Publication


Featured research published by Romain Jobredeaux.


acm international conference hybrid systems computation and control | 2012

A generic ellipsoid abstract domain for linear time invariant systems

Pierre Roux; Romain Jobredeaux; Pierre-Loïc Garoche; Eric Feron

Embedded system control often relies on linear systems, which admit quadratic invariants. The parts of the code that host linear system implementations need dedicated analysis tools, since intervals or linear abstract domains will give imprecise results, if any at all, on these systems. Previous work by FERET proposes a specific abstraction for digital filters that addresses this issue on a specific class of controllers. This paper aims at generalizing the idea. It works directly on system representation, relying on existing methods from control theory to automatically generate quadratic invariants for linear time invariant systems, whose stability is provable. This class encompasses n-th order digital filters and, in general, controllers embedded in critical systems. While control theorists only focus on the existence of such invariants, this paper proposes a method to effectively compute tight ones. The method has been implemented and applied to some benchmark systems, giving good results. It also considers floating-point issues and validates the soundness of the computed invariants.


nasa formal methods | 2012

PVS linear algebra libraries for verification of control software algorithms in C/ACSL

Heber Herencia-Zapana; Romain Jobredeaux; Sam Owre; Pierre-Loïc Garoche; Eric Feron; Gilberto Pérez; Pablo Ascariz

The problem of ensuring control software properties hold on their actual implementation is rarely tackled. While stability proofs are widely used on models, they are never carried to the code. Using program verification techniques requires expressing these properties at the level of the code but also having theorem provers that can manipulate the proof elements. We propose to address this challenge by following two phases: first we introduce a way to express stability proofs as C code annotations; second, we propose a PVS linear algebra library that is able to manipulate quadratic invariants, i.e., ellipsoids. Our framework achieves the translation of stability properties expressed on the code to the representation of an associated proof obligation (PO) in PVS. Our library allows us to discharge these POs within PVS.


arXiv: Systems and Control | 2016

From Design to Implementation: An Automated, Credible Autocoding Chain for Control Systems

Timothy Wang; Romain Jobredeaux; Heber Herencia; Pierre-Loïc Garoche; Arnaud Dieumegard; Eric Feron; Marc Pantel

In a context of heightened safety requirements for safety-critical embedded systems and ever-increasing costs of verification and validation, we describe a fully automated, credible autocoding chain for control systems. This chain generates code, along with guarantees of high level functional properties, which can be independently verified. The platform relies on domain specific knowledge and formal analysis methods to bridge the semantic gap between domain experts and code verification experts. First, a graphical dataflow language is extended with annotation symbols, enabling the control engineer to express high level properties of their control law within the framework of a familiar block-diagram language. A public-domain autocoder is enhanced not only to generate the code implementing the initial design, but also to carry high level properties down to annotations at the level of the code. Finally, using customized code analysis tools, certificates are generated, which guarantee the correctness of the annotations with respect to the code, and can be verified using existing static analysis tools. For now, we limit the conclusions to the bounded-input bounded-output characteristic of linear controllers, however the approach appears readily extendable to a broader array of properties and systems.


ieee/aiaa digital avionics systems conference | 2011

Autocoding control software with proofs I: Annotation translation

Eric Feron; Romain Jobredeaux; Tim Wang

In an effort to meet the reliability standards that control systems operating in safety-critical roles require, we have started laying the foundation for a tool-set that migrates control theory properties and proofs into the software implementation of those control systems designs. By using this tool the engineer can provide a more rigorous guarantee of the quality of the software and initiate the formal verification process. The tool focuses on control software in order to leverage the domain knowledge from existing mathematical techniques for the analysis and synthesis of control systems. As a first step in the development of the tool-set, we have created a prototype of a Scilab to C translator with proof annotation support. Though limited in its current functionalities, the development of this prototype allowed us to identify the key issues which will be used to further refine the translator. This paper describes the prototype and the further improvements planned for the translator.


advances in computing and communications | 2014

Credible autocoding of fault detection observers

Timothy Wang; Alireza Esna Ashari; Romain Jobredeaux; Eric Feron

We present a domain specific process to enable the verification of observer-based fault detection software. Observer-based fault detection systems, like control systems, yield invariant properties of quadratic types. These quadratic invariants express both safety properties of the software, such as the boundedness of the states, and correctness properties, such as the absence of false alarms from the fault detector. We seek to leverage these quadratic invariants, in an automated way, for the formal verification of the fault detection software. The approach, named the credible autocoding framework, can be characterized as autocoding with proofs. The process starts with the fault detector model, along with its safety and correctness properties, all expressed formally in a synchronous modeling environment such as Simulink. The model is then transformed by a prototype credible autocoder into both code and analyzable annotations for the code. We demonstrate the credible autocoding process on a running example of an output observer fault detector for a 3 degree-of-freedom helicopter control system.


conference on decision and control | 2012

Developing proof carrying code to formally assure termination in fault tolerant distributed controls systems

Romain Jobredeaux; Heber Herencia-Zapana; Natasha Neogi; Eric Feron

We address the semantic gap between the model and the implementation of control algorithms for distributed systems in a formal fashion: we provide an interactive (partially automated) method by which to translate the global, model level theoretical properties, such as stability and convergence, into code level assertions and invariants which assure termination of the relevant implementations and validity of the result. We outline a simple flight control system example for altitude holding, and describe a fault-tolerant distributed agreement protocol among n processor nodes, in the presence of a varying network topology. We develop a Lyapunov-like function for the distributed algorithm, and attain a polynomial time theoretical bound on the convergence time T_conv ∝ n^3. We then exploit the Lyapunov function and convergence proof, in order to derive requisite ANSI-C Specification Language (ACSL) annotations for the C code distributed implementation, in order to guarantee termination. The ACSL annotations can then be used to automatically generate formal proof obligations via the Frama-C tool. These proof obligations also encompass assertions relating to timing, memory allocation, type checking and processor specific issues. The proof obligations can then be automatically discharged using a theorem prover, and their success guarantees that the behavior of the corresponding distributed code will evince the global properties proven for the model. Thus, the verification process spans efforts from the high-level control theory to the low-level implementation as a C program.


international conference on hybrid systems computation and control | 2015

Closed loop analysis of control command software

Pierre Roux; Romain Jobredeaux; Pierre-Loïc Garoche

Recent work addressing the stability analysis of controllers at code level has been mainly focused on the controller alone. However, most of the properties of interest of control software lie in how they interact with their environment. We introduce an extension of the analysis framework to reason on the stability of closed loop systems, i.e., controllers along with a model of their physical environment, the plant. The proposed approach focuses on the closed loop stability of discrete linear control systems with saturations, interacting with a discrete linear plant. The analysis is performed in the state space domain using Lyapunov-based quadratic invariants. We specifically address the automatic synthesis of such invariants and the treatment of floating-point imprecision.


formal methods for industrial critical systems | 2013

Formal Methods for the Analysis of Critical Control Systems Models: Combining Non-linear and Linear Analyses

Adrien Champion; Rémi Delmas; Michael Dierkes; Pierre-Loïc Garoche; Romain Jobredeaux; Pierre Roux

Critical control systems are often built as a combination of a control core with safety mechanisms allowing recovery from failures. For example, a PID controller used with triplicated inputs and voting. Typically these systems would be designed at the model level in a synchronous language like Lustre or Simulink, and their code automatically generated from these models. We present a new analysis framework combining the analysis of open-loop stable controllers with safety constructs (redundancy, voters, ...). We introduce the basic analysis approaches: abstract interpretation synthesizing quadratic invariants and backward analysis based on quantifier elimination and convex hull computation synthesizing linear invariants. Then we apply it on a simple but representative example that no other available state-of-the-art technique is able to analyze. This contribution is another step towards early use of formal methods for critical embedded software such as the ones of the aerospace industry.


international conference on hybrid systems computation and control | 2016

Formal Analysis of Robustness at Model and Code Level

Timothy Wang; Pierre-Loïc Garoche; Pierre Roux; Romain Jobredeaux; Eric Feron

Robustness analyses play a major role in the synthesis and analysis of controllers. For control systems, robustness is a measure of the maximum tolerable model inaccuracies or perturbations that do not destabilize the system. Analyzing the robustness of a closed-loop system can be performed with multiple approaches: gain and phase margin computation for single-input single-output (SISO) linear systems, mu analysis, IQC computations, etc. However, none of these techniques consider the actual code in their analyses. The approach presented here relies on an invariant computation on the discrete system dynamics. Using semi-definite programming (SDP) solvers, a Lyapunov-based function is synthesized that captures the vector margins of the closed-loop linear system considered. This numerical invariant expressed over the state variables of the system is compatible with code analysis and enables its validation on the code artifact. This automatic analysis extends verification techniques focused on controller implementation, addressing validation of robustness at model and code level. It has been implemented in a tool analyzing discrete SISO systems and generating over-approximations of phase and gain margins. The analysis will be integrated in our toolchain for Simulink and Lustre models autocoding and formal analysis.


document analysis systems | 2014

An application of a prototype credible autocoding and verification tool-chain

Timothy Wang; Romain Jobredeaux; Mehrdad Pakmehr; Martin Vivies; Eric Feron

We present the usage of a prototype that is the result of our research efforts in the translation of control theory into code semantics and the automatic verification of control software using those generated semantics. We demonstrate an application of the tool-chain for a jet engine, produced by the lightweight jet engine manufacturer Price Induction, running in closed-loop with its Full Authority Digital Controller (FADEC) hardware. The framework for the tool is based on the model-based development paradigm but with integration of formal methods into the development process to support the claim of correctness of the auto-generated code. The prototype is a two-part tool-chain. The credible autocoding part is designed to translate a Simulink model of a control system into an annotated C program. The annotations, which express control semantics of the system, are generated during the autocoding process and embedded into the C program as comments. The control semantics are formal expressions of the safety and performance requirements of the control system and their proofs. The second part, the verification backend, which in general runs independently of the first part, checks the correctness of the annotations with respect to the code.

Collaboration

Top co-authors of Romain Jobredeaux, with their affiliations:

Eric Feron, Massachusetts Institute of Technology

Timothy Wang, Georgia Institute of Technology

Pierre Roux, University of Toulouse

Martin Vivies, Georgia Institute of Technology

Heber Herencia-Zapana, National Institute of Aerospace

Mehrdad Pakmehr, Georgia Institute of Technology