# Proving Real-time Properties of Embedded Software Systems

## **Outline of Presentation**

- Introduction and Preliminaries
- Previous Related Work
- Held\_For Operator
- Sensor Lock System
- Verified Design for Timing Properties
- Delayed Trip System
- Optimization
- Conclusion

## **Real-time Safety Critical Systems**

A system whose correctness depends on

- the system outputs values
- the times at which these outputs are generated

#### Failure results in:

- physical injury or loss of life
- unacceptable financial loss

#### **Applications Areas:**

- Medical equipment
- Aerospace
- Process control e.g. Darlington Nuclear Generating Station Shutdown Systems (SDS)

#### Motivation

- Minor changes result in another extensive (&expensive) round of testing and review
- Capture and validate system requirements
- Guide the design and verification
- Reduce the verification work by modular design
- Approach to formally verified design optimization

#### **Research Scope**

- Will consider real-time systems in a discrete time setting
- Only one clock working in one real time system
- No concurrent clocks at different sample rates
- Ignore the intersample behaviour when modeling real-time systems
- No tolerance on timing specifications



- ${\bf M}$  Monitored Variable states pace
- ${\bf C}$  Controlled Variable states pace
- ${\bf I}$  Input Variable states pace
- **O** Output Variable statespace

 $\mathbf{M}, \mathbf{C}, \mathbf{I}, \mathbf{O}$  are time series vectors and REQ,~SOF,~IN,~OUT are relations.

We use a special case where all relations are functional resulting in proof obligation:

$$REQ = OUT \circ SOF \circ IN \tag{1}$$

Here REQ and SOF are the one step transition functions of the requirements and design respectively.

### **Example: Tabular Requirements**

Many of the system requirements involve simple input/output logic, possibly dependent upon the previous value of the state variable:

e.g., Power Conditioning



PwrCond(Prev:bool, Power, Kin, Kout:posreal):bool =

| $Power \leq Kout$ | Kout < Power < Kin | $Power \geq Kin$ |
|-------------------|--------------------|------------------|
| FALSE             | Prev               | TRUE             |

What about more complicated timing properties?

#### Clocks Theory (Dutertre and Stavridou)

For a positive real number T, we define a clock of period T, denoted  $clock_T$ , to be a set of "sample instances"

$$clock_T := \{t_0, t_1, t_2, \dots, t_n, \dots\}$$

 $= \{0, T, 2T, \dots, nT, \dots\}$ 

For a period T = 5, the clock of period 5 is simply

$$clock_5 := \{0, 5, 10, 15, \ldots\}$$

Note that  $clock_5$ , like all clocks as defined above, "starts" at time  $t_0 = 0$ . Define *init*,  $next_T$  and  $pre_T$  operators on the elements of  $clock_T$  as follows:

$$init(t_n) := \begin{cases} TRUE, & n = 0\\ FALSE, & \text{otherwise} \end{cases}$$
$$pre_T(t_n) := \begin{cases} t_{n-1}, & n \ge 1\\ \text{undefined}, & \text{otherwise} \end{cases}$$
$$next_T(t_n) := t_{n+1}$$

Held\_For Operator (Lawford, Wu, OPG)

 $pred(clock_T) := \{f | f : clock_T \rightarrow \{TRUE, FALSE\}\}$ 

HELD\_FOR :  $pred(clock_T) \times \mathbb{R}^{\geq 0} \rightarrow pred(clock_T)$ such that (P)HELD\_FOR $(duration)(t_n) = TRUE$  iff  $(\exists t_j \in clock_T)(t_n - t_j \geq duration) \land$  $(\forall t_i \in clock_T)(t_j \leq t_i \leq t_n \Rightarrow P(t_i))$ 

Here we use  $\mathbb{R}^{\geq 0}$  to denote non-negative real numbers.

#### Example:

Let T=150, Sensor(t) be a clock predicate



 $f(450) = (Sensor)Held\_For(295)(450) = TRUE$ 

 $g(450) = (Sensor)Held\_For(310)(450) = FALSE$ 

Note: We ignore the intersample behaviour of Sensor.



Sensor Lock Real-time Controller

- Takes two boolean valued inputs, *Sensor* and *Reset*, and produces a single boolean valued output *SenLock* that is updated
- Sampling rate T,e.g., T=100ms

#### Behaviour

- When input Sensor is continuously TRUE for  $k\_ldelay = 150$ ms or longer, then the channel is "locked" and SenLock output is TRUE
- Once "locked" (i.e., SenLock becomes *TRUE*), the system will not "unlock" (SenLock becomes *FALSE*) until manually reset (*Reset* = *TRUE*)

## Software Requirements

The required behaviour of the update function is summarized by the following table:

|                       |                     | Result    |
|-----------------------|---------------------|-----------|
| Condition             | SenLock             |           |
| (Sensor) Held for (k. | _ldelay)            | TRUE      |
| NOT [(Sensor) Held    | Reset               | FALSE     |
| for (k_ldelay)]       | $\neg \text{Reset}$ | No Change |

Here  $k\_ldelay = 150$ ms. When the conjunction of atomic proposition in a given row of the *Condition* columns is *TRUE*, then *SenLock* is set to the *Result* value for that row. E.g., when

 $NOT[(Sensor)Held\_For(k\_ldelay)] \land Reset$ 

then SenLock = False.

## Software Design

The SDD or "implementation" of this specification is given by the following table:

Results

| Condition |                         |                     | Elock | LTime       |
|-----------|-------------------------|---------------------|-------|-------------|
|           | Elock                   | Reset               | GOOD  | 0           |
| NOT       | =LOCK                   | $\neg \text{Reset}$ | LOCK  | 0           |
| Sensor    | Elock≠LOCK              |                     | GOOD  | 0           |
|           | LTin                    | ne=0                | BAD   | next(LTime) |
| Sensor    | $0 < LTime < k\_ldelay$ |                     | NC    | next(LTime) |
|           | $LTime \ge k\_ldelay$   |                     | LOCK  | 0           |

### Notes:

1. Here Elock has type  $\{GOOD, BAD, LOCK\}$ . The designer wants to use the additional information elsewhere in the system.

$$(Elock = LOCK) \equiv (SenLock = TRUE)$$

- 2. "NC" denotes "No Change".
- 3. *LTime* is timer variable used to implement the *Held\_For*.

```
Systematic Design Verification
```

```
SenLock_ELOCK: THEOREM
   SenLock(t) = LOCK?(Elock(ELOCK(t)))
```

To apply PVS to this Verification Problem we use the strategy (INDUCT "t" 1 "clock\_induction"). This breaks proof into two parts: (i) Base Case when t=0, and (ii) inductive case. In the course of proving these cases, we find the following errors:

- 1. Wrong initial condition for Elock.
- 2. Elock becomes unlocked without a manual reset.
- 3. Cases exist where manual reset unlocks the SenLock but not Elock.

## Systematic Design Verification (cont)

The complete specification and design require fail-safe operation so the value of SenLock was initially set to TRUE. In the original design Elock was initialized to BAD.

The SDD becomes unlocked because the LTime counter is reset to 0 when Elock is set to LOCK. As a result the system loses the "history" of Sensor. Although Elock does not correctly implement this requirement as specified by SenLock, it also illustrates how SenLock could be made "safer". When Sensor = TRUE, Elock will not allow a manual reset, while SenLock will permit such a reset if Sensor was FALSE in the recent past.

## Systematic Design Verification (cont)

Taking these issues into consideration, we provide "fixed" versions of the specification and implementation below:

ConditionSenLock(Sensor) Held for  $(k \perp delay)$ TrueNOT [(Sensor)Reset $\neg$ SensorHeldfor  $(k \perp delay)$ ]Image $\neg$ Reset $\neg$ SensorNo Change

Result

|           |                       |                   |       | Results     |
|-----------|-----------------------|-------------------|-------|-------------|
| Condition |                       |                   | Elock | LTime       |
|           | Elock                 | Reset             | GOOD  | 0           |
| NOT       | =LOCK                 | ¬Reset            | LOCK  | 0           |
| Sensor    | Elock≠LOCK            |                   | GOOD  | 0           |
|           | LTime<                | $Elock \neq LOCK$ | BAD   | next(LTime) |
| Sensor    | k_ldelay              | Elock=LOCK        | LOCK  | next(LTime) |
|           | $LTime \ge k\_ldelay$ |                   | LOCK  | NC          |

## Software Requirements Specification (SRS)

|                    |                     |               | Result                   |
|--------------------|---------------------|---------------|--------------------------|
| Condition          |                     |               | $\operatorname{SenLock}$ |
| (Sensor) Held_F    | For (k_lde          | lay)          | True                     |
| NOT [(Sensor) Held | Reset               | $\neg Sensor$ | False                    |
| _For (k_ldelay)]   |                     | Sensor        | No Change                |
|                    | $\neg \text{Reset}$ |               | No Change                |

## Software Design Description (SDD)

|        |                                                                    |                     | Results |             |  |
|--------|--------------------------------------------------------------------|---------------------|---------|-------------|--|
|        | Condition                                                          |                     | Elock   | LTime       |  |
|        | Elock                                                              | Reset               | GOOD    | 0           |  |
| NOT    | =LOCK                                                              | $\neg \text{Reset}$ | LOCK    | 0           |  |
| Sensor | Elock≠LOCK                                                         |                     | GOOD    | 0           |  |
| Sensor | LTime <k_ldelay< td=""><td>NC</td><td>next(LTime)</td></k_ldelay<> |                     | NC      | next(LTime) |  |
|        | $LTime \ge k\_ldelay$                                              |                     | LOCK    | NC          |  |

### A Systematic Approach

**Problem:** Getting complicated timing properties right in the implementation can be difficult when designer has to start and stop timers to implement timing constructs.

**Solution:** Used pre-verified blocks of code to implement recurring types of timing requirements.

Timing Behaviour in SRS and SDD of Sensor Lock System

- SRS: (Sensor)Held\_For(k\_ldelay)
- SDD:  $Sensor \land LTime \ge k\_ldelay$

Why not reuse this verified design for Held\_For operator?

## Monolithic Verification v.s. Modular Verification

#### Monolithic Verification

- All-in-one structure for code and verification
- Difficult to identify and implement timing properties
- Difficult to verify the system
- Non-re-usability
- One change in requirement need to verify the whole system again.
- Potential performance advantage

#### Modular Verification

- Modularized structure easier for code maintenance
- Clear implementation of timing properties
- Easy to use and guarantee the correctness. Developer can easily use the module implementing a timing property
- Easier verification by instantiating a pre-verified theorem to complete the system specific verification
- Greatly reduced the verification work if changes happen to requirements
- Re-usability and Portability
- Overhead may exist due to modularization



```
TimerGeneral [T:posreal] : THEORY
BEGIN
IMPORTING Held For[T]
```

```
t, previous: VAR clock
P:var pred[clock]
timeout : VAR posreal
CurrentP:VAR bool
```



```
Timer(P,timeout)(t):RECURSIVE clock=
IF init(t) THEN TimerUpdate(P(t),timeout,0)
ELSE TimerUpdate(P(t),timeout,Timer(P,timeout)(pre(t)))
ENDIF
MEASURE rank(t)
TimerGeneral: THEOREM
IF init(t) THEN FALSE
ELSE P(t) AND Timer(P,timeout)(pre(t))>=timeout ENDIF
= Held_For(P,timeout)(t)
```

```
END TimerGeneral
```



Delayed Trip Controller

- Takes 2 boolean inputs Power and Pressure; output Relay as time predicate
- If power and pressure both exceed the Power Threshold (PT) and Delayed Trip Point(DSP) for  $k\_timeout_1 = 3s$ , then open the relay for  $k\_timeout_2 = 2s$ . The DTS block's cycle time is T = 100ms, which means system inputting and updating every 0.1 seconds

Timing behaviour

- Need to use 2 Held\_For Operators to specify requirements (SRS)
- Nesting of 2 Held\_For Operators is necessary

### Delayed Trip System SRS

Result

| Condition                                                                                       | relay_open |
|-------------------------------------------------------------------------------------------------|------------|
| (PP) Held_For k_timeout1                                                                        | TRUE       |
| $(\neg [(PP) Held\_For k\_timeout1]) Held\_For k\_timeout2$                                     | FALSE      |
| $[\neg (PP) \text{ Held}_For \text{ k\_timeout1}] \land$                                        |            |
| $(\neg [\neg (PP) \text{ Held}_For \text{ k\_timeout1})] \text{ Held}_For \text{ k\_timeout2})$ | No Change  |

#### Delayed Trip System PVS for Requirements

```
DelayedTrip_SRS(P,t,k_timeout1,k_timeout2): RECURSIVE bool=
    IF init(t) THEN FALSE ELSE
LET NoChange = DelayedTrip_SRS(P,pre(t),k_timeout1,k_timeout2) IN
TABLE
    |Held_For(P,k_timeout1)(t) | TRUE ||
    |Held_For(NOT Held_For(P,k_timeout1),k_timeout2)(t) | FALSE ||
    |NOT Held_For(P,k_timeout1)(t) &
    (NOT Held_For(NOT Held_For(P,k_timeout1),k_timeout2)(t))| NoChange ||
ENDTABLE
ENDIF
MEASURE rank(t)
```

#### Delayed Trip System PVS for Design

SDD\_State: TYPE = [# Relay: Relay\_State, Timer1: clock, Timer2:clock #]

```
RelayUpdate(k_timeout1,k_timeout2,CurrentP,S):Relay_State =
LET NoChange = Relay(s) IN
TABLE
|CurrentP & (Timer1(S) >= k_timeout1) | OPEN ||
|NOT (CurrentP&Timer1(S)>=k_timeout1) & Timer2(S)>=k_timeout2 |CLOSED ||
|NOT(CurrentP& Timer1(S)>=k_timeout1) & NOT( Timer2(S)>=k_timeout2) |NoChange||
ENDTABLE
```

#### Delayed Trip System PVS for Design (Continued)

```
SDD(Power,Pressure)(t):RECURSIVE SDD_State =
LET pp = Power(t)>=PT & Pressure(t)>=DSP IN
 IF init(t) THEN (#
                        Relay := CLOSED,
                        Timer1:=TimerUpdate(pp,k_timeout1,0),
                        Timer2:=TimerUpdate(TRUE,k_timeout2,0)
                                                                  #)
  ELSE
(#
        Relay:=RelayUpdate(Power(t),Pressure(t),SDD(Power,Pressure)(pre(t))),
        Timer1:=TimerUpdate(pp,
                            k_timeout1,
                            Timer1(SDD(Power,Pressure)(pre(t)))),
        Timer2:=TimerUpdate(NOT (pp & (Timer1(SDD(Power,Pressure)(pre(t)))>=floor(k_timeout1/T)*T)),
                            k_timeout2,
                            Timer2(SDD(Power,Pressure)(pre(t))) #)
  ENDIF
  MEASURE rank(t)
Timer1_Timer: lemma Timer(P,k_timeout1)(t)=Timer1(SDD(P,k_timeout1,k_timeout2)(t))
Timer2_Timer: lemma
Timer(NOT Held_For(P,k_timeout1),k_timeout2)(t) = Timer2(SDD(P,k_timeout1,k_timeout2)(t))
DelayedTrip_Block :THEOREM
```

DelayedTrip\_SRS(PP,k\_timeout1,k\_timeout2)(t)= OPEN?(Relay(SDD(PP,k\_timeout1,k\_timeout2)(t)))

## Performance and Verification

Objective:

- Improve the performance
- Guarantee the correctness of Optimized Code (Implementation)
- Save the verifier and developer from repeated work

Methods:

- Use PVS theorem prover's rewriting and propositional simplification
- Extend the Systematic Design Verification approach



#### DTS fastSDD implementation

How do you produce the "optimized" version with fewer conditional evaluations?

Define function constant fastSDD of same type as SDD, then try to prove they are equivalent.

```
fastSDD(Power,Pressure)(t):SDD_State
```

```
Optimize: PROPOSITION
fastSDD(Power,Pressure)(t) = SDD(Power,Pressure)(t)
```

You can actually use PVS to produce the optimized code by (skolem!), rewrite the definitions of SDD and TimerUpdate, then (bddsimp) and interpret the unprovable sequents as disctinct case.

There are now some compilers that do this sort of thing for you.

```
IF Power>=PT & Pressure(t)>=DSP THEN
  IF Timer1>=k_timeout1 THEN
             Relay := OPEN,
             Timer2 := 0
  ELSIF Timer2>=k_timeout2 THEN
             Timer1 := Timer1 + T
  ELSE
             Timer1 := Timer1 + T,
             Timer2 := Timer2 + T
  ENDIF
ELSIF Timer2>=k_timeout2 THEN
    IF Power(t) < PT THEN
             Relay := CLOSED,
            Timer1 := 0
    ELSE
             Timer1 := 0
    ENDIF
ELSE
             Timer1 := 0,
             Timer2 := Timer2 + T
ENDIF
```

Pseudo code for "Optimized" Delayed Reactor Trip Example



## Conclusion

- PVS-RT method deliver a guarantee of domain coverage.
- Pre-verified timing properties provide significant aid to PVS-RT method for re-usability and portability
- Formally verified Design Optimization
- Also PVS theorem prover can help to validate the requirements

## Future Work

- Held\_For operator with timing tolerance
- Consider applying different clock rates for data streams in the real-time systems.
- Create a real-time property verification library, including different timing operators.