the automatic generation of the embedded code. However, despite the existence of a few formal verification tools supporting these languages, few system builders actually rely on formal approaches to demonstrate safety properties of their software products. Recent advances in formal methods, as well as the evolution of certification standards, enable the deployment of formal methods in industry to analyze such systems. Formal methods can thus truly be considered a key technological advantage on the critical systems market.
Thanks to long-term research efforts, formal methods have matured to the point where industrial users found them helpful in dealing with the difficulties arising from highly complex system designs, and they enabled system providers to meet the requirements of certification, which are to:
– provide evidence of the system safety, and
– master the overall product life-cycle.

Our goal is to support the verification and validation of such systems against their whole specification, at the various stages of their development. This paper focuses on a representative running example: a controller for a physical device together with input triplication and voting. We show how we propose to analyze such systems by composing new-generation formal methods. The paper is structured as follows: Section 2 recalls the state of the art of formal methods in that context; Section 3 presents the running example in detail; Sections 4 and 5 introduce our contribution, two new automatic analyses; Section 6 illustrates the combined use of these new techniques on the example; and Section 8 presents the tools implementing these techniques.

2 State of the Art of Formal Methods

Since the early 60s, researchers have proposed multiple theoretical frameworks to analyze systems and programs. These techniques, based on formal foundations (mainly discrete mathematics and algebra), allow the exhaustive study of all the behaviors of some categories of systems, as opposed to test or simulation methodologies, which only cover the system traces identified by a collection of test scenarios. We briefly focus here on relevant techniques for the analysis of functional specifications of control systems. These techniques, from early academic work driven by industry needs to actually transferred technologies [18], are currently used in the aerospace industry, at different TRLs (footnote 4).
2.1 Abstract Interpretation

Abstract interpretation was first proposed in the 70s as a general framework in which to express static analyses. In practice, it has proven very efficient at computing numerical invariants over programs. The basic principle of this static analysis technique is to automatically compute an over-approximation of the set of all behaviors of the program (i.e. its semantics). This over-approximation is computed using abstract domains. The role of abstract domains is twofold: (1) they characterize the nature of the over-approximation that is performed; (2) they are equipped with a set of functions, the abstract primitives, which allow the abstract semantics to be computed. Each abstract domain corresponds to a given trade-off between precision (depending on the kind of properties it can infer) and efficiency (related to the computational complexity of its abstract primitives). A wide literature addresses the definition of abstract domains, and more specifically numerical abstract domains, e.g. intervals [5], polyhedra [6], or weaker but less costly domains such as zones [13] or octagons [14]. A success story of abstract interpretation is the complete analysis of the flight control systems of the Airbus A380 [12], which proved that no runtime error (out-of-bounds memory access or arithmetic exception) can occur. One of the domains used to perform this analysis is specifically focused on second-order linear filters. This domain is able to precisely over-approximate their set of reachable states. We present in this paper another similar abstraction that outperforms it in terms of expressiveness.

2.2 SMT-Based Verification Approaches

Satisfiability Modulo Theories
Satisfiability Modulo Theories (SMT) solvers are decision procedures for logical theories in which some atoms belong to certain decidable first-order theories such as linear real/integer arithmetic, the theory of bit-vectors, the theory of arrays (with read-over-write axioms), etc. Roughly speaking, these procedures are usually built by extending Boolean satisfiability procedures with a combination of dedicated background theory solvers [20]. SMT solvers are used as back-end reasoning engines in a wide range of formal verification applications, such as deductive methods, bounded model checking, k-induction, test case generation, etc.
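The behaviour behind the remark in Section 2.1 above that second-order linear filters need a dedicated abstract domain, shown as an added example that is not code from the paper or from its tools: the interval domain, with its join and a widening with thresholds (an assumed, common analyzer setting; the paper does not say which widening it uses), is run as a fixpoint iteration over two linear filters fed by an input u in [-1, 1]. On a first-order filter the iteration settles on a finite invariant. On a stable second-order filter the coordinate-wise over-approximation grows at every step, widening returns top, and the analysis proves nothing, although every concrete run stays small. The filter coefficients, the threshold list and the input sequence are constructed for the illustration.

```python
import math

# Added example (not from the paper): the interval abstract domain of
# Section 2.1 run on two linear recurrences with a bounded input.
# An interval is a pair (lo, hi); +/-inf means unbounded.
INF = math.inf

# Widening with thresholds (assumed setting): an unstable bound jumps to
# the next threshold instead of straight to infinity.
THRESHOLDS = (1.0, 2.0, 4.0, 8.0, 16.0, 32.0, 64.0, 128.0, INF)


def i_add(a, b):
    return (a[0] + b[0], a[1] + b[1])


def i_scale(k, a):
    # k is a non-zero constant, so k * inf never produces nan
    lo, hi = k * a[0], k * a[1]
    return (min(lo, hi), max(lo, hi))


def i_join(a, b):
    return (min(a[0], b[0]), max(a[1], b[1]))


def i_widen(old, new):
    lo, hi = old
    if new[0] < old[0]:
        lo = -next(t for t in THRESHOLDS if -t <= new[0])
    if new[1] > old[1]:
        hi = next(t for t in THRESHOLDS if t >= new[1])
    return (lo, hi)


def analyze_filter(coeffs, u=(-1.0, 1.0), widen_from=3, max_iter=50):
    """Interval analysis of the filter
         x_k = coeffs[0]*x_{k-1} + coeffs[1]*x_{k-2} + ... + u_k
    with state s = (x_{k-1}, ..., x_{k-n}) started at zero.
    Returns (invariant intervals for s, number of iterations)."""
    n = len(coeffs)
    state = [(0.0, 0.0)] * n
    for it in range(max_iter):
        # abstract transformer: one step of the recurrence on intervals
        new_x = u
        for c, s in zip(coeffs, state):
            new_x = i_add(new_x, i_scale(c, s))
        post = [new_x] + state[:-1]
        joined = [i_join(s, p) for s, p in zip(state, post)]
        if joined == state:
            return state, it            # post-fixpoint reached: an invariant
        if it >= widen_from:
            joined = [i_widen(s, j) for s, j in zip(state, joined)]
        state = joined
    return state, max_iter


def simulate(coeffs, inputs):
    """Concrete run of the same recurrence; returns max |x_k| observed."""
    n = len(coeffs)
    state = [0.0] * n
    peak = 0.0
    for u in inputs:
        x = u + sum(c * s for c, s in zip(coeffs, state))
        state = [x] + state[:-1]
        peak = max(peak, abs(x))
    return peak


def is_bounded(intervals):
    return all(math.isfinite(lo) and math.isfinite(hi) for lo, hi in intervals)


if __name__ == "__main__":
    # first-order filter x_k = 0.5 x_{k-1} + u_k: intervals converge to [-2, 2]
    print(analyze_filter([0.5]))
    # stable second-order filter x_k = 1.5 x_{k-1} - 0.7 x_{k-2} + u_k
    # (both poles have modulus sqrt(0.7) < 1): intervals blow up to top
    inv, _ = analyze_filter([1.5, -0.7])
    print(inv, is_bounded(inv))
    # ...while a concrete run with |u| <= 1 stays well below 12
    print(simulate([1.5, -0.7], [1.0 if k % 7 < 4 else -1.0 for k in range(500)]))
```

The divergence is a property of the domain, not of the filter: the interval transformer treats x_{k-1} and x_{k-2} as independent, so each step multiplies the width by about 1.5 + 0.7 = 2.2, even though the pair (x_{k-1}, x_{k-2}) is confined to an ellipse. That correlation is exactly what a quadratic (ellipsoid) domain keeps and an interval, zone or octagon domain loses.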
Recently, the SMT-LIB initiative (http://www.smtlib.org/) has gathered major SMT-solver developers around a standardized formula and solver command language. The SMT-LIB 2.0 standard introduced specific features easing the implementation of incremental verification approaches like BMC or k-induction.

Footnote 4: Technology Readiness Levels as defined by NASA; see http://esto.nasa.gov/files/trl_definitions.pdf

Quantifier Elimination
Given a first-order formula over Boolean, real or integer variables ∃x. F(x, y1, ..., yn), where F is quantifier-free, quantifier elimination generates a new formula G(y1, ..., yn) ≡ ∃x. F(x, y1, ..., yn) by eliminating the quantified variable x from F. Slightly rephrased, quantifier elimination generates a condition G on the variables y1, ..., yn which, when satisfied, entails the existence of an x such that F(x, y1, ..., yn) is also satisfied. Even though the theory of real closed fields admits quantifier elimination [4,19], general non-linear QE methods have extremely high computational costs, limiting their practical applications. This is why QE for the linear fragments of the integer and real theories has been a very active research domain. The most recent advance for linear QE combines state-of-the-art SMT solving with polyhedral projection [15] for a large performance gain; its general idea is given in Algorithm 1.

Algorithm 1: QE(F, V), QE by lazy model enumeration.
  Require: F, a linear arithmetic formula.
  Require: V, a collection of variables to eliminate from F.
  Ensure: O, a formula in disjunctive normal form such that O ≡ ∃V. F
  O ← ⊥
  while isSatisfiable(F ∧ ¬O) do          ▷ check satisfiability using an SMT solver
    M ← getModel(F ∧ ¬O)                   ▷ get a model using an SMT solver
    P ← extrapolate(F, M)                  ▷ generalize M into a conjunction of literals which entails F
    P' ← project(P, V)                     ▷ polyhedral projection
    O ← O ∨ P'
  end while
  return O

The extrapolate function generalizes the model M with respect to F and produces a conjunction of literals P, i.e. a polyhedron in geometric terms, such that M ⊨ P and P ⇒ F. Polyhedral projection is then used to eliminate the variables V from P and obtain another conjunction P' characterizing a polyhedron of lower dimension. The formula O resulting from this procedure can be viewed as a union of polyhedra over the reals/integers. Quantifier elimination enjoys many applications in formal verification: preimage computation on transition systems, automatic program abstraction and even controller synthesis, to name only a few. Section 5 details our use of QE for preimage computation and lemma generation.

3 Running Example: Coupled Mass System Linear Controller Behind Triplicated Inputs with Saturations

Throughout this article, we consider the control of the coupled mass system (footnote 5) shown in Figure 1a. Such a coupling can be used to model numerous physical phenomena such as vibration propagation patterns in fluids and flexible structures, among others.

Footnote 5: This system is extracted from [17].
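Returning to Algorithm 1 above, the project(P, V) step as an added example that is not the authors' implementation: Fourier-Motzkin elimination over the rationals, applied first to a single polyhedron and then to the preimage computation the section mentions (a target condition pulled back through a transition relation). The SMT model enumeration and the extrapolate step are left out on purpose: when F is already a conjunction of linear atoms, the loop body runs exactly once with P = F, so the projection is the whole computation. The variable names, the transition x' = x + u with 0 <= u <= 1 and the constraint sets are constructed for the illustration.

```python
from fractions import Fraction
from itertools import product

# Added example (not the paper's tool): the polyhedral-projection step
# project(P, V) of Algorithm 1 by Fourier-Motzkin elimination.
# A constraint  sum_v c[v]*v <= b  is the pair (c, b) with c a dict of
# rational coefficients; a polyhedron P is a list of such constraints.


def fm_eliminate(polyhedron, var):
    """Remove `var`: every (lower bound, upper bound) pair on var yields
    one var-free consequence; constraints not mentioning var are kept."""
    pos, neg, rest = [], [], []
    for c, b in polyhedron:
        k = c.get(var, 0)
        (pos if k > 0 else neg if k < 0 else rest).append((c, b))
    out = list(rest)
    for (cp, bp), (cn, bn) in product(pos, neg):
        kp, kn = cp[var], -cn[var]            # both strictly positive
        # kn*(cp . x) + kp*(cn . x) <= kn*bp + kp*bn, and var cancels out
        merged = {}
        for v in set(cp) | set(cn):
            if v != var:
                k = kn * cp.get(v, 0) + kp * cn.get(v, 0)
                if k != 0:
                    merged[v] = k
        out.append((merged, kn * bp + kp * bn))
    return out


def project(polyhedron, variables):
    """Existentially eliminate all `variables`: the project(P, V) step."""
    for v in variables:
        polyhedron = fm_eliminate(polyhedron, v)
    # drop tautologies 0 <= b with b >= 0; keep 0 <= b with b < 0, which
    # is the witness that the polyhedron is empty (unsatisfiable)
    return [(c, b) for c, b in polyhedron if c or b < 0]


def satisfies(point, polyhedron):
    return all(sum(k * point[v] for v, k in c.items()) <= b
               for c, b in polyhedron)


# Constructed input 1: P = { x <= y, y <= 2, x >= 1 }; projecting away y
# must give the shadow 1 <= x <= 2.
P1 = [({"x": 1, "y": -1}, 0), ({"y": 1}, 2), ({"x": -1}, -1)]

# Constructed input 2: preimage of the target x2 >= 5 through the
# transition x2 = x + u, 0 <= u <= 1, i.e. exists x2, u. (...), which
# is x >= 4. The equality is written as two inequalities.
T = [({"x2": 1, "x": -1, "u": -1}, 0), ({"x2": -1, "x": 1, "u": 1}, 0),
     ({"u": 1}, 1), ({"u": -1}, 0), ({"x2": -1}, -5)]


def shadow_of_p1():
    return project(P1, ["y"])


def preimage():
    return project(T, ["x2", "u"])


if __name__ == "__main__":
    print(shadow_of_p1())                                  # x >= 1, x <= 2
    print(satisfies({"x": Fraction(3, 2)}, shadow_of_p1()))
    print(preimage())                                      # x >= 4
    print(project([({"x": 1}, 0), ({"x": -1}, -1)], ["x"]))  # empty: 0 <= -1
```

Two things the code makes concrete. First, Fourier-Motzkin is exact over the reals but each eliminated variable can square the number of constraints, which is why a tool projecting many polyhedra needs redundancy removal (omitted here); the paper's approach keeps projections small by projecting one extrapolated polyhedron at a time rather than a whole DNF. Second, the empty-polyhedron marker 0 <= -1 is what an SMT-backed loop never has to produce: isSatisfiable(F ∧ ¬O) already failed, so the loop simply ends.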
Similar references

Which Methodology is Better for Combining Linear and Nonlinear Models for Time Series Forecasting?
Both theoretical and empirical findings have suggested that combining different models can be an effective way to improve the predictive performance of each individual model. This especially occurs when the models in the ensemble are quite different. Hybrid techniques that decompose a time series into its linear and nonlinear components are one of the most important kinds of the hybrid model...

Non-linear modeling, analysis, design and simulation of a solid state power amplifier based on GaN technology for Ku band microwave application
A new non-linear method for the design and analysis of solid state power amplifiers is presented and applied to an aluminum gallium nitride / gallium nitride (AlGaN-GaN) high electron-mobility transistor (HEMT) on a silicon-carbide (SiC) substrate for Ku band (12.4-13.6 GHz) applications. By combining the output power of 8 transistors, a maximum output power of 46.3 dBm (42.6 W), a PAE of 43% and a linear ga...

Providing comprehensive control chart for monitoring of linear and nonlinear profiles using functional data analysis.
Considering profiles as functional variables, two control charts are proposed for their monitoring in phase II. Due to its conformity with the nature of real-world profiles, applying a functional model leads to proposed control charts obtained through functional data analysis techniques with desired features. These include simplicity in calculation and the possibility of using them for different prof...

Potentials of Evolving Linear Models in Tracking Control Design for Nonlinear Variable Structure Systems
Evolving models have found applications in many real-world systems. In this paper, the potentials of Evolving Linear Models (ELMs) in tracking control design for nonlinear variable structure systems are introduced. At first, an ELM is introduced as a dynamic single-input, single-output (SISO) linear model whose parameters, as well as the dynamic orders of the input and output signals, can change through ...

NON-FRAGILE GUARANTEED COST CONTROL OF T-S FUZZY TIME-VARYING DELAY SYSTEMS WITH LOCAL BILINEAR MODELS
This paper focuses on the non-fragile guaranteed cost control problem for a class of T-S fuzzy time-varying delay systems with local bilinear models. The objective is to design a non-fragile guaranteed cost state feedback controller via the parallel distributed compensation (PDC) approach such that the closed-loop system is delay-dependent asymptotically stable and the closed-loop performance i...

The Effect of Analysis Methods on the Response of Steel Dual-System Frame Buildings for Seismic Retrofitting
In the present paper, the focus is on the evaluation of steel dual-system frame buildings using four main types of structural analysis (Linear Static, Linear Dynamic, Nonlinear Static and Nonlinear Dynamic Analyses) with regard to the "Seismic Rehabilitation Code for Existing Buildings in Iran" (based on FEMA 273 and 356), where the first two authors of the article tend to follow the previous work (...
Publication date: 2013