Block-Based Models and Theorem Proving in Model-Based Development Electronic Communications of the EASST Volume 079 (2020) Interactive Workshop on the Industrial Application of Verification and Testing ETAPS 2020 Workshop (InterAVT 2020) Block-Based Models and Theorem Proving in Model-Based Development Cinzia Bernardeschi, Andrea Domenici, Adriano Fagiolini, and Maurizio Palmieri 8 pages Guest Editors: Stylianos Basagiannis, Goetz Botterweck, Anila Mjeda ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Block-Based Models and Theorem Proving in Model-Based Development Cinzia Bernardeschi1, Andrea Domenici1, Adriano Fagiolini2, and Maurizio Palmieri1 1 name.surname@ing.unipi.it Department of Information Engineering University of Pisa, Italy 2 adriano.fagiolini@unipa.it Department of Engineering University of Palermo, Italy Abstract: This paper presents a methodology to integrate computer-assisted the- orem proving into a standard workflow for model-based development that uses a block-based language as a modeling and simulation tool. The theorem prover pro- vides confidence in the results of the analysis as it guides the developers towards a correct formalization of the system under development. Keywords: Model-based development, theorem proving, Matlab, PVS 1 Introduction Model-based development relies on system modeling and simulation, using textual and graphical modeling languages that are both declarative, as they produce abstract but detailed descriptions of a system, and executable, as they generate code to simulate the system. This approach is very productive since it allows developers to explore and validate different design choices, and detect errors and problems at early development stages. However, the levels of dependability afforded by simulation may fall short of the strict requirements that current and future systems must satisfy. Formal methods are increasingly being employed to provide a solid mathematical foundation to claims of correctness and dependability of complex – often safety-critical – systems. Formal methods, however, rely on languages and tools often unfamiliar to developers and quite different from the commonly used environments. This paper aims at contributing to the deployment of formal methods in a standard model- driven development process, using them along with traditional modeling and simulation. More precisely, the proposed workflow begins by modeling a system with the Matlab/Simulink envi- ronment [sim], using its symbolic computation capability to extract a mathematical definition of its properties, and then analyzing these properties with the Prototype Verification System (PVS) theorem-proving environment [ORS92]. For the sake of illustration, this approach is demon- strated on a very simple system, a single-axle robot vehicle. Clearly, the advantage of coupling theorem proving to modeling and simulation would show in much more complex scenarios. 1 / 8 Volume 079 (2020) mailto:name.surname@ing.unipi.it mailto:adriano.fagiolini@unipa.it Block-Based Models and Theorem Proving in Model-Based Development PVS is an interactive theorem prover, i.e., a user writes a theory defining the problem to study (e.g., a system design) and then proves theorems and lemmas (goals) about the theory (e.g., statements about system properties), building a proof in a series of steps by invoking prover commands interactively. Each prover command applies one or more inference rules. A PVS theory contains declarations of types, variables, constants, and functions, and logical statements to be proved (theorems or lemmas) or taken as valid a priori (axioms). Readers are referred to the literature for information on the language and inference system (e.g., [ORS92, COR+95]) or its applications (e.g., [BD16, MTDB17, BDM18]). 2 Overview of the approach mathematical model requirements plant dynamics control law definitionssimulator computer math plant dynamicstheorems logic model environment proof plant dynamics control law block−based model equations symbolic constraints parameter verification requirement Figure 1: Computer-assisted mathematics and theorem proving. The approach adopted in this paper is summarized in Fig. 1. The dynamical behavior of a system, its control law, and its requirements are initially described in terms of mathematical relationships. In a typical model-based process, the mathematical specification of plant and controller is expressed in a block-based model using such modeling and simulation tools such as Simulink or Modelica. The process exposed in this paper adds a step, where computer-assisted mathematics tools, such as the Symbolic Math Toolbox available in Matlab or Mathematica, are used to obtain symbolic solutions to relationships expressing requirements. These symbolic solutions are included in a logic-based model, which represents the whole mathematical model, including the requirements, in the form of definitions and theorems in a higher-order logic language. Interactive theorem proving is then used both to verify requirements and to find constraints on design parameters that make requirements satisfiable. It may be noticed that it is possible to limit the application of this process to specific compo- nents of the system, e.g., safety-critical ones. Also, not all components need a formal verification, such as parts that have been previously tested and verified. 3 A case study This case study concerns the design of a controller for a robot vehicle. The robot must reach a given straight line l from an arbitrary initial position outside the line, as shown in Figure 2, InterAVT 2020 2 / 8 ECEASST where d is the distance from l to the current robot position p, ψ is the current robot heading, and σ is the distance to the projection of p on l from a reference point σ0. The robot must approach the line with a smooth curve, without oscillating. The robot moves on a flat surface without obstacles at a constant speed V and its turning speed ω is set by the controller. x y l ψ y = (tanψl)x + yr d p σ0 plσ ψl yr Figure 2: Line-seeking task for a robot vehicle. With θ = ψ −ψl , a control law is chosen with the form ω =−ky dV sinc θ −kθ , (1) where sinc equals (sin θ )/θ for θ 6= 0 and 1 otherwise, and k is a design parameter ranging over the non-negative reals, whose value determines the stability and convergence properties of the system1. More precisely, it is necessary to find a range of values for k such that both d and θ approach zero as time approaches infinity, with the further requirement that the robot’s trajectory does not oscillate. The above task has been carried out with the following steps: 1. The system’s generating functions have been found:  σ̇ = V cos θ ḋ = V sin θ θ̇ =−dV sinc θ −kθ , (2) 2. System (2) has been linearized with the Jacobian J, computed with the Matlab Symbolic 1 Without loss of generality ky can be chosen equal to 1 rad m2 and therefore it will be omitted in subsequent equations. 3 / 8 Volume 079 (2020) Block-Based Models and Theorem Proving in Model-Based Development Math Toolbox (SMT) [smt], and evaluated for d = 0 and θ = 0: J0 =   0 0 00 0 V 0 −V −k   (3) 3. The eigenvalues of J0 have been computed with the SMT: λ1 =− √ k2−4V 2+k 2 λ2 = √ k2−4V 2−k 2 λ3 = 0 . (4) 4. The range of values for k that satisfies the requirements has been determined by interactive theorem proving, as discussed in the following subsection. 4 The Challenge 4.1 Parameter Synthesis by Theorem Proving From control theory, the requirements presented above are fulfilled if the eigenvalues are real and nonpositive. After the control law has been chosen and the eigenvectors for the resulting linearized system have been symbolically computed, the remaining task is finding an appropriate range of values for the design parameter k. In this simple case, the task reduces to solving the following system for k, whose solution is k > 2V :√ k2 −4V 2 ≤ 0, λ1 ≤ 0, λ2 ≤ 0 . (5) This simple system can be easily solved with the SMT (or, indeed, by paper and pencil), but it is worth considering how theorem proving can be used in this problem. The theorem-proving approach consists in defining the eigenvalues in a PVS theory and proving that a given range for k satisfies the requirements. This is shown more in detail in [DFP18]. 4.2 Upper bound on the maximum distance of the vehicle from the line In this section, theorem proving is used to find an upper bound to the distance of the robot from the target line, which would be hard to compute directly with such tools as SMT. Moreover, this analysis concerns a discretized, executable PVS theory, i.e., a theory written in such a form that a PVS interpreter [Muñ03] can simulate the system described by the theory, as it evolves in discrete time steps. An executable theory specifies a transition system whose states are sets of values for the system variables, and whose transitions are defined by a step function that maps the current state to the next one. A simple example is considered, with the assumptions that the target line l is parallel to the x-axis, the initial heading ψ lies within the first quadrant, as shown in Figure 3, and parameter k of the control law is chosen within the region found above (Sec. 4.1). The controller has been modeled as a discretized executable theory, defining the system state at a step i as a tuple si = (ωi,xi,yi,ψi). At each step, the state is updated by the step function: si+1 = step(si) , InterAVT 2020 4 / 8 ECEASST x y l ψ p d yr y = yr σ σ0 = 0 Figure 3: Line-seeking task for the line y = yr. which generates the sequence ρ = s0,s1,...,si,si+1 ... . Let the initial position and heading be p0 = (x0,y0) and ψ = ψ0, respectively. The discretized equations are shown in (6), where ∆t > 0 is the discretization step and i ≥ 0.  xi+1 = xi + ∆tV cos ψi yi+1 = yi + ∆tV sin ψi ψi+1 = ψi + ∆t ωi ωi =−(yi cos ψl −xi sin ψl −yr cos ψl)V sin(ψi −ψl) ψi −ψl −k(ψi −ψl) (6) Since ψl = 0, the control law for ω reduces to (7): ωi =−(yi −yr)V sin ψi ψi −kψi (7) In the example of Figure 3, we take x0 = 2, y0 = 4, 0 ≤ ψ0 ≤ π/2, and ω0 = 0. An upper bound on the distance d of the robot from l is found considering that (i) the vehicle departs from the line with ψ > 0, and (ii) ψ decreases at each step. From this, it follows that initially, the robot will move away from l, until ψ vanishes and the robot heads towards l. It is then possible to find an upper bound L on the increment of y at each step, and an upper bound N on the number of steps executed until ψ vanishes. As shown in Section 4.1, the condition k > 2V guarantees that no further oscillations take place after that point. It is immediate to show that ∆tV sin ψ0 is the least upper bound for the y-increment (Lemma 5). An upper bound on d is then dub = y0 + N∆tV sin ψ0 , 5 / 8 Volume 079 (2020) Block-Based Models and Theorem Proving in Model-Based Development and we will focus on finding a value for N in the following. We use an “instrumented” PVS theory, where the state is augmented with a Boolean variable α denoting that ψ has assumed values less than or equal to zero in the current state or in any previous state. In the initial state, since ψ > 0, α = F (false). Then, when α becomes T (true), it remains equal to T forever. Equations (2) become (8):   xi+1 = xi + ∆tV cos ψi yi+1 = yi + ∆tV sin ψi ψi+1 = ψi + ∆t ωi ωi(yi,ψi) =−(yi −yr)V sin ψi ψi −kψi αi+1 = αi ∨(ψi+1 ≤ 0) (8) The following lemma states some properties of ω and of the y co-ordinate of p in the next state. In particular, ω is negative, and the y co-ordinate is greater than yr. Lemma 1 If ψi ∈ (0, π2 ) and yi > yr then ωi < 0 and yi+1 > yr. Lemma 2 Let p0 = (x0,y0) be the initial position, with x0 ≥ 0, y0 ≥ 0, and ψ0 > 0, and let y = yr be the line equation, with yr < y0. Then, ∀i>0αi ∨(ψi > 0∧ψi < ψi−1 ∧yi > yr). Lemma 3 From the above hypotheses and lemmas, it follows that ∀i(∀ j (y0 −yr)V cos ψ0). For each step i such that α = F for all preceding steps and αi+1 = F, the term (y0 −yr)V cos ψ0 is a lower bound to the decrement of ψ between two consecutive steps. Lemma 4 If j is such that α j = T and ∀i< jαi = F, and N =d ψ0 ∆t (y0−yr)V cos ψ0 e then j ≤ N. N is an upper bound to the number of steps executed before ψ becomes less than or equal to zero. Lemma 5 We can prove that, for all states i such that α = F for all preceding steps and αi+1 = F, the least upper bound of the y-increment is ∆tV sin ψ0 : ∀i(∀ j0 AND psi(i)y_r AND ( FORALL(j|j y(j) AND psi(j+1) < psi(j)) IMPLIES abs(w(i)) > (y(0)-y_r)*V*cos(psi(0)) The condition ∀ j y j ∧ψ j+1 < ψ j). Using the command (lemma lemma1), we can invoke Lemma 1, which states that ωi < 0, and then we can expand the abs function (command (expand abs)) and rewrite ωi, obtaining the following sequent, where the AND of the negative-numbered formulas (antecedents) implies the positive-numbered one: {-1} w(i) < 0 {-2} y(i+1) > y(i) [-3] psi(i) > 0 [-4] psi(i) < pi/2 [-5] y(i) > y_r {-6} FORALL (j: nat | j < i): y(j+1) > y(j) AND psi(j+1) < psi(j) |------- {1} k * psi(i) + sinc(psi(i)) * (y(i) - y_r) * V > (y(0) - y_r) * V * cos(psi(0)) Since kψi > 0 and V > 0, we can simplify the consequent by removing kψi and canceling V (with the command (cancel-by 1 "V")), obtaining: {-1} w(i) < 0 {-2} y(i+1) > y(i) [-3] psi(i) > 0 [-4] psi(i) < pi/2 [-5] y(i) > y_r {-6} FORALL (j: nat | j < i): y(j+1) > y(j) AND psi(j+1) < psi(j) |------- {1} sinc(psi(i)) * (y(i) - y_r) > cos(psi(0)) * (y(0) - y_r) Knowing that ∀ψ∈(0, π2 ) sin ψ ψ > cos ψ , the previous consequent is true if yi > y0 ∧ sinc(ψi) > sinc(ψ0) > cos ψ0. Using the antecedent -6, we can easily prove by induction (command (induct j)) that yi > y0 and ψi < ψ0, which leads to sinc(ψi) > sinc(ψ0), and thus prove the consequent of Lemma 3. 5 Conclusions Formal verification is important in the development of safety-critical systems. This work sup- ports the thesis that computer-assisted verification can be integrated within model-based devel- opment of control systems. In particular, interactive theorem proving is used to verify a safety requirement of a nonlinear control system, not easily derivable by the Matlab/Simulink tools. Possible future directions of this work should address (i) the proposal of a systematic, possibly automatic, translation from a subset of Simulink models to PVS theories, that will simplify the application of the proposed approach, (ii) the collection of proofs that can be reused to simplify the interactive verification process and integrate the theorem prover in the development process, 7 / 8 Volume 079 (2020) Block-Based Models and Theorem Proving in Model-Based Development (iii) the application of the proposed approach to a more realistic case study in order to assess its feasibility. To this respect, this paper makes simplifying assumptions on perfect state mea- surement and exact knowledge of the system’s model. More precisely, the typical assumption of slow-motion for the vehicle is made, implying that no lateral wheel slip occurs. In practice, the validity of such assumption depends on the underlying surface, not considered in this work. Acknowledgments The authors would like to thank the anonymous reviewers for their comments and suggestions. Work partially supported by the Italian Ministry of Education and Research (MIUR) in the frame- work of the CrossLab project (Departments of Excellence). Bibliography [BD16] C. Bernardeschi, A. Domenici. Verifying safety properties of a nonlinear control by interactive theorem proving with the Prototype Verification System. Information Processing Letters 116(6):409–415, 2016. [BDM18] C. Bernardeschi, A. Domenici, P. Masci. A PVS-Simulink Integrated Environment for Model-Based Analysis of Cyber-Physical Systems. IEEE Transactions on Soft- ware Engineering 44(6):512–533, 2018. [COR+95] J. Crow, S. Owre, J. Rushby, N. Shankar, A. Srivas. A Tutorial Introduction to PVS. In Proceedings of the Workshop on Industrial-Strenght Formal Specification Tech- niques (WIFT’95). April 1995. [DFP18] A. Domenici, A. Fagiolini, M. Palmieri. Integrated Simulation and Formal Verifica- tion of a Simple Autonomous Vehicle. In Cerone and Roveri (eds.), Software Engi- neering and Formal Methods. Lecture Notes in Computer Science 10729, pp. 300– 314. Springer International Publishing, Cham, 2018. [MTDB17] G. Mauro, H. Thimbleby, A. Domenici, C. Bernardeschi. Extending a User Interface Prototyping Tool with Automatic MISRA C Code Generation. In Proceedings of the Third Workshop on Formal Integrated Development Environment, F-IDE@FM 2016, Limassol, Cyprus, November 8, 2016. Pp. 53–66. 2017. [Muñ03] C. Muñoz. Rapid prototyping in PVS. Contractor report NASA/CR-2003-212418, NASA, Langley Research Center, Hampton VA 23681-2199, USA, May 2003. [ORS92] S. Owre, J. Rushby, N. Shankar. PVS: A prototype verification system. In Kapur (ed.), Automated Deduction — CADE-11. Lecture Notes in Computer Science 607, pp. 748–752. Springer Berlin Heidelberg, 1992. [sim] Simulink R© web site. http://www.mathworks.com/products/simulink [smt] Matlab R© SMT web site. http://www.mathworks.com/products/symbolic InterAVT 2020 8 / 8 http://www.mathworks.com/products/simulink http://www.mathworks.com/products/symbolic Introduction Overview of the approach A case study The Challenge Parameter Synthesis by Theorem Proving Upper bound on the maximum distance of the vehicle from the line Example of a Lemma Proof in PVS Conclusions