System correctness under adverse conditions

1 System correctness

The quest for correctness started in the early days of computing, with landmark papers by Alan Turing, Robert Floyd, and Tony Hoare. Then program correctness expressed by flow charts annotated with assertions or by Hoare triples { p } S { q } was in the focus of interest, where S is a program, p a precondition, and q a postcondition. Today, we are concerned with system correctness. It can be expressed by the formula A s m ⊢ ( E n v ‖ S y s ) sat S p e c. Here a system S y s interacts with its environment E n v. Correctness means that their parallel composition ( E n v ‖ S y s ) should satisfy a specification S p e c, where the satisfaction relation sat can have different definitions ranging from Boolean yes/no to probabilistic interpretations. The correctness may depend on certain assumptions A s m on the interaction between system and environment. System correctness is an ongoing concern because the notion of system is advancing, for example a system may comprise multiple cars moving along a road. Application contexts induce adverse conditions, for example limited sensing in traffic manoeuvres.

Examples for such systems can be found in any flavour of the domain of embedded control: in addition to many household appliances of daily use, automated transportation systems, Industry 4.0 applications, or smart health systems are prominent instances thereof. Such systems often implement safety-critical applications which are required to be robust against unexpected situations or component failures. Thus, correctness guarantees are desirable or even mandatory. This is where the Research Training Group on “System Correctness under Adverse Conditions”, abbreviated SCARE, at the University of Oldenburg made and makes its contribution.

A rigorous analysis of the system behaviour under adverse conditions is required in order to prove system correctness, i. e. to prove that the joint behaviour of the system and its environment satisfies a given specification of safety, stability, or liveness properties. In SCARE, we concentrate on the following adverse conditions:

1. limited knowledge, i. e. systems interacting with an environment that is only partially known or imprecisely observed via error afflicted measurements,

2. unpredictable behaviour, i. e. systems that a) exhibit sporadic or persistent errors or component failures caused by design errors, aging effects, or environmental effects occurring at runtime, or that b) interact with an environment that develops unexpected behaviour, and

3. changing system environment and system structure, i. e. systems interacting with an environment changing due to, e. g., physical positions changing over time and thereby changing the ego system’s context which in turn might cause a change of the system structure by enabling or disabling components.

1. formal modeling,

2. verification and analysis,

3. constructive techniques, where formal methods are combined with engineering techniques, in particular the use of machine learning.

2 Contents

This special issue comprises seven overview papers authored by current or past PhD students of SCARE, often together with their supervisors. Each paper has undergone two reviewing and revision rounds.

The topic of safe transportation is addressed in the paper Proving Properties of Autonomous Car Manoeuvres in Urban Traffic by Maike Schwammberger. It defines an abstract model to logically reason about properties of autonomous manoeuvres at intersections in urban traffic. The approach introduces extended timed automata Crossing Controllers that use the traffic logic Urban Multi-lane Spatial Logic to reason about traffic situations. Safety in the sense of collision freedom is mathematically proven. Liveness and fairness properties are examined using the model checker UPPAAL for timed automata.

The analysis of analog and hybrid-state circuits and systems is addressed by three papers.

The paper Bayesian Hybrid Automata: Reconciling Formal Methods with Metrology by Paul Kröger and Martin Fränzle presents a revised formal model for hybrid systems, which combine discrete actions and continuous behaviour. A natural domain of such systems are emerging smart technologies which add elements of intelligence, co-operation, and adaptivity to physical entities. The new model is able to represent state tracking and estimation in hybrid systems and thereby enhancing precision of verification verdicts.

The paper Functional Verification of Cyber-Physical Systems Containing Machine-Learnt Components by Farzaneh Moradkhani and Martin Fränzle addresses the problem of automatically reasoning about systems with artificial neural networks (ANNs) as a major part. The focus is on dealing with activation functions that cannot be modelled any more with piecewise linear functions supported by the majority of satisfiability modulo theories (SMT) solvers and specialized solvers for ANNs. The research uses the SMT solver iSAT which aims at solving Boolean combinations of linear and non-linear constraint formulas, and therefore is suitable to verify the safety properties of deep neural networks which contain non-linear transfer functions.

The paper A Sampling-based Approach for Handling Delays in Continuous and Hybrid Systems by Erzana Berani Abdelwahab and Martin Fränzle considers a more realistic setting for feedback loops in dynamical systems where delays are explicitly modelled. It demonstrates that for continuous systems such as delay differential equations, a major part of the delay-induced complexity can be reduced effectively when adding natural constraints to the model of the delayed feedback channel, namely that it transports a band-limited signal and implements a non-punctual, distributed delay. The reduction is based on a sampling approach which is applicable when the above conditions on the feedback are satisfied.

Aging hardware is studied in the paper Abstraction NBTI Model by Stephan Adolf and Wolfgang Nebel. It addresses one of the major transistor aging effects called Negative Bias Temperature Instability, NBTI for short. This can lead to timing failures during the run-time of a system. The paper proposes an abstract model reducing the state space of trap based NBTI models using two abstraction parameter, applying a state transformation to incorporate variable stress conditions. This transformation is faster than traditional approaches.

The correctness of graph transformation systems is addressed in the paper Infinite-state Graph Transformation Systems under Adverse Conditions by Okan Özkan. To model adverse conditions, it constructs joint graph transformation systems which involve a system, an interfering environment, and an automaton modeling their interaction. For joint graph transformation systems, it presents notions of correctness under adverse conditions that are expressible in LTL (linear temporal logic) or CTL (computation tree logic), respectively. The automatic verification of these correctness conditions, in particular under the concept of well-structuredness of transition systems, is then discussed.

The topic of system synthesis is addressed in the paper Exploiting Symmetries of High-Level Petri Games in Distributed Synthesis by Nick Würdemann. It deals with the problem of automatically generating correct controllers for individual agents in a distributed system. Petri games model this problem by a game between two teams of players on a Petri net structure. The concept of symmetries in Petri nets is transferred to Petri games, and used to create concise high-level representations of Petri games. Petri games can be solved by a reduction to a two-player game. Applying symmetries to the states in this game results in a significant state space reduction.