## HARDENS Final Report

Joseph Kiniry, Alexander Bakst, Simon Hansen, Michal Podhradsky, and Andrew Bivin

Galois

October 2022

## Contents

| 1 | Exe                        | ecutive Summary                                       | 5  |  |  |  |  |  |
|---|----------------------------|-------------------------------------------------------|----|--|--|--|--|--|
| 2 | Inti                       | Introduction                                          |    |  |  |  |  |  |
|   | 2.1                        | Early Modeling Languages: UML and SysML               | 10 |  |  |  |  |  |
|   | 2.2                        | Semantic Modeling                                     | 10 |  |  |  |  |  |
|   | 2.3                        | Verification Competitions: Driving Tools to Utility   | 11 |  |  |  |  |  |
|   | 2.4                        | Grounded Modeling: Connecting Models and Code         | 13 |  |  |  |  |  |
|   |                            | 2.4.1 Disconnected Models                             | 13 |  |  |  |  |  |
|   |                            | 2.4.2 Fully Connected Models                          | 14 |  |  |  |  |  |
|   | 2.5                        | Assurance Cases                                       | 15 |  |  |  |  |  |
|   |                            | 2.5.1 Tool Support for Assurance Case Presentation    | 15 |  |  |  |  |  |
|   |                            | 2.5.2 The HARDENS Assurance Case and its Presentation | 16 |  |  |  |  |  |
| 3 | Model-based Engineering 18 |                                                       |    |  |  |  |  |  |
|   | 3.1                        | Basic Facts of Model-Based Engineering                | 18 |  |  |  |  |  |
|   | 3.2                        | Engineering in the 2020s                              | 18 |  |  |  |  |  |
|   | 3.3                        | Novel Improvements                                    | 19 |  |  |  |  |  |
|   | 3.4                        | Typical Set of MBE Technologies                       | 20 |  |  |  |  |  |
|   |                            | 3.4.1 Modeling Languages                              | 20 |  |  |  |  |  |
|   |                            | 3.4.2 Modeling Environments                           | 20 |  |  |  |  |  |
|   |                            | 3.4.3 Programming Languages                           | 21 |  |  |  |  |  |
|   |                            | 3.4.4 Reasoning Tools                                 | 21 |  |  |  |  |  |
|   |                            | 3.4.5 Specification Languages                         | 21 |  |  |  |  |  |
|   |                            | 3.4.6 Operating Systems and Related Technologies      | 22 |  |  |  |  |  |
|   | 3.5                        | MBE Technologies that Really Work                     | 22 |  |  |  |  |  |
|   | 3.6                        | MBE for High-Assurance Engineering                    | 23 |  |  |  |  |  |
|   | 3.7                        | Gap Analysis                                          | 24 |  |  |  |  |  |
|   |                            | 3.7.1 Market Gaps                                     | 24 |  |  |  |  |  |
|   |                            | 3.7.2 Research Gaps                                   | 25 |  |  |  |  |  |
|   |                            | 3.7.3 Practice Gaps                                   | 26 |  |  |  |  |  |
| 4 | Rev                        | viewing Model-based Systems                           | 27 |  |  |  |  |  |
|   | 4.1                        | Reviewing                                             | 27 |  |  |  |  |  |
|   | 4.2                        | Tool Dependencies                                     | 28 |  |  |  |  |  |

|   | 4.3 | Trust, but Verify                                | 28  |
|---|-----|--------------------------------------------------|-----|
|   | 4.4 | Key Relations                                    |     |
|   | 4.5 | Validating Models                                |     |
|   | 4.6 | Validating Model-Implementation Correspondences  | 39  |
|   | 4.7 | Validating Claims                                | 40  |
|   | 4.8 | Key Questions to Answer                          | 43  |
| 5 | The | HARDENS Reactor Trip System (RTS) Demonstrator   | 44  |
|   | 5.1 | RTS Overview                                     | 45  |
|   | 5.2 | Specifications                                   | 45  |
|   |     | 5.2.1 High-Level System Specifications           | 45  |
|   | 5.3 | The Reactor Trip System's Goals                  |     |
|   |     | 5.3.1 Scope of Work                              |     |
|   |     | 5.3.2 Domain Engineering Model                   | 48  |
|   |     | 5.3.3 Feature Model                              | 49  |
|   |     | 5.3.4 Formalized Requirements                    |     |
|   | 5.4 | System Architecture and Models                   |     |
|   | 5.5 | Executable Behavioral Model                      |     |
|   |     | 5.5.1 Cryptol Model                              | 52  |
|   |     | 5.5.2 Formal Requirements Satisfaction           | 52  |
|   | 5.6 | Behavioral Model-based Interface Specification   |     |
|   | 5.7 | Implementation                                   |     |
|   |     | 5.7.1 Hardware Components                        |     |
|   |     | 5.7.2 Software Components                        | 57  |
|   |     | 5.7.3 Model-derived Components                   | 58  |
|   |     | 5.7.4 Hand-Written Components                    |     |
|   | 5.8 | V & V artifacts                                  | 60  |
|   |     | 5.8.1 Reviewing and Tracing Evidence             | 60  |
|   |     | 5.8.2 Specification Consistency                  | 60  |
|   |     | 5.8.3 Model-based Assurance                      |     |
|   |     | 5.8.4 Kinds of Evidence                          | 62  |
|   |     | 5.8.5 Assurance of the RTS                       | 63  |
|   |     | 5.8.6 Hand-written                               | 66  |
| 6 | Con | clusion                                          | 81  |
|   | 6.1 | What is Next for the RTS                         | 82  |
| A | Lan | do Models                                        | 85  |
|   | A.1 | Top-level RTS Domain Engineering Model Structure | 85  |
|   | A.2 | Project Acronyms                                 |     |
|   | A.3 | System Architecture                              | 88  |
|   | A.4 | System Dataflow                                  | 90  |
|   | A.5 | System Events                                    |     |
|   | A.6 | Project Glossary                                 | 93  |
|   | A.7 | System Hardware                                  | 98  |
|   | A 8 | System Instrumentation                           | 100 |

|              | A.9               | Project Requirements                                | 2 |  |  |  |  |
|--------------|-------------------|-----------------------------------------------------|---|--|--|--|--|
|              |                   | System Requirements                                 |   |  |  |  |  |
|              |                   | System Behavioral Scenarios                         |   |  |  |  |  |
|              |                   | System Test Scenarios                               |   |  |  |  |  |
|              |                   | System Tool Scenarios                               |   |  |  |  |  |
| В            | Lob               | ot Model 11                                         | 0 |  |  |  |  |
| $\mathbf{C}$ | FRE               | T Specification 11                                  | 3 |  |  |  |  |
| $\mathbf{D}$ | Sysl              | MLv2 Model 13                                       | 7 |  |  |  |  |
|              | D.1               | Top-level SysMLv2 Architecture Specification        | 7 |  |  |  |  |
|              | D.2               | RTS Actions                                         | 8 |  |  |  |  |
|              | D.3               | RTS Characteristics                                 | 9 |  |  |  |  |
|              | D.4               | RTS Contexts                                        | 0 |  |  |  |  |
|              | D.5               | RTS Glossary                                        |   |  |  |  |  |
|              | D.6               | RTS Hardware Artifacts                              |   |  |  |  |  |
|              |                   | RTS Implementation Artifacts                        |   |  |  |  |  |
|              |                   | RTS Physical Architecture                           |   |  |  |  |  |
|              |                   | RTS Properties                                      |   |  |  |  |  |
|              |                   | RTS Requirements                                    |   |  |  |  |  |
|              |                   | RTS Scenarios                                       |   |  |  |  |  |
|              |                   | RTS Stakeholders                                    |   |  |  |  |  |
|              |                   | RTS Static Architecture                             |   |  |  |  |  |
|              |                   | RTS Viewpoints                                      |   |  |  |  |  |
|              | D.15              | Semantic Properties                                 | 9 |  |  |  |  |
| $\mathbf{E}$ | Cryptol Model 163 |                                                     |   |  |  |  |  |
|              | E.1               | Top-level RTS Cryptol model                         | 3 |  |  |  |  |
|              | E.2               | Cryptol model of the Actuation Unit                 |   |  |  |  |  |
|              | E.3               | Cryptol model of the Actuator                       |   |  |  |  |  |
|              | E.4               | CRYPTOL model of the Instrumentation Unit           |   |  |  |  |  |
|              | E.5               | CRYPTOL Utility Functions                           |   |  |  |  |  |
|              | E.6               | SAW Model                                           |   |  |  |  |  |
|              |                   | E.6.1 SAWscript to test the Actuator                |   |  |  |  |  |
|              |                   | E.6.2 SAWscript to test the Actuation Unit          |   |  |  |  |  |
|              |                   | E.6.3 SAWscript to test the Instrumentation Unit 17 |   |  |  |  |  |
|              |                   | E.6.4 SAWscript to test the Saturation              | 7 |  |  |  |  |
|              |                   | E.6.5 SAWscript some standard definitions           |   |  |  |  |  |
|              | E.7               | HDL Implementation                                  |   |  |  |  |  |
|              |                   | E.7.1 HDL model of Instrumentation                  |   |  |  |  |  |
|              |                   | E.7.2 HDL model of Actuator                         |   |  |  |  |  |
|              | П 0               | E.7.3 HDL model of Actuation Unit                   |   |  |  |  |  |
|              | E.8               | BlueSpec Implementations                            |   |  |  |  |  |
|              | E.9               | ACSL Model                                          |   |  |  |  |  |
|              |                   | E.9.1 ACSL Model of the Actuation Unit 21           | 1 |  |  |  |  |

## Chapter 1

## **Executive Summary**

This is the final report of the *High Assurance Rigorous Digital Engineering for Nuclear Safety* (**HARDENS**) project. In this project, Galois has developed a high-assurance, safety-critical demonstration system for the Nuclear Regulatory Commission using Rigorous Digital Engineering (RDE). The system in question is a Digital Instrumentation and Control (DI&C) system for Nuclear Power Plants (NPPs), and is called the Reactor Trip System (RTS).

RDE is the combination of *Model-based Engineering*, *Digital Engineering*, and *Applied Formal Methods*. The engineering focus of RDE is broad, as we have used it to perform *software*, *firmware*, *hardware*, *systems*, *domain*, *requirements*, *product line*, *safety*, *and security engineering* of *high-assurance*, *secure-by-design systems*. The HARDENS project includes nearly all of these kinds of engineering, but for security engineering at this time.

To our knowledge, this demonstrator is the most rigorously specified and assured system of its kind that includes formally assured software and hardware for a safety-critical system.

Model-based Engineering focuses on the use of semi-formal and formal models and their properties to describe aspects of a system independent of a particular implementation. Models are connected to each other through a variety of relations (refinement, containment, subtyping/subsumption/implication, traceability, etc.), models are either or both denotational or operational (and thus executable), and models are used to specify, examine, understand, and reason about a system well-prior to a line of code ever being written. Models are used for rigorous validation—through automatic model-based test bench generation and bisimulation—and formal verification—through automatic model-based verification bench generation.

The models used in HARDENS include, from most to least abstract:

- a Lando high-level system specification model, which includes within it:
  - a domain engineering model,
  - a requirements engineering model, which includes:

- \* derived certification requirements,
- \* contractual requirements,
- \* safety requirements, and
- \* correctness requirements.
- a product line (feature) model,
- a static system model,
- a dataflow model of the RDE methodology,
- a system event model,
- a system scenario model (including all normal and exceptional behaviors),
- a hardware, software, and evidence Bill of Materials (BOMs),
- a SysMLv2 system model, which includes within it, as refined directly from the Lando model:
  - a stakeholder model,
  - a domain engineering model,
  - a requirements engineering model,
  - property specifications for all correctness and safety properties derived from the formal requirements model,
  - a product line (feature/variant) model,
  - a static system model that includes both the software and hardware manifestations of the system,
  - a system action model, and
  - a validation and verification assurance case model.
- a formal requirements model expressed in JPL's FRET tool, as refined from the Lando and SysMLv2 requirements models above,
- a Cryptol model of the entire system, including all subsystems and components, including formal, executable digital twin models of the system's sensors, actuators, and compute infrastructure, and this Cryptol model includes a refinement of all formal requirements from FRET into Cryptol properties (theorems) about the Cryptol model itself,
- a model of the semantics of the RISC-V instruction set,
- a model-based specification of critical portions of the RTS's software stack expressed in ACSL,
- an executable and synthesizable Bluespec System Verilog model of a family of RISC-V-based SoCs, and
- a System Verilog executable and synthesizable model of a simple, in-order 32-bit RISC-V CPU (NERV, from YosysHQ).

Digital Engineering focuses on the use of digital twins of physical systems, subsystems, and their components. A digital twin is typically an executable model that has known and measurable objective fidelity in relation to the models or systems that relate to the twin. For example, an executable Cryptol or SCADE model are a digital twins.

The HARDENS system includes several digital twins, including simulation and emulation of the system hardware (CPUs and SoCs), software implementation, and system model.

Applied formal methods are the sensible use of formal methods concepts, tools, and technologies to formally specifying and reasoning about systems and their properties. In the context of RDE and the HARDENS project, we use formal methods to achieve the following assurance:

- critical components of the RTS are automatically synthesized from Cryptol model into both formally verifiable C implementations and formally verifiable System Verilog implementations,
- automatically generated C code and hand-written implementations of the same models are used to fulfill safety-critical redundancy and fault-tolerance requirements, and all of those implementations are formally verified both against their model, as well as verified against each other as being equivalent, using Frama-C and Galois's SAW tool,
- the RISC-V CPU is formally verified against the RISC-V ISA specification using the Yosys open source verification tool,
- the RISC-V-based SoC is rigorously assured against the automatically generated end-to-end test bench,
- the formal requirements specified in FRET are formally verified for consistency, completeness, and realizability using SAT and SMT solvers,
- the refinement of these requirements into Cryptol properties are used as model validation theorems to rigorously check and formally verifying that the Cryptol model conforms to the requirements,
- the Cryptol model is used to automatically generate a component-level and end-to-end test bench (in C) for the entire system, and that test bench is executed on all digital twins and (soon) the full hardware implementation as well, and
- all models and assurance artifacts are traceable and sit in a semi-formal refinement hierarchy that spans semi-formal system specification written in precise natural language all of the way down for formally assured source code (in verifiable C), (a side-effect of the optional use of CompCert) binaries, and hardware designs (in System Verilog and Bluespec System Verilog).

While there are numerous relevant artifacts contained in this report and in the project repository, this project's focus was not on correct-by-construction techniques nor on the assurance case for a model-based system. Such work is likely the focus of future, follow-up projects.

The appendices of this report are automatically generated from the project artifacts using the *RDE Refinement Finder* tool, developed in parallel with this project. As such, a large fraction of refinements embodied in the RDE process and methodology are discovered and hyperlinked therein, permitting one to navigate the project specifications, implementations, and assurance evidence via a PDF.

Clearly there is a lot more that such a tool can accomplish with further revision. The tool highlights when the RTS artifacts themselves are not in full alignment via refinement, so as this system sees future development and evolution, it will undoubtedly drift decidedly toward complete refinement via RDE.

## Chapter 2

## Introduction

Models have been a part of computer science since its very beginnings. Naturally, given that computer science is the daughter of mathematics, many early models were defined with foundational mathematics and logics, such as set theory and type theory.

Such models, while useful for describing and analyzing conceptual artifacts, are very often far from the day to day artifacts of engineering, such as the source code of an application or the design of a printed circuit board. Thus modeling languished into narrow subdisciplines of computer science, mainly those called "formal methods" and "programming languages."

Other disciplines of engineering, such as structural and mechanical, needed their models to be closer to reality decades before it was necessary in computer science. Partly this timing was driven by the real world requirements of the field: a bridge must withstand normal and extraordingary environmental forces on it for its lifespan. Partly it was driven by the cost of early mistakes and failures: correcting a building mistake is very costly in materials and time. Partly it was driven by matters of scale: e.g., the need to manufacture thousands of identical widgets as a part of a production line.

But mostly it was due to matters driven by external societal requirements due to the safety-centric nature of engineered structures, such as liability insurance, contractual culpability in the case of structural failure, and, indirectly, manifested in the form of engineering certifications.

Unlike much of software engineering, structural engineers do not get to "wing it" while building that bridge, changing their mind as they go because of earlier mistakes made in a rush. If the bridge collapses, they do not just shrug and try something again. It is not virtuous to define a team's goals every week and rush toward those goals, demonstrating that that frame of a house somehow resembles what the concrete structure will someday look like.

Over the past twenty-five years, models in computer science—particularly in software and hardware engineering—have crept closer and closer to the found, reused, and created artifacts of engineering. In the 1980s, models resembled code only if one squinted right through a very abstract lens; in 2022, models

#### 2.1 Early Modeling Languages: UML and SysML

The rise of popularity of object-oriented languages in the early 1990s was a catalyst for the rapid creation of, experimentation with, and standardization of a host of modeling languages, such as the Unified Modeling Language (UML) and its ancestors and predecessors. While millions of models were described with UML, rarely would two model readers or writers precisely agree upon what their shared model meant.

The fundamental reason why there are these kinds of disagreements is that UML was created *without a formal semantics*. Semantics give meaning to things—models and code—and without semantics, everyone, and every tool, is free to interpret the meaning of a concept in their own way. UML did have a *specification*, but it was written in English and was full of omissions, ambiguities, and contradictions.

In the early 00s, researchers from several institutions spent years formalizing parts of UML, but in the end there was no agreement upon what constituted **the** semanatics for UML, and few-to-no tools paid attention to semantics-centric research. This lack of formal foundation would come back to haunt not only those that tried to apply UML to rigorous software engineering, but also the future of systems engineering.

In the early 00s, development on the System Modeling Language, SysML, began. SysML was created as a *profile* on top of UML, thus it could both extend and leverage UML in a variety of ways: principly to design SysML's meta-model, to include a subset of UML diagrams about which there was already substantial use and practical agreement of utility. Unfortunately, because UML's lack of widely agreed upon semantic underpinnings, SysML took UML's albetross and fattened it up.

Consequently, SysML (version 1, hereafter written as SysMLv1), while widely deployed now within industry and the DIB, is mainly used to specify the simplest and least semantic of system properties: static architectures, structured system requirements, and a small subset of behaviors at best.

Thus, in the end, UML and SysMLv1 are widely used, but are not "meaningful" in a formal sense, since they do not have accepted semantics that are concretized in tools, and have few means by which to connect models and code, as discussed later in section 2.4.

### 2.2 Semantic Modeling

In order to have "meaningful" models, models must be written in languages that have a formal description which is amenable to automated or interactive reasoning. A formal description typically must include: (1) a concrete and abstract syntax, (2) that syntax may be either or both textual and graphical, (3) a

type system which denotes which specifications are well-formed and meaningful, and (4) one or more semantics (axiomatic, operational, or denotational) in order give meaning to any specification.

Also, in order to be a *useful* modeling language, the language must also have (5) tools which support the efficient writing, rendering, type checking, and dynamic or static reasoning about specifications.

Many modeling languages have been invented over the decades that fulfill some of these requirements, and some of those modeling languages fulfill all of these requirements. Some of the more popular and high-impact high-level modeling languages that fulfill all of these requirements include (in alphabetical order): Alloy, B, BON, Event-B, Maude, OBJ and its daughters, SCADE (and its ancestor, Lustre), SPIN, UPPAAL, VDM and its daughters, Z and its daughters.

Formal specifications can also be written directly in logic. Logics come in various flavors, each with an increasing about of expressiveness that comes with an automation tradeoff: propositional logic is less expressive than first order logic (FOL), which is less expressive than second order logic (SOL), which is less expressive than higher order logic (HOL). The most popular tools that provide support for what amounts to "logical" modeling languages for these different logics include a variety of SAT (Boolean SATisfiability) solvers, Satisfiability Modulo Theory (SMT) solvers, FOL and SOL solvers, and Logical Frameworks (LFs) such as Coq, Isabelle, LEAN, and PVS.

Formal specifications written in these languages are necessarily "reasonable", as one must specify every single thing about a language for the tool to be 'ok' with its use. Of course, those languages that are only specified in an LF nearly always force one to interactively reason about specifications and their models, which is a complicated and sometimes expensive proposition at best. Languages that have both a complete HOL semantics and are supported by automated reasoning tools hit the sweet spot of well-foundedness, completeness, and usability.

# 2.3 Verification Competitions: Driving Tools to Utility

Formal modeling and reasoning tools are a dime a dozen. Over the years, hundreds of tools have been created to explore various specification and reasoning challenges and different domains. For a time, there was little coherence or coordination across the domain, thus to use two tools, one had to learn two input languages, and both tools' behaviors and capabilities.

Over time, this fragmentation was recognized as an impediment to transition and the joint/mutual use of multiple tools for a single problem or system. Thus, a consolidation of input formats began to occur.

Some input formats were determined by parties outside that of the modeling and reasoning community. If one is going to reason about programming language X, your tool has to be able to read and understand X.

Other input formats were created with the express intent of having a shared language or platform across a subdomain of modeling or reasoning. Subcommunities of researchers came/come together to define modeling and specification languages by combining the best ideas of earlier work, and these shared languages provide the commonality necessary to enable multi-faceted modeling and reasoning.

Once this commonality came to pass, soon after contests associated with conferences emerged as a means by which to compare apples to apples in reasoning communities. Contests drive R&D teams in two ways. First, contests provide a means by which to challenge the community with new kinds of reasoning goals: goals of scale, new theories, new properties, etc. Second, contests drives teams to aggresively explore new algorithms, internal representations, programming techniques, and more in order to achieve community goals.

As a consequence, several different verification contests now regularly run spanning various branches of modeling and reasoning. For example, a few of the more prominent competitions include SV-COMP, MCC, SAT, SMT-COMP, and VerifyThis.<sup>1</sup>

SV-COMP is the "software verification" competition, which focuses on general-purpose tools for modeling and reasoning about software written in the C programming language. MCC is a competition that focuses on general-purpose model checking, mainly specified via a modeling formalism called Petri nets. SAT is the longest running competition, which focuses on problems in Boolean SATisfiability—a foundational abstraction used by many reasoning techniques. SMT-COMP complements SAT, insofar as it focuses on reasoning about the satisfiability of models, modulo various algebraic theories. Finally, VerifyThis is the big-picture, general-purpose competition that permits teams to use any approach the like to specifying and reasoning about models and implementations.

Modern advanced modeling and verification was enabled by four key environmental factors: (1) mathematical sophistication sufficient for real world program reasoning, reinforced by mechanized reasoning environments, (2) the researcher community's willingness and bravery to tackle real world programming and modeling languages, (3) the dramatic rise in computational resources (primarily the Gb boundary, as the sweet spot of productivitity hit once RAM sizes passed 1 Gb and CPU performance passed 1 GHz), but perhaps most importantly, (4) the competitive nature of these competitions, pushing research teams beyond the threshold of academic publication, and toward usability and robustness.

<sup>&</sup>lt;sup>1</sup>There are many other competitions, many of which are summarized and enumerated on Alastair Reid's Verification Competitions blog post.

# 2.4 Grounded Modeling: Connecting Models and Code

While there are many kinds of modeling and reasoning, only a small fraction of modeling and reasoning is about *implementations*.

Partly this is due to the historic trends of research communities. Many, perhaps even most, lines of work in modeling and reasoning are classically grounded in the research area called *formal methods*.

Formal methods is the application of logical or mathematical techniques to the specification and reasoning of systems. Since formal methods is wholly grounded in formality via mathematics, it is no surprise that most of the early formal methods researchers were mathematicians. But for decades, "programming" was viewed akin to bricklaying, and thus was uninteresting to mathematicians-cum-computer scientists. Consequently, and perhaps surprisingly, the vast majority of modeling languages and their reasoning tools have little to nothing to do with *programs*.

Modeling languages and tools that have no direct connection to code are not inherently flawed, or the wrong tools to use. They can be used very effectively to reason about critical aspects of systems, especially systems whose models are terrifically complex, such as those that exhibit large amounts of concurrency. Likewise, thinking and reasoning at a more abstract level (at least, more abstract than raw code), or in a domain specific fashion, is commonly enormously more effective and scalable than reasoning about implementations in general purpose programming languages.

#### 2.4.1 Disconnected Models

But in doing so, one must ask, "How is the analysis obtained by this language or tool affected in the system which it purports to describe?" More often than not, these kinds of "disconnected" models fall into two usage categories.

The first, and least authentic and useful, is what we will call "slideware." Models are created, rendered, and shown in documentation and presentations (thus, "slideware"), but they have little or nothing to do with the systems that are built. This usage scenario is typified by the creation of complex *static* models of systems—models that explain the parts of a system and how they interconnect, for example—but no *dynamic* or *behavioral* descriptions of the system, explaining what it does, or how it operates.

The second kind of commonly seen "disconnected" model is a model that is rich, authentic, and demonstrates aspects of a system, and yet has no strong connection, even informal, to the system implementation. This situation is commonly mitigated by putting into place a rigorous process and/or methodology that attends to ensuring that model elements and properties are traceable to system implementation elements and properties.

There are international standards, such as the ISO 90000 family of process standards and the ISO 27001 information security standard, that focus on

describing and evaluating rigorous processes. Likewise, there are certification regimes that mandate rigorous processes and methodologies, such as the FAA DO-178 series of standards for aircraft safety.

While such standards can be effectively used to maintain a connection between authentic models and implementations, doing so requires diligence and excellent development and collaboration environment support for facilitating, reinforcing, and checking such human-in-the-loop processes. This pratice is also typically fairly resource intensive from a developer or compliance effort point of view.

#### 2.4.2 Fully Connected Models

Fully connected models, on the other hand, are models whose relationship to implementations is direct and is checked by reasoning tools. Connected models come in three flavors.

Code Generated from Models. The most common fully connected model is witnessed in specification systems that include code generators.

Some code generators only turn model abstractions into code abstractions, such as UML-based code generators that convert class diagrams into type declarations, such as Java classes or interfaces or C++ header files.

Other code generators are capable of translating behavioral specifications of algorithms into fully functional implementations, such as the code generators for Cryptol and SCADE.

Finally, some logical frameworks are able to generate code, converting specifications, implementations, and proofs in logic into implementations in languages like OCaml, Haskell, Scala, and C.

In all three of these scenarios, untouched code generated from a model is meant to be in full, traceable alignment with that model. What "alignment" means is very much dependent upon the tool and the goals of code generation, ranging from "they look about the same" to "all properties of the formal model are guaranteed to hold for the generated code."

Models Abstracted From Code. A second kind of fully connected model is witnessed when models are abstrated from code. More generically, they are abstract models lifted from more concrete models or code, as the relationship need not be only between models and models.

Some tools that support UML support model lifting (in the form of class, object, sequence, and collaboration diagrams) from source code. Many of Galois's formal reasoning tools lift models from source code, binaries, or intermediate representations, such as LLVM.

These kind of fully connected models are the dual of the first case: untouched abstract models generated from more concrete models or code are meant to be in full, traceable alignment. And, as before, what "alignment" means varies considerably across technologies.

Models and Code in a Refinement Relation. A final kind of fully connected model-model or model-code relation is that of a refinement relation. *Refinement relations* are relations that preserve specific, well-specified sets of properties across the relation.

What kinds of properties are, or can be, preserved very much depends upon the refinement, and thus on the nature of the two sides of the relation. The idea of refinement is discussed a great deal more in later chapters.

#### 2.5 Assurance Cases

Assurance cases describe a system, its purported properties, and the evidence that the system conforms to the properties. They are widely used in safety-critical and national defense domains, especially in sectors defined as nationally critical infrastructure.

A given assurance case focuses on a specific set of concerns. For example, one flavor of assurance case focuses on the *correctness* of a system, a second might focus on the *dependability* of a system, and a third might focus on the *safety* of a system.

Assurance cases commonly are stated and argued entirely informally. These kinds of "classical" cases are precisely written natural language documentation—say a large Microsoft Word document printed on paper which contains some figures, tabled, and a complementary Excel spreadsheet which explains traceability—that are read, reflected upon, and judged by subject matter experts.

It is not uncommon for such an informal assurance case to accompany a snapshot of part of the system it describes; say, for example, a printout of some of the system's source code. While assessors that are judging the quality and validity of the assurance case may, on occasion, examine those engineering artifacts, this is more the exception than the rule.

Only in the most rigorous safety-critical and security-centric certifications, such those of Common Criteria and the NSA, and their respective assurance cases are system engineering artifacts deconstructed and examined by experts carefully, often with some computational tool support.

#### 2.5.1 Tool Support for Assurance Case Presentation

There are a broad range of assurance case presentation research tools that have been created over the past few decades. Each focuses on a different kind of structured assurance case, or is targeting a particular domain. In general, few are robust, scalable, and supported, and until recently, none included support for formal specifications and verification.

The recent ARCOS DARPA program program focused on this problem. It is meant to build a general-purpose assurance case database and reasoning system that can be used to help explain and vet the kinds of systems that the Department of Defense regularly buys and builds. ARCOS is not yet ready for

use on a system like HARDENS, but should be soon.<sup>2</sup>

Assurance cases use a variety of notations for presentation, such as Goal Structured Notation (GSN) and the Claims Argument Evidence (CAE) notation. Many tools focus on the idea that an assurance case is a model in and of itself, and one should be able to generate "classical" informal and semi-formal written artifacts directly from such a model.

Automation (re-)generation of evidence and reports is a boon to teams that must regularly go through a certification gauntlet, saving time and effort. And in combination with collaborative development tools, when used properly, can help track development, changes, artifacts, and evidence. After all, hand-writing assurance cases, even after reusing templates and boilerplate text, as we often see in evidence submitted with NIST FIPS-180 certification for example, is a very time-consuming an expensive proposition.

Such automation to check the process-centric boxes of the past is now, recently being complemented by automated, computational means by which to check and re-check assurance claims. Automatic claim checking is meant to be largely familiar to traditional software because it looks and feels like a test bench.

## 2.5.2 The HARDENS Assurance Case and its Presentation

The HARDENS project demonstrates this kind of automation in spades, using *Rigorous Digital Engineering* to state claims, build arguments, and demonstrate evidence. Evidence comes in several flavors, from structured, traceable design decisions to runtime verification using dynamic evaluation of models (also known as digital twins) and code to full formal verification using theorem proving.

Going into this project Galois wanted to explore using existing assurance case tools that have been developed by and for other agencies, such as NASA's AdvoCATE tool. But given the project's size and budget, we decided early on to simply present the assurance case directly in the project artifacts, and describe in this report how to read, understand, and evaluate those artifacts through example.

Several Eclipse-based frameworks (in addition to AdvoCATE), such as ACEdit, SafeEd, and AutoFocus3, have been created to implement fragments of GSN. Other open source or freely available tools that have novel features include Cert-Ware, D-Case, EviCA, ACCESS, DiaSAR, the Evidential Tool Bus (ETB), and WEFACT.

Mature commercial are fewer in number, and include the widely used ASCE, Astah GSN, NOR-STA Assurance Case Tool, the Safety Case Toolkit (SCT), TurboAC, and Safety.Lab.

Denney and Pai [DenneyPai18] contains a good overview of the state of various commercial, research, and open source tools.

<sup>&</sup>lt;sup>2</sup>Galois is a performer and evaluator on the ARCOS program, and is working with DIB partners on evaluation and transition of ARCOS's technologies.

If Galois continues to work with the NRC on formal assurance case development and presentation—especially with Rigorous Digital Engineering—we recommend that we jointly choose one of these existing tools as a foundation for future experimentation and use.

In addition to performing on the ARCOS program, at Galois we currently use the *Resolute* language and tool from Collins Aerospace on the DARPA CASE project. Its use is inappropriate for the HARDENS project as Resolute is a specification language concretizes as an annotation annex for the AADL system specification language. While we use AADL on a number of projects at Galois, given the size and budget for this project, we chose not to demonstrate it in the HARDENS demonstrator. AADL was mentioned in our proposal, and fits into system specification below SysML, as it is most often used to precisely specify an embedded system's structure and behavioral, especially in mission-critical settings.

Consequently, especially given the document-centric framing mandated by the NRC, we use a generic-but-rich means by which to state our model-based assurance case. The whole of the argument is grounded in the primary document that frames the project: the original NRC RFP. From that single source we derive all artifacts relevant to the system and its goals and properties, including international standards, research papers, relevant software and hardware, and more.

## Chapter 3

## Model-based Engineering

Several very good books have been written about model-based engineering (MBE) [2, 1, 3], though few focus on rigorous MBE that is grounded in the use of applied formal methods.

Model-Based Engineering (MBE) is fundamentally just engineering that uses models. By *engineering*, we mean any kind of engineering: software, firmware, hardware, systems, safety, security, etc. *Models* are conceptual abstractions of physical or digital phenomena.

Marketing information about products and services often talks about MBSE, which is ambiguous. MBSE can mean Model-Based *System* Engineering or Model-Based *Software* Engineering.

MBE *augments* other forms of engineering, like those mentioned above, and is *mandatory* for verification of high-assurance systems, and *complements* digital engineering with digital twins.

### 3.1 Basic Facts of Model-Based Engineering

MBE is not a panacea, a silver bullet, or a joke. Its use on a project says very little, other than the project team uses moderately advanced development tools.

MBE often means, at least, that (1) some abstractions are written down that describe a system under development, (2) repetitive, boilerplate code that programmers are prone to get wrong is automatically generated, and (3) the environment in which a system operates and evolves is taken into account.

### 3.2 Engineering in the 2020s

Engineering today, especially for embedded systems, looks a lot like it did in the 90s. Programmers like to program, after all, and documentation is often out-of-date.

Unfortunately, the abstractions taught in CS, ME, and CE programs—state machines, grammars, regular languages, and more—are rarely explicitly used

by programmers to create systems.

The C programming language and antique ISAs (e.g., x86 and ARM) are in widespread use, and hardware design languages (HDLs) standardized twenty years ago (e.g., SystemVerilog) are still not widely adopted.

Moreover, in our experience, hardware engineers are loath to learn new HDLs (Chisel, BSV, SystemC, many others) because hardware design firms are extremely risk adverse. Most firms would rather keep using something that has worked for decades than take a shot at a new technology or design flow, even if it might save money, decrease effort, or increase quality. To put a point on it: hardware engineers still use hardware print statements, debuggers, and laborious testing to check correctness.

Rigorous specifications—even boring old assertions—are unheard of, especially anything formal, such as the Java Modeling Language or SystemVerilog Assertions (SVA). In fact, it is fair to say that the vast majority of projects never use, or perhaps have even heard of, the MBE-centric Design-by-Contract methodology introduced in the early 1990s.

#### 3.3 Novel Improvements

Over the past two decades there have been a number of technology improvements that has led to the ubiquity and impact of MBE. In the early days of MBE (back in the 1990s), MBE was often viewed as being too demanding for mainstream computing, both computationally (it impacted performance too much) and resource-wise (it used too much memory or storage).

Fast forward twenty-odd years, and hardware is faster and cheaper than ever. Who would have thought that pre-teens would carry around a multi-core, multi-gigahertz device (a supercomputer!) in their pockets?

New programming languages that are great for safe, embedded software engineering are breaking through, such as the Rust programming language. It is no longer necessary to implement embedded systems in assembly language or C in order to achieve high performance.

A new open, unencumbered Instruction Set Architecture (ISA) called RISC-V has catalyzed an explosion of novel hardware design for the masses. There are dozens of RISC-V CPUs and SoCs on the market, and the software ecosystem behind RISC-V is as large, rich, and stable as that of any other mainstream ISA.

RISC-V, in tandem with the rise in small, community-backed projects like those found on Kickstarter and via CrowdSupply, has created a new generation of open hardware developers. *Open hardware*, the brethren of the open software movement, has even become respected in many industry and government circles, including in U.S. Government agencies that are particularly concerned about reliability (e.g., Sandia National Labs) and security (e.g., the NSA).

Complementing the rise in open hardware, reprogrammable hardware (e.g., FPGAs) is widely available, well-understood, and adopted. DoD platform architectures today regularly witness the use of FPGAs to replace what was once

realized by expensive, underutilized general purpose processors. These new hardware-based architectures are higher performance and have much better power-performance ratios than their software predecessors.

Finally, Domain Specific Languages (DSLs) and Domain Specific Architectures (DSAs) have proliferated and increased productivity and quality.

#### 3.4 Typical Set of MBE Technologies

The core set of MBE technologies that are widely used includes modeling/specification languages, modeling environments, programming languages, reasoning tools, and operating systems. Here we enumerate the most prevalent of these that are in use today.

#### 3.4.1 Modeling Languages

Classical "modeling languages" are used to describe software systems and their environment. The dominant three modeling languages of this ilk are:

- UML: Unified Modeling Language. UML is mainly used to model software systems, both at a high level (e.g., domain models, requirements, viewpoints, etc.) and at a design level (e.g., classes and modules and their interfaces and APIs, and dynamics of a software system). Some UML tools permit the generation of software from specific UML artifacts (e.g., class diagrams), or the extraction of such artifacts from source code. UML was introduced in the mid-90s and is still in use today.
- AADL: Architecture Analysis & Design Language. AADL is mainly used to model embedded, sometimes real-time, systems, including their software, firmware, and hardware components. AADL tools often include powerful reasoning features and some include code generation. AADL was introduced in the early 00s and is in use in mission-critical sectors.
- SysML: System Modeling Language. SysML is used to model complex systems at a high-level, including their environments, software, firmware, hardware, and physical manifestations. SysML version 1, introduced in the early 00s, is a *UML profile*, and thus rests on UML as a foundation (for good and ill). SysML version 2 is under development at this time and decouples itself from UML. It should see standardization in 2023 and adoption soon thereafter.

#### 3.4.2 Modeling Environments

Modeling environments are tools that permit the creation of, editing of, generation of, and reasoning about, models. Some modeling environments support only a single modeling language. Others support multiple languages, usually through some kind of extension mechanism. Commercial environments often

costs hundreds or thousands of dollars per-seat and their cost is usually not public, but is instead negotiated on a case-by-case basis by their vendors.

The dominant environments in use today are as follows.

- IBM Rational Software
- Dassault Systèmes Cameo Systems Modeler
- Eclipse Software Foundation's Eclipse
- NI LabVIEW
- Vitech's GENESYS
- MathWorks System Composer, MATLAB, and Simulink
- Sparx Systems Enterprise Architecture
- OpenMBEE
- Ansys ModelCenter and **SCADE**
- BigLever onePLE

Those environments and tools in **bold** are de facto in various government agencies and large engineering firms with which we are familiar.

#### 3.4.3 Programming Languages

There are a host of programming languages widely used in the MBE domain. The two main sub-classes of languages are:

- various subsets of C (MISRA, verifiable), or
- safety-centric languages such as Rust, Safety-critical Java, and SPARK.

#### 3.4.4 Reasoning Tools

There are hundreds of MBE reasoning tools available today.

The main companies that develop and support such tools are: AbsInt, Galois, Microsoft, GrammaTech, Perforce, Parasoft, MathWorks, SonarSource, Ansys, Cadence, Synopsys, and Siemens.

#### 3.4.5 Specification Languages

There are a few dozen main specification languages in use today. These are, in the main, domain specific languages which permit the detailed specification of the behavior or structure of a system, and many have an underlying semantics (or two).

The main languages in use today includes: MATLAB, Simulink, SCADE, Statecharts, Java Modeling Language, CodeContracts, Cryptol, and SystemVerilog Assertions.

#### 3.4.6 Operating Systems and Related Technologies

There are just a few dominant operating systems (OSs) used in MBE. While mainstream OSs like various BSD flavors, Linux, macOS, and Windows are used as development platforms, and sometimes deployment platforms, for MBE, more often one sees MBE used for embedded systems engineering where such heavyweight OSs are ill-fitted.

The main go-to realtime/embedded OSs come from proprietary vendors such as Alteronic, Green Hills Software, Lynx, Segger, QNX, Wind River, or are open source and come from foundations—such as the Apache Foundation—or communities with corporate support, such as FreeRTOS/SafeRTOS—which is now supported by AWS—or MuttX, RTEMS, Zephyr.

Operating systems are complemented by various hypervisors, microkernels, and similar underlying technologies, some of which are widely used even without operating systems. The best examples of these technologies in deployment are seL4, MirageOS, Xen, QEMU, and KVM.

#### 3.5 MBE Technologies that Really Work

Just because a technology is mentioned earlier does not mean that it is fit for use in developing a high-assurance system, such as the control and protection subsystems of a nuclear power plant. In fact, some MBE technologies (e.g., the use of UML without a model-code connection or the use of OCL contracts) are viewed as being more trouble than they are worth in some settings, particularly if a team is not fully bought into MBE.

The kinds of MBE technologies that we see in the field as really working well and are effective for saving time and effort and increasing quality are as follows.

- data modeling and database generation, evolution, and management (Ruby on Rails and other tools),
- user interface design and behavior (e.g., Apple's Xcode, numerous tool-s/frameworks for Web 2.0)
- lexer and parser generators for language design (e.g., ANTLR, yacc/bison, flex/lex, XText, MPS)
- algorithm and protocol specification and reasoning systems (e.g., Cryptol, F, Ivy, ProVerif, CryptoVerif, FDR)
- Design-by-Contract and assurance of software (SPARK, JML, CodeContracts, Dafny, Kotlin), and
- Design-by-Contract and assurance of hardware (SVA, BlueCheck, One-Spin, Jasper, Formality, etc.)

#### 3.6 MBE for High-Assurance Engineering

Very few MBE technologies with a focus on mission-/safety-critical systems have been commercialized. Those that have have fairly small customer bases of dozens to hundreds of individuals/firms, rather than two or three orders of magnitude more, as is the case with mainstream development tools.

Numerous MBE technologies exist that are applicable to high-assurance engineering, but have no corporation solely supporting their use, and are mostly supported by ICs and SMEs. Examples of tools and technologies that are suited for high-assurance engineers are as follows. Those that are blessed and widely used in the DoD are highlighted in **bold**.

- design environments from **Dassault**, CMU SEI (**OSATE2** and Oquarina), Vitech, Sparx, **IBM**, **Ansys**, **Siemens**, Visual Paradigm, PTC, etc.
- reasoning tools from AbsInt, Galois, GrammaTech, Ansys, Runtime Verification, etc.
- logical frameworks such as Coq, Isabelle, Lean, and PVS,
- classical formal methods such as B, Event-B, VDM, and Z,
- modeling intermediate representations such as **Boogie**, **LLVM**, **ZIMPL**, **SAT**, and **SMT-LIB**,
- constraint, SAT, and SMT solvers such as CVC, MiniSAT, Yices, Z3, and many others,
- open source development and modeling environments (OpenMBEE, Eclipse, VS Code, etc.), model checking tools (Alloy, CBMC, SPIN, UPPAAL, FDR4, SPIN, TLA+), hardware verification tools (QED, Yosys, etc.), and
- numerous MBE technologies have been funded by the DoD, IC, and NASA such as Cryptol, SAW, Crux, AADL, CASE, ARCOS, CoPilot, AdvoCate, etc.

The state-of-the-art in MBE in 2022 outside of the mainstream commercial realm is mainly found in the list above. These tools are mainly focused on DSLs and DSAs (e.g., the model checking tools mentioned above, Cryptol, and SAW), they include model-lifting and reasoning features (e.g., SAW and Yosys), code generation and reasoning features (e.g., Cryptol and SAW), model-based runtime verification/testing, BISLs and model-based software engineering (the aforementioned JML, SPARK, etc.), or HLS/UVM/SVA for model-based hardware engineering.

#### 3.7 Gap Analysis

Today's MBE tools have seen thirty years of evolution, are powerful, very useful in commercial product development, often save developer and development time and money, and continue to evolve to work with new platforms, languages, and tools. Even so, there remain many practical and research gaps between today's tools and the vision of wholly integrated, high-assurance model-based enginering. This section summarizes many of those gaps, particularly with regards to the demands of high-assurance, safety-critical systems engineering.

#### 3.7.1 Market Gaps

As discussed in section 3.6, there are insufficient customers in high-assurance engineering to support a rich ecosystem of tool providers, platforms, and products.

Part of the problem is that, in the large, software engineers expect tools to be free, and historically virtually all commercial model-centric tools have been prohibitively expensive. Thus, most software engineers have little-to-no experience with using high-end commercial tools, and thus do not appreciate their utility.

Additionally, there is a pipeline problem in the discipline. While MBE has been around for thirty-odd years, few students graduate with knowledge of MBE because most universities have very few to no courses in the topic.

Corporate adoption of MBE also holds back the field. As with many engineering disciplines whose focus is largely on making money, the good is the enemy of the best. While MBE is used successfully by many companies as a market advantage, it does not see widespread use because the market awards first-to-market products, many firms get away with creating throw-away products poorly and quickly, and thus eschew not only models, but any other artifacts that help with long-term maintainability or correctness, such as documentation and rigorous testing.

Another challenge in the market is that of usability. Easy-to-use products are much more widely adopted than harder-to-use-but-more-impactful products, and unfortunately, none of the existing high-end MBE products seem to have seen any user-centric design.

Historically we have seen some IEEE/ISO standards and specific tools adopted due to compliance and certification mandates (e.g., SCADE or AbsInt tools for development that is meant to be assured under FAA DO-178). But compliance and culpability are not (yet) forcing functions in the world of MBE because no large agency or program has mandated their use. This may change soon, with the evolution of the U.S. Government's Digital Engineering strategy and modernization goals across the DoD, but for the moment, major DIB firms are largely holding pat on development tools, processes, and methodologies of two decades ago.

Finally, mission-/safety-critical industries are risk adverse. MBE, while decades old, represents a fundamental shift in the means by which systems

are created. Adopting MBE means developers learning at least one or two new languages, development platforms, testing frameworks and methodologies, and verification tools. Shifting a workforce to a new language is hard enough; shifting to a whole new way of thinking about design, implementation, validation, and verification is another thing entirely. Consequently, we should expect to only see new entrants and greenfield products using MBE, rather than large, old, traditional firms.

#### 3.7.2 Research Gaps

There are just over a dozen widely-recognized research challenges that have stifled more widespread adoptions of MBE over the past few decades. Many of these challenges are the focus of specific academic and industrial research programs, particularly at Galois, and historically in the academic career of one of the authors (Dr. Kiniry).

Each research challenge is only tersely summarized here, as explaining each of these in any degree of detail represents a section of material.

- 1. usable semantics that refine between levels
- 2. usable and useful traceability with semantics
- 3. reversibility of traceability
- 4. ambiguities in interpreting English into models
- 5. connecting semi-formal and formal models
- 6. consistency between text and graphical models
- 7. specifying and reasoning about systems of systems
- 8. supporting MBE in an agile methodology
- 9. augmenting IDEs with MBE for continuous learning
- 10. integrating rigor without loosing usability and scale
- 11. supporting product lines throughout the lifecycle
- 12. predictable and deterministic environments and products
- 13. consistency of all models across the whole lifecycle
- 14. trade space analysis and measurable, useful metrics

#### 3.7.3 Practice Gaps

Finally, there are a number of nuts-and-bots practical gaps in widespread adoption of MBE, especially for the mainstream. These gaps are not a hindrance to the use of MBE for mission-/safety-critical systems, as today's developers in those domains are rewarded for thinking hard and being careful, unlike your average web programmer.

Writing models is rarely as immediately rewarding as programming, since most are not executable. Models are often denotational as well, and thus are hard to think about and write for programmers who are used to thinking and "doing" operationally.

In fact, using modeling tools often feels more like writing and reviewing documentation than programming, and, frankly, programmers like to program. Some of the most common techniques used by programmers to understand and experiment with their systems, such as the infamous inline "print" statements, are rarely seen or used in modeling languages. And some modeling languages are only graphical, whereas most programmers prefer textual languages.

The biggest practical gap to widespread adoption in the broader set of mission-critical systems across the U.S. Government is historic. Trillions of lines of legacy code are not described with any existing models, and extracting models from code is much harder than generating code from models. Frequently, agencies and branches do not even have copies of the source code for the binaries that are in platforms. While lifting models from binaries is possible, it is the focus of several current DARPA projects, and thus is largely not ready for transition to mission-/safety-critical systems.

## Chapter 4

## Reviewing Model-based Systems

This chapter summarizes best practices in reviewing, validating, auditing, and certifying systems developed with model-based processes, methodologies, tools, and technologies.

#### 4.1 Reviewing

Systems that have been developed using MBSE tools are typically delivered in one of two ways: directly through project access in a collaborative development environment (e.g., a CDE like GitHub, GitLab, etc.) or an archived snapshot/release of the system.

The standard development artifacts that come with such a delivery are:

- digital documentation (e.g., PDF, HTML, ASCII text files, etc.),
- models (stored in either open or proprietary formats),
- model views (interactive or static figures generated from models),
- source code (written in software programming languages or hardware definition languages),
- physical hardware designs (such as a PCB layout or a GDS-II file describing an ASIC),
- binary representations (object files, executables, shared and static libraries, bitstreams, and other document file formats), and
- containers used to, in turn, store stable snapshots of development, validation, and verification environments (such as a Docker image).

#### 4.2 Tool Dependencies

Many of these artifacts are easily examined with off-the-shelf tools that come with standard operating systems, such as text editors, web browsers, and PDF viewers. But, given the nature of MBSE, one often finds dozens, or even hundreds, of artifacts stored in non-traditional file types. In order to read, evaluate, understand, and validate those files, one has to have the appropriate tools available.

Commercial MBSE tools commonly define their own proprietary file formats, and these formats change over time in backwards incompatible ways. Consequently, in order to vet a model artifact created with a proprietary tool, one often has to have access to exactly the right version/release of the tool that was used to create the artifact in question.

**Recommendation 1** (Tool Metadata). For each artifact kind and file type in a system under review, ensure that the tool(s) necessary to validate that artifact are precisely documented (name, vendor, version, operating system platform).

**Recommendation 2** (Tool Availability). For each artifact kind and file type in a system under review, ensure that the tool(s) necessary to validate that artifact is made available to the reviewer(s).

The best practice in fulfilling recommendation 2 is to deliver with the system an evaluation image snapshot that includes all necessary tools "out of the box".

**Recommendation 3** (Evaluation Platform). For each system under review, the system development team should provide a snapshot of a stable, coherent, documented evaluation platform to reviewers, such as a Virtual Machine image (e.g., VDI, VHD, VMDK file types), a Docker image, or a Nix configuration and cache.

#### 4.3 Trust, but Verify

When reviewing a system, one typically examines artifacts in a top-down fashion, moving from most abstract to most concrete. Whether or not one pursues a breadth-first or depth-first approach in moving through model abstraction layers is up to the reviewer's personal taste. Different people think in different ways when it comes to taking in and understanding a system that is larger than one can easily grok in an hour or less.

Moderate to large scale systems often include far more artifacts than can be reasonable examined in detail by a reviewer or review team in an acceptable amount of time. In such a circumstance, reviewers commonly pursue a "Trust, but Verify" approach to examining artifacts.

There are three key facets to such a review methodology, and they are summarized in the following recommendations.

**Recommendation 4** (End-to-End). Review at least one most abstract to most concrete chain.

**Recommendation 5** (Regularity). Review at least one instance of each artifact kind in detail, and check for regularity across adjacent model elements of the same kind.

**Recommendation 6** (Workflow). The recommended workflow for reviewing model-based assets moves through the four key facets of any system specification: structure, then data, then behavior, and then properties.

The reason that the ordering in recommendation 6 is recommended is because, typically, dependencies flow backwards through this ordering, and thus, e.g., in order to understand behavior, one must understand data and structure.

Recommendation 7 (Limit Risk). Review remaining artifacts (of all kinds, model, code, documentation, etc.) using a risk-limiting audit approach.

#### 4.4 Key Relations

Examining only artifacts such a models, source code, and documents is insufficient for validating or certifying a system created with MBSE. The *relationships* between artifacts are often as or more important than the artifacts themselves.

There are several key kinds of relations between artifacts to look for when examining a system. The following list, while extensive, is by no means complete.

**Traceability.** Traceability relations are those that link artifacts, often in a bi-directional fashion. Traceable relations should be labeled to indicate the purpose of the reference.

By bi-directional, we mean that many useful traceable relations define a trace relation  $\mathcal{T}$  between two elements A and B as  $A\mathcal{T}B$  and, by virtual of its bi-directionality, one can follow the trace  $from\ A$  to B and, independently, from B to A.

Traceable relations commonly found in documentation include glossaries, indices, table of contents, lists of figures, lists of table, etc. Best practices in traceable relations enable both *active tracing* via hyperlinks, hovers, or other similar simple action triggered by a mouse or keyboard event and *passive tracing* via a traditional unique directional reference, such as a page number or file name with a relative or absolute path.

Traceable relations commonly found in model-based systems engineering artifacts include requirements and feature matrices, model-model/model-view/model-code relations as described below, abstract/concrete refinements, definitional lookups, and evidence derivation.

**Recommendation 8** (Traceability Completeness). At every layer of model refinement, every assumption, goal, and requirement that frames a model-based specification at the abstract end of the refinement must be traceable to a corresponding assumption/rely/precondition, goal, or property in at least one refined artifact.

Without traceability completeness, model elements are left "hanging." For assumptions this is not fundamentally problematic: nothing needed the assumption in order to build and assure the system. But for goal and requirements, and artifacts derived thereof, such as scenarios, events, properties and the like, it is much more problematic because, if such a traceability relation does not exist, then the goal or requirement is unfulfilled in the assurance case.

**Recommendation 9** (Bi-directional Traceability). Every model, code, or assurance artifact A that is in a traceability relation to another artifact B should (i) permit a trace from A to B and from B to A, and (ii) the nature of both traces must be clear.

Uni-directional traceability, while somewhat useful—as it help justifies other traceability properties like completeness and reachability—is not satisfactory from a reviewer point of view. One should be able to trace each artifact to its more abstract dependency (be it concretized as a requirement, goal, invariant, etc.) and back from that artifact. Likewise for any relations down from the artifact to more refined artifacts.

**Recommendation 10** (Traceability Reachability). Every model, code, or assurance artifact must be reachable by a trace relation to at least one, and preferably only one, other artifact.

Every mode, code, or assurance artifact that is included in a system built with MBSE technologies should be there for a reason. A traceability relationship to each artifact is, in part, the means by which to justify its inclusion.

**Recommendation 11** (Traceability Implicitness). *Implicit traceability is superior to explicit traceability.* 

Explicit traceability is realized by the writing or generation of model annotations which document trace relations. These annotations are often in the form of code or model comments, model notes, extra spreadsheet or CSV columns, source code formal annotations, etc. In our experience, such annotations are fragile, clutter models and programs, and are very difficult to maintain in the face of evolving artifacts on both ends of the traceability relationp.

Implicit traceability is realized by the use of types, naming convensions, and methodological rules that are machine checkable and human understandable. In model-based systems that use implicit traceability, no extra comments, notes, etc. are necessary, as one can always trace up and down between abstraction layers in a system design and implementation.

Tools, such as IDEs with rich user experiences, can assist with such tracing, such as the ability to lookup a type declaration and its semi-formal definition by touching a variable in a model or code and seeing a pop-up help message that can be activated to jump to the definition in the current or new window. Refinement or traceability checkers can analyze a system to determine if a system's implicit traceability is complete, bi-directional, and if all model elements are reachable.

Representational. Representational relations connect model abstractions to physical, digital, or computational manifestations. These kinds of relations are often based upon model abstractions that are meant to represent real-world constructs, whether they are physical (such as a CAD model of a PCB design), digital (such as a GDS-II model of an ASIC mask, a Entity-Relation model used to describe a database schema, or a wireframe model used to describe a user interface), or computational (such as an algorithm described in pseudocode or a protocol described with a domain specific language).

In each case, the model is meant to be an abstraction, and thus *every* property the model has should be a property witnessed by the thing it describes. In such a relation holds, we call the model *sound* with regards to its concretization. Moreover, a *complete* representational model is one which captures *all* properties of interest, given the context and goal of the model.

**Recommendation 12** (Representation Realizability). Every model must be realizable within an implementation; that is, once the model is refined to an implementation, an implementation must be able to be exist which fulfills all of the properties of the model. A model that is unrealizable is a model that is unimplementable.

Sometimes models are created without a thought to the implications of the model's properties. For example, a model might demand arbitrary amounts of compute or storage resources in order to be implemented. Or a model might demand that two properties hold at the same time, and those two properties contradict each other. This is very commonly seen when translating informal requirements into formal requirements, as English is notoriously imprecise and few write requirements with an eye toward logical consistency. All of these circumstances lead to unrealizable systems. Tools exist to help debug some of these kinds problems by, e.g., finding minimal models that resolve an inconsistency.

**Recommendation 13** (Representation Soundness). Models must be sound; unsound models are neither useful nor realizable. Models and model-code relations should be checked for soundness by attempting to rigorously validate or formally verify "bottom" implementations.

Demonstrating that a model is sound is often overlooked, but is necessary. During model evolution is is quite common to accidentally make a model unsound, and without some means by which to "smoketest" soundness, this can lead to a large amount of lost effort, late surprises in verification, and project risk.

The easiest means by which to check the soundness of a model is to intentionally attempt to demonstrate (either through runtime assertion checking or formal proof) a false proposition; i.e., try to prove that the lemma *false* holds. One can accomplish this in programming languages which provide an assertion construct by simply asserting *false*, thereby saying "the program that crashes, terminates successfully." Galois implements a "bottom" version of all models that does just this, and vets the soundness of models by attempting to rigorously validate or formally verify the whole of *bottom* with multiple tools.

**Recommendation 14** (Representation Completeness). Every model should be relatively complete, where relative completeness is defined with regards to (i) the expressivity of the modeling language, (ii) the utility and capability of tools which can reason about the model, and (iii) the property coverage necessary based upon the refinement relationships in which the model participates.

While relative completeness has a formal meaning, and while it does connect with the intention of this recommendation, it is rarely the case that our notion used here of the same name is defined as such.

In essence, each modeling language, and the tools that support operating on or with models expressed in the language (checking, reasoning about, compiling, synthesizing, etc.), is good at modeling a certain kind of *thing*, and that thing's *properties*. Those are the kinds of things that one should endeavor to cover in any model expressed in that language. If there are simple concepts and properties which should be included in a model, but are not, that is a warning sign with regards to relevative completeness.

Likewise, there are often certain shaped properties which, while possible to model in a given modeling language, are *unreasonable* with current tooling. By *unreasonable* here we mean that state of the art tools, while able to provide a semantic interpretation for an unreasonable property, cannot effectively determine if the property holds or not.

An abusive example of such a property is the embedding of an unsolved or extremely difficult theorem (say, Fermat's last theorem) into a specification. Another formal example, not uncomonly seen, is an attempt to formally verify a correctness property of an infinite stream without a reasoning framework that supports coinduction. A third common example is the statement of temporal logic expressions with prolific use of the *leadsto* operater, which essentially says "this thing will happen someday, but it could take a **very** long time."

Finally, if a (more abstract) model A is refined to a (more concrete) model B, and property  $P_A$  holds on A, then the refinement of  $P_A$  should hold on B. If it does not, then the model is relatively incomplete with regards to its abstraction's properties.

**Descriptive.** A descriptive relation is a relation that also connects an abstraction to a descriptive target, but no property correspondence is meant to hold between the model and the object it describes.

Common examples of descriptive relationships include document substructure summaries (e.g., a paper's abstract, a chapter's summary in an introduction, or a book's jacket description), source code substructure summarizes (a module's general purpose or a function's general meaning, as described in structured source code comments), and alternative text describing images for the sight impaired.

**Recommendation 15** (Descriptive Accuracy). Descriptions should be accurate, as judged by a reader who is familiar with its target.

Inaccurate descriptions are worse than no descriptions at all. The most common example of inaccurate descriptions is natural language comments on source code and system descriptions (architectural, security, operational, or otherwise) of systems that have witnessed a lot of evolution. In both cases, developers are wont to rewrite code, and rarely attend to updating the corresponding documentation, even though writing the documentation takes a fraction of the time taken to write and assure the code.

**Recommendation 16** (Descriptive Completeness). Descriptions should be complete with regards to the relative completeness of the artifacts to which they refine.

A description, while informal, has a scope driven by any formal properties associated with the artifact that is being described. Thus, the description should cover those properties/features of the artifact that are salient to the model. For example, if a model-based protocol specification attends to reasoning about protocol properties like robustness or fairness, then its description should discuss robustness and fairness. Likewise, if a concurrency model is created in order to reason about absence of deadlock and livelock, then its description should discuss such.

**Structural.** Structural relations are *part-whole* relations of various kinds. They are prolific in any artifact that has a hierarchical decomposition, such as this report, a system's source code, or a complex formal model.

Part-whole relations come in several flavors, including the dual expanded and referential substructures, containment, ownership, physical position and orientation, token-based access control, and more.

**Recommendation 17** (Structural Property Preservation). All traceable refinements of models that have structure should preserve all structural properties.

Note that recommendation 17 does not prevent the many ways tools transform models or code in ways that typically munge representations. A few examples of transformations that are, surprisingly, often struture-preserving: source code optimization during compilation via inlining; model flattening when moving from an very expressive (e.g., higher-order) model to a less expressive one (e.g., first order), transforming a operational artifacts, such as LLVM bitcode, into a relational artifact, such as a first order symbolic evaluation; and flattening a nested reference model by expansion of nested elements.

**Operational.** Operational relations are relations that describe possible unconstrained behaviors. One side of the relation often characterizes a set of possible abstract operations that can take place in a model, and the other side of the relation describes the concrete operations (such as function calls, message send/receives, UI events, etc.) that correspond to those abstract operations.

Classically, these kinds of relations are used to describe a variety of model phenomena, such as non-deterministic behavior, concurrency, timing uncertainty, human-in-the-loop actions, adversarial responses, etc.

**Recommendation 18** (Operation Realizability). Operations must be realizable in a system.

This recommendation is linked with the other, more abstract, recommendation that focus on realizability (recommendation 12). Operations, as the concretization through refinement in models or code of computation, must also be realizable, otherwise the system cannot be built.

Recommendation 19 (Operational Elegance). Operation design and implementation should be elegant. Elegance means: (1) there should be only a single operation that fulfills any system feature, (2) each operation should only implement a single feature, (3) simpler operational specifications are superior to more complex ones, (4) operations should either be pure queries (that change no system state) or simple commands that return no information beside success or failure, and (5) an operation that is both a query and a command (it changes state and then returns information) should be specified and implements as the composition of those two existing operations.

Many of these recommendations come from rules derived from verifiable engineering practices, as initially espoused by Meyer, and inspired by best practices from formal methods like B, VDM, and Z. Tools are available that will analyze elegance factors like those described above, both at the model and code level.

A high-quality MBSE methodology will include the use of such tools to automatically check for model and implementation elegance, as doing so ensure that this property is preserved during development and post-release system evolution, and it also helps ensure that the system's assurance case is no more complex than it needs to be.

**Recommendation 20** (Operation-Action Coupling). Every system operation should refine to a single system action.

This recommendation is the direct implication of the first two clauses of the definition of *elegence* in recommendation 19 and recommendation 17. Because it is an important system property, we highlight it in its own recommendation.

**Data.** Data relations describe models of data and their relationship with data in implementations. Typically, data in models is described abstractly, using generic mathematical objects like sets, sequences, vectors, streams, etc. Data in applications is, on the other hand, concretized in programming language data types and/or serialized data, such as records in a database or network packets in a transmission.

In order to relate abstract data and concrete data, a data relation must explain what invariants hold on data types, and especially *between* data types, and how those invariants are maintained by the implementation.

**Recommendation 21** (Absent Invariants). It is difficult to tell the difference between a component that has no invariants and one that has absent invariants. Absent invariants are invariants that hold for a model, but are not expressed by the development team due to accidental omission, oversight, or neglect.

No component should have absent invariants, and the best way to document such is to have process or methodological conventions that permit an observer, be it another developer or a reviewer, to understand that the invariant for a component with regards to a particular property really is just *true*.

Recommendation 22 (Data Simplicity). The core data model of a system should be modeled in the simplest possible way, and model or implementations complexities due to optimization, representation, platform, or infrastructure should be modeled as data refinements of the core data model.

**Recommendation 23** (Data Portability). Data portability should be accounted for in a model using a platform product line specification, thereby factoring out platform-specific issues from core system specification matters.

**Recommendation 24** (Data Transparency). Data models and their representations should contain no undocumented values, interpretations, structures, or relations. If the semantics of data fulfill this condition, it is transparent to any developer or reviewer.

**Recommendation 25** (Data Explainability). The semantics of data should be explainable within a model refinement; every data invariant should be justified by a traceable refinement up to a more abstract model property, or down to a more concrete model or system property.

**Action.** Finally, action relations describe the decomposition of complex actions into simple events, and how those actions and events are realized in a system implementation. An event is a state change in a system that, from the point of view of the observer, is atomic. An action is set of a sequences of events, possibly just a linear sequence (first *this* happens, then *that* happens), but often, instead, a branching tree of possible events. Actions are also known as *scenarios* and *use cases* in some methodologies.

An action relation maps an abstract action and its events to a concrete system. A *sound* action mapping ensures that any action that can be witnessed in the model can, in turn, be witnessed in the system, and, preferably, those two actions are in a refinement relation. A *complete* action mapping ensures that every interesting action (as defined by the domain of specification in the abstraction) is included in the model.

Actions are often used to describe both the normal behaviors of a system—how it should act under typical circumstances—and the abnormal behaviors of the system—how it should act in the presence of failures. Additionally, action specifications can describe non-terminating behavior, such a system that is meant to run continuously without fail.

**Recommendation 26** (Positive Action Completeness). Actions that define the behavior of a system under normal circumstances (no errors, exceptions, or faults) are positive actions. The model-based specification of a system should be (representationally) complete (see recommendation 14) with regards to positive actions.

Recommendation 27 (Negative Action Completeness). Actions that define the behavior of a system under abnormal circumstances (errors, exceptions, or faults) are negative actions. The model-based specification of a system should be (representationally) complete (see recommendation 14) with regards to negative actions.

Note that (i) no positive action can be equivalent to a negative action, and (ii) the union of all positive and negative actions is the sum total of all actions defined on a system.

**Recommendation 28** (Positive-Negative Consistency). The composition of positive and negative actions must be consistent, and thus realizable.

**Recommendation 29** (Action-Implementation Consistency). For every action A, A's action-event structural relation (that is, each action is decomposed into a set of events) should be maintained by the model refinement or implementation of A.

This recommendation is a corollary of recommendation 13 and recommendation 17.

**Recommendation 30** (Action-Event Completeness). Every event must be used in at least one action, and realized by a single model refinement or implementation feature.

This recommendation is a corollary of recommendation 8 and recommendation 14.

Relations in Systems Modeling Languages. Each modeling language includes some subset of these modeling relations. Rich systems modeling languages, such as SysML, cover virtually all of these relation types. Other, more restrictive, modeling languages, especially Domain Specific Languages (DSLs), only cover a small number of relation types. For example, entity-relation models and basic SQL models are solely about data, and thus only focus on data relations.

A well-designed modeling language will ensure that its relations fulfill many/all of the relation recommendations in this section, and, furthermore, that tooling should support the creation, update, checking, and enforcement of such relations and their desirable properties.

**Recommendation 31** (Relation Typing). For each relation identified or discovered in a system created with MBSE, if the relation is not explicitly typed according to the above classification scheme, deduce its type and check if it has the corresponding recommended properties described above. If it does not, ask the developers to justify its partial properties.

Asking for justifications often forces developers to use the full existing features of their modeling languages and tools and to update their process or methodology to guarantee certification demands, such as those recommended in this section.

# 4.5 Validating Models

In order to validate a model, one must work to understand the model's *purpose*, *utility*, *context*, *relationships*, *history*, *evolvability*, and *maintainability*.

Each of these model facets has at least a subjective, and sometimes and objective, quality measure. Determining the means by which such metrics are measured, one can "grade" each dimension as a part of a model validation process. We give some examples below for the metrics used at Galois for this kind of evaluation.

**Recommendation 32** (Model Purpose). Every model should have a purpose—a reason for it to exist.

Typically a model's purpose is to describe something that is not described elsewhere, or is indescribable in the other models used to specify a system. Another good purpose is to describe a system property from another perspective, either to transform a property in a such a way that a second reasoning tool can revalidate/reverify the property (see recommendation 46 below), or to explain the point of a model artifact or property to a developer or reviewer (cf. recommendation 15).

**Recommendation 33** (Model Utility). Every model must have a utility: a means by which to use the model toward providing assurance for a system.

Utility is typically either semi-formal—the model is used to explain a system property to a developer or a reviewer—or is formal, and is used to rigorously validate or formally verify that system properties hold (cf. recommendation 17 and the recommendations of section 4.7).

Recommendation 34 (Model Context). Every model must have an explicit context: a frame of reference in which the model's assumptions/rely are explicit.

A model without context is missing information critical to developers, reviewers, and reasoning tools. While on some rare occasions a model needs no context—it makes no assumptions at all outside of those definitionally included in the model—most models have an enormous number of subtle assumptions in order for the model to be valid. An example of a simple unspoken model assumption that is frequently seen in embedded systems code is that there is an unspoken assumption that no pointer used in any function invocation is NULL.

Assumptions that are made between refinement levels or between system abstraction layers are known as relies, as one can often use a form of specification and reasoning known as  $rely/guarantee\ reasoning$  in order to sensibly reason about the composition of layers in an architecture.

**Recommendation 35** (Model Relationships). Models are often connected with one another through relations, such as those described in section 4.4. A reviewer must understand and validate every model relationship, and every model relationship should have a purpose (cf. recommendation 32).

Recall that model artifacts include not just components and their features (i.e., attributes, functions, procedures, events, signals, etc.), properties (goals, requirements, invariants, etc.), and aggregations (i.e., subsystems), but also all functional and relational connections **between** model elements. This includes even, e.g., relations between relations, or functions on modules.

**Recommendation 36** (Model History). A reviewer should be able to observe the history of every model artifact, as that history often tells a story about the design and modeling decisions made by developers during a model's evolution, validation, verification, and refinement.

Model history is often captured in one of two ways: (1) via a built-in design justification history mechanism, as provided in advanced MBSE IDEs, or (2) via a revision control system changelog when used with a rigorous development process.

**Recommendation 37** (Model Evolvability). All models should be evolvable in a relation-preserving fashion.

If an MBSE developer is fearful of changing any model or implementation artifact because the change will cause a large, particularly manual, change in other artifacts, then the model is not evolvable. It is very common for complex system specified with SysML version 1 to have this property, and thus models are constructed as read-only, "golden" system architecture specifications or platform specifications and then rarely changed thereafter. Such is indicative of a seriously broken MBSE methodology.

Recommendation 38 (Model Maintainability). All models should be maintainable after system deployment.

Once a snapshot of a system "ships"—whether it is to a client, to a certification authority, or to an integrator—it must then be *maintained*. Maintenance is triggered either through dependencies (e.g., via an upstream change, such as a bug is found in a dependency which forces a model or implementation update), client feedback (e.g., certification rejection with recommendations, or a bug is discovered during acceptance testing), or because of an adversary (e.g., a security vulnerability is exploited which forces a maintenance update to mitigate the flaw).

A model that cannot be maintained in the presence of these common post-deployment scenarios fails this criteria. Such models become archaeological artifacts describing the history of a project or product, and are no longer useful for the product that exists in client's hands *today*. Many antique waterfall-based MBE tools fall into this trap, such as having an accurate UML model of a system in the first month's of a system's development, but the system's implementation today has little or nothing to do with that model just a few months later.

# 4.6 Validating Model-Implementation Correspondences

The most valuable models are those that have a direct, measurable, checkable relation or correspondence with implementation artifacts.

On many occasions, models are created in order to think abstractly about a system and its properties, and then the model is barely used as a documentation reference when designing and implementing the system. This is an example of poor model-implementation correspondence. If there is little-to-no evidence that the implementation corresponds to the model, then the model has little utility beyond helping developers or architects think about a system.

Note that the situation, while extremely common, is not unacceptable. After all, thinking carefully before diving into the very expensive and time consuming task of building a system often pays dividends: reduced time and effort, lower risk to schedule, etc. But given today's MBSE technologies, there is no reason to not have strong model-implementation relationships, and to keep models and code in sync.

When reviewing a system developed with MBSE from the model-implementation correspondence point of view, we make the following recommendations.

**Recommendation 39** (Model-Impl Traceability). The most concrete models that refine to implementations must be traceable.

This recommendation is a corollary of recommendation 8, but is particularly critical as the implementation, not the model, is the real system.

**Recommendation 40** (Model-Impl Rigor). The strongest, preferred relationship between a model and an implementation is one that is rigorous. A rigorous model-implementation relation is one that is codified mechanically (programmatically, in a machine-readable fashion) and can be automatically (re-)checked computationally.

There are numerous specification languages and reasoning tools which provide rigorous model-implementation relations, such as ACSL/Frama-C, SAWScript/SAW, JML/OpenJML, Eiffel, SPARK, and more. Without a rigorous relationship between models and implementation, model-code relation *drift* must be mitigated using manual, expensive, time-consuming, process-based techniques.

**Recommendation 41** (Model-Impl Refinement). The strongest, preferred model-implementation relation is one that is a refinement relation.

If a model-implementation relation is not a refinement, then earlier recommendations are violated, such as recommendation 17, and there is little clarity with regards to which model properties must, can, should, or must not hold for its implementation. This situation is often hard to understand, review, and is unmaintainable.

**Recommendation 42** (Model-Impl Evolvability). *Model and their implementations should* co-evolve, *preferably in an* automated *fashion*.

As a system evolves—whether during development as features and enhancements are added, bugs are fixed, or when requirements change—the system's models and implementation change over time. Every model-code relation is an extra artifact that must evolve as well, and because these relations are often used for traceability and assurance, it is critical that they are kept up-to-date and correct. While such updates can be accomplished manually, doing so if often expensive, time-consuming, and error-prone.

Recommendation 43 (Model-Impl Canonicity). In every model-implementation relation, either the model or the implementation should be declared canonical, and used as the ground truth for the relation.

Some powerful tools used in MBSE, such as Ansys SCADE and Galois's Cryptol, SAW, and Crux tools lift models from code or generate code from models. The source artifact of these tools is the canonical artifact fulfilling recommendation 43.

Other tools which do not have this nature typically expect that models and implementations co-evolve, per recommendation 42. A development process and methodology should precisely define and reinforce, preferably with automated tool support, how such evolution takes place.

The two most common rigorous methodologies are *Design by Contract* and *Contracting the Design. Design by Contract* holds that the contract (a model that describes a system's architecture, behavior, and more) is canonical. *Contracting the Design* holds that the code is canonical, and updates to the code must be periodically translated into the model.

But by far, the most common approach to attending to model-code conformance is to simply not do it at all. Many projects that use some MBSE technologies only pretend to do so: models have few properties, little-to-no validity or verifiability, and have no relation, semi-formal or rigorous, with the implementation at all. Such projects typically violate most, if not all, of the recommendations made in this chapter.

# 4.7 Validating Claims

Many claims will be made about a system developed with MBSE tools. A reviewer must validate many or all claims as a part of the review or certification process. The recommendations from section 4.3 especially hold for claim validation.

A rigorous claim is a decidable proposition about the system: it is either true or false and there is evidence to bolster either interpretation. An informal claim about a system is any statement made about a system for which there is not measurable, decidable evidence. Often such claims are more of the form of beliefs of the developers, and evidence for their beliefs are not found in peer-reviewed literature, case studies, or cannot be generated by explainable computational tools.

When evaluating the claims made about a system that was developed using MBSE technologies, we make the following recommendations.

**Recommendation 44** (Automated Claim Validation). Automating claim validation is far superior to, and preferred to, manual claim validation.

Recommendation 45 (Interactive Claim Validation). While machine-assisted interactive claim validation can provide as much, or more, rigor, confidence, and assurance of a claim, interactive evidence often requires much more effort, time, cost, and attention than automatic validation.

A halfway point between full automation and full interactivity is often possible: one can automatically validate claims that were originally made constructed interactively. Doing so permits automation, such as in continuous testing and integration systems and incorporation in developer pre-merge regression checks.

Examples of such a mechanism are in Galois's work in formally verifying Amazon's cryptographic libraries (re-running hand-written SAW proofs of the correctness of C and assembly implementations of high-performance, mission-critical cryptographic functions) or in the re-execution of proof scripts in a logical framework like Coq, Isabelle, or PVS.

Recommendation 46 (Claim Multi-Validation). Rigorously validating or formally verifying a claim with multiple tools or techniques is what we call multi-validation. In general, it is better to witness validation via multiple techniques, and multiple tools which rely upon distinct foundations, reasoning approaches, and different organizations.

Validating a claim with only a single technique or tool amounts to putting all of your eggs in one basket. By validating each claim using multiple techniques and tools, several kinds of risks are mitigated, such as the discovery of a critical flaw in a reasoning tool or missing environmental assumptions about a platform model in a static formal reasoning technique that might be caught when runtime checking claims on the actual.

Likewise, by using tools from multiple sources/vendors that use different foundations or reasoning techniques increases surety, such as using multiple formal verification tools from competing EDA vendors to assured a piece of critical hardware against a model written using SystemVerilog Assertions (SVA).

Recommendation 47 (Continuous Claim Validation). Claims should be continuously validated, not checked all at once aperiodically with great effort. Preferably claims are (re-)checkable on every developer's development machine, on private or cloud-based compute servers, or in a continuous integration (CI) service (e.g., as a part of a DevSecOps infrastructure).

Automatically checking claims continuously in a CI service is what we call *Continuous Validation* or *Continuous Verification* (uniformly abbreviated "CV"), depending on the nature of the assurance.

**Recommendation 48** (Claim Validation Dependencies). All dependencies of a claim and its validation should be included in an assurance package, be explicitly or implicitly traceable, and be validated as well, preferably starting from axiomatic foundations and moving up dependencies eventually to top-most theorems and properties.

Sometimes assurance packages do not include all dependencies explicitly. This is problematic for several reasons, some of which include: (1) the accidental or purposeful misrepresentation of a dependency's nature, claims, and assurance, (2) dependencies that disappear over time (websites go offline, companies go out of business, licensing requirements change), or (3) poor release management of dependencies, and thus it is unclear exactly what version of a dependency is necessary (such is prolific in modern "Web 2.0" development styles that wantonly pull dependencies from the internet).

**Recommendation 49** (Safety Claim Validation). Safety claims should be, if at all possible, validated with formal verification, not (only) with runtime assertion/property checking.

Safety claims, in the main, cannot be tested for validity, despite this being the most common way that safety properties are validated in system implementations.

Recommendation 50 (Risk Mitigation Claim Validation). Risk mitigation claims should, if at all possible, be validated using mechanized/computational techniques, and not just with subjective human judgment.

Recommendation 51 (Hazard Mitigation Claim Validation). Hazard analysis and mitigation claims should, if at all possible, be validated using mechanized/computational techniques, and not just with subjective human judgment. And when modeled computationally, they should be validated with formal verification, not (only) with runtime assertion/property checking.

Recommendation 52 (Security Mitigation Claim Validation). Security analyses and mitigations should, if at all possible, be validated using mechanized/computational techniques, and not just with subjective human judgment. And when modeled computationally, they should be validated with formal verification, not (only) with runtime assertion/property checking.

Too often, these kinds of analyses—risk, hazard, and security analysis and mitigation—are exclusively performed by experts using wisdom and checklists.

In our experience, when an existing subjective analysis (risk, security, correctness, and more) is augmented with mechanized reasoning, numerous flaws in the original analyses are discovered.

Therefore, for critical analyses like risk anlysis, we recommend that claims should be validated using computational techniques. Doing so "supercharges" those very same experts with wisdom.

Recommendation 53 (Claim Fidelity). The fidelity of every claim must be explicit if it is not precise. A precise claim is one that is a theorem/property of model or code for which all assumptions are explicit for for which a proof could be created/generated. An imprecise claim is a claim that is not precise. The fidelity of a claim is the context of a claim and its evidence—particularly its set of assumptions—including any necessary caveats, error bars, or other statistical analysis of related measures.

Classically, fidelity of measurement claims are characterized by statistical error bars, standard deviations and variance of measures and their distributions, etc. This kind of fidelity information is commonly wholly absent in MBSE artifacts which include simulation data.

Formal logical models usually only need a (formal) context statement in order to characterize fidelity: the set of axioms and assumptions made in writing, generating, or reasoning about the model suffices to explain how the model is valid, in what circumstances it may be invalid, and thus—by virtue of earlier recommendations on model property refinement—how those assumptions impact the model's implementation.

# 4.8 Key Questions to Answer

The final key questions to answer about a system developed with MBSE, augmenting all of the recommendations summarized above, are characterized by the following, final, recommendations.

**Recommendation 54** (Understandable). An MBSE-based assurance case should be understandable to any moderately experienced engineer.

**Recommendation 55** (Believable). An MBSE-based assurance case should be believable to any moderately experienced engineer.

**Recommendation 56** (Coherent). An MBSE-based assurance case should be coherent to any moderately experienced engineer.

Recommendation 57 (Surety). An MBSE-based assurance case should meet or surpass the assurance threshold set by a client (its surety), and the fact that an assurance case is not yet good enough should not be a surprise to any involved.

Is a system and its assurance case fulfills these four recommendations—reinforced by demonstrated alignment with all of the earlier recommendations that align with an organization's review remit (be it validation, certification, statutory, or rule-based), then the system is fit for acceptance based upon MBSE artifacts.

# Chapter 5

# The HARDENS Reactor Trip System (RTS) Demonstrator

The HARDENS Reactor Trip System is a demonstrator model-based engineering system built for the NRC. It demonstrates the art of what is possible using modern model-based hardware, firmware, software, and systems engineering for safety-critical systems, using only freely available, mostly open source, technologies.

Chapter 3 and ?? review the state-of-the-art in commercial and freely available MBE technologies. In the conclusion of this document, chapter 6, we reflect upon how this demonstrator and its assurance case might different were proprietary tools used instead.

This chapter describes all of the modeling artifacts used in creation of the RTS, and grounds their use from a traditional MBE perspective, which has no rigorous or formal model-based assurance. As such, we differentiate the widespread state-of-practice against the state-of-the-art. We advocate that only the state-of-the-art is adequate to guarantee the correctness, safety, and security of nationally critical infrastructure.

After all, if Galois is able to design, build, and assure a system like the RTS for a nickle (relatively speaking), larger corporations should be able to do at least as well using the orders of magnitude greater resources that they regularly consume or spend.

- 1. This chapter is about describing the RTS from a software and hardware engineering perspective.
- 2. It describes modeling artifacts in the context of their use from a traditional MBE perspective, with no rigorous or formal model-based assurance.
- 3. Explain the RTS at a high level.

#### 5.1 RTS Overview

The Reactor Trip System (RTS) is a demonstration of a digital instrumentation and controls (DI&C) system. As such, it features:

- 1. a sense-compute-control architecture;
- 2. a human-in-the-loop user interface;
- 3. a built-in self-test subsystem; and
- 4. a fault-tolerant design comprising components with identical behaviors implemented by multiple techniques.

In this chapter we discuss the artifacts comprising the RTS: not only the implementation artifacts, but also, crucially, the assurance artifacts.

# 5.2 Specifications

The RTS specification is naturally divided into a set of high-level system specifications comprising requirements, a domain engineering model, and a feature model. These high-level specifications are further refined by formal specifications of both the requirements and system architecture.

# 5.2.1 High-Level System Specifications

First, we will start with the NRC RFP as our first source for high-level system specifications. We will then review the relevant IEEE standard.

The Original NRC RFP. The core four pages of the original NRC RFP are included here in full on the following four pages. We will refer directly to elements therein in the following description of the HARDENS Top-level Project Goals.

In order to build our *domain engineering model* for the RTS as well as to make a start on our system requirements, we extract directly from this text, line by line, the following *goals* (section 5.3) and *scope of work* (section 5.3.1).

# 5.3 The Reactor Trip System's Goals

The goals of the are explicitly stated on the first page of the RFP. We manually highlight those declarations and transliterate them into a specification written in the Lando system specification language (see appendix A).

Each goal has a *short name*, which we will use when referring to specific goals in what follows. In general, we label, rather than number, high-level specification artifacts such as goals, scope, and requirements in this fashion. Labels have more semantic meaning and permanence than numbers and, as these artifacts changes over time (e.g., a requirement changes mid-project), developers do not confuse themselves or the reviewer with missing, evolved, or struck-out numbered specification artifacts.

We call our demonstrator system the *Reactor Trip System*, or RTS for short.

- Goal 1 (Project Focus). The project's main focus is on safety critical systems design.
- Goal 2 (Mitigate Complexity). The project must demonstrate MBSE's capability to address software and system complexity.
- Goal 3 (Enhance Productivity). The project must demonstrate MBSE's capability to address the productivity challenges of complex distributed embedded systems.
- Goal 4 (Regulatory Review). The project must demonstrate and help explain how Model-Based Systems Engineering (MBSE) methods and tools can support regulatory reviews of adequate design and design assurance.
- Goal 5 (Barriers and Gaps). The project must identify any barriers or gaps associated with MBSE in a regulatory review of Digital I&C for existing NPPs.
- Goal 6 (Superior for Complex SSCs). The project should demonstrate if MBSE, with its inherent ability to analyze and simulate many different scenarios, is a superior approach for more complex systems, structures, and components (SSCs).
- Goal 7 (Non-Document-based Evidence). NRC regulators must be prepared for MBSE applications where non-document-based evidence is a part of a safety evaluation.
- Goal 8 (Future Review Processes). The project should help the NRC understand if an MBSE-based assurance case presentation will help to enable the use of MBSE as an alternate review process DI&C-ISG-06, Rev. 2 (ML18269A259).

### 5.3.1 Scope of Work

The scope of work for the RTS defines a framing condition on the system's requirements and implementation. Each scope declaration turns into a framing assumption or a constraint on the system, in its specifications, implementation, or assurance case.

Scope declarations often help tremendously with regards to constraining the space of possible design decisions and, when there are few-to-no hard constraints, also help create and evaluate a multi-dimensional objective function that helps a system's creators focus on finding the optimal product that solves a client's need.

Each scope definition below is, again, transliterated into LANDO. See appendix A.

**Scope 1** (Simple Protection System). The demonstration implementation must be a simple protection system.

**Scope 2** (Modern Process). The demonstration implementation must be created using a highly integrated computer-based engineering development process.

**Scope 3** (MBSE). The demonstration implementation must be created using MBSE.

**Scope 4** (Module Functionality Completeness). All the modules of the simple protection system must be modeled functionally.

[FPGA]

**Scope 5.** One FPGA-based circuit card must be modeled/designed in detail.

**Scope 6.** The level of detail in the design and supporting analysis should address independence of functions.

**Scope 7.** Independence should address interfaces between functions.

**Scope 8.** Independence should address self-testing implemented on the circuit card.

**Scope 9.** Independence should address voting between protection system elements.

**Scope 10.** The final product must be the design itself and the associated evidence to demonstrate its technical soundness.

**Scope 11.** NRC technical staff for I&C must review the "demonstration" material and identify additional information needed or material that is not needed for regulatory purposes.

**Scope 12.** The research project is to explore the full scope of MBSE; in particular, it is not limited to simulation-based validation of I&C system designs.

**Scope 13.** The project should use models and simulations in the early design phases and for the validation of I&C system designs, such as to confirm required behavior and identify unwanted or undesirable interactions.

**Scope 14.** For each aspect of MBSE, the kind of engineering artifacts should be identified and described to include their use as evidence of the soundness of the design.

### 5.3.2 Domain Engineering Model

Our domain engineering model (or just domain model, for short) is a description of those conceptual elements unique to the domain of discourse for a given system. One can (and we do) extract a domain model directly from the artifacts salient to a system: RFPs, client documentation, standards, statutes, peer-reviewed papers, and more.

Galois has developed an NLP extraction tool that consumes documents, such as files in the PDF, Word, and ASCII or Unicode text file formats, and produces a histogram of *concepts* characterized by *grammatical category*.

Using that corpus, we remove those concepts that are common, widely understood, or generic to computer science and mathematics, and we are left with a prioritized list of concepts that we must represent in order to understand and write specifications in a given domain. Those concepts (nouns), and their character (adjectives) and interrelationships (verbs and adverbs) are the domain engineering model.

The domain model provides the semantics for the system requirements. Another perspective is that we build our *vocabulary* for specifying the system via the domain model. The high-level domain model is specified in Lando. The RTS *domain engineering model* is represented at its highest abstraction level in a structured Lando specification, shown in fig. 5.5, which defines all of the RTS artifacts using natural language.

The relations at the bottom of the source indicate that the RTS system contains each of the subsystems defined earlier in the the document. Each of these subsystems is further elucidated, including identifying and defining the constituent components, in the relevant LANDO documents.

The Lando model specifies the behavior of the RTS by defining a set of *events*, and using those events to define *scenarios*, which are (partial) executions of the system: the sum of the scenarios should define the legal behaviors of the system.

As an example, the external input actions of the system are specified in fig. 5.6. Generally, external events specify the different actions that the user can perform via the RTS user interface, including manually actuating a device or configuring various parameters such as setpoints or maintenance mode.

These events are used to specify scenarios, a selection of which appear in fig. 5.7. Scenarios are nothing more than a sequence of events. In section 5.8 we will see that these scenarios are used to perform validation.

#### 5.3.3 Feature Model

The RTS system is actually a *family* of related systems. For example, the RTS can be configured to run (1) on a host system that simulates the behavior of hardware, or (2) on an *emulated* hardware platform, or (3) on a real device.

The specification of this *product line* is captured via a *feature model* specified in the Lobot specification language. The model captures not only *variation points*, but also relations' valid values.

For example, note that the device can be configured, via all\_Devices\_twins, such that all devices are digital twins. A constraint (below the where) indicates that if this feature is set, then all devices (sensors and actuators) must have the corresponding twin feature set.

The LOBOT specification is heavily documented. Each *type* is used to capture a *feature* in the feature model. A *feature* is a decision (variation) point in the design of a product line. Legal/permitted sets of values of features are constrained by logical propositions included in **struct** declarations and their instances.

A struct is a collection of related features, listed as name-value pairs like in a typical *structure* found in many programming languages (what is known as a *labeled product type* in type theory), and a set of constraints which explain the legal configurations of its features. Constraints in LOBOT are specified after the *where* clause in the struct definition.

The LOBOT specification also acts as a specification for the build system, by precisely indicating which build configurations are available to the user. These constraints are expressed in the where clause of the rts struct. They specify that the soc must be a Twin exactly when all devices are twins, and the entire RTS runs as a virtualized platform exactly when either (a) the SoC is a twin, the board we are compiling to is a RISC-V VEGA board and there is no virtualized twin development twin platform in use (i.e., we are compiling to a real RISC-V CPU on a development board that is connected to sensors and actuators), or (b) the SoC is a twin and there is no board in use at all (thus, everything is running on a virtualized development platform, which as defined early in the specification, means that the RTS is running either on a POSIX host).

The LOBOT specification also includes a description of all legal products derivable from the RTS product line at this time. See the rts\_configs instance of the rts struct and its associated constraints.

Finally, there are a small set of checks at the bottom of the LOBOT specification. These are theorems that the LOBOT tool will try to prove that must hold for all legal configurations of the feature model.

The first theorem, check\_bottom, is a consistency check, akin to the requirements consistency checker provided in the FRET tool (section 5.3.4) and the consistency check we perform for the ACSL, CRYPTOL, and SAW specifications (cf appendices E.6 and E.9 and section 5.5.1). All of these "bottom" checks are discussed below in section 5.8.2.

The second, check\_twin\_build\_configs, checks that all virtualized builds do not need a development board.

Besides reasoning about feature models, the LOBOT tool has many other features, including the ability to count the number of models that exist, iteratively enumerate models, and drive back-end tools to turn models into systems (e.g., BSV CPUs) and assurance artifacts (e.g., RISC-V compliance tests). We are not using any of those features in this project.

The full LOBOT specification of the RTS system is found in ??.

#### 5.3.4 Formalized Requirements

The requirements expressed in Lando form the basis of the specification of the RTS. However, as they are written in natural language, they are not suitable for consumption by tools (such as formal verifiers) that can check whether or not a model (section 5.5) or implementation (section 5.7) satisfies a specification. The natural language requirements written in Lando must be formalized before they can be used as specifications for tools "lower" in the modeling and implementation stack.

We use NASA's FRET tool to help produce formalized requirements from our Lando specification. Use of a tool like FRET helps the designer in two complimentary ways.

First, FRET allows the user to use diagrams, simulators, and model checkers to explore requirement semantics. The user can use these tools to gain confidence that the formal representation accurately captures the intent of the corresponding natural language requirement. This analysis establishes the refinement step from the Landon specification to its formalization.

Second, FRET can automatically machine-check requirements for *realizability*. Realizability-checking checks that an implementation of a component exists that conforms to the requirements given any combination of valid inputs. This analysis guarantees the requirements are non-vacuous, and can thus be used in further refinement steps.

Figure 5.9 is a screenshot of the FRET requirement editor. FRET's input format is a stylized form on English NASA calls FRETish. FRETish is fairly easy to write and read, especially with interactive tool support, has a formal semantics, and is machine interpreted.

In order to deeply understand and debug requirements captured in FRET, one can use the tool to automatically convert a requirement in FRETish into two different-but-equivalent semantic interpretations written in *Linear Temporal Logic* (LTL): future time LTL and past time LTL. Essentially, these interpretations are duals of each other, one explaining the meaning of a requirements with regards to the past, and the other with regards to the future.

Also, as mentioned previously, FRET permits one to reason about a set of requirements in several ways. Requirements can be checked for *consistency*, *completeness*, and *realizability*. All three checkers have a similar user interface. The user interface of the realizability checker is shown in fig. 5.11.

Every requirement specified in the top-level Lando model which is about system properties is translated, using the RTS domain engineering model, into a FRET requirement. Traceability is maintained using our standard methodology of name translation between models.

Requirements that are project goals, constraints/scope, or architectural are not translated into FRET, as they have no semantic meaning with regards to the architecture. The only way such informal/semi-formal requirements can be demonstrated is with informal/semi-formal assurance artifacts, such as the requirement  $NRC\ Understanding$ . The full set of project requirements are found in appendix A.9.

# 5.4 System Architecture and Models

The system model is refined from the Lando specification to SysMLv2. The SysMLv2 models capture system-level aspects of the RTS. The full SysMLv2 model is found in appendix D.

The structure of the SysMLv2 specification includes a direct refinement of the Lando specification. Structural properties are maintained through the refinement, all informal/semi-formal Lando requirements are refined to SysMLv2 requirements, the Lobot model is refined to a SysML variation model, all formal FRET requirements are refined to SysMLv2 properties, etc.

The SysMLv2 specification, as it is a refinement of the Lando specification, also includes new details about the system that were not expressed, or were expressed abstractly, in the Lando specification.

For example, the hardware components used to build the demonstrator (e.g., all of the parts on the FPGA board, all sensors, solenoids, etc.) are itemized in the RTS Hardware Artifacts SysMLv2 package. The hardware is assembled into the RTS demonstrator, as explained in the RTS part.

Additionally, the context and stakeholders that hold concern about the RTS system are also captured in the SYSMLv2 specification in the RTS System Contexts and RTS Stakeholders packages.

SYSMLv2 tools currently are only capable of type checking a SYSMLv2 specification and rendering views on that specification in SYSMLv2's graphical syntax. At the moment, there is no means by which to behaviorally simulate a SYSMLv2 dynamic model (such as an abstract state machine) or to refinement check that a SYSMLv2 model conforms to an abstraction (such as a LANDO specification) or a refinement (such as our CRYPTOL or ACSL models or their implementations). The development of such refinement tools is part of the focus on a new DARPA I2O project starting in late 2022 led by Galois.

#### 5.5 Executable Behavioral Model

The next major refinement step of the RTS is an executable, denotational model of its behavior. In the RTS, our executable model not only serves as a reference to guide implementation, but is also used to generate test vectors (??), synthesize

implementations (section 5.7), and serve as a specification for formal tools to reason about implementation correctness (section 5.8).

#### 5.5.1 Cryptol Model

The RTS executable model is specified in CRYPTOL. Each component is specified in its own CRYPTOL model.

For example, the Actuator model is shown in fig. 5.12. The model includes a definition of the Actuator state, which is a record consisting of the last input from the voting stages, plus the last manual actuation command: both are Boolean values (which is a Bit in CRYPTOL).

Next, the model defines three functions: two (setInput and setManual) which simply set one of the two input bits, and one (ActuateActuator) which defines the logic for combining the signals from the two Actuation Logic stages into a single actuator command (via a logic OR).

Part of the Actuation Unit is shown in fig. 5.13. The terms shown model the logic (TemperatureLogic) for whether or not a set of temperature readings should result in a trip signal generation. This model includes a (local) definition of 2-out-of-4 coincidence logic.

### 5.5.2 Formal Requirements Satisfaction

In both CRYPTOL models, we connect models to requirements to establish the refinement of the high-level specifications and requirements to the behavioral model.

Every FRET formal requirement is refined to a CRYPTOL property (what amounts to a first order theorem) and all demonstrated to hold on the CRYPTOL model using:

- dynamic checking through the use of CRYPTOL's: check command which randomly generates values and checks that the property holds for those concrete values, and
- formal verification, by *proving* that the properties hold for all inputs using a SAT or SMT solver, using CRYPTOL's :sat and :prove commands.

For example, in the Actuator module, we indicate that ACTUATION\_LOGIC\_MANUAL\_

DEVICE\_0 and ACTUATION\_LOGIC\_MANUAL\_DEVICE\_1, which capture the requirement that the actuators have a manual mode, is satisfied trivially by representing the manual actuation state explicitly.

In the listing from the ActuationUnit module, we show how we indicate the satisfaction of ACTUATION\_LOGIC\_VOTE\_TEMPERATURE, which says that 2-out-of-4 coincidence logic should be used to determine if a trip signal should be generated. We capture this requirement as a *property*, which is just a function that tests whether or not the requirement is satisfied on a single input value. Properties such as these can be *proven correct* for *all inputs* using CRYPTOL and (using SMT solvers under the hood). In this case, proving the property correct means

that for all input signals, the model of the temperature logic returns a value consistent with the requirement.

In the full CRYPTOL model, which is located in appendix E, you will see dozens of properties about about the model, and all of them are formally verified (see the check\_model.icry script which is driven by the model Makefiles's check rule) and can dynamically validated, if one so desires.

# 5.6 Behavioral Model-based Interface Specification

Our CRYPTOL model is next refined to an ACSL specification of a C architecture. The C architecture is specified by refining the SYSMLV2 and CRYPTOL models, preserving structure and properties as normally done in our methodology.

Such a refinement not only makes for simple traceability up and down the refinement hierarchy, but also helps make formal verification of the implementation (both software and hardware) straightforward, as discussed below in section 5.8, such as in the use of SAW for proofs of correctness of software components against their CRYPTOL specifications.

ACSL is the de facto standard formal specification language for C and C++ programming and is specified in an ISO standard. Many tools understand ACSL, most of which are a part of the Frama-C tool suite from CEA. ACSL specification are written either in C header files, as seen in the RTS's instrumentation.h and platform.h files found in appendix E.9, or in C implementation files, as seen in the instrumentation.c and actuation\_unit.c files, all of which are included in appendices E.7 and F.

# 5.7 Implementation

The RTS implementation is a refinement of its higher-level Lando, SysMLv2, and Cryptol specifications. Every component of the implementation—including the hardware and bare-metal software—is derived directly from earlier specifications.

## 5.7.1 Hardware Components

The RTS hardware consists of a small System-on-Chip that contains one or three instances of a small RISC-V RV32 CPU called the NERV CPU, developed by our colleagues at YosysHQ.

NERV stands for the Naive Educational RISC-V Processor. It is a simple, small, open, RISC-V CPU that has been formally assured for correctness against the RISC-V ISA specification. We chose to use NERV exactly because it had these properties.

Overall Implementation Size, Shape, and Location. The overall implementation consists of:

- a set of Bluespec SystemVerilog (BSV) modules that describe our RISC-V System-on-Chip, spread across ten files located in hardware/SoC/src\_BSV,
- a set of Verilog files which are compiled from the aforementioned BSV (six files located in hardware/SoC/verilog),
- a set of Verilog files imported in order to implement the SoC, either in simulation or emulation, located in hardware/SoC/src\_Verilog and hardware/SoC/Verilator\_RTL, and
- a set of SystemVerilog files (three generated files located in src/generated/SystemVerilog, and one that is handwritten located in src/handwritten/SystemVerilog).

The Bluespec SystemVerilog is just over 1,000 lines long. The Verilog and SystemVerilog is only around 150 lines long.

RISC-V. RISC-V is the Instruction Set Architecture (ISA) for the fifth generation of RISC processors. It is an open, unencumbered ISA, therefore anyone can use the ISA for any purpose with no cost, and no encumbrance, to design or manufacture FPGA or ASIC-based CPUs. Dozens, and perhaps now, hundreds of RISC-V CPUs have been developed over the past eight years.

The software ecosystem that sits on top of RISC-V is very rich as well, and includes operating systems (Linux, FreeBSD, FreeRTOS, and others), compilers (gcc and clang both fully support RISC-V), and much more.

The RISC-V ISA is semi-formally specified via a set of standards documents and is formally described in a specification in the SAIL language/platform.

The NERV CPU is formally verified against an interpretation of this specification using the riscv-formal assurance framework, also developed by YosysHQ Using riscv-formal, one can prove, using a hardware formal verification tool like JasperGold, OneSpin, or Yosys, that every instruction in the ISA is exactly implemented correctly according to the specification.

The simple, clean, elegant, precise design of the RISC-V ISA is what makes this level of assurance possible. One cannot, in general, formally assured any other flavor of CPU (x86, ARM, MIPS, etc.) against its ISA as easily, or even at all.

The NERV design is located in the HARDENS/hardware/nerv directory, which is, strictly speaking, just a submodule of our project directly imported from YosysHQ's GitHub project.

The RTS System-on-Chip. The RTS SoC is a small, one or three core, CPU. Its design is exactly driven by the requirements that flow down to the hardware via refinement through the specifications previously summarized.

The design of the RTS SoC is located in the HARDENS/hardware/SoC directory<sup>1</sup>. The SoC is written largely in the Bluespec SystemVerilog (BSV) language, which is a high-level Hardware Description Language (HDL) which compiles to the Verilog HDL. The Bluespec tool suite includes a compiler called bsc which can compile BSV to either an executable software emulator of the design or a Verilog RTL implementation. Either can execute the RTS system, though we only use the latter in the project.

Simulating or Emulating the CPU or SoC. In order to execute a Verilog design, such as the RTS CPU or SoC, one use any number of the following choices:

- 1. simulate in a commercial/proprietary RTL simulator, such as those available from Cadence, Synopsys, or Siemens,
- 2. compile to a software simulator using a complementary commercial/proprietary tool from one of those three EDA firms or a handful of others (such as Metrics),
- 3. compile to a software simulator using an open source, freely available RTL compiler such iVerilog, Verilator, or Yosys,
- 4. compile to a hardware FGPA-based emulator using a commercial/proprietary tool chain such as those provided by Xilinx, Intel, Lattice Semiconductor, and others, or
- compile to an open source FGPA-based emulator using an open source, freely available tool chain such as that provided by YosysHQ, Berkeley's FireSim, or others.

For the HARDENS project, we use the Verilator simulator and the YosysHQ and Lattice Semiconductor-based FPGA compilers.

**SoC Design.** The SoC is either one or three core because the RTS software implementation can either run on a single CPU core or can be split across three CPU cores. See section 5.7.2 for more information.

The three CPU design is novel because it closely adheres to the requirements that refine from the system and model-based designs.

Traditional architectures for a three core CPU would either have (a) three completely separate CPUs that have separate memories and communicate via message passing or monitors, or (b) three CPUs that share a single memory and a level two cache in order to communicate via more traditional, ad hoc shared memory memory mechanisms.

For the RTS SoC, we find that only two of the CPUs need to communicate with each in one very small fashion, discussed below. In particular, we arrange the RTS architecture on the hardware in the following way:

<sup>&</sup>lt;sup>1</sup>Located on GitHub at HARDENS/hardware/SoC

- On CPU #1, we place computation that communicates with the outside world over a UART, both for programmability and the RTS user interface.
- On CPU #2, we put instrumentation and actuation communication and computation in order to read sensors, drive actuators, and make instrumentation decisions.
- Finally, on CPU #3, we put the core abstract state machine that is the core computational loop of the RTS.

**Product Configurations.** Based upon our architecture, the RTS can be deployed in one of several different product configurations. The entire system can be deployed in one of three ways:

- On a single FPGA, which emulates either a single CPU or a three core CPU.
- 2. On three FPGAs, each of which is a single independent CPU, and information is transmitted between the two CPUs which must communicate via a simple mechanism like a GPIO line.
- 3. One three normal compute elements, such as a normal Linux machine or a computational container (such as a Docker or Kubernetes instance), each of which either simulates a RISC-V CPU or simply runs the POSIX version of the subsystem. In such a configuration communication between compute elements would take place over, e.g., Ethernet.

The current implementation has much of what is necessary to realize any of these configurations, but the only configuration that is complete and delivered is the POSIX digital twin configuration and much, but not all, of the single FPGA configuration with the three core SoC.

Hardware Divisions of Instrumentation. The divisions of instrumentation are redundantly implemented, as described in the proposal and the system architecture, as two software and two hardware implementations, and one of hardware implementations is implemented by hand and the other is automatically generated from our CRYPTOL model (we discussed generation below in section 5.7.3).

Because the instrumentation is implemented in hardware, as are some of the drivers for the sensors and actuators, for that matter, the FPGA will execute those modules concurrently, independently, and if one of them were to fail for some reason (e.g., were it to deadlock), it will not affect the execution of the other modules.

The source for these two implementations is located in appendix E.7 and in the project filesystem in src/generated/SystemVerilog and src/handwritten/SystemVerilog. These implementations are demonstrated to be functionally equivalent to each other through formal verification, as discussed below in section 5.8.

Current State of the Hardware Implementation. Despite all of the work on formal assurance and system modeling, the hardware implementation is not complete. In particular, we are 90% of the way to completing synthesis and debugging the three core RISC-V SoC, but it (a) does not operate properly, and (b) we are not yet cross-compiling the RTS system to deploy them on the SoC. The reason that we have not finished the hardware implementation is that we have run out of project resources, given the very small budget for the project, and the remaining work is purely engineering, and involves no formal assurance or novel research. If more resources are made available on this topic, we can easily finish up the implementation.

### 5.7.2 Software Components

The software components in the RTS implementation are arranged into 8 header files and 23 implementation files, all of which are implemented in verifiable C. The total size of the implementation is approximately 2,300 lines of code, and that includes all assurance-related code as well.

The actual size of the core behavioral implementation of the RTS (including all product variants and digital twins) is only 1,400 lines of hand-written C code and 700 lines of automatically generated C code.

**Header Files.** All header files are located in src/include. The header files contain type declarations for named C types, functions, and ACSL behavioral specifications of both. The core ACSL behavioral axiomatic specifications are located in src/include/models.acsl. We discuss these model-based ACSL specifications below in section 5.8.3.

All common types and constants are located in src/include/common.h. Every single type declaration and constant is refined directly from the system architecture and CRYPTOL model.

Product line variants are concretized in three macros at the bottom of common.h called VARIANT, VARIANT\_IMPL, and VARIANT\_IMPL2.

There are a handful of helper macros defined to help write terse specifications. They are:

- ShouldTrip in src/include/instrumentation.h,
- DEBUG\_PRINTF in src/include/platform.h,
- ASSERT in src/include/platform.h, and
- MUTEX\_LOCK and MUTEX\_UNLOCK in src/include/platform.h.

**Implementation Files.** The software implementation is written to be portable across any typical POSIX build platform and as a baremetal implementation on an arbitrary ISA. Each device in the instrumentation subsystem is implemented as both a software digital twin (a mock of our real hardware) or as a software

driver to the real hardware. (Recall from the discussion above in section 5.7.1 that each device is also implemented as a hardware driver in parallel.)

Some of the implementation files are used to provide assurance of the low level model(s) of the RTS or its implementation. For example, src/bottom.c is used to formally verify model consistency, and runtime tests are located in the files in the src/tests directory. We discuss their design and use below in section 5.8.

The implementation, as discussed above in section 5.3.3, has several variants. Code that is used to generate implementations of these variants is located in src/variants, and basically amount to setting a handful of variation point constants from the LOBOT model to the right values for the implementation and using #include to import the variant code.

Code used to generate model-based tests and run bisimulation is located in src/self\_test\_data and is discussed below in section 5.8 as well.

The two top-level files that represent the core of the two main variants of the RTS (POSIX and baremetal) are located in src/posix\_main.c and src/rv32\_main.c. The former implements both a single-threaded and concurrent version of the software digital twin. The feature that controls which variant is built is called USE\_PTHREADS. The latter has to include variant BSP-specific header files, I/O definitions, and more, typical of any embedded systems code.<sup>2</sup>

### 5.7.3 Model-derived Components

Two kinds of RTS implementation components are automatically generated from models. Both are critical parts of the instrumentation subsystem, and as described in the original HARDENS proposal, nearly all are a *pair* of implementations of different components of instrumentation—the actuation unit, the actuator, the saturation check, and the instrumentation component—that are meant to be exactly behaviorally equivalent. A discussion of the formal evidence for such is included below in section 5.8.

Some of the assurance artifacts are also automatically generated from models, and are thus model-derived, but they are not discussed here.

In general, each automatically generated software component is created by the CRYPTOL tool, which has the ability to compile executable CRYPTOL models into correct-by-construction implementations in C, JVM, and SystemVerilog. We use two of these three backends; the software-targeting model compiler is called crymp and the hardware-targeting model compiler is called cryptol-verilog. The SAW tool, which we use in this project for formal assurance of some of the software implementation, also has the ability to compile to correct-by-construction implementations as well (in LLVM).

The generate\_sources build rule and its dependencies in the main soft-ware Makefile is how code generation is controlled. It is decomposed into two rules, one to build software (generate\_c and its dependencies) and one to build hardware (generate\_sv).

<sup>&</sup>lt;sup>2</sup>BSP means Board Support Package.

#### 5.7.4 Hand-Written Components

The hand-written components of the RTS software stack include:

- the trivial "bottom" implementation that is used to check CRYPTOL and ACSL specification soundness/consistency (discussed below in section 5.8),
- the software common across all variants, including core data type declarations, functions which interoperate with instrumentation subsystems (reading channels, device values, trips, modes, state, resets, self-testing, etc.), all of which are located in src/common.c,
- the RTS UI, located in src/core.c,
- the RTS self-test functions, located in src/core.c,
- the wrapper around the four different-but-equivalent critical intrumentation subsystems, located in src/sense\_actuate.c, and
- the core abstract state machine states and transitions of the RTS, implemented twice for the two main product variants, as discussed above, located in src/posix\_main.c and src/rv32\_main.c.

Tracing and Understanding Software Implementations and Their Specifications in the RTS. In general, every implementation component—whether it is a datatype declarations, a store reference declaration (that is to say, a memory location that is named, typed, in a fixed location, and holds a particular piece of RTS state), or a function—is specified semi-formally in LANDO (in English) and formally (in ACSL and CRYPTOL). One can trace between these elements using our name-based, refinement-centric traceability methodology.

In this document's appendices (??-?? we provide an explicit means by which to trace between all components and subsystems. In what follows we provide some examples of this traceability.

Reviewing and Tracing Software. One can discover where the core software located in src/common.c is documented by following its dependencies. For a C implementation, one looks at the (transitive) set of header files that are included via C preprocessor #include directives. For example, in the case of common.c, these files are core.h, platform.h, actuate.h, and rts.h. Likewise, core.h, in turn, includes common.h.

These dependencies are depicted in ??. Note how header file dependencies largely mirror package dependencies in the system architecture.

Each type declaration—both data types (such as the various array types in platform.h and structure types in common.h) and function types (such as those found in actuation\_logic.h) in the C code refine isomorphic composite and functional data types, respectively, in either or both the ACSL and CRYPTOL specifications. Likewise, each function further refines those defined in the LANDO specification or the same name.

For example, the Mission Essential Function (MEP) C function Is\_Ch\_Tripped's C type signature is defined in line 37 of instrumentation.h, its meaning is defined in the associated contract on line 35, in the ACSL model in line 49 of models.acsl, which states on line 48 that it refines the CRYPTOL specification RTS::InstrumentationUnit::Is\_Ch\_Tripped which is located on line 138 of InstrumentationUnit.cr, which in turn refines the SysML specification starting on line 146 of RTS\_Static\_Architecture.sysml, which in turn refines the LANDO specification found in instrumentation.lando.

Likewise, you will find alternative implementations of Is\_Ch\_Tripped in hardware in the Verilog files mkInstrumentationHandwritten.v and mkInstrumentation-Generated.v, the Bluespec SystemVerilog files Instrumentation\_Generated\_-BVI.bsv and Instrumentation\_Handwritten\_BVI.bsv, the Verilog generated from CRYPTOL in Is\_Ch\_Tripped.sv and its hand-written sister in Is\_Ch\_Tripped\_Handwritten.sv, etc.

#### 5.8 V & V artifacts

### 5.8.1 Reviewing and Tracing Evidence

To continue with the traceability discussion of the last section, one can trace from source code and specifications to all of the related validation and verification by continuing to follow names in validation and verification files.

So, in the case of Is\_Ch\_Tripped, we can find hardware formal verification artifacts in saw/generated/Is\_Ch\_Tripped.yosys and saw/handwritten/Is\_Ch\_Tripped.yosys, and on lines 10, 11, 36, and 37 of saw/instrumentation.saw.

#### 5.8.2 Specification Consistency

The first critical property to check before anything other is *specification consistency*. A specification is consistent if it contains no logical contradictions; occasions where both a proposition  $\phi$  and  $\phi$  are stated to hold simultaneously.

If any fragment of specification contains an inconsistency, and a verification depends upon that fragment, then the inherent contradiction implies that the precedent of one or more theorems we intend to prove is false, and thus the those theorems trivially hold, since the proposition  $false \to B$  holds for any B.

Such specification inconsistencies are the bane of formal verification practitioners the world-over. When a hidden inconsistency happens, usually through a specification error, suddenly automatic verification becomes very simple, and even the hardest verifications go through immediately. This is a warning sign, and the consistency problem must be addressed.

In order to avoid this circumstance, the methodological mitigation we use in RDE is to always state false theorems (what are called "bottoms") about every goal, requirement, model, and implementation, and try to prove those false theorems are valid (true). If we can ever prove such a fallacy, we know our specifications are inconsistent, and must be corrected.

We thus construct "bottoms" for every layer of our RDE specification. In the case of HARDENS, we must do so in our formal requirements specification (in FRET), in our feature model (in LOBOT), in our denotational and executable model-based specification (in CRYPTOL), in our proof scripts (in SAW), and in our model-based behavioral interface specification language (in ACSL).

Our verification bench must check, preferably automatically, each of these "bottom" theorems, prior to attempting to check any other evidence: any "real" theorem about the system.

For our formal requirements specification, the FRET tool includes a specification consistency checker that does just that. In our LOBOT specification, the check\_bottom property on line 242 of RTS.lobot is this theorem. For our ACSL specification, the "bottom" C implementations of every core function of the system, located in bottom.c, does just that too.

Once all consistency checks pass, we can now focus on using specifications to check the correctness of the RTS.

#### 5.8.3 Model-based Assurance

Correctness checking is based upon *evidence artifacts* which demonstrate that *properties* which imply *requirements* and their associated *goals* are satisfied.

Evidence comes in several forms, ranging from semi-formal and manual to formal and automatic. We demonstrate the use and presentation of this full range of evidence artifacts in the assurance of the RTS.

Historically, especially for document-based assurance methods with manual review of assurance cases, as done in a handful of national and international certification standards—such as the NRC's, the FAA's DO-178, Common Criteria, DoD branch flight certification, and the NSA's "old" style certification—only semi-formal arguments written in natural language (i.e., English) are under evaluation.

While those arguments often call out to, or summarize, external technical evidence artifacts, such as tests or third party peer-review, they do not often refer to formal models, source code, or their properties. With model-based assurance, new forms of evidence become not only possible, but reasonable, as we can now make direct reference to formal models, source code, and their properties.

This evolution is comparable to the difference between an informal argument which appeals to common sense and intution about statistical matters and a formal argument that *uses statistics* to prove a supposition. Likewise, it is the difference between a middle school math book that teaches by example and rote and a university text book which teaches and uses theorem proving techniques.

In computer science and mathematics (especially logic), a similar transition has been underway over the past twenty years, elevating precision and evidence even from this latter example. Mathematics textbooks and top computer science conference papers used to be written only in very precise English—complete with formal definitions, theorems, and proofs (aka formal models and their properties)—until a movement started in *open mechanization*.

Mechanization is the process of making a formal, human-readable, human-writable, human-reasonable model and its properties machine-readable, writable, and reasonable. By "reasonable" we mean the steps taken in making or evaluating a model, a property/theorem, or a proof. Moving from (only) human-based to both human- and machine-based means that a computer double-checks our work. It also means though that we cannot elide, skip steps, or only appeal to a reader's intuition. Every single aspect of a model and proof is laid bare to both the human and the computer.

Mechanization does not mean that the models and proofs are **not** humanreadable or approachable. The tools that are used for these kinds of model-based specifications and arguments are largely designed by and for mathematicians/logicians, after all.

The tools that we use in the creation of the RTS demonstrator are a subset of the tools widely available for mechanized model-based systems engineering. These tools and others are discussed broadly, and in more detail, in ??. The tools we chose to use in HARDENS are those we deem appropriate for the task: they are some of the best tools available, they lean into the kinds of modeling, properties, and evidence necessary for nationally critical infrastructure, and they are open source and freely available.

In what follows we move through each kind of model and evidence present in the RTS. By discussing each flavor separately, we can both demonstrate that the RTS is high-assurance and fulfills its semi-formal requirements and also teach about best practices in the presentation and evaluation of model-based systems.

#### 5.8.4 Kinds of Evidence

To recap our discussion of evidence from earlier chapters, the new kinds of evidence that are available via model-based engineering largely fall into four categories: (1) the application of rigorous patterns of relations between artifacts,

- (2) dynamic demonstration of property validity against models and programs,
- (3) static demonstration of property validity via automated solving, and (4) static demonstration of property validity via mathematical proof.

While each of these forms of evidence is present in the RTS in plurality, we only discuss one or two examples per flavor so as to not be overly pedantic and overwhelm the reader. Given our recommendations in chapter 4, especially those in section 4.3, it should be unnecessary to pedantically discuss in an informal fashion, as we do here, every nook and cranny of every model, property, and piece of evidence.

Instead, a reviewer should be able to find the rhythm of a model-based system's design, implementation, and assurance and, by judicious randomized exploration of artifacts, quickly gain surity or distrust of a system and its assurance. By demanding less from both sides of the reviewer/reviewee relationship, by embedding more in models, the creation, presentation, and review of evidence is significantly less costly and time-consuming that traditional, pedantic-but-informal, processes.

#### 5.8.5 Assurance of the RTS

In this section, we move through each layer of the RTS specification and assurance case, from most informal to most formal, following traceable lines of evidence and refinements.

In the RTS implementation, the file Assurance.md also contains a detailed write-up of the rigorous assurance of the entire system.

- 1. test vectors for self-test implementation
- 2. equivalence proofs of cryptol & implementation (SAW)
- 3. ACSL model refinement of cryptol (in-line with source)

From the Lando Specification. As discussed in section 5.3, the Lando specification contains the transliteration of RFP and IEEE goals and requirements for the RTS. Thus our relations and refinements start with precise English properties expressed in Lando, and refine to specifications in our feature model (in Lobot), formal requirements (in FRET), and our system architecture (in SysMLv2).

Some of these requirements and goals are extremely informal, such as ??:

Evidence for our fulfilling these kinds of requirements is provided only through reference to concrete artifacts, such as project contracts, this report, project communications, slide decks that summarize the material, etc.

Other system or project requirements, especially ones that are semi-formal and can be refined to formal models, are liked in the assurance case to their refinements. For example, the requirement ?? points directly to the system architecture and its software and hardware:

Likewise, several requirements have a formal meaning and are directly traced to formal assurance artifacts, especially in FRET, and hence CRYPTOL, models. A good example of such a requirement is ??, which refines to several different specification and assurance artifacts:

Recall that structural models refine directly to models with refined structure. For example, the LANDO system architecture, instrumentation, and dataflow specifications have this nature, and all directly refine to naturally named structures in other specifications.

From the Lobot Specification. The feature model specification written in LOBOT describes the products derivable from the product line. Its refinement connects to the build system that is used to generate products and to architectural, specification, and code components that help concretize those products.

The RTS build system is found in a set of simple Makefiles. Each build file attends to a separate concern, based upon its location in the filesystem.

- hardware/SoC/firmware/Makefile builds the RTS firmware for the FPGAbased demontrator.
- hardware/SoC/Makefile builds the RTS SoC and its digital twins.

- hardware/nerv/Makefile builds the NERV's digital twin (using iVerilog), basic firmware, and testbench.
- saw/Makefile compiles critical components of the RTS using the LLVM compiler to LLVM bitcode and runs SAW to formally demonstrate assurance of those components.
- specs/Makefile runs the LANDO and LOBOT tools to check all of the high level specifications.
- Makefile runs ...
- models/Makefile runs CRYPTOL to assure all properties to validate (via 10,000 model-based randomly generated tests) and formally verify the CRYPTOL model of the RTS.
- report/Makefile runs the latexmk tool to build the RTS final report (this document).
- src/Makefile builds the RTS "bottom" implementation and all digital twins, generates all model-based test data from CRYPTOL, builds all variants, runs various tools to automatically generate model-based implementations (software and hardware), and the hardware digital twin using verilator.

From the FRET Specification. The FRET specification is encoded in the filesystem using an internal JSON format supported by the FRET tool. That specification is flattened into a human-readable model of all of the RTSFRETish requirements in appendix C.

Each FRET requirement is refined from a SysMLv2 requirement, which in turn is refined from a Lando requirement. Refinement of semi-formal natural language specifications, such as requirements, means that either the text of a given requirement is syntactically identical on both ends of the relation (i.e., the text in the Lando is character-by-character equal to that which is in the SysMLv2), or the refined requirement has more information.

From the SysMLv2 Specification. The main properties *uniquely* described in the SysML specification is the structure of the RTS system. Consequently, the main assurance artifact associated with this specification is solely the structure-preserving refinement that is used upward (abstractly) to the Lando specification, and downward (concretely) to the CRYPTOL and ACSL specifications described below.

A full, rich SysML specification would also include system properties (such as those captured in our FRET specification) as expressed in the SysML model. But those are wholly redundant in the RDE methodology, as they would be nothing more than a transliteration of the syntax of FRET to the syntax of SysML expressions. Thus, they are elided.

From the Cryptol Specification. The CRYPTOL specification, as discussed earlier, contains a transliteration of every FRET requirements and every behavioral property of the system as CRYPTOL first-order properties.

CRYPTOL properties are *theorems* about the CRYPTOL model. Thus, the assurance of the CRYPTOL model is wholly dependent upon the completeness, consistency, and correctness of these theorems.

We demonstrate the assurance of the CRYPTOL model by runtime checking and formally proving every property on the Cryptol model. The assurance script located at models/check\_model.icry loads in the specification of every critical subsystem of the RTS model (e.g., :m RTS::InstrumentationUnit) and either checks or proves all properties therein.

Recall that every FRET property is transliterated to a CRYPTOL property. Consequently, proving every property of the model proves that the model is complete with regards to the properties (and thus the original system requirements), and is consistent (because we cannot prove the false theorem), and is correct (because the properties hold for any realization of the system under all inputs, given we are largely using the prove command everywhere.

The final property, end\_to\_end\_test is a property that specifies how the whole of the RTS holds together. As it is a trace property through the entire system, it cannot be automatically formally proven, but only simulated and runtime verified.

From the ACSL Specification. Key properties of critical components from the aforementioned models are also transliterated, if relevant, into the ACSL model of the software system.

Properties becomes assertions of various kinds—preconditions, postconditions, invariants, and assertions—and thus express the correct behavior of the system at the software refinement level.

We use these models to formally assure the correctness of the hand-written and automatically generated C implementations of these critical components (e.g., those in instrumentation.h). Several kinds of analysis are used, in series, to build up to a full formal assurance case. First we prove that the code contains no underdefined behavior and then we perform full formal verification of the implementations against the contracts.

Normally we would also use these models to automatically generate a modelbased runtime verification harness for the software implementation so as to demonstrate that all checks are valid as runtime assertion checks on all digital twins and on the deployment platform. This project had insufficient resources for us to also add this extra level of assurance.

From the SAW Specification. For C implementations, we use SAW to prove correctness between the Cryptol model and the LLVM bitcode. For SystemVerilog implementations, we use SAW to extract a Verilog module from the Cryptol specification, and then use the Yosys tool to prove equivalence between

the extracted Verilog module and the generated or hand-written SystemVerilog module.

Not only does this establish the functional correctness of the component in question, but writing such specification (that can be precisely checked) ensures that the interface between components is made precise. For example, the final specification must take into account any differences in endianness assumptions between the source (Cryptol) and the target (e.g., the Verilog hardware design).

#### 5.8.6 Hand-written

We use a tool called pexpect to do end-to-end testing of scenarios. Each test case is a transcription of a LANDO scenario that matches UI output. The file tests/README.md explains the end-to-end runtime verification for the RTS in detail.

Each test scenario specified in specs/test\_scenarios.lando is translated into a parametrized software test, either driven directly against the software through function call invocation or, better yet, as driven through the top-level UI.

By driving through the external UI, we can use the same model-based parametrized tests to drive digital twins (like the CRYPTOL model or the software simulation of the RTS in either the Posix or RV32\_bare\_metal configurations of the product line) or directly on the FPGA deployment platform.

Title: Assessment of Model-Based Systems Engineering Processes in a Regulatory Review Context for Digital Instrumentation and Controls of Existing Nuclear Power Plants

#### C.1 Background

Over the past 15 years, Model-Based Systems Engineering (MBSE) has emerged as powerful methodology and practice for realizing and verifying complex embedded systems while providing rigorous evidence of functional and safety compliance. The phrase "Model Based Systems Engineering" has been used in many different contexts to the point where its meaning and purpose is vague. For safety critical systems design, the definition from the systems engineering and the formal methods community is appropriate.

"Model-Based Systems Engineering (MBSE) is the formalized application of modeling to support system requirements, design, analysis, verification and validation activities beginning in the conceptual design phase and continuing throughout development and later life cycle." Because of its capability to address the software and system complexity and productivity challenges of complex distributed embedded systems, MBSE is quickly becoming the preferred engineering paradigm for the development of such systems across a variety of application domains. However, MBSE has not been used in any significant degree in the nuclear industry.

The NRC's guidance for digital I&C has its origins in a document-based waterfall development model. Modern software (SW) engineering environments are increasingly using highly integrated ecosystems of SW and hardware (HW) development tools with less reliance on published documents during development. These approaches tend to view the model as a portable "executable specification." The NRC is investigating the potential utility and impacts of MBSE methods and tools to the established review process of I&C for nuclear power plants (NPPs).

Documents are created by and for people to use (in the nuclear I&C domain) and are mostly natural language descriptions. Electronic representations, such as models, can be statically and dynamically analyzed by electronic tools. Although a human can never be removed from the development process, certain analysis tasks can be performed more quickly and accurately by electronic tools. Such tools may be difficult to qualify using current NRC criteria, which is focused on whether defects in the tool or resulting software would not be detected by other verification and validation activities.

#### C.2 Objective

The objective of this contract/order is to obtain expert technical services in order to develop a better understanding of: (1) how Model-Based Systems Engineering (MBSE) methods and tools can support regulatory reviews of adequate design and design assurance, (2) identify any barriers or gaps associated with MBSE in a regulatory review of Digital I&C for existing NPPs.

#### C.3 Scope of Work

The proposed research approach is for the implementation of a simple protection system using both: (1) highly integrated computer-based engineering development processes, and (2) MBSE. All the modules of the simple protection system would be modeled functionally, and one PPGA-based circuit card would be modeled/designed in detail. The level of detail in the design

Figure 5.1: NRC RFP Page 5

and supporting analysis should address independence of functions. Independence should address interfaces between functions and self-testing implemented on the circuit card, as well as voting between protection system elements.

The final product would be the design itself and the associated evidence to demonstrate its technical soundness. Then the NRC technical staff for I&C would review the "demonstration" material and identify additional information needed or material that is not needed for regulatory purposes.

Different parties have different ideas about what it means to use MBSE. This research is intended to identify and explore an existing state of the practice, and not to develop new engineering practices.

MBSE, with its inherent ability to analyze and simulate many different scenarios may be a superior approach for more complex systems, structures, and components (SSCs). Modern digital systems tend to be more complex because they are SW intensive and include more shared resources, more coupling of resources (e.g., digital communication, heterogeneous computing devices), and sometimes adaptive abilities. For these reasons, MBSE is often needed to design such systems to high levels of design assurance. Therefore, the regulator must be prepared for MBSE applications where non-document-based evidences are part of a safety evaluation.

For relatively simple applications, such as a reactor trip system, MBSE may support more robust analysis methods such as formal methods or model-based safety assurance.

This research is to explore the full scope of MBSE (i.e., it is not limited to simulation-based validation of I&C system designs). The use of models and simulations in the early design phases of new NPPs and validation of I&C system designs (e.g., confirm required behavior and identify unwanted or undesirable interactions) is one aspect of MBSE. For each aspect of MBSE, the kind of engineering artifacts should be identified and described to include their use as evidence of the soundness of the design. The alternate review process of DI&C-ISG-06, Rev. 2 (ML18269A259), could help to enable the use of MBSE.

#### **Base System Architecture:**

- Four redundant divisions of instrumentation, each containing identical designs:
  - o Two instrumentation channels (Pressure and Temperature)
  - Sensor
  - Data acquisition and filtering
  - Setpoint comparison for trip generation
  - Trip output signal generation
  - Two trains of actuation logic, each containing identical designs:

     Two-out-of-four coincidence logic of like trip signals
    - Logic to actuate a first device based on an OR of two instrumentation
- coincidence signals  $\begin{tabular}{c} \end{tabular}$   $\circ$  Logic to actuate a second device based on the remaining instrumentation
- Logic to actuate a second device based on the remaining instrumentation
   coincidence signal

#### Functions to Be Implemented:

Trip on high pressure (sensor to actuation)

Figure 5.2: NRC RFP Page 6

- 2. Trip on high temperature (sensor to actuation)
- Trip on low saturation margin (sensors to actuation)
- Vote on like trips using two-out-of-four coincidence
- Automatically actuate devices Manually actuate each device
- 6.
- Select mutually exclusive maintenance and normal operating modes on a per division basis
- Perform setpoint adjustment in maintenance mode
- Configure the system in maintenance mode to bypass an instrument channel (prevent it from nerating a corresponding active trip output)
- 10. Configure the system in maintenance mode to force an instrument channel to an active trip output state
- 11. Display pressure, temperature and saturation margin
- 12. Display each trip output signal state13. Display indication of each channel in bypass
- 14. Periodic continual self-test of safety signal path (e.g., overlapping from sensor input to actuation output)

#### Characteristics to be demonstrated (based on the requirements of IEEE Std 603-2018):

- 1. Completeness and consistency of requirements
  2. Independence among the four divisions of instrumentation (inability for the behavior of one division to interfere or adversely affect the performance of another)
- 3. Independence among the two instrumentation channels within a division (inability for the
- behavior of one channel to interfere or adversely affect the performance of another)

  4. Independence among the two trains of actuation logic (inability for the behavior of one train to interfere or adversely affect the performance another)
- 5. Completion of actuation whenever coincidence logic is satisfied or manual actuation is initiated
- 6. Independence between periodic self-test functions and trip functions (inability for the behavior of the self-testing to interfere or adversely affect the trip functions)

The Contractor shall implement the system described above using both: (1) highly integrated computer-based engineering development processes, and (2) MBSE. All the modules of the simple protection system would be modeled functionally, and one FPGA-based circuit card would be modeled/designed in detail. The deliverable will be the model-based design itself.

The Contractor shall perform preliminary V&V and testing of the design using model-based engineering and testing methods. The deliverable will be the artifacts as described in the proposal.

Task 3: The Contractor shall participate in an evaluation of the artifacts produced in tasks 1 and 2 with NRC staff. This will consist of:

- An initial kickoff meeting for this task with the NRC staff.
   The NRC staff will then provide initial feedback on the artifacts produced and additional information that would be needed.
- 3. The Contractor shall then attempt to address any issues and provide the additional information within the time for this portion of task 3 (1 month).

Figure 5.3: NRC RFP Page 7

4. A second meeting will be held to discuss the additional information provided.

Task 4: The Contractor shall develop a one-day long virtual presentation on the results of this research that explains the MBSE approach used, the engineered development environment, the development products, and lessons learned from interacting with the regulator. The deliverable will be the presentation and associated materials.

The Contractor shall develop a final report describing the work summarizing the work performed and the results and conclusions derived. The final report shall include findings and recommendations for future research.

#### C.5 <u>Deliverables and Delivery Schedule</u>

| Deliverable      | Due Date                                                                                                                                                                                                                                                                                                                                                                                                            | Format                                                               | Submit to |
|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|-----------|
|                  |                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                      |           |
| Task 1 design    | 4 months after start of work                                                                                                                                                                                                                                                                                                                                                                                        | As appropriate to the tools used.                                    | COR       |
| Task 2 artifacts | 6 months after start of work                                                                                                                                                                                                                                                                                                                                                                                        | As appropriate to the tools used.                                    | COR       |
| Task 3           | The initial kickoff meeting for task 3 will be held within two weeks of delivery of the artifacts and should be scheduled ahead of time.  The NRC will provide input within one month of the kickoff meeting.  The Contractor response is to be provided within one month of receipt of NRC input.  The NRC will provide input and hold the second meeting within one month of receipt of the Contractor responses. | As appropriate to the tools used.                                    | COR       |
| Task 4           | The presentation is to be provided within 11 months of the start of work.                                                                                                                                                                                                                                                                                                                                           | Slides (PowerPoint<br>or Adobe Portable<br>Document Format<br>(PDF)) | COR       |

Figure 5.4: NRC RFP Page 8

```
// title: Reactor Trip System high, assurance demonstrator.
     //\ project : \ \textit{High Assurance Rigorous Digital Engineering for Nuclear Safety (\textit{HARDENS})}
 3
     // copyright (C) 2021 Galois
     // author: Joe Kiniry <kiniry@galois.com>
     system Reactor Trip System (RTS)
     The overall shape of the Reactor Trip System (RTS) is an archetypal
     *sense,compute,actuate* architecture. Sensors are in the 'Sensors'
     subsystem. They are read by the 'Instrumentation' subsystem, which
     contains four separate and independent 'Instrumentation' components. The "Compute" part of the architecture is spread across
12
13
14
15
     the 'Actuation Logic' subsystem, which contains the two 'Voting'
     components which perform the actuation logic itself, and the 'Root'
     subsystem which contains the core computation and I/O components, and
     the two separate and independent devices that drive actuators.
16
17
     subsystem RTS Architecture (Architecture)
     This RTS architecture specification includes all of the core
concepts inherent to NPP Instrumentation and Control systems.
     A system architecture specification often includes a software,
     hardware, network, and data architecture specifications.
     subsystem RTS Hardware Artifacts (Hardware)
     The physical hardware components that are a part of the HARDENS RTS
     demonstrator.
     subsystem RTS Implementation Artifacts (Implementation)
     A summary of the tools, technologies, specifications, and implementations
     relevant to this high, assurance demonstrator's development and assurance.
     subsystem RTS Requirements (Requirements)
     All requirements that the RTS system must fulfill, as driven by the
     IEEE 603,2018 standards and the NRC RFP.
     subsystem RTS Properties (Properties)
     All correctness and security properties of the RTS system are
     specified in this subsystem.
     subsystem IEEE Std 603,2018 Characteristics (Characteristics)
     The IEEE 603,2018 requirements (known as "characteristics" in
     the standard) which the RTS demonstrator system must fulfill.
     relation RTS contains Architecture
     relation RTS contains Hardware
     relation RTS contains Properties
     relation RTS contains Characteristics
```

Figure 5.5: A fragment of the RTS LANDO domain model

```
/\!/\; \textit{Events are (seemingly, atomic, from the point of view of an external}
23456789011
11213145
     \ensuremath{/\!/} observer) interactions/state, transitions of the system. The full
     // set of specified events characterizes every potential externally
     // visible state change that the system can perform.
     // External input actions are those that are triggered by external input on UI.
     events Demonstrator External Input Actions
     Manually Actuate Device
     The user manually actuates a device.
     The user puts an instrumentation division in or takes a division out of 'maintenance' mode.
16
     Perform Setpoint Adjustment
     The user adjusts the setpoint for a particular channel in a particular division in

→ maintenance mode.

19
     Configure Bypass of an Instrument Channel
     The user sets the mode of the channel of an instrumentation division to either bypass or
           → normal mode.
21
22
23
     Configure Active Trip Output State of an Instrument Channel
     The user sets the mode of the channel of an instrumentation division to either trip or
           \hookrightarrow normal mode.
24
25
26
27
28
     // External output actions are those that are triggered by internal
     // state change, which is, in turn, sometimes prompted by external input
     // actions.
     events Demonstrator External Output Actions
```

Figure 5.6: A fragment of the RTS LANDO (external input) events

```
// Scenarios are sequences of events. Scenarios document normal and
 234567
     // abnormal traces of system execution.
     // Test scenarios are scenarios that validate a system conforms to its
     // requirements through runtime verification (testing). Each scenario
     // is refined to a (possibly parametrized) runtime verification
     // property. If a testbench is complete, then every path of a
8
9
10
     \ensuremath{/\!/} system's state machine should be covered by the its set of scenarios.
     scenarios Self, Test Scenarios
11
12
     Normal Self,Test Behavior 1a ,Trip on Mock High Pressure Reading from that Pressure Sensor
13
     The user selects 'maintenance' for an instrumentation division, the
     division's pressure channel is set to 'normal' mode, the pressure
     setpoint is set to a value v, the user simulates a pressure input to
16
     that division exceeding v, the division generates a pressure trip.
17
18
     Normal Self,Test Behavior 1b ,Trip on Environmental High Pressure Reading from that Pressure
           → Sensor
19
     The user selects 'maintenance' for an instrumentation division, the
20
21
22
23
24
     division's pressure channel is set to 'normal' mode, the pressure
     setpoint is set to a value \ensuremath{\mathbf{v}}\xspace, the division reads a pressure sensor
     value division exceeding v, the division generates a pressure trip.
     Normal Self, Test Behavior 2a , Trip on Mock High Temperature Reading from that Temperature
           → Sensor
     The user selects 'maintenance' for an instrumentation division, the
     division's temperature channel is set to 'normal' mode, the
     temperature setpoint is set to a value v, the user simulates a
     temperature input to that division exceeding v, the division generates
     a temperature trip.
```

Figure 5.7: A fragment of the RTS LANDO scenarios

```
-- We use three different C compilers for (cross-)compilation.
 234567
      type compiler =
       { GCC, Clang, CompCert }
     -- We target three different ISAs in software compilation because our
     -- development platforms for the POSIX-based virtual platform is -- either ARM or X86-based and the SoC digital twin and deployment
 89
      -- platform are RISC-V-based.
     type isa =
10
11
       { ARM, X86, RV32 }
12
13
      -- The feature model of the RTS demonstrator itself.
14
15
16
      -- The cost of a demonstrator is expressed in U.S. dollars and is
      -- based upon the value of the board plus all physical devices that -- are attached. A purely virtualized RTS demonstrator has zero
-- hardware cost.
     rts : kind of struct
       with -- Which development board is being used?
            board : dev_board
             -- How much does the hardware for this demonstrator cost in USD?
             cost : nat
             -- What level of assurance does the demonstrator have overall?
            assurance : assurance_level
             -- Is the FPGA being twinned via a Verilog simulator/emulator?
            soc : twin_or_physical
             \operatorname{--} Is the first tempurature sensor a twin or physically present?
            ts1 : twin_or_physical
             -- Is the second tempurature sensor a twin or physically present?
             {\tt ts2} \; : \; {\tt twin\_or\_physical}
             -- Is the first pressure sensor a twin or physically present?
            ps1 : twin_or_physical
             -- Is the second pressure sensor a twin or physically present?
            ps2 : twin_or_physical
             -- Is the first actuator a twin or physically present?
             sa1 : twin_or_physical
             -- Is the second actuator a twin or physically present?
             sa2 : twin_or_physical
             -- Which C compiler is used to (cross-)compile the software?
             comp : compiler
             -- Which ISA is the compiler (cross-)compiling to?
             target : isa
             -- Are all devices twins?
             all_devices_twins : bool
             -- Should sensors be simulated?
             simulate_sensors : bool
```

Figure 5.8: A fragment of the RTS LOBOT feature model



Figure 5.9: An Example Formalized Requirement in FRET

```
Future Time LTL

(LAST V (( VOTE_ACTUATE_DEVICE_1 |
MANUAL_ACTUATE_DEVICE_1 -> ACTUATE_DEVICE_1 ) & (
ACTUATE_DEVICE_1 -> VOTE_ACTUATE_DEVICE_1 |
MANUAL_ACTUATE_DEVICE_1 )))

Target: Actuation_Logic component.

Past Time LTL

(H (( VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 -> ACTUATE_DEVICE_1 ) & ( ACTUATE_DEVICE_1 -> VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 )))

Target: Actuation_Logic component.
```

Figure 5.10: Some Example Requirement Semantics in FRET



Figure 5.11: Realizability Checking in FRET

```
// \ {\it HARDENS} \ {\it Reactor} \ {\it Trip} \ {\it System} \ ({\it RTS}) \ {\it Actuator} \ {\it Unit}
1 2 3 4 5 6 7 8 9 10 1 12 13 14 15 16 7 18 19 20 1 22 3 2 2 6 7 2 8 9 3 3 1
     // A formal model of RTS Actuator behavior written in the Cryptol
      // DSL.
      // @author Alex Bakst <abakst@galois.com>
      // @created November, 2021
      // @refines HARDENS.sysml
     // Grefines RTS.lando
// Grefines RTS_Requirements.json
      module RTS::Actuator where
      type Actuation = Bit
      type Mode = Bit
      /** @requirements
            ACTUATION_LOGIC_MANUAL_DEVICE_{0,1} satisfied by definition
      type Actuator =
       { input: Actuation
       , manualActuatorInput: Actuation }
      SetInput: Actuation -> Actuator -> Actuator
      SetInput on actuator = {actuator | input = on }
      SetManual: Actuation -> Actuator -> Actuator
      SetManual on actuator = {actuator | manualActuatorInput = on}
      ActuateActuator : [2]Actuation -> Actuation
      ActuateActuator inputs = (inputs @ (0:[1])) || (inputs @ (1:[1]))
```

Figure 5.12: Cryptol model of Actuator component

```
// HARDENS Reactor Trip System (RTS) Actuation Unit
 23456789
      // A formal model of RTS Actuation Unit behavior written in the
      // Cryptol DSL.
      //
      module RTS::ActuationUnit where
      import RTS::Utils
      import RTS::InstrumentationUnit
11
      type Input = [3][4]TripPort
12
13
14
15
16
17
18
19
20
21
22
23
24
26
27
28
29
31
33
33
35
36
37
      type ActuationPort = Bit
type ActuationUnit = { output: [2]ActuationPort }
      type CoincidenceLogic = [4]TripPort -> Bit
      type OrLogic = [2] -> Bit
      TemperatureLogic: [4]TripPort -> Bit
      TemperatureLogic ts = Coincidence_2_4 ts
        Coincidence_2_4 : [4]TripPort -> Bit
        Coincidence_2_4 x =
          (a&&b) || ((a||b) && (c||d)) || (c&&d)
          where
            a = (x @ (0:[2])) != 0
            b = (x @ (1:[2])) != 0
            c = (x @ (2:[2])) != 0
            d = (x @ (3:[2])) != 0
        count : \{n\} (fin n, n >= 1) => [n] -> [width n]
        count bs = sum [ if b then 1 else 0 | b <- bs ]
        /** @requirements
               ACTUATION_LOGIC_VOTE_TEMPERATURE
        property actuation_logic_vote_temperature (inp: Input) =
  (count [i != 0 | i <- (inp @ T)] >= 2) == TemperatureLogic (inp @ T)
```

Figure 5.13: Cryptol model of Actuation Unit component

```
NRC Understanding
Provide to the NRC expert technical services in order to develop a better understanding of how Model, Based Systems Engineering (MBSE) methods and tools can support regulatory reviews of adequate design and design assurance.
```

Figure 5.14: An informal project goal: NRC Understanding

```
Demonstrator Parts
Our demonstrator includes high, assurance software and hardware, includes open source RISC, V Central Processing Units.
```

Figure 5.15: A semi-formal project goal: Demonstrator Parts

```
1 // Both formal and rigorous consistency checks of the requirements 2 // will be accomplished by using false theorem checks and proofs in 3 // the Cryptol model and in software and hardware source code; Requirements Consistency Requirements must be shown to be consistent.
```

Figure 5.16: A formal project goal: Requirements Consistency

## Chapter 6

### Conclusion

This final report summarizes the outcomes of the *High Assurance Rigorous Digital Engineering for Nuclear Safety* (HARDENS) project, in which Galois has developed a high-assurance, safety-critical demonstration system for the Nuclear Regulatory Commission using Rigorous Digital Engineering (RDE). The system in question is a Digital Instrumentation and Control (DI&C) system for Nuclear Power Plants (NPPs), and is called the Reactor Trip System (RTS). The report covered the following topics:

- In chapter 2, we covered the topic at a 50,000 ft level: what is this project about, what are the NRC's goals, just what are models and model-based engineering (MBE), what forces have influenced the evolution of models and MBE over the past few decades, how do assurance cases relate to MBE, and how is the system that was built to demonstrate modern MBE—the HARDENS demonstrator—described and assured in what follows.
- chapter 3 contains a top-level summary of model-based engineering in the 2020s, with particular attention on which concepts, tools, and technologies have been successfully adopted in high-end industry, especially for mission-and safety-critical systems development, assurance, and certification. This chapter also includes a gap analysis which details the challenges that remain for widespread adoption of MBE, or deep acceptance in a specific industrial segment, such as the critical infrastructure sector.
- chapter 4 discusses how one should review model-based systems, particularly from the point of view of carefully reviewing large, complex, high-assurance systems automatically and manually using both digital and paper-based means. These kinds of reviews are a natural part of the validation or certification regimes used by NIST and the NSA, as well as international certification regimes such as Common Criteria, but are not traditionally the remit of reviews that take place at the FAA, in the DoD branches (such as flight certification), or at the NRC.

- The HARDENS Reactor Trip System (RTS) Demonstrator is discussed in gory detail in chapter 5.
- After this chapter, a large appendix contains all of the cross-referenced models and code for the entire RTS demonstrator.

Were we to have used proprietary tools instead of, or in addition to, the open source tools that have been used in this project, then we would have chosen to use the following tools:

- Cameo Systems Modeler (CATIA) from Dassault Systèmes would have been used to create and reason about a SysML version 1 model, and generate hypertext digital and paper documentation from that model.
- OSATE2 from the Carnegie Mellon University's Software Engineering Institute (SEI) would have been used to create and reason about an AADL model.<sup>1</sup>
- A broad set of tools from Ansys, including ModelCenter, SCADE, Twin Builder, medina, and others, would have been used to (a) perform tradestudy analysis and, (b) to implement and verify the instrumentation subsystem again using another language/technique for more heterogeneity.
- BigLever's onePLE would have been used to characterize our product line model and drive the aforementioned trade-study.
- And a tool like AdvoCate from NASA or ASCE from Adelard would have been used to document and review our assurance case.

#### 6.1 What is Next for the RTS

This project is likely just the first of many that Galois hopes to do with the NRC. Its technical focus and outcomes are highly aligned with a rich area R&D at Galois that is seeing a lot of attention from the U.S. Government.

**Technical Next Steps.** On the technical side of things, the implementation of the RTS does not wholly conform to our original, ambitious, plans for demonstrating heterogeneous, independent high-assurance implementations.

While the RTS is fault tolerant and does fulfill all core RFP requirements and IEEE characteristics, the three core implementation (which was meant to demonstrate diversity and fault tolerance at the hardware compute level) of the RTS's System-on-Chip (SoC) is not complete. The single core version is complete and demonstrable.

We also intended to demonstrate multiple, heterogeneous techniques for interfacing with sensors and actuators (software and hardware device drivers),

<sup>&</sup>lt;sup>1</sup>In fact, some of this work has already begun outside of the remit of this project with Dr. John Hatcliff and Dr. Robby at Kansas State University.

but those components, too, are not complete. Only single drivers have been experimented with in the FPGA-based demo.

The SoC has seen only lightweight exercising and runtime testing. No model-based testing or formal assurance of the SoC has been completed.

Multiple other projects and agencies have expressed an interest in reusing or extending this line of work. We hope to build on top of this foundation for the NRC, and we expect that, at least, DARPA will be using the RTS as a case study in teaching about, and R&D on, RDE.

**Non-Technical Next Steps.** On the non-technical side of things, there is work to do on matters related to the MBE market, MBE adoption, statues and rule-making around MBE, and more.

A part of the reason for the small market for high-assurance components or subsystems for NPPs are perceived or actual barriers to entry. If such barriers can be lowered by making licensing easier through clear guidance for modern digital I&C design techniques, such as those demonstrated in this project, then a marked market shift could occur.

# Bibliography

- [1] John M. Borky and Thomas H. Bradley. Effective Model-Based Systems Engineering. Springer, 2018.
- [2] Peter H. Feiler and David P. Gluch. Model-Based Engineering with AADL: An Introduction to the SAE Architecture Analysis & Design. Addison-Wesley, 2012.
- [3] Tim Weilkiens et al. Model-Based System Architecture. Wiley, 2022.

## Appendix A

## Lando Models

### A.1 Top-level RTS Domain Engineering Model Structure

Listing A.1: Lando model of the top-level design.

```
// title: Reactor Trip System high, assurance demonstrator.
       // project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
      // copyright (C) 2021 Galois
      // author: Joe Kiniry <kiniry@galois.com>
     | system Reactor Trip System (RTS)( RTS (?? on page ??), RTS (line 224 on page 156), RTS (line 19 on page 137))
| The overall shape of the Reactor Trip System (RTS) is an archetypal
                                                                                           RTS (?? on page ??), RTS
      *sense,compute,actuate* architecture. Sensors are in the 'Sensors'
      subsystem. They are read by the 'Instrumentation' subsystem, which
      contains four separate and independent 'Instrumentation'
       components. The "Compute" part of the architecture is spread across
      the 'Actuation Logic' subsystem, which contains the two 'Voting'
       components which perform the actuation logic itself, and the 'Root
       subsystem which contains the core computation and I/O components, and
      the two separate and independent devices that drive actuators.
     subsystem RTS Architecture (Architecture) ( Architecture (line 26 on page 137),
Architecture (line 7 on page 152), Architecture (line 136 on page 143))
17
      This RTS architecture specification includes all of the core
       concepts inherent to NPP Instrumentation and Control systems.
       A system architecture specification often includes a software,
      hardware, network, and data architecture specifications
     subsystem RTS Hardware Artifacts (Hardware) ( Hardware (line 191 on page 144),
Hardware Artifacts (line 5 on page 146), Hardware (?? on page ??), Hardware (?? on page ??))

| Hardware Artifacts (?? on page ??))
24
25
     The physical hardware components that are a part of the HARDENS RTS
\tilde{2}\tilde{6}
     | subsystem RTS Implementation Artifacts (Implementation)( Artifacts (line 30 on page 137), Artifacts (line 1 on page 147))
| A summary of the tools, technologies, specifications, and implementations
28
      relevant to this high, assurance demonstrator's development and assurance.
| subsystem RTS Requirements (Requirements)( Requirements (line 5 on page 149), Requirements (line 12 on page 149), Requirements (line 31 on page 137))
| All requirements that the RTS system must fulfill, as driven by the
```

```
| IEEE 603,2018 standards and the NRC RFP.
     subsystem RTS Properties (Properties) (\sqsubseteq Properties (line 5 on page 148), Properties
           (line 32 on page 137))
36
    All correctness and security properties of the RTS system are
37
     specified in this subsystem.
38
     subsystem IEEE Std 603,2018 Characteristics (Characteristics)(

on page 149), Characteristics (line 34 on page 138), Characteristics
                                                                                                 (line 27
           on page 149), page 139))
                            Characteristics (line 34 on page 138),
                                                                                               (line 5 on
     The IEEE 603,2018 requirements (known as "characteristics" in
     the standard) which the RTS demonstrator system must fulfill.
     relation RTS (line 6) contains Architecture (line 17)
     relation RTS (line 6) contains Hardware (line 23)
     relation RTS (line 6) contains Properties (line 35)
     relation RTS (line 6) contains Characteristics (line 39)
```

#### A.2 Project Acronyms

Listing A.2: Lando model of the Acronyms.

```
subsystem Proposal Acronyms (Acronyms)
     A list of words formed by combining the initial letters of a multipart name.
 345
     // Source: Frama.C website
     component ISO ANSI C Specification Language (ACSL)
 6
     The ANSI/ISO C Specification Language (ACSL) is a behavioral specification language for C
           → programs.
 \gamma
 8
     /\!/ Source: \ https://csrc.nist.gov/glossary/term/Application\_Programming\_Interface
     component Application Programming Interface (API)
10
     A system access point or library function that has a well, defined syntax and
11
     is accessible from application programs or user code to provide well, defined functionality.
12
     component Application, Specific Integrated Circuit (ASIC) ( ASIC (line 216 on page 144))
14
15
     Custom, designed and/or custom, manufactured integrated circuits.
16
17
     component Commercial Off The Shelf (COTS)
     Software and hardware that already exists and is available from commercial sources.
18
19
     component Central Processing Unit (CPU) ( CPU (line 15 on page 147), CPU (line 206 on
    page 144))
A CPU is the electronic circuitry that executes instructions comprising a computer program.
20
21
22
23
24
25
26
27
28
29
31
32
33
35
36
     component Continuous Verification (CV)(\sqsubseteq CV (line 154 on page 143))
     component Communicating Sequential Processes (CSP)
     component Digital Engineering (DE)
     component Digital Instrumentation \& Control (diandc)
     component Defense Industrial Base (DIB)
     component Department of Defense (DoD)
     component Domain Specific Language (DSL)
     component Electronic Design Automation (EDA)
     component Field Programmable Gate Array (FPGA)(☐ FPGA (?? on page ??), FPGA
           (line 228 on page 144))
```

```
component Gnu Compiler Collection (GCC)
      component Government Furnished Equipment (GFE)
      component Galois Low, energy Asynchronous Secure SoC for Computer Vision (GLASS,CV)
       component General Purpose I/O (GPIO)(☐ GPIO (line 218 on page 144))
       component High, Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
       component Hardware Description Language (HDL)(☐ HDL (line 201 on page 144))
      component Hash, based Message Authentication Code (HMAC)
      component Higher,Order Logic (HOL)
      component Hardware Security Module (HSM)
      component Intelligence Community (IC)
 60
      component Integrated Development Environment (IDE)
 61
62
      component Intellectual Property (IP)
 63
 64
65
      component Instruction Set Architecture (ISA)
 66
      component Intermediate Representation (IR)(☐ IR (line 183 on page 144))
 67
 68
      component Java Modeling Language (JML)
 69
70
71
72
73
74
75
76
77
78
79
      component Low Level Virtual Machine (LLVM)(☐ LLVM (line 184 on page 144))
      component Model, Based Engineering (MBE)
      component Model, Based Systems Engineering (MBSE)
      component Natural Language Processing (NLP)
      component Nuclear Regulatory Commission (NRC)
 80
81
      component National Security Agency (NSA)
 82
83
84
85
86
87
      component Nuclear Power Plant (NPP)
      component Object Constraint Language (OCL)
      component Open Systems Architecture (OSA)
 88
      component Power Performance Area and Security (PPAS)
 89
90
      component Rigorous Digital Engineering (RDE)
 91
 92
      component Register Transfer Level (RTL)(☐ RTL (line 28 on page 147))
 93
 94
      component Reactor Trip System (RTS)( RTS (?? on page ??), RTS (line 224 on page 156), RTS (line 19 on page 137))
                                                                         RTS (?? on page ??),
 95
 96
97
      component Software Analysis Workbench (SAW)
      component Safety Critical Application Development Environment (SCADE)
 99
100
      component Secure Hash Algorithm (SHA)
101
102
      component Satisfiability Modulo Theories (SMT)
103
104
      component Secret Ninja Formal Methods (SNFM)
```

```
105
106
      component Statement of Work (SoW)
107
107
108
109
110
111
      component SystemVerilog (SV)(☐ SystemVerilog (line 203 on page 144))
      component SystemVerilog Assertions (SVA)
112
       component Size Weight and Power (SWaP)(☐ SWaP
                                                         (line 192 on page 144))
113
114
115
       component System Modeling Language (SysML)
116
117
118
119
       component System, on, Chip (SoC)
      component System Security Integration Through Hardware and Firmware (SSITH)
120
121
122
      component User Interface (UI)
      component Unified Modeling Language (UML)
123
124
125
126
127
128
      component Universal Serial Bus (USB)(☐ USB (line 225 on page 144))
      component United States Government (USG)
      component Unified Theories of Programming (UTP)
129
130
131
132
133
134
135
      component Universal Verification Methodology (UVM)
      component User eXperience (UX)
      136
137
      component Vienna Development Method (VDM)
138
      component Very High Speed Integrated Circuit (VHSIC)
139
      component VHSIC Hardware Description Language (VHDL)
```

### A.3 System Architecture

architecture.lando

Listing A.3: Lando model of the architecture.

```
// Architecture
 23
     subsystem RTS System Architecture (RTS_System_Arch) ( RTS_System_Arch (line 19 on
     subsystem Root(☐ Root (?? on page ??))
 \frac{6}{7}
     component Core Finite State Machine (CFSM)(☐ CFSM (?? on page ??))
10
11
12
     component Programming I/O (Programming_IO)(☐ Programming_IO (?? on page ??))
13
14
15
     component UI I/O (UI_IO)(☐ UI_IO (?? on page ??))
16
     component Debugging I/O (Debugging_IO)(☐ Debugging_IO (?? on page ??))
17
     inherit IO
18
     subsystem Actuation Logic(☐ Actuation_Logic (?? on page ??))
```

```
component Voting 1(☐ Voting (line 254 on page 145))
23
       component Voting 2(☐ Voting (line 254 on page 145))
24
25
      component Actuator 1(\sqsubseteq Actuator (line 196 on page 155), Actuator (line 222 on page 144), Actuator (?? on page ??))
26
       component Actuator 2(\sqsubseteq Actuator (line 196 on page 155), Actuator (line 222 on page 144), Actuator (?? on page ??))
27
28
29
       subsystem Computation(☐ Computation (?? on page ??))
30
       component RISC, V CPU 1(☐ RISC-V CPU
31
                                                           (?? on page ??))
32
33
34
35
       component RISC, V CPU 2(☐ RISC-V CPU
                                                           (?? on page ??))
       component RISC, V CPU 3(□ RISC-V CPU (?? on page ??))
36
37
      subsystem Hardware (\subseteq Hardware (?? on page ??), Hardware (line 191 on page 144), Hardware (line 28 on page 137))
39
       subsystem FPGA(☐ FPGA (?? on page ??), FPGA (line 228 on page 144))
40
41
42
43
       component Lattice ECP,5 FGPA Development Board(☐ DevBoard (line 26 on page 146))
      subsystem Actuators ( actuator 2 (line 273 on page 156), Actuator page 144), actuator 1 (line 272 on page 156), Actuator 1 (?? Actuator 2 (?? on page ??), Actuator (line 196 on page 155), page ??), Actuators (?? on page ??))
                                                                                                          (line 222 on
       component Actuator 1(☐ Actuator (line 196 on page 155), Actuator (line 222 on
              page 144), Actuator (?? on page ??))
46
47
       component Actuator 2(\sqsubseteq Actuator (line 196 on page 155), Actuator (line 222 on page 144), Actuator (?? on page ??))
48
49
      subsystem Sensors(☐ Sensor
                                               (line 219 on page 144), Sensors (?? on page ??), Sensor
              (line 21 on page 152))
50
      component Temperature Sensor 1(☐ Temperature Sensor (?? on page ??), Temperature Sensor (line 220 on page 144), Temperature Sensor (line 59 on page 153))
51
52
component Temperature Sensor 2( Temperature Sensor (?? on page ??), Temperature Sensor (line 220 on page 144), Temperature Sensor (line 59 on page 153))
54
55
       component Pressure Sensor 1(☐ Pressure Sensor (line 83 on page 153), Pressure Sensor (?? on page ??), Pressure Sensor (line 221 on page 144), PressureSensor (?? page ??), PressureSensor (line 73 on page 153))
      component Pressure Sensor 2( Pressure Sensor (line 83 on page 153), Pressure Sensor (?? on page ??), Pressure Sensor (line 221 on page 144), PressureSensor (?? page ??), PressureSensor (line 73 on page 153))
58
     59
              page ??),
page ??))
60
61 component Instrumentation 1( Instrumentation (?? on page ??), Instrumentation (? on page ??), Instrumentation (?? on page ??))

CO | page ??))
62
63 component Instrumentation 2( Instrumentation (?? on page ??), Instrumentation on page ??), Instrumentation (? on page ??), Instrumentation (? page ??))
      component Instrumentation 3( Instrumentation (?? on page ??), Instrumentation (?' on page ??), Instrumentation (ine 100 on page 154), Instrumentation (?? on page ??))
                                                                                                                              (??
66
67 component Instrumentation 4(\sqsubseteq Instrumentation (?? on page ??), Instrumentation (??
```

```
on page ??), Instrumentation (line 100 on page 154), Instrumentation (?? on page ??))
68
69
     // Top, level subsystems.
70
    relation RTS_System_Arch (line 3) contains Root (line 5)
    relation RTS_System_Arch (line 3) contains Actuation Logic (line 19)
     relation RTS_System_Arch (line 3) contains Computation (line 29)
     relation RTS_System_Arch (line 3) contains Hardware (line 37)
     relation RTS_System_Arch (line 3) contains Instrumentation (line 59)
     // Nested subsystems.
     relation Hardware (line 37) contains FPGA (line 39)
78
79
     relation Hardware (line 37) contains Actuators (line 43)
     relation Hardware (line 37) contains Sensors (line 49)
80
81
     // Client, supplier relations.
     relation Root (line 5) client Actuation Logic (line 19)
83
     relation Root (line 5) client Computation (line 29)
     relation Computation (line 29) client Hardware (line 37)
    relation Actuation Logic (line 19) client Hardware (line 37)
     relation Instrumentation (line 59) client Hardware (line 37)
    relation Instrumentation (line 59) client Actuation Logic (line 19)
     relation Actuation Logic (line 19) client Instrumentation (line 59)
```

#### A.4 System Dataflow

Listing A.4: Lando model of the dataflow.

```
1 subsystem RTS Implementation Artifacts (Artifacts)(☐ Artifacts
                                                                        (line 30 on page 137),
          Artifacts
                      (line 1 on page 147))
   component Cryptol System Specification (CryptolSpec) ( CryptolSpec (line 257 on
          page 145))
    A specification of a model written in the Cryptol domain, specific
    language (DSL), either as Literate Cryptol, which can be Cryptol
     embedded in Markdown or LaTeX, or plain Cryptol. Cryptol is a strongly
     typed, functional DSL for specifying and reasoning about bit, level
     algorithms and their correctness properties and is mainly used to
     specify cryptographic algorithms. See https://crypto.net/ for more
     information.
11
     component Cryptol Software Compiler (CryptolToC)(☐ CryptolToC (line 7 on page 147))
     \hbox{\tt Multiple versions of a Cryptol software compiler exist which can}\\
14
15
     compile different subsets of the Cryptol language into implementations
     and test benches written in the C, Java, and LLVM languages.
16
17
    component Cryptol Hardware Compiler (CryptolToSystemVerilog) (☐ CryptolToSystemVerilog
          (line 11 on page 147))
18
    Multiple versions of a Cryptol hardware compiler exist which can
19
     compile different subsets of the Cryptol language into implementations
     and test benches written in the VHDL, Verilog, and SystemVerilog.
21
22
     component Software Implementation (Software)(☐ Software (line 267 on page 145))
23
     component Hand, written Software Implementation (SWImpl) (\sqsubseteq HWImpl (line 274 on page 145),
                   (line 269 on page 145))
          SWImpl
25
     inherit Hand, written Software
26
27
     component Synthesized Software Implementation (SynthSW) ( SynthHW (line 275 on page 145),
     SynthSW (line 271 on page 145)) inherit Machine,generated Software
```

```
30 | component Hardware Implementation (Hardware) (\sqsubseteq Hardware (line 191 on page 144),
           Hardware (line 28 on page 137), Hardware (?? on page ??), Implementation (line 273 on page 145))
31
| component Hand, written Hardware Implementation (HWImpl)( HWImpl (line 274 on page 145), | SWImpl (line 269 on page 145))
33
    inherit Hand, written Hardware
     component Synthesized Hardware Implementation (SynthHW)(\sqsubseteq SynthHW (line 275 on page 145),
     SynthSW (line 271 on page 145)) inherit Machine, generated Hardware
36
37
38
     component COTS High,Assurance RV32I RISC,V CPU (CPU)(☐ CPU (line 15 on page 147), CPU
           (line 206 on page 144))
39
     component CompCert Compiler (CompCert)(☐ CompCert (line 16 on page 147))
     component Bluespec Compiler (BSC)(☐ BSC (line 20 on page 147))
     component SymbiFlow Synthesizer (SymbiFlow)(☐ SymbiFlow (line 24 on page 147))
     component Software Binaries (Binaries)( Binary (line 276 on page 145))
     component Demonstrator Verilog (RTL)(☐ RTL (line 28 on page 147))
     component FPGA Bitstream (Bitstream) (□ Bitstream (line 284 on page 145))
    subsystem Dataflow of RTS Implementation Artifacts (Dataflow) ( Dataflow (line 30 on
           page 147))
53
54
55
56
57
58
59
     This specification, which comes from the Galois HARDENS proposal,
     describes the relationships between various levels of specifications,
     implementations, and assurance artifacts for the HARDENS demonstrator.
     indexing
      proposal_figure: 3
       figure_name: Dataflow of RTS Implementation Artifacts.
60
     relation CryptolToC (line 12) client CryptolSpec (line 3)
61
     relation CryptolToSystemVerilog (line 17) client CryptolSpec (line 3)
62
     relation SynthSW (line 27) client CryptolToC (line 12)
     relation SynthHW (line 35) client CryptolToSystemVerilog (line 17)
     relation SynthHW (line 35) client BSC (line 42)
67
68
     relation CompCert (line 40) client SynthSoftImpl
     relation CompCert (line 40) client SoftImpl
70
71
72
73
74
75
76
77
78
     relation BSC (line 42) inherit Compiler
     relation BSC (line 42) client HWImpl (line 32)
     relation SymbiFlow (line 44) client SynthHW (line 35)
     relation SymbiFlow (line 44) client CPU (line 38)
     relation Binaries (line 46) client CompCert (line 40)
     relation RTL (line 48) client SymbiFlow (line 44)
     relation RTL (line 48) contains Soft, core RISC, V CPU
     relation Bitstream (line 50) contains SynthHW (line 35)
     relation Bitstream (line 50) contains CPU (line 38)
     relation Bitstream (line 50) client SymbiFlow (line 44)
```

### A.5 System Events

#### Listing A.5: Lando model of the Events.

```
// Events are (seemingly, atomic, from the point of view of an external
     // observer) interactions/state.transitions of the system. The full
     // set of specified events characterizes every potential externally
     // visible state change that the system can perform.
 456789
     // External input actions are those that are triggered by external input on UI.
     events Demonstrator External Input Actions
     Manually Actuate Device
     The user manually actuates a device.
     Select Operating Mode
13
     The user puts an instrumentation division in or takes a division out of 'maintenance' mode.
14
15
     Perform Setpoint Adjustment
16
     The user adjusts the setpoint for a particular channel in a particular division in
          → maintenance mode.
17
18
     Configure Bypass of an Instrument Channel
19
     The user sets the mode of the channel of an instrumentation division to either bypass or
           → normal mode.
20
21
     Configure Active Trip Output State of an Instrument Channel
22
     The user sets the mode of the channel of an instrumentation division to either trip or
          → normal mode.
24
25
     // state change, which is, in turn, sometimes prompted by external input
26
27
28
29
     // actions.
     events Demonstrator External Output Actions
     Display Pressure (☐ Display Pressure (line 62 on page 139))
30
     The UI displays the current pressure reading for an instrumentation division.
     Display Temperature (☐ Display Temperature (line 63 on page 139))
     The UI displays the current temperature reading for an instrumentation division.
34
35
36
37
     Display Saturation Margin(☐ Display Saturation Margin (line 64 on page 139))
     The UI displays the current saturation margin reading for an instrumentation division.
38
     Display Trip Output Signal State
39
     The UI displays the current trip signal output for a particular channel and instrumentation

→ division.

40
41
     Display Indication of Channel in Bypass(\sqsubseteq Display Indication Of Channel in Bypass
           (line 66 on page 139))
42
    The UI displays the current bypass mode for a particular channel and instrumentation

→ division.

43
44
45
47
48
     // Internal actions are those that are not triggered by external input on UI.
     events Demonstrator Internal Actions
     Trip on High Pressure
     An instrumentation division reads a pressure sensor value that exceeds its setpoint and

→ generates a trip output.

\frac{49}{50}
     Trip on High Temperature
     An instrumentation division reads a temperature sensor value that exceeds its setpoint and
           \hookrightarrow generates a trip output.
52
53
     Trip on Low Saturation Margin
54
55
     An instrumentation division reads temperature and pressure values such that the
     saturation margin is below its setpoint and generates a trip output.
56
     Vote on Like Trips using Two,out,of,four Coincidence(☐ Vote (line 15 on page 138))
```

```
An actuation unit reads two like trip inputs and generates the corresponding automatic

→ actuation signal.

Automatically Actuate Device(□ A (line 19 on page 138))

An actuation unit generates an automatic actuation signal and sends it to the corresponding

→ device.

Self,test of Safety Signal Path(□ T (line 22 on page 138))

The RTS simulates inputs to a pair of instrumentation divisions and checks the corresponding

→ actuation signals.
```

#### A.6 Project Glossary

Listing A.6: Lando model of the glossary.

```
subsystem Proposal Glossary (Glossary)( Glossary
                                                          (line 10 on page 141))
 2
     A list of often difficult or specialized words with their definitions, often placed at the
           → back of a book.
    component Behavioral Interface Specification Language (BISL) ( BISL (1ine 22 on
 4
          page 141))
    A formal, state, based specification language that focuses on the
     specification of the interfaces of discrete modules in a system, and
     often times includes model, based specification constructs to improve
     usability and expressivity.
     component BlueCheck(☐ BlueCheck (line 17 on page 141))
     A property, based testing framework for components written in Bluespec
    SystemVerilog that uses some of the design patterns and ideas from the
13
     QuickCheck.
14
15
     component Coq(\sqsubseteq Coq (line 24 on page 141))
16
     Coq is an interactive theorem prover first released in 1989. It allows
     for expressing mathematical assertions, mechanically checks proofs of
     these assertions, helps find formal proofs, and extracts a certified
     program from the constructive proof of its formal specification. Coq
     works within the theory of the calculus of inductive constructions, a
     derivative of the calculus of constructions. Coq is not an automated
     theorem prover but includes automatic theorem proving tactics
     (procedures) and various decision procedures.
     component Cryptol( ☐ Cryptol (line 25 on page 141))
     Cryptol is a domain specific programming language for cryptography
     developed by Galois. The language was originally developed for use by
     the United States National Security Agency. The language is also used
     by private firms that provide information technology systems, such as
     Amazon and defense contractors in the United States. The programming
     language is used for all aspects of developing and using cryptography,
     such as the design and implementation of new ciphers and the
     verification of existing cryptographic algorithms.
     component DevSecOps(☐ DevSecOps
                                        (line 26 on page 141))
    The use of tools in a user's local and remote design, development,
     validation, verification, maintenance, and evolution environments that
     facilitate the automatic and continuous evaluation by static and
     dynamic means of a system/subsystem/component's behavioral (e.g.,
     safety and correctness) and non, behavioral (e.g., well, formedness and
     security) properties.
    component Digital Instrumentation and Control Systems (DIANDC)(\sqsubseteq DIANC
                                                                               (line 27 on
    page 141)) One of several types of control systems and associated instrumentation
     used for industrial process control. Such systems can range in size
```

```
46
47
48
49
51
52
      from a few modular panel, mounted controllers to large interconnected
      and interactive distributed control systems with many thousands of
      field connections. Systems receive data from remote sensors measuring
      process variables (PVs), compare the collected data with desired
      setpoints (SPs), and derive command functions which are used to
      control a process through the final control elements (FCEs), such as
      control valves.
 53
     component Formal Requirements Elicitation Tool (FRET) ( FRET (line 31 on page 141),
      FRET (line 51 on page 150))
The NASA Formal Requirements Elicitation Tool is used to make writing,
 55
 56
57
      understanding, and debugging formal requirements natural and
      intuitive.
 58
 59
      component PVS(☐ PVS (line 41 on page 141))
 60
      A specification language integrated with support tools and an
      automated theorem prover, developed at the Computer Science Laboratory
      of SRI International. PVS is based on a kernel consisting of an
      extension of Church's theory of types with dependent types, and is
      fundamentally a classical typed higher, order logic.
 66
      component RISC.V
      RISC,V (pronounced "risk,five") is an open standard instruction set
 67
      architecture (ISA) based on established reduced instruction set
      computer (RISC) principles. Unlike most other ISA designs, the RISC,V
      ISA is provided under open source licenses that do not require fees to
      use. A number of companies are offering or have announced RISC,V
      hardware, open source operating systems with RISC,V support are
      available and the instruction set is supported in several popular
      software toolchains.
 76
77
78
79
80
      component Requirements State Modeling Language (RSML)(\sqsubseteq RSML (line 53 on page 141))
      A formal specification language that uses hierarchical finite state
      machines to specify system requirements.
      component SAT(☐ SAT (line 58 on page 141))
      The Boolean satisfiability problem (sometimes called propositional
      satisfiability problem and abbreviated SAT) is the problem of
      determining if there exists an interpretation that satisfies a given
 84
85
      Boolean formula.
      component SAWscript(☐ SAWscript (line 61 on page 141))
 87
88
      The proof script language is used to specify the assumptions and proof
      goals of formal verifications to the SAW tool.
 89
 90
91
      component soft, core
      A CPU or SoC that is implemented in an HDL and synthesized to a
 92
93
      bitstream and loaded onto an FPGA.
 94
95
      component SPARK(☐ SPARK (line 74 on page 142))
      A formally defined computer programming language based on the Ada
      programming language, intended for the development of high integrity
      software used in systems where predictable and highly reliable
 98
      operation is essential. It facilitates the development of applications
 99
      that demand safety, security, or business integrity.
100
101
      component SpeAR(☐ SpeAR (line 77 on page 142))
102
      An integrated development environment for formally specifying and
103
      rigorously analyzing requirements.
104
105
      component Verifier for Concurrent C (VCC)(☐ VCC (line 84 on page 142))
106
      VCC is a program verification tool that proves correctness of
      annotated concurrent {\tt C} programs or finds problems in them. {\tt VCC} extends
108
      \ensuremath{\mathtt{C}} with design by contract features, like pre, and postcondition as
109
      well as type invariants. Annotated programs are translated to logical
110
      formulas using the Boogie tool, which passes them to an automated {\tt SMT}
111 | solver Z3 to check their validity.
```

```
112
113
      component Verified Software Toolchain (VST)(☐ VST (line 92 on page 142))
114
115
      A software toolchain that includes static analyzers to check
      assertions about a {\tt C} program; optimizing compilers to translate a {\tt C}
116
117
      program to machine language; and operating systems and libraries to % \left( 1\right) =\left( 1\right) \left( 1\right) 
      supply context for the C program. The Verified Software Toolchain
118
      project assures with machine, checked proofs that the assertions
119
      claimed at the top of the toolchain really hold in the
120
      machine, language program, running in the operating, system context.
121
122
      component Refinement(☐ Refinement (line 95 on page 142))
123
124
125
      component Property(☐ Property (line 96 on page 142))
126
      component Safety Property(☐ Safety Property (line 97 on page 142))
127
      inherit Property
128
129
       component Correctness Property(☐ Correctness Property (line 98 on page 142))
130
131
132
      component Security Property(☐ Security Property (line 99 on page 142))
133
      inherit Property
134
135
      component Model(☐ Model (line 100 on page 142))
136
137
      component Semi, Formal Model(☐ Semi-Formal Model (line 101 on page 142))
138
      inherit Model
139
      component Formal Model(☐ Formal Model (line 102 on page 142))
140
141
142
143
144
145
146
147
149
150
      component Consistent(☐ Consistent (line 103 on page 142))
      inherit Property
      component Complete(☐ Complete (line 104 on page 142))
      inherit Property
      component Consistent Model(☐ Consistent Model (line 105 on page 142))
      inherit Model Consistent
151
152
       component Complete Model(☐ Complete Model (line 106 on page 142))
153
154
155
      inherit Model Complete
      component Requirement(☐ Requirement (line 121 on page 142))
156
157
158
159
      component Scenario(☐ Scenario (line 122 on page 142))
      component Product(☐ Product (line 123 on page 142))
160
      component Product Line(☐ Product Line (line 124 on page 142))
161
162
163
      component Configure(☐ Configure (line 125 on page 142))
164
165
      component DOORS(☐ DOORS (line 126 on page 142))
166
167
      component Clafer(☐ Clafer (line 127 on page 142))
168
169
170
      component Lobot( Lobot (line 128 on page 142))
\begin{array}{c} 171 \\ 172 \end{array}
      component Lando
173
      component Denotational(☐ Denotational (line 108 on page 142))
174
175
      component Operational(☐ Operational (line 109 on page 142))
176
      component Semantics (☐ Semantics (line 110 on page 142))
```

```
component Risk(☐ Risk (line 146 on page 143))
180
181
182
183
184
185
      component Power(☐ Power (line 147 on page 143))
      component Resource (☐ Resource (line 148 on page 143))
       component Reliability(☐ Reliability (line 149 on page 143))
186
187
       component Rigorous (☐ Rigorous (line 114 on page 142))
188
      A specification that has a precise, unambiguous, formal semantics
189
      grounded in real world formal foundations and systems engineering
190
      artifacts, such as source code and hardware designs.
191
192
      component Collaborative Development Environment (CDE)(\subseteq CDE (line 152 on page 143))
193
194
195
      component Continuous Integration (CI)(☐ CI (line 153 on page 143))
196
      component Continuous Verification (CV)(☐ CV (line 154 on page 143))
197
198
      component Analyzer(☐ Analyzer (line 155 on page 143))
199
200
       component Static Analyzer(☐ Static Analyzer (line 156 on page 143))
201
      inherit Analyzer
202
203
      component Dynamic Analyzer(☐ Dynamic Analyzer (line 157 on page 143))
204
205
      inherit Analyzer
\tilde{206}
      component Finite State Machine (FSM)(☐ FSM (line 129 on page 143))
207
208
      component Deterministic(☐ Deterministic (line 115 on page 142))
209
210
      component Non,deterministic(□ Non-deterministic (line 116 on page 142))
211
212
      component Deterministic Finite State Machine (DFSM) (□ DFSM (line 130 on page 143))
213
      inherit FSM Deterministic
214
215
       component Non,deterministic Finite State Machine (NFSM)(☐ NFSM (line 132 on page 143))
216
217
      inherit FSM Non, deterministic
218
      component Abstract State Machine (ASM)(☐ ASM (line 134 on page 143))
219
      inherit FSM
220
221
      component Design(☐ Design (line 135 on page 143))
222
      component Architecture ( Architecture ( 1 ine 26 on page 137), Architecture ( 1 ine 7 on page 152), Architecture ( 1 ine 136 on page 143))
223
224
225
      component Specification(☐ Specification (line 137 on page 143))
226
227
       component Architecture Specification( Architecture Specification (line 138 on page 143))
228
      inherit Specification
\tilde{2}\tilde{2}\tilde{9}
230
      component Solver(☐ Solver (line 158 on page 143))
231
232
232
233
234
      component Formal Method (FM)(☐ FM (line 117 on page 142))
      component Logical Framework (LF)( LF (line 159 on page 143))
235
236
      component Programming Language (PL) ( PL (line 26 on page 151), PL (line 178 on
           page 143))
237
238
      component Specification Language ( Specification Language (line 164 on page 143))
239
240
241
      component Protocol(☐ Protocol (line 165 on page 143))
      component System Specification ( System Specification (line 166 on page 143))
```

```
243
244
245
246
247
248
249
      | inherit Specification
       component Hand, written(☐ Hand-written (line 167 on page 143))
       component Machine,generated(☐ Machine-generated (line 168 on page 143))
       component Source, level Specification Language ( \sqsubseteq Source-level Specification Language ( line 169 on page 143))
250
     | inherit Specification Language
251
252
       (line 171 on page 143))
| inherit Specification Language
253
254
255
       component System(☐ System (line 139 on page 143))
256
257
       component Distributed System(☐ Distributed System (line 140 on page 143))
258
       inherit System
\tilde{259}
260
       component Concurrent System(☐ Concurrent System (line 141 on page 143))
261
       inherit System
262
263
       component Cryptographic Protocol(☐ Cryptographic Protocol (line 174 on page 143))
\begin{array}{c} 264 \\ 265 \end{array}
266
       component Cryptographic Algorithm (☐ Cryptographic Algorithm (line 175 on page 143))
267
268
       component I/O (IO)(\sqsubseteq IO (line 217 on page 144))
269
270
271
       component General Purpose I/O (GPIO)(☐ GPIO (line 218 on page 144))
       inherit IO
272
273
       component Sensor(☐ Sensor
                                       (line 219 on page 144), Sensors (?? on page ??), Sensor
             (line 21 on page 152))
274
275
      component Actuator(\sqsubseteq actuator2 (line 273 on page 156), Actuator (page 144), actuator1 (line 272 on page 156), Actuator1 (?? Actuator2 (?? on page ??), Actuator (line 196 on page 155), page ??), Actuators (?? on page ??))
                                                                       Actuator (line 222 on tuator1 (?? on page ??), on page 155), Actuator (?? on
276
277
278
       component Solenoid(☐ Solenoid (line 223 on page 144))
       inherit Actuator
279
280
       component Compiler (☐ Compiler (line 185 on page 144))
281
282
       component Synthesizer (☐ Synthesizer (line 200 on page 144))
283
284
285
       component Universal Serial Bus (USB)(☐ USB (line 225 on page 144))
286
       component LED(☐ LED (line 226 on page 144))
287
288
       component Cable(☐ Cable (line 227 on page 144))
289
290
       component Program(☐ Program (line 143 on page 143))
291
292
       component Bitstream(☐ Bitstream (line 284 on page 145))
293
294
      component Field, Programmable Gate Array (FPGA)(☐ FPGA (?? on page ??), FPGA
             (line 228 on page 144))
295
296
       component ECP,5(☐ ECP-5 (line 229 on page 144))
297
       inherit FPGA
298
299
       component Printed Component Board (PCB) ( PCB (line 230 on page 144))
300
301
       component Connector(☐ Connector (line 214 on page 144))
302
303 | component USB Connector(□ USB Connector (line 233 on page 144))
```

```
component USB Mini Connector (USB,Mini)(☐ USB_Mini (line 234 on page 144))
306
      inherit USB Connector
307
308
309
      component High, Assurance (☐ High-Assurance (line 160 on page 143))
310
311
      component C(☐ C (line 180 on page 143))
312
313
      component PMOD(☐ PMOD (line 235 on page 144))
314
315
      component JTAG(☐ JTAG (line 236 on page 144))
316
      component Driver(☐ Driver (line 237 on page 144))
317
318
      component Voting(☐ Voting (line 254 on page 145))
319
320
      component UCB Cable(☐ USB Cable (line 245 on page 145))
321
      inherit USB Cable
322
323
      component Output LED(☐ Output LED (line 16 on page 146))
324
```

#### A.7 System Hardware

Listing A.7: Lando model of the system hardware.

```
1 subsystem RTS Hardware Artifacts( RTS Hardware Artifacts (line 5 on page 146),
Hardware (line 28 on page 137), RTS Hardware Artifacts (?? on page ??))

The physical hardware components that are a part of the HARDENS RTS
     demonstrator.
     component USB Cable(☐ USB Cable (line 245 on page 145))
     A normal USB cable.
     What kind of USB connector is on the start of the cable?
 .
8
9
     What kind of USB connector is on the end of the cable?
10
     relation USB Cable (line 5) inherit USB, Cable
11
12
     component SERDES Test SMA Connectors (J9,J26)( SERDES Test SMA Connector (line 10 on
           page 146))
13
    component Parallel Config Header (J38) ( Parallel Config Header (line 11 on page 146),
14
            J38 (line 28 on page 146))
15
16
     component Versa Expansion Connectors (J39, J40)( Versa Expansion Connector (line 12 on
           page 146))
17
18
     component SPI Flag Configuration Memory (U4)(\sqsubseteq SPI Flag Configuration Memory (line 13 on page 146), U4 (line 30 on page 146))
           page 146),
19
20
     component CFG Switches (SW1)(□ SW1 (line 31 on page 146))
21
     component Input Switches (SW5)(☐ Input Switch (line 15 on page 146), SW5 (line 32 on
22
           page 146))
23
24
25
26
      component Output LEDs (D5,D12)(☐ Output LED (line 16 on page 146))
      component Input Push Buttons (SW2,SW4)(☐ Input Push Button (line 17 on page 146))
27
28
     component 12 V DC Power Input (J37)
30
      component GPIO Headers (J32, J33)( GPIO Headers (line 19 on page 146))
```

```
32 | component PMOD/GPIO Header (J31)(☐ PMOD/GPIO Header (line 20 on page 146),
            (line 37 on page 146))
33
34
     component Microphone Board/GPIO Header (J30)( Microphone Board/GPIO Header (line 21 on
            page 146), J30 (line 38 on page 146))
35
36
     component Prototype Area (☐ Prototype Area (line 39 on page 146))
37
38
     component ECP5,5G Device (U3)( ECP5-5G Device (line 22 on page 146), U3 (line 40 on
            page 146))
39
40
     component JTAG Interface (J1)( JTAG Interface (line 24 on page 146), J1 (line 41 on
            page 146))
41
42
      component Mini USB Programming (J2)( Mini USB Programming (line 25 on page 146), J2
            (line 42 on page 146))
43
44
45
      component Lattice ECP,5 FPGA Development Board (Board)(☐ DevBoard (line 26 on page 146))
     component Temperature Sensor( Temperature Sensor (?? on page ??), Temperature Sensor (line 59 on page 153))

A sensor that is capable of measuring the temperature of its environment.
46
                                                                                           Temperature Sensor
47
48
49
50
     What is your temperature reading in Celsius (C)?
     component Pressure Sensor( Pressure Sensor (1ine 83 on page 153), Pressure Sensor (?? on page ??), Pressure Sensor (1ine 221 on page 144), PressureSensor (? page ??), PressureSensor (1ine 73 on page 153))
     A sensor that is capable of measuring the air pressure of its environment.
51
52
     What is your pressure reading in Pascal (P)?
53
54
55
     component Solenoid Actuator(\sqsubseteq Solenoid Actuator (line 50 on page 146))
     A solenoid actuator capable of being in an open or closed state.
56
57
59
     relation Temperature Sensor (line 46) inherit Sensor
60
     relation Pressure Sensor (line 50) inherit Sensor
     relation Solenoid Actuator (line 54) inherit Actuator
61
62
63
     subsystem Physical Architecture ( Physical Architecture (1ine 2 on page 147))
64
     The physical architecture of the HARDENS RTS demonstrator.
65
66
     component USB UI Cable (UI,C)
67
     The USB cable used to communicate the ASCII UI to/from the board.
69
     component USB Programming Cable (Prog,C)
     The USB cable used to program the board with a bitstream.
     component USB Debugging I/O Cable (Debug,C)
73
74
75
76
77
     The USB cable used to interact with the board in a debugger.
      component Dev Board (Board)
     A PCB developer board used to prototype hardware.
78
79
      // * MOSFET power control kit: https://www.sparkfun.com/products/12959
80
     // * 12 V Latch solenoid: https://www.sparkfun.com/products/15324
81
82
     // * Pressure sensor: https://www.sparkfun.com/products/11084
83
                                                                             (?? on page ??), Ten
(line 59 on page 153))
     component Temperature Sensor 1 (TS1)(☐ Temperature Sensor Sensor (line 220 on page 144), Temperature Sensor The first of two redundant temperature sensors.
84
                                                                                                    Temperature
85
     component Temperature Sensor 2 (TS2)(
Sensor (line 220 on page 144), Temperature Sensor Temperature Sensor
                                                                              (?? on page ??), Ter (line 59 on page 153))
87
                                                                                                    Temperature
88
    The second of two redundant temperature sensors.
89
```

```
90 | component Pressure Sensor 1 (PS1)( Pressure Sensor (line 83 on page 153), Pressure Sensor (?? on page ??), Pressure Sensor (line 221 on page 144), Pressure Sensor (?? on page ??), Pressure Sensor (line 73 on page 153))
     The first of two redundatnt pressure sensors.
      component Pressure Sensor 2 (PS2)( Pressure Sensor (line 83 on page 153), Pressure Sensor (?? on page ??), Pressure Sensor (line 221 on page 144), PressureSensor (?? on page ??), PressureSensor (line 73 on page 153))
 93
      The second of two redundant pressure sensors.
 96
       component Solenoid Actuator 1 (SA1)(☐ Solenoid Actuator (line 50 on page 146))
 97
       The first of two redundant solenoid actuators.
 98
 99
       component Solenoid Actuator 2 (SA2)( Solenoid Actuator (line 50 on page 146))
100
      The second of two redundant solenoid actuators.
101
       component HARDENS Demonstrator (Demonstrator)
103
       The fully assembled HARDENS demonstrator hardware with all component
104
105
      present.
106
       component Developer Machine
107
       The computer used by a developer to interface with the demonstrator,
108
       typically for driving the demonstrator's UI and programming and
109
       debugging the board.
110
111
       relation Demonstrator (line 102) client Board (line 75)
112
       relation Board (line 75) client UI
113
       relation Board (line 75) client UI-C (line 66)
114
       relation Board (line 75) client Prog-C (line 69)
115
      relation Board (line 75) client Debug-C (line 72)
116
      relation Board (line 75) client TS1 (line 84)
117
      relation Board (line 75) client TS2 (line 87)
118
      relation Board (line 75) client PS1 (line 90)
119
      relation Board (line 75) client PS2 (line 93)
120
      relation Board (line 75) client SA1 (line 96)
121
       relation Board (line 75) client SA2 (line 99)
122
       relation UI-C (line 66) client Developer Machine (line 106)
123
       relation Prog-C (line 69) client Developer Machine (line 106)
124
      relation Debug-C (line 72) client Developer Machine (line 106)
125
       relation U3 (line 38) inherit FPGA
      relation Board (line 75) contains ECP5,5G
127
       relation Board (line 75) inherit PCB
      relation FPGA Dev Board contains J2 (line 42)
```

### A.8 System Instrumentation

Listing A.8: Lando model of the system instrumentation.

```
subsystem RTS Instrumentation Architecture
The architecture for the instrumentation (sensors and actuators)
subsystem of the RTS demonstrator.

subsystem RTS Instrumentation Systems Architecture
The systems architecture for the instrumentation subsystem of the RTS
demonstrator. Some of the architecture is implemented in hardware,
and some is implementated in software.

component Instrumentation Implementation (InstImpl) inherit Driver
A software or hardware driver that interfaces with a sensor. In the
RTS demonstrator there are two kinds of sensors: pressure and
temperature.

component Actuator Implementation (ActImpl)
```

```
| inherit Driver
     A software or hardware driver that interfaces with an actuator. In
18
19
20
21
22
23
24
25
26
27
28
29
30
     the RTS demonstrator there is one kind of actuator: a solenoid.
     component Voting Implementation (VoteImpl)
     inherit Voting
     A software or hardware implemenation of our voting algorithm that
     provides fault tolerance for decision, making based upon the attached
     subsystem Instrumentation Software Stack (SWStack)
     inherit Software
     The software stack associated with the instrumentation subsystem.
     {\tt component\ Instrumentation\ Implementation\ 1\ (InstImpl1)\ inherit\ Instrumentation}
           \hookrightarrow Implementation
31
     The first of four sensor drivers for the instrumentation subsystem.
3334567890123445678901235556789
     relation InstImpl1 inherit SWImpl
     relation InstImpl1 inherit High, Assurance
     relation InstImpl1 inherit C
     component Instrumentation Implementation 2 (InstImpl2)
     inherit InstImpl
     The second of four sensor drivers for the instrumentation subsystem.
     There are multiple sensors in the architecture to provide fault
     tolerance.
     component Actuator Implementation 1 (ActImpl1)
     inherit ActImpl
     The first of two actuator drivers for the instrumentation subsystem.
     There are multiple actuators in the architecture to provide fault
     tolerance.
     component Voting Implementation 1 (VoteImpl1)
     inherit VoteImpl
     The first of two implementations of the voting component. Voting is
     used to implement redundancy of instrumentation and control in the RTS
     demonstrator.
     relation SWStack (line 26) client Binaries
     relation Binaries client SWStack (line 26)
     subsystem Instrumentation Actuation and Voting Hardware Stack (HWStack)
     The hardware implementations driving a redundant subset of sensors,
60
     actuators, and voting components.
61
62
     component Instrumentation Implementation 3 (InstImpl3)
63
     inherit InstImpl
64
65
     The third of four sensor drivers for the instrumentation subsystem.
     There are multiple sensors in the architecture to provide fault
66
     component Instrumentation Implementation 4 (InstImpl4)
     inherit InstImpl
70
71
72
73
     The fourth of four sensor drivers for the instrumentation subsystem.
     There are multiple sensors in the architecture to provide fault
     tolerance.
74
75
     component Actuator Implementation 2 (ActImpl2)
     inherit ActImpl
\frac{76}{77}
     The second of two actuator drivers for the instrumentation subsystem.
     There are multiple actuators in the architecture to provide fault
     tolerance.
79
```

component Voting Implementation 2 (VoteImpl2)

```
81 | inherit VoteImpl
82 | The second of two implementations of the voting component. Voting is
83 | used to implement redundancy of instrumentation and control in the RTS
84 | demonstrator.
85 | relation HWStack (line 58) client Bitstream
87 | relation Bitstream client HWStack (line 58)
```

#### A.9 Project Requirements

Listing A.9: Lando model of the project requirements.

```
// All requirements that the RTS system must fulfill, as driven by the
     // IEEE 603,2018 standards and the NRC RFP.
     requirements HARDENS Project High, level Requirements
     // The high, level requirements for the project stipulated by the NRC RFP.
     NRC Understanding (\sqsubseteq NRC Understanding (line 19 on page 149))
     Provide to the NRC expert technical services in order to develop a
     better understanding of how Model, Based Systems Engineering (MBSE)
     methods and tools can support regulatory reviews of adequate design
     and design assurance.
12
     Identify Regulatory Gaps (☐ Identify Regulatory Gaps (line 20 on page 149))
     Identify any barriers or gaps associated with MBSE in a regulatory
     review of Digital Instrumentation and Control Systems for existing
     Nuclear Power Plants.
     Demonstrate(☐ Demonstrate (line 21 on page 149))
     Galois will demonstrate to the Nuclear Regulatory Commission (NRC)
     cutting, edge capabilities in the model, based design, validation, and
     verification of safety, critical, mission, critical, high, assurance
     Demonstrator Parts (☐ Demonstrator Parts (line 22 on page 149))
     Our demonstrator includes high, assurance software and hardware,
     includes open source RISC, V Central Processing Units.
     Demonstrator Groundwork (☐ Demonstrator Groundwork (line 23 on page 149))
     Our demonstrator lays the groundwork for a high, assurance reusable
     product for safety critical Digital Instrumentation and Control
     Systems systems in Nuclear Power Plants.
     requirements NRC Characteristics
     // The requirements driven by the IEEE 603,2018 standard for NPP I&C
     // systems.
     // Both formal and rigorous consistency checks of the requirements
     // will be accomplished by using false theorem checks and proofs in
     // the Cryptol model and in software and hardware source code;
    Requirements Consistency ( Requirements Consistency (line 6 on page 139), Requirements Consistency (line 35 on page 149))
     Requirements must be shown to be consistent.
     // A rigorous completeness validation of the requirements will be
     // accomplished by demonstrating traceability from the project
     // specification (including the RFP text describing the reactor trip
     // system) to the formal models of the system and its properties.
     Requirements Colloquial Completeness ( Requirements Colloquial Completeness page 149), Requirements Colloquial Completeness ( Iine 9 on page 139)
     page 149), Requirements Colloquial Completenes
The system must be shown to fulfill all requirements.
                                                                  (line 9 on page 139))
```

```
50 |// A formal verification of completeness of the requirements will be
     // accomplished by using the chosen requirements checking tool
     Requirements Formal Completeness (line 12 on page 149), Requirements Formal Completeness (line 12 on page 139))
                                                                                     (line 37 on
53
    Requirements must be shown to be formally complete.
54
55
     // This characteristic will be demonstrated architecturally via the
     /\!/\ decoupling\ of\ computation\ across\ the\ two\ RISC, V\ instrumentation
     // cores and two instrumentation units running on the FPGA.
57
58
    Instrumentation Independence (☐ Instrumentation Independence Instrumentation Independence (line 38 on page 149))
                                                                           (line 15 on page 139),
    Independence among the four divisions of instrumentation (inability
60
     for the behavior of one division to interfere or adversely affect the
61
     performance of another).
62
63
     // This characteristic will be demonstrated architecturally by
64
65
     // decoupling the compute and I/O channels of the units from one
     // another.
66
     Channel Independence ([☐ Channel Independence (line 39 on page 149), Channel Independence (line 20 on page 139))
67
    Independence among the two instrumentation channels within a division
     (inability for the behavior of one channel to interfere or adversely
68
69
     affect the performance of another).
70
71
     // This characteristic will be demonstrated architecturally by
72
     // partitioning the actuation logic across software and hardware
73
     // units.
     Actuation Independence (☐ Actuation Independence (line 25 on page 139), Actuation
74
     Independence (line 40 on page 149))
Independence among the two trains of actuation logic (inability for
     the behavior of one train to interfere or adversely affect the
77
     performance of another).
78
79
     /\!/\ \textit{This characteristic will be demonstrated by rigorous validation via}
80
     // runtime verification and formal verification of the model and its
81
      // implementation, as discussed in detail below.
     Actuation Correctness ( Actuation Correctness Correctness (line 41 on page 149))
                                                            (line 30 on page 139), Actuation
     Completion of actuation whenever coincidence logic is satisfied or
84
85
     manual actuation is initiated.
86
     // This characteristic will be demonstrated architecturally by
87
     // partitioning the actuation logic across software and hardware
88
     Self, Test/Trip Independence(☐ Self-Test/Trip Independence
                                                                         (line 34 on page 140),
     Self-Test/Trip Independence (line 42 on page 149))
Independence between periodic self, test functions and trip functions
90
91
      (inability for the behavior of the self, testing to interfere or
     adversely affect the trip functions).
```

#### A.10 System Requirements

```
Listing A.10: Lando model of the requirements.

subsystem Requirements
The requirements for the RTS system are specified in the following requirements specifications:

HARDENS Project High,level Requirements
NRC Characteristics.

// At the moment all system requirements are written in FRET. See the
// top,level [](../README.md) for more information.

// During Task 2 we will reify those same requirements into our Lando
// and SysML specifications as well.
```

### A.11 System Behavioral Scenarios

```
Listing A.11: Lando model of the scenarios.
     // Scenarios are sequences of events. Scenarios document normal and
     // abnormal traces of system execution.
     // Normal scenarios describe the normal behavior of the system when
     // it is not in maintenance or self, test mode.
     scenarios RTS Scenarios
     Normal Behavior 1 ,Stable Normal State
     The system is in the normal operating mode across all instrumentation \ensuremath{\mathsf{I}}
     units, no unit is in test mode, and no unit is in maintenance mode, a
12
13
14
15
16
17
18
19
20
21
22
24
25
27
28
     threshold setpoint v_p has been set for pressure, and a threshold
     setpoint v_t has been set for temperature.
     Normal Behavior 2 ,Event Control
     The system is in a stable normal state and responds to a new event.
     Normal Behavior 3 ,Sense Compute Actuate
     The system is in a stable normal state and receives input from the
     user and reads data from its sensors and, reacts to user input, and if
     necessary, actuates an actuator.
     Normal Behavior 4 , Test Instrumentation
     Test system behavior across all possible combinations of modes,
     commands, pressure values, temperature values, and failure conditions.
     Normal Behavior 5 ,Test Voting
     Test system voting behavior across all possible combinations of vote
     inputs.
```

### A.12 System Test Scenarios

#### Listing A.12: Lando model of the Test scenarios.

```
// Scenarios are sequences of events. Scenarios document normal and
         // abnormal traces of system execution.
  3
         // Test scenarios are scenarios that validate a system conforms to its
  4567
         // requirements through runtime verification (testing). Each scenario
         \begin{picture}(20,0)\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0)
         // property. If a testbench is complete, then every path of a
         // system's state machine should be covered by the its set of scenarios.
         scenarios Self, Test Scenarios
         Normal Self, Test Behavior 1a ,Trip on Mock High Pressure Reading from that Pressure Sensor
13
         The user selects 'maintenance' for an instrumentation division, the
         division's pressure channel is set to 'normal' mode, the pressure
14
15
         setpoint is set to a value \boldsymbol{v}, the user simulates a pressure input to
16
         that division exceeding v, the division generates a pressure trip.
17
18
        Normal Self, Test Behavior 1b , Trip on Environmental High Pressure Reading from that Pressure
                  → Sensor
19
         The user selects 'maintenance' for an instrumentation division, the
20
         division's pressure channel is set to 'normal' mode, the pressure
         setpoint is set to a value v, the division reads a pressure sensor
         value division exceeding v, the division generates a pressure trip.
24
        Normal Self, Test Behavior 2a ,Trip on Mock High Temperature Reading from that Temperature
                  → Sensor
        The user selects 'maintenance' for an instrumentation division, the
26
27
         division's temperature channel is set to 'normal' mode, the
         temperature setpoint is set to a value v, the user simulates a
28
29
         temperature input to that division exceeding v, the division generates
30
31
         Normal Self, Test Behavior 2a , Trip on Environmental High Temperature Reading from that
                  → Temperature Sensor
         The user selects 'maintenance' for an instrumentation division, the
         division's temperature channel is set to 'normal' mode, the
34
35
36
37
38
39
         temperature setpoint is set to a value v, the division reads a
         temperature sensor value division exceeding {\tt v}\xspace, the division generates
         a temperature trip.
         Normal Self, Test Behavior 3a , Trip on Mock Low Saturation Margin
         The user selects 'maintenance' for an instrumentation division, the
         division's saturation channel is set to 'normal' mode, the saturation
margin setpoint is set to a value v, the user simulates pressure and
         temperature inputs to that division such that the saturation margin is
         below {\bf v}, the division generates a saturation margin trip.
        Normal Self, Test Behavior 3a, Trip on Environmental Low Saturation Margin The user selects 'maintenance' for an instrumentation division, the
         division's saturation channel is set to 'normal' mode, the saturation
         margin setpoint is set to a value v, the division reads pressure and
         temperature sensor values in that division such that the saturation
         margin is below v, the division generates a saturation margin trip.
         Normal Self, Test Behavior 4 , Vote on Every Possible Like Trip
         The user selects 'maintenance' for each instrumentation division, the
         user configures a subset of channels to place in active trip output.
        Normal Self,Test Behavior 5a ,Automatically Actuate All Mock Devices in Sequence The user selects 'maintenance' for each instrumentation division, the
         user places enough channels in 'active trip' to actuate a mock device.
59
         Normal Self, Test Behavior 5b , Automatically Actuate All Hardware Devices in Sequence
         The user selects 'maintenance' for each instrumentation division, the
        user places enough channels in 'active trip' to actuate a hardware
```

```
63
        device.
 64
65
          Normal Self, Test Behavior 6 , Manually Actuate Each Device in Sequence
  66
          The user manually actuates each device.
  68
          Normal Self, Test Behavior 7a , Select Maintenance Operating Mode for each Division
  69
          The user selects 'maintenance' mode for each instrumentation division
  70
          Normal Self, Test Behavior 7b , Select Normal Operating Mode for each Division
  73
74
75
          The user exits 'maintenance' mode for each instrumentation division in
  76
          Normal Self, Test Behavior 8 , Perform Each Kind of Setpoint Adjustment
          For each instrumentation division, the user provides a setpoint for \ensuremath{\mathsf{F}}
  78
79
          temperature, then the user provides a setpoint for pressure, then the
          user provides a setpoint for saturation margin.
  80
  81
          Normal Self, Test Behavior 9 , Configure Bypass of Each Instrument Channel in Sequence
          For each instrumentation division, the user puts each channel in
  83
           'normal' and then 'bypass' mode.
 84
85
          Normal Self, Test Behavior 10 , Configure Active Trip Output State of Each Instrument Channel
                   → in Sequence
  86
          For each instrumentation division, the user puts each channel in
           'trip' and then 'normal' mode.
  87
  88
  89
          Normal Self, Test Behavior 11 , Display Pressure Temperature and Saturation Margin
  90
          The user provides inputs for an instrumentation division, then the UI
  91
          displays the updated pressure, temperature and saturation margin.
  92
  93
          Normal Self, Test Behavior 12 , Display Every Trip Output Signal State in Sequence
          The user configures an instrumentation division in 'maintenance',
          selects a channel and places it in 'trip', the UI displays the trip
          state, the user places the channel in 'normal' mode, the UI displays
          the trip state.
  98
  99
          Normal Self, Test Behavior 13 , Display Indication of Every Channel in Bypass in Sequence
100
          The user configures an instrumentation division in 'maintenance', the
101
          user selects a channel and places it in bypass, the UI displays the
102
          bypass state, the user places the channel in normal mode, the UI
103
          displays the updated state.
104
105
          Normal Self, Test Behavior 14 ,Demonstrate Periodic Continual Self, test of Safety Signal Path
106
          The system starts, eventually the UI displays that self test has run.
107
108
          Normal Behavior Full Self, Test
109
          The system selects two instrumentation divisions and a device, the \operatorname{system}
110
          simulates inputs to the selected instrumentation divisions, the system checks
111
          that the correct actuation signal would be sent to the selected device.
112
113
          // Exceptional behaviors are *predictable* system behaviors triggered
114
115
          // by external environment affects. Examples include a CPU, OS,
           // device, or network total or partial failure. E.g., CPU deadlock,
116
          // out, of, memory errors, permanent store partial and total failures,
117
          /\!/\;lack\;of\;space\;in\;permanent\;store,\;partial\;and\;total\;network
118
          // failures, device driver partial or total failures, etc.
119
120
          /\!/ \ \textit{In our architecture, every part of the RTS system, and particularly}
121
          \begin{picture}(60,0)\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0)
122
          // part of the actuation subsystem must be able to fail and the system
123
          // must respond appropriately.
124
125
          // This is not detectable
          Exceptional Behavior 1a , Cause Actuator 1 to Fail
         Manually actuate Actuator 1, the actuator fails, an error is indicated.
```

```
128
129
      // This is not detectable
130
      Exceptional Behavior 1b , Cause Actuator 2 to Fail
131
      Manually actuate Actuator 2, the actuator fails, an error is indicated.
132
133
       // This is not detectable
134
      Exceptional Behavior 1c ,Non,determinisitically Cause an Actuator to Eventually Fail
135
      Repeatedly manually actuate/unactuate an Actuator, the actuator fails, an error is indicated
136
137
       Exceptional Behavior 2a , Cause Temperature Sensor 1 to Fail
138
      Instrumentation units 1 and 2 reports temperature readings that are inconsistent with
            → Instrumentation units 3 and 4, the
139
      discrepancy is indicated on the UI.
140
141
142
       Exceptional Behavior 2b , Cause Temperature Sensor 2 to Fail
      Instrumentation units 1 and 2 reports temperature readings that are inconsistent with
             → Instrumentation units 3 and 4, the
143
144
145
146
      discrepancy is indicated on the UI.
       Exceptional Behavior 2c ,Non,deterministically Cause a Temperature Sensor to Eventually Fail
      Instrumentation units 1 and 2 reports temperature readings that are inconsistent with
             → Instrumentation units 3 and 4, the
147
148
149
150
      discrepancy is indicated on the UI.
      Exceptional Behavior 3a .Cause Pressure Sensor 1 to Fail
      Instrumentation units 1 and 2 reports pressure readings that are inconsistent with
            → Instrumentation units 3 and 4, the
\frac{151}{152}
      discrepancy is indicated on the UI.
153
      Exceptional Behavior 3b ,Cause Pressure Sensor 2 to Fail
154
      Instrumentation units 1 and 2 reports pressure readings that are inconsistent with

→ Instrumentation units 3 and 4, the

155
      discrepancy is indicated on the UI.
156
157
158
      Exceptional Behavior 3c ,Non,deterministically Cause a Pressure Sensor to Eventually Fail Temperature Sensor 1 or Temperature Sensor 2 report inconsistent values,
159
      discrepancy is indicated on the UI.
160
161
       // Can be further refined, e.q.:
162
      // Sensor values are read by Instrumnetation Unit 1, the unit generates the wrong trip signal
163
      Exceptional Behavior 4a , Cause Instrumentation Unit 1 to Fail
\begin{array}{c} 164 \\ 165 \end{array}
      Instrumentation unit 1 fails, self test indicates that a test has failed.
166
       // Can be further refined, e.g.:
167
      // Sensor values are read by Instrummetation Unit 1, the unit generates the wrong trip signal
168
       Exceptional Behavior 4b , Cause Instrumentation Unit 2 to Fail
169
      Instrumentation unit 2 fails, self test indicates that a test has failed.
170
171
      // Can be further refined, e.g.:
172
      /\!/ \ \mathit{Sensor} \ \mathit{values} \ \mathit{are} \ \mathit{read} \ \mathit{by} \ \mathit{Instrummetation} \ \mathit{Unit} \ \mathit{1,} \ \mathit{the} \ \mathit{unit} \ \mathit{generates} \ \mathit{the} \ \mathit{wrong} \ \mathit{trip} \ \mathit{signal}
173
      Exceptional Behavior 4c , Cause Instrumentation Unit 3 to Fail
174
      Instrumentation unit 3 fails, self test indicates that a test has failed.
175
176
       // Can be further refined, e.g.:
      // Sensor values are read by Instrummetation Unit 1, the unit generates the wrong trip signal
       Exceptional Behavior 4d , Cause Instrumentation Unit 4 to Fail
      Instrumentation unit 4 fails, self test indicates that a test has failed.
180
181
       Exceptional Behavior 4e ,Non,Deterministically Cause Instrumentation Unit to Eventually Fail
182
      At least one instrumentation unit fails to generate the appropriate trip signal, self test

→ runs.

183 self test indicates that a test has failed.
```

```
184
185
      Exceptional Behavior 5a , Cause Temperature Demultiplexor 1 to Fail
      At least one of Instrumentation units 1 or 2 report temperature readings inconsistent with

→ instrumentation units 3 and 4.

187
188
      Exceptional Behavior 5b , Cause Temperature Demultiplexor 2 to Fail
189
      At least one of Instrumentation units 3 or 4 report temperature readings inconsistent with

→ instrumentation units 1 and 2.

190
191
      Exceptional Behavior 5c ,Cause Pressure Demultiplexor 1 to Fail
192
      At least one of Instrumentation units 1 and 2 report pressure readings inconsistent with

→ instrumentation units 3 and 4.

194
195
      Exceptional Behavior 5d , Cause Pressure Demultiplexor 2 to Fail
      At least one of Instrumentation units 3 and 4 report pressure readings inconsistent with

→ instrumentation units 1 and 2.

196
197
      Exceptional Behavior 5e ,Cause a Temperature Demultiplexor to Eventually Fail
198
      All instrumentation units report consistent temperature readings, a demultiplexor fails, at
            \hookrightarrow least one of the
199
      instrumentation units reports an inconsistent temperature reading.
200
201
      Exceptional Behavior 5f ,Cause a Pressure Demultiplexor to Eventually Fail
      All instrumentation units report consistent temperature readings, a demultiplexor fails, at
            \rightarrow least one of the
      instrumentation units reports an inconsistent pressure reading.
```

### A.13 System Tool Scenarios

Listing A.13: Lando model of the System Tool scenarios.

```
scenarios Tool Scenarios
     Verify Software
     Formally verify that software or firmware programs fulfill their
     specifications.
     Formally verify that a hardware design fulfills its specifications.
     Formal Equivalence Checking
11
12
13
14
15
     Formally verify that programs written in different languages (even
     across the hardware/software boundary) are equivalent.
     Symbolic Testing
     Improve the assurance of software using symbolic testing.
16
     Backend Solver Libraries
     Provide libraries for symbolic formula representation and solver
     interaction.
     Binary Analysis
     Analyze binaries in a variety of formats and for a host of different
     Instruction Set Architectures.
     Binary Rewriting
     Perform binary analysis and rewriting for a variety of purposes.
     Model, Based Test Generation
     Automatically generate model, based tests for a software, firmware, or
     hardware system.
```

```
Specify Semi, Formal Architecture using Natural Language Processing
33455678994423445678995555555556661
     Specify a systems architectures at a high level leveraging Natural
     Language Processing technology.
     Concretize Model
     Create or generate a new model or an implementation from a semi, formal or formal
     model or implementation by adding extra information, typically turning
     a denotational property into an operational computation, and guarantee
     that the new, refined model behaves identically to the previous,
     Abstract Model
     {\tt Extract\ formal\ models,,,including\ behavioral\ and\ architectural}
     models,,,from source code and binaries, and guarantee that all
     properties of the abstract model hold for the more concrete model or
     implementation.
     Define Refinement Relation
     Define a pair of functions, an abstraction function L: I,>M and
     concretization function C: M,>I, such that they form a refinement
     relation over some property P (roughly, P(c(l(i)))=P(i)) between their
     pair of types M and I.
     Formally Refine a Semi, formal Architecture
     Specify and formally refine a semi, formal architecture.
     Product Line Engineering
     Specify and reason about product lines of hardware, firmware, and/or
     software systems.
     Reason about Products
     Reason about products derived from product lines, particularly
64
65
     automatically generated CPUs and SoCs.
66
     Reason about Non, Behavioral Properties
     Reason about non, behavioral properties of models or implementations,
68
69
70
71
72
73
74
75
76
77
     such as security proofs of cryptographic algorithms and protocols,
     safety and progress properties of concurrent or distributed systems,
     information leakage properties of embedded systems and hardware
     Configure Product Line
     Make feature selections in a feature model in order to specify the
     subset of products from a product line that are of interest.
     Fully Configure Product Line
     Configure a feature model until no open choices exist, thereby
     creating a fully configured feature model that specifies a single
     product.
```

# Appendix B

# Lobot Model

Listing B.1: Lobot-Model of RTS.

```
-- title: Reactor Trip System high-assurance demonstrator.
      -- project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
     -- copyright (C) 2021 Galois
     -- author: Joe Kiniry <kiniry@galois.com>
     nat : kind of int where self >= 0
      -- Our development platforms for running the RTS demonstrator in a
      -- fully virtualized (Twin) mode. If we choose to target a real RV32,
     -- then we will be running on the bare metal.
     type virtualized_platform_runtime =
13
14
15
16
       { Posix, RV32_bare_metal, None }
     -- The developer boards we have to choose from. We are using the
     -- ECP-5 5G 85F variant of the Lattice Semiconductor dev board, and if
     -- we choose to put the demonstrator on a real RV32, we will likely
     -- use the Vega board.
19
20
21
22
23
24
25
26
27
28
29
31
32
35
36
37
38
39
     type dev_board =
       { Virtual, LFE5UM5G_85F_EVN, RV32M1_VEGA, None }
     -- The ECP-5 FPGA comes in several flavors. We are using the 5G \,
     -- variant for this project. Other variants should be able to use the
     -- exact same build chain.
     type fpga =
       { ECP5, ECP5_5G }
     -- We can assign an assurance level of every sub-component of the
      -- system. This definition is made here to provide an enumeration of
     -- assurance levels which we will assign/update later as assurance
     -- work goes on.
     type assurance_level =
       { None, Low, Medium, High }
      -- Every subsystem and the system overall is realized either by a
     -- physical component (e.g., a real sensor, actuator, or FPGA) or a
     -- "Digital Twin", which is a simulation/emulation of the component in
      -- question.
```

```
43 445 467 489 512 53 55 567 89 59
      type twin_or_physical =
        { Twin, Physical }
      -- Twins come in different fidelity levels.
      -- "Perfect" fidelity means that our simulator/emulation is capable of
      -- executing the actual software/hardware of the system, subsystem, or
      -- component in such detail that all requirements can be validated or
      -- verified in the twin as accurately as in the physical realization.
      -- "High" fidelity means that we are executing the actual
      -- software/hardware in question in a simulator or emulator that
      -- replicates most, but not all, of the underlying functionality and
      -- behavior of the device in question. For example, a cycle-accurate -- Verilog simulator is high-fidelity, but is not "Perfect" fidelity
      -- if we are concerned about EM side-channels.
 60
      -- A "Medium" fidelity twin also executes the actual
 61
      -- software/hardware, but elides non-behavioral properties that are
      -- critical to fulfilling all system requirements. A hardware virtual
      -- platform (VP) or an event-based Verilog simulator or emulator are
      -- two examples of medium-fidelity digital twin environments.
 64
 65
 66
      -- A "Low" fidelity twin is an executable model that is usually fully
 67
      -- decoupled from the implementation. In order for the model to be
 68
      -- refinement-consistent with regards to more concrete models or the
 69
      -- software/hardware implementation, all measurable properties of the
 70
71
72
73
74
75
      -- model which relate to system requirements must hold through the
      -- refinement.
      type twin_fidelity =
        { Low, Medium, High, Perfect }
 \frac{76}{77}
       -- We use three different C compilers for (cross-)compilation.
      type compiler =
78
79
80
81
        { GCC, Clang, CompCert }
      -- We target three different ISAs in software compilation because our
      -- development platforms for the POSIX-based virtual platform is
      -- either ARM or X86-based and the SoC digital twin and deployment
 83
      -- platform are RISC-V-based.
 84
85
      type isa =
        { ARM, X86, RV32 }
 87
      -- The feature model of the RTS demonstrator itself.
 89
      -- The cost of a demonstrator is expressed in U.S. dollars and is
90
91
92
      -- based upon the value of the board plus all physical devices that
      -- are attached. A purely virtualized RTS demonstrator has zero
      -- hardware cost.
 93
94
95
      rts : kind of struct
       with -- Which development board is being used?
 96
             board : dev_board
 97
             -- How much does the hardware for this demonstrator cost in USD?
 98
             cost : nat
 99
             -- What level of assurance does the demonstrator have overall?
100
             assurance : assurance_level
101
             -- Is the FPGA being twinned via a Verilog simulator/emulator?
102
             soc : twin_or_physical
103
             -- Is the first tempurature sensor a twin or physically present?
104
             ts1 : twin_or_physical
105
             -- Is the second tempurature sensor a twin or physically present?
106
             ts2 : twin_or_physical
107
             -- Is the first pressure sensor a twin or physically present?
108
             ps1 : twin_or_physical
```

```
109
                            -- Is the second pressure sensor a twin or physically present?
110
                           ps2 : twin_or_physical
111
                             -- Is the first actuator a twin or physically present?
112
                            {\tt sa1} : {\tt twin\_or\_physical}
113
114
                            -- Is the second actuator a twin or physically present?
                           sa2 : twin_or_physical
115
                            -- Which C compiler is used to (cross-)compile the software?
116
                            comp : compiler
117
                             -- Which ISA is the compiler (cross-)compiling to?
 118
                            target : isa
 119
                             -- Are all devices twins?
 120
                            all_devices_twins : bool
121
                            -- Should sensors be simulated?
 122
                            simulate_sensors : bool
123
                            -- Should we use parallel execution?
124
125
                           parallel_execution : bool
                              -- Compile with automatic self-test mode enabled?
126
                            self_test_enabled : bool
 127
                             -- Compile with debugging options?
 128
                            debug : bool
 129
                              -- Is this instance of the RTS fully virtualized and running only in software?
 130
                            virtualized_platform_rt : bool
                            -- What development platform is being used to run this fully virtualized twin?
 131
 132
                           rt : virtualized_platform_runtime
133
                  where
134
                      cost = 0 | cost = 100 | cost = 200
135
                      all_devices_twins <=> ((ts1 = Twin) & (ts2 = Twin) & (ps1 = Twin) & (ps2 = Twin) & (sa1 = Twin)
                                   \hookrightarrow Twin) & (sa2 = Twin))
136
                      (soc = Twin) => all_devices_twins
137
                      virtualized_platform_rt <=> ((soc = Twin) & (board = RV32M1_VEGA) & (rt = None)) ^ ((soc
                                  138
 139
               -- Otodo kiniry Add appropriate constraints for the comp and isa features.
140
141
142
143
144
145
              virtualized_rts_configs : kind of rts
                  where all_devices_twins = true & cost = 0 & board = None & virtualized_platform_rt = true
               -- Virtualized builds do not need a development board.
              check_twin_build_configs : check
146
147
                    on c : virtualized_rts_configs
                    that c.board = None
```

# Appendix C

# FRET Specification

Listing C.1: RTS requirements from FRET.

```
Ε
        "reqid" : "ACTUATION_ACTUATOR_O",
 3
 4
        "parent_reqid" :""
        rationale": "RFP function 5,6\n",
"fulltext": "RTS shall always satisfy\n (Auto_Actuate_0_Actuator_0 | Auto_Actuate_1
 5
 6
              → _Actuator_0 | UI_Manual_Actuate_Actuator_0)\n = Actuate_Actuator_0\n",
 7
        "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
              → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
              \hookrightarrow time points between (and including) the trigger and the end of the interval."
 8
 9
10
        "reqid" : "ACTUATION_ACTUATOR_1",
        "parent_reqid" :""
11
        "rationale": "RFP function 5,6\n",
"fulltext": "RTS shall always satisfy\n (Auto_Actuate_0_Actuator_1 | Auto_Actuate_1
12
13
              \verb"description" : \verb"ENFORCED": in the interval defined by the entire execution. \verb"\nTRIGGER":
14
              \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
             \hookrightarrow time points between (and including) the trigger and the end of the interval.
15
16
        "reqid" : "ACTUATION_AUTO_LOGIC_0_ACTUATOR_0",
17
18
        "parent_reqid" : "ACTUATION_ACTUATOR_0",
        "rationale": "RTF function 4,5,RFP actuation logic architecture\n",
"fulltext": "RTS shall always satisfy if (Coincidence_0_T | Coincidence_0_P) then
19
20

→ Auto_Actuate_0_Actuator_0\n",

21
        \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
              ← time points between (and including) the trigger and the end of the interval."
22
23
        "reqid" : "ACTUATION_AUTO_LOGIC_0_ACTUATOR_1",
24
25
        "parent_reqid" : "ACTUATION_ACTUATOR_1",
        "rationale" : "RFP function 4,5,RFP actuation logic architecture\n",
27
        "fulltext" : "RTS shall always satisfy if Coincidence_0_S then Auto_Actuate_0_Actuator_1",
28
        "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               first point in the interval. \nREQUIRES: for every trigger, RES must hold at all
              \hookrightarrow time points between (and including) the trigger and the end of the interval."
29
30
31
        "reqid" : "COINCIDENCE_LOGIC_O_T",
        "parent_reqid" : "ACTUATION_AUTO_LOGIC_O_ACTUATOR_O",
        "rationale" : "RFP function 4",
```

```
34
        "fulltext" : "RTS shall always satisfy\n ((Trip_T_0 & Trip_T_1)\n | ((Trip_T_0 | Trip_T_1)
              35
        "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
              \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

→ time points between (and including) the trigger and the end of the interval.

36
37
        "regid" : "COINCIDENCE_LOGIC_O_P",
38
        "parent_regid" : "ACTUATION_AUTO_LOGIC_O_ACTUATOR_O",
39
         "rationale" : "RFP function 4",
40
        "fulltext" : "RTS shall always satisfy\n ((Trip_P_0 & Trip_P_1)\n | ((Trip_P_0 | Trip_P_1)
41

    ★ (Trip_P_2 | Trip_P_3))\n | (Trip_P_2 & Trip_P_3))\n = Coincidence_0_P\n",
"description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
42
              \stackrel{\circ}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
              ← time points between (and including) the trigger and the end of the interval."
43
44
        "reqid" :"COINCIDENCE_LOGIC_0_S",
"parent_reqid" :"ACTUATION_AUTO_LOGIC_0_ACTUATOR_1",
45
46
        "rationale" :"RFP function 4",
"fulltext" :"RTS shall always satisfy\n ((Trip_S_0 & Trip_S_1)\n | ((Trip_S_0 | Trip_S_1)
47
48

→ & (Trip_S_2 | Trip_S_3))\n | (Trip_S_2 & Trip_S_3))\n = Coincidence_0_S\n",

49
        \hbox{"description"} : \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\setminus$nTRIGGER:}
              ← first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
              \hookrightarrow time points between (and including) the trigger and the end of the interval."
50
51
52
        "reqid" : "ACTUATION_AUTO_LOGIC_1_ACTUATOR_0",
53
        "parent_reqid" : "ACTUATION_ACTUATOR_0",
54
        "rationale" : "RFP function 4,5,RFP actuation logic architecture\n",
55
        "fulltext" : "RTS shall always satisfy if (Coincidence_1_T | Coincidence_1_P) then

→ Auto_Actuate_1_Actuator_0\n",

56
        "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
              ← first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
              → time points between (and including) the trigger and the end of the interval."
57
58
59
        "regid" : "ACTUATION_AUTO_LOGIC_1_ACTUATOR_1",
        "parent_reqid" : "ACTUATION_ACTUATOR_1",
60
61
        "rationale" : "RFP function 4,5,RFP actuation logic architecture\n",
        "fulltext" : "RTS shall always satisfy if Coincidence_1_S then Auto_Actuate_1_Actuator_1",
62
        "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
63
               first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.!

64
65
        "reqid" : "COINCIDENCE_LOGIC_1_T",
        "parent_reqid" : "ACTUATION_AUTO_LOGIC_1_ACTUATOR_0",
67
        "rationale" : "RFP function 4",
68
        "fulltext": "RTS shall always satisfy\n ((Trip_T_0 & Trip_T_1)\n | ((Trip_T_0 | Trip_T_1) \

$\in \ \& (Trip_T_2 | Trip_T_3)\n | (Trip_T_2 & Trip_T_3)\\n = Coincidence_1_T\n",
69
70
        "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
              \stackrel{	au}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

→ time points between (and including) the trigger and the end of the interval.

71
72
        "regid" : "COINCIDENCE_LOGIC_1_P",
73
74
        "parent_reqid" : "ACTUATION_AUTO_LOGIC_1_ACTUATOR_0",
         "rationale" : "RFP function 4",
75
        "fulltext" :"RTS shall always satisfy\n ((Trip_P_0 & Trip_P_1)\n | ((Trip_P_0 | Trip_P_1)
76
        77
              → time points between (and including) the trigger and the end of the interval.
78
79
        "regid" : "COINCIDENCE LOGIC 1 S".
80
        "parent_reqid" : "ACTUATION_AUTO_LOGIC_1_ACTUATOR_1",
```

```
82
         "rationale" : "RFP function 4",
         "fulltext" :"RTS shall always satisfy\n ((Trip_S_0 & Trip_S_1)\n | ((Trip_S_0 | Trip_S_1) \hookrightarrow & (Trip_S_2 | Trip_S_3)\\n | (Trip_S_2 & Trip_S_3)\\n = Coincidence_1_S\\n",
 83
 84
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               → time points between (and including) the trigger and the end of the interval."
 85
 86
 87
         "regid" : "INSTRUMENTATION_O_T_TRIP",
          "parent_reqid" :"",
 88
         "rationale" :"RFP function 1,2,3,9\n",
"fulltext" :"When\n (!Bypass_T_0 & (T_0 > Setpoint_T_0))\nRTS shall always satisfy
 89
 90

    Trip_T_0\n",

         \hbox{\tt "description"} : \hbox{\tt "ENFORCED: in the interval defined by the entire execution.} \\ \hbox{\tt `nTRIGGER:}
 91
               \hookrightarrow first point in the interval if <b><i>(( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) ))
               \hookrightarrow </i></b> is true and any point in the interval where <b<i>((! Bypass_T_0 & (
               \hookrightarrow T_0 > Setpoint_T_0 ) ))</i>> becomes true (from false).\nREQUIRES: for every
               \hookrightarrow trigger, RES must hold at all time points between (and including) the trigger

→ and the end of the interval.'

 92
 93
         "reqid" :"INSTRUMENTATION_O_T_TRIP_UI",
 94
 95
         "parent_reqid" :"",
         "rationale" : "RFP function 12",
 96
         "fulltext" : "RTS shall always satisfy UI_Trip_T_0_Display = Trip_T_0\n",
 97
 98
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
99
100
101
         "reqid" : "INSTRUMENTATION_O_P_TRIP",
102
         "parent_reqid" :"",
         "rationale": "RFP function 1,2,3,9\n",
103
         "fulltext" : "When \n (!Bypass_P_0 & (P_0 > Setpoint_P_0)) \nRTS shall always satisfy
104

→ Trip_P_0\n",

105
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               → first point in the interval if <b><i>((! Bypass_P_0 & (P_0 > Setpoint_P_0)))
               \hookrightarrow </i></b> is true and any point in the interval where <b<i>(( ! Bypass_P_0 & (
               \hookrightarrow P_0 > Setpoint_P_0 ) ))</i></b> becomes true (from false).\nREQUIRES: for every
               → trigger, RES must hold at all time points between (and including) the trigger
               \hookrightarrow and the end of the interval."
106
107
108
         "reqid" : "INSTRUMENTATION_O_P_TRIP_UI",
109
         "parent_reqid" :"",
                      :"RFP function 12",
110
         "rationale"
         "fulltext" : "RTS shall always satisfy UI_Trip_P_0_Display = Trip_P_0\n",
111
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
113
114
         "regid" : "INSTRUMENTATION_O_S_TRIP",
115
         "parent_regid" :""
116
          "rationale" :"RFP function 1,2,3,9\n",
117
         "fulltext" : "When\n (!Bypass_S_0 & (S_0 < Setpoint_S_0))\nRTS shall always satisfy
118
               \hookrightarrow Trip_S_0\n",
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
119
               \hookrightarrow first point in the interval if <b><i>>((! Bypass_S_0 & (S_0 < Setpoint_S_0 )))
               \hookrightarrow S_0 < Setpoint_S_0 ) ))\checkmark/i></b> becomes true (from false).\nREQUIRES: for every
               \hookrightarrow trigger, RES must hold at all time points between (and including) the trigger

→ and the end of the interval.'

120
121
         "reqid" : "INSTRUMENTATION_O_S_TRIP_UI",
122
          "parent_reqid" :"",
123
         "rationale": "RFP function 12",
124
```

```
125
            "fulltext" : "RTS shall always satisfy UI_Trip_S_0_Display = Trip_S_0\n",
126
            "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                   ← first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    ← time points between (and including) the trigger and the end of the interval.

127
128
            "reqid" : "INSTRUMENTATION_1_T_TRIP",
129
            "parent_reqid" :"",
130
            "rationale" :"RFP function 1,2,3,9\n",
"fulltext" :"When\n (!Bypass_T_1 & (T_1 > Setpoint_T_1))\nRTS shall always satisfy
131
132
            \label{eq:Trip_T_1\n",} $$ Trip_T_1\n", $$ "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
133
                   \hookrightarrow first point in the interval if <b><i>(( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) ))
                   \hookrightarrow </i></b> is true and any point in the interval where <br/>b><i>(( ! Bypass_T_1 & (
                   \hookrightarrow T_1 > Setpoint_T_1 ) ))</i></b> becomes true (from false).\nREQUIRES: for every
                   \stackrel{-}{\hookrightarrow} trigger, RES must hold at all time points between (and including) the trigger
                   \hookrightarrow and the end of the interval."
134
135
136
            "reqid" : "INSTRUMENTATION_1_T_TRIP_UI",
137
            "parent_reqid" :"",
            "rationale" : "RFP function 12",
138
            "fulltext" : "RTS shall always satisfy UI_Trip_T_1_Display = Trip_T_1\n",
139
140
            "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                   \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                   → time points between (and including) the trigger and the end of the interval."
141
142
143
            "regid" : "INSTRUMENTATION_1_P_TRIP",
144
            "parent_reqid" :"",
            "rationale" :"RFP function 1,2,3,9\n",
"fulltext" :"When\n (!Bypass_P_1 & (P_1 > Setpoint_P_1))\nRTS shall always satisfy
145
146

→ Trip_P_1\n",

147
            \hbox{"description"}: \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\backslash$nTRIGGER:}
                    \stackrel{\longleftarrow}{\hookrightarrow} first point in the interval if <b><i>(( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) ))
                   \hookrightarrow </i></b> is true and any point in the interval where <b><i>(( ! Bypass_P_1 & (
                   → P_1 > Setpoint_P_1 ) )) //i></b> becomes true (from false).\nREQUIRES: for every
                   → trigger, RES must hold at all time points between (and including) the trigger
                   → and the end of the interval."
148
149
            "reqid" : "INSTRUMENTATION_1_P_TRIP_UI",
150
151
            "parent_reqid" :""
152
            "rationale" : "RFP function 12",
153
            "fulltext" : "RTS shall always satisfy UI_Trip_P_1_Display = Trip_P_1\n",
154
            "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                   → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                   \hookrightarrow time points between (and including) the trigger and the end of the interval.
155
156
157
            "regid" : "INSTRUMENTATION_1_S_TRIP",
158
            "parent_reqid" :"",
            "rationale" : "RFP function 1,2,3,9\n",
159
160
            "fulltext" : "When\n (!Bypass_S_1 & (S_1 < Setpoint_S_1))\nRTS shall always satisfy
                   \hookrightarrow Trip_S_1\n",
161
            "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                   \hookrightarrow first point in the interval if <b><i>((! Bypass_S_1 & (S_1 < Setpoint_S_1)))
                   → </i>

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 

→ 
                   \hookrightarrow trigger, RES must hold at all time points between (and including) the trigger
                   → and the end of the interval."
162
163
            "reqid" : "INSTRUMENTATION_1_S_TRIP_UI",
164
            "parent_reqid" :"",
165
            rationale":"RFP function 12",
"fulltext":"RTS shall always satisfy UI_Trip_S_1_Display = Trip_S_1\n",
166
167
```

```
168
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \stackrel{\circ}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

→ time points between (and including) the trigger and the end of the interval.

169
170
         "regid" : "INSTRUMENTATION_2_T_TRIP",
171
          "parent_regid" :"",
172
          "rationale" :"RFP function 1,2,3,9\n",
173
         "fulltext" : "When\n (!Bypass_T_2 & (T_2 > Setpoint_T_2))\nRTS shall always satisfy
174
         \to Trip_T_2 \setminus n", "description" :"ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
175
               \hookrightarrow first point in the interval if <b><i>(( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 ) ))
               \hookrightarrow </i></b> is true and any point in the interval where <b<i>(( ! Bypass_T_2 & (
               → T 2 > Setpoint T 2 ) ))</i></b> becomes true (from false).\nREQUIRES: for every
               \hookrightarrow trigger, RES must hold at all time points between (and including) the trigger
               → and the end of the interval."
176
177
         "reqid" :"INSTRUMENTATION_2_T_TRIP_UI",
178
179
         "parent_reqid" :"",
         "rationale": "RFP function 12",
"fulltext": "RTS shall always satisfy UI_Trip_T_2_Display = Trip_T_2\n",
180
181
182
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               ← first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
183
184
185
         "reqid" :"INSTRUMENTATION_2_P_TRIP",
186
         "parent_reqid" :"",
         "rationale" : "RFP function 1,2,3,9\n",
187
         "fulltext" : "When \n (!Bypass_P_2 & (P_2 > Setpoint_P_2)) \nRTS shall always satisfy
188

→ Trip_P_2\n",

189
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               \hookrightarrow first point in the interval if <b><i>(( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 ) ))
               \hookrightarrow </i></b> is true and any point in the interval where <b<i>((! Bypass_P_2 & (
               \hookrightarrow P_2 > Setpoint_P_2 ) ))</i></b> becomes true (from false).\nREQUIRES: for every
               → trigger, RES must hold at all time points between (and including) the trigger

→ and the end of the interval."

190
191
         "reqid" : "INSTRUMENTATION_2_P_TRIP_UI",
192
193
         "parent_reqid" :""
         "rationale" : "RFP function 12",
194
195
         "fulltext" : "RTS shall always satisfy UI_Trip_P_2_Display = Trip_P_2\n",
196
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               → time points between (and including) the trigger and the end of the interval."
197
198
199
         "reqid" : "INSTRUMENTATION_2_S_TRIP",
200
         "parent_regid" :""
         "rationale" :"RFP function 1,2,3,9\n",
201
         "fulltext" : "When \n (!Bypass_S_2 & (S_2 < Setpoint_S_2)) \nRTS shall always satisfy
202
               → Trip S 2\n".
203
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               \hookrightarrow first point in the interval if <b<i>((! Bypass_S_2 & (S_2 < Setpoint_S_2 )))
               \hookrightarrow </i></b> is true and any point in the interval where <b<i>(( ! Bypass_S_2 & (
               → S_2 < Setpoint_S_2 ) ))</i></b> becomes true (from false).\nREQUIRES: for every
               \hookrightarrow trigger, RES must hold at all time points between (and including) the trigger

→ and the end of the interval.'

204
205
         "reqid" : "INSTRUMENTATION_2_S_TRIP_UI",
206
         "parent_reqid" :"",
207
          "rationale" : "RFP function 12".
208
         "fulltext" : "RTS shall always satisfy UI_Trip_S_2_Display = Trip_S_2\n",  
209
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
210
               \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
```

```
\hookrightarrow time points between (and including) the trigger and the end of the interval."
211
212
213
         "regid" : "INSTRUMENTATION_3_T_TRIP",
214
         "parent_reqid" :""
          "rationale" :"RFP function 1,2,3,9\n",
215
         "fulltext" : "When\n (!Bypass_T_3 & (T_3 > Setpoint_T_3))\nRTS shall always satisfy
216
               217
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \hookrightarrow </i></b> is true and any point in the interval where <b><i>(( ! Bypass_T_3 & (
               \hookrightarrow T_3 > Setpoint_T_3 ) ))</i></b> becomes true (from false).\nREQUIRES: for every
               \hookrightarrow trigger, RES must hold at all time points between (and including) the trigger

→ and the end of the interval."

218
219
         "reqid" : "INSTRUMENTATION_3_T_TRIP_UI",
220
221
         "parent_reqid" :""
         "rationale": "RFP function 12",
"fulltext": "RTS shall always satisfy UI_Trip_T_3_Display = Trip_T_3\n",
222
223
         \hbox{"description"}: \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\backslash$nTRIGGER:}
224
               ← first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
225
226
227
         "reqid" : "INSTRUMENTATION_3_P_TRIP",
228
         "parent_reqid" :"",
         "rationale": "FPF function 1,2,3,9\n",
"fulltext": "When\n (!Bypass_P_3 & (P_3 > Setpoint_P_3))\nRTS shall always satisfy
229
230
               231
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               \hookrightarrow first point in the interval if <b><i>(( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 ) ))
               \hookrightarrow </i></b> is true and any point in the interval where <b<i>(( ! Bypass_P_3 & (
               \hookrightarrow P_3 > Setpoint_P_3 ) ))</i></b> becomes true (from false).\nREQUIRES: for every
               → trigger, RES must hold at all time points between (and including) the trigger
               \hookrightarrow and the end of the interval."
232
233
234
         "reqid" :"INSTRUMENTATION_3_P_TRIP_UI",
         "parent_reqid" :"",
235
         "rationale" : "RFP function 12",
         "fulltext" : "RTS shall always satisfy UI_Trip_P_3_Display = Trip_P_3\n",
237
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
238
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

→ time points between (and including) the trigger and the end of the interval.

239
240
         "reqid" : "INSTRUMENTATION_3_S_TRIP",
241
242
         "parent_regid" :"",
         "rationale": "RFP function 1,2,3,9\n",
"fulltext": "When\n (!Bypass_S_3 & (S_3 < Setpoint_S_3))\nRTS shall always satisfy
243
244

→ Trip_S_3\n",

245
         "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               \hookrightarrow first point in the interval if <b><i>((! Bypass_S_3 & (S_3 < Setpoint_S_3 )))
               → S_3 < Setpoint_S_3 ) ))</i>></b> becomes true (from false).\nREQUIRES: for every
               \hookrightarrow trigger, RES must hold at all time points between (and including) the trigger

→ and the end of the interval.'

246
247
         "reqid" : "INSTRUMENTATION_3_S_TRIP_UI",
248
         "parent_reqid" :"",
249
          "rationale" : "RFP function 12",
250
         "fulltext" : "RTS shall always satisfy UI_Trip_S_3_Display = Trip_S_3\n",
251
252
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \stackrel{	extstyle 	o}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval.
253
       },
```

```
254
255
         "regid" : "INSTRUMENTATION_O_BYPASS_T_Display",
256
          "parent_regid" :"",
          "rationale" :"RFP function 13",
257
         "fulltext" : "RTS shall always satisfy UI_Bypass_T_0_Display = Bypass_T_0\n",
258
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
259
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

→ time points between (and including) the trigger and the end of the interval.

260
261
         "regid" : "INSTRUMENTATION O BYPASS T".
262
263
         "parent_reqid" :"",
         "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
264
               \hookrightarrow channel (this requirement sets the system value from the UI)\n",
265
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_0\n then (UI_Bypass_T_0) =
               → Bypass_T_0)\n",
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
266
               \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
267
268
         "reqid" : "CONST_INSTRUMENTATION_O_NO_BYPASS_T",
269
270
         "parent_reqid" : "INSTRUMENTATION_O_BYPASS_T",
          "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
271
               \hookrightarrow channel (this requirement does not allow bypass to turn on during normal
               → operation)\n",
272
         "fulltext": "When !UI_Maintenance_0 & !Bypass_T_0 RTS shall, until UI_Maintenance_0 &

→ UI_Bypass_T_0, satisfy\n !Bypass_T_0\n",

273
         "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               → first point in the interval if <b><i>(! UI_Maintenance_0 & ! Bypass_T_0)</i></b>
               \hookrightarrow is true and any point in the interval where <b><i>(! UI_Maintenance_0 & !
               → Bypass_T_0)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop
               \hookrightarrow condition holds at the trigger, the requirement is satisfied."
274
275
276
         "reqid" : "CONST_INSTRUMENTATION_O_BYPASS_T",
277
         "parent_reqid" : "INSTRUMENTATION_O_BYPASS_T",
         "rationale": "RFP function 9:configure in maintenance mode to bypass an instrument

ightarrow channel (this requirement does not allow bypass to turn off during normal

→ operation)\n",

279
         "fulltext"
                     :"When !UI_Maintenance_0 & Bypass_T_0 RTS shall, until UI_Maintenance_0 & !

    UI_Bypass_T_0, satisfy\n Bypass_T_0\n",

280
         "description"
                       :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               → first point in the interval if <b><i>(! UI_Maintenance_0 & Bypass_T_0)</i></b>
               \hookrightarrow is true and any point in the interval where <br/> <i>(! UI_Maintenance_0 &
               → Bypass_T_0)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               → must remain true until (but not necessarily including) the point where the stop

→ condition holds, or to the end of the interval. If the stop condition never

               → occurs, RES must hold until the end of the scope, or forever. If the stop

→ condition holds at the trigger, the requirement is satisfied."

281
282
283
         "regid": "INSTRUMENTATION_O_BYPASS_P_Display",
         "parent_reqid" :"",
284
         "rationale" :"RFP function 13",
"fulltext" :"RTS shall always satisfy UI_Bypass_P_0_Display = Bypass_P_0\n",
285
286
287
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \stackrel{	extstyle 	o}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

→ time points between (and including) the trigger and the end of the interval.

288
289
         "regid" : "INSTRUMENTATION_O_BYPASS_P",
290
291
         "parent_reqid" :""
          "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
292
               \hookrightarrow channel (this requirement sets the system value from the UI)\n,
```

```
293
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_0\n then (UI_Bypass_P_0) =
               \hookrightarrow Bypass_P_0)\n",
294
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

295
296
         "reqid" : "CONST_INSTRUMENTATION_O_NO_BYPASS_P",
297
298
         "parent_reqid" :"INSTRUMENTATION_O_BYPASS_P",
         "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
299
               \hookrightarrow channel (this requirement does not allow bypass to turn on during normal
               → operation)\n",
300
         "fulltext" : "When !UI_Maintenance_0 & !Bypass_P_0 RTS shall, until UI_Maintenance_0 &
               \hookrightarrow UI_Bypass_P_0, satisfy\n !Bypass_P_0\n",
         301
               → first point in the interval if <b><i>(! UI_Maintenance_0 & ! Bypass_P_0)</i></b>
               \hookrightarrow is true and any point in the interval where <b><i>(! UI_Maintenance_0 & !
               \hookrightarrow Bypass_P_0)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop
               \hookrightarrow condition holds at the trigger, the requirement is satisfied."
302
303
         "reqid" : "CONST_INSTRUMENTATION_O_BYPASS_P",
304
305
         "parent_reqid" :"INSTRUMENTATION_0_BYPASS_P"
         "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
306
               \hookrightarrow channel (this requirement does not allow bypass to turn off during normal

→ operation)\n",

307
         "fulltext" : "When !UI_Maintenance_0 & Bypass_P_0 RTS shall, until UI_Maintenance_0 & !
               \hookrightarrow UI_Bypass_P_0, satisfy\n Bypass_P_0\n",
308
         "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               → first point in the interval if <b><i>(! UI_Maintenance_0 & Bypass_P_0)</i></b>
               \hookrightarrow is true and any point in the interval where <b><i>(! UI_Maintenance_0 &
               ← Bypass_P_0)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               → occurs, RES must hold until the end of the scope, or forever. If the stop
               \hookrightarrow condition holds at the trigger, the requirement is satisfied."
309
310
         "reqid" : "INSTRUMENTATION_UI_T_O",
311
         "parent_reqid" :""
313
         "rationale" : "RFP function 11",
314
         "fulltext" : "RTS shall always satisfy T_0 = UI_T_0_Display",
315
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \hookrightarrow first point in the interval.\nEQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

316
317
318
         "regid" : "INSTRUMENTATION_O_SETPOINT_T",
319
         "parent_reqid" :"",
          "rationale" : "RFP function 8",
320
321
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_0 then Setpoint_T_0 =

    UI_Setpoint_T_0\n",

322
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \stackrel{	ext{1}}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
323
324
325
         "reqid" : "INSTRUMENTATION_O_MANUAL_TRIP_T",
326
         "parent_reqid" :"",
          "rationale" : "RFP function 10",
327
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_0 & UI_Manual_Trip_T_0 then
328
               \hookrightarrow \text{Trip\_T\_0} \\ \texttt{'n''},
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
329
               \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
```

```
330
331
332
          "reqid" : "INSTRUMENTATION_UI_P_O",
          "parent_reqid" :"",
333
334
          "rationale" :"RFP function 11",
          "fulltext" : "RTS shall always satisfy P_0 = UI_P_0_Display",
335
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
336

    → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval."

337
338
          "reqid" : "INSTRUMENTATION_O_SETPOINT_P",
339
340
          "parent_reqid" :"",
          "rationale" : "RFP function 8",
341
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_0 then Setpoint_P_0 =
342

→ UI_Setpoint_P_0\n",

343
          \hbox{\tt "description"} : \hbox{\tt "ENFORCED: in the interval defined by the entire execution.} \\ \hbox{\tt `nTRIGGER:}
                \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                \hookrightarrow time points between (and including) the trigger and the end of the interval."
344
345
          "reqid" :"INSTRUMENTATION_O_MANUAL_TRIP_P",
346
347
          "parent_reqid" :"",
          "rationale" : "RFP function 10",
348
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_0 & UI_Manual_Trip_P_0 then
349

→ Trip_P_0\n",

          \hbox{"description"}: \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\  \  \, $n$TRIGGER:}
350
                \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                \hookrightarrow time points between (and including) the trigger and the end of the interval."
351
352
353
          "reqid" : "INSTRUMENTATION_UI_S_O",
354
          "parent_reqid" :"",
          "rationale": "RFP function 11",
"fulltext": "RTS shall always satisfy S_0 = UI_S_0_Display",
355
356
357
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

358
359
          "reqid" :"INSTRUMENTATION_O_SETPOINT_S",
360
          "parent_reqid" :""
361
          "rationale" : "RFP function 8",
362
363
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_0 then Setpoint_S_0 =

    UI_Setpoint_S_0\n",

364
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                \hookrightarrow time points between (and including) the trigger and the end of the interval.
365
366
367
          "regid" : "INSTRUMENTATION_O_MANUAL_TRIP_S",
368
          "parent_reqid" :"",
369
          "rationale" : "RFP function 10",
370
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_0 & UI_Manual_Trip_S_0 then

→ Trip_S_0\n",

371
          "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                \stackrel{	ext{1}}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                \hookrightarrow time points between (and including) the trigger and the end of the interval."
372
373
374
          "reqid" : "INSTRUMENTATION_1_BYPASS_T_Display",
          "parent_reqid" :"",
375
376
          "rationale" : "RFP function 13",
          "fulltext" : "RTS shall always satisfy UI_Bypass_T_1_Display = Bypass_T_1\n",
377
378
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                \stackrel{	extstyle 	o}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

379
       },
```

```
380
381
         "regid" : "INSTRUMENTATION_1_BYPASS_T",
382
          "parent_reqid" :"",
          "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
383
               384
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_1\n then (UI_Bypass_T_1) =
               → Bypass T 1)\n".
385
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
386
387
         "regid" : "CONST_INSTRUMENTATION_1_NO_BYPASS_T",
388
          "parent_reqid" :"INSTRUMENTATION_1_BYPASS_T"
389
         "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
390
               \hookrightarrow channel (this requirement does not allow bypass to turn on during normal
               → operation)\n".
391
         "fulltext" : "When !UI_Maintenance_1 & !Bypass_T_1 RTS shall, until UI_Maintenance_1 &
               \hookrightarrow UI_Bypass_T_1, satisfy\n !Bypass_T_1\n",
392
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:

→ first point in the interval if <b><i>(! UI_Maintenance_1 & ! Bypass_T_1)</i></b>

→ is true and any point in the interval where <b><i>(! UI_Maintenance_1 & !

               \hookrightarrow Bypass_T_1)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop

    ⇔ condition holds at the trigger, the requirement is satisfied."

393
394
395
         "reqid" : "CONST_INSTRUMENTATION_1_BYPASS_T"
396
         "parent_reqid" :"INSTRUMENTATION_1_BYPASS_T"
397
         "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
               \hookrightarrow channel (this requirement does not allow bypass to turn off during normal
               → operation)\n"
398
         "fulltext": "When !UI_Maintenance_1 & Bypass_T_1 RTS shall, until UI_Maintenance_1 & !
               \hookrightarrow UI_Bypass_T_1, satisfy\n Bypass_T_1\n",
         "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
399
                → first point in the interval if <b><i>(! UI_Maintenance_1 & Bypass_T_1)</i></b>
               \hookrightarrow is true and any point in the interval where <b><i>(! UI_Maintenance_1 &
               \hookrightarrow Bypass_T_1)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               → occurs, RES must hold until the end of the scope, or forever. If the stop

→ condition holds at the trigger, the requirement is satisfied."

400
401
402
         "reqid" : "INSTRUMENTATION_1_BYPASS_P_Display",
403
         "parent_reqid" :""
         "rationale" : "RFP function 13",
404
         "fulltext" : "RTS shall always satisfy UI_Bypass_P_1_Display = Bypass_P_1\n",
405
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
406
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               ← time points between (and including) the trigger and the end of the interval.
407
408
409
         "regid" : "INSTRUMENTATION_1_BYPASS_P",
         "parent_reqid" :"",
410
         "rationale": "RFP function 9:configure in maintenance mode to bypass an instrument
411

    ⇔ channel (this requirement sets the system value from the UI)\n".

412
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_1\n then (UI_Bypass_P_1) =
               \hookrightarrow Bypass_P_1)\n",
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
413
               \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval.
414
415
         "regid": "CONST_INSTRUMENTATION_1_NO_BYPASS_P",
416
         "parent_reqid" :"INSTRUMENTATION_1_BYPASS_P",
417
```

```
418
         "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
               ← channel (this requirement does not allow bypass to turn on during normal

→ operation)\n".

419
         "fulltext": "When !UI_Maintenance_1 & !Bypass_P_1 RTS shall, until UI_Maintenance_1 &
               \hookrightarrow UI_Bypass_P_1, satisfy\n !Bypass_P_1\n",
420
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               → first point in the interval if <b><i>(! UI_Maintenance_1 & ! Bypass_P_1)</i></b>

    → is true and any point in the interval where <b><i>(! UI_Maintenance_1 & !

               → Bypass_P_1)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop
               421
422
         "regid": "CONST_INSTRUMENTATION_1_BYPASS_P",
423
         "parent_reqid" : "INSTRUMENTATION_1_BYPASS_P",
424
         "rationale": "RFP function 9:configure in maintenance mode to bypass an instrument
425
               \hookrightarrow channel (this requirement does not allow bypass to turn off during normal
               → operation)\n",
426
         "fulltext" : "When !UI_Maintenance_1 & Bypass_P_1 RTS shall, until UI_Maintenance_1 & !

→ UI_Bypass_P_1, satisfy\n Bypass_P_1\n",

427
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:

→ first point in the interval if <b><i>(! UI_Maintenance_1 & Bypass_P_1)</i></b>

               \hookrightarrow is true and any point in the interval where <br/> <br/>i>(! UI_Maintenance_1 &
               → Bypass_P_1)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               → must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop
               \hookrightarrow condition holds at the trigger, the requirement is satisfied."
428
429
430
         "reqid" : "INSTRUMENTATION_UI_T_1",
431
         "parent_reqid" :""
432
         "rationale" : "RFP function 11",
433
         "fulltext" : "RTS shall always satisfy T_1 = UI_T_1_Display",
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
434
                first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
435
436
         "reqid" : "INSTRUMENTATION_1_SETPOINT_T",
437
438
         "parent_reqid" :""
439
         "rationale" : "RFP function 8",
440
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_1 then Setpoint_T_1 =
                → UI_Setpoint_T_1\n",
441
         "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               → time points between (and including) the trigger and the end of the interval."
442
443
444
         "reqid" : "INSTRUMENTATION_1_MANUAL_TRIP_T",
         "parent_regid" :"",
445
         "rationale": "RTP function 10",
"fulltext": "RTS shall always satisfy\n if UI_Maintenance_1 & UI_Manual_Trip_T_1 then
446
447
               \hookrightarrow Trip_T_1\n",
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
448
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval.
449
450
         "regid" : "INSTRUMENTATION UI P 1".
451
         "parent_reqid" :"",
452
         "rationale" :"RFP function 11",
"fulltext" :"RTS shall always satisfy P_1 = UI_P_1_Display",
453
454
455
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
```

```
456
457
          "regid" : "INSTRUMENTATION_1_SETPOINT_P",
458
          "parent_reqid" :"",
459
          "rationale" :"RTS shall always satisfy\n if UI_Maintenance_1 then Setpoint_P_1 =
460
461

    UI_Setpoint_P_1\n",

462
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
                → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                \hookrightarrow time points between (and including) the trigger and the end of the interval."
463
464
          "regid" : "INSTRUMENTATION 1 MANUAL TRIP P".
465
          "parent_reqid" :"",
466
          rationale": "RFP function 10",
"fulltext": "RTS shall always satisfy\n if UI_Maintenance_1 & UI_Manual_Trip_P_1 then
467
468
                \hookrightarrow Trip_P_1\n",
          \hbox{"description"}: \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\backslash$nTRIGGER:}
469
                \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                \hookrightarrow time points between (and including) the trigger and the end of the interval."
470
471
          "reqid" : "INSTRUMENTATION_UI_S_1",
472
473
          "parent_reqid" :""
          "rationale": "RTF function 11",
"fulltext": "RTS shall always satisfy S_1 = UI_S_1_Display",
474
475
476
          \hbox{"description"}: \hbox{"ENFORCED}\colon \hbox{in the interval defined by the entire execution.} \land \hbox{nTRIGGER}:
                \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                ← time points between (and including) the trigger and the end of the interval."
477
478
479
          "reqid" : "INSTRUMENTATION_1_SETPOINT_S",
480
          "parent_reqid" :"",
          "rationale": "RFF function 8",
"fulltext": "RTS shall always satisfy\n if UI_Maintenance_1 then Setpoint_S_1 =
481
482

    UI_Setpoint_S_1\n",

483
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                 \rightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                \hookrightarrow time points between (and including) the trigger and the end of the interval."
484
485
486
          "reqid" : "INSTRUMENTATION_1_MANUAL_TRIP_S",
487
          "parent_reqid" :"",
488
          "rationale" : "RFP function 10",
489
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_1 & UI_Manual_Trip_S_1 then
                 → Trip_S_1\n",
490
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                → time points between (and including) the trigger and the end of the interval."
491
492
493
          "reqid" : "INSTRUMENTATION_2_BYPASS_T_Display",
494
          "parent_reqid" :"",
          "rationale" :"RFP function 13",
"fulltext" :"RTS shall always satisfy UI_Bypass_T_2_Display = Bypass_T_2\n",
495
496
497
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                → time points between (and including) the trigger and the end of the interval."
498
499
500
          "reqid" : "INSTRUMENTATION_2_BYPASS_T",
          "parent_reqid" :"",
501
          "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
502

    ⇔ channel (this requirement sets the system value from the UI)\n",

503
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_2\n then (UI_Bypass_T_2) = \frac{1}{2}
          \hookrightarrow Bypass_T_2)\n", "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
504
                → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
```

```
\hookrightarrow time points between (and including) the trigger and the end of the interval."
505
506
507
          "regid" : "CONST_INSTRUMENTATION_2_NO_BYPASS_T",
508
          "parent_regid" : "INSTRUMENTATION_2_BYPASS_T",
          "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
509
               \hookrightarrow channel (this requirement does not allow bypass to turn on during normal

→ operation)\n",

510
          "fulltext" : "When !UI_Maintenance_2 & !Bypass_T_2 RTS shall, until UI_Maintenance_2 &
               \hookrightarrow UI_Bypass_T_2, satisfy\n !Bypass_T_2\n"
511
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               ← first point in the interval if <b><i>(! UI_Maintenance_2 & ! Bypass_T_2)</i></b>

→ is true and any point in the interval where <b><i>(! UI_Maintenance_2 & !

               \hookrightarrow Bypass_T_2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop
               \hookrightarrow condition holds at the trigger, the requirement is satisfied."
512
513
          "reqid" : "CONST_INSTRUMENTATION_2_BYPASS_T",
514
515
          "parent regid" : "INSTRUMENTATION 2 BYPASS T"
          "rationale": "RFP function 9:configure in maintenance mode to bypass an instrument
516
                \hookrightarrow channel (this requirement does not allow bypass to turn off during normal

→ operation)\n",

517
          "fulltext" : "When !UI_Maintenance_2 & Bypass_T_2 RTS shall, until UI_Maintenance_2 & !
                \hookrightarrow UI_Bypass_T_2, satisfy\n Bypass_T_2\n"
518
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
                → first point in the interval if <b><i>(! UI_Maintenance_2 & Bypass_T_2)</i></b>
               \hookrightarrow is true and any point in the interval where <b><i>(! UI_Maintenance_2 &
               ⇒ Bypass_T_2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop
               \hookrightarrow condition holds at the trigger, the requirement is satisfied."
519
520
521
          "regid": "INSTRUMENTATION_2_BYPASS_P_Display",
522
          "parent_reqid" :"",
523
          "rationale" : "RFP function 13",
          "fulltext" : "RTS shall always satisfy UI_Bypass_P_2_Display = Bypass_P_2\n",
524
525
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                ← time points between (and including) the trigger and the end of the interval.
526
527
528
          "reqid" : "INSTRUMENTATION_2_BYPASS_P",
529
          "parent_reqid" :"",
530
          "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
                \hookrightarrow channel (this requirement sets the system value from the UI)\n",
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_2\n then (UI_Bypass_P_2) =
531
               \hookrightarrow Bypass_P_2)\n",
532
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                \stackrel{	ext{i}}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               → time points between (and including) the trigger and the end of the interval."
533
534
535
          "reqid" : "CONST_INSTRUMENTATION_2_NO_BYPASS_P",
          "parent_reqid" :"INSTRUMENTATION_2_BYPASS_P"
536
          "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
537
                \hookrightarrow channel (this requirement does not allow bypass to turn on during normal
                → operation)\n".
538
          "fulltext": "When !UI_Maintenance_2 & !Bypass_P_2 RTS shall, until UI_Maintenance_2 &
               \hookrightarrow UI_Bypass_P_2, satisfy\n !Bypass_P_2\n",
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
539

→ first point in the interval if <b><i>(! UI_Maintenance_2 & ! Bypass_P_2)</i></b>

               \hookrightarrow is true and any point in the interval where <br/> <br/>i>(! UI_Maintenance_2 & !
                \hookrightarrow Bypass_P_2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
```

```
\hookrightarrow must remain true until (but not necessarily including) the point where the stop
               → occurs, RES must hold until the end of the scope, or forever. If the stop

→ condition holds at the trigger, the requirement is satisfied.'

540
541
         "regid" : "CONST_INSTRUMENTATION_2_BYPASS_P"
542
         "parent_reqid" :"INSTRUMENTATION_2_BYPASS_P",
543
         "rationale": "RFP function 9:configure in maintenance mode to bypass an instrument
544
               \hookrightarrow channel (this requirement does not allow bypass to turn off during normal

→ operation)\n",

545
         "fulltext" : "When !UI_Maintenance_2 & Bypass_P_2 RTS shall, until UI_Maintenance_2 & !
               \hookrightarrow UI_Bypass_P_2, satisfy\n Bypass_P_2\n",
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
546

→ first point in the interval if <b><i>(! UI_Maintenance_2 & Bypass_P_2)</i></b>

               \hookrightarrow is true and any point in the interval where <b<<i>! UI_Maintenance_2 &
               \hookrightarrow Bypass_P_2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop
               \hookrightarrow condition holds at the trigger, the requirement is satisfied."
547
548
         "reqid" :"INSTRUMENTATION_UI_T_2",
549
550
         "parent_reqid" :"",
         "rationale": "RTF function 11",
"fulltext": "RTS shall always satisfy T_2 = UI_T_2_Display",
551
552
553
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
554
555
556
         "reqid" : "INSTRUMENTATION_2_SETPOINT_T",
557
         "parent_reqid" :""
558
         "rationale" : "RFP function 8",
559
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_2 then Setpoint_T_2 = 0
                → UI_Setpoint_T_2\n",
560
         "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

561
562
         "reqid" : "INSTRUMENTATION_2_MANUAL_TRIP_T",
563
564
         "parent_reqid" :"",
565
         "rationale" : "RFP function 10",
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_2 & UI_Manual_Trip_T_2 then
566
               \hookrightarrow Trip_T_2\n",
567
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               → time points between (and including) the trigger and the end of the interval."
568
569
570
         "regid": "INSTRUMENTATION_UI_P_2",
         "parent_regid" :""
571
         "rationale" : "RFP function 11",
572
         "fulltext" : "RTS shall always satisfy P_2 = UI_P_2_Display",
573
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
574

→ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

               \hookrightarrow time points between (and including) the trigger and the end of the interval.
575
576
         "regid" : "INSTRUMENTATION 2 SETPOINT P".
577
          "parent_reqid" :"",
578
         rationale" :"RFP function 8",
"fulltext" :"RTS shall always satisfy\n if UI_Maintenance_2 then Setpoint_P_2 =
579
580

    UI_Setpoint_P_2\n",

         "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
581
               \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
```

```
\hookrightarrow time points between (and including) the trigger and the end of the interval."
582
583
584
          "regid" : "INSTRUMENTATION_2_MANUAL_TRIP_P",
585
          "parent_reqid" :""
          "rationale" : "RFP function 10",
586
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_2 & UI_Manual_Trip_P_2 then
587

→ Trip_P_2\n",

588
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               \stackrel{	extstyle 	op}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval.'
589
590
          "reqid" :"INSTRUMENTATION_UI_S_2",
591
592
          "parent_reqid" :"",
          "rationale" :"RFP function 11".
593
          "fulltext" : "RTS shall always satisfy S_2 = UI_S_2_Display",
594
595
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
596
597
          "reqid" :"INSTRUMENTATION_2_SETPOINT_S",
598
599
          "parent_reqid" :""
         "rationale": "RTP function 8",
"fulltext": "RTS shall always satisfy\n if UI_Maintenance_2 then Setpoint_S_2 =
600
601

    UI_Setpoint_S_2\n",

602
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
603
604
605
          "reqid" : "INSTRUMENTATION_2_MANUAL_TRIP_S",
606
          "parent_reqid" :""
607
          "rationale" : "RFP function 10",
608
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_2 & UI_Manual_Trip_S_2 then
                 → Trip_S_2\n",
609
          "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval.'
610
611
          "reqid" : "INSTRUMENTATION_3_BYPASS_T_Display",
          "parent_reqid" :"",
613
614
          "rationale" : "RFP function 13",
          "fulltext" : "RTS shall always satisfy UI_Bypass_T_3_Display = Bypass_T_3\n",
615
616
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               → time points between (and including) the trigger and the end of the interval."
617
618
619
          "reqid" : "INSTRUMENTATION_3_BYPASS_T",
          "parent_reqid" :"",
620
621
          "rationale": "RFP function 9:configure in maintenance mode to bypass an instrument

    ⇔ channel (this requirement sets the system value from the UI)\n",

622
          "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_3\n then (UI_Bypass_T_3) =
               \hookrightarrow Bypass_T_3)\n",
623
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:

    → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.!

624
625
          "reqid" : "CONST_INSTRUMENTATION_3_NO_BYPASS_T",
626
          "parent_regid" : "INSTRUMENTATION_3_BYPASS_T",
627
          "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
628
                \hookrightarrow channel (this requirement does not allow bypass to turn on during normal
               → operation)\n",
```

```
629
         "fulltext" : "When !UI_Maintenance_3 & !Bypass_T_3 RTS shall, until UI_Maintenance_3 &

→ UI_Bypass_T_3, satisfy\n !Bypass_T_3\n",

         "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
630
               → first point in the interval if <b><i>(! UI_Maintenance_3 & ! Bypass_T_3)</i></b>

→ is true and any point in the interval where <b><i>(! UI_Maintenance_3 & !

              → Bypass_T_3)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
              \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               → occurs, RES must hold until the end of the scope, or forever. If the stop
               \hookrightarrow condition holds at the trigger, the requirement is satisfied."
631
632
         "regid" : "CONST_INSTRUMENTATION_3_BYPASS_T",
633
         "parent_regid" :"INSTRUMENTATION_3_BYPASS_T"
634
         "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
635
               \hookrightarrow channel (this requirement does not allow bypass to turn off during normal
               → operation)\n".
636
         "fulltext" : "When !UI_Maintenance_3 & Bypass_T_3 RTS shall, until UI_Maintenance_3 & !
               \hookrightarrow UI_Bypass_T_3, satisfy\n Bypass_T_3\n",
637
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:

→ first point in the interval if <b><i>(! UI_Maintenance_3 & Bypass_T_3)</i></b>

               \hookrightarrow is true and any point in the interval where <b><i>(! UI_Maintenance_3 &
               \hookrightarrow Bypass_T_3)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
              \hookrightarrow must remain true until (but not necessarily including) the point where the stop
              \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop

    ⇔ condition holds at the trigger, the requirement is satisfied."

638
639
640
         "reqid" : "INSTRUMENTATION_3_BYPASS_P_Display",
         "parent_reqid" :""
641
         "rationale": "RFP function 13",
"fulltext": "RTS shall always satisfy UI_Bypass_P_3_Display = Bypass_P_3\n",
642
643
644
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:

ightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
645
646
         "reqid" :"INSTRUMENTATION_3_BYPASS_P",
647
         "parent_reqid" :"",
648
         "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
649
                → channel (this requirement sets the system value from the UI)\n",
         "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_3\n then (UI_Bypass_P_3) =
650
               \rightarrow Bypass_P_3)\n",
651
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
                first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               → time points between (and including) the trigger and the end of the interval."
652
653
654
         "reqid" : "CONST_INSTRUMENTATION_3_NO_BYPASS_P",
         "parent_regid" :"INSTRUMENTATION_3_BYPASS_P",
655
656
         "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument

→ operation)\n",

657
         "fulltext": "When !UI_Maintenance_3 & !Bypass_P_3 RTS shall, until UI_Maintenance_3 &

→ UI_Bypass_P_3, satisfy\n !Bypass_P_3\n",

         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
658
               → first point in the interval if <b><i>(! UI_Maintenance_3 & ! Bypass_P_3)</i>
               \hookrightarrow is true and any point in the interval where <b><i>(! UI_Maintenance_3 & !
               → Bypass_P_3)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
              \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               → occurs, RES must hold until the end of the scope, or forever. If the stop

→ condition holds at the trigger, the requirement is satisfied."

659
660
         "regid" : "CONST_INSTRUMENTATION_3_BYPASS_P"
661
         "parent_reqid" :"INSTRUMENTATION_3_BYPASS_P",
662
```

```
663
          "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
                \hookrightarrow channel (this requirement does not allow bypass to turn off during normal

→ operation)\n".

664
          "fulltext": "When !UI_Maintenance_3 & Bypass_P_3 RTS shall, until UI_Maintenance_3 & !

→ UI_Bypass_P_3, satisfy\n Bypass_P_3\n",

          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
665
                → first point in the interval if <b><i>(! UI_Maintenance_3 & Bypass_P_3)</i></b>

→ is true and any point in the interval where <b><i>(! UI_Maintenance_3 &
                → Bypass_P_3)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
               \hookrightarrow must remain true until (but not necessarily including) the point where the stop
               \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
               \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop
                666
667
          "reqid" : "INSTRUMENTATION_UI_T_3",
668
          "parent_reqid" :"",
669
         "rationale" :"RFP function 11",
"fulltext" :"RTS shall always satisfy T_3 = UI_T_3_Display",
670
671
672
          \hbox{\tt "description"} : \hbox{\tt "ENFORCED: in the interval defined by the entire execution.} \\ \hbox{\tt `nTRIGGER:}
                \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                \hookrightarrow time points between (and including) the trigger and the end of the interval."
673
674
          "reqid" :"INSTRUMENTATION_3_SETPOINT_T",
675
676
          "parent_reqid" :""
          "rationale" :"RTS shall always satisfy\n if UI_Maintenance_3 then Setpoint_T_3 =
677
678

    UI_Setpoint_T_3\n",

679
          \hbox{"description"}: \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\backslash$nTRIGGER:}

ightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

680
681
682
          "regid" : "INSTRUMENTATION_3_MANUAL_TRIP_T",
683
          "parent_reqid" :""
         "rationale": "RFP function 10",
"fulltext": "RTS shall always satisfy\n if UI_Maintenance_3 & UI_Manual_Trip_T_3 then
684
685
                \hookrightarrow Trip_T_3\n",
          \hbox{"description"} : \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\backslash$ nTRIGGER:}
686
                → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.!

687
688
689
          "reqid" : "INSTRUMENTATION_UI_P_3",
690
          "parent_regid" :""
          "rationale" : "RFP function 11",
          "fulltext" : "RTS shall always satisfy P_3 = UI_P_3_Display",
692
693
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
                \hookrightarrow first point in the interval.\nEQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

694
695
696
          "regid" : "INSTRUMENTATION_3_SETPOINT_P",
697
          "parent_reqid" :"",
          "rationale" :"RFP function 8",
"fulltext" :"RTS shall always satisfy\n if UI_Maintenance_3 then Setpoint_P_3 =
698
699

    UI_Setpoint_P_3\n",

700
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                \hookrightarrow time points between (and including) the trigger and the end of the interval."
701
702
          "regid" : "INSTRUMENTATION_3_MANUAL_TRIP_P",
703
          "parent_reqid" :"",
704
          rationale": "RFP function 10",
"fulltext": "RTS shall always satisfy\n if UI_Maintenance_3 & UI_Manual_Trip_P_3 then
705
706
                \hookrightarrow Trip_P_3\n",
```

```
707
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \stackrel{\circ}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

708
709
         "regid" : "INSTRUMENTATION_UI_S_3",
710
         "parent_reqid" :"",
711
          "rationale" :"RFP function 11",
712
         "fulltext" : "RTS shall always satisfy S_3 = UI_S_3_Display",
713
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
714
               → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
715
716
         "regid" : "INSTRUMENTATION_3_SETPOINT_S",
717
         "parent_reqid" :""
718
         "rationale" :"RFP function 8",
"fulltext" :"RTS shall always satisfy\n if UI_Maintenance_3 then Setpoint_S_3 =
719
720
               \hookrightarrow UI_Setpoint_S_3\n",
721
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               \hookrightarrow time points between (and including) the trigger and the end of the interval."
722
723
         "reqid" :"INSTRUMENTATION_3_MANUAL_TRIP_S",
724
725
         "parent_reqid" :""
         "rationale": "RTP function 10",
"fulltext": "RTS shall always satisfy\n if UI_Maintenance_3 & UI_Manual_Trip_S_3 then
726
727
               \hookrightarrow Trip_S_3\n",
728

ightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

729
730
```

#### Listing C.2: Requirements from FRET.

```
1
    Ε
 2
 3
        "regid" : "INSTRUMENTATION_SET_MANUAL_TRIP_TEMPERATURE",
        "parent_reqid" :"INSTRUMENTATION_TRIP_TEMPERATURE",
 4
 5
                    :"RFP [10]"
        "fulltext" : "Upon MAINTENANCE & TEMPERATURE_MODE = 2Instrumentation shall, until
               → MAINTENANCE & !(TEMPERATURE_MODE = 2), satisfy TRIP_TEMPERATURE",
        "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
              → first point in the interval if <b><i>(MAINTENANCE & TEMPERATURE_MODE = 2)</i></b
              \hookrightarrow > is true and any point in the interval where <b><i>(MAINTENANCE &
              → TEMPERATURE_MODE = 2)</i></b> becomes true (from false).\nREQUIRES: for every
              \hookrightarrow trigger, RES must remain true until (but not necessarily including) the point
              \hookrightarrow where the stop condition holds, or to the end of the interval. If the stop
              ← condition never occurs, RES must hold until the end of the scope, or forever. If

→ the stop condition holds at the trigger, the requirement is satisfied."

 8
 9
10
        "reqid" : "INSTRUMENTATION_SENSOR_TRIP_PRESSURE",
        "parent_regid" : "INSTRUMENTATION_TRIP_PRESSURE",
11
        "rationale": "RFP [1]",
12
        "fulltext": "Upon MAINTENANCE & PRESSURE_MODE = 1Instrumentation shall, until MAINTENANCE
13

→ & !(PRESSURE_MODE = 1), satisfy (if SENSOR_PRESSURE > SETPOINT_PRESSURE then

              ← TRIP_PRESSURE) & (if TRIP_PRESSURE then SENSOR_PRESSURE > SETPOINT_PRESSURE)",
        "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
14
              → first point in the interval if <b><i>(MAINTENANCE & PRESSURE_MODE = 1)</i></b>
             \hookrightarrow is true and any point in the interval where <b><i>(MAINTENANCE & PRESSURE_MODE =
             → 1)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES must
              \hookrightarrow remain true until (but not necessarily including) the point where the stop
              \hookrightarrow condition holds, or to the end of the interval. If the stop condition never
              \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop
```

```
→ condition holds at the trigger, the requirement is satisfied."

15
16
17
        "regid": "INSTRUMENTATION_SET_SETPOINT_PRESSURE",
18
        "parent_regid" : "INSTRUMENTATION_TRIP_PRESSURE",
         "rationale" : "RFP [8]",
19
        "fulltext" : "Upon (MAINTENANCE & SET_SETPOINT_PRESSURE) Instrumentation shall, until
20
              → MAINTENANCE & SET_SETPOINT_PRESSURE, satisfy SETPOINT_PRESSURE =
              → INPUT SETPOINT PRESSURE".
21
        "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
              → first point in the interval if <b><i>(( MAINTENANCE & SET_SETPOINT_PRESSURE ))</
              \hookrightarrow i></b> is true and any point in the interval where <b><i>(( MAINTENANCE &
              → SET_SETPOINT_PRESSURE ))</i></b> becomes true (from false).\nREQUIRES: for every
              \hookrightarrow trigger, RES must remain true until (but not necessarily including) the point
              \hookrightarrow where the stop condition holds, or to the end of the interval. If the stop
              \hookrightarrow condition never occurs, RES must hold until the end of the scope, or forever. If
              \hookrightarrow the stop condition holds at the trigger, the requirement is satisfied."
22
23
24
        "reqid" : "INSTRUMENTATION_SENSOR_TRIP_SATURATION",
25
        "parent_reqid" : "INSTRUMENTATION_TRIP_SATURATION",
        "rationale" : "RFP [3]",
26
        "fulltext" : "Upon MAINTENANCE & SATURATION_MODE = 1Instrumentation shall, until
27
               \hookrightarrow MAINTENANCE & !(SATURATION_MODE = 1) satisfy (if SATURATION_FUNCTION_VALUE <
              \hookrightarrow SETPOINT_SATURATION then TRIP_SATURATION) & (if TRIP_SATURATION then

→ SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION)",</p>
28
        "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:

→ first point in the interval if <b><i>(MAINTENANCE & SATURATION_MODE = 1)</i></b>
              \hookrightarrow is true and any point in the interval where <b><i>(MAINTENANCE &
              \hookrightarrow SATURATION_MODE = 1)</i></b> becomes true (from false).\nREQUIRES: for every
              \hookrightarrow trigger, RES must remain true until (but not necessarily including) the point
              \hookrightarrow where the stop condition holds, or to the end of the interval. If the stop
              \hookrightarrow condition never occurs, RES must hold until the end of the scope, or forever. If
              \hookrightarrow the stop condition holds at the trigger, the requirement is satisfied."
29
30
        "reqid" : "INSTRUMENTATION_SET_MANUAL_TRIP_PRESSURE",
31
32
        "parent_reqid" :"INSTRUMENTATION_TRIP_PRESSURE",
        "rationale" : "RFP [10]",
33
34
        "fulltext" : "Upon MAINTENANCE & PRESSURE_MODE = 2Instrumentation shall, until MAINTENANCE

→ & !(PRESSURE_MODE = 2), satisfy TRIP_PRESSURE",
35
        "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
              → first point in the interval if <b><i>(MAINTENANCE & PRESSURE_MODE = 2)</i></b>
              \hookrightarrow is true and any point in the interval where <br/> <i>(MAINTENANCE & PRESSURE_MODE =
              → 2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES must
              \hookrightarrow remain true until (but not necessarily including) the point where the stop
              → condition holds, or to the end of the interval. If the stop condition never
              \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop

→ condition holds at the trigger, the requirement is satisfied."

36
37
38
        "reqid" : "INSTRUMENTATION_SET_BYPASS_SATURATION",
        "parent_regid" : "INSTRUMENTATION_TRIP_SATURATION",
39
        "rationale" :"",
"fulltext" :"Upon MAINTENANCE & SATURATION_MODE = OInstrumentation shall, until
40
41
              → MAINTENANCE & !(SATURATION_MODE = 0), satisfy !TRIP_SATURATION",
42
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
              → first point in the interval if <b><i>(MAINTENANCE & SATURATION_MODE = 0)</i></b>
              \stackrel{\text{\footnotemark}}{\hookrightarrow} is true and any point in the interval where <br/> <br/>i>(MAINTENANCE &
              → SATURATION MODE = 0)</i></b> becomes true (from false).\nREQUIRES: for every
              \hookrightarrow trigger, RES must remain true until (but not necessarily including) the point
              \hookrightarrow where the stop condition holds, or to the end of the interval. If the stop
              → condition never occurs, RES must hold until the end of the scope, or forever. If
              \hookrightarrow the stop condition holds at the trigger, the requirement is satisfied.
43
44
        "regid" : "ACTUATION_LOGIC_DEVICE_O",
45
        "parent_reqid" :"",
46
```

```
47
        "rationale" : "RFP [5,6]",
        "fulltext" : "Actuation_Logic shall always satisfy ((VOTE_ACTUATE_DEVICE_0 |
48
              → MANUAL_ACTUATE_DEVICE_0) => ACTUATE_DEVICE_0) & (ACTUATE_DEVICE_0 => (

→ VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0))",
49
        "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
              → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
              → time points between (and including) the trigger and the end of the interval.'
50
51
        "reqid" : "INSTRUMENTATION_SET_SETPOINT_SATURATION",
52
        "parent_reqid" :"INSTRUMENTATION_TRIP_SATURATION",
53
        "rationale": "RFP [8]",
54
        "fulltext" : "Upon (MAINTENANCE & SET_SETPOINT_SATURATION) Instrumentation shall, until
55
              → MAINTENANCE & SET_SETPOINT_SATURATION, satisfy SETPOINT_SATURATION =
              → INPUT_SETPOINT_SATURATION",
56
        "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
              \hookrightarrow first point in the interval if <b><i>(( MAINTENANCE & SET_SETPOINT_SATURATION ))
              \hookrightarrow </i></b> is true and any point in the interval where <b><i>(( MAINTENANCE &
              → SET_SETPOINT_SATURATION ))</i></b> becomes true (from false).\nREQUIRES: for
              \hookrightarrow every trigger, RES must remain true until (but not necessarily including) the
              \hookrightarrow point where the stop condition holds, or to the end of the interval. If the stop
                  condition never occurs. RES must hold until the end of the scope, or forever.
              \hookrightarrow If the stop condition holds at the trigger, the requirement is satisfied."
57
58
        "reqid" : "INSTRUMENTATION_SET_BYPASS_PRESSURE",
59
60
        "parent_reqid" : "INSTRUMENTATION_TRIP_PRESSURE",
61
        "rationale": "RFP [9]",
"fulltext": "Upon MAINTENANCE & PRESSURE_MODE = 0Instrumentation shall, until MAINTENANCE
62

→ & !(PRESSURE_MODE = 0), satisfy !TRIP_PRESSURE",
63
        "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
              → first point in the interval if <b><i>(MAINTENANCE & PRESSURE_MODE = 0)</i></b>
              \hookrightarrow is true and any point in the interval where <br/> <i>(MAINTENANCE & PRESSURE_MODE =
              → 0)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES must
              \hookrightarrow remain true until (but not necessarily including) the point where the stop
              → condition holds, or to the end of the interval. If the stop condition never
              \hookrightarrow occurs, RES must hold until the end of the scope, or forever. If the stop

→ condition holds at the trigger, the requirement is satisfied.

64
65
        "reqid" : "INSTRUMENTATION_SET_MANUAL_TRIP_SATURATION",
        "parent_reqid" : "INSTRUMENTATION_TRIP_SATURATION",
67
        "rationale" : "RFP [10]",
68
69
        "fulltext" : "Upon MAINTENANCE & SATURATION_MODE = 2Instrumentation shall, until

→ MAINTENANCE & !(SATURATION_MODE = 2), satisfy TRIP_SATURATION",

        "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
70
              → first point in the interval if <b><i>(MAINTENANCE & SATURATION_MODE = 2)</i></b>
              \hookrightarrow is true and any point in the interval where <b><i>(MAINTENANCE &
              → SATURATION_MODE = 2)</i></b> becomes true (from false).\nREQUIRES: for every
              → trigger, RES must remain true until (but not necessarily including) the point
              → where the stop condition holds, or to the end of the interval. If the stop
              → condition never occurs, RES must hold until the end of the scope, or forever. If

    → the stop condition holds at the trigger, the requirement is satisfied."

71
72
73
        "regid" : "ACTUATION_LOGIC_VOTE_TEMPERATURE";
        "parent_regid" : "ACTUATION_LOGIC_VOTE_DEVICE_0",
74
        "rationale": "RFP Actuation Logic Architecture, [2,4]",
"fulltext": "Actuation_Logic shall always satisfy (((TRIP_TEMPERATURE_0 &
75
76
              → TRIP_TEMPERATURE_1) | ((TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1) & (
              → TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3)) | (TRIP_TEMPERATURE_2 &
              → TRIP_TEMPERATURE_3)) => VOTE_TRIP_TEMPERATURE) & (VOTE_TRIP_TEMPERATURE => ((
              → TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1) | ((TRIP_TEMPERATURE_0 |
              → TRIP_TEMPERATURE_1) & (TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3)) | (
              → TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3)))",
        \hbox{\tt "description"} : \hbox{\tt "ENFORCED: in the interval defined by the entire execution.} \\ \hbox{\tt `nTRIGGER:}
77
              \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
              \hookrightarrow time points between (and including) the trigger and the end of the interval."
```

```
78
 79
 80
          "reqid" : "ACTUATION_LOGIC_DEVICE_1",
          "parent_reqid" :"",
 81
          "rationale": "RFP [5,6]",
"fulltext": "Actuation_Logic shall always satisfy (VOTE_ACTUATE_DEVICE_1 |
 82
 83
                 → MANUAL_ACTUATE_DEVICE_1 => ACTUATE_DEVICE_1) & (ACTUATE_DEVICE_1 => 
→ VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1)",
 84
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                 \stackrel{	extstyle 	o}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                 \hookrightarrow time points between (and including) the trigger and the end of the interval.'
 85
 86
          "reqid" : "ACTUATION_LOGIC_VOTE_PRESSURE",
 87
          "parent_reqid" :"ACTUATION_LOGIC_VOTE_DEVICE_O",
"rationale" :"RFP Actuation Logic Architecture, [1,4]",
 88
 89
          "fulltext" :"Actuation_Logic shall always satisfy (IF ((TRIP_PRESSURE_0 & TRIP_PRESSURE_1

\( \to \) | ((TRIP_PRESSURE_0 | TRIP_PRESSURE_1) & (TRIP_PRESSURE_2 | TRIP_PRESSURE_3))

\( \to \) | (TRIP_PRESSURE_2 & TRIP_PRESSURE_3)) THEN VOTE_TRIP_PRESSURE) & (IF
 90
                → VOTE_TRIP_PRESSURE THEN ((TRIP_PRESSURE_0 & TRIP_PRESSURE_1) | ((TRIP_PRESSURE_
→ 0 | TRIP_PRESSURE_1) & (TRIP_PRESSURE_2 | TRIP_PRESSURE_3)) | (TRIP_PRESSURE_2 &

→ TRIP PRESSURE 3)))".
 91
          \hbox{"description"}: \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\backslash$nTRIGGER:}
                 ← first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                 \hookrightarrow time points between (and including) the trigger and the end of the interval."
 92
 93
 94
          "reqid" : "INSTRUMENTATION_TRIP_TEMPERATURE",
 95
          "parent_reqid" :""
          "rationale" : "RFP [3,10]",
 96
          "fulltext" : "Instrumentation shall always satisfy true",
 97
 98
          \hbox{"description"}: \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\backslash$nTRIGGER:}
                 \hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
                 \hookrightarrow time points between (and including) the trigger and the end of the interval."
99
100
101
          "reqid" : "INSTRUMENTATION_RESET",
102
          "parent_reqid" :"",
          "rationale":"",
103
104
          "fulltext" : "AFTER RESET Instrumentation shall immediately satisfy (MAINTENANCE &
                 → PRESSURE_TRIP_MODE = 0& TEMPERATURE_TRIP_MODE = 0& SATURATION_TRIP_MODE = 0)",
          "description" : "ENFORCED: in the interval (if defined) starting strictly after the first
105

→ first point in the interval.\nREQUIRES: for every trigger, if trigger holds

→ then RES also holds at the same time point."

106
107
          "reqid" : "INSTRUMENTATION_TRIP_SATURATION",
108
109
          "parent_regid" :"",
          "rationale": "RFP [2,10]",
"fulltext": "Instrumentation shall always satisfy true",
110
111
112
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
                 → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

    → time points between (and including) the trigger and the end of the interval.

113
114
          "reqid" : "CORE_UI_INSTRUMENTATION",
115
          "parent_reqid" :""
116
           "rationale" : "RFP [11,12,13]",
117
          "fulltext" : "Core shall always satisfy forAll_instr_i & INSTRUMENTATION_i_PRESSURE =
118
                 → UI_i_PRESSURE & INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE &
                 → INSTRUMENTATION_i_SATURATION = UI_i_SATURATION &
                 → INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE &
                → INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE &
                → INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE &
                 \hookrightarrow {\tt INSTRUMENTATION\_i\_TRIP\_TEMPERATURE} = {\tt UI\_i\_TRIP\_TEMPERATURE} \&
                 → INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION".
119
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
```

```
\hookrightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               ← time points between (and including) the trigger and the end of the interval."
120
121
122
          "reqid" : "SELF_TEST",
          "parent_reqid" :"",
123
          "rationale":"",
"fulltext":"Upon TEST_FAIL Core shall always satisfy OUTPUT_TEST_FAIL",
124
125
126
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               → first point in the interval if <b><i>(TEST_FAIL)</i></b> is true and any point

→ in the interval where <b><i>(TEST_FAIL)</i></b> becomes true (from false).\

               \hookrightarrow nREQUIRES: for every trigger, RES must hold at all time points between (and
               \hookrightarrow including) the trigger and the end of the interval."
127
128
          "reqid" : "INSTRUMENTATION_SET_MAINTENANCE",
129
          "parent_reqid" :"",
130
         "rationale": "RFP [7]",
"fulltext": "Upon SET_MAINTENANCE Instrumentation shall, until UNSET_MAINTENANCE, satisfy
131
132

→ MAINTENANCE"

133
          "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
               ← first point in the interval if <b><i>(SET_MAINTENANCE)</i></b> is true and any
               \hookrightarrow point in the interval where <b<i>(SET_MAINTENANCE)</i><br/>/i><br/>/b> becomes true (from
               \hookrightarrow false).\nREQUIRES: for every trigger, RES must remain true until (but not
               \hookrightarrow necessarily including) the point where the stop condition holds, or to the end
               \hookrightarrow of the interval. If the stop condition never occurs, RES must hold until the end
               \,\hookrightarrow\, of the scope, or forever. If the stop condition holds at the trigger, the
               \hookrightarrow requirement is satisfied."
134
135
136
          "reqid" : "ACTUATION_LOGIC_MANUAL_DEVICE_O",
137
          "parent_reqid" : "ACTUATION_LOGIC_DEVICE_0",
138
          "rationale" : "RFP 6",
139
          "fulltext" : "Upon SET_MANUAL_ACTUATE_DEVICE_0 Actuation_Logic shall, until
                → UNSET_MANUAL_ACTUATE_DEVICE_0, satisfy MANUAL_ACTUATE_DEVICE_0",
140
          "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               → first point in the interval if <b><i>(SET_MANUAL_ACTUATE_DEVICE_0)</i></b> is

    → true and any point in the interval where <b><i>(SET_MANUAL_ACTUATE_DEVICE_0)</i>

               \hookrightarrow ></b> becomes true (from false).\nREQUIRES: for every trigger, RES must remain
               → true until (but not necessarily including) the point where the stop condition
               \hookrightarrow holds, or to the end of the interval. If the stop condition never occurs, RES
               \hookrightarrow must hold until the end of the scope, or forever. If the stop condition holds at

    → the trigger, the requirement is satisfied."

141
142
          "reqid" : "ACTUATION_LOGIC_VOTE_SATURATION";
143
144
          "parent_reqid" : "ACTUATION_LOGIC_VOTE_DEVICE_1",
                      :"RFP Actuation Logic Architecture, [3,4]",
145
          "fulltext" : "Actuation_Logic shall always satisfy (((TRIP_SATURATION_0 & TRIP_SATURATION_
146

→ 1) | (( TRIP_SATURATION_0 | TRIP_SATURATION_1) & (TRIP_SATURATION_2 |

                → TRIP_SATURATION_3)) | (TRIP_SATURATION_2 & TRIP_SATURATION_3)) =>
               → VOTE_TRIP_SATURATION) & (VOTE_TRIP_SATURATION => ((TRIP_SATURATION_0 &
               → TRIP_SATURATION_1) | (( TRIP_SATURATION_0 | TRIP_SATURATION_1) & (
               → TRIP_SATURATION_2 | TRIP_SATURATION_3)) | (TRIP_SATURATION_2 & TRIP_SATURATION_3
147
          "description": "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
               \stackrel{\circ}{\hookrightarrow} first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
               → time points between (and including) the trigger and the end of the interval."
148
149
          "reqid" : "ACTUATION_LOGIC_MANUAL_DEVICE_1",
150
          "parent_regid" : "ACTUATION_LOGIC_DEVICE_1",
151
          "rationale" :"RFP 6",
152
          "fulltext" : "Upon SET_MANUAL_ACTUATE_DEVICE_1 Actuation_Logic shall, until
153
               → UNSET_MANUAL_ACTUATE_DEVICE_1, satisfy MANUAL_ACTUATE_DEVICE_1",
          "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:

→ first point in the interval if <b><i>(SET_MANUAL_ACTUATE_DEVICE_1)</i></b>
154
               \hookrightarrow true and any point in the interval where <b><i>(SET_MANUAL_ACTUATE_DEVICE_1)</i
```

```
\hookrightarrow ></b> becomes true (from false).\nREQUIRES: for every trigger, RES must remain
              \hookrightarrow true until (but not necessarily including) the point where the stop condition

→ holds, or to the end of the interval. If the stop condition never occurs, RES

              → must hold until the end of the scope, or forever. If the stop condition holds at

    → the trigger, the requirement is satisfied."

155
156
         "regid" : "ACTUATION_LOGIC_VOTE_DEVICE_1",
157
         "parent_reqid" : "ACTUATION_LOGIC_DEVICE_1",
158
         "rationale" : "RFP 5",
159
         "fulltext": "Upon VOTE_TRIP_SATURATION Actuation_Logic shall always satisfy
160

    ∨OTE_ACTUATE_DEVICE_1",

161
         "description": "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
              → first point in the interval if <b><i>(VOTE_TRIP_SATURATION)</i></b> is true and
              \hookrightarrow any point in the interval where <br/>b><i>(VOTE_TRIP_SATURATION)</i></b> becomes
              \hookrightarrow true (from false).\nREQUIRES: for every trigger, RES must hold at all time
              \hookrightarrow points between (and including) the trigger and the end of the interval.
162
163
164
         "regid" : "INSTRUMENTATION SET BYPASS TEMPERATURE"
         "parent_reqid" : "INSTRUMENTATION_TRIP_TEMPERATURE",
165
         "rationale" : "RFP [9]".
166
         "fulltext" : "Upon MAINTENANCE & TEMPERATURE_MODE = 0Instrumentation shall, until
167

→ MAINTENANCE & !(TEMPERATURE_MODE = 0), satisfy !TRIP_TEMPERATURE"

168
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
              ← first point in the interval if <b><i>(MAINTENANCE & TEMPERATURE_MODE = 0)</i></b>
              → TEMPERATURE_MODE = 0)</i></b> becomes true (from false).\nREQUIRES: for every
              \hookrightarrow trigger, RES must remain true until (but not necessarily including) the point
              \hookrightarrow where the stop condition holds, or to the end of the interval. If the stop
              \hookrightarrow condition never occurs, RES must hold until the end of the scope, or forever. If
              \hookrightarrow the stop condition holds at the trigger, the requirement is satisfied."
169
170
171
         "regid" : "INSTRUMENTATION_TRIP_PRESSURE",
172
         "parent_reqid" :""
         "rationale": "RFP [1,10]",
"fulltext": "Instrumentation shall always satisfy true",
173
174
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
175

ightarrow first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
              \hookrightarrow time points between (and including) the trigger and the end of the interval."
176
177
178
         "reqid" : "ACTUATION_LOGIC_VOTE_DEVICE_0",
179
         "parent_reqid" : "ACTUATION_LOGIC_DEVICE_0",
180
         "rationale'
                    :"RFP 5",
         "fulltext" : "Upon VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION Actuation_Logic shall
181
                → always satisfy VOTE_ACTUATE_DEVICE_O",
182
         "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
              → first point in the interval if <b><i>(VOTE_TRIP_TEMPERATURE |
              → VOTE_TRIP_SATURATION)</i></b> is true and any point in the interval where <b><i

→ >(VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION)

√i></b> becomes true (from false)
              \hookrightarrow ).\nREQUIRES: for every trigger, RES must hold at all time points between (and

→ including) the trigger and the end of the interval."

183
184
         "reqid" : "INSTRUMENTATION_SENSOR_TRIP_TEMPERATURE",
185
         "parent_reqid" : "INSTRUMENTATION_TRIP_TEMPERATURE",
186
         "rationale" : "RFP [2]",
187
         "fulltext" : "Upon MAINTENANCE & TEMPERATURE_MODE = 1Instrumentation shall, until
188
              → MAINTENANCE & !(TEMPERATURE_MODE = 1), satisfy (if SENSOR_TEMPERATURE >
              → SETPOINT_TEMPERATURE then TRIP_TEMPERATURE) & (if TRIP_TEMPERATURE then

→ SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE)",
         "description" : "ENFORCED: in the interval defined by the entire execution. \nTRIGGER:
189
              → first point in the interval if <b><i>(MAINTENANCE & TEMPERATURE_MODE = 1)</i>
              \hookrightarrow > is true and any point in the interval where <b><i>(MAINTENANCE &
              → TEMPERATURE MODE = 1)</i></b>
becomes true (from false).\nREQUIRES: for every
```

```
\hookrightarrow where the stop condition holds, or to the end of the interval. If the stop

→ condition never occurs, RES must hold until the end of the scope, or forever. If

    → the stop condition holds at the trigger, the requirement is satisfied."

190
191
192
           "reqid" : "INSTRUMENTATION_SET_SETPOINT_TEMPERATURE",
          "parent_reqid":"INSTRUMENTATION_TRIP_TEMPERATURE",
"rationale":"RFP [8]",
"fulltext":"Upon (MAINTENANCE & SET_SETPOINT_TEMPERATURE) Instrumentation shall, until
193
194
195
                 → MAINTENANCE & SET_SETPOINT_TEMPERATURE, satisfy SETPOINT_TEMPERATURE = 
→ INPUT_SETPOINT_TEMPERATURE",
196
           \hbox{"description"}: \hbox{"ENFORCED: in the interval defined by the entire execution.} \\ \hbox{$\backslash$ nTRIGGER:}
                 → first point in the interval if <b><i>(( MAINTENANCE & SET_SETPOINT_TEMPERATURE )
                 \hookrightarrow )</i></b> is true and any point in the interval where <b><i>(( MAINTENANCE &
                 \hookrightarrow SET_SETPOINT_TEMPERATURE ))</i><br/>b becomes true (from false).\nREQUIRES: for
                 \hookrightarrow every trigger, RES must remain true until (but not necessarily including) the
                 \hookrightarrow point where the stop condition holds, or to the end of the interval. If the stop
                 \hookrightarrow condition never occurs, RES must hold until the end of the scope, or forever.
                 \hookrightarrow If the stop condition holds at the trigger, the requirement is satisfied."
197
198
```

# Appendix D

# SysMLv2 Model

# D.1 Top-level SysMLv2 Architecture Specification

Listing D.1: Listing SysML Model of HARDENS.

```
# Reactor Trip System (RTS) High, assurance Demonstrator
     ## project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
      ### copyright (C) 2021 Galois
     ### author: Joe Kiniry <kiniry@qalois.com>
 8
9
     * The overall shape of the Reactor Trip System (RTS) is an archetypal
     * *sense, compute, actuate* architecture. Sensors are in the 'Sensors'
     * subsystem. They are read by the 'Instrumentation' subsystem, which
     * contains four separate and independent 'Instrumentation'
     * components. The "Compute" part of the architecture is spread across
     * the 'Actuation Logic' subsystem, which contains the two 'Voting'
     * components which perform the actuation logic itself, and the 'Root'
     * subsystem which contains the core computation and I/O components, and
      st the two separate and independent devices that drive actuators.
19 package id RTS 'Reactor Trip System' {(\supseteq RTS (line 6 on page 85), RTS (line 94 on
          page 87))
      private import 'Semantic Properties'::*;
21
      import 'Project Glossary'::*;
      import 'RTS Viewpoints and Views'::*;
      import 'RTS Architecture'::*;
26
      package id Architecture 'RTS Architecture'; ( Architecture (line 223 on page 96),
            Architecture (line 17 on page 85))
27
      alias Arch for Architecture;
      package id Hardware 'RTS Hardware Artifacts';( Hardware (line 37 on page 89),
            Hardware Artifacts (line 1 on page 98),
Hardware (line 30 on page 91))
            Hardware
      alias HW for Hardware;
30
      package id Artifacts 'RTS Implementation Artifacts'; ( Implementation (line 27 on
      page 85), Artifacts (line 1 on page 90))
package id Requirements 'RTS Requirements';(
Requirements (line 31 on page 85))
31
32
      package id Properties 'RTS Properties';( Properties (line 35 on page 86))
      alias Props for Properties;
```

```
34 | package id Characteristics 'IEEE Std 603,2018 Characteristics';(☐ Characteristics (line 39 on page 86))
35 | comment TopLevelPackages about Architecture, Hardware, Properties, Characteristics
36 | /* These are the core top, level subsystems characterizing HARDEN work. */
37 |}
```

### D.2 RTS Actions

Listing D.2: Listing SysML Model of RTS\_Actions.

```
234567
      * The set of all atomic external or internal actions that the RTS
      st system can take. Note that every scenario must be describable by
      st a sequence of actions.
     package id Actions 'RTS Actions' {
       package id Internal 'RTS Internal Actions' {
 8
         action def id IA 'Intenral Action' {
           doc /* Actions internal to the RTS */
10
11
         action id Trip 'Signal Trip' : IA {
12
          in item division;
13
          in item channel;
14
15
         action id Vote 'Vote on Like Trips using Two,out,of,four Coincidence' : IA \{( \supseteq Vote \ on \ A) \in A \}
               Like Trips using Two-out-of-four Coincidence
                                                               (line 57 on page 92))
16
           in item divisions[2];
17
          in item channel;
18
19
         action id A 'Automatically Actuate Device' : IA {( Automatically Actuate Device
               (line 60 on page 93))
20
           in item device;
21
22
         action id T 'Self, test of Safety Signal Path' : IA; ( Self-test of Safety Signal Path
               (line 63 on page 93))
23456789012334567890412344567890
       }
       package id External 'RTS External Actions' {
         package 'UI Actions' {
           action def id UIA 'UI Action' {
            doc /* Actions exhibited by the RTS UI, either inbound or outbound. */
           // Odesign kiniry These should both be specializations of UIA, but {\it I}
           // don't know how to write that in SysML yet.
           action def id UI_IA 'UI Input Action';
           action def id UI_OA 'UI Output Action';
           // Input actions.
           action id A Actuate : UI_IA {
            in item actuator;
            in item on_off;
           action id M 'Set Maintenance Mode' : UI_IA {
            in item division:
            in item on_off;
           action id B 'Set Mode' : UI_IA {
            in item division;
            in item trip_mode;
           action id S 'Set Setpoint' : UI_IA {
            in item division;
            in item channel;
```

```
51
             in item value;
52
53
54
55
56
57
           action id V 'Sensor Value' : UI_IA {
             doc /* Simulate a sensor reading */
             in item division;
             in item channel:
             in item value;
58
           action id Q 'Quit' : UI_IA;
60
61
           // Output actions.
62
           action id 'Display Pressure' : UI_OA; ( Display Pressure (line 29 on page 92))
63
           action id 'Display Temperature' : UI_OA; (\supseteq Display Temperature (line 32 on
                 page 92))
64
            action id 'Display Saturation Margin' : UI_OA; ( Display Saturation Margin
           on page 92)
action id 'Display Trip Ouput Signal State' : UI_OA;
65
           action id 'Display Indication Of Channel in Bypass' : UI_OA;( Display Indication of
66
           Channel in Bypass (line 41 on page 92)) action id 'Display Actuation State' : UI_OA;
67
68
69
       }
70
```

#### D.3 RTS Characteristics

Listing D.3: Listing SysML Model of RTS\_Characteristics.

```
/**
 2
      * The IEEE 603,2018 requirements (known as "characteristics" in
 3
      * the standard) which the RTS demonstrator system must fulfill.
      */
 4
5
     package id Characteristics 'IEEE Std 603,2018 Characteristics' {( Characteristics
       (line 39 on page 86))
requirement def 'Requirements Consistency' {( Requirements Consistency (line 40 on
 6
            page 102))
 \gamma
         \operatorname{doc} /* Requirements must be shown to be consistent. */
 8
 9
       requirement def 'Requirements Colloquial Completeness' {( Requirements Colloquial Completeness (line 47 on page 102))
10
         doc /* The system must be shown to fulfill all requirements. */
11
12
       requirement def 'Requirements Formal Completeness' {( Requirements Formal Completeness
             (line 52 on page 103))
13
         doc /* Requirements must be shown to be formally complete. */
14
15
       requirement def 'Instrumentation Independence' {( Instrumentation Independence
             (line 58 on page 103))
16
17
         \verb"doc'* Independence among the four divisions of instrumentation (inability
               for the behavior of one division to interfere or adversely affect the
18
               performance of another). */
19
20
       requirement def 'Channel Independence' (( Channel Independence (line 66 on page 103))
21
         doc /* Independence among the two instrumentation channels within a division
22
                (inability for the behavior of one channel to interfere or adversely
23
                affect the performance of another). */
24
25
       requirement def 'Actuation Independence' {( Actuation Independence (line 74 on
            page 103))
26
27
         doc /* Independence among the two trains of actuation logic (inability for
               the behavior of one train to interfere or adversely affect the
28
               performance of another). */
29
       requirement def 'Actuation Correctness' {( Actuation Correctness
                                                                               (line 82 on
            page 103))
```

```
31 | doc /* Completion of actuation whenever coincidence logic is satisfied or
32 | manual actuation is initiated. */
33 | requirement def 'Self,Test/Trip Independence' {( Self-Test/Trip Independence on page 103))}
35 | doc /* Independence between periodic self, test functions and trip functions
36 | (inability for the behavior of the self, testing to interfere or
37 | adversely affect the trip functions). */
38 | }
39 |
```

### D.4 RTS Contexts

Listing D.4: Listing SysML Model of RTS\_Contexts.

```
package 'RTS System Contexts' {
 23456789
       import 'RTS Architecture'::*;
       import 'Kiniry RTS System Architecture Draft'::*;
       // This specification is meant to frame the RTS in the larger context of
       // deployment into a Nuclear Power Plant.
       // Definitions of system contexts.
10
11
12
13
14
15
       // Introduce the RTS context.
       part def 'Reactor Trip System Context';
       alias RTSC for 'Reactor Trip System Context';
       // Introduce the NPP context.
       part def 'Nuclear Power Plant Context';
16
17
       alias NPPC for 'Nuclear Power Plant Context';
18
19
       part def 'Nuclear Power Plant Operator';
       part def 'Nuclear Power Plant Certifier';
20
21
22
23
24
25
26
27
28
29
31
32
31
32
35
       // Definitions of relevant connections
       connection def 'Digital Instrumentation and Control' {
         end: RTSC[1];
         end: NPPC[1];
       alias DIandC for 'Digital Instrumentation and Control';
       connection def 'NPP Operation' {
         end: 'Nuclear Power Plant Operator'[*];
         end: DIandC[1];
       connection def 'NPP Certification Authority' {
         end: 'NPPC'[1];
         end: 'Nuclear Power Plant Certifier'[1..*];
36
37
```

### D.5 RTS Glossary

Listing D.5: Listing SysML Model of RTS\_Glossary.

```
1 /*
```

```
# Reactor Trip System (RTS) High, assurance Demonstrator
      ## project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
      ### copyright (C) 2021,2022 Galois
 456789
      ### author: Joe Kiniry <kiniry@qalois.com>
     // @see https://github.com/GaloisInc/HARDENS/issues/30
     package id Glossary 'Project Glossary' {(☐ Glossary
                                                             (line 1 on page 93))
       // @design Eliminate all redundancy with concepts in KerML or SysML domain
12
       // libraries.
13
       private import ScalarValues::*;
14
15
       private import KerML::*;
16
       // Original proposal glossary.
17
       part def BlueCheck; (☐ BlueCheck
                                          (line 10 on page 93))
18
       /** A formal, state, based specification language that focuses on the
19
           specification of the interfaces of discrete modules in a system, and
20
           often times includes model, based specification constructs to improve
21
           usability and expressivity. */
22
       abstract item id BISL 'Behavioral Interface Specification Language'; ( BISL (line 4 on
            page 93))
23
       abstract part def Computer;
24
25
       abstract part def Coq;(☐ Coq
                                       (line 15 on page 93))
       abstract part def Cryptol; (☐ Cryptol (line 25 on page 93))
26
       abstract item def DevSecOps;(☐ DevSecOps (line 35 on page 93))
27
       abstract item def id DIANC 'Digital Instrumentation and Control Systems'; ( DIANDC
             (line 43 on page 93))
28
       /** The NASA Formal Requirements Elicitation Tool is used to make writing,
29
           understanding, and debugging formal requirements natural and
30
31
       part def id FRET 'Formal Requirements Elicitation Tool';( FRET (line 54 on page 94))
32
       /** An Instruction Set Architecture, or ISA for short, is the set of
33
           instructions that a given kind of CPU can understand. Example ISAs
34536
3738
3941
445
445
449
455
555
555
555
59
           include x86, x64, MIPS, RISC, RISC, V, AVR, etc. */
       attribute def id ISA 'Instruction Set Architecture';
       /** A specification language integrated with support tools and an
          automated theorem prover, developed at the Computer Science Laboratory
           of SRI International. PVS is based on a kernel consisting of an
           extension of Church's theory of types with dependent types, and is
           fundamentally a classical typed higher, order logic. */
       part def PVS;(☐ PVS (line 59 on page 94))
       /** RISC, V (pronounced ''risk, five'') is an open standard instruction set
          architecture (ISA) based on established reduced instruction set
           computer (RISC) principles. Unlike most other ISA designs, the RISC, V
           ISA is provided under open source licenses that do not require fees to
           use. A number of companies are offering or have announced RISC, V
          hardware, open source operating systems with RISC, V support are
          available and the instruction set is supported in several popular
           software toolchains. */
       attribute def RISC_V_ISA :> ISA;
       /** A formal specification language that uses hierarchical finite state
           machines to specify system requirements. */
       part def id RSML 'Requirements State Modeling Language';( RSML
       /** The Boolean satisfiability problem (sometimes called propositional
          satisfiability problem and abbreviated SAT) is the problem of
           determining if there exists an interpretation that satisfies a given
          Boolean formula. */
       abstract item def SAT;(☐ SAT (line 80 on page 94))
       /** The proof script language is used to specify the assumptions and proof
60
          goals of formal verifications to the SAW tool. */
61
       part def SAWscript; ( SAWscript (line 86 on page 94))
62
       /** A CPU or SoC that is implemented in an HDL and synthesized to a
63
          bitstream and loaded onto an FPGA. */
64
65
       abstract item def 'Soft Core' {
         // size: estimated number of gates
         // complexity: measured complexity metric
```

```
67
          // hdls: which HDLs are used in the design
 68
 69
         /** A formally defined computer programming language based on the Ada
 70
            programming language, intended for the development of high integrity
 71
72
             software used in systems where predictable and highly reliable
            operation is essential. It facilitates the development of applications
 73
74
75
76
             that demand safety, security, or business integrity. */
        part def SPARK; (☐ SPARK (line 94 on page 94))
         /** An integrated development environment for formally specifying and
            rigorously analyzing requirements. */
 \gamma\gamma
         part def SpeAR; ( SpeAR (line 101 on page 94))
 78
79
         /** VCC is a program verification tool that proves correctness of
            annotated concurrent C programs or finds problems in them. VCC extends
 80
            \it C with design by contract features, like pre, and postcondition as
 81
            well as type invariants. Annotated programs are translated to logical
 82
            formulas using the Boogie tool, which passes them to an automated SMT
 83
            solver Z3 to check their validity. */
        part def id VCC 'Verifier for Concurrent C'; ( VCC (line 105 on page 94))
 85
         /** A software toolchain that includes static analyzers to check
 86
            assertions about a C program; optimizing compilers to translate a C
 87
            program to machine language; and operating systems and libraries to
            supply context for the C program. The Verified Software Toolchain
 89
            project assures with machine, checked proofs that the assertions
 90
            claimed at the top of the toolchain really hold in the
 91
            92
        part def id VST 'Verified Software Toolchain';( VST (line 113 on page 95))
 93
 94
95
         // Mathematical modeling concepts in RDE.
        abstract item def Refinement:> Relationship;( Refinement (line 122 on page 95))
abstract item def Property:> BooleanExpression;( Property (line 124 on page 95))
abstract item def 'Safety Property' :> Property;( Safety Property (line 126 on
 96
 97
              page 95))
 98 |
        abstract item def 'Correctness Property' :> Property; (☐ Correctness Property
              on page 95))
 99 |
        abstract item def 'Security Property' :> Property; ( Security Property (line 132 on
              page 95))
100
         abstract item def Model;(☐ Model (line 135 on page 95))
         abstract item def 'Semi, Formal Model' :> Model; ( Semi-Formal Model (line 137 on
101
              page 95))
102
         abstract item def 'Formal Model' :> Model;(☐ Formal Model (line 140 on page 95))
         abstract item def Consistent :> Property;( Consistent (line 143 on page 95))
103
\begin{array}{c} 104 \\ 105 \end{array}
         abstract item def Complete :> Property;( Complete (line 146 on page 95))
        abstract item def 'Consistent Model' :> Consistent, Model;(☐ Consistent Model
                                                                                                (line 149
              on page 95))
106
         abstract item def 'Complete Model' :> Complete, Model; ( Complete Model (line 152 on
              page 95))
107
         abstract item def 'Consistent and Complete Model' :> 'Consistent Model', 'Complete Model';
108
         abstract item def Denotational;(☐ Denotational (line 173 on page 95))
109
        abstract item def Operational;(☐ Operational (line 175 on page 95))
abstract item def Semantics;(☐ Semantics (line 177 on page 95))
110
111
         /** A specification that has a precise, unambiguous, formal semantics
112
            grounded in real world formal foundations and systems engineering
113
            artifacts, such as source code and hardware designs. */
114
115
        abstract item def Rigorous; ( Rigorous (line 187 on page 96)) abstract item def Deterministic; ( Deterministic (line 208 on page 96))
116
         abstract item def 'Non,deterministic';( Non-deterministic (line 210 on page 96))
117
         abstract part def id FM 'Formal Method';(☐ FM (line 232 on page 96))
\begin{array}{c} 118 \\ 119 \end{array}
         // Systems modeling concepts in RDE.
120
         // Odesign Probably in KerML or SysML domain libraries.
121
         abstract item def Requirement; ( Requirement (line 155 on page 95))
        abstract item def Scenario; ( Scenario ( (line 157 on page 95)) abstract item def Product; ( Product ( (line 159 on page 95))
122
123
124
         abstract item def 'Product Line'; ( Product Line (line 161 on page 95))
125
         abstract item def Configure; ( Configure (line 163 on page 95))
126
        part def DOORS;(\supseteq DOORS (line 165 on page 95))
127
         part def Clafer; ( Clafer (line 167 on page 95))
        part def Lobot; (☐ Lobot (line 169 on page 95))
```

```
129
        abstract item def id FSM 'Finite State Machine'; ( FSM (line 206 on page 96))
130
        abstract item def id DFSM 'Deterministic Finite State Machine' ( DFSM (line 212 on
              page 96))
131
          :> FSM, Deterministic;
132
        abstract item def id NFSM 'Non,deterministic Finite State Machine' ( NFSM (line 215 on
          page 96))
:> FSM, 'Non,deterministic';
133
134
135
        abstract item def id ASM 'Abstract State Machine';( ASM (line 218 on page 96))
        abstract part def Design; (☐ Design (line 221 on page 96))
136
        abstract part def Architecture; ( Architecture (line 223 on page 96), Architecture
              (line 17 on page 85))
137
        abstract part def Specification; (☐ Specification (line 225 on page 96))
        abstract part def 'Architecture Specification' :> Specification; ( Architecture
138
        Specification (line 227 on page 96))
abstract part def System;(☐ System (line 255 on page 97))
139
140
        abstract part def 'Distributed System' :> System; ( Distributed System (line 257 on
             page 97))
141 |
        abstract part def 'Concurrent System' :> System; (☐ Concurrent System (line 260 on
              page 97))
142
143
144
145
146
147
148
149
150
        abstract part def Algorithm;
        abstract part def Program; (☐ Program (line 290 on page 97))
        // Concepts related to measurable abstractions of systems.
        abstract item def Risk;(☐ Risk (line 179 on page 96))
abstract item def Power;(☐ Power (line 181 on page 96))
        abstract item def Resource; (☐ Resource (line 183 on page 96))
        abstract item def Reliability; ( Reliability (line 185 on page 96))
151
        // Assurance concepts and techonlogies.
152
        abstract item def id CDE 'Collaborative Development Environment'; ( CDE (line 192 on
             page 96))
        page 307)
abstract item def id CI 'Continuous Integration'; ( CI (line 194 on page 96))
abstract item def id CV 'Continuous Verification'; ( CV (line 22 on page 86),
153 I
154
             (line 196 on page 96))
155 |
        abstract item def Analyzer; (☐ Analyzer (line 198 on page 96))
156
        abstract item def 'Static Analyzer' :> Analyzer; ( | Static Analyzer (line 200 on
              page 96))
157 |
        abstract item def 'Dynamic Analyzer' :> Analyzer; ( Dynamic Analyzer (line 203 on
              page 96))
        abstract part def Solver; ( Solver (line 230 on page 96)) abstract part def id LF 'Logical Framework'; ( LF (line 234 on page 96))
158
159
160
        abstract item def 'High, Assurance'; ( High-Assurance (line 308 on page 98))
161
162
         // Concepts relevant to languages and protocols.
163
        abstract part def Language;
164
        abstract part def 'Specification Language' :> Language; ( Specification Language
              (line 238 on page 96))
        abstract part def Protocol;(☐ Protocol (line 240 on page 96))
165
        abstract part def 'System Specification' :> Specification; ( System Specification
166
              (line 242 on page 96))
167
        abstract item def 'Hand, written'; ( Hand-written (line 245 on page 97))
168
         abstract item def 'Machine,generated';( Machine-generated (line 247 on page 97))
169
        abstract part def 'Source, level Specification Language' ( Source-level Specification
              Language (line 249 on page 97))
170
          :> 'Specification Language';
        abstract part def 'Model, based Specification Language' (☐ Model-based Specification Language (line 252 on page 97))
171
172
          :> 'Specification Language';
173
        abstract item def Cryptological;
        abstract item def 'Cryptographic Protocol' :> Protocol, Cryptological;(☐ Cryptographic Protocol (line 263 on page 97))
174
175 |
        abstract item def 'Cryptographic Algorithm' :> Algorithm, Cryptological;( Cryptographic
              Algorithm
                         (line 266 on page 97))
176
177
        // Software engineering.
        abstract item def id PL 'Programming Language' :> Language; ( PL (line 236 on page 96))
178
179
        abstract item def 'Source Code';
180
        abstract part def C :> 'PL';(☐ C
                                               (line 310 on page 98))
181
        abstract part def C_Source :> C, 'Source Code';
182
        abstract item def 'Object Code';
```

```
abstract item def id IR 'Intermediate Representation'; (\square IR (line 66 on page 87)) abstract item def id LLVM 'Low,Level Virtual Machine' :> IR; (\square LLVM (line 70 on
183
184
                page 87))
185
          abstract item def Compiler {(☐ Compiler (line 280 on page 97))
186
            item input: Language[1..*];
187
           item output: Language[1..*];
188
189
190
          // Hardware design.
         abstract item def Hardware; ( Hardware (line 37 on page 89), Hardware (line 23 on page 85), Hardware (line 30 on page 91))
abstract item def SWaP {( SWaP (line 112 on page 88))
191
192
193
            // attribute size:
194
195
            // attribute weight:
           // attribute power:
196
197
          abstract item def Hard :> SWaP:
         abstract item def 'Soft Core Hardware' :> Hardware, 'Soft Core';
198
199
          abstract item def 'Physical Hardware' :> Hardware, Hard;
200
          abstract part def Synthesizer :> Compiler;(☐ Synthesizer
                                                                                     (line 282 on page 97))
201
          abstract item def id HDL 'Hardware Design Language';(☐ HDL (line 50 on page 87))
202
          abstract part def BluespecSystemVerilog :> HDL;
203
          abstract part def SystemVerilog :> HDL;(☐ SV (line 108 on page 88))
204
205
          abstract part def Verilog :> SystemVerilog;(☐ Verilog (line 134 on page 88))
          abstract part def Chisel :> HDL;
         abstract part def id CPU 'Central Processing Unit'; ( CPU (line 38 on page 91), CPU
206
                 (line 19 on page 86))
207
208
          // Hardware engineering concepts.
209
          abstract part def Component;
210
          abstract part def Switch :> Component;
211
          abstract part def Button :> Component;
212
         abstract part def Header :> Component;
213
          abstract part def Interface :> Component;
214
          abstract part def Connector :> Component;(☐ Connector (line 301 on page 97))
215
          abstract part def Memory :> Component;
          abstract part def ASIC :> Component; ( ASIC (line 13 on page 86)) abstract item def id IO 'I/O'; ( IO (line 268 on page 97))
216
217
218
          abstract part def id GPIO 'General Purpose I/O'; ( GPIO (line 46 on page 87), GPIO
                (line 270 on page 97))
219 |
          abstract part def Sensor; ( Sensors (line 49 on page 89), Sensor (line 273 on
                page 97))
220 |
          abstract part def 'Temperature Sensor';( Temperature Sensor 1 (line 51 on page 89),
          Temperature Sensor (line 46 on page 99), Temperature Sensor 2 (line 55 page 89), TS1 (line 84 on page 99), TS2 (line 87 on page 99))
abstract part def 'Pressure Sensor'; Pressure Sensor 2 (line 57 on page 89)
                                                                                                      (line 53 on
221
         Pressure Sensor (line 50 on page 99), PS2 (line 57 on page 89),
(line 90 on page 100), Pressure Sensor 1 (line 55 on page 89)

abstract part def Actuator; ( Actuator 2 (line 47 on page 89), Actuator 1 (line 45 on page 89), Actuator (line 275 on page 97), Actuators (line 43 on page 89))

abstract part def Solenoid :> Actuator; ( Solenoid (line 277 on page 97))
222 |
223
224
225
          abstract item def Bus:
          abstract part def id USB 'Universal Serial Bus' :> Bus;(\supseteq USB (line 124 on page 88),
          USB (line 284 on page 97))
abstract part def LED;( LED (line 286 on page 97))
abstract part def Cable;( Cable (line 288 on page 97))
226
227
          abstract part def id FPGA 'Field, Programmable Gate Array' :> ASIC; ( FPGA
228
                                                                                                           (line 38 on
         page 86), FPGA (line 294 on page 97), FPGA (line 39 on page 89)) abstract part def 'ECP,5' :> FPGA;( ECP-5 (line 296 on page 97))
229
230
          abstract part def id PCB 'Printed Circuit Board' {( PCB (line 299 on page 97))
231
           part components: Component[*];
232
233
         abstract part def 'USB Connector' :> USB, Connector; ( USB Connector (line 303 on
                page 97))
234 |
          abstract part def id USB_Mini 'USB Mini Connector' :> 'USB Connector'; ( USB-Mini
                 (line 305 on page 98))
235
          abstract part def PMOD;(☐ PMOD (line 312 on page 98))
         abstract part def JTAG :> Protocol;( JTAG (line 314 on page 98))
abstract part def Driver;( Driver (line 316 on page 98))
236
```

```
238
        port def USB_In {
239
          in item 'USB Connector';
240
241
242
243
244
245
        port def USB_Out {
          out item 'USB Connector';
         /** A normal USB cable. */
        abstract part def 'USB Cable' :> USB, Cable {(] USB Cable (line 5 on page 98), UCB
              Cable (line 320 on page 98))
246
247
248
249
250
           /** What kind of USB connector is on the start of the cable? */
           port start_connector: USB_In;
           /** What kind of USB connector is on the end of the cable? */
          port end_connector: USB_Out;
251
        port def 'Output LED' :> LED;
252
253
         // Safety, critical concepts.
254
        abstract item def Voting; (☐ Voting (line 318 c page 89), Voting 1 (line 21 on page 89))
                                                  (line 318 on page 98), Voting 2 (line 23 on
255
256
         // Artifacts specific to RDE.
257
         abstract part def id CryptolSpec 'Cryptol System Specification' (] CryptolSpec (line 3
         on page 90))
:> Cryptol, 'System Specification' {
258
259
           attribute literate: Boolean;
260
261
         attribute def Languages {
262
          attribute languages: String[*];
263
264
        abstract part def id Impl 'Implementation' {
265
          attribute languages: Languages[*];
266
267
        abstract part def id Software 'Software Implementation' ( Software (line 22 on
              page 90))
268
           :> Implementation;
269
         abstract part def id SWImpl 'Hand, written Software Implementation' ( HWImpl
                              SWImpl
              on page 91),
                                        (line 24 on page 90))
270
           :> Software, 'Hand, written';
271
        abstract part def id SynthSW 'Synthesized Software Implementation' (☐ SynthSW on page 90), SynthHW (line 35 on page 91))
                                                                                                  (line 27
272
           :> Software, 'Machine, generated';
273
         abstract part def 'Hardware Implementation';( Hardware (line 30 on page 91))
274
        abstract part def id HWImpl 'Hand, written Hardware Implementation'; ( HWImpl
                                                                                                (line 32
              on page 91), SWImpl
                                        (line 24 on page 90))
        abstract part def id SynthHW 'Synthesized Hardware Implementation';(

SynthSW (line 27 on page 90), SynthHW (line 35 on page 91))

abstract part def id Binary 'Software Binaries' {(
Binaries (line 46 on page 91))
275 |
276
277
          attribute verified_compilation: Boolean;
278
          attribute secure_compilation: Boolean;
279
          attribute isa: ISA;
280
281
        part def RISCV_Binary :> Binary {
282
          // :>> isa = RISC_V_ISA;
283
284
        abstract part def id Bitstream 'FPGA Bitstream' {( Bitstream (line 50 on page 91),
              Bitstream (line 292 on page 97))
285
           attribute proprietary_flow: Boolean;
286
287
288
         // NRC concepts.
289
        abstract part def 'NRC Certification Regulations';
290
```

#### D.6 RTS Hardware Artifacts

Listing D.6: Listing SysML Model of RTS\_Hardware\_Artifacts.

```
2
      * The physical hardware components that are a part of the HARDENS RTS
 3
      * demonstrator.
 4 5
      */
     package 'RTS Hardware Artifacts' {( RTS Hardware Artifacts (line 1 on page 98),
       Hardware (line 23 on page 85))
private import 'Project Glossary'::*;
       //import Architecture::RTS_System_Arch::Hardware::*;
       private import ScalarValues::*;
10
       part def 'SERDES Test SMA Connector' :> Connector; ( J9-J26 (line 12 on page 98))
       part def 'Parallel Config Header' :> Header;( 338 (line 14 on page 98))
part def 'Versa Expansion Connector' :> Connector;( 339-340 (line 16 on page 98))
11
       part def 'SPI Flag Configuration Memory' :> Memory; ( U4 (line 18 on page 98))
13
14
15
       part def 'CFG Switch' :> Switch;
       part def 'Input Switch' :> Switch;(☐ SW5 (line 22 on page 98))
16
       part def 'Output LED' :> LED; ( D5-D12 (line 24 on page 98), Output LED
       on page 98))
part def 'Input Push Button' :> Button;( SW2-SW4 (line 26 on page 98))
17
       part def '12 V DC Power Input' :> Power;
18
19
       part def 'GPIO Headers' :> Header, GPIO;(□
                                                        J32-J33 (line 30 on page 98))
       part def 'PMOD/GPIO Header' :> Header, PMOD, GPIO; [ J31 (line 32 on page 99)) part def 'Microphone Board/GPIO Header' :> Header; [ J30 (line 34 on page 99))
20
21
22
       part def 'ECP5,5G Device' :> FPGA;( U3 (line 38 on page 99))
23
24
25
       part def id DevBoard 'Lattice ECP,5 FPGA Development Board' :> PCB {( Lattice ECP-5 FGPA
26
         Development Board (line 41 on page 89), Board (line 44 opart J9_J26: 'SERDES Test SMA Connector'[16] subsets components;
                                                             Board (line 44 on page 99))
27
28
         part J38 : 'Parallel Config Header' subsets components;( J38 (line 14 on page 98))
29
         part J39_J40 : 'Versa Expansion Connector' [2] subsets components;
30
         part U4: 'SPI Flag Configuration Memory' subsets components; ( U4
         page 98))
part SW1 : 'CFG Switch' subsets components;(☐ SW1 (line 20 on page 98))
31
         part SW5 : 'Input Switch' subsets components;( SW5 (line 22 on page 98))
32
33
         part D5_D12 : 'Output LED'[8] subsets components;
34
35
         part SW2_SW4 : 'Input Push Button' [3] subsets components;
         part J37 : '12 V DC Power Input' subsets components;
36
         part J5_J8_J32_J33 : 'GPIO Headers'[4] subsets components;
37
         part J31 : 'PMOD/GPIO Header' subsets components; ( J31 (line 32 on page 99))
38
         part J30 : 'Microphone Board/GPIO Header' subsets components;(  J30  (line 34 on
         page 99))
part 'Prototype Area';( Prototype Area (line 36 on page 99))
39
         part U3 : 'ECP5,5G Device' subsets components; [ U3 (line 38 on page 99))
part J1 : 'JTAG Interface' subsets components; [ J1 (line 40 on page 99))
4012344567890
442444567890
         part J2: 'Mini USB Programming' subsets components;( J2 (line 42 on page 99))
       enum def SolenoidState {
         OPEN:
         CLOSED:
        /** A solenoid actuator capable of being in an open or closed state. */
       part def 'Solenoid Actuator' :> Actuator {( SA1 (line 99 on page 100), Solenoid Actuator (
                                                                 (line 96 on page 100),
                                                              (line 54 on page 99))
51
52
53
54
55
         item actuator_state;
         /** Open! */
         port open;
          /** Close! */
         port close;
56
```

## D.7 RTS Implementation Artifacts

Listing D.7: Listing SysML Model of RTS\_Implementation\_Artifacts.

```
1 | package id Artifacts 'RTS Implementation Artifacts' {(\supseteq Implementation
       page 85), Artifacts (line 1 on page 90))
private import ScalarValues::*;
 3
       private import 'Project Glossary'::*;
 45
       // @design Remove concepts in general Glossary that duplicate or
       // overlap with these concepts. Move abstract items to Glossary.
       on page 90))
 \frac{8}{9}
         ref item input: CryptolSpec redefines input;
        ref item output: C_Source redefines output;
10
11
      part def id CryptolToSystemVerilog 'Cryptol Hardware Compiler' :> Compiler {(☐
         CryptolToSystemVerilog (line 17 on page 90))
ref item input: CryptolSpec redefines input;
12
13
         ref item output: SystemVerilog redefines output;
14
15
       }
      part def id CPU 'COTS High, Assurance RV32I RISC, V CPU' :> CPU, RISC_V_ISA; (☐ CPU (line 38 on page 91), CPU (line 19 on page 86))
part def id CompCert 'CompCert Compiler' :> Compiler {(☐ CompCert (line 40 on page 91))
         ref item input: C_Source redefines input;
18
         ref item output: RISCV_Binary redefines output;
19
20
       part def id BSC 'Bluespec Compiler' :> Compiler {(☐ BSC (line 42 on page 91))
        ref item input: BluespecSystemVerilog redefines input;
         ref item output: SystemVerilog redefines output;
23
       }
24
       part def id SymbiFlow 'SymbiFlow Synthesizer' :> Synthesizer {(\supseteq SymbiFlow (line 44 on
         page 91))
ref item input: SystemVerilog redefines input;
25
26
        ref item output: Bitstream redefines output;
27
28
       part def id RTL 'Demonstrator Verilog';( RTL (line 92 on page 87), RTL
                                                                                            (line 48 on
       page 91))
part def 'Demonstrator Bitstream' :> Bitstream;
29
30
       package id Dataflow 'Dataflow of RTS Implementation Artifacts' {( Dataflow
                                                                                            (line 52 on
31
         private import 'RTS Implementation Artifacts'::*;
32
33
         part def 'HARDENS Cryptol System Specification' :> CryptolSpec {
34
35
          // :>> literate = true;
         // bind 'HARDENS Cryptol System Specification'.output = CryptolToC.input;
```

## D.8 RTS Physical Architecture

Listing D.8: Listing SysML Model of RTS\_Physical\_Architecture.

```
1 ///** The physical architecture of the HARDENS RTS demonstrator. */
2 package 'Physical Architecture' {(☐ Physical Architecture (line 63 on page 99))
3 import 'Project Glossary'::*;
4 import 'RTS Hardware Artifacts'::*;
6 // /** A PCB developer board used to prototype hardware. */
7 // part 'HARDENS Demonstrator Board': DevBoard;
8 // /** The USB cable used to communicate the ASCII UI to/from the board. */
```

```
| // part id UI_C 'USB UI Cable' : 'USB Cable';
// /** The USB cable used to program the board with a bitstream. */
// part id Prog_C 'USB Programming Cable' : 'USB Cable';
// /** The USB cable used to interact with the board in a debugger. */
// part id Debug_C 'USB Debugging I/O Cable' : 'USB Cable';
 // // @trace #11 https://github.com/GaloisInc/HARDENS/issues/11
// part def id MPL3115A2 'SparkFun Altitude/Pressure Sensor Breakout' :>
// PCB, 'Pressure Sensor';
// // 4x https://www.sparkfun.com/products/11084
// part def 'SparkFun MOSFET Power Control Kit' :> PCB, Power;
// // 4x https://www.sparkfun.com/products/12959
// part def id TMP102 'SparkFun Digital Temperature Sensor Breakout' :>
// PCB, 'Temperature Sensor';
// // 4x https://www.sparkfun.com/products/13314
 // part def 'Small Push, Pull Solenoid ,12VDC' :> 'Solenoid Actuator';
 //\ //\ 4x\ https://www.adafruit.com/product/412
// part def '1N4001 Diode';
 // // 1x https://www.adafruit.com/product/755
// /** The first of two redundant temperature sensors. */
 // part id TS1 'Temperature Sensor 1' : TMP102;
// /** The second of two redundant temperature sensors. */
// part id TS2 'Temperature Sensor 2' : TMP102;
// /** The first of two redundant pressure sensors. */
 // part id PS1 'Pressure Sensor 1' : MPL3115A2;
 // /** The second of two redundant pressure sensors. */
 // part id PS2 'Pressure Sensor 2' : MPL3115A2;
 // /** The first of two redundant solenoid actuators. */
 // part id SA1 'Solenoid Actuator 1' : 'Small Push, Pull Solenoid ,12VDC';
 // /** The second of two redundant solenoid actuators. */
 // part id SA2 'Solenoid Actuator 2' : 'Small Push, Pull Solenoid , 12VDC';
 // /** The computer used by a developer to interface with the demonstrator,
 /\!/\ typically\ for\ driving\ the\ demonstrator's\ UI\ and\ programming\ and
 // debugging the board. */
 // part def 'Developer Machine':> Computer;
 ///** The fully assembled HARDENS demonstrator hardware with all component present. */
// part id Demonstrator 'HARDENS Demonstrator';
// connection def DevMachineToDevBoard {
 // end: Computer;
// end: PCB;
 117
 // connection: DevMachineToDevBoard connect 'Developer Machine' to Board;
```

## D.9 RTS Properties

Listing D.9: Listing SysML Model of RTS\_Properties.

```
1
/**
2 * All correctness and security properties of the RTS system are
3 * specified in this subsystem.
4 */
5 package id Properties 'RTS Properties' {(☐ Properties (line 35 on page 86))}
6 }
```

## D.10 RTS Requirements

Listing D.10: Listing SysML Model of RTS\_Requirements.

```
/**
 23
      * All requirements that the RTS system must fulfill, as driven by the
      * IEEE 603,2018 standards and the NRC RFP.
 45
     package id Requirements 'RTS Requirements' {( Requirements (line 31 on page 85))
 6
       // Note that we do not specify documentation comments here as they
       // are specified in the Lando specification. If we do not include
 8
       // additional specifications here on the refinement from the higher, level
       /\!/\ specification\ (in\ this\ case,\ Sys ML\ refines\ Lando),\ then\ the\ higher, level
10
       // specification's comments/specifications refine too (an hence are
       // just copied verbatim).
12
       package id Requirements 'HARDENS Project High, level Requirements' {( Requirements
             (line 31 on page 85))
13
         import 'Project Glossary'::*;
14
15
         import 'RTS Stakeholders'::*;
16
17
         requirement def 'Project Requirements' {
           subject 'NRC staff' : 'NRC Customer';
19
         requirement 'NRC Understanding': 'Project Requirements'; ( NRC Understanding (line 7
               on page 102))
20 |
         requirement 'Identify Regulatory Gaps' : 'Project Requirements';( Identify Regulatory Gaps (line 13 on page 102))
requirement Demonstrate : 'Project Requirements';( Demonstrate (line 18 on
21 |
               page 102))
22 |
         requirement 'Demonstrator Parts' : 'Project Requirements'; ( Demonstrator Parts
               (line 24 on page 102))
23 |
         requirement 'Demonstrator Groundwork': 'Project Requirements'; ( Demonstrator
               Groundwork (line 28 on page 102))
\frac{24}{25}
26
      // those found in the Characteristics specification.
27
      package id Characteristics 'NRC Characteristics' {(  Characteristics (line 39 on
        page 86))
import 'Project Glossary'::*;
28
29
        import 'RTS Stakeholders'::*;
30
31
        requirement def 'NRC Characteristic' {
32
          //subject expert: 'NRC Certification SME';
33
          //subject regulation: 'NRC Certification Regulations';
34
35
        requirement 'Requirements Consistency': 'NRC Characteristic';( Requirements
                             (line 40 on page 102))
              Consistency
36 |
        requirement 'Requirements Colloquial Completeness' : 'NRC Characteristic';(
        Requirements Colloquial Completeness (line 47 on page 102))
requirement 'Requirements Formal Completeness': 'NRC Characteristic';( Requirements
Formal Completeness (line 52 on page 103))
37 |
38 |
        requirement 'Instrumentation Independence': 'NRC Characteristic'; ( Instrumentation
        Independence (line 58 on page 103))
requirement 'Channel Independence': 'NRC Characteristic';(
Channel Independence
39 |
              (line 66 on page 103))
40 |
        requirement 'Actuation Correctness': 'NRC Characteristic';( Actuation Correctness
41 |
              (line 82 on page 103))
42 |
        requirement 'Self, Test/Trip Independence': 'NRC Characteristic';( Self-Test/Trip
              {\bf Independence}
                              (line 89 on page 103))
43
44
45
46
48
      /\!/\ \mathit{Note that formal requirements expressed externally must be traceable}
      \ensuremath{/\!/} to this system model, but need not be repeated in whole here. Model
      // elements that are expressed in both the \mathit{SysML} and \mathit{FRET} models must
      // be in a refinement relationship with each other (e.g., in this case study, // SysML \sqsubseteq FRET.
      package 'Formal Requirements' {
        import 'Project Glossary'::*;
```

```
51 | requirement def id FRET 'FRET Requirements' {(☐ FRET (line 54 on page 94))
52 | doc /* RTS requirements formalized in the FRET tool. */
53 | }
54 | 55 | requirement ACTUATION_ACTUATOR_0 : FRET;
56 | }
57 | }
```

#### D.11 RTS Scenarios

Listing D.11: Listing SysML Model of RTS\_Scenarios.

```
234567
      * The set of all scenarios that describe interesting end, to, end executions
      st of the RTS system. The full set of scenarios must include all normal
      st behavior (online and during self, test) and exceptional behavior.
     package id Scenarios 'RTS Scenarios' {
       package id Normal 'RTS Normal Behavior Scenarios' {
 .
8
9
         import 'RTS Architecture'::'RTS System Architecture'::RTS;
10
         item def 'RTS User';
         use case def id NB 'Normal Behavior' {
           subject RTS;
13
14
15
16
17
           actor user : 'RTS User';
           objective {
             doc /* @see test_scenarios.lando */
           }
         }
18
19
20
21
22
23
24
25
26
         // @design kiniry Actually, ST should specialize NB. I don't know how
         // to express that in SysML yet.
         use case def id ST 'Normal Behavior Under Self, Test' {
             subject RTS;
             actor tester : 'RTS User';
         package 'Self,test Scenarios' {
           import Normal::ST;
           use case '1a ,Trip on Mock High Pressure Reading from that Pressure Sensor' : NB;
\tilde{27}
           use case '1b ,Trip on Environmental High Pressure Reading from that Pressure Sensor' :
                 \hookrightarrow NB;
28
           use case '2a ,Trip on Mock High Temperature Reading from that Temperature Sensor': NB;
\tilde{29}
           use case '2a ,Trip on Environmental High Temperature Reading from that Temperature
                 → Sensor': NB;
30
           use case '3a ,Trip on Mock Low Saturation Margin' : NB;
31
           use case '3a ,Trip on Environmental Low Saturation Margin' : NB;
32
33
34
35
36
37
38
39
40
           use case '4 ,Vote on Every Possible Like Trip' : NB;
           use case '5a ,Automatically Actuate All Mock Devices in Sequence' : NB;
           use case '5b ,Automatically Actuate All Mock Devices in Sequence' : NB;
           use case '6 ,Manually Actuate Each Device in Sequence' : NB;
           use case '7a ,Select Maintenance Operating Mode for each Division' : NB;
           use case '7b ,
Select Normal Operating Mode for each Division' : 
 \ensuremath{\mathtt{NB}}\xspace;
           use case '8 , Perform Each Kind of Setpoint Adjustment' : NB;
           use case '9 ,Configure Bypass of Each Instrument Channel in Sequence' : NB;
           use case '10 ,Configure Active Trip Output State of Each Instrument Channel in Sequence
                 \hookrightarrow ': NB;
           use case '11 ,Display Pressure, Temperature, and Saturation Margin' : NB;
           use case '13 ,Display Indication of Every Channel in Bypass in Sequence' : NB;
           use case '14 ,Demonstrate Periodic Continual Self, test of Safety Signal Path' : NB;
           use case 'Full Self, Test' : NB;
         package 'RTS Scenarios' {
```

```
48
49
50
51
52
53
54
55
56
57
        }
       package id Exceptional 'RTS Exceptional Behavior Scenarios' {
         use case def id EB 'Exceptional Behavior' {
           subject RTS;
           objective {
             doc /* @see test_scenarios.lando */
           }
         use case '1a ,Cause Actuator 1 to Fail' : EB;
58
59
         use case '1b ,Cause Actuator 2 to Fail' : EB;
         use case '1c ,Non,determinisitically Cause an Actuator to Eventually Fail' : EB;
60
         use case '2a ,Cause Temperature Sensor 1 to Fail' : \ensuremath{\mathtt{EB}};
61
62
         use case '2b ,Cause Temperature Sensor 2 to Fail' : EB;
         use case '2c ,Non,deterministically Cause a Temperature Sensor to Eventually Fail' : EB;
63
         use case '3a ,Cause Pressure Sensor 1 to Fail' : EB;
64
         use case '3b ,Cause Pressure Sensor 2 to Fail' : EB;
         use case '3c ,Non,deterministically Cause a Pressure Sensor to Eventually Fail' : EB;
66
         use case '4a ,Cause Instrumentation Unit 1 to Fail' : EB;
         use case '4b , Cause Instrumentation Unit 2 to Fail' : EB;
         use case '4c ,Cause Instrumentation Unit 3 to Fail' : EB;
         use case '4d ,Cause Instrumentation Unit 4 to Fail' : EB;
         use case '4e ,Non,Deterministically Cause Instrumentation Unit to Eventually Fail' : EB;
         // Oreview kinity I actually don't know if we are fault tolerant to' : EB;
72
73
74
75
76
77
         // failure in these components. Please review Cabakst.
         use case '5a ,Cause Temperature Demultiplexor 1 to Fail' : EB;
         use case '5b ,Cause Temperature Demultiplexor 2 to Fail' : EB;
         use case '5b ,Cause a Temperature Demultiplexor to Eventualy Fail' : EB;
```

#### D.12 RTS Stakeholders

Listing D.12: Listing SysML Model of RTS\_Stakeholders.

```
package 'RTS Stakeholders'
 2
 3
       // NRC Stakeholders
       part def 'NRC Customer';
 456789
       part def 'NRC Assurance SME' :> 'NRC Customer';
       part def 'NRC Certification SME' :> 'NRC Customer';
       // Galois Stakeholders
       part def 'Galois Employee' {
         attribute
           name: ScalarValues::String;
           email: ScalarValues::String;
13
       part def 'Galois PI' :> 'Galois Employee';
part def 'Galois PL' :> 'Galois Employee';
16
17
       part def 'Galois Research Engineer' :> 'Galois Employee';
       part def 'Galois Software and Assurance Research Engineer'
         :> 'Galois Research Engineer';
       part def 'Galois Hardware Research Engineer' :> 'Galois Research Engineer';
20
21
22
23
24
25
       part PI : 'Galois PI' {
         attribute
           redefines name = "Joe Kiniry";
           redefines email = "kiniry@galois.com";
26
27
       part PL : 'Galois PL' {(☐ PL (line 236 on page 96))
         attribute
```

```
redefines name = "Andrew Bivin";
          redefines email = "abivin@galois.com";
part SARE : 'Galois Software and Assurance Research Engineer' {
        attribute
          redefines name = "Alex Bakst";
          redefines email = "abakst@galois.com";
      part HRE : 'Galois Hardware Research Engineer' {
          redefines name = "Michal Podhradsky";
          redefines email = "mpodhradsky@galois.com";
      concern 'requirement traceability' {
        doc /* Will all requirements be traceable from project requirement
            * or NRC characteristic to assurance evidence demonstrated in a
             * report? */
        stakeholder 'Customer';
        stakeholder 'Galois Employee';
      // or from Galois or the Galois HARDENS team.
```

#### D.13 RTS Static Architecture

Listing D.13: Listing SysML Model of RTS\_Static\_Architecture.

```
/**
 2
     * This RTS architecture specification includes all of the core
 \tilde{3}
      *\ concepts\ inherent\ to\ \textit{NPP Instrumentation and Control systems}.
      * A system architecture specification often includes a software,
 45
6
      st hardware, network, and data architecture specifications.
     package id Architecture 'RTS Architecture' {( Architecture (line 223 on page 96),
           Architecture
                          (line 17 on page 85))
 \frac{8}{9}
       //import RTS::*;
       //import 'Project Glossary'::*;
10
11
       //import Artifacts::*;
       //import 'RTS Hardware Artifacts'::*;
12
13
14
15
       part def Base_RTS_System_Architecture_Context {
       // overall RTS architecture shape from
16
       /** Note that this is the *systems* architecture, which is different
18
           than our software, hardware, or data architectures. */
19
       package id RTS_System_Arch 'RTS System Architecture' {(\supseteq RTS_System_Arch (line 3 on
            page 88))
20
21
         package Sensor {( Sensors (line 49 on page 89), Sensor (line 273 on page 97))
22
          private import Quantities::*;
23
24
25
26
27
28
29
           /** Generic sensor port */
           port def SensorOutPort {
               out value : ScalarQuantityValue;
           /** Generic sensor */
30
           part def GenericSensor {
             attribute currentValue : ScalarQuantityValue;
```

```
attribute sensorAddress : ScalarValues::Integer;
33
34
35
36
37
38
39
44
44
45
46
47
48
49
55
55
55
55
57
               port output: SensorOutPort;
              * A demultiplexer for sending one sensor signal to multiple
              part def Demux {
               port input: ~SensorOutPort;
                // Using vector notation doesn't seem to work in connections
                port output1: SensorOutPort;
                port output2: SensorOutPort;
             }
           /** A generic temperature sensor. */
           package TempSensor {
              import Sensor::*;
              import ISQThermodynamics::TemperatureValue;
              /** Temperature port */
              port def TemperatureOutPort :> SensorOutPort {
                  redefines value: TemperatureValue;
58
              /** A sensor that is capable of measuring the temperature of its environment. */
             part def 'Temperature Sensor': > GenericSensor {(] Temperature Sensor 1 (line 51 on page 89), Temperature Sensor (line 46 on page 99), Temperature Sensor 2 (line 53 on page 89), TS1 (line 84 on page 99), TS2 (line 87 on page 99))

/** What is your temperature reading in Celsius (C)? */
59
60
61
                redefines currentValue: TemperatureValue;
62
               redefines output: TemperatureOutPort;
63
64
65
             part def TempDemux :> Demux {
66
               redefines input: ~TemperatureOutPort;
                redefines output1: TemperatureOutPort;
67
68
                redefines output2: TemperatureOutPort;
69
70
71
           }
72
           /** A generic pressure sensor. */
           package PressureSensor {(☐ Pressure Sensor 2 (line 57 on page 89), Pressure Sensor (line 50 on page 99), PS2 (line 93 on page 100), PS1 (line 90 on page 100), Pressure Sensor 1 (line 55 on page 89))
73
74
75
76
77
78
79
              import Sensor::*;
              import ISQMechanics::PressureValue;
              /** Pressure port */
              port def PressureOutPort :> SensorOutPort {
                  redefines value: PressureValue;
80
81
82
              /** A sensor that is capable of measuring the air pressure of its environment. */
83
             part def 'Pressure Sensor' :> GenericSensor {(] Pressure Sensor 2 (line 57 on page 89), Pressure Sensor (line 50 on page 99), PS2 (line 93 on page 100), PS1 (line 90 on page 100), Pressure Sensor 1 (line 55 on page 89))
                /** What is your pressure reading in Pascal (P)? */
                redefines currentValue: PressureValue;
86
               redefines output: PressureOutPort;
87
88
89
              part def PressureDemux :> Demux {
90
               redefines input: "PressureOutPort;
91
                redefines output1: PressureOutPort;
92
                redefines output2: PressureOutPort;
```

```
93
             }
 94
95
 96
            /**
 97
             st The Instrumentation subsystem contains all of the sensors for an
 98
             * NPP I&C system.
 99
            package Instrumentation {(☐ Instrumentation 3 (line 65 on page 89), Instrumentation 2 (line 63 on page 89), Instrumentation 1 (line 61 on page 89), Instrumentation (line 59 on page 89), Instrumentation 4 (line 67 on page 89))(☐ Instrumentation (?? on page ??))
private import ScalarValues::Real;
100
                                                                                                      Instrumentation
101
              private import ScalarValues::Boolean;
private import TempSensor::*;
102
103
104
              private import PressureSensor::*;
105
106
              port def TripPort {
              out trip : Boolean;
}
107
108
109
110
              port def BypassPort {
              out trip : Boolean;
111
112
113
114
115
              enum def TripMode {
                enum Bypass;
116
                enum Operate;
117
                enum Manual;
118
119
120
              enum def Channel {
121
                enum Temperature;
122
                enum Pressure;
123
                enum Saturation;
124
125
126
              attribute def TripModeCommand {
127
                attribute mode: TripMode;
128
                attribute channel: Channel;
129
130
131
              port def TripModePort {
               out mode: TripModeCommand;
132
133
134
135
              part def InstrumentationUnit {
136
137
                // setpoints
                {\tt attribute} \ {\tt tempSetpoint} \ : \ {\tt TemperatureValue};
138
                attribute pressureSetpoint : PressureValue;
139
140
141
142
143
144
145
147
148
                attribute saturationLimit : Real;
                // mode selectors
                attribute maintenanceMode : Boolean;
                attribute temperatureTripMode: TripMode;
                attribute pressureTripMode: TripMode;
                attribute saturationTripMode: TripMode;
                // Inputs
                port temperatureInput: ~TemperatureOutPort;
150
                port pressureInput: ~PressureOutPort;
151
                port tripMode: ~TripModePort;
152
153
                // Outputs
154
155
                port pressureTripOut:TripPort;
                port temperatureTripOut:TripPort;
156
                port saturationTripOut:TripPort;
```

```
157
158
               port setMaintenanceMode: ~EventControl::MaintenancePort;
159
160
               port newTemperatureSetpoint: ~TemperatureOutPort;
161
               port newPressureSetpoint: ~PressureOutPort;
162
               port newSaturationSetpoint : ~SensorOutPort;
163
            }
164
165
166
           package Actuation {(☐ Actuation (?? on page ??))
167
             import Instrumentation::*;
168
169
             port def ActuationPort {
             out actuate: ScalarValues::Boolean;
170
171
172
173
             part def CoincidenceLogic {
174
              port channel1: "TripPort;
port channel2: "TripPort;
175
              port channel3: ~TripPort;
176
177
              port channel4: ~TripPort;
178
              port actuate: ActuationPort;
179
180
             part def OrLogic {
181
              port channel1: ~TripPort;
port channel2: ~TripPort;
182
183
              port actuate: ActuationPort;
184
185
186
           part def ActuationUnit {
187
             part temperatureLogic : CoincidenceLogic;
188
              part pressureLogic : CoincidenceLogic;
189
              part saturationLogic : CoincidenceLogic;
190
191
              part tempPressureTripOut : OrLogic:
192
193
              {\tt connect\ temperature Logic.actuate\ to\ temp Pressure Trip Out.channel 1;}
194
195
              {\tt connect\ pressureLogic.actuate\ to\ tempPressureTripOut.channel2;}
             part def Actuator {(  Actuator 2 (line 47 on page 89), Actuator 1 (line 45 on page 89), Actuator (line 275 on page 97), Actuators (line 43 on page 89))
196
                page 89), Actuator (line 275 on 
// Actuate if either of these are true
197
198
               port input: ActuationPort;
port manualActuatorInput: ~ActuationPort;
199
200
              }
201
           }
202
203
           package EventControl {
204
           import ScalarValues::Boolean;
205
206
            out maintenance: Boolean;
}
             port def MaintenancePort {
207
208
209
210
211
             part def ControlUnit {
               // Maintenance mode select x \not = instrumentation units
212
213
               port maintenanceMode: MaintenancePort[4];
               // Trip mode select x 4 instrumentation units
214
               port tripMode: Instrumentation::TripModePort[4];
215
               // New setpoints x 4 instrumentation units
216
               port newPressureSetpoint: PressureSensor::PressureOutPort[4];
217
               port newTemperatureSetpoint: TempSensor::TemperatureOutPort[4];
218
               port newSaturationSetpoint: PressureSensor::PressureOutPort[4];
219
               // Toggle actuator x2 actuators
220
               port manualActuatorInput: Actuation::ActuationPort[2];
221
            }
           }
```

```
223
          part RTS {(\supseteq RTS (line 6 on page 85), RTS (line 94 on page 87))(\sqsubseteq RTS (line 36 on page 163))
224
225
            part eventControl : EventControl::ControlUnit;
226
227
            import Instrumentation::*;
228
            part instrumentationAndSensing {
229
              part pressureSensor1 : PressureSensor::'Pressure Sensor';
230
              part pressureSensor2 : PressureSensor::'Pressure Sensor';
231
232
              part tempSensor1 : TempSensor::'Temperature Sensor';
233
              part tempSensor2 : TempSensor::'Temperature Sensor';
234
235
236
237
238
              part instrumentationUnit1 : InstrumentationUnit;
              part instrumentationUnit2 : InstrumentationUnit;
              part instrumentationUnit3 : InstrumentationUnit;
              part instrumentationUnit4 : InstrumentationUnit;
239
240
241
242
243
245
246
247
248
249
250
              part tempDemux1 : TempSensor::Demux;
              part tempDemux2 : TempSensor::Demux;
              part pressureDemux1 : PressureSensor::Demux;
              part pressureDemux2 : PressureSensor::Demux;
              // Temp sensor 1
              connect tempSensor1.output to tempDemux1.input;
              connect tempDemux1.output1 to instrumentationUnit1.temperatureInput;
              connect tempDemux1.output2 to instrumentationUnit2.temperatureInput;
251
              // Temp sensor 2
252
              connect tempSensor2.output to tempDemux2.input;
253
254
255
256
              connect tempDemux2.output1 to instrumentationUnit3.temperatureInput;
              connect tempDemux2.output2 to instrumentationUnit4.temperatureInput;
              // Pressure sensor 1
257
258
              connect pressureSensor1.output to pressureDemux1.input;
              connect pressureDemux1.output1 to instrumentationUnit1.pressureInput;
259
              connect pressureDemux1.output2 to instrumentationUnit2.pressureInput;
260
261
              // Pressure sensor 2
262
              connect pressureSensor2.output to pressureDemux2.input;
263
              connect pressureDemux1.output1 to instrumentationUnit3.pressureInput;
\frac{264}{265}
              connect pressureDemux1.output2 to instrumentationUnit4.pressureInput;
\tilde{2}66
267
            import Actuation::*;
268
            part actuation {(☐ Actuation (?? on page ??))
269
              part actuationUnit1 : ActuationUnit;
270
              part actuationUnit2 : ActuationUnit;
271
272
              part actuator1 : Actuator; (☐ Actuators (line 275 on page 97))
                                                           (line 43 on page 89).
                                                                                     Actuator
273 |
              part actuator2 : Actuator;(⊒
                                              Actuators
                                                           (line 43 on page 89),
                    (line 275 on page 97))
274
275
276
              part actuateActuator1 : OrLogic;
              part actuateActuator2 : OrLogic;
277
278
279
              // connect actuators
              // Actuator 1 ,temp or pressure trip
280
              connect actuationUnit1.tempPressureTripOut.actuate to actuateActuator1.channel1;
281
              connect actuationUnit2.tempPressureTripOut.actuate to actuateActuator1.channel2;
282
              connect actuateActuator1.actuate to actuator1.input;
283
284
285
              // Actuator 2 , Saturation
              connect actuationUnit1.saturationLogic.actuate to actuateActuator2.channel1;
286
              connect actuationUnit2.saturationLogic.actuate to actuateActuator2.channel2;
```

```
287
              connect actuateActuator2.actuate to actuator2.input;
288
289
290
            // connect Control units
291
            // Actuators manual override
\tilde{2}\tilde{9}\tilde{2}
            connect eventControl.manualActuatorInput[1] to actuation.actuator1.manualActuatorInput;
293
            \verb|connect| eventControl.manualActuatorInput[2]| to actuation.actuator2.manualActuatorInput; \\
294
295
            // Instrumentation mode select
296
            {\tt connect} eventControl.maintenanceMode[1] to instrumentationAndSensing.

→ instrumentationUnit1.setMaintenanceMode;
297
            connect eventControl.maintenanceMode[2] to instrumentationAndSensing.

→ instrumentationUnit2.setMaintenanceMode:
298
            connect eventControl.maintenanceMode[3] to instrumentationAndSensing.

→ instrumentationUnit3.setMaintenanceMode;

299
            connect eventControl.maintenanceMode[4] to instrumentationAndSensing.
                  instrumentationUnit4.setMaintenanceMode:
300
301
            // Instrumentation pressure setpoint
302
            {\tt connect\ eventControl.newPressureSetpoint[1]\ to\ instrumentation And Sensing.}
                  instrumentationUnit1.newPressureSetpoint;
303
            \verb|connect| eventControl.newPressureSetpoint[2]| to instrumentationAndSensing.\\

→ instrumentationUnit2.newPressureSetpoint;

304
            connect eventControl.newPressureSetpoint[3] to instrumentationAndSensing.
                   → instrumentationUnit3.newPressureSetpoint;
305
            connect eventControl.newPressureSetpoint[4] to instrumentationAndSensing.

→ instrumentationUnit4.newPressureSetpoint;

306
307
            // Instrumentation temperature setpoint
308
            connect eventControl.newTemperatureSetpoint[1] to instrumentationAndSensing.
                  instrumentationUnit1.newTemperatureSetpoint;
309
            {\tt connect\ eventControl.newTemperatureSetpoint[2]\ to\ instrumentationAndSensing.}
                  \hookrightarrow \texttt{instrumentationUnit2.newTemperatureSetpoint;}
310
            {\tt connect\ eventControl.newTemperatureSetpoint[3]\ to\ instrumentationAndSensing.}

→ instrumentationUnit3.newTemperatureSetpoint;

311
            connect eventControl.newTemperatureSetpoint[4] to instrumentationAndSensing.

instrumentationUnit4.newTemperatureSetpoint;
312
313
            // Instrumentation saturation setpoint
314
            connect eventControl.newSaturationSetpoint[1] to instrumentationAndSensing.
                  instrumentationUnit1.newSaturationSetpoint;
315
            connect eventControl.newSaturationSetpoint[2] to instrumentationAndSensing.
                  → instrumentationUnit2.newSaturationSetpoint;
316
            connect eventControl.newSaturationSetpoint[3] to instrumentationAndSensing.
                  → instrumentationUnit3.newSaturationSetpoint;
317
            connect eventControl.newSaturationSetpoint[4] to instrumentationAndSensing.

→ instrumentationUnit4.newSaturationSetpoint;

318
319
            // Instrumentation trip mode
320
            // Bypass temperature
391
            {\tt connect\ eventControl.tripMode[1]\ to\ instrumentationAndSensing.instrumentationUnit1.}

→ tripMode;

322
            \verb|connect| eventControl.tripMode[2]| to instrumentationAndSensing.instrumentationUnit2.\\
323
            \verb|connect| eventControl.tripMode[3]| to instrumentationAndSensing.instrumentationUnit3.\\

→ tripMode;

324
            \verb|connect| eventControl.tripMode[4]| to instrumentationAndSensing.instrumentationUnit4.\\

→ tripMode;

325
326
            // Trip on pressure above the setpoint
327
            // Actuation unit 1
328
            {\tt connect instrumentationAndSensing.instrumentationUnit1.pressureTripOut\ to\ actuation.}

→ actuationUnit1.pressureLogic.channel1;
329
            {\tt connect instrumentationAndSensing.instrumentationUnit2.pressureTripOut\ to\ actuation.}

→ actuationUnit1.pressureLogic.channel2;

330
            \verb|connect| instrumentation And Sensing.instrumentation Unit 3. pressure Trip Out to actuation.\\

→ actuationUnit1.pressureLogic.channel3;
```

```
331
            connect instrumentationAndSensing.instrumentationUnit4.pressureTripOut to actuation.

→ actuationUnit1.pressureLogic.channel4;

332
            // Actuation unit 2
333
            connect instrumentationAndSensing.instrumentationUnit1.pressureTripOut to actuation.

→ actuationUnit2.pressureLogic.channel1;
334
            \verb|connect| instrumentationAndSensing.instrumentationUnit2.pressureTripOut to actuation.\\

→ actuationUnit2.pressureLogic.channel2;

335
            {\tt connect\ instrumentationAndSensing.instrumentationUnit3.pressureTripOut\ to\ actuation.}
                   → actuationUnit2.pressureLogic.channel3;
336
            connect instrumentationAndSensing.instrumentationUnit4.pressureTripOut to actuation.

→ actuationUnit2.pressureLogic.channel4;

337
338
            // Trip on temperature above the setpoint
339
            // Actuation unit 1
340
            connect instrumentationAndSensing.instrumentationUnit1.temperatureTripOut to actuation.

→ actuationUnit1.temperatureLogic.channel1;

341
            \verb|connect| instrumentationAndSensing.instrumentationUnit2.temperatureTripOut to actuation.\\

→ actuationUnit1.temperatureLogic.channel2;

342
            \verb|connect| instrumentation And Sensing.instrumentation Unit 3. temperature Trip Out to actuation. \\
                  \hookrightarrow \texttt{actuationUnit1.temperatureLogic.channel3;}
343
            {\tt connect instrumentationAndSensing.instrumentationUnit4.temperatureTripOut\ to\ actuation.}
                   ⇒ actuationUnit1.temperatureLogic.channel4;
            // Actuation unit 2
            {\tt connect instrumentationAndSensing.instrumentationUnit1.temperatureTripOut\ to\ actuation.}
                   → actuationUnit2.temperatureLogic.channel1;
346
            \verb|connect| instrumentation And Sensing.instrumentation Unit 2. temperature Trip Out to actuation.\\
                    actuationUnit2.temperatureLogic.channel2;
347
            connect instrumentationAndSensing.instrumentationUnit3.temperatureTripOut to actuation.
                    actuationUnit2.temperatureLogic.channel3;
348
            connect instrumentationAndSensing.instrumentationUnit4.temperatureTripOut to actuation.

  actuationUnit2.temperatureLogic.channel4;
349
350
            // Trip on saturation above the setpoint
351
            // Actuation unit 1
            \verb|connect| instrumentation And Sensing.instrumentation Unit 1. \verb|saturation Trip Out to actuation.|\\

→ actuationUnit1.saturationLogic.channel1;

353
            {\tt connect instrumentationAndSensing.instrumentationUnit2.saturationTripOut\ to\ actuation.}

→ actuationUnit1.saturationLogic.channel2;

354
            {\tt connect instrumentationAndSensing.instrumentationUnit3.saturationTripOut\ to\ actuation.}

→ actuationUnit1.saturationLogic.channel3;

355
            \verb|connect| instrumentation And Sensing.instrumentation Unit 4. saturation Trip Out to actuation.\\
                    actuationUnit1.saturationLogic.channel4;
356
            // Actuation unit 2
357
            \verb|connect| instrumentation And Sensing.instrumentation Unit 1. saturation Trip Out to actuation.\\
                   → actuationUnit2.saturationLogic.channel1;
358
            {\tt connect instrumentationAndSensing.instrumentationUnit2.saturationTripOut\ to\ actuation.}

    actuationUnit2.saturationLogic.channel2;
359
            {\tt connect instrumentationAndSensing.instrumentationUnit3.saturationTripOut\ to\ actuation.}

→ actuationUnit2.saturationLogic.channel3:
360
            connect instrumentationAndSensing.instrumentationUnit4.saturationTripOut to actuation.

→ actuationUnit2.saturationLogic.channel4;

361
362
363
        } // package id RTS_System_Arch 'RTS System Architecture'
364
      } // package id Architecture 'RTS Architecture'
```

## D.14 RTS Viewpoints

Listing D.14: Listing SysML Model of RTS\_Viewpoints.

```
1 import Views::*;
2 3 package 'RTS Viewpoints and Views' {
```

```
import 'RTS Stakeholders'::*;
   4
5
   \frac{6}{7}
                   // Viewpoints and view definitions specify the different points of view
                   // that a system may be viewed from, and which parts of the system model
   89
                   // attend to each view. We will specify viewpoints for a few kinds
                   // of NRC actors, various kinds of HARDENS performers, various kinds of
 10
                  \begin{picture}(60,0)\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0){\line(0,0){100}}\put(0,0)
 11
                  // outcomes, and other government and industry parties interested in RDE.
12
13
                  viewpoint 'NRC General Customer Viewpoint' {}
1415
1617
189
22122
2222
2233
2333
335
339
4412
4434
4434
                  view def 'NRC General Customer View Definition' {}
                  viewpoint 'NRC Assurance Customer Viewpoint' {}
                  view def 'NRC Assurance Customer View Definition' {}
                  viewpoint 'Galois Performer Viewpoint' {}
                  view def 'Galois Performer View Definition' {}
                  view 'Galois PI View' : 'Galois Performer View Definition' {}
                  view 'Galois PL View' : 'Galois Performer View Definition' {}
                  view 'Galois Software Engineer View' : 'Galois Performer View Definition' {}
                  view 'Galois Hardware Engineer View' : 'Galois Performer View Definition' {}
                  view 'Galois Assurance Engineer View' : 'Galois Performer View Definition' {}
                  viewpoint 'Galois Principal View' {}
                  viewpoint 'Galois Executive View' {}
                  viewpoint 'Galois Customer Specialist View' {}
                  viewpoint 'Galois Research Engineering View' {}
                   viewpoint 'General Party interested in Rigorous Digital Engineering' {}
```

## D.15 Semantic Properties

Listing D.15: SysMLv2 Model of Semantic Properties.

```
/** Semantic properties are annotation to model and system artifacts
 2
         used to semantically markup those artifacts for documentation,
 34567
         traceability, and more. */
     package 'Semantic Properties' {
       \operatorname{doc} /* Semantic Properties are used to document arbitrary
              constructs in our specifications and implementations.
              {\tt Qsee\ https://www.kindsoftware.com/documents/white papers/code\_standards/properties.}
 \frac{8}{9}
       import ScalarValues::*;
10
11
       attribute def id SP 'Semantic Property';
12
       attribute def id SPD 'Semantic Property with Description' :>
13
         'Semantic Property' {
         attribute description: String;
```

```
16
       attribute def Exception :> String;
17
package 'Meta,Information' {
        attribute def Author :> SP {
          author: String;
        attribute def Lando :> SP {
         summary: String;
        attribute def Bug :> SPD;
        attribute def Copyright :> SP {
         copyright: String;
        attribute def Description :> SPD;
        attribute def History :> SPD;
         attribute def License :> SP {
          license: String;
        attribute def Title :> SP {
          title: String;
       attribute def 'Author Description Scope Triple' :> SPD {
         import 'Meta.Information'::*:
         attribute author: Author;
        attribute scope: Boolean;
       package 'Pending Work' {
         attribute def Idea :> 'Author Description Scope Triple' {
          classifier: String;
        attribute def Review :> 'Author Description Scope Triple';
        attribute def Todo :> 'Author Description Scope Triple';
       attribute def 'Rich Assertion' :> SPD {
         attribute label: String;
         attribute expression: Boolean;
        attribute exception : Exception;
       attribute def 'Expression Description Pair' :> SPD {
        attribute expression: Boolean;
61
62
63
       package 'Formal Specifications' {
        import Collections::*;
64
65
         enum def 'Modifies Frame' {
          SINGLE_ASSIGNMENT;
66
67
          EXPRESSION;
68
69
        attribute def Ensures :> 'Rich Assertion';
70
         attribute def Generate :> 'Expression Description Pair';
71
72
73
74
75
76
77
78
79
         attribute def Invariant :> 'Expression Description Pair' {
          exception: Exception;
         attribute def Modify :> 'Expression Description Pair' {
          enum kind: 'Modifies Frame';
        attribute def requires :> 'Rich Assertion';
       package 'Concurrency Control' {
80
        import Collections::*;
```

```
82
          attribute def Locks :> Set;
 83
          attribute def Timeout {
 84
85
           attribute timeout: Natural;
           attribute exception: String;
 86
87
          attribute def 'Concurrency Semantic Property' :> 'Semantic Property' {
 88
           attribute locks: Locks;
 89
            attribute failure: Exception;
 90
91
            attribute atomic: Boolean;
            attribute special: String;
 92
           attribute timeout: Timeout;
 93
 94
95
          attribute def Concurrent :> 'Concurrency Semantic Property' {
           attribute threadcountlimit: Positive;
 96
           attribute broken: Boolean;
 97
 98
          attribute def Sequential :> 'Concurrency Semantic Property';
 99
          attribute def Guarded :> 'Concurrency Semantic Property' {
100
           attribute semaphore_count: Positive;
101
102
103
104
105
        package 'Usage Information' {
          attribute def 'Parameter Spec' {
106
           parameter_name: String;
107
            precondition: Boolean;
108
           description: String;
109
110
          attribute def Return :> String;
111
          attribute def Exception :> 'Expression Description Pair' {
112
           exception: Exception;
113
         }
114
115
116
        package Versioning {
117
          attribute def Version :> String;
118
          attribute def Deprecated :> String;
119
          attribute def Since :> String;
120
121
122
        attribute def 'Feature Name Description Pair' {
123
         feature_name: String;
124
125
         description: String;
126
        package Inheritance {
127
          attribute def Hides :> 'Feature Name Description Pair';
128
          attribute def Overrides :> 'Feature Name Description Pair';
129
130
131
        package Documentation {
132
          attribute def Design :> 'Author Description Scope Triple';
133
          attribute def Equivalent :> String;
134
135
          attribute def Example :> String;
         attribute def See :> String;
136
137
138
        package Dependencies {
139
140
141
142
143
144
145
147
          import Collections::*;
          attribute def References :> 'Expression Description Pair';
          // Note that we rename 'use' to 'uses' to avoid SysML keyword conflict.
         attribute def Uses :> 'Expression Description Pair';
        package Miscellaneous {
          attribute def Guard :> 'Expression Description Pair';
          attribute def Values :> 'Expression Description Pair';
```

```
148 attribute def 'Time Complexity' :> 'Expression Description Pair';
149 attribute def 'Space Complexity' :> 'Expression Description Pair';
150 }
151
```

## Appendix E

# Cryptol Model

## E.1 Top-level RTS Cryptol model

Listing E.1: Listing Cryptol Model of RTS.

```
// HARDENS Reactor Trip System (RTS)
23
45
67
89
10
    // A formal model of RTS behavior written in the Cryptol DSL.
    // @author Alex Bakst <abakst@galois.com>
    // @created November, 2021
    // @refines HARDENS.sysml
    // @refines RTS.lando
    // @refines RTS_Requirements.json
    module RTS where
    import RTS::Utils
    import RTS::InstrumentationUnit
    import RTS::InstrumentationUnit as I
    import RTS::ActuationUnit
    import RTS::ActuationUnit as AU
    import RTS::Actuator
    import RTS::Actuator as A
    type Device = [1]( \supseteq Device (?? on page ??))
     type Division = [2]
    type Logic = [1]
    DO, D1: Device
    DO = 0
    D1 = 1
    type EventType = [2]
    // Event Type Values
EVENT_MAINTENANCE, EVENT_TRIP_MODE, EVENT_SETPOINT, EVENT_ACTUATE : EventType
    EVENT_MAINTENANCE = 0
    EVENT_TRIP_MODE = 1
    EVENT_SETPOINT = 2
    EVENT_ACTUATE = 3
   type RTS =( RTS
                          (?? on page ??), RTS (?? on page ??), RTS (line 224 on
         page 156))
37
      { control: Control
      , instrumentation: Instrumentation
```

```
, actuation: Actuation
         , ui: UI
}
 40142344567489012355565589
       type UI =
          { instrumentation_values: [4][NChannels][32]
         . _____mentation_bypass: [4][NChannels, instrumentation_trip: [4][NChannels]}
         , instrumentation_bypass: [4][NChannels]
       type Control =
        f self_test: Bit // Are we running an end-to-end test?
, self_test_instrs: [2]Division // Which instrumentation units are we poking?
, self_test_channel: Channel // Which channel are we poking?
, self_test_logic: Logic // Which actuation logic unit are we observing?
         , self_test_dev: Device // Which actuator are we observing?
         , self_test_timer: [32]
         , self_test_fail: Bit
       type Actuation =
 60
         { units: [2]ActuationUnit
         , actuators: [2]Actuator
 61
 62
 63
 64
       type Instrumentation =
 65
         { units: [4]InstrumentationUnit }
 66
 67
       type Event =
 68
         { event: EventType // The event tag
         , ch: Channel // Which channel
 69
         , dev: Device // Which device
         , unit: Division // Which Instrumentation unit
 72
73
74
75
76
77
         , setpoint: [32]
         , mode: I::Mode
        , on_off: Bit
       // @refines ControlUnit
 78
79
       Event_Control: Event -> RTS -> RTS
       Event_Control e rts =
 80
         if e.event == EVENT_MAINTENANCE then
           on_instr_units rts (\units -> update units (e.unit) (Set_Maintenance e.on_off (units @ e.
                  → unit)))
 82
         else if (e.event == EVENT_TRIP_MODE) && (ch < 'NChannels) && (e.mode < 'NModes) then
 83
           on_instr_units rts (\units -> update units (e.unit) (Set_Mode ch e.mode (units @ e.unit))
                   \hookrightarrow )
 84
85
         else if (e.event == EVENT_SETPOINT) && (ch < 'NChannels) then
           on_instr_units rts (\units -> update units (e.unit) (Set_Setpoint ch e.setpoint (units @
                  \hookrightarrow e.unit)))
 86
         else if (e.event == EVENT_ACTUATE) then
 87
           {rts| actuation =
 88
              \{ \texttt{rts.actuation} \ | \ \texttt{actuators} \ \texttt{=} \ \texttt{update} \ \texttt{rts.actuation.actuators} \ \texttt{dev} \ (\texttt{SetManual} \ \texttt{e.on\_off} \ (\texttt{SetManual} \ \texttt{e.on\_off}) \}
                     rts.actuation.actuators @ dev))} }
         else rts
 90
         where
           ch : Channel
           ch = e.ch
 93
           dev : Device
 94
95
           dev = e.dev
 96
           on_instr_units r f = \{r | instrumentation = \{units = f r.instrumentation.units \}\}
 97
 98
       Sense_Actuate:
 99
          [4]I::Input ->
100
          [4] I:: Command ->
```

```
101
        RTS ->
102
        RTS
103
      Sense_Actuate inputs icmds rts =
104
        { rts | control = { rts.control | self_test_fail = test_fail }
105
106
              , instrumentation = { units = instrumentation' }
              , actuation = { units = actuation_logic', actuators = actuators' }
              }
107
108
109
          // The two instrumentation units under test
110
          i0 = rts.control.self_test_instrs @ 0
111
          i1 = rts.control.self_test_instrs @ 1
112
          test_ch = rts.control.self_test_channel
          test_dev = rts.control.self_test_dev
113
114
115
          test_logic = rts.control.self_test_logic
116
          // Each instrumentation unit runs
117
          instrumentation' = [ I::Step input cmd i | i <- rts.instrumentation.units | input <-

→ inputs | cmd <- icmds ]
</p>
118
          output_trips: [3][4]TripPort
119
          output_trips = [[ instr.output_trip @ ch | instr <- instrumentation' ] | ch <- [0..2]]</pre>
120
121
          // Mask trips from the instrs under test at the channel under test. This is passed
122
          // to the voting components _not_ under test (so that we do not count any test-generated
               \hookrightarrow trips)
123
          output_trips_masked, output_trips_test: [3][4]TripPort
          output_trips_masked = MaskTripFrom (\i ch -> elem i [i0, i1] && (ch == test_ch))
124
                → output trips
125
          output_trips_test = MaskTripFrom (\i ch -> ~ (elem i [i0, i1] && (ch == test_ch)))
                \hookrightarrow \mathtt{output\_trips}
126
127
          // Now run the voting logic
          actuation_logic': [2]ActuationUnit
actuation_logic' = [ AU::TripInput (Select_trips 1) logic | logic <- rts.actuation.units
128
129
                130
131
          // Mask out the output of the voting unit we are *not* testing, and then use *this* value
132
          // for testing device actuation
133
          test_actuation_logic : [2]ActuationUnit
134
          test_actuation_logic = [ { output = [ if (test_logic == 1) && (test_dev == d) then logic.
                → output @ d else 0 | d <- [0..1] ]}</pre>
135
                                 | logic <- actuation_logic' | 1 <- [0..1]
136
137
                                1
138
          Select_trips 1 = if rts.control.self_test then
139
                             (if 1 == test_logic then output_trips_test else output_trips_masked)
140
141
142
143
144
145
                          else
                             output_trips
          // This is the output to the devices
          actuators' : [2]Actuator
          actuators' = [ A::SetInput (A::ActuateActuator [ logic.output @ d | logic <-

    actuation_logic']) a | a <- rts.actuation.actuators | d <- [0...]]
</pre>
146
147
          actuators_test : [2]Actuator
148
          actuators_test = [ A::SetInput (A::ActuateActuator [ logic.output @ d | logic <-

        ← test_actuation_logic ]) a | a <- rts.actuation.actuators | d <- [0...] ]
</p>
149
150
          old_vote = (rts.actuation.units @ test_logic).output @ test_dev
151
          expect = (old_vote != 0) || ShouldActuate test_ch inputs rts.instrumentation.units [i0,i1
                \hookrightarrow ]
152
          test_fail = expect != (actuators_test @ test_dev).input
153
154
155
      // @review kiniry Shouldn't this/these be private?
      MaskTripFrom: {idx} (Integral idx, Literal 0 idx) =>
156
       (idx -> Channel -> Bit) -> [3][4][8] -> [3][4][8]
157
      MaskTripFrom p trips =
       [ [ if p j ch then 0 else ch_trip | ch_trip <- trip | j <- [0...] ]
```

```
159
        | trip <- trips
160
        | ch <- [0..2]
161
162
163
      Test_Instrumentation : \{n\} (fin n) =>
        [n]([8], [2][32], Channel) \rightarrow [2] \rightarrow RTS \rightarrow RTS
164
165
      Test_Instrumentation tests i rts = {rts | control = {rts.control|self_test_fail = ~ (all
            → Run_test tests)}}
166
167
          Run_test: ([8],[2][32],Channel) -> Bit
168
          Run_test (trip,vals,ch) = (rts.instrumentation.units @ i)
169
                              >>>> Set_Maintenance True
170
                              >>>> Set_Mode ch Operate
171
                              >>>> Set Maintenance False
172
                              >>>> (\in -> I::Step vals I::NoCommand in)
173
                              >>>> (\in -> trip == (in.output_trip @ ch))
174
175
      Test\_Voting: \ \{n\} \ (fin \ n) \ \Rightarrow \ [n] \ (Bit, \ [1], \ AU::Input) \ \Rightarrow \ [1] \ \rightarrow \ RTS \ \Rightarrow \ RTS
      Test_Voting tests 1 rts = {rts | control = {rts.control|self_test_fail = ~ (all Run_test
176
177
178
          Run_test (on,d,trips) = (rts.actuation.units @ 1)
179
                            >>>> AU::TripInput trips
180
                            >>>> \a -> (a.output @ d) == on
181
182
      SelfTestOracle: [4]I::Input -> [4][3][32] -> [2][2] -> [2]
183
      SelfTestOracle inputs setpoints [i0,i1] = [(ts == 0b11) || (ps == 0b11), ss == 0b11]
\frac{184}{185}
           ts,ps,ss:[2]
186
            \texttt{ts = [ValueShouldTrip T i s | i \leftarrow inputs @@ [i0,i1] | s \leftarrow setpoints @@ [i0,i1]] }  
187
           ps = [ValueShouldTrip P i s | i <- inputs @@ [i0,i1] | s <- setpoints @@ [i0,i1]]
188
           ss = [ValueShouldTrip S i s | i <- inputs @@ [i0,i1] | s <- setpoints @@ [i0,i1]]
189
190
      // Helpful for testcase generation. The 'off' parameter is used
191
      // to generate a second instrumentation division ID that's guaranteed
      // to be different from the first one (i1)
192
193
      SelfTestOracleHalf: [4][2][16] -> [4][3][16] -> [2] -> [2] -> [2]
194
      SelfTestOracleHalf inputs setpoints i1 off =
195
        SelfTestOracle (map (map extend) inputs) (map (map extend) setpoints) [i1, i2]
196
197
          i2 = i1 + 1 + (off \% 3)
198
          extend v = zero # v
199
200
201
          property sense_to_actuate_0 rts (sensors : [4][2][32]) cmds =
202
              ~rts.control.self test ==> (
                sum [ if Is_Tripped T i then 1 else 0 | i <- rts'.instrumentation.units ] >= 2
203
204
              v sum [ if Is_Tripped P i then 1 else 0 | i <- rts'.instrumentation.units ] >= 2
205
              ∨ or [ a.output @ DO | a <- rts.actuation.units ]</pre>
206
              /* ----- */ ==
207
              (rts'.actuation.actuators @ D0).input
208
209
210
              rts' = rts >>>> Sense_Actuate sensors cmds
211
212
          property sense_to_actuate_1 rts (sensors : [4][2][32]) cmds =
213
              "rts.control.self test ==> (
214
                 sum [ if Is_Tripped S i then 1 else 0 | i <- rts'.instrumentation.units ] >= 2
\tilde{2}15
              \vee or [ a.output @ D1 | a <- rts.actuation.units ]
216
              /* ----- */ ==
\tilde{2}\tilde{1}\tilde{7}
              (rts'.actuation.actuators @ D1).input
218
219
              rts' = rts >>>> Sense_Actuate sensors cmds
220
221
222
          property end_to_end_test (ch : [2]) rts i1 i2 vote sensors =
```

```
223
             ( ~rts.control.self_test_fail
224
225
               \wedge (i1 != i2)
               \wedge and [ (a.output == 0) | a <- rts.actuation.units ]
226
               \wedge (ch < 3 /* not provable if ch == S */))// \wedge (ch != S) // Add this to make it
                     \hookrightarrow provable
227
            /* -----*/ ==>
\tilde{228}
               "rts'.control.self_test_fail
229
           where
230
             rts' = RunEndToEnd rts i1 i2 ch vote (repeat sensors)
231
232
          property end_to_end_test_non_interference (ch : [2]) rts (sensors: [4][2][32]) =
233
               rts.control.self_test_fail
234
             // Start in a state where we haven't actuated
235
             \wedge and [ (a.output == 0) | a <- rts.actuation.units ]
236
             \wedge ch < 3
237
             // Check if enough of the non-tested instrumentation (which may be all of them!) thinks
                   \hookrightarrow we should
238
             // actuate
239
             ^ sum [ if (~rts.control.self_test || ~elem i [i1,i2]) && ChShouldTrip ch vs instr
                   \hookrightarrow then 1 else 0
240
241
242
243
244
245
246
247
248
250
251
252
                   | vs <- sensors
                    | instr <- rts.instrumentation.units
                    | i <- [0...]
                   ] >= 2
            (rts'.actuation.actuators @ (if ch == S then D1 else D0)).input
            where
              i1 = rts.control.self_test_instrs@0
              i2 = rts.control.self_test_instrs@1
              rts' = rts >>>> Sense_Actuate sensors (repeat I::NoCommand)
          property test_instrumentation_ok i rts vs (ch : Channel) =
              (rts.control.self_test_fail) ==> (
253
254
255
                (ch < 3) ==>
                (~(Test_Instrumentation [(pass, vs, ch)] i rts).control.self_test_fail)
              )
256
            where
257
              pass: [8]
258
              pass = if ChShouldTrip ch vs {(rts.instrumentation.units @ i) | mode = repeat Operate
                   \hookrightarrow } then 1 else 0
259
260
          property test_voting_ok d ts l rts =
261
             ("rts.control.self_test_fail && and [ a.output == 0 | a <- rts.actuation.units ]) ==>
262
             ((Test_Voting [(expect, d, ts)] 1 rts).control.self_test_fail)
263
            where
\begin{array}{c} 264 \\ 265 \end{array}
              expect =
                if d == D0 then
266
                    (sum [ if (t != 0) then 1 else 0 | t <- ts @ T ] >= 2)
267
                 || (sum [ if (t != 0) then 1 else 0 | t <- ts @ P ] >= 2)
268
                else
\tilde{2}69
                     sum [ if (t != 0) then 1 else 0 | t <- ts @ S ] >= 2
270
271
          I : ([4]InstrumentationUnit -> [4]InstrumentationUnit) -> RTS -> RTS
272
273
           I f rts = {rts|instrumentation = { units = f rts.instrumentation.units }}
274
275
          RunEndToEnd rts i1 i2 ch vote sensors = rts'
276
             mkTestCore : [4]InstrumentationUnit -> Control
277
             mkTestCore instrs = {rts.control| self_test = True,
278
279
                                              self_test_instrs = [i1, i2],
                                              self_test_channel = ch,
280
                                              self_test_logic = vote,
281
                                              self_test_dev = dev }
282
             dev = if (ch == T) \mid \mid (ch == P) then D0 else D1
283
             rts' = rts
```

```
284
               >>>> I (\instrs -> [ if (i == i1) || (i == i2) then Set_Maintenance True instr else
                     → instr | instr <- instrs | i <- [0..3] ])</pre>
285
               >>>> I (\instrs -> [ if (i == i1) || (i == i2) then Set_Mode ch Operate instr else
                     → instr | instr <- instrs | i <- [0..3] ])</pre>
286
               >>>> (\r -> {r | control = (mkTestCore r.instrumentation.units) })
287
               >>>> Sense_Actuate sensors cmds
288
             cmds = repeat I::NoCommand
289

    \begin{array}{c}
      290 \\
      291
    \end{array}

           ShouldActuate: Channel -> [4][2][32] -> [4]InstrumentationUnit -> [2][2] -> Bit
           ShouldActuate ch sensors instrumentation test_instrs =
292
             numBits [ ChShouldTrip ch vs instr
293
                     | vs <- sensors @@ test_instrs | instr <- instrumentation @@ test_instrs ] >= 2
\frac{294}{295}
          ChShouldTrip ch vs instr =
296
            if In_Mode ch Operate instr then
297
              ValueShouldTrip ch vs (instr.setpoints)
298
\tilde{2}99
              In_Mode ch Manual instr
300
301
          ValueShouldTrip ch vs sp =
302
              if (ch == T) || (ch == P)
303
              then (sp @ ch) < (vs @ ch)
304
              else (sp @ ch) >$ Saturation (vs @ T) (vs @ P)
```

## E.2 Cryptol model of the Actuation Unit

Listing E.2: Listing Cryptol Model of ActuationUnit.

```
// HARDENS Reactor Trip System (RTS) Actuation Unit
 23
     \ensuremath{/\!/}\ \mbox{A}\ \mbox{formal model of RTS}\ \mbox{Actuation Unit behavior written in the}
     // Cryptol DSL.
 456789
     // @author Alex Bakst <abakst@galois.com>
     // @created November, 2021
     // @refines HARDENS.sysml
     // @refines RTS.lando
     // @refines RTS_Requirements.json
10
11
12
13
14
15
     module RTS::ActuationUnit where
     import RTS::Utils
     import RTS::InstrumentationUnit
     type Input = [3][4]TripPort
     type ActuationPort = Bit
     type ActuationUnit = { output: [2]ActuationPort }
     type CoincidenceLogic = [4]TripPort -> Bit
20
21
22
23
24
25
26
27
     type OrLogic = [2] -> Bit
     TripInput: [3][4]TripPort -> ActuationUnit -> ActuationUnit
     TripInput trips actuationUnit =
       { output = [ d0, d1 ] }
       where
         d0 = Actuate_D0 trips (actuationUnit.output @ 0)
         d1 = Actuate_D1 trips (actuationUnit.output @ 1)
     Actuate_DO: Input -> Bit -> Bit
     Actuate_DO trips old = dO || old
       where
32
         d0 = TempPressureTripOut [TemperatureLogic temperatureTrips,
33
                                   PressureLogic pressureTrips]
         temperatureTrips = trips @ (0:[2])
```

```
35
          pressureTrips = trips @ (1:[2])
 37
      Actuate_D1: Input -> Bit -> Bit
Actuate_D1 trips old = d1 || old
          d1 = SaturationLogic saturationTrips
          saturationTrips = trips @ (2:[2])
      TemperatureLogic: [4]TripPort -> Bit
      TemperatureLogic ts = Coincidence_2_4 ts
      PressureLogic: [4]TripPort -> Bit
      PressureLogic ts = Coincidence_2_4 ts
      SaturationLogic: [4]TripPort -> Bit
      SaturationLogic ts = Coincidence_2_4 ts
      TempPressureTripOut: [2] -> Bit
      TempPressureTripOut ts = (ts @ (0:[1])) || (ts @ (1:[1]))
      private
        Coincidence_2_4 : [4]TripPort -> Bit
        Coincidence_2_4 x = (a&&b) || ((a||b) && (c||d)) || (c&&d)
          where
 60
            a = (x @ (0:[2])) != 0
 61
            b = (x @ (1:[2])) != 0
 62
            c = (x @ (2:[2])) != 0
 63
            d = (x @ (3:[2])) != 0
 64
65
        count : \{n\} (fin n, n >= 1) => [n] -> [width n]
 66
        count bs = sum [ if b then 1 else 0 | b <- bs ]</pre>
 67
 68
        /** @requirements
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
88
89
91
91
92
93
95
              ACTUATION_LOGIC_VOTE_TEMPERATURE
        property actuation_logic_vote_temperature (inp: Input) =
          (count [i != 0 | i <- (inp @ T)] >= 2) == TemperatureLogic (inp @ T)
        /** @requirements
              ACTUATION_LOGIC_VOTE_PRESSURE
        roperty actuation_logic_vote_pressure (inp: Input) =
  (count [i != 0 | i <- (inp @ P)] >= 2) == PressureLogic (inp @ P)
        /** @requirements
              ACTUATION_LOGIC_VOTE_SATURATION
        property actuation_logic_vote_saturation (inp: Input) =
          (count [i != 0 | i <- (inp @ S)] >= 2) == SaturationLogic (inp @ S)
        /** @requirements
              ACTUATION_LOGIC_DEVICE_O
              ACTUATION_LOGIC_VOTE_DEVICE_O
              ACTUATION_LOGIC_VOTE_MANUAL_DEVICE_O
        property actuation_logic_device_0 (inp: Input) (act: ActuationUnit) =
             act.output @ 0
          \lor \ \texttt{TempPressureTripOut} \ [\texttt{TemperatureLogic (inp @ T), PressureLogic (inp @ P)}]
          == /* ----- */
          act'.output @ 0
 96
          where act' = TripInput inp act
 97
 98
        /** @requirements
 99
              ACTUATION_LOGIC_DEVICE_1
100
              ACTUATION\_LOGIC\_VOTE\_DEVICE\_1
```

## E.3 Cryptol model of the Actuator

Listing E.3: Listing Cryptol Model of Actuator.

```
// HARDENS Reactor Trip System (RTS) Actuator Unit
23456789101123145161789222345627289
     // A formal model of RTS Actuator behavior written in the Cryptol
     // DSL.
     11
     // @author Alex Bakst <abakst@galois.com>
     // @created November, 2021
     // @refines HARDENS.sysml
     // @refines RTS.lando
     // @refines RTS_Requirements.json
     module RTS::Actuator where
     type Actuation = Bit
     type Mode = Bit
     /** @requirements
           ACTUATION_LOGIC_MANUAL_DEVICE_{0,1} satisfied by definition
       { input: Actuation
      , manualActuatorInput: Actuation }
     SetInput: Actuation -> Actuator -> Actuator
     SetInput on actuator = {actuator | input = on }
     SetManual: Actuation -> Actuator -> Actuator
     SetManual on actuator = {actuator | manualActuatorInput = on}
30
     ActuateActuator : [2]Actuation -> Actuation
     ActuateActuator inputs = (inputs @ (0:[1])) || (inputs @ (1:[1]))
```

## E.4 Cryptol model of the Instrumentation Unit

Listing E.4: Listing Cryptol Model of InstrumentationUnit.

```
1 // HARDENS Reactor Trip System (RTS) Instrumentation Unit
2 // A formal model of RTS Instrumentation behavior written in the
3 // Cryptol DSL.
4 //
5 // Gauthor Alex Bakst <abakst@galois.com>
6 // @created November, 2021
7 // @refines HARDENS.sysml
8 // @refines RTS.lando
9 // @refines RTS.Requirements.json
```

```
module RTS::InstrumentationUnit where
12
13
14
15
     import RTS::Utils
     type Input = [2][32]
16
     type NChannels = 3
17
     type Channel = [lg2 NChannels]
     type TripPort = [8]
     type NModes = 3
     type Mode = [lg2 NModes]
     type CommandType = [1g2 NCommands]
22
23
24
25
     type NCommands = 4
     type Command =
       { command: CommandType
      , channel: Channel
26
27
      , mode: Mode
      , setpoint: [32]
     ...point: [;
, on_off: Bit
}
28
29
30
     Set_Mode_Cmd, Set_Maintenance_Cmd, Set_Setpoint_Cmd, Null_Cmd : CommandType
32
33
34
35
36
37
38
     Set_Mode_Cmd = 0
     Set_Maintenance_Cmd = 1
     Set_Setpoint_Cmd = 2
     Null\_Cmd = 3
     T,P,S : Channel
     T = 0 // Temperature
39
     P = 1 // Pressure
S = 2 // Saturation
     Bypass, Operate, Manual: Mode
     Bypass = 0 // Do not generate a "trip"
     Operate = 1 // Generate "trip" on setpoint violation
     Manual = 2 // Force "trip" generation
     type InstrumentationUnit =
       { setpoints: [NChannels][32]
      , reading: [NChannels][32]
      , mode: [NChannels] Mode
      , sensor_trip: [NChannels]
      , output_trip: [NChannels][8]
      , maintenance: Bit
     NoCommand: Command
     NoCommand = { command= Null_Cmd, channel= zero, mode= zero, setpoint= zero, on_off= zero }
58
59
     Initial: InstrumentationUnit
60
    Initial =
      { setpoints = zero
      , reading = zero
      , mode = zero
63
64
65
      , sensor_trip = zero
      , output_trip = repeat zero
, maintenance = ~zero
66
67
68
69
70
     Step: Input -> Command -> InstrumentationUnit -> InstrumentationUnit
     Step inp cmd instr =
           Handle_Input inp instr
72
       >>>> Handle_Command cmd
73
       >>>> Step_Trip_Signals
       >>>> OutputTrips
       where
```

```
76
          OutputTrips state =
            { state | output_trip = [ zero # [Is_Ch_Tripped (state.mode @ ch) (state.sensor_trip @
                 \hookrightarrow ch)] | ch <- [0..2] ] }
 78
 79
      // Orefines sensor input ports
 80
      Handle_Input: Input -> InstrumentationUnit -> InstrumentationUnit
 81
      Handle_Input sensors instr = { instr | reading = vals }
 82
 83
          vals: [3][32]
 84
85
          // O and 1 should be T and P, but this causes problems for crymp
          vals = [ sensors @ 0
               , sensors @ 1
                , Saturation (sensors @ 0) (sensors @ 1)
 88
 89
 90
      // @refines mode, tripmode, setpoint input port attributes
Handle_Command: Command -> InstrumentationUnit -> InstrumentationUnit
 91
 92
      Handle_Command cmd instr =
 93
        if (cmd.command == Set_Mode_Cmd) && (cmd.channel < 'NChannels) then</pre>
 94
95
          Set_Mode cmd.channel cmd.mode instr
        else if cmd.command == Set_Maintenance_Cmd then
 96
         Set_Maintenance cmd.on_off instr
 97
        else if (cmd.command == Set_Setpoint_Cmd) && (cmd.channel < 'NChannels) then
 98
         Set_Setpoint cmd.channel cmd.setpoint instr
 99
       else
100
          instr
101
102
      103
      // Queries, "Setters", "Getters", etc
104
105
      106
      Get_Reading: InstrumentationUnit -> [NChannels][32]
107
      Get_Reading instr = instr.reading
108
109
      In Maintenance: InstrumentationUnit -> Bit
110
      In_Maintenance instr = instr.maintenance
111
112
      Set_Maintenance: Bit -> InstrumentationUnit -> InstrumentationUnit
113
      Set_Maintenance on instr = { instr | maintenance = on }
114
115
      Set_Mode: Channel -> Mode -> InstrumentationUnit -> InstrumentationUnit
116
      Set Mode ch mode i =
117
        if In_Maintenance i && (mode <= 2) then
118
          {i | mode = update i.mode ch mode}
119
        else
120
121
122
      In_Mode: Channel -> Mode -> InstrumentationUnit -> Bit
123
124
125
      In_Mode ch mode instr = (instr.mode @ ch) == mode
      Get_Setpoint: Channel -> InstrumentationUnit -> [32]
126
      Get_Setpoint ch instr = instr.setpoints @ ch
127
128
      Set_Setpoint: Channel -> [32] -> InstrumentationUnit -> InstrumentationUnit
129
      Set_Setpoint ch val instr = { instr | setpoints = update instr.setpoints ch val }
130
131
      Get_Tripped: InstrumentationUnit -> [NChannels][8]
132
      Get_Tripped instr = [zero # [Is_Tripped T instr], zero # [Is_Tripped P instr], zero # [
            → Is_Tripped S instr]]
133
134
135
      Is_Tripped: Channel -> InstrumentationUnit -> Bit
      Is_Tripped ch instr = In_Mode ch Manual instr
136
                       || (In_Mode ch Operate instr && (instr.sensor_trip @ ch))
137
138
      Is_Ch_Tripped : Mode -> Bit -> Bit
139 | Is_Ch_Tripped mode sensor_tripped =
```

```
140
141
142
143
144
145
146
147
148
150
         // @bug abakst Constants should be replaced, but this causes
         // problems for crymp: 2 = Manual, 1 = Operate (mode == 2) || ((mode == 1) && sensor_tripped)
       {\tt Step\_Trip\_Signals:}
        InstrumentationUnit ->
        {\tt Instrumentation Unit}
       Step_Trip_Signals state =
        { state | sensor_trip = sensor_trips }
           sensor_trips = Generate_Sensor_Trips state.reading state.setpoints
151
152
       Saturation : [32] -> [32] -> [32]
153
154
155
       Saturation t p = p - sat_pressure
         where sat_pressure = PressureTable t
156
       PressureTable : [32] -> [32]
157
       PressureTable temp = sat_pressure
158
159
           idx = if temp < 35 then 0 else (temp-35)/5
160
           sat_pressure =
161
            if idx < 52 then Table @ idx else Table @ (51 : [lg2 52])
162
163
           // Table in 10^-5 lb/in^2
164
           //\ https://mfathi.iut.ac.ir/sites/mfathi.iut.ac.ir/files/files\_course/
                 \hookrightarrow table_of_saturation_vapor_0.pdf
165
           Table: [52][32]
166
           Table = [0009998,
167
                    0012163,
168
                    0014753,
169
                    0017796,
170
                    0021404,
171
                    0025611,
172
                    0030562,
173
                    0036292.
174
175
                    0042985,
                    0050683,
176
177
                    0059610,
                    0069813,
178
                    0081567,
179
                    0094924,
180
                    0110218,
181
                    0127500,
182
                    0147160,
183
                    0169270,
184
185
                    0194350,
                    0222300,
186
187
                    0253820,
                    0288920,
188
                    0328250.
189
                    0371840,
190
                    0420470,
191
                    0474140,
192
                    0533740,
193
                    0599260,
194
195
                    0671730,
                    0751100,
196
197
                    0838550.
                    0934000.
198
                    1038600.
199
                    1152600,
200
                    1277600,
201
                    1413200,
202
                    1469600,
203
                    1718600,
204
                    1892100,
```

```
205
                   2079100,
206
                   2280400,
207
                   2496800.
208
                   2731900.
209
210
                   2984000.
                   3253900.
211
                   3542700.
212
                   3854600,
213
214
                   4542300,
215
                   4920000,
216
                   5325900,
217
                   5775200
218
219
220
       Generate_Sensor_Trips : [NChannels][32] -> [NChannels][32] -> [NChannels]
221
      Generate_Sensor_Trips vals setpoints =
222
          // @bug abakst '2' should be 'S', but this causes problems for crymp
223
          // See 'Is_Ch_Tripped' above as well.
224
          [ Trip vals setpoints 0, Trip vals setpoints 1, Trip vals setpoints 2 ]
225
226
       Trip: [NChannels][32] -> [NChannels][32] -> Channel -> Bit
227
       Trip vals setpoints ch = if ch == 2 then v <$ sp else sp < v
228
        where v = vals @ ch
229
              sp = setpoints @ ch
230
231
       private
232
        /** @requirements
\tilde{2}\tilde{3}\tilde{3}
              INSTRUMENTATION_RESET
234
        property instrumentation_reset =
235
236
          In_Maintenance Initial
237
          ∧ In_Mode P Bypass Initial
238
          ∧ In_Mode T Bypass Initial
239
          ∧ In_Mode S Bypass Initial
240
241
242
243
244
245
246
247
248
250
251
252
253
        /** @requirements
              INSTRUMENTATION_TRIP_PRESSURE
        property instrumentation_trip_pressure (inp: Input) (instr: InstrumentationUnit) =
             In_Mode P Manual instr

∨ (In_Mode P Operate instr ∧ inp @ P > Get_Setpoint P instr')

          (Is_Tripped P instr')
            where instr' = Handle_Input inp instr >>>> Step_Trip_Signals
         /** @requirements
              INSTRUMENTATION_TRIP_TEMPERATURE
254
255
        property instrumentation_trip_temperature (inp: Input) (instr: InstrumentationUnit) =
                In_Mode T Manual instr
256
           ∨ (In_Mode T Operate instr ∧ inp @ T > Get_Setpoint T instr')
257
258
          (Is_Tripped T instr')
259
            where instr' = Handle_Input inp instr >>>> Step_Trip_Signals
260
\tilde{2}61
        /** @requirements
262
              INSTRUMENTATION_TRIP_SATURATION
263

  \begin{array}{c}
    \hline{264} \\
    \hline{265}
  \end{array}

        property instrumentation_trip_saturation (inp: Input) (instr: InstrumentationUnit) =
              In_Mode S Manual instr
266
              \lor (In_Mode S Operate instr \land Saturation (inp @ T) (inp @ P) <$ Get_Setpoint S instr')
267
268
          (Is_Tripped S instr')
269
            where instr' = Handle_Input inp instr >>>> Step_Trip_Signals
270
```

```
271
272
          /** @requirements
                 INSTRUMENTATION_SET_MANUAL_TRIP_TEMPERATURE
273
274
275
276
277
                 INSTRUMENTATION_SET_MANUAL_TRIP_PRESSURE
                 INSTRUMENTATION_SET_MANUAL_TRIP_SATURATION
          property instrumentation_set_manual_trip (instr: InstrumentationUnit) =
             In_Maintenance instr ==> (
278
279
              (Is_Tripped T trippedT \ ~ (instr.sensor_trip @ T))
\(\text{(Is_Tripped P trippedP \ ~ (instr.sensor_trip @ P))}
\(\text{(Is_Tripped S trippedS \ ~ (instr.sensor_trip @ S))}
\(\text{(Is_Tripped S trippedS \ ~ (instr.sensor_trip @ S))}
\(\text{(Is_Tripped S trippedS \ ~ (instr.sensor_trip @ S))}
\)
280
281
282
             where
283
284
285
               trippedT = Set_Mode T Manual instr
               trippedP = Set_Mode P Manual instr
               trippedS = Set_Mode S Manual instr
\tilde{286}
287
288
           /** @requirements
                  INSTRUMENTATION_SET_SETPOINT_TEMPERATURE
289
290
                   INSTRUMENTATION_SET_SETPOINT_PRESSURE
                   INSTRUMENTATION_SET_SETPOINT_SATURATION
291
292
          property get_set_setpoint_correct (instr: InstrumentationUnit) (val: [32]) =
293
                Get_Setpoint T (Set_Setpoint T val instr) == val
294
             ∧ Get_Setpoint P (Set_Setpoint P val instr) == val
295
             \land \  \, \mathsf{Get\_Setpoint} \  \, \mathsf{S} \  \, \mathsf{(Set\_Setpoint} \  \, \mathsf{S} \  \, \mathsf{val} \  \, \mathsf{instr}) \, = \! \mathsf{val}
\tilde{296}
\tilde{297}
          /** @requirements
298
299
300
                  INSTRUMENTATION_SET_BYPASS_TEMPERATURE
                   INSTRUMENTATION\_SET\_BYPASS\_PRESSURE
                   INSTRUMENTATION_SET_BYPASS_SATURATION
301
302
          property set_bypass_correct (instr: InstrumentationUnit) =
303
                In_Maintenance instr ==> (
304
                       Is_Tripped T (Set_Mode T Bypass instr)
305
                  \wedge ~ Is_Tripped P (Set_Mode P Bypass instr)
306
                  ∧ ~ Is_Tripped S (Set_Mode S Bypass instr)
307
308
309
          property step_state_const (inp: Input) (instr: InstrumentationUnit) =
310
311
                  instr.mode == instr'.mode
               ∧ instr.setpoints == instr'.setpoints
312
313
               ∧ instr.maintenance == instr'.maintenance
               where instr' = Handle_Input inp instr >>>> Step_Trip_Signals
314
315
          // Not connected to a high level requirement because this simply establishes // the connection between 'Is_Tripped' and 'Is_Ch_Tripped' (which is more
316
317
          // convenient for synthesis)
318
          property is_ch_trip_correct instr =
319
                Is_Tripped T instr == Is_Ch_Tripped (instr.mode @ T) (instr.sensor_trip @ T)
320
               Is_Tripped P instr == Is_Ch_Tripped (instr.mode @ P) (instr.sensor_trip @ P)
321
             ∧ Is_Tripped S instr == Is_Ch_Tripped (instr.mode @ S) (instr.sensor_trip @ S)
```

## E.5 Cryptol Utility Functions

Listing E.5: Listing Cryptol Model of Utils.

```
1 // HARDENS Reactor Trip System (RTS) Utility Functions
2 // In support of a formal model of RTS system behavior written in the
3 // Cryptol DSL.
4 //
5 // @author Alex Bakst <abakst@galois.com>
6 // @created November, 2021
```

```
7 8 module RTS::Utils where
9 infixl 5 >>>> 11 (>>>>) x f = f x
12 13 numBits: {n} (fin n) => [n] -> Integer
14 numBits lst = sum [ if b then 1 else 0 | b <- lst ]
```

### E.6 SAW Model

#### E.6.1 SAWscript to test the Actuator

Listing E.6: Listing Saw Model of actuator.

```
include "common.saw";

cryptol_add_path "../models";

actuator_cryp <- cryptol_load "../models/RTS/Actuator.cry";

actuator_gen <- llvm_load_module "generated/actuator_impl.bc";

let actuate_actuator_ref = {{ actuator_cryp::ActuateActuator }};

let actuate_actuator_spec = do {
   input <- llvm_fresh_var "inp" (llvm_int 8);
   let expected = {{ (zero # [actuate_actuator_ref (take (reverse input))]) : [8] }};

llvm_execute_func [llvm_term input];
   llvm_return (llvm_term expected);
};

llvm_verify actuator_gen "ActuateActuator" [] false actuate_actuator_spec z3;</pre>
```

#### E.6.2 SAWscript to test the Actuation Unit

Listing E.7: Listing Saw Model of actuation\_unit.

```
include "common.saw";
23
45
67
89
10
11
12
13
14
15
     cryptol_add_path "../models";
     actuate_unit_cryp <- cryptol_load "../models/RTS/ActuationUnit.cry";</pre>
     actuate_unit_gen <- llvm_load_module "generated/actuation_unit_impl.bc";</pre>
     let actuate_d0_ref = {{ actuate_unit_cryp::Actuate_D0 }};
     let actuate_d1_ref = {{ actuate_unit_cryp::Actuate_D1 }};
     let actuate_d_spec f = do {
         (trips, ptr_trips) <- ptr_to_fresh "trips" (llvm_array 3 (llvm_array 4 (llvm_int 8)));</pre>
         old_trip <- llvm_fresh_var "old" (llvm_int 8);</pre>
         llvm_precond {{ (old_trip == 0) || (old_trip == 1) }};
         llvm_execute_func [ptr_trips, llvm_term old_trip];
         let expected = {{ (zero # [f trips (0 != old_trip)]) : [8] }};
         1lvm_return (llvm_term expected);
     let actuate_d0 = actuate_d_spec actuate_d0_ref;
    let actuate_d1 = actuate_d_spec actuate_d1_ref;
```

```
22 | 23 | llvm_verify actuate_unit_gen "Actuate_DO" [] false actuate_d0 z3; 24 | llvm_verify actuate_unit_gen "Actuate_D1" [] false actuate_d1 z3;
```

#### E.6.3 SAWscript to test the Instrumentation Unit

Listing E.8: Listing Saw Model of instrumentation.

```
include "common.saw":
     enable_experimental;
     cryptol_add_path "../models";
     instrumentation_cryp <- cryptol_load "../models/RTS/InstrumentationUnit.cry";</pre>
     instrumentation_gen <- llvm_load_module "generated/instrumentation_impl.bc"
     instrumentation_hand <- llvm_load_module "handwritten/instrumentation_impl.bc";</pre>
     let is_ch_tripped_ref = {{ instrumentation_cryp::Is_Ch_Tripped }};
11
12
13
14
15
16
     write_verilog "Is_Ch_Tripped.v" is_ch_tripped_ref;
     let generate_sensor_trips_ref = {{ instrumentation_cryp::Generate_Sensor_Trips }};
     write_verilog "Generate_Sensor_Trips.v" generate_sensor_trips_ref;
     let is_ch_tripped_spec = do {
17
        mode <- llvm_fresh_var "mode" (llvm_int 8);</pre>
         sensor_tripped <- llvm_fresh_var "sensor_tripped" (llvm_int 8);</pre>
19
         llvm_precond {{ elem mode [0, 1, 2] }};
         llvm_precond {{ elem sensor_tripped [0, 1] }};
21
         llvm_execute_func [llvm_term mode, llvm_term sensor_tripped];
         let expected = {{ (zero # [is_ch_tripped_ref (drop mode) (0 != sensor_tripped)]) : [8]
               → }}:
23
24
25
26
27
28
29
31
32
33
34
35
37
         llvm_return (llvm_term expected);
     let generate_sensor_trips_spec = do {
         (vals, ptr_vals) <- ptr_to_fresh "vals" (llvm_array 3 (llvm_int 32));</pre>
         (setpoints, ptr_setpoints) <- ptr_to_fresh "setpoints" (llvm_array 3 (llvm_int 32));
         llvm_precond {{ (vals @ instrumentation_cryp::S) < 0x80000000 }};</pre>
         llvm_execute_func [ptr_vals, ptr_setpoints];
         let reference_val = {{ generate_sensor_trips_ref vals setpoints }};
         let expected = {{ (zero # reverse reference_val) : [8] }};
         llvm_return (llvm_term expected);
     llvm_verify instrumentation_gen "Is_Ch_Tripped" [] false is_ch_tripped_spec z3;
     llvm_verify instrumentation_hand "Is_Ch_Tripped" [] false is_ch_tripped_spec z3;
     llvm_verify instrumentation_gen "Generate_Sensor_Trips" [] false generate_sensor_trips_spec
39
     llvm_verify instrumentation_hand "Generate_Sensor_Trips" [] false generate_sensor_trips_spec
```

### E.6.4 SAWscript to test the Saturation

Listing E.9: Listing Saw Model of saturation.

```
1 include "common.saw";
2 enable_experimental;
3
4 cryptol_add_path "../models";
```

```
instrumentation_cryp <- cryptol_load "../models/RTS/InstrumentationUnit.cry";
saturation_gen <- llvm_load_module "generated/saturation_impl.bc";

let saturation_ref = {{ instrumentation_cryp::Saturation }};

let saturation_spec = do {
    t <- llvm_fresh_var "t" (llvm_int 32);
    p <- llvm_fresh_var "p" (llvm_int 32);
    llvm_execute_func [llvm_term t, llvm_term p];
    llvm_return (llvm_term {{ saturation_ref t p }});
};

llvm_verify saturation_gen "Saturation" [] false saturation_spec z3;</pre>
```

#### E.6.5 SAWscript some standard definitions

Listing E.10: Listing Saw Model of common.

```
1  let alloc_init ty v = do {
2     p <- llvm_alloc ty;
3     llvm_points_to p v;
4     return p;
5     };
6     
7  let ptr_to_fresh n ty = do {
8          x <- llvm_fresh_var n ty;
9          p <- alloc_init ty (llvm_term x);
10     return (x, p);
11  };</pre>
```

## E.7 HDL Implementation

#### E.7.1 HDL model of Instrumentation

Listing E.11: Listing Verilog Model of instrumentation\_impl.

```
module Is_Ch_Tripped
 23456789
          #(localparam Log2Modes = 2)
          ( input logic [Log2Modes - 1:0] mode,
            input logic sensor_tripped,
            output logic out
        assign out = (mode == 2) || ((mode == 1) & sensor_tripped);
10
11
12
13
14
15
16
     module Generate_Sensor_Trips
         #(localparam NChannels = 3)
          ( input logic [NChannels * 32 - 1:0] vals,
 input logic [NChannels * 32 - 1:0] setpoints,
            output logic [NChannels - 1:0] out
        for (ch = 0; ch < NChannels; ch = ch + 1) begin
           localparam rev_ch = NChannels - ch - 1;
            logic [31:0]v = vals[(rev_ch*32) + 31 -: 32];
           logic [31:0]sp = setpoints[(rev_ch*32) + 31 -: 32];
            // SAW caught a bug here, originally used
21
            // 'rev_ch' in the conditional
```

```
23 if (ch == 2) begin
24 assign out[rev_ch] = $signed(v) < $signed(sp);
25 end else begin
26 assign out[rev_ch] = sp < v;
27 end
28 end
29 endmodule
```

#### E.7.2 HDL model of Actuator

Listing E.12: Listing Verilog Model of actuator\_impl.

```
module ActuateActuator
( input logic [1:0] inputs,
    output logic out
);
// ../models/RTS/Actuator.cry:31:1--31:16
assign out = inputs[1] | inputs[0];
endmodule
```

#### E.7.3 HDL model of Actuation Unit

Listing E.13: Listing Verilog Model of actuation\_unit\_impl.

```
module Coincidence_2_4
 23456789
         ( input logic [31:0] x,
           output logic out
         logic a;
         logic b;
         logic c;
         logic d;
         // ../models/RTS/ActuationUnit.cry:60:7--60:8
         assign a = x[31:24] != 8'h0;
11
12
13
14
15
16
17
         // ../models/RTS/ActuationUnit.cry:61:7--61:8
         assign b = x[23:16] != 8'h0;
         // ../models/RTS/ActuationUnit.cry:62:7--62:8
         assign c = x[15:8] != 8'h0;
         // ../models/RTS/ActuationUnit.cry:63:7--63:8
         assign d = x[7:0] != 8'h0;
         // ../models/RTS/ActuationUnit.cry:57:3--57:18
18
19
         assign out = a & b | ((a | b) & (c | d) | c & d);
     endmodule
20
21
22
23
24
25
26
27
28
29
31
32
33
34
35
     module TemperatureLogic
         (input logic [31:0] ts,
           output logic out
         // ../models/RTS/ActuationUnit.cry:44:1--44:17
         Coincidence_2_4 Coincidence_2_4_inst1 (.x(ts),
                                                .out(out));
      endmodule
     module PressureLogic
         (input logic [31:0] ts,
           output logic out
         // ../models/RTS/ActuationUnit.cry:47:1--47:14
         Coincidence_2_4 Coincidence_2_4_inst1 (.x(ts),
                                                .out(out));
     module TempPressureTripOut
```

```
37
         ( input logic [1:0] ts,
output logic out
         // ../models/RTS/ActuationUnit.cry:53:1--53:20
         assign out = ts[1] | ts[0];
     endmodule
     module Actuate_D0
         ( input logic [95:0] trips,
           input logic old,
           output logic out
         logic [31:0] temperatureTrips;
         logic [31:0] pressureTrips;
         logic d0;
         // ../models/RTS/ActuationUnit.cry:34:5--34:21
         assign temperatureTrips[31:0] = trips[95:64];
         // ../models/RTS/ActuationUnit.cry:35:5--35:18
         assign pressureTrips[31:0] = trips[63:32];
         // ../models/RTS/ActuationUnit.cry:32:5--32:7
         logic TemperatureLogic_out;
         TemperatureLogic TemperatureLogic_inst1 (.ts(temperatureTrips),
                                                .out(TemperatureLogic_out));
         logic PressureLogic_out;
         \label{logic_pressure_logic_inst1} PressureLogic\_inst1 \ (.ts(pressureTrips),
61
                                           .out(PressureLogic_out));
62
         TempPressureTripOut TempPressureTripOut_inst1 (.ts({TemperatureLogic_out,
               → PressureLogic_out}),
63
                                                      .out(d0));
64
65
         // ../models/RTS/ActuationUnit.cry:30:1--30:11
         assign out = d0 | old;
66
      endmodule
67
     module SaturationLogic
68
         (input logic [31:0] ts,
69
70
71
72
73
74
75
76
77
78
80
81
82
83
84
85
86
           output logic out
         // ../models/RTS/ActuationUnit.cry:50:1--50:16
         Coincidence_2_4 Coincidence_2_4_inst1 (.x(ts),
                                              .out(out));
     endmodule
     module Actuate_D1
         (input logic [95:0] trips,
           input logic old,
           output logic out
         logic [31:0] saturationTrips;
         logic d1;
         // ../models/RTS/ActuationUnit.cry:41:5--41:20
         assign saturationTrips[31:0] = trips[31:0];
         // ../models/RTS/ActuationUnit.cry:40:5--40:7
         SaturationLogic SaturationLogic_inst1 (.ts(saturationTrips),
                                              .out(d1));
87
         // ../models/RTS/ActuationUnit.cry:38:1--38:11
         assign out = d1 | old;
      endmodule
```

Listing E.14: Listing Verilog Model of nerv.

```
1 /*
2 * NERV -- Naive Educational RISC-V Processor
3 *
4 * Copyright (C) 2020 Claire Xenia Wolf <claire@yosyshq.com>
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
```

```
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
      * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
12
      * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
      *\ \textit{ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES}
14
15
      * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
      * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
17
      * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19
module nerv #(
            parameter [31:0] RESET_ADDR = 32'h 0000_0000,
            parameter integer NUMREGS = 32
     ) (
             input clock,
             input reset,
             input stall,
             output trap,
     'ifdef NERV_RVFI
            output reg rvfi_valid,
            output reg [63:0] rvfi_order,
            output reg [31:0] rvfi_insn,
            output reg rvfi_trap,
            output reg rvfi_halt,
            output reg rvfi_intr,
             output reg [ 1:0] rvfi_mode,
             output reg [ 1:0] rvfi_ixl,
             output reg [ 4:0] rvfi_rs1_addr,
             output reg [ 4:0] rvfi_rs2_addr,
            output reg [31:0] rvfi_rs1_rdata,
            output reg [31:0] rvfi_rs2_rdata,
            output reg [ 4:0] rvfi_rd_addr,
            output reg [31:0] rvfi_rd_wdata,
            output reg [31:0] rvfi_pc_rdata,
             output reg [31:0] rvfi_pc_wdata,
            output reg [31:0] rvfi_mem_addr,
             output reg [ 3:0] rvfi_mem_rmask,
             output reg [ 3:0] rvfi_mem_wmask,
             output reg [31:0] rvfi_mem_rdata,
             output reg [31:0] rvfi_mem_wdata,
      'endif
             // we have 2 external memories
             // one is instruction memory
            output [31:0] imem_addr,
            input [31:0] imem_data,
             // the other is data memory
             output dmem_valid,
60
             output [31:0] dmem_addr,
61
             output [ 3:0] dmem_wstrb,
62
            output [31:0] dmem_wdata,
63
             input [31:0] dmem_rdata
64
65
     );
            reg mem_wr_enable;
reg [31:0] mem_wr_addr;
66
67
68
69
70
71
72
73
74
75
            reg [31:0] mem_wr_data;
            reg [3:0] mem_wr_strb;
             reg mem_rd_enable;
            reg [31:0] mem_rd_addr;
            reg [4:0] mem_rd_reg;
            reg [4:0] mem_rd_func;
            reg mem_rd_enable_q;
```

```
\frac{76}{77}
               reg [4:0] mem_rd_reg_q;
               reg [4:0] mem_rd_func_q;
 78
79
               // delayed copies of mem_rd
 80
81
82
83
84
85
86
87
88
89
90
               always @(posedge clock) begin
                       if (!stall) begin
                                mem_rd_enable_q <= mem_rd_enable;</pre>
                                mem_rd_reg_q <= mem_rd_reg;</pre>
                                mem_rd_func_q <= mem_rd_func;</pre>
                        end
                       if (reset) begin
                                mem_rd_enable_q <= 0;</pre>
                        end
               end
 91
92
               // memory signals
               assign dmem_valid = mem_wr_enable || mem_rd_enable;
 \tilde{93}
               assign dmem_addr = mem_wr_enable ? mem_wr_addr : mem_rd_enable ? mem_rd_addr : 32'h x
 94
95
96
97
               assign dmem_wstrb = mem_wr_enable ? mem_wr_strb : mem_rd_enable ? 4'h 0 : 4'h x;
               assign dmem_wdata = mem_wr_enable ? mem_wr_data : 32'h x;
               // registers, instruction reg, program counter, next pc
reg [31:0] regfile [0:NUMREGS-1];
 98
 99
               wire [31:0] insn:
100
               reg [31:0] npc;
101
102
               reg [31:0] pc;
103
               reg [31:0] imem_addr_q;
104
105
               always @(posedge clock) begin
106
                       imem_addr_q <= imem_addr;</pre>
107
108
109
               // instruction memory pointer
110
111
               assign imem_addr = (stall || trap || mem_rd_enable_q) ? imem_addr_q : npc;
               assign insn = imem_data;
112
113
               // rs1 and rs2 are source for the instruction
114
115
               wire [31:0] rs1_value = !insn_rs1 ? 0 : regfile[insn_rs1];
wire [31:0] rs2_value = !insn_rs2 ? 0 : regfile[insn_rs2];
116
117
               // components of the instruction
118
               wire [6:0] insn_funct7;
119
               wire [4:0] insn_rs2;
120
               wire [4:0] insn_rs1;
121
               wire [2:0] insn_funct3;
122
               wire [4:0] insn_rd;
123
124
125
               wire [6:0] insn_opcode;
               // split R-type instruction - see section 2.2 of RiscV spec
126
               assign {insn_funct7, insn_rs2, insn_rs1, insn_funct3, insn_rd, insn_opcode} = insn;
127
128
129
               // setup for I, S, B & J type instructions
               // I - short immediates and loads
130
               wire [11:0] imm_i;
131
132
133
134
               assign imm_i = insn[31:20];
               // S - stores
               wire [11:0] imm_s;
135
               assign imm_s[11:5] = insn_funct7, imm_s[4:0] = insn_rd;
136
137
               // B - conditionals
138
               wire [12:0] imm_b;
               assign {imm_b[12], imm_b[10:5]} = insn_funct7, {imm_b[4:1], imm_b[11]} = insn_rd, \hookrightarrow imm_b[0] = 1'b0;
139
```

```
// J - unconditional jumps
              wire [20:0] imm_j;
              assign \{imm_j[20], imm_j[10:1], imm_j[11], imm_j[19:12], imm_j[0]\} = \{insn[31:12], 1'\}
                   → b0);
144
145
146
147
148
149
150
             wire [31:0] imm_i_sext = $signed(imm_i);
             wire [31:0] imm_s_sext = $signed(imm_s);
              wire [31:0] imm_b_sext = $signed(imm_b);
              wire [31:0] imm_j_sext = $signed(imm_j);
              // opcodes - see section 19 of RiscV spec
151
             localparam OPCODE_LOAD = 7'b 00_000_11;
152
              localparam OPCODE_STORE = 7'b 01_000_11;
153
154
155
156
             localparam OPCODE_MADD = 7'b 10_000_11;
             localparam OPCODE_BRANCH = 7'b 11_000_11;
              localparam OPCODE_LOAD_FP = 7'b 00_001_11;
157
              localparam OPCODE_STORE_FP = 7'b 01_001_11;
158
              localparam OPCODE_MSUB = 7'b 10_001_11;
159
              localparam OPCODE_JALR = 7'b 11_001_11;
160
161
              localparam OPCODE_CUSTOM_0 = 7'b 00_010_11;
              localparam OPCODE_CUSTOM_1 = 7'b 01_010_11;
162
              localparam OPCODE_NMSUB = 7'b 10_010_11;
163
164
              localparam OPCODE_RESERVED_0 = 7'b 11_010_11;
165
166
              localparam OPCODE_MISC_MEM = 7'b 00_011_11;
167
              localparam OPCODE_AMO = 7'b 01_011_11;
168
              localparam OPCODE_NMADD = 7'b 10_011_11;
169
              localparam OPCODE_JAL = 7'b 11_011_11;
170
171
              localparam OPCODE_OP_IMM = 7'b 00_100_11;
172
              localparam OPCODE_OP = 7'b 01_100_11;
173
             localparam OPCODE_OP_FP = 7'b 10_100_11;
174
175
              localparam OPCODE_SYSTEM = 7'b 11_100_11;
176
177
             localparam OPCODE_AUIPC = 7'b 00_101_11;
              localparam OPCODE_LUI = 7'b 01_101_11;
              localparam OPCODE_RESERVED_1 = 7'b 10_101_11;
178
179
              localparam OPCODE_RESERVED_2 = 7'b 11_101_11;
180
181
              localparam OPCODE_OP_IMM_32 = 7'b 00_110_11;
182
              localparam OPCODE_OP_32 = 7'b 01_110_11;
183
              localparam OPCODE_CUSTOM_2 = 7'b 10_110_11;
184
185
             localparam OPCODE_CUSTOM_3 = 7'b 11_110_11;
186
187
              // next write, next destination (rd), illegal instruction registers
             reg next_wr;
188
             reg [31:0] next_rd;
189
             reg illinsn;
190
191
             reg trapped;
192
             reg trapped_q;
193
             assign trap = trapped;
194
195
             always @* begin
196
197
                     // advance pc
npc = pc + 4;
198
199
                     // defaults for read, write
200
                     next_wr = 0;
201
                     next_rd = 0;
202
                     illinsn = 0;
203
204
                     mem_wr_enable = 0;
```

```
205
                      mem_wr_addr = 'hx;
                      mem_wr_data = 'hx;
206
207
                      mem_wr_strb = 'hx;
208
209
210
                      mem_rd_enable = 0;
mem_rd_addr = 'hx;
211
                      mem_rd_reg = 'hx;
212
213
                      mem_rd_func = 'hx;
214
                      // act on opcodes
215
                      case (insn_opcode)
216
                              // Load Upper Immediate
                              OPCODE_LUI: begin
217
218
219
                                     next_wr = 1;
next_rd = insn[31:12] << 12;</pre>
220
                              end
221
                              // Add Upper Immediate to Program Counter
222
                              OPCODE_AUIPC: begin
223
                                     next_wr = 1;
224
                                     next_rd = (insn[31:12] << 12) + pc;
225
                              end
226
                              // Jump And Link (unconditional jump)
227
                              OPCODE_JAL: begin
228
                                     next_wr = 1;
                                     next_rd = npc;
229
\tilde{230}
                                     npc = pc + imm_j_sext;
231
                                     if (npc & 32'b 11) begin
232
                                             illinsn = 1;
npc = npc & ~32'b 11;
233
234
235
                              end
236
                              // Jump And Link Register (indirect jump)
237
                              OPCODE_JALR: begin
238
                                     case (insn_funct3)
239
                                             3'b 000 /* JALR */: begin
240
241
242
243
244
245
246
247
                                                     next_wr = 1;
                                                     next_rd = npc;
                                                     npc = (rs1_value + imm_i_sext) & ~32'b 1;
                                             end
                                             default: illinsn = 1;
                                      endcase
                                     if (npc & 32'b 11) begin
                                             illinsn = 1;
                                             npc = npc & ~32'b 11;
249
250
                                     end
                              end
\tilde{251}
                              // branch instructions: Branch If Equal, Branch Not Equal, Branch Less
                                    \hookrightarrow Than, Branch Greater Than, Branch Less Than Unsigned, Branch
                                    \hookrightarrow Greater Than Unsigned
252
                              OPCODE_BRANCH: begin
253
                                     case (insn_funct3)
254
                                             3'b 000 /* BEQ */: begin if (rs1_value == rs2_value) npc
                                                   → = pc + imm_b_sext; end
255
                                             3'b 001 /* BNE */: begin if (rs1_value != rs2_value) npc
                                                   256
                                             3'b 100 /* BLT */: begin if ($signed(rs1_value) <

    $signed(rs2_value)) npc = pc + imm_b_sext; end

                                             3'b 101 /* BGE */: begin if ($signed(rs1_value) >=
257
                                                   \hookrightarrow $signed(rs2_value)) npc = pc + imm_b_sext; end
258
                                             3'b 110 /* BLTU */: begin if (rs1_value < rs2_value) npc
                                                   → = pc + imm_b_sext; end
                                             3'b 111 /* BGEU */: begin if (rs1_value >= rs2_value)
259
                                                   → npc = pc + imm_b_sext; end
260
                                             default: illinsn = 1;
261
                                      endcase
262
                                     if (npc & 32'b 11) begin
263
                                             illinsn = 1;
```

```
264
265
                                       npc = npc & ~32'b 11;
                                 end
266
                          end
267
                          // load from memory into rd: Load Byte, Load Halfword, Load Word, Load
                               \hookrightarrow Byte Unsigned, Load Halfword Unsigned
268
                          OPCODE_LOAD: begin
269
270
                                 mem_rd_addr = rs1_value + imm_i_sext;
                                 casez ({insn_funct3, mem_rd_addr[1:0]})
271
                                       5'b 000_zz /* LB */,
272
                                       5'b 001_z0 /* LH */,
273
                                       5'b 010_00 /* LW */,
274
                                       5'b 100_zz /* LBU */,
275
                                       5'b 101_z0 /* LHU */: begin
276
                                              mem_rd_enable = 1;
277
                                              mem_rd_reg = insn_rd;
278
                                              mem_rd_func = {mem_rd_addr[1:0], insn_funct3};
\tilde{279}
                                              mem_rd_addr = {mem_rd_addr[31:2], 2'b 00};
280
                                        end
281
                                       default: illinsn = 1;
282
                                 endcase
283
                          end
284
                          // store to memory instructions: Store Byte, Store Halfword, Store Word
285
                          OPCODE_STORE: begin
286
                                mem wr addr = rs1 value + imm s sext:
287
                                 288
289
                                       5'b 001_z0 /* SH */,
290
                                       5'b 010_00 /* SW */: begin
291
                                              mem_wr_enable = 1;
292
                                              mem_wr_data = rs2_value;
293
                                              mem_wr_strb = 4'b 1111;
294
                                              case (insn_funct3)
295
                                                     3'b 000 /* SB */: begin mem_wr_strb = 4'b
                                                          → 0001; end
296
                                                     3'b 001 /* SH */: begin mem_wr_strb = 4'b
                                                          → 0011; end
297
                                                     3'b 010 /* SW */: begin mem_wr_strb = 4'b
                                                          → 1111; end
298
                                              endcase
299
                                              mem_wr_data = mem_wr_data << (8*mem_wr_addr[1:0])
200
                                               mem_wr_strb = mem_wr_strb << mem_wr_addr[1:0];</pre>
301
                                              mem_wr_addr = {mem_wr_addr[31:2], 2'b 00};
302
303
                                       default: illinsn = 1;
304
                                 endcase
305
                          end
306
                          // immediate ALU instructions: Add Immediate, Set Less Than Immediate,
                               \hookrightarrow Set Less Than Immediate Unsigned, XOR Immediate,
307
                          // OR Immediate, And Immediate, Shift Left Logical Immediate, Shift
                               \hookrightarrow Right Logical Immediate, Shift Right Arithmetic Immediate
308
                          OPCODE_OP_IMM: begin
309
                                 casez ({insn_funct7, insn_funct3})
310
                                       10'b zzzzzzz_000 /* ADDI */: begin next_wr = 1; next_rd
                                             311
                                        10'b zzzzzzz_010 /* SLTI */: begin next_wr = 1; next_rd
                                            312
                                        10'b zzzzzzz_011 /* SLTIU */: begin next_wr = 1; next_rd
                                            313
                                        10'b zzzzzzz_100 /* XORI */: begin next_wr = 1; next_rd
                                            314
                                        10'b zzzzzz_110 /* ORI */: begin next_wr = 1; next_rd =

→ rs1_value | imm_i_sext; end

315
                                        10'b zzzzzz_111 /* ANDI */: begin next_wr = 1; next_rd
                                             316
                                        10'b 0000000_001 /* SLLI */: begin next_wr = 1; next_rd
                                             \hookrightarrow = rs1_value << insn[24:20]; end
```

```
317
                                          10'b 0000000_101 /* SRLI */: begin next_wr = 1; next_rd
                                               \hookrightarrow = rs1_value >> insn[24:20]; end
318
                                          10'b 0100000_101 /* SRAI */: begin next_wr = 1; next_rd
                                               319
                                          default: illinsn = 1;
320
                                   endcase
321
                            end
322
                           OPCODE_OP: begin
323
                           // ALU instructions: Add, Subtract, Shift Left Logical, Set Left Than,
                                   Set Less Than Unsigned, XOR, Shift Right Logical,
324
325
                            // Shift Right Arithmetic, OR, AND
                                   case ({insn_funct7, insn_funct3})
326
                                          10'b 0000000_000 /* ADD */: begin next_wr = 1; next_rd =
                                                 rs1_value + rs2_value; end
                                          10'b 0100000_000 /* SUB */: begin next_wr = 1; next_rd =
327
                                               → rs1_value - rs2_value; end
328
                                          10'b 0000000_001 /* SLL */: begin next_wr = 1; next_rd =
                                          329
                                               \hookrightarrow $signed(rs1_value) < $signed(rs2_value); end
330
                                          10'b 0000000_011 /* SLTU */: begin next_wr = 1; next_rd
                                               \hookrightarrow = rs1_value < rs2_value; end
331
                                          10'b 0000000_100 /* XOR */: begin next_wr = 1; next_rd =

→ rs1_value ^ rs2_value; end

332
                                          10'b 0000000_101 /* SRL */: begin next_wr = 1; next_rd =
                                                → rs1_value >> rs2_value[4:0]; end
333
                                          10'b 0100000_101 /* SRA */: begin next_wr = 1; next_rd =
                                                \hookrightarrow $signed(rs1_value) >>> rs2_value[4:0]; end
334
                                          10'b 0000000_110 /* OR */: begin next_wr = 1; next_rd =
                                               → rs1_value | rs2_value; end
335
                                          10'b 0000000_111 /* AND */: begin next_wr = 1; next_rd =

→ rs1_value & rs2_value; end

336
                                          default: illinsn = 1;
337
                                   endcase
338
                            end
339
                           default: illinsn = 1;
340
341
342
                    endcase
                    // if last cycle was a memory read, then this cycle is the 2nd part of it and
                           → imem_data will not be a valid instruction
343
344
345
346
347
348
350
351
352
                    if (mem_rd_enable_q) begin
                           npc = pc;
                           next_wr = 0;
                           illinsn = 0;
                           mem_rd_enable = 0;
                           mem_wr_enable = 0;
                    end
                    // reset
                    if (reset || reset_q) begin
353
                           npc = RESET_ADDR;
                           next_wr = 0;
355
                           illinsn = 0;
356
                           mem_rd_enable = 0;
357
                           mem_wr_enable = 0;
358
                    end
359
             end
360
361
             reg reset_q;
362
             reg [31:0] mem_rdata;
363
      'ifdef NERV_RVFI
364
             reg rvfi_pre_valid;
365
             reg [ 4:0] rvfi_pre_rd_addr;
366
             reg [31:0] rvfi_pre_rd_wdata;
367
      'endif
368
369
             // mem read functions: Lower and Upper Bytes, signed and unsigned
```

```
370
              always @* begin
371
                      mem_rdata = dmem_rdata >> (8*mem_rd_func_q[4:3]);
372
                      case (mem_rd_func_q[2:0])
373
                              3'b 000 /* LB */: begin mem_rdata = $signed(mem_rdata[7:0]); end
374
375
                              3'b 001 /* LH */: begin mem_rdata = $signed(mem_rdata[15:0]); end
                              3'b 100 /* LBU */: begin mem_rdata = mem_rdata[7:0]; end
376
377
                              3'b 101 /* LHU */: begin mem_rdata = mem_rdata[15:0]; end
                      endcase
378
379
              end
380
              // every cycle
381
              always @(posedge clock) begin
382
                      reset_q <= reset;
383
                      trapped_q <= trapped;</pre>
384
385
                      // increment pc if possible
386
                      if (!trapped && !stall && !reset && !reset_q) begin
387
                              if (illinsn)
388
                                      trapped <= 1;</pre>
389
                              pc <= npc;
390
       'ifdef NERV_RVFI
391
                              rvfi_pre_valid <= !mem_rd_enable_q;</pre>
392
                              rvfi_order <= rvfi_order + 1;</pre>
393
                              rvfi_insn <= insn;
394
                              rvfi_trap <= illinsn;</pre>
395
                              rvfi_halt <= illinsn;</pre>
396
397
                              rvfi_intr <= 0;</pre>
                              rvfi_mode <= 3;</pre>
398
                              rvfi_ixl <= 1;
399
                              rvfi_rs1_addr <= insn_rs1;</pre>
400
401
402
                              rvfi_rs2_addr <= insn_rs2;</pre>
                              rvfi_rs1_rdata <= rs1_value;</pre>
                              rvfi_rs2_rdata <= rs2_value;
403
                              rvfi_pre_rd_addr <= next_wr ? insn_rd : 0;</pre>
404
405
405
                              rvfi_pre_rd_wdata <= next_wr && insn_rd ? next_rd : 0;</pre>
                              rvfi_pc_rdata <= pc;</pre>
406
                              rvfi_pc_wdata <= npc;
407
                              if (dmem_valid) begin
408
                                      rvfi_mem_addr <= dmem_addr;</pre>
409
                                      case ({mem_rd_enable, insn_funct3})
410
                                              4'b 1_000 /* LB */: begin rvfi_mem_rmask <= 4'b 0001 <<
                                                     → mem_rd_func[4:3]; end
411
                                              4'b 1_001 /* LH */: begin rvfi_mem_rmask <= 4'b 0011 <<
                                                    → mem_rd_func[4:3]; end
412
                                              4'b 1_010 /* LW */: begin rvfi_mem_rmask <= 4'b 1111 <<

→ mem_rd_func[4:3]; end
413
                                              4'b 1_100 /* LBU */: begin rvfi_mem_rmask <= 4'b 0001 <<
                                                    → mem_rd_func[4:3]; end
414
                                              4'b 1_101 /* LHU */: begin rvfi_mem_rmask <= 4'b 0011 <<
                                                    → mem_rd_func[4:3]; end
415
416
                                              default: rvfi_mem_rmask <= 0;</pre>
                                      endcase
417
418
                                      rvfi_mem_wmask <= dmem_wstrb;</pre>
                                      rvfi_mem_wdata <= dmem_wdata;</pre>
419
420
421
422
423
424
425
427
                              end else begin
                                      rvfi_mem_addr <= 0;</pre>
                                      rvfi_mem_rmask <= 0;</pre>
                                      rvfi_mem_wmask <= 0;
                                      rvfi_mem_wdata <= 0;
                              end
       'endif
                              // update registers from memory or rd (destination)
                              if (mem_rd_enable_q || next_wr)
428
                                      regfile[mem_rd_enable_q ? mem_rd_reg_q : insn_rd] <=</pre>
                                             → mem_rd_enable_q ? mem_rdata : next_rd;
429
                      end
```

```
// reset
                          if (reset || reset_q) begin
                                   pc <= RESET_ADDR - (reset ? 4 : 0);</pre>
                                    trapped <= 0;
        'ifdef NERV_RVFI
                                    rvfi_pre_valid <= 0;
                                    rvfi_order <= 0;
        'endif
                          end
                 end
        'ifdef NERV_RVFI
                 always @* begin
                          if (mem_rd_enable_q) begin
                                   rvfi_rd_addr = mem_rd_reg_q;
                                   rvfi_rd_wdata = mem_rd_reg_q ? mem_rdata : 0;
                           end else begin
                                   rvfi_rd_addr = rvfi_pre_rd_addr;
                                   rvfi_rd_wdata = rvfi_pre_rd_wdata;
                          end
                          rvfi_valid = rvfi_pre_valid && !stall && !reset && !reset_q && !trapped_q;
                          rvfi_mem_rdata = dmem_rdata;
                 end
         endif
        'ifdef NERV_DBGREGS
                 wire [31:0] dbg_reg_x0 = 0;
                 wire [31:0] dbg_reg_x1 = regfile[1];
                 wire [31:0] dbg_reg_x2 = regfile[2];
                 wire [31:0] dbg_reg_x3 = regfile[3];
                wire [31:0] dbg_reg_x4 = regfile[4];
wire [31:0] dbg_reg_x5 = regfile[5];
461
462
463
464
465
467
                wire [31:0] dbg_reg_x6 = regfile[6];
wire [31:0] dbg_reg_x7 = regfile[7];
wire [31:0] dbg_reg_x8 = regfile[8];
wire [31:0] dbg_reg_x9 = regfile[9];
                 wire [31:0] dbg_reg_x10 = regfile[10];
468
469
471
472
473
475
476
478
481
481
                 wire [31:0] dbg_reg_x11 = regfile[11];
                 wire [31:0] dbg_reg_x12 = regfile[12];
                 wire [31:0] dbg_reg_x13 = regfile[13];
                 wire [31:0] dbg_reg_x14 = regfile[14];
                 wire [31:0] dbg_reg_x15 = regfile[15];
                 wire [31:0] dbg_reg_x16 = regfile[16];
                wire [31:0] dbg_reg_x17 = regfile[17];
wire [31:0] dbg_reg_x18 = regfile[18];
wire [31:0] dbg_reg_x19 = regfile[19];
                 wire [31:0] dbg_reg_x20 = regfile[20];
                 wire [31:0] dbg_reg_x21 = regfile[21];
                 wire [31:0] dbg_reg_x22 = regfile[22];
                 wire [31:0] dbg_reg_x23 = regfile[23];
                 wire [31:0] dbg_reg_x24 = regfile[24];
                 wire [31:0] dbg_reg_x25 = regfile[25];
                wire [31:0] dbg_reg_x26 = regfile[26];
wire [31:0] dbg_reg_x27 = regfile[27];
483
484
485
486
487
488
489
490
                wire [31:0] dbg_reg_x28 = regfile[28];
wire [31:0] dbg_reg_x29 = regfile[29];
                 wire [31:0] dbg_reg_x30 = regfile[30];
                 wire [31:0] dbg_reg_x31 = regfile[31];
        'endif
        endmodule
```

Listing E.15: Listing Verilog Model of testbench.

```
1 /* 2 * NERV -- Naive Educational RISC-V Processor
```

```
* Copyright (C) 2020 N. Engelhardt <nak@yosyshq.com>
 456789
      *\ \textit{Permission to use, copy, modify, and/or distribute this software for any}
      st purpose with or without fee is hereby granted, provided that the above
      * copyright notice and this permission notice appear in all copies.
10
      * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
      * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
      * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
      * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
15
      * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
      * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
17
      * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
     module testbench;
     localparam TIMEOUT = (1<<10);</pre>
     reg clock;
     wire LEDR_N, LEDG_N, LED1, LED2, LED3, LED4, LED5;
     always #5 clock = clock === 1'b0;
     top dut (
             .CLK(clock),
             .LEDR_N(LEDR_N),
             .LEDG_N(LEDG_N),
             .LED1(LED1),
             .LED2(LED2),
             .LED3(LED3),
             .LED4(LED4),
             .LED5(LED5)
     );
     initial begin
             if ($test$plusargs("vcd")) begin
                    $dumpfile("testbench.vcd");
                    $dumpvars(0, testbench);
             end
     end
     reg [31:0] cycles = 0;
     always @(posedge\ clock) begin
             cycles <= cycles + 32'h1;
             if (cycles >= TIMEOUT) begin
                    $display("Simulated %Od cycles", cycles);
                    $finish;
     end
     endmodule
```

Listing E.16: Listing Verilog Model of testbench.

```
1 /*
2 * NERV -- Naive Educational RISC-V Processor
3 *
4 * Copyright (C) 2020 N. Engelhardt <nak@yosyshq.com>
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
```

```
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
      * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
      * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
      *\ \textit{ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES}
14
15
      * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
      st ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
      * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18
module testbench;
     localparam TIMEOUT = (1<<10);</pre>
     reg clock;
     wire LEDR_N, LEDG_N, LED1, LED2, LED3, LED4, LED5;
     always #5 clock = clock === 1'b0;
     top dut (
             .CLK(clock),
             .LEDR_N(LEDR_N),
             .LEDG_N(LEDG_N),
             .LED1(LED1),
             .LED2(LED2),
             .LED3(LED3).
             .LED4(LED4),
             .LED5(LED5)
     initial begin
             if ($test$plusargs("vcd")) begin
                    $dumpfile("testbench.vcd");
                    $dumpvars(0, testbench);
             end
     end
     reg [31:0] cycles = 0;
     always @(posedge clock) begin
             cycles <= cycles + 32'h1;
             if (cycles >= TIMEOUT) begin
                    $display("Simulated %Od cycles", cycles);
                    $finish:
             end
     end
     endmodule
```

Listing E.17: Listing Verilog Model of wrapper.

```
/*

* NERV -- Naive Educational RISC-V Processor

*

* Copyright (C) 2020 Claire Xenia Wolf <claire@yosyshq.com>

*

* Permission to use, copy, modify, and/or distribute this software for any

* purpose with or without fee is hereby granted, provided that the above

* copyright notice and this permission notice appear in all copies.

*

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* **

* *
```

```
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
      * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
     module rvfi_wrapper (
            input clock,
            input reset,
             'RVFI_OUTPUTS
     );
             (* keep *) 'rvformal_rand_reg stall;
             (* keep *) 'rvformal_rand_reg [31:0] imem_data;
            (* keep *) 'rvformal_rand_reg [31:0] dmem_rdata;
             (* keep *) wire [31:0] imem_addr;
            (* keep *) wire dmem_valid;
             (* keep *) wire [31:0] dmem_addr;
             (* keep *) wire [ 3:0] dmem_wstrb;
            (* keep *) wire [31:0] dmem_wdata;
            nerv uut (
                    .clock (clock ),
                    .reset (reset ),
                    .stall (stall ),
                    .imem_addr (imem_addr ),
                    .imem_data (imem_data ),
                    .dmem_valid (dmem_valid),
                    .dmem_addr (dmem_addr ),
                    .dmem_wstrb (dmem_wstrb),
                    .dmem_wdata (dmem_wdata),
                    .dmem_rdata (dmem_rdata),
                    'RVFI_CONN
            );
     'ifdef NERV_FAIRNESS
            reg [2:0] stalled = 0;
            always @(posedge clock) begin
                    stalled <= {stalled, stall};
                    assume (~stalled);
            end
     'endif
60
     endmodule
```

Listing E.18: Listing Verilog Model of instrumentation\_impl.

```
module Is_Ch_Tripped
23456789
10
         #(localparam Log2Modes = 2)
         ( input logic [Log2Modes - 1:0] mode,
           input logic sensor_tripped,
           output logic out
        assign out = (mode == 2) || ((mode == 1) & sensor_tripped);
     module Generate_Sensor_Trips
11
12
13
         #(localparam NChannels = 3)
         ( input logic [NChannels * 32 - 1:0] vals,
           input logic [NChannels * 32 - 1:0] setpoints,
14
15
           output logic [NChannels - 1:0] out
         );
16
        for (ch = 0; ch < NChannels; ch = ch + 1) begin
```

#### Listing E.19: Listing Verilog Model of testbench.

```
23456789
      * NERV -- Naive Educational RISC-V Processor
      * Copyright (C) 2020 N. Engelhardt <nak@yosyshq.com>
      st Permission to use, copy, modify, and/or distribute this software for any
      * purpose with or without fee is hereby granted, provided that the above
      * copyright notice and this permission notice appear in all copies.
      * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
      * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
      * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
14
15
16
17
      * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
      * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
      * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
      * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
189012234567899013333336789901423445647890
     module testbench;
     localparam TIMEOUT = (1<<10);</pre>
     reg clock;
     wire LEDR_N, LEDG_N, LED1, LED2, LED3, LED4, LED5;
     always #5 clock = clock === 1'b0;
     top dut (
             .CLK(clock),
             .LEDR_N(LEDR_N),
             .LEDG_N(LEDG_N),
             .LED1(LED1),
             .LED2(LED2).
             .LED3(LED3),
             .LED4(LED4),
             .LED5(LED5)
     );
     initial begin
             if ($test$plusargs("vcd")) begin
                     $dumpfile("testbench.vcd");
                     $dumpvars(0, testbench);
             end
     end
     reg [31:0] cycles = 0;
     always @(posedge clock) begin
             cycles <= cycles + 32'h1;
             if (cycles >= TIMEOUT) begin
```

#### Listing E.20: Listing Verilog Model of nervsoc.

```
1234567
      * NERV -- Naive Educational RISC-V Processor
      * Copyright (C) 2020 Claire Xenia Wolf <claire@yosyshq.com>
      st Permission to use, copy, modify, and/or distribute this software for any
      * purpose with or without fee is hereby granted, provided that the above
 .
8
9
      * copyright notice and this permission notice appear in all copies.
10
      * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
12
      * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
      * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
15
       * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
      * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
      * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
module nervsoc (
             input clock,
             input reset,
             output reg [31:0] leds
     );
             reg [31:0] imem [0:1023];
             reg [31:0] dmem [0:1023];
             wire stall = 0:
             wire trap;
             wire [31:0] imem_addr;
             reg [31:0] imem_data;
             wire dmem_valid;
             wire [31:0] dmem_addr;
             wire [3:0] dmem_wstrb;
             wire [31:0] dmem_wdata;
             reg [31:0] dmem_rdata;
             initial begin
                     $readmemh("firmware.hex", imem);
             end
             always @(posedge clock)
                     imem_data <= imem[imem_addr[31:2]];</pre>
             always @(posedge clock) begin
                     if (dmem_valid) begin
                             if (dmem_addr == 32'h 0100_0000) begin
                                    if (dmem_wstrb[0]) leds[ 7: 0] <= dmem_wdata[ 7: 0];
                                     if (dmem_wstrb[1]) leds[15: 8] <= dmem_wdata[15: 8];</pre>
                                    if (dmem_wstrb[2]) leds[23:16] <= dmem_wdata[23:16];</pre>
                                    if (dmem_wstrb[3]) leds[31:24] <= dmem_wdata[31:24];</pre>
                             end else begin
                                     if (dmem_wstrb[0]) dmem[dmem_addr[31:2]][ 7: 0] <= dmem_wdata[</pre>
                                           → 7: 0];
```

```
56
                                     if (dmem_wstrb[1]) dmem[dmem_addr[31:2]][15: 8] <= dmem_wdata</pre>
                                           57
                                     if (dmem_wstrb[2]) dmem[dmem_addr[31:2]][23:16] <= dmem_wdata

→ [23:16]:

58
                                     if (dmem_wstrb[3]) dmem[dmem_addr[31:2]][31:24] \leftarrow dmem_wdata

→ [31:24];
59
                             end
60
                             dmem_rdata <= dmem[dmem_addr[31:2]];</pre>
61
                     end
62
             end
             nerv cpu (
                     .clock (clock ),
66
                     .reset (reset ),
67
68
69
70
71
72
73
74
75
76
77
78
                     .stall (stall ),
                     .trap (trap ),
                     .imem_addr (imem_addr ),
                     .imem_data (imem_data ),
                     .dmem_valid(dmem_valid),
                     .dmem_addr (dmem_addr ),
                     .dmem_wstrb(dmem_wstrb),
                     .dmem_wdata(dmem_wdata),
                     .dmem_rdata(dmem_rdata)
             ):
     endmodule
```

# E.8 BlueSpec Implementations

Listing E.21: Listing Verilog Model of FpgaTop.

```
1234567
       import NervSoC :: *;
      import I2C :: *;
      import RS232 :: *;
      import GetPut::*;
      interface FpgaTop_IFC;
    (* prefix = "" *)
           interface RS232 rs232;
//(* prefix = "" *)
10
11
12
           //interface I2C_Pins i2c;
13
14
15
16
17
           (* always_ready *)
           method Bit#(8) leds();
       endinterface
       (* synthesize *)
18
      module mkFpgaTop_IFC(FpgaTop_IFC);
           // Divisor of 10 for baudrate of 76800
UART #(4) uart <- mkUART(8, NONE, STOP_1, 10);
19
20
21
22
23
24
25
26
27
           /\!/I2CController \;\#(1)\;\;i2c\_controller \;\gets \;mkI2CController();
           NervSoC_IFC nerv_soc <- mkNervSoC;</pre>
           rule uart_transmit;
               let val <- nerv_soc.get_uart_tx_byte();</pre>
                uart.rx.put(val);
28
29
           Reg #(Bit #(12)) rg_console_in_poll <- mkReg (0);</pre>
```

Listing E.22: Listing Verilog Model of Actuation\_Generated\_BVI.

```
123456789
     package Actuation_Generated_BVI;
      import Clocks :: *;
      import Actuation::*;
      (* synthesize *)
     module mkActuationGenerated(Actuation_IFC);
         ActuationD0_IFC a0 <- mkActuationGeneratedD0();</pre>
         ActuationD1_IFC a1 <- mkActuationGeneratedD1();</pre>
10
11
         interface ActuationD0_IFC d0;
             method actuate_d0 = a0.actuate_d0();
          endinterface
         interface ActuationD1_IFC d1;
             method actuate_d1 = a1.actuate_d1();
16
17
18
19
20
21
22
23
24
25
26
27
28
29
31
32
33
34
35
37
         endinterface
     endmodule
     import "BVI" Actuate_D0 =
     module mkActuationGeneratedD0 (ActuationD0_IFC);
         default_clock ();
         default_reset ();
         method out actuate_d0 (trips, old);
         schedule (actuate_d0) CF (actuate_d0);
     endmodule
     import "BVI" Actuate_D1 =
     module mkActuationGeneratedD1 (ActuationD1_IFC);
         default_clock ();
         default_reset ();
         method out actuate_d1 (trips, old);
         schedule (actuate_d1) CF (actuate_d1);
      endmodule
      endpackage
```

Listing E.23: Listing Verilog Model of Nerv\_BVI.

```
1 // Copyright (c) 2022 Rishiyur S. Nikhil 2 package Nerv_BVI;
```

```
/\!/\ \mathit{Module\ mkNerv\_BVI\ imports\ the\ SystemVerilog\ module\ nerv.sv\ so\ that}
     // it can be used in BSV.
     // nerv.sv is from: https://github.com/YosysHQ/nerv
10
11
     // Import from BSV library
12
13
14
15
     import Clocks :: *;
16
     // BSV "raw" interface for nerv.sv (nerv CPU)
17
18
19
     interface Nerv_BVI_IFC;
        (* always_ready, always_enabled *)
20
        method Action m_stall (Bool b);
21
22
        (* always_ready *)
       method Bool m_trap;
23
24
25
26
27
28
        (* always_ready *)
        method Bit #(32) m_imem_addr;
        (* always_ready, always_enabled *)
       method Action m_imem_data (Bit #(32) xi);
29
        (* always_ready *)
method Bool m_dmem_valid;
        (* always_ready *)
        method Bit #(32) m_dmem_addr;
        (* always_ready *)
        method Bit #(4) m_dmem_wstrb;
        (* always_ready *)
        method Bit #(32) m_dmem_wdata;
        (* always_ready, always_enabled *)
        method Action m_dmem_rdata (Bit #(32) xd);
     endinterface
     // -----
     import "BVI" nerv =
     module mkNerv_BVI (Nerv_BVI_IFC);
        default_clock (clock);
        // BSV's default reset (including this module's reset) is active low
        // The imported nerv.sv's reset is active high.
        default_reset (reset) <- invertCurrentReset;</pre>
        method m_stall (stall) enable ((*inhigh*) ENO); // BSV -> Verilog
        method trap m_trap; // BSV <- Verilog</pre>
        method imem_addr m_imem_addr; // BSV <- Verilog</pre>
        method m_imem_data (imem_data) enable ((*inhigh*) EN1); // BSV -> Verilog
        method dmem_valid m_dmem_valid; // BSV <- Verilog</pre>
        method dmem_addr m_dmem_addr; // BSV <- Verilog</pre>
        method dmem_wstrb m_dmem_wstrb; // BSV <- Verilog</pre>
        method dmem_wdata m_dmem_wdata; // BSV <- Verilog method m_dmem_rdata (dmem_rdata) enable ((*inhigh*) EN2); // BSV -> Verilog
60
61
62
63
        \frac{64}{65}
        // This is ok if everything is registered, but dicey if there are
        // combinational paths weaving in and out of the module.
66
          schedule
67
          (m_stall,
68
           m_trap,
69
           m_imem_addr,
           m_imem_data,
```

## Listing E.24: Listing Verilog Model of Nerv.

```
// Copyright (c) 2022 Rishiyur S. Nikhil
 1234567
     package Nerv;
     // Module mkNerv is a thin wrapper around mkNerv_BVI to make DMem
     // outputs (strobe and data) into a struct
8
9
10
11
12
13
14
15
     // Import from BSV library
     // Local imports
16
17
     import Nerv_BVI :: *;
// Interface for nerv as we might like to see it in {\it BSV}
     typedef struct {
        Bit #(4) wstrb;
        Bit #(32) wdata;
     DmemWrite
     deriving (Bits, Eq, FShow);
     interface Nerv_IFC;
        (* always_ready, always_enabled *)
        method Action m_stall (Bool b);
        (* always_ready *)
        method Bool m_trap;
        (* always_ready *)
        method Bit #(32) m_imem_addr;
        (* always_ready, always_enabled *)
        method Action m_imem_data (Bit #(32) xi);
        method Bit #(32) m_dmem_addr;
        method DmemWrite m_get_dmem;
        (* always_ready, always_enabled *)
        method Action m_dmem_rdata (Bit #(32) xd);
```

```
467
489
490
553
555
560
560
       method Bool m_dmem_valid;
     endinterface
     // -----
     (* synthesize *)
    module mkNerv (Nerv_IFC);
       Nerv_BVI_IFC nerv_BVI <- mkNerv_BVI;</pre>
       method Action m_stall (Bool b) = nerv_BVI.m_stall (b);
       method Bool m_trap = nerv_BVI.m_trap;
       method Bool m_dmem_valid = nerv_BVI.m_dmem_valid;
61
       method Bit #(32) m_imem_addr = nerv_BVI.m_imem_addr;
62
       method Action m_imem_data (Bit #(32) xi) = nerv_BVI.m_imem_data (xi);
63
64
65
       method Bit #(32) m_dmem_addr () if (nerv_BVI.m_dmem_valid);
         return nerv_BVI.m_dmem_addr;
66
       endmethod
67
68
       method DmemWrite m_get_dmem () if (nerv_BVI.m_dmem_valid);
69
         return DmemWrite {wstrb: nerv_BVI.m_dmem_wstrb,
70
71
72
73
74
75
76
77
78
                         wdata: nerv_BVI.m_dmem_wdata};
       method Action m_dmem_rdata (Bit #(32) xd) = nerv_BVI.m_dmem_rdata (xd);
     // -----
     endpackage
```

Listing E.25: Listing Verilog Model of Instrumentation\_Handwritten\_BVI.

```
package Instrumentation_Handwritten_BVI;
23456789
10
      import Clocks :: *;
      import Instrumentation::*;
      (* synthesize *)
     module mkInstrumentationHandwritten(Instrumentation_IFC);
         ChannelTripped_IFC i_channel <- mkInstrHandwrittenIsChannelTripped();</pre>
         SensorTrips_IFC i_sensors <- mkInstrHandwrittenGenerateSensorTrips();</pre>
11
         interface ChannelTripped_IFC channel;
12
             method is_channel_tripped = i_channel.is_channel_tripped();
13
14
15
16
17
         endinterface
         interface SensorTrips_IFC sensors;
             method generate_sensor_trips = i_sensors.generate_sensor_trips();
         {\tt endinterface}
     endmodule
18
19
20
21
22
23
24
25
26
27
28
29
     import "BVI" Is_Ch_Tripped_Handwritten =
     module mkInstrHandwrittenIsChannelTripped (ChannelTripped_IFC);
         default_clock ();
         default reset ():
         method out is_channel_tripped (mode, sensor_tripped);
         schedule (is_channel_tripped) CF (is_channel_tripped);
     endmodule
     import "BVI" Generate_Sensor_Trips_Handwritten =
     module mkInstrHandwrittenGenerateSensorTrips (SensorTrips_IFC);
30
         default_clock ();
```

## Listing E.26: Listing Verilog Model of Instrumentation.

```
package Instrumentation;
 234567
     import Vector :: *;
     // Instrumentation interface
     interface Instrumentation IFC:
         interface ChannelTripped_IFC channel;
8
9
10
11
12
13
14
15
         interface SensorTrips_IFC sensors;
     endinterface
      // Sub-interface for each implemented function
     interface ChannelTripped_IFC;
         (* always_ready *)
         method Bool is_channel_tripped (Bit#(2) mode,
                                         Bool sensor_tripped);
16
17
18
19
20
21
22
23
24
     endinterface
     interface SensorTrips_IFC;
         (* always_ready *)
         method Bit#(3) generate_sensor_trips (Vector#(3, Bit#(32)) vals,
                                               Vector#(3, Bit#(32)) setpoints);
      endpackage
```

#### Listing E.27: Listing Verilog Model of Top.

```
28
29
                                                                                                                                                           Bit #(8) data);
30
31
32
33
34
35
36
37
             (* clock_prefix="CLK", reset_prefix="RST_N" *)
             (* synthesize *)
             module mkTop (Empty);
                    Reg #(Bit #(8)) rg_gpio <- mkReg (0);</pre>
                    NervSoC_IFC nerv_soc <- mkNervSoC;</pre>
38
39
41
42
44
45
47
                    // I/O peripherals
                    // @podhrmic TODO: check the prescalers
                    // and look into proper use of I2C module
                   I2CController #(1) i2c_controller <- mkI2CController();
UART #(4) uart <- mkUART(8, NONE, STOP_1, 16);</pre>
                    //uart.RS232.sout ?
                    // Based on https://github.com/bluespec/Piccolo/blob/master/src_Testbench/Top/Top_HW_Side.
48
49
50
                    \begin{tabular}{ll} \beg
                    // Note: rg_console_in_poll is used to poll only every N cycles, whenever it wraps around
                                 \hookrightarrow to 0.
51
52
53
54
55
56
57
58
                    // Note: if the SoC starts dropping bytes, try increasing the register size \,
                    Reg #(Bit #(12)) rg_console_in_poll <- mkReg (0);</pre>
              'ifdef SIMULATION
                    begin
                    rule uart_rx;
                          if (rg_console_in_poll == 0) begin
                                 Bit #(8) ch <- c_trygetchar (?);
                                 if (ch != 0) begin
 59
                                       nerv_soc.set_uart_rx_byte(ch);
60
                                 end
61
                           end
62
63
                          rg_console_in_poll <= rg_console_in_poll + 1;</pre>
                    endrule
64
65
                    end
              'else
66
                    // FPGA
 67
                    begin
 68
                    rule uart_rx;
 69
                          if (rg_console_in_poll == 0) begin
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
                                 Bit #(8) ch <- uart.tx.get();
                                 if (ch != 0) begin
                                       nerv_soc.set_uart_rx_byte(ch);
                                 end
                          end
                          rg_console_in_poll <= rg_console_in_poll + 1;</pre>
                    endrule
              'endif
                   rule uart_tx;
  let val <- nerv_soc.get_uart_tx_byte();</pre>
              'ifdef SIMULATION
                          c_putchar(val);
              'else
                          uart.rx.put(val);
              'endif
                    endrule
88
89
                    Reg #(Bit #(8)) rg_i2c_resp <- mkRegU();</pre>
 90
                    Reg #(Bool) rg_i2c_complete <- mkReg(False);</pre>
                    rule i2c_request(!rg_i2c_complete);
```

```
92
             let request <- nerv_soc.i2c_get_request();</pre>
 93
             let val <- c_i2c_request(request.address, request.data);</pre>
 94
95
             rg_i2c_resp <= val;
             rg_i2c_complete <= True;</pre>
 96
97
          endrule
 98
          rule i2c_response(rg_i2c_complete);
 99
            let response = I2CResponse { data: rg_i2c_resp};
100
             nerv_soc.i2c_give_response(response);
101
            rg_i2c_complete <= False;
102
          endrule
103
104
105
          rule rl_leds;
            let gpio = nerv_soc.gpio;
if (gpio != rg_gpio) $display ("GPIO: %032b", gpio);
106
107
            rg_gpio <= gpio;
108
          endrule
109
110
       endmodule
111
112
```

#### Listing E.28: Listing Verilog Model of NervSoC.

```
// Copyright (c) 2022 Rishiyur S. Nikhil, Michal Podhradsky
    package NervSoC;
 2345678
    // Module mkNervSoC is a BSV version of nervsoc.sv
    /\!/ nervsoc.sv \ is \ from: \ https://github.com/YosysHQ/nerv
    // -----
    // Import from BSV library
    import RegFile :: *;
    import Vector :: *;
13
    import I2C :: *;
14
15
    import BRAM :: *;
    import BRAMCore :: *;
16
17
    // -----
18
    // Local imports
19
    import Nerv :: *;
20
    import Instrumentation::*;
21
22
23
24
25
    import Instrumentation_Handwritten_BVI::*;
    import Instrumentation_Generated_BVI::*;
    import Actuation::*;
    import Actuation_Generated_BVI::*;
    // -----
26
27
    // A small NERV SoC
28
29
    interface NervSoC_IFC;
       // This sets the name of the result
30
      method Bit #(8) gpio;
31
       // TX -> a byte to be send
      method ActionValue#(Bit #(8)) get_uart_tx_byte;
33
      // RX -> a byte to be received
      method Action set_uart_rx_byte(Bit #(8) rx);
       // I2C methods
36
37
38
39
       method ActionValue #(I2CRequest) i2c_get_request;
       method Action i2c_give_response(I2CResponse r);
    endinterface
40
    typedef enum { REQ_I, PUSH_I, REQ_D, PUSH_D, STOP } State deriving(Bits,Eq);
    (* synthesize *)
```

```
module mkNervSoC (NervSoC_IFC);
        * Instantiate interfaces
        Nerv_IFC nerv <- mkNerv;</pre>
        Instrumentation_IFC instr_hand <- mkInstrumentationHandwritten();</pre>
        Instrumentation_IFC instr_gen <- mkInstrumentationGenerated();</pre>
       Actuation_IFC actuation_gen <- mkActuationGenerated();</pre>
        // For debugging only
       Bool show_exec_trace = False;
       Bool show_load_store = False;
        60
        * IO memory map
 61
        62
 63
       Bit #(32) gpio_addr = 32'h 0100_0000;
64
65
       Bit #(32) uart_reg_addr_tx = 32'h 0200_0000;
       Bit #(32) uart_reg_addr_rx = 32'h 0200_0004;
 66
 67
       Bit #(32) uart_reg_addr_dr = 32'h 0200_0008;
68
69
       Bit #(32) i2c_reg_addr_base = 32'h 0300_0000;
       Bit #(32) i2c_reg_addr_data = 32'h 0300_0004; // I2C fifo has up to 16 bytes (4 registers)
 70
 71
       Bit #(32) i2c_reg_addr_stat = 32'h 0300_0008; // I2C status reg (transaction complete 1bit

→ , transaction error 1bit, error type 2bits)

 72
 73
       Bit #(32) clock_reg_adrr_lower = 32'h 0400_0000; // System ticks
 74
75
       Bit #(32) clock_reg_adrr_upper = 32'h 0400_0004;
 76
       Bit #(32) instr_reg_addr_hand_base = 32'h 0500_0000; // Handwritten Instrumentation base
            \hookrightarrow register
 \gamma\gamma
       Bit #(32) instr_reg_addr_hand_instr_val_0 = 32'h 0500_0004;
 78
       Bit #(32) instr_reg_addr_hand_instr_val_1 = 32'h 0500_0008;
 79
       Bit #(32) instr_reg_addr_hand_instr_val_2 = 32'h 0500_000C;
 80
       Bit #(32) instr_reg_addr_hand_setpoint_val_0 = 32'h 0500_0010;
 81
       Bit #(32) instr_reg_addr_hand_setpoint_val_1 = 32'h 0500_0014;
 82
       Bit #(32) instr_reg_addr_hand_setpoint_val_2 = 32'h 0500_0018;
 83
       Bit #(32) instr_reg_addr_hand_res = 32'h 0500_001C;
84
85
       Bit #(32) instr_reg_addr_gen_base = 32'h 0500_0020; // Generated Instrumentation base
             → reaister
 86
       Bit #(32) instr_reg_addr_gen_instr_val_0 = 32'h 0500_0024;
87
       Bit #(32) instr_reg_addr_gen_instr_val_1 = 32'h 0500_0028;
 88
       Bit #(32) instr_reg_addr_gen_instr_val_2 = 32'h 0500_002C;
89
       Bit #(32) instr_reg_addr_gen_setpoint_val_0 = 32'h 0500_0030;
 90
       Bit #(32) instr_reg_addr_gen_setpoint_val_1 = 32'h 0500_0034;
91
       Bit #(32) instr_reg_addr_gen_setpoint_val_2 = 32'h 0500_0038;
 92
       Bit #(32) instr_reg_addr_gen_res = 32'h 0500_003C;
93
 94
       Bit #(32) actuation_reg_addr_gen_base = 32'h 0500_0040; // Generated Actuation base
             \hookrightarrow register
 95
       Bit #(32) actuation_reg_addr_gen_trip_0 = 32'h 0500_0044;
 96
       Bit #(32) actuation_reg_addr_gen_trip_1 = 32'h 0500_0048;
       Bit #(32) actuation_reg_addr_gen_trip_2 = 32'h 0500_004C;
97
98
       Bit #(32) actuation_reg_addr_gen_res = 32'h 0500_0050;
99
100
       Bit #(32) io_top_addr = 32'h 0500_0050;
101
102
103
        104
        * IO registers
```

```
105
        106
107
        Reg #(Bit #(32)) rg_gpio <- mkReg(0);
108
        Reg #(Bit #(8)) rg_uart_tx <- mkReg(0);</pre>
109
        Reg #(Bit #(8)) rg_uart_rx <- mkReg(0);</pre>
110
        Reg #(Bool) rg_uart_rx_data_ready <- mkReg(False);</pre>
        Reg #(Bool) rg_uart_tx_data_ready <- mkReg(False);</pre>
111
112
        Reg #(Bit #(8)) rg_i2c_addr <- mkReg(0);</pre>
113
        Reg #(Bit #(32)) rg_i2c_data <- mkReg(0);</pre>
114
115
        Reg #(Bit #(32)) rg_i2c_status <- mkReg(0);</pre>
        Reg #(Bool) rg_i2c_transaction_ready <- mkReg(False);</pre>
        Reg #(Bit #(32)) rg_i2c_transaction_complete <- mkReg(0);</pre>
116
        Vector#(3, Reg#(Bit #(32))) instr_hand_vals <- replicateM( mkReg(0) );
117
118
        Vector#(3, Reg#(Bit #(32))) instr_hand_setpoints <- replicateM( mkReg(0) );</pre>
119
        Vector#(3, Reg#(Bit #(32))) instr_gen_vals <- replicateM( mkReg(0) );</pre>
120
        121
        Vector#(3, Reg#(Bit #(32))) actuation_trips <- replicateM( mkReg(0) );</pre>
122
        Reg #(Bit #(32)) rg_actuation_res <- mkReg(0);</pre>
123
        Reg #(Bit #(32)) rg_instr_hand_res <- mkReg(0);</pre>
\frac{124}{125}
        Reg #(Bit #(32)) rg_instr_gen_res <- mkReg(0);</pre>
126
        RWire#(Bit #(64)) rw_tick <- mkRWire();</pre>
        Reg#(Bit#(30)) rg_dmem_addr <- mkReg(0);
Reg#(Bit#(32)) rg_dmem_put_data <- mkReg(0);
127
128
129
130
131
        132
        * Memory Definition
133
        134
135
        // Memory size
136
        Integer imemory_size = 'h07000;
137
        Integer dmemory_size = 'h07000;
138
139
        // Nerv has Harward architecture (separate data and instruction memory),
140
141
142
143
144
145
        /\!/ so in order to properly initialize global symbols, we need to load
        // the hex file into *both* memories.
        // NOTE: BRAM has size defined as 'reg [DATA_WIDTH-1:0] RAM[0:MEMSIZE-1];'
        // while RegFileLoad was 'reg [data_width - 1 : 0] arr[lo:hi];'
        // The size+1 is simply to make the current hex file fit.
        BRAM_PORT#(Bit#(30), Bit#(32)) dmem_bram <- mkBRAMCore1Load(dmemory_size+1, False,"
              → dmem_contents.memhex32", False);
146
        BRAM_PORT#(Bit#(30), Bit#(32)) imem_bram <- mkBRAMCore1Load(imemory_size+1, False,"

    imem_contents.memhex32", False);
147
148
149
150
        Reg #(Bit #(32)) rg_imem_addr <- mkReg (0);
        Reg #(Bit #(32)) rg_imem_data <- mkRegU;</pre>
        Reg #(Bit #(32)) rg_dmem_rdata <- mkRegU;</pre>
151
        Reg #(Bool) rg_update_dmem <- mkReg(False);</pre>
152
        Reg #(Bit #(64)) rg_tick <- mkReg (0);</pre>
153
        Reg#(State) state <- mkReg(REQ_I);</pre>
\begin{array}{c} 154 \\ 155 \end{array}
156
        157
        * Function definitions
158
        159
160
        function Bit #(8) strb2byte (Bit #(1) b) = signExtend (b);
161
162
        // GPIO update
163
        function ActionValue#(Bit#(32)) fn_gpio(Bit#(32) mask, Bit#(32) wdata)
164
           = actionvalue
165
             let gpio_val = ((rg_gpio & (~ mask)) | (wdata & mask));
166
             rg_gpio <= gpio_val;
167
             return gpio_val;
168
           endactionvalue;
```

```
169
170
171
172
173
174
175
         function ActionValue#(Bit#(32)) fn_uart(Bit#(32) addr, Bit#(32) wdata)
            = actionvalue
               case (addr)
  // Write a byte to serial port
                  uart_reg_addr_tx:
176
                     begin
177
                        rg_uart_tx <= wdata[7:0];
178
                        rg_uart_tx_data_ready <= True;
179
                        return signExtend(wdata[7:0]);
180
                     end
181
                  // Receive data from serial port
182
183
                  // Note: might be 0 or stale, check uart_reg_addr_dr first
                  uart_reg_addr_rx:
184
                     begin
185
                        rg_uart_rx_data_ready <= False;
186
                        return signExtend(rg_uart_rx);
187
                     end
188
                  uart_reg_addr_dr:
189
                     begin
190
                       if (rg_uart_rx_data_ready)
191
                          return 1;
192
                        else
193
                          return 0:
194
                     end
195
                  default:
196
                     return 'hFFFF;
197
               endcase
198
            endactionvalue;
199
200
201
         function ActionValue#(Bit#(32)) fn_i2c(Bit#(32) addr, Bit#(32) mask, Bit#(32) wdata)
202
            = actionvalue
203
               case (addr)
204
                  i2c_reg_addr_base:
205
                     begin
206
                        ^{\prime\prime} // Only 8 bytes for the address, the rest is ignored
207
                        rg_i2c_addr <= wdata[7:0];
208
                        rg_i2c_transaction_ready <= True;
209
                        return wdata;
210
211
                     end
                  i2c_reg_addr_data:
212
                     begin
213
                        if (mask == 0)
214
215
216
217
218
219
220
                        begin
                           // Read rg_i2c_data
                           return rg_i2c_data;
                        end
                        else
                        begin
                           // Write to rg_i2c_data
221
                          rg_i2c_data <= wdata;
222
                          return wdata;
223
                        end
224
225
                     end
                  i2c_reg_addr_stat:
226
                     begin
227
                        rg_i2c_transaction_complete <= 0;</pre>
228
                        return rg_i2c_transaction_complete;
229
                     \quad \text{end} \quad
230
               endcase
231
            endactionvalue;
232
233
234
         function Bit#(32) fn_clock(Bit#(32) addr);
```

```
235
             if (addr == clock_reg_adrr_lower)
236
               return rg_tick[31:0];
237
             else
238
               return rg_tick[63:32];
\tilde{2}39
          {\tt endfunction}
240
241
242
          // Instrumentation handwritten
          function ActionValue#(Bit#(32)) fn_instrumentation_handwritten(Bit#(32) addr, Bit#(32)
                → mask, Bit#(32) wdata)
243
244
245
246
247
248
249
250
          = actionvalue
            let val = 0;
             case (addr)
                instr_reg_addr_hand_base:
                   begin
                   //\ wdata[0]\ -\ fnc\ select\ (\ 0\ -\ is\_channel\_tripped\ |\ 1\ -\ generate\_sensor\_trips)
                   // wdata[2:1] - mode
                   // wdata[3] - sensor_tripped
251
                   // rg_instr_hand_res[2:0] - result
// rg_instr_hand_res[31] - fnc select ( 0 - is_channel_tripped | 1 -
252

→ generate_sensor_trips)

253
                   if (wdata[0] == 0)
254
255
                      begin
                         // is_channel_tripped
256
                         // method Bool is_channel_tripped (Bit #(2) mode, Bool sensor_tripped);
257
                         let mode = wdata[2:1]:
258
                         let sensor_tripped = unpack(wdata[3]);
259
                         rg_instr_hand_res <= signExtend( pack(instr_hand.channel.is_channel_tripped(</pre>
                               → mode, sensor_tripped)) );
260
                      end
261
                   else
\tilde{2}\tilde{6}2
                      begin
263
                         // generate_sensor_trips
264
                         // NOTE: the values and setpoints are in reverse order.
265
                         Vector#(3, Bit#(32)) vals = newVector;
266
                         vals[2] = instr_hand_vals[0];
267
                         vals[1] = instr_hand_vals[1];
                        vals[0] = instr_hand_vals[2];
268
269
\tilde{270}
                         Vector#(3, Bit#(32)) setpoints = newVector;
271
                         setpoints[2] = instr_hand_setpoints[0];
272
                         setpoints[1] = instr_hand_setpoints[1];
273
274
                         setpoints[0] = instr_hand_setpoints[2];
275
276
                         let res = signExtend(pack(
                                    instr_hand.sensors.generate_sensor_trips(vals, setpoints)
277
                                 )):
278
                        res[31] = 1;
279
                        rg_instr_hand_res <= res;</pre>
280
                      end
281
                   end
282
                instr_reg_addr_hand_instr_val_0:
283
                   begin
284
285
                     instr_hand_vals[0] <= ((instr_hand_vals[0] & (~ mask)) | (wdata & mask));</pre>
286
                instr_reg_addr_hand_instr_val_1:
287
                   begin
288
                     instr_hand_vals[1] <= ((instr_hand_vals[1] & (~ mask)) | (wdata & mask));</pre>
289
                   end
\tilde{290}
                \verb|instr_reg_addr_hand_instr_val_2|:
291
                   begin
292
                     instr_hand_vals[2] <= ((instr_hand_vals[2] & (~ mask)) | (wdata & mask));</pre>
293
                   end
294
                instr_reg_addr_hand_setpoint_val_0:
295
                   begin
296
                     instr_hand_setpoints[0] <= ((instr_hand_setpoints[0] & (~ mask)) | (wdata &
                            \hookrightarrow mask));
```

```
297
                  end
298
               instr_reg_addr_hand_setpoint_val_1:
299
                  begin
300
                     instr_hand_setpoints[1] <= ((instr_hand_setpoints[1] & (~ mask)) | (wdata &</pre>
                            \hookrightarrow mask));
301
                  end
302
303
               instr_reg_addr_hand_setpoint_val_2:
                  begin
304
                     instr_hand_setpoints[2] <= ((instr_hand_setpoints[2] & (~ mask)) | (wdata &
305
306
               instr_reg_addr_hand_res:
307
                  begin
308
                     val = rg_instr_hand_res;
309
                  end
310
             endcase
311
             return val;
312
313
          endactionvalue;
314
          // Instrumentation generated
315
         function ActionValue#(Bit#(32)) fn_instrumentation_generated(Bit#(32) addr, Bit#(32) mask,
316
          = actionvalue
317
            let val = 0;
318
             case (addr)
319
               instr_reg_addr_gen_base:
320
                  begin
321
                   // wdata[0] - fnc select ( 0 - is_channel_tripped | 1 - generate_sensor_trips)
322
                   // wdata[2:1] - mode
323
324
                   // wdata[3] - sensor_tripped
                  // rg_instr_gen_res[2:0] - result
// rg_instr_gen_res[31] - fnc select ( 0 - is_channel_tripped | 1 -
325

→ generate_sensor_trips)

326
                   if (wdata[0] == 0)
327
                     begin
328
                      // is_channel_tripped
329
                     // method Bool is_channel_tripped (Bit #(2) mode, Bool sensor_tripped);
330
                     let mode = wdata[2:1];
331
                     let sensor_tripped = unpack(wdata[3]);
332
333
                     rg_instr_gen_res <= zeroExtend(pack(</pre>
                                          instr_gen.channel.is_channel_tripped(mode, sensor_tripped)
334
                                          ));
335
                     end
336
                  else
337
                     begin
338
                        // generate_sensor_trips
339
340
341
342
344
345
347
349
                        // NOTE: the values and setpoints are in reverse order.
                        Vector#(3, Bit#(32)) vals = newVector;
                        vals[2] = instr_gen_vals[0];
vals[1] = instr_gen_vals[1];
                        vals[0] = instr_gen_vals[2];
                        Vector#(3, Bit#(32)) setpoints = newVector;
                        setpoints[2] = instr_gen_setpoints[0];
                        setpoints[1] = instr_gen_setpoints[1];
                        setpoints[0] = instr_gen_setpoints[2];
                        let res = zeroExtend(pack(
350
                                    instr_gen.sensors.generate_sensor_trips(vals, setpoints)
351
                                 ));
352
353
354
                        res[31] = 1;
                        rg_instr_gen_res <= res;</pre>
                     end
355
                  end
356
               instr_reg_addr_gen_instr_val_0:
357
                  begin
                     instr_gen_vals[0] <= ((instr_gen_vals[0] & (~ mask)) | (wdata & mask));</pre>
```

```
359
                  end
360
               instr_reg_addr_gen_instr_val_1:
361
                  begin
362
                     instr_gen_vals[1] <= ((instr_gen_vals[1] & (~ mask)) | (wdata & mask));</pre>
363
364
                  end
               instr_reg_addr_gen_instr_val_2:
365
366
                     instr_gen_vals[2] <= ((instr_gen_vals[2] & (~ mask)) | (wdata & mask));</pre>
367
368
               instr_reg_addr_gen_setpoint_val_0:
369
370
                     instr_gen_setpoints[0] <= ((instr_gen_setpoints[0] & (~ mask)) | (wdata & mask)
                            → ):
371
                  end
372
               \verb|instr_reg_addr_gen_setpoint_val_1|:
373
374
                  begin
                     instr_gen_setpoints[1] <= ((instr_gen_setpoints[1] & (~ mask)) | (wdata & mask)
                            → );
375
                  end
376
               instr_reg_addr_gen_setpoint_val_2:
377
                  begin
378
                     instr_gen_setpoints[2] <= ((instr_gen_setpoints[2] & (~ mask)) | (wdata & mask)
379
                  end
380
               instr_reg_addr_gen_res:
381
                  begin
382
                     val = rg_instr_gen_res;
383
                  end
384
            endcase
385
            return val;
386
         endactionvalue;
387
388
         // Actuation Generated
389
         function ActionValue#(Bit#(32)) fn_actuation(Bit#(32) addr, Bit#(32) mask, Bit#(32) wdata)
390
            = actionvalue
391
            let val = 0;
392
            case (addr)
393
               \verb|actuation_reg_addr_gen_base|:
394
395
                  {\tt begin}
                     // base - trigger the actuation
396
                     Bool old = unpack(wdata[0]);
397
                     Vector#(3, Bit#(32)) trips = newVector;
398
                     trips[0] = actuation_trips[0];
399
                     trips[1] = actuation_trips[1];
400
                     trips[2] = actuation_trips[2];
401
402
403
404
405
406
                     // wdata[0] - value of 'old' argument
                     // wdata[1] - which actuator to actuate
                     if (wdata[1] == 0)
                        begin
                           rg_actuation_res <= zeroExtend( pack(actuation_gen.d0.actuate_d0(trips,
                                 → old)) );
407
408
409
410
411
                     else
                        begin
                           // Actuate D1
                           rg_actuation_res <= zeroExtend( pack(actuation_gen.d1.actuate_d1(trips,</pre>
                                 → old)) );
412
413
414
415
416
                  end
               \verb|actuation_reg_addr_gen_trip_0|:
                     // Set value for trip value 0
                     actuation_trips[0] <= ((actuation_trips[0] & (~ mask)) | (wdata & mask));</pre>
417
418
               actuation_reg_addr_gen_trip_1:
```

```
begin
                   // Set value for trip value 1
                   actuation_trips[1] <= ((actuation_trips[1] & (~ mask)) | (wdata & mask));</pre>
                end
             actuation_reg_addr_gen_trip_2:
                {\tt begin}
                   // Set value for trip value 2
                   actuation_trips[2] <= ((actuation_trips[2] & (~ mask)) | (wdata & mask));</pre>
             actuation_reg_addr_gen_res:
                begin
                  // Get actuation results
                  val = rg_actuation_res;
                end
           endcase
           return val;
           endactionvalue;
        * State machine
        // default state: request a new instruction from m_imem_addr
        rule stateReqI (state == REQ_I);
           imem_bram.put(False, nerv.m_imem_addr [31:2], 0);
           \verb"nerv.m_stall" (True); // \textit{stall CPU until the fetch is done}
           rg_tick <= rg_tick + 1;
           nerv.m_dmem_rdata (rg_dmem_rdata);
           state <= PUSH_I;</pre>
        endrule
        // push the new instruction from the memory to the CPU
        rule statePushI (state == PUSH_I);
           nerv.m imem data (imem bram.read()):
           if (nerv.m_dmem_valid)
             state <= REO D:
           else
             state <= STOP;
        endrule
        // request data from a new data memory address
        rule stateReqD (state == REQ_D);
           dmem_bram.put(False, nerv.m_dmem_addr [31:2], 0);
           state <= PUSH_D;
        endrule
        // push new data into the CPU
        rule statePushD (state == PUSH_D);
           let d_addr = nerv.m_dmem_addr;
           let mem_data = dmem_bram.read();
           let dmw = nerv.m_get_dmem;
           let wstrb = dmw.wstrb;
           let wdata = dmw.wdata;
           let mask = {strb2byte (wstrb [3]),
               strb2byte (wstrb [2]),
               strb2byte (wstrb [1]),
               strb2byte (wstrb [0])};
           let put_data = ((mem_data & (~ mask)) | (wdata & mask));
           if (show_load_store)
             $display ("DMem addr 0x%0h wstrb 0x%0h wdata 0x%0h mask 0x%0h put_data 0x%0h" ,

→ d_addr[31:2], wstrb, wdata, mask, put_data);

           // a priority encoder that takes the first arm whose condition is true.
           case (True)
```

```
485
486
487
488
490
491
492
493
494
495
500
501
502
              // GPIO update
              (gpio_addr == d_addr):
                 put_data <- fn_gpio(mask, wdata);</pre>
              // UART
              (uart_reg_addr_tx <= d_addr && d_addr < i2c_reg_addr_base):</pre>
                 put_data <- fn_uart(d_addr, wdata);</pre>
              // I2C
              (i2c_reg_addr_base <= d_addr && d_addr < clock_reg_adrr_lower):</pre>
                put_data <- fn_i2c(d_addr, mask, wdata);</pre>
              (clock_reg_adrr_lower <= d_addr && d_addr < instr_reg_addr_hand_base):</pre>
                 put_data = fn_clock(d_addr);
              // Instrumentation handwritten
              (instr_reg_addr_hand_base <= d_addr && d_addr < instr_reg_addr_gen_base):</pre>
                 put_data <- fn_instrumentation_handwritten(d_addr, mask, wdata);</pre>
              // Instrumentation generated
              (instr_reg_addr_gen_base <= d_addr && d_addr < actuation_reg_addr_gen_base):</pre>
                 put_data <- fn_instrumentation_generated(d_addr, mask, wdata);</pre>
503
              // Actuation Generated
504
              (actuation_reg_addr_gen_base <= d_addr && d_addr <= io_top_addr):
505
                put_data <- fn_actuation(d_addr, mask, wdata);</pre>
506
              default:
507
508
                 // Regular memory read (no IO)
                 begin
509
510
511
512
513
514
515
516
517
                   dmem_bram.put(True, d_addr [31:2], put_data);
                 end
           endcase
            // RDATA are always updated
           rg_dmem_rdata <= put_data;
           state <= STOP;
         endrule
         rule stateStop (state == STOP);
518
519
520
521
522
523
524
525
           nerv.m_dmem_rdata (rg_dmem_rdata);
           nerv.m_stall (False); // un-stall the CPU
           state <= REQ_I;</pre>
         endrule
         * Terminate if trapped
526
527
         */
528
        rule trap;
529
530
531
532
533
           if (nerv.m_trap)
           begin
              $display ("Trapped");
              $finish(0);
           end
534
         endrule
535
536
537
539
541
542
545
547
549
550
         * SOC Interface
         // set GPIO
         method Bit #(8) gpio = rg_gpio[7:0];
         // TX -> a byte to be send
         method ActionValue#(Bit #(8)) get_uart_tx_byte () if (rg_uart_tx_data_ready);
           begin
              rg_uart_tx_data_ready <= False;
              return rg_uart_tx;
           end
         endmethod
```

```
551
552
553
554
555
556
557
558
559
560
           // Rx -> a byte to be received
           method Action set_uart_rx_byte(Bit #(8) rx);
              begin
                 rg_uart_rx_data_ready <= True;
                 rg_uart_rx <= rx;
              \quad \text{end} \quad
           endmethod
           // I2C methods
561
           method ActionValue #(I2CRequest) i2c_get_request () if (rg_i2c_transaction_ready);
562
              begin
563
                 let r = I2CRequest {
564
565
                       write: unpack(rg_i2c_addr[0]),
                       address: rg_i2c_addr[7:0], // Unclear what this is for
566
567
                       slaveaddr: rg_i2c_addr[7:1],
                       data: rg_i2c_data[7:0]
568
                    };
569
570
571
572
573
574
575
576
577
578
580
581
582
583
                 rg_i2c_transaction_ready <= False;</pre>
                 return r;
              end
           endmethod
           method Action i2c_give_response(I2CResponse r);
              begin
                 rg_i2c_data <= signExtend(r.data);</pre>
                 rg_i2c_transaction_complete <= 1;</pre>
              end
           endmethod
        endmodule
584
        endpackage
```

Listing E.29: Listing Verilog Model of Actuation.

```
package Actuation;
 234567
     import Vector :: *;
     // Actuation interface
     interface Actuation_IFC;
        interface ActuationD0_IFC d0;
         interface ActuationD1_IFC d1;
     endinterface
10
11
     interface ActuationD0_IFC;
12
13
14
15
16
17
         (* always_ready *)
         method Bool actuate_d0 (Vector#(3, Bit#(32)) trips,
                                Bool old);
     endinterface
     interface ActuationD1_IFC;
18
         (* always_ready *)
19
         method Bool actuate_d1 (Vector#(3, Bit#(32)) trips,
20
21
                                Bool old);
     endinterface
     endpackage
```

Listing E.30: Listing Verilog Model of Instrumentation\_Generated\_BVI.

```
1 package Instrumentation_Generated_BVI;
```

```
23456789
     import Clocks :: *;
     import Instrumentation::*;
      (* synthesize *)
     module mkInstrumentationGenerated(Instrumentation_IFC);
         ChannelTripped_IFC i_channel <- mkInstrGeneratedIsChannelTripped();</pre>
         SensorTrips_IFC i_sensors <- mkInstrGeneratedGenerateSensorTrips();</pre>
         interface ChannelTripped_IFC channel;
             method is_channel_tripped = i_channel.is_channel_tripped();
13
14
15
16
17
18
19
         endinterface
         interface SensorTrips_IFC sensors;
             method generate_sensor_trips = i_sensors.generate_sensor_trips();
         endinterface
     endmodule
     import "BVI" Is_Ch_Tripped_Generated =
20
21
22
23
24
25
26
27
28
29
31
32
35
36
37
     module mkInstrGeneratedIsChannelTripped (ChannelTripped_IFC);
         default_clock ();
         default_reset ();
         method out is_channel_tripped (mode, sensor_tripped);
         schedule (is_channel_tripped) CF (is_channel_tripped);
     import "BVI" Generate_Sensor_Trips_Generated =
     module mkInstrGeneratedGenerateSensorTrips (SensorTrips_IFC);
         default_clock ();
         default_reset ();
         method out generate_sensor_trips (vals, setpoints);
         schedule (generate_sensor_trips) CF (generate_sensor_trips);
     endmodule
     endpackage
```

# E.9 ACSL Model

# E.9.1 ACSL Model of the Actuation Unit

Listing E.31: Listing C Model of models.

```
#ifndef MODELS_ACSL_
 23456789
     #define MODELS ACSL
     #include <stdint.h>
     /* axiomatic Actuator {
        // Refines RTS::Actuator::ActuateActuator
        logic boolean ActuateActuator(uint8_t input) =
          ((input & Ox1) != 0) || ((input & Ox2) != 0);
        axiomatic ActuationUnit {
        // Refines RTS::ActuationUnit::Coincidence_2_4
        logic\ boolean\ Coincidence\_2\_4(uint8\_t\ *trips) =
16
17
          \let a = trips[0] != 0;
          \let b = trips[1] != 0;
18
          \let c = trips[2] != 0;
          \let d = trips[3] != 0;
```

```
20
           (aUUb) || ((a||b) UU (c||d)) || (cUUd);
21222267890123334567899012344567890123345678990123334556789012344567890123
         // Refines RTS::ActuationUnit::Actuate_D0
         logic\ boolean\ Actuate\_DO(uint8\_t\ *tripsT,\ uint8\_t\ *tripsP,\ uint8\_t\ *tripsS,\ boolean\ old) = 0
           {\it Coincidence\_2\_4(tripsT)~||~Coincidence\_2\_4(tripsP)~||~old;}
         // Refines RTS::ActuationUnit::Actuate_D1
         logic boolean Actuate_D1(uint8_t *tripsT, uint8_t *tripsP, uint8_t *tripsS, boolean old) =
           Coincidence_2_4(tripsS) || old;
         axiomatic Instrumentation {
         // Refines RTS::InstrumentationUnit::Trip
         logic\ boolean\ Trip(uint32\_t\ *vals,\ uint32\_t\ *setpoints,\ integer\ channel) =
           channel == 2 ? ((int)vals[channel] < (int)setpoints[channel])</pre>
                        : (setpoints[channel] < vals[channel]);
         // Refines RTS::InstrumentationUnit::Generate_Sensor_Trips
         logic integer Generate_Sensor_Trips(uint32_t *vals, uint32_t *setpoints) =
           \let t = Trip(vals, setpoints, T);
           \let p = Trip(vals, setpoints, P);
           \let s = Trip(vals, setpoints, S);
(t ? 1 : 0) + (p ? 2 : 0) + (s ? 4 : 0);
         // Refines RTS::InstrumentationUnit::Is_Ch_Tripped
         logic boolean Is_Ch_Tripped(integer mode, boolean tripped) =
           (mode == 2) || ((mode == 1) && tripped);
        */
      #endif
```

Listing E.32: Various common definitions.

```
#ifndef COMMON_H_
 2
    #define COMMON_H_
 34567
    #include <stdint.h>
    /\!/\ \textit{Constants derived from architecture and Cryptol model }/\!/
    // Instrumentation
11
    // Trip modes:
12
    #define NINSTR 4
13
14
15
16
    #define NMODES 3
    #define BYPASS 0
    #define OPERATE 1
    #define TRIP 2
17
18
    // Command Types
19
    #define SET_MODE 0
20
21
22
23
24
25
26
27
    #define SET_MAINTENANCE 1
    #define SET_SETPOINT 2
    //\ {\it Channel/Trip\ signal\ IDs}
    #define NTRIP 3
    #define T 0
    #define P 1
    #define S 2
28
29
    // Actuation
```

```
| #define NVOTE_LOGIC 2
     #define NDEV 2
32
33
34
35
36
37
     // Core
     // Command Types
     #define INSTRUMENTATION_COMMAND O
     #define ACTUATION_COMMAND 1
38
39
     #define BIT(_test, _value) ((_test) ? (0x8 | (_value)) : _value)
     #define VALID(_value) (!(0x8 & (_value)))
#define VAL(_value) (0x1 & value)
     #define NLINES 21
    #define LINELENGTH 64
     // RTS Command Definitions //
     // Instrumentation
     struct set_mode {
     uint8_t channel;
      uint8_t mode_val;
    struct set_maintenance {
     uint8_t on;
    struct set_setpoint {
      uint8_t channel;
58
     uint32_t val;
59
    struct instrumentation_command {
61
     uint8_t type;
62
     uint8_t valid;
63
     union {
64
65
       struct set mode mode:
        struct set_maintenance maintenance;
66
       struct set_setpoint setpoint;
67
     } cmd;
68
    };
69
70
71
72
73
74
75
     // Actuation
     struct actuation_command {
        uint8_t device;
        uint8_t on;
76
     // Root command structure
    struct rts_command {
78
79
     uint8_t type;
      uint8_t instrumentation_division;
80
81
       struct instrumentation_command instrumentation;
        struct actuation_command act;
     } cmd;
    };
    // Redefine variable bit-width types:
     #define _ExtInt_1 char
    #define _ExtInt_2 char
     #define _ExtInt_3 char
90
     #define _ExtInt_4 char
     #define _ExtInt_6 char
92
     #define _ExtInt_8 char
     #define _ExtInt_32 int
     #define _ExtInt(w) _ExtInt_##w
```

```
96 // Generate names for implementation variants
97 #define VARIANT(source,lang,f) VARIANT_IMPL(source,lang,f)
98 #define VARIANT_IMPL(source,lang,f) f ## _ ## source ## _ ## lang
99 #define VARIANT_IMPL2(source,lang,f) source ## lang ## f
100
101 #endif // COMMON_H_
```

Listing E.33: Various core definitions.

```
#ifndef CORE_H_
 23456789
     #define CORE_H_
     #include "common.h"
     #ifndef SELF_TEST_PERIOD_SEC
     #define SELF_TEST_PERIOD_SEC 20
     #endif
10
11
     #define NDIVISIONS 4
12
13
     #ifndef T_THRESHOLD // degrees F
     #define T_THRESHOLD 3
14
15
16
     #ifndef P_THRESHOLD // 10^-5 lb/in^2
     #define P_THRESHOLD 100
18
     #endif
19
20
21
22
23
24
25
26
27
28
29
     struct ui_values {
      uint32_t values[NDIVISIONS][NTRIP];
      uint8_t bypass[NDIVISIONS][NTRIP];
      uint8_t trip[NDIVISIONS][NTRIP];
       uint8_t maintenance[NDIVISIONS];
      char display[NLINES][LINELENGTH+1];
      uint8_t actuators[2][NDEV];
     };
struct test_state {
      uint32_t test;
      uint32_t test_timer_start;
       uint8_t self_test_running;
       uint8_t self_test_expect;
       uint8_t failed;
       uint8_t test_device_result[2];
       uint8_t test_instrumentation[2];
       uint8_t test_actuation_unit;
       uint8_t test_device;
       uint8_t test_instrumentation_done[4];
       uint8_t test_actuation_unit_done[2];
       uint8_t test_device_done[2];
       uint32_t test_setpoints[4][3];
      uint32_t test_inputs[4][2];
      uint8_t actuation_old_vote;
     struct core_state {
      struct ui_values ui;
       struct test_state test;
56
       uint8_t error;
```

### Listing E.34: The actuate interface.

```
#ifndef ACTUATE_H_
 2345
     #define ACTUATE H
     #include <stdint.h>
     #include "models.acsl"
 _{\gamma}^{6}
     // Combine the votes from both actuate logic components
     // and tell the hardware device to actuate (or unactuate)
     int actuate_devices(void);
10
11
     // Return whether or not a device with the provided votes should be actuated
     // Bit i = vote by logic unit i
13
     // This function is generated directly from the Cryptol model
14
15
     /*@ assigns \nothing;
      @ ensures \result == 0 // \result == 1;
16
17
       @ ensures \result == 1 <==> ((vs & 0x01) // (vs & 0x02));
       @ ensures ActuateActuator(vs) <==> \result == 1;
18
19
     uint8_t ActuateActuator(uint8_t vs);
20
21
     int actuate_devices_generated_C(void);
22
23
     #endif // ACTUATE_H_
```

# Listing E.35: Interface of the actuation logic.

```
#ifndef ACTUATION H
 23
     #define ACTUATION_H_
 45
     #include "stdint.h"
     #include "common.h"
     #include "instrumentation.h"
     #include "core.h"
     #include "models.acsl"
10
     /*@requires \valid(&trips[0.. NINSTR -1]);
11
12
       @assigns \nothing;
       @ensures (\result != 0) <==> Coincidence_2_4(trips);
13
14
15
     uint8_t Coincidence_2_4(uint8_t trips[4]);
16
     /*@requires \valid(@trips[0.. NTRIP - 1][0.. NINSTR - 1]);
17
      @requires \valid(trips + (0.. NTRIP-1));
18
       @assigns \nothing;
19
      @ensures (\result != 0) <==> Actuate_DO(&trips[T][0], &trips[P][0], &trips[S][0], old != 0);
20
21
22
23
24
25
     uint8_t Actuate_D0(uint8_t trips[3][4], uint8_t old);
     /*@requires \valid(&trips[0.. NTRIP-1][0.. NINSTR-1]);
       @requires \valid(trips + (0.. NTRIP-1));
       @assigns \nothing;
26
       @ensures (\result != 0) <==> Actuate_D1(&trips[T][0], &trips[P][0], &trips[S][0], old != 0);
27
```

```
uint8_t Actuate_D1(uint8_t trips[3][4], uint8_t old);
30
31
32
33
34
35
36
37
     struct actuation_logic {
         uint8_t vote_actuate[NDEV];
         uint8_t manual_actuate[NDEV];
     extern struct actuation_logic actuation_logic[2];
      /* The main logic of the actuation unit */
38
39
41
42
44
45
47
48
      /*@requires \valid(state);
       @requires logic_no <= 1;</pre>
        @assigns state->manual_actuate[0.. NDEV-1];
       @assigns state->vote_actuate[0.. NDEV-1];
       @assigns core.test.actuation_old_vote;
       {\tt Qassigns\ core.test.test\_actuation\_unit\_done[logic\_no];}
      int actuation_unit_step(uint8_t logic_no, struct actuation_logic *state);
      #endif // ACTUATION_H_
```

## Listing E.36: Instrumentation definitions.

```
#ifndef INSTRUMENTATION_H_
 234567
     #define INSTRUMENTATION_H_
     #include "common.h"
     #include "core.h"
     #include "models.acsl"
 8
     #define ShouldTrip(_vals, _setpoints, _ch) \
       ((_ch == T && _vals[T] > _setpoints[T]) \
10
        || (_ch == P && _vals[P] > _setpoints[P]) \
11
        || (_ch == S && (int)_vals[S] < (int)_setpoints[S]))
12
13
     /*@ assians \nothina: */
14
15
     uint32_t Saturation(uint32_t x, uint32_t y);
16
17
     /*@requires \valid(vals + (0.. NTRIP-1));
       @requires \valid(setpoints + (0.. NTRIP-1));
18
       @assigns \nothing;
19
       @ensures \result == (uint8_t)Generate_Sensor_Trips(vals, setpoints);
20
21
22
23
24
25
26
27
28
29
31
     uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3]);
     /*@requires \valid(vals + (0.. NTRIP-1));
       @requires \valid(setpoints + (0.. NTRIP-1));
       @requires ch < NTRIP:
       @assigns \nothing;
       @ensures \result == 0 // \result == 1;
      \textit{Qensures (\result == 1) <==> Trip(vals, setpoints, ch);}
     uint8_t Trip(uint32_t vals[3], uint32_t setpoints[3], uint8_t ch);
     /*@requires mode < NMODES;</pre>
33
       @requires trip <= 1;
34
35
       @assigns \nothing;
      @ensures (\result != 0) <==> Is_Ch_Tripped(mode, trip != 0);
36
37
38
39
     uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip);
     struct instrumentation_state {
40
       uint32_t reading[NTRIP];
       uint32_t test_reading[NTRIP];
       uint32_t setpoints[NTRIP];
```

```
uint8_t sensor_trip[NTRIP];
       uint8 t mode[NTRIP]:
       uint8_t maintenance;
       uint8_t test_complete;
      void instrumentation_init(struct instrumentation_state *state);
      /*@requires \valid(state);
       @requires \valid(state->reading + (0.. NTRIP-1));
        @requires \valid(state->test_reading + (0.. NTRIP-1));
       @requires \valid(state->setpoints + (0.. NTRIP-1));
       @requires \valid(state->sensor_trip + (0.. NTRIP-1));
       @requires state->mode[T] \in {BYPASS, OPERATE, TRIP};
@requires state->mode[P] \in {BYPASS, OPERATE, TRIP};
58
59
        @requires state->mode[S] \in {BYPASS, OPERATE, TRIP};
        @requires div < NTRIP;
60
        @assigns state->reading[0.. NTRIP-1];
61
        @assigns state->test_reading[0.. NTRIP-1];
       @assigns state->setpoints[0.. NTRIP-1];
63
       @assigns state->sensor_trip[0.. NTRIP-1];
64
65
       @assigns state->maintenance;
       @assigns state->mode[0.. NTRIP-1];
66
       @assigns core.test.test_instrumentation_done[div];
       @ensures state->mode[T] \in {BYPASS, OPERATE, TRIP};
@ensures state->mode[P] \in {BYPASS, OPERATE, TRIP};
67
68
69
       @ensures state->mode[S] \in {BYPASS, OPERATE, TRIP};
70
71
     int instrumentation_step(uint8_t div, struct instrumentation_state *state);
72
     #endif // INSTRUMENTATION_H_
```

Listing E.37: Listing Interface Model of platform.

```
#ifndef PLATFORM_H_
 2
     #define PLATFORM_H_
     #include <stdint.h>
 345
     #include "common.h'
 6
7
     #include "core.h"
     #include "instrumentation.h"
     #include "actuation_logic.h"
10
     // channel -> sensor # -> val
11
     extern uint32_t sensors[2][2];
12
     // channel -> sensor # -> demux output # -> val
13
     extern uint32_t sensors_demux[2][2][2];
14
15
     extern uint8_t trip_signals[NTRIP][4];
16
     {\tt extern \ struct \ instrumentation\_command \ inst\_command\_buf[4];}
17
18
     extern uint8_t actuator_state[NDEV];
19
     extern uint8_t device_actuation_logic[2][NDEV];
20
21
     extern struct actuation_command *act_command_buf[2];
22
     //EI mode:
23
     // mode = 0 => no error
     // mode = 1 => error
     // mode = 2 => nondet error
     extern uint8_t error_instrumentation_mode[NINSTR];
     extern uint8_t error_instrumentation[NINSTR];
     // ES ch mode:
     // mode = 0 => no error
30
     // mode = 1 => demux error (out 0)
     // mode = 2 => demux error (out 1)
     // mode = 3 => sensor error (error in both demux outs)
```

```
| // mode = 4 => nondet sensor error
     // mode = 5 => nondet demux error
     extern uint8_t error_sensor_mode[2][2];
36
37
38
39
     extern uint8_t error_sensor[2][2];
     extern uint8_t error_sensor_demux[2][2][2];
     #ifdef DEBUG
#define DEBUG_PRINTF(X) printf X
     #define DEBUG_PRINTF(X)
     #endif
     #ifdef PLATFORM_HOST
     #include <assert.h>
     #define ASSERT(x) assert(x)
     #else
     #define ASSERT(x)
     #endif // PLATFORM_HOST
     #if defined(PLATFORM_HOST) && defined(USE_PTHREADS)
     #include <pthread.h>
     extern pthread_mutex_t display_mutex;
     extern pthread_mutex_t mem_mutex;
#define MUTEX_LOCK(x) pthread_mutex_lock(x)
     \hbox{\tt\#define MUTEX\_UNLOCK(x)} \ \ pthread\_mutex\_unlock(x)
     #else
     #define MUTEX_LOCK(x)
60
     #define MUTEX_UNLOCK(x)
61
     #endif // defined(PLATFORM_HOST) & defined(USE_PTHREADS)
62
     64
65
     66
67
     /*@requires \valid(val);
68
      @requires div < NINSTR;
69
      @requires channel < NTRIP;
70
71
      Qassigns *val;
      @ensures -1 <= \result <= 0;</pre>
72
73
      @ensures \result == 0 ==> *val <= 0x80000000;
     int read_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val);
     int get_instrumentation_value(uint8_t division, uint8_t ch, uint32_t *value);
     int get_instrumentation_trip(uint8_t division, uint8_t ch, uint8_t *value);
int get_instrumentation_mode(uint8_t division, uint8_t ch, uint8_t *value);
78
79
     int get_instrumentation_maintenance(uint8_t division, uint8_t *value);
80
81
     // Reading actuation signals
82
     /*@ requires i <= 1;
      @ requires device < NDEV;
84
      @ requires \valid(value);
      @ assigns *value;
86
      @ ensures (\result == 0) ==> (*value == 0 || *value == 1);
87
      @ ensures (\result != 0) ==> (*value == \old(*value));
88
89
     int get_actuation_state(uint8_t i, uint8_t device, uint8_t *value);
90
91
92
93
     /*@requires \valid(&arr[0.. NTRIP-1][0.. NINSTR-1]);
      @assigns *(arr[0.. NTRIP-1]+(0.. NINSTR-1));
94
95
     int read_instrumentation_trip_signals(uint8_t arr[3][4]);
```

```
99
100
      int reset_actuation_logic(uint8_t logic_no, uint8_t device_no, uint8_t reset_val);
101
102
      /*@requires logic_no < NVOTE_LOGIC;</pre>
103
104
        {\it @requires~device\_no~<~NDEV;}
        Cassigns \nothing; // Not entirely true, but we'll never mention that state
105
       @ensures -1 <= \result <= 0;
106
107
      int set_output_actuation_logic(uint8_t logic_no, uint8_t device_no, uint8_t on);
108
109
      /*@requires division < NINSTR;</pre>
110
        @requires channel < NTRIP;
111
        {\tt Qassigns \ } \verb| nothing; // \ \verb| Not entirely true, but we'll never mention that state \\
112
113
      int set_output_instrumentation_trip(uint8_t division, uint8_t channel, uint8_t val);
114
115
      /*@ requires device_no <= 1;</pre>
116
       @ assigns \nothing;
117
118
      int set_actuate_device(uint8_t device_no, uint8_t on);
119
120
      // Sending commands between components //
121
122
123
      /**
124
125
      * Read RTS command from the user
       * Platform specific
126
127
      int read_rts_command(struct rts_command *cmd);
128
129
      /* Communicate with instrumentation division */
130
131
      /*@requires division < NINSTR;
132
       @requires \valid(cmd);
133
       @assigns cmd->type, cmd->cmd;
134
135
       @ensures -1 <= \result <= 1;
136
      int read_instrumentation_command(uint8_t division, struct instrumentation_command *cmd);
137
138
      /*@requires division < NINSTR;
139
       @requires \valid(cmd);
140
141
142
143
144
145
146
        Cassigns \nothing; // not entirely true, but we'll never mention that state
        @ensures -1 <= \result <= 0;
      int send_instrumentation_command(uint8_t division, struct instrumentation_command *cmd);
      * Read external command, setting *cmd. Does not block.
147
148
       * Platform specific
149
150
      /*@requires \valid(cmd);
       @assigns cmd->on;
151
       @assigns cmd->device;
152
       @ensures -1 <= \result <= 1;</pre>
153
154
155
      int read actuation command(uint8 t id. struct actuation command *cmd):
156
157
       * Physically set actuator to a new value
158
       * Platform specific
159
160
      int send_actuation_command(uint8_t actuator,
161
                              struct actuation_command *cmd);
162
163
```

```
165
     | // Self Test state //
166
      167
168
      /*@ assigns \nothing; */
169
170
      uint8_t is_test_running(void);
171
      /*@ assigns \nothing; */
172
      void set_test_running(int val);
173
174
175
      /*@ assigns \nothing;
       @ ensures \result < NDEV;
176
177
      uint8_t get_test_device(void);
178
179
      /*@ requires \valid(id) & \valid(&id[1]);
180
       @ assigns id[0], id[1];
@ ensures id[0] < NINSTR;
181
182
       @ ensures id[1] < NINSTR;</pre>
183
184
185
      void get_test_instrumentation(uint8_t *id);
186
      /*@ requires \valid(setpoints + (0.. NTRIP-1));
187
       @ requires id < NINSTR;
188
       @ assigns setpoints[0.. NTRIP-1];
189
       @ ensures -1 <= \result <= 0;
190
191
      int get_instrumentation_test_setpoints(uint8_t id, uint32_t *setpoints);
192
193
      /*@ requires div < NINSTR;</pre>
194
195
       @ assigns core.test.test_instrumentation_done[div];
        @ ensures core.test.test_instrumentation_done[div] == v;
196
197
      void set_instrumentation_test_complete(uint8_t div, int v);
198
199
      /*@ requires id < NINSTR;</pre>
200
       @ assigns \setminus nothing;
201
202
      int is_instrumentation_test_complete(uint8_t id);
203
204
205
      /*@ requires div < NINSTR;</pre>
       @ requires channel < NTRIP;
206
       @ requires \valid(val);
207
       @ assigns *val;
208
       @ ensures -1 <= \result <= 0;
209
210
      int read_test_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val);
211
\tilde{2}12
      /*@ assigns \nothing;
213
       @ ensures \result < NVOTE_LOGIC;</pre>
214
215
      uint8_t get_test_actuation_unit(void);
216
217
      // NOTE: this is actually never used (only in 'bottom.c')
218
      int is_actuation_unit_under_test(uint8_t id);
219
220
      /*@ requires div < NVOTE LOGIC:
221
       @ assigns core.test.test_actuation_unit_done[div];
222
       @ ensures core.test.test_actuation_unit_done[div] == v;
223
224
225
      void set_actuation_unit_test_complete(uint8_t div, int v);
226
      /*@ requires id < NVOTE_LOGIC;</pre>
227
       @ assigns core.test.actuation_old_vote;
228
       @ ensures core.test.actuation_old_vote == v;
229
230
     void set_actuation_unit_test_input_vote(uint8_t id, int v);
```

```
231
232
      /*@ requires id < NVOTE_LOGIC;</pre>
233
       @ assigns \nothing;
234
235
236
237
238
239
240
241
242
243
244
245
247
248
251
251
252
      int is_actuation_unit_test_complete(uint8_t id);
      /*@ requires dev < NDEV;
       @ assigns core.test.test_device_result[dev];
        @ ensures core.test.test_device_result[dev] == result;
      void set_actuate_test_result(uint8_t dev, uint8_t result);
      /*@ requires dev < NDEV;</pre>
       @ assigns core.test.test_device_done[dev];
       @ ensures core.test.test_device_done[dev] == v;
      void set_actuate_test_complete(uint8_t dev, int v);
      /*@ requires dev < NDEV;
       @ assigns \nothing;
      int is_actuate_test_complete(uint8_t dev);
253
254
255
      // General Utilities //
256
257
258
259
      * Return uptime in seconds
260
       * Platform specific
261
262
      uint32_t time_in_s(void);
263
264
265
       * Update user display
266
       * Platform specific
267
268
      void update_display(void);
269
270
271
272
273
       * Poll sensors for new values
       * Platform specific
274
275
      void update_sensors(void);
      #endif // PLATFORM_H_
```

Listing E.38: Listing Interface of RTS.

```
#ifndef RTS_H_

#ifndef RTS_H_

#include <stdint.h>

#include "instrumentation.h"

#include "actuation_logic.h"

#include "actuate.h"

#include "actuation_logic.h"

#include "actuation_logic.h"
```

Listing E.39: Listing Interface Model of sense\_actuate.

```
1 #ifndef SENSE_ACTUATE_H_
```

```
| #define SENSE_ACTUATE_H_
     #include "common.h"
#include "instrumentation.h"
#include "actuation_logic.h"
      /*\ Initialize\ state\ for\ core\ `core\_id'.
      * requires instrumentation is an array of NINSTRUMENTATION/NCORE_ID instrumentation structs
      * requires actuation_logic is an array of NACTUATION_LOGIC/NCORE_ID actuation_logic structs
       * returns < 0 on error
13
14
15
16
17
      int sense_actuate_init(int core_id,
                              {\tt struct\ instrumentation\_state\ *instrumentation},
                              struct actuation_logic *actuation);
      /* Advance state for core 'core_id'.
18
       *\ requires\ instrumentation\ is\ an\ array\ of\ {\it NINSTRUMENTATION/NCORE\_ID}\ instrumentation\ structs
19
       * requires actuation_logic is an array of NACTUATION_LOGIC/NCORE_ID actuation_logic structs
20
21
22
23
24
25
26
27
      * returns < 0 on error
      int \ sense\_actuate\_step\_0 (struct \ instrumentation\_state \ *instrumentation,
                                struct actuation_logic *actuation);
      \verb|int sense_actuate_step_1| (\verb|struct instrumentation_state *| instrumentation|) \\
                                struct actuation_logic *actuation);
      #endif // SENSE_ACTUATE_H_
```

## Appendix F

## Software Implementation

Listing F.1: C implementation of rv32\_main.

```
* Main program entry for RTS
     // System includes
     #include <stdint.h>
     #include <stdlib.h>
     #include <string.h>
     // Board includes
     #include "bsp.h"
10
11
12
13
14
15
16
     #include "printf.h"
     // RTS includes
     #include "common.h"
     #include "core.h"
     #include "instrumentation.h"
     #include "actuation_logic.h"
     #include "sense_actuate.h"
19
20
21
22
23
24
25
26
27
28
29
31
33
34
35
37
38
40
41
42
     #include "platform.h"
     #include "actuation_logic.h"
     extern struct instrumentation_state instrumentation[4];
     void update_display()
{
     #if CLEAR_SCREEN
      // This starts printing from the top of the screen
      printf("\e[s\e[1;1H");//\e[2J");
     #endif
      for (int line = 0; line < NLINES; ++line) {</pre>
     #if CLEAR_SCREEN
        printf("\e[0K");
     #endif
      printf("%s%s", core.ui.display[line], line == NLINES-1 ? "" : "\n"); }
     #if CLEAR_SCREEN
     int read_rts_command(struct rts_command *cmd)
```

```
43 445 467 489 512 53 55 567 89 59
        int ok = 0;
      #ifndef ENABLE_SELF_TEST
        const char delimiter[2] = " ";
        char line[254] = \{0\};
        char *token = NULL;
        int linelen = 0;
        printf("\nEnter command and press enter:\n");
        memset(line,0,sizeof(line));
        for (unsigned int i = 0; i < sizeof(line); i++) {</pre>
         line[i] = soc_getchar();
          linelen = i;
          if (line[i] == 0 || line[i] == '\n') {
           break;
        printf(">>>%s<<<[%d]\n",line, linelen);</pre>
 60
 61
      #if CLEAR_SCREEN
       printf("\e[%d;1H\e[2K> ", NLINES+1);
 63
64
65
        if (linelen < 4) {
 66
         // Too short to be a valid command. "A 1 1\n" is the shortest command
 67
         return ok;
 68
 69
 70
        /* get the first token */
 71
        printf("About to call strtok\n");
 72
        token = strtok(line, delimiter);
 73
74
75
        printf("strtok called\n");
        if (token != NULL) {
 76
77
          printf("Command = %s\n",token);
          switch (token[0]) {
78
79
80
81
            case 'A':
             cmd->type = ACTUATION_COMMAND;
              // "A %hhd %hhd", &device, &on
              token = strtok(NULL, delimiter);
 82
              if (token != NULL) {
 83
               printf("cmd->cmd.act.device = %s\n",token);
               cmd->cmd.act.device = (uint8_t)atoi(token);
                token = strtok(NULL, delimiter);
86
87
88
89
90
91
92
               if (token != NULL) {
                 printf("cmd->cmd.act.on = %s\n",token);
                 cmd->cmd.act.on = (uint8 t)atoi(token);
                 printf("ACTUATION_COMMAND dev=%u on=%u\n",
                      cmd->cmd.act.device, cmd->cmd.act.on);
                 ok = 1;
               }
93
94
95
             break;
            case 'M':
 96
             cmd->type = INSTRUMENTATION_COMMAND;
 97
             cmd->cmd.instrumentation.type = SET_MAINTENANCE;
 98
              // "M %hhd %hhd", &div, &on
 99
              token = strtok(NULL, delimiter);
100
              if (token != NULL) {
101
                printf("cmd->instrumentation_division = %s\n",token);
102
                cmd->instrumentation_division = (uint8_t)atoi(token);
103
                token = strtok(NULL, delimiter);
104
                if (token != NULL) {
105
                 printf("cmd->cmd.instrumentation.cmd.maintenance.on = %s\n",token);
106
                 cmd->cmd.instrumentation.cmd.maintenance.on = (uint8_t)atoi(token);
                 printf("INSTRUMENTATION_COMMAND MAINTENANCE div=%u on=%u\n",
107
108
                       cmd->instrumentation_division,
```

```
109
                       cmd->cmd.instrumentation.cmd.maintenance.on);
110
                 ok = 1;
111
               }
112
              }
113
              break;
114
            case 'B':
115
              cmd->type = INSTRUMENTATION_COMMAND;
116
              cmd->cmd.instrumentation.type = SET_MODE;
117
              // "B %hhd %hhd %hhd", &div, &ch, &mode
118
              token = strtok(NULL, delimiter);
119
              if (token != NULL) {
120
                printf("cmd->instrumentation_division = %s\n",token);
121
                cmd->instrumentation_division = (uint8_t)atoi(token);
122
                token = strtok(NULL, delimiter);
123
                if (token != NULL) {
124
                 printf("cmd->cmd.instrumentation.cmd.mode.channel = %s\n",token);
125
                  cmd->cmd.instrumentation.cmd.mode.channel = (uint8_t)atoi(token);
126
                  token = strtok(NULL, delimiter);
127
                  if (token != NULL) {
128
                   printf("cmd->cmd.instrumentation.cmd.mode.mode_val = %s\n",token);
129
                   cmd->cmd.instrumentation.cmd.mode.mode_val = (uint8_t)atoi(token);
130
                   printf("INSTRUMENTATION_COMMAND MODE div=%u channel=%u mode=%u\n",
131
                       cmd->instrumentation_division,
132
                       cmd->cmd.instrumentation.cmd.mode.channel.
133
                       cmd->cmd.instrumentation.cmd.mode.mode_val);
134
                   ok = 1;
135
                 7
136
               }
137
              }
138
              break;
139
            case 'S':
140
141
142
143
144
145
146
              cmd->type = INSTRUMENTATION_COMMAND;
              cmd->cmd.instrumentation.type = SET_SETPOINT;
             // "S %hhd %hhd %d", &div, &ch, &val
token = strtok(NULL, delimiter);
              if ((token != NULL) && (token[0] != '\n')) {
                printf("cmd->instrumentation_division = %s\n",token);
                cmd->instrumentation_division = (uint8_t)atoi(token);
                token = strtok(NULL, delimiter);
                if ((token != NULL) && (token[0] != '\n')) {
                 printf("cmd->cmd.instrumentation.cmd.setpoint.channel = %s\n",token);
                 cmd->cmd.instrumentation.cmd.setpoint.channel = (uint8_t)atoi(token);
151
                  token = strtok(NULL, delimiter);
                 if ((token != NULL) && (token[0] != '\n')) {
153
                   printf("cmd->cmd.instrumentation.cmd.setpoint.val = %s\n",token);
154
155
                   cmd->cmd.instrumentation.cmd.setpoint.val = (uint32_t)atoi(token);
                   printf("INSTRUMENTATION_COMMAND SETPOINT div=%u channel=%u val=%u\n",
156
                       cmd->instrumentation_division,
157
                       cmd->cmd.instrumentation.cmd.setpoint.channel,
158
                       cmd->cmd.instrumentation.cmd.setpoint.val);
159
                   ok = 1;
160
161
162
              }
163
              break:
\begin{array}{c} 164 \\ 165 \end{array}
            default:
              break;
166
167
168
      #endif /* #ifndef ENABLE_SELF_TEST */
169
170
171
      uint32_t get_sensor_data(uint8_t sensor_addr)
173
        uint32 t data = 0:
```

```
175
        uint32_t addr = 0;
176
        uint32_t result = 0;
177
        uint8_t intermidiate = 0;
178
179
180
        // run 4 times to get all 32bits of uint32_t value
        for (uint8_t i = 0; i < 4; i++)
181
182
183
          // Set data pointer reg
184
          write_reg(I2C_REG_DATA, data);
185
          // Set write addr
186
          addr = (sensor_addr << 1) | 0x1;
187
          write_reg(I2C_REG_ADDR, addr);
188
          // Wait for transaction to finish
189
          while (read_reg(I2C_REG_STATUS) != 1) {
190
           ;;
          }
191
          // Set read addr
192
193
          addr = (sensor_addr << 1);
194
          write_reg(I2C_REG_ADDR, addr);
195
          // Wait for transaction to finish
196
          while (read_reg(I2C_REG_STATUS) != 1) {
         ;;
}
197
198
199
          // Update the result
200
          intermidiate = read_reg(I2C_REG_DATA);
201
         result = result | ( intermidiate << i*8);</pre>
202
203
       return result;
204
205
206
      void update_sensors(void)
207
208
        uint32_t val0, val1;
        val0 = get_sensor_data(TEMP_0_I2C_ADDR);
209
210
        val1 = get_sensor_data(TEMP_1_I2C_ADDR);
\tilde{2}11
        sensors_demux[0][T][0] = val0;
212
213
213
214
215
        sensors_demux[0][T][1] = val1;
        sensors_demux[1][T][0] = val0;
        sensors_demux[1][T][1] = val1;
216
        val0 = get_sensor_data(PRESSURE_0_I2C_ADDR);
217
        val1 = get_sensor_data(PRESSURE_1_I2C_ADDR);
218
        sensors_demux[0][P][0] = val0;
219
        sensors_demux[0][P][1] = val1;
220
        sensors_demux[1][P][0] = val0;
221
        sensors_demux[1][P][1] = val1;
222
223
224
225
       * Read external command, setting *cmd. Does not block.
226
       * Platform specific
227
228
       int read_actuation_command(uint8_t id, struct actuation_command *cmd) {
229
        cmd->device = id:
230
        cmd->on = (uint8_t) (read_reg(GPIO_REG) & (id+1));
231
        DEBUG_PRINTF(("<main.c> read_actuation_command: cmd->device=%u, cmd->on=%u\n",cmd->device,
              \hookrightarrow cmd->on));
232
        return 1;
233
      }
234
235
236
       * Physically set actuator to a new value
237
       * Platform specific
238
239
     int send_actuation_command(uint8_t id, struct actuation_command *cmd)
```

```
DEBUG_PRINTF(("<main.c> send_actuation_command, id=%u, cmd->device=%u, cmd->on=%u\n",id,

    cmd->device,cmd->on));
242
243
244
245
246
247
248
249
250
        if ((id < 2) && (cmd->on < 2) ) {
          uint32_t gpio_val = read_reg(GPIO_REG);
          if (id == 0) {
            // Set the actuator bit to zero
            gpio_val = gpio_val & 0xFFFFFFE;
            // Se the actuator bit to cmd->on value
            gpio_val = gpio_val | cmd->on;
          else {
251
            // id == 1
252
            // Set the actuator bit to zero
253
254
255
256
257
258
            gpio_val = gpio_val & 0xFFFFFFD;
            // Se the actuator bit to cmd->on value
            // Bit shift by one left
            gpio_val = gpio_val | (cmd->on << 1);</pre>
          write_reg(GPIO_REG, gpio_val);
259
          return 0;
260
261
        return -1:
262
263
264
265
      int main(void)
\tilde{2}66
      #if CLEAR_SCREEN
267
        // Prep the screen
268
        printf("\e[1;1H\e[2J");
269
        printf("\e[%d;3H\e[2K> ", NLINES+1);
270
271
272
        //struct rts_command cmd;// = (struct rts_command *)malloc(sizeof(*cmd));
273
        core_init(&core):
274
275
        sense_actuate_init(0, &instrumentation[0], &actuation_logic[0]);
        sense_actuate_init(1, &instrumentation[0], &actuation_logic[0]);
276
277
278
279
         char line[256];
        while (1)
280
          //read_rts_command(@cmd);
281
282
          update sensors():
283
          sprintf(line, "HW ACTUATORS 0x%X", read_reg(GPIO_REG));
284
285
          set_display_line(&core.ui, 8, line, 0);
          int retval = core_step(&core);
286
287
          DEBUG_PRINTF(("<main.c> core_step= 0x%X\n",retval));
          char line[256];
288
          sprintf(line, "Uptime: [%u]s\n",time_in_s());
289
          set_display_line(&core.ui, 9, line, 0);
290
          update_display();
291
          sense_actuate_step_0(&instrumentation[0], &actuation_logic[0]);
          sense_actuate_step_1(&instrumentation[2], &actuation_logic[1]);
292
293
294
295
        return 0;
296
```

Listing F.2: C implementation of common.

```
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include "platform.h"
```

```
| #include "common.h"
     #include "core.h"
     #include "instrumentation.h"
     #include "actuation_logic.h"
10
11
     #include "sense_actuate.h"
12
     #ifdef PLATFORM_HOST
13
     #include <stdio.h>
14
15
     #include "printf.h"
16
     #endif
17
18
     struct core_state core = {0};
19
20
21
22
23
24
25
26
27
28
29
     struct instrumentation_state instrumentation[4];
     struct actuation_logic actuation_logic[2];
     // channel -> sensor # -> val
     uint32_t sensors[2][2];
     // channel -> sensor # -> demux output # -> val
     uint32_t sensors_demux[2][2][2];
     uint8_t trip_signals[NTRIP][4];
     struct instrumentation_command inst_command_buf[4];
30
31
32
33
34
35
     uint8_t actuator_state[NDEV];
     uint8_t device_actuation_logic[2][NDEV];
     //EI mode:
     // mode = 0 => no error
     // mode = 1 => error
     // mode = 2 => nondet error
     uint8_t error_instrumentation_mode[NINSTR];
     uint8_t error_instrumentation[NINSTR];
39
41
42
44
44
45
46
47
48
49
55
55
55
55
55
     // ES ch mode:
     // mode = 0 => no error
     // mode = 1 => demux error (out 0)
     // mode = 2 => demux error (out 1)
     // mode = 3 => sensor error (error in both demux outs)
     // mode = 4 => nondet sensor error
     // mode = 5 => nondet demux error
     uint8_t error_sensor_mode[2][2];
     uint8_t error_sensor[2][2];
     uint8_t error_sensor_demux[2][2][2];
     int read_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val) {
      MUTEX_LOCK(&mem_mutex);
       int sensor = div/2;
       int demux_out = div%2;
       *val = sensors_demux[channel][sensor][demux_out];
       MUTEX_UNLOCK(&mem_mutex);
56
       DEBUG_PRINTF(("<common.c> read_instrumentation_channel: div=%u,channel=%u,val=%u\n",div,
              → channel,*val));
57
58
59
60
     int get_instrumentation_value(uint8_t division, uint8_t ch, uint32_t *value) {
61
       MUTEX_LOCK(&mem_mutex);
62
       \quad \  \  \text{if (!error\_instrumentation[division])} \\
6\tilde{3}
         *value = instrumentation[division].reading[ch];
64
65
       MUTEX_UNLOCK(&mem_mutex);
       DEBUG_PRINTF(("<common.c> get_instrumentation_value: error=%u, division=%u,ch=%u,val=%u\n"
              → ,error_instrumentation[division], division,ch,*value));
66
       return 0;
67
68
     int get_instrumentation_trip(uint8_t division, uint8_t ch, uint8_t *value) {
```

```
70
        MUTEX_LOCK(&mem_mutex);
 71
        if (!error_instrumentation[division])
 72
          *value = instrumentation[division].sensor_trip[ch];
 73
        MUTEX_UNLOCK(&mem_mutex);
 74
        DEBUG_PRINTF(("<common.c> get_instrumentation_trip: error=%u, division=%u,ch=%u,val=%u\n",

    error_instrumentation[division], division,ch,*value));

 \frac{75}{76}
        return 0;
 \gamma\gamma
 78
      int get_instrumentation_mode(uint8_t division, uint8_t ch, uint8_t *value) {
 79
        MUTEX_LOCK(&mem_mutex);
 80
        if (!error_instrumentation[division])
 81
          *value = instrumentation[division].mode[ch];
 82
        MUTEX_UNLOCK(&mem_mutex);
 83
        DEBUG_PRINTF(("<common.c> get_instrumentation_mode: error=%u, division=%u,ch=%u,val=%u\n",
              \hookrightarrow \texttt{error\_instrumentation[division], division,ch,*value));}
 84
85
        return 0;
 86
 87
       int get_instrumentation_maintenance(uint8_t division, uint8_t *value) {
 88
        MUTEX_LOCK(&mem_mutex);
 89
        if (!error_instrumentation[division])
 90
          *value = instrumentation[division].maintenance;
 91
        MUTEX_UNLOCK(&mem_mutex);
 92
        DEBUG_PRINTF(("<common.c> get_instrumentation_maintenance: error=%u, division=%u,val=%u\n"
              \hookrightarrow ,error_instrumentation[division],division,*value));
 93
        return 0:
 94
95
 96
97
      int get_actuation_state(uint8_t i, uint8_t device, uint8_t *value) {
        MUTEX_LOCK(&mem_mutex);
 98
         *value = device_actuation_logic[i][device];
 99
        MUTEX_UNLOCK(&mem_mutex);
100
        DEBUG_PRINTF(("<common.c> get_actuation_state: i=%u,device=%u,val=%u\n",i,device,*value));
101
        return 0;
102
103
104
105
       int read_instrumentation_trip_signals(uint8_t arr[3][4]) {
        DEBUG_PRINTF(("<common.c> read_instrumentation_trip_signals: ["));
106
        for (int i = 0; i < NTRIP; ++i) {</pre>
107
          DEBUG_PRINTF(("["));
108
          for (int div = 0; div < 4; ++div) {</pre>
109
            MUTEX_LOCK(&mem_mutex);
110
            arr[i][div] = trip_signals[i][div];
111
            DEBUG_PRINTF(("%u",trip_signals[i][div]));
112
            MUTEX_UNLOCK(&mem_mutex);
113
114
115
          DEBUG_PRINTF(("],"));
116
        DEBUG_PRINTF(("]\n"));
117
118
119
120
       int reset_actuation_logic(uint8_t logic_no, uint8_t device_no, uint8_t reset_val) {
121
        MUTEX_LOCK(&mem_mutex);
122
        actuation logic[logic no].vote actuate[device no] = reset val:
123
        MUTEX UNLOCK(&mem mutex):
124
        DEBUG_PRINTF(("<common.c> reset_actuation_logic: logic_no=%u,device=%u,reset_val=%u\n",
              → logic_no,device_no,reset_val));
125
        return 0;
126
127
128
       int set_output_actuation_logic(uint8_t logic_no, uint8_t device_no, uint8_t on) {
129
        ASSERT(logic_no < 2);
130
        ASSERT(device_no < 2);
131
```

```
132
        MUTEX_LOCK(&mem_mutex);
133
        device_actuation_logic[logic_no][device_no] = on;
134
135
        MUTEX_UNLOCK(&mem_mutex);
        DEBUG_PRINTF(("<common.c> set_output_actuation_logic: logic_no=%u,device=%u,on=%u\n",
              → logic_no,device_no,on));
136
        return 0:
137
      }
138
139
       int set_output_instrumentation_trip(uint8_t div, uint8_t channel, uint8_t val) {
140
        MUTEX_LOCK(&mem_mutex);
141
142
143
144
        if (!error_instrumentation[div])
          trip_signals[channel][div] = val;
        MUTEX_UNLOCK(&mem_mutex);
        DEBUG_PRINTF(("<common.c> set_output_instrumentation_trip: error=%u,div=%u,channel=%u,val
             → =%u\n",error_instrumentation[div], div, channel, val));
145
146
        return 0;
147
148
      int set_actuate_device(uint8_t device_no, uint8_t on)
149
150
        MUTEX_LOCK(&mem_mutex);
151
        actuator_state[device_no] = on;
152
        MUTEX_UNLOCK(&mem_mutex);
153
        DEBUG_PRINTF(("<common.c> set_actuate_device: dev %u, on %u\n",device_no, on));
154
155
        return 0:
156
157
      int read_instrumentation_command(uint8_t div,
158
                                    struct instrumentation_command *cmd) {
159
        DEBUG_PRINTF(("<common.c> read_instrumentation_command\n"));
160
        if ((div < 4) && (inst_command_buf[div].valid == 1)) {</pre>
161
          cmd->type = inst_command_buf[div].type;
162
          cmd->cmd = inst_command_buf[div].cmd;
163
          inst_command_buf[div].valid = 0;
164
165
         return 1;
166
       return 0;
      }
167
168
169
      int send_instrumentation_command(uint8_t div,
170
                                    struct instrumentation_command *cmd) {
171
        DEBUG_PRINTF(("<common.c> send_instrumentation_command\n"));
172
        if (div < 4) {</pre>
173
          inst_command_buf[div].type = cmd->type;
174
175
          inst_command_buf[div].cmd = cmd->cmd;
          inst_command_buf[div].valid = 1;
176
         return 0;
177
178
        return -1;
179
180
181
      uint8_t is_test_running()
182
183
        MUTEX_LOCK(&mem_mutex);
184
185
        uint8_t ret = core.test.self_test_running;
        MUTEX_UNLOCK(&mem_mutex);
186
        DEBUG_PRINTF(("<common.c> is_test_running? %u\n",ret));
187
        return ret;
188
189
190
      void set_test_running(int val)
191
192
        MUTEX_LOCK(&mem_mutex);
193
        core.test.self_test_running = val;
194
195
        MUTEX_UNLOCK(&mem_mutex);
        DEBUG_PRINTF(("<common.c> set_test_running: %i\n",core.test.self_test_running));
```

```
196
     | }
197
198
      uint8_t get_test_device()
199
200
        DEBUG_PRINTF(("<common.c> get_test_device: %u\n",core.test.test_device));
201
        return core.test.test_device;
202
203
204
205
      void get_test_instrumentation(uint8_t *id)
206
        id[0] = core.test.test_instrumentation[0];
207
        id[1] = core.test.test_instrumentation[1];
208
       DEBUG_PRINTF(("<common.c> get_test_instrumentation\n"));
209
210
211
      int get_instrumentation_test_setpoints(uint8_t id, uint32_t *setpoints)
212
\tilde{2}13
        setpoints[0] = core.test.test_setpoints[id][0];
214
215
        setpoints[1] = core.test.test_setpoints[id][1];
        setpoints[2] = core.test.test_setpoints[id][2];
216
        DEBUG_PRINTF(("<common.c> get_instrumentation_test_setpoints\n"));
217
        return 0;
218
219
220
      void set_instrumentation_test_complete(uint8_t div, int v)
221
222
        MUTEX_LOCK(&mem_mutex);
223
        core.test.test_instrumentation_done[div] = v;
224
        MUTEX_UNLOCK(&mem_mutex);
225
        226
227
228
      int is_instrumentation_test_complete(uint8_t id)
229
230
       MUTEX LOCK(&mem mutex):
231
        int ret = core.test.test_instrumentation_done[id];
232
        MUTEX_UNLOCK(&mem_mutex);
233
        DEBUG_PRINTF(("<common.c> is_instrumentation_test_complete: id=%u,ret=%i\n",id,ret));
234
235
       return ret;
236
237
      int read_test_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val)
238
239
        MUTEX LOCK(&mem mutex):
240
241
242
        *val = core.test.test_inputs[div][channel];
        MUTEX_UNLOCK(&mem_mutex);
        DEBUG_PRINTF(("<common.c> read_test_instrumentation_channel: div=%u,channel=%u,val=%u\n",
             \hookrightarrow div,channel,*val));
243
244
245
246
247
248
249
       return 0;
      uint8_t get_test_actuation_unit()
        MUTEX_LOCK(&mem_mutex);
        uint8_t ret = core.test.test_actuation_unit;
250
        MUTEX_UNLOCK(&mem_mutex);
251
        DEBUG_PRINTF(("<common.c> get_test_actuation_unit: %u\n",ret));
252
253
       return ret;
254
255
      void set_actuation_unit_test_complete(uint8_t div, int v)
256
257
        MUTEX_LOCK(&mem_mutex);
258
        core.test.test_actuation_unit_done[div] = v;
259
        MUTEX_UNLOCK(&mem_mutex);
260
        DEBUG_PRINTF(("<common.c> set_actuation_unit_test_complete: div %u, v=%i\n",div,v));
```

```
261 |}
262
263
      void set_actuation_unit_test_input_vote(uint8_t id, int v)
264
265
        MUTEX_LOCK(&mem_mutex);
266
        core.test.actuation_old_vote = v != 0;
267
        MUTEX_UNLOCK(&mem_mutex);
268
        DEBUG_PRINTF(("<common.c> set_actuation_unit_test_input_vote: id %u, v=%i\n",id,v));
269
270
271
      int is_actuation_unit_test_complete(uint8_t id)
272
273
        MUTEX_LOCK(&mem_mutex);
274
275
        int ret = core.test.test_actuation_unit_done[id];
        MUTEX_UNLOCK(&mem_mutex);
\tilde{2}76
        DEBUG_PRINTF(("<common.c> is_actuation_unit_test_complete: %i\n",ret));
277
278
279
280
      void set_actuate_test_result(uint8_t dev, uint8_t result)
281
282
        MUTEX_LOCK(&mem_mutex);
283
        core.test.test_device_result[dev] = result;
284
        MUTEX UNLOCK(&mem mutex):
285
        \label{lem:debug_printf} $$ $$ DEBUG_PRINTF(("<common.c> set_actuate_test_result: dev \%u, result=\%u\n", dev,result)); $$
286
287
288
289
      void set_actuate_test_complete(uint8_t dev, int v)
290
        MUTEX_LOCK(&mem_mutex);
291
        core.test.test_device_done[dev] = v;
292
        MUTEX_UNLOCK(&mem_mutex);
293
        DEBUG_PRINTF(("<common.c> set_actuate_test_complete: dev %u, v=%i\n",dev,v));
294
295
\tilde{296}
      int is_actuate_test_complete(uint8_t dev)
297
298
        MUTEX_LOCK(&mem_mutex);
299
        int ret = core.test.test_device_done[dev];
300
        MUTEX_UNLOCK(&mem_mutex);
301
        DEBUG_PRINTF(("<common.c> is_actuate_test_complete: %i\n",ret));
302
        return ret;
303
```

Listing F.3: C implementation of posix\_main.

```
#include "common.h"
     #include "core.h"
 3
     #include "instrumentation.h"
     #include "actuation_logic.h"
     #include "sense_actuate.h"
 6
    #include "platform.h"
    #include <poll.h>
     #include <fcntl.h>
    #include <stdio.h>
     #include <termios.h>
    #include <unistd.h>
13
    #include <stddef.h>
14
15
    #include <stdint.h>
     #include <stdio.h>
16
    #include <stdlib.h>
17
     #include <string.h>
18
     #include <sys/select.h>
19
    #include <time.h>
20
```

```
extern struct instrumentation_state instrumentation[4];
     struct actuation_command *act_command_buf[2];
23
24
25
26
27
28
29
30
     #define min(_a, _b) ((_a) < (_b) ? (_a) : (_b))
     #define max(_a, _b) ((_a) > (_b) ? (_a) : (_b))
     #include <pthread.h>
     pthread_mutex_t display_mutex = PTHREAD_MUTEX_INITIALIZER;
     pthread_mutex_t mem_mutex = PTHREAD_MUTEX_INITIALIZER;
31
32
33
34
35
36
37
38
39
     #ifndef TO
     #define TO 200
     #endif
     #ifndef PO
     #define P0 1152600
     #endif
     // Bias to simulated sensor readings in degrees F
#ifndef T_BIAS
     #define T_BIAS 0
     #endif
     // Bias to simulated sensor readings in 10^-5 lb/in2
     #ifndef P_BIAS
     #define P_BIAS 0
     #endif
     #ifndef SENSOR_UPDATE_MS
     #define SENSOR_UPDATE_MS 500
     #endif
     int clear_screen() {
      return (isatty(fileno(stdin)) && (NULL == getenv("RTS_NOCLEAR")));
     void update_display() {
      if (clear_screen()) {
        printf("\e[s\e[1;1H");//\e[2J");
60
61
      for (int line = 0; line < NLINES; ++line) {</pre>
62
        printf("\e[0K");
        printf("%s%s", core.ui.display[line], line == NLINES-1 ? "" : "\n");
63
64
65
      if (clear_screen()) {
        printf("\e[u");
66
67
      }
68
69
70
     int read_rts_command(struct rts_command *cmd) {
71
72
73
      int ok = 0;
      uint8_t device, on, div, ch, mode, sensor;
      uint32_t val;
74
75
      char *line = NULL;
      size_t linecap = 0;
76
77
      ssize_t linelen;
78
79
       /* if (isatty(fileno(stdin))) { */
       /* set_display_line(&ui, 9, (char *)"> ", 0); */
80
81
       /* } */
       struct pollfd fds;
82
       fds.fd = STDIN_FILENO;
83
       fds.events = POLLIN;
84
85
       fds.revents = POLLIN;
       if(poll(&fds, 1, 100) < 1) {
        return 0:
```

```
87
 88
        linelen = getline(&line, &linecap, stdin);
 89
 90
        if (linelen == EOF)
 91
92
          exit(0);
 93
94
        if (linelen < 0)</pre>
          return 0;
 95
96
        MUTEX_LOCK(&display_mutex);
 97
 98
        printf("\e[%d;1H\e[2K> ", NLINES+1);}
        if (clear_screen()) {
 99
100
101
102
        MUTEX_UNLOCK(&display_mutex);
103
104
        if (2 == (ok = sscanf(line, "A %hhd %hhd", &device, &on))) {
105
          cmd->type = ACTUATION_COMMAND;
106
          cmd->cmd.act.device = device;
107
          cmd->cmd.act.on = on;
108
          DEBUG_PRINTF(("<main.c> read_rts_command ACTUATION_COMMAND dev=%u on=%u\n",
109
                       cmd->cmd.act.device, cmd->cmd.act.on));
110
          ok = 1:
111
        } else if (2 == (ok = sscanf(line, "M %hhd %hhd", &div, &on))) {
112
          cmd->type = INSTRUMENTATION_COMMAND;
113
          cmd->instrumentation_division = div;
114
115
          cmd->cmd.instrumentation.type = SET_MAINTENANCE;
          cmd->cmd.instrumentation.cmd.maintenance.on = on;
116
          DEBUG_PRINTF(("<main.c> read_rts_command INSTRUMENTATION_COMMAND MAINTENANCE div=%u on=%u
                 → , type=%u\n",
117
                       cmd->instrumentation_division,
118
                       cmd->cmd.instrumentation.cmd.maintenance.on,
119
                       cmd->cmd.instrumentation.type));
120
          ASSERT(on == 0 || on == 1);
121
          ok = 1;
122
        } else if (3 == (ok = sscanf(line, "B \%hhd \%hhd \%hhd", &div, &ch, &mode))) {
123
          cmd->type = INSTRUMENTATION_COMMAND;
124
125
          cmd->instrumentation_division = div;
          cmd->cmd.instrumentation.type = SET_MODE;
126
          cmd->cmd.instrumentation.cmd.mode.channel = ch;
127
          cmd->cmd.instrumentation.cmd.mode.mode_val = mode;
128
          DEBUG_PRINTF(("<main.c> read_rts_command INSTRUMENTATION_COMMAND MODE div=%u channel=%u

→ mode=%u type=%u\n",

129
                       cmd->instrumentation_division,
130
                       cmd->cmd.instrumentation.cmd.mode.channel.
131
                       cmd->cmd.instrumentation.cmd.mode.mode_val,
132
                       cmd->cmd.instrumentation.type));
133
          ok = 1:
        } else if (3 == (ok = sscanf(line, "S %hhd %hhd %d", &div, &ch, &val))) {
134
135
          cmd->type = INSTRUMENTATION_COMMAND;
136
          cmd->instrumentation_division = div;
137
          cmd->cmd.instrumentation.type = SET_SETPOINT;
138
          cmd->cmd.instrumentation.cmd.setpoint.channel = ch;
139
          cmd->cmd.instrumentation.cmd.setpoint.val = val;
140
          DEBUG_PRINTF(("<main.c> read_rts_command INSTRUMENTATION_COMMAND SETPOINT div=%u channel
                \hookrightarrow =%u val=%u\n".
141
142
143
144
145
146
147
148
149
                       cmd->instrumentation_division,
                       cmd->cmd.instrumentation.cmd.setpoint.channel,
                       cmd->cmd.instrumentation.cmd.setpoint.val));
          ok = 1;
      #ifndef SIMULATE_SENSORS
        } else if (3 == (ok = sscanf(line, "V %hhd %hhd %d", &sensor, &ch, &val))) {
          if (sensor < 2 && ch < 2)
            sensors[ch][sensor] = val;
          DEBUG_PRINTF(("<main.c> read_rts_command UPDATE SENSORS sensor=%d, ch=%d, val=%d\n",
```

```
150
                                             sensor, ch, val));
 151
                   #endif
 152
                      } else if (line[0] == 'Q') {
153
154
155
                             // printf("<main.c> read_rts_command QUIT\n");
                              exit(0);
                       } else if (line[0] == 'D') {
 156
                             DEBUG_PRINTF(("<main.c> read_rts_command UPDATE DISPLAY\n"));
 157
                             update_display();
 158
                        } else if (3 == (ok = sscanf(line, "ES %hhd %hhd %hhd", &sensor, &ch, &mode))) {
 159
                              error_sensor_mode[ch][sensor] = mode;
 160
                             DEBUG_PRINTF(("<main.c> read_rts_command ERROR SENSOR sensor=%d, ch=%d, mode=%d\n",
 161
                                            sensor,ch,mode));
                       } else if (2 == (ok = sscanf(line, "EI %hhd %hhd", &div, &mode))) {
162
 163
                              error_instrumentation_mode[div] = mode;
                             \label{eq:debug_printf} $$ $$ $ = -\frac{1}{n} \cdot \frac{1}{n} \cdot
164
165
                                             div, mode));
166
167
 168
                        if (line)
 169
                             free(line);
 170
171
                       return ok;
172
173
174
175
                   void update_instrumentation_errors(void) {
                      for (int i = 0; i < NINSTR; ++i) {
176
                             if(error_instrumentation_mode[i] == 2) {
177
                                   error_instrumentation[i] |= rand() % 2;
 178
 179
                                   error_instrumentation[i] = error_instrumentation_mode[i];
 180
 181
                      }
 182
 183
184
185
                   void update_sensor_errors(void) {
                      for (int c = 0; c < 2; ++c) {
186
187
                             for (int s = 0; s < 2; ++s) {
                                   switch (error_sensor_mode[c][s]) {
 188
                                        case 0:
 189
                                             error_sensor[c][s] = 0;
 190
                                             error_sensor_demux[c][s][0] = 0;
 191
                                             error_sensor_demux[c][s][1] = 0;
 192
                                            break;
 193
                                         case 1:
194
195
                                             error_sensor[c][s] = 0;
                                             error_sensor_demux[c][s][0] = 1;
 196
                                             error_sensor_demux[c][s][1] = 0;
 197
                                            break;
 198
                                         case 2:
 199
                                             error_sensor[c][s] = 0;
 200
                                              error_sensor_demux[c][s][0] = 0;
201
                                             error_sensor_demux[c][s][1] = 1;
202
                                             break;
203
                                         case 3:
 204
                                             error_sensor[c][s] = 1;
 205
                                             error_sensor_demux[c][s][0] = 0;
206
                                             error_sensor_demux[c][s][1] = 0;
207
                                             break;
208
                                         case 4:
209
210
                                             int fail = rand() % 2;
211
                                             error_sensor[c][s] |= fail;
212
                                             error_sensor_demux[c][s][0] = 0;
213
                                             error_sensor_demux[c][s][1] = 0;
214
215
                                        break:
```

```
216
              case 5:
217
              ł
218
                error_sensor[c][s] = 0;
219
                error_sensor_demux[c][s][0] |= (rand() % 2);
220
                error_sensor_demux[c][s][1] |= (rand() % 2);
\tilde{2}\tilde{2}\tilde{1}
222
              break;
223
              default:
224
225
                ASSERT("Invalid sensor fail mode" && 0);
226
     |}
227
228
229
230
       int update_sensor_simulation(void) {
\tilde{231}
        static int initialized = 0;
232
        static uint32_t last_update = 0;
233
        static uint32_t last[2][2] = {0};
234
235
        struct timespec tp;
236
        clock_gettime(CLOCK_REALTIME, &tp);
237
        uint32_t t0 = last_update;
238
        uint32_t t = tp.tv_sec*1000 + tp.tv_nsec/1000000;
239
240
241
242
243
244
245
246
247
248
249
250
        if (!initialized) {
          last_update = t;
          last[0][T] = T0;
          last[1][T] = T0;
          last[0][P] = P0;
          last[1][P] = P0;
          initialized = 1;
        } else if (t - t0 > SENSOR_UPDATE_MS) {
          for (int s = 0; s < 2; ++s) {
            last[s][T] += (rand() % 7) - 3 + T_BIAS;
            // Don't stray too far from our steam table
251
            last[s][T] = min(last[s][T], 300);
last[s][T] = max(last[s][T], 25);
252
253
\tilde{2}54
            last[s][P] += (rand() % 7) - 3 + P_BIAS;
255
            // Don't stray too far from our steam table
256
            last[s][P] = min(last[s][P], 5775200);
257
            last[s][P] = max(last[s][P], 8000);
258
259
          last_update = t;
260
261
        sensors[T][0] = last[T][0];
262
        sensors[T][1] = last[T][1];
263
        sensors[P][0] = last[P][0];
264
        sensors[P][1] = last[P][1];
265
266
        return 0;
267
268
269
       void update_sensors(void) {
270
        update_sensor_errors();
271
       #ifdef SIMULATE_SENSORS
272
        update_sensor_simulation();
273
274
275
276
       #endif
        for (int c = 0; c < 2; ++c) {
          for (int s = 0; s < 2; ++s) {
            if (error_sensor[c][s]) {
277
              sensors[c][s] = rand();
278
279
280
            MUTEX_LOCK(&mem_mutex);
281
            sensors_demux[c][s][0] = sensors[c][s];
```

```
282
            MUTEX_UNLOCK(&mem_mutex);
283
284
285
            MUTEX_LOCK(&mem_mutex);
            sensors_demux[c][s][1] = sensors[c][s];
\tilde{286}
            MUTEX_UNLOCK(&mem_mutex);
\tilde{287}
288
            for (int d = 0; d < 2; ++d) {
289
              if(error_sensor_demux[c][s][d]) {
290
                MUTEX_LOCK(&mem_mutex);
291
                sensors_demux[c][s][d] = rand();
292
                MUTEX_UNLOCK(&mem_mutex);
293
294
295
          }
     |<sub>}</sub>
296
297
\tilde{298}
\tilde{2}99
       int read_actuation_command(uint8_t id, struct actuation_command *cmd) {
300
        struct actuation_command *c = act_command_buf[id];
301
302
          cmd->device = c->device;
303
          cmd->on = c->on;
304
305
          free(c);
          act_command_buf[id] = NULL;
306
          return 1;
307
308
        return 0;
309
310
311
      int send_actuation_command(uint8_t id, struct actuation_command *cmd) {
312
313
314
          act_command_buf[id] = (struct actuation_command *)malloc(sizeof(*act_command_buf[id]));
          act_command_buf[id]->device = cmd->device;
315
          act_command_buf[id]->on = cmd->on;
316
          return 0:
317
318
319
320
        return -1;
321
      void* start0(void *arg) {
322
        while(1) {
323
          sense_actuate_step_0(&instrumentation[0], &actuation_logic[0]);
324
325
326
      void* start1(void *arg) {
327
        while(1) {
328
          sense_actuate_step_1(&instrumentation[2], &actuation_logic[1]);
329
330
331
332
      uint32_t time_in_s()
333
334
335
        static time_t start_time = 0;
        struct timespec tp;
336
        clock_gettime(CLOCK_REALTIME, &tp);
337
        if (start_time == 0) {
338
         start_time = tp.tv_sec;
339
340
341
342
344
345
347
        time_t total = tp.tv_sec - start_time;
        char line[256];
        \label{line: wull} sprintf(line, "Uptime: [%u]s\n",(uint32_t)total);
        set_display_line(&core.ui, 9, line, 0);
        return (uint32_t)total;
      int main(int argc, char **argv) {
```

```
348
349
350
351
352
353
354
355
        struct rts_command *cmd = (struct rts_command *)malloc(sizeof(*cmd));
        core_init(&core);
        sense_actuate_init(0, &instrumentation[0], &actuation_logic[0]);
        sense_actuate_init(1, &instrumentation[2], &actuation_logic[1]);
         if (isatty(fileno(stdin))) printf("\e[1;1H\e[2J");
         if (isatty(fileno(stdin))) printf("\e[%d;3H\e[2K> ", NLINES+1);
356
357
       #ifdef USE_PTHREADS
358
        pthread_attr_t attr;
359
        pthread_t sense_actuate_0, sense_actuate_1;
360
        pthread_attr_init(&attr);
361
362
        pthread_create(&sense_actuate_0, &attr, start0, NULL);
        pthread_create(&sense_actuate_1, &attr, start1, NULL);
363
       #endif
364
365
        while (1) {
366
          char line[256];
367
          fflush(stdout);
368
          MUTEX_LOCK(&display_mutex);
369
          sprintf(line, "HW ACTUATORS %s %s", actuator_state[0] ? "ON " : "OFF", actuator_state[1]?

→ "ON " : "OFF");
370
          set_display_line(&core.ui, 8, line, 0);
371
372
          MUTEX_UNLOCK(&display_mutex);
          update_instrumentation_errors();
373
374
375
376
377
          update_sensors();
          core_step(&core);
      #ifndef USE_PTHREADS
          sense_actuate_step_0(&instrumentation[0], &actuation_logic[0]);
          sense_actuate_step_1(&instrumentation[2], &actuation_logic[1]);
378
379
          update_display();
380
          sleep(1);
381
382
383
384
        return 0;
```

Listing F.4: C implementation of instrumentation\_common.

```
#include "instrumentation.h"

void instrumentation_init(struct instrumentation_state *state) {
    state->maintenance = 1;
    for (int i = 0; i < NTRIP; ++i) {
        state->mode[i] = 0;
        state->reading[i] = 0;
        state->reading[i] = 0;
        state->sensor_trip[i] = 0;
        state->setpoints[i] = 0;
}

10
}
```

Listing F.5: C implementation of syscalls.

```
#include <errno.h>
#include <sys/stat.h>
#include <sys/times.h>
#include <sys/time.h>
#include "syscalls.h"
#include "bsp.h"

y

void _exit(int n) {
    (void)n;
    while(1){
```

```
11
12
13
14
15
16
17
18
              ;;
         }
     }
      void *_sbrk(int nbytes)
          (void)nbytes;
          errno = ENOMEM;
190122345678901333345678901423445678901525555555567890
         return (void *)-1;
      int _write(int file, char *ptr, int len)
         volatile uint32_t *uart_tx = (void*) UART_REG_TX;
          (void)file;
         for (int i=0;i<len;i++) {
              *uart_tx = ptr[i];
              uint32_t count = MIN_PRINT_DELAY_TICKS;
              while(count-->0) {
                  __asm__ volatile ("nop");
              }
         return len;
     int _close(int fd)
          (void)fd;
          errno = EBADF;
         return -1;
     long _lseek(int fd, long offset, int origin)
          (void)fd;
          (void)offset;
          (void)origin;
          errno = EBADF;
         return -1;
     int _read(int fd, void *buffer, unsigned int count)
{
          (void)fd;
          (void)buffer;
         (void)count;
errno = EBADF;
         return -1;
61
62
     int _fstat(int fd, void *buffer)
63
          (void)fd;
64
65
          (void)buffer;
         errno = EBADF;
66
67
68
69
         return -1;
     int _isatty(int fd)
70
71
72
73
74
75
76
          (void)fd;
          errno = EBADF;
         return 0;
    int _kill(int pid, int sig)
```

## Listing F.6: C implementation of printf.

```
// File from: https://github.com/mpaland/printf
     // \author (c) Marco Paland (info@paland.com)
     // 2014-2019, PALANDesign Hannover, Germany
 4567
    // \license The MIT License (MIT)
    // Permission is hereby granted, free of charge, to any person obtaining a copy
     // of this software and associated documentation files (the "Software"), to deal
     // in the Software without restriction, including without limitation the rights
    // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell // copies of the Software, and to permit persons to whom the Software is
13
     // furnished to do so, subject to the following conditions:
14
15
     //
     // The above copyright notice and this permission notice shall be included in
16
     // all copies or substantial portions of the Software.
17
     // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19
     // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
     // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
     // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
     // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
     // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
     // THE SOFTWARE.
26
27
28
29
30
31
     \begin{subarray}{ll} // \brief Tiny printf, sprintf and (v) snprintf implementation, optimized for speed on \end{subarray}
     // embedded systems with a very limited resources. These routines are thread
     // safe and reentrant!
     // Use this instead of the bloated standard/newlib printf cause these use
     // malloc for printf (and may not be thread safe).
33345
3367
389
442
445
447
449
450
     #include <stdbool.h>
     #include <stdint.h>
     #include "printf.h"
     #include "syscalls.h"
     // define this globally (e.g. gcc -DPRINTF_INCLUDE_CONFIG_H ...) to include the
     // printf_config.h header file
     // default: undefined
     #ifdef PRINTF_INCLUDE_CONFIG_H
     #include "printf_config.h"
     #endif
     // 'ntoa' conversion buffer size, this must be big enough to hold one converted
     // numeric number including padded zeros (dynamically created on stack)
     // default: 32 byte
     #ifndef PRINTF_NTOA_BUFFER_SIZE
     #define PRINTF_NTOA_BUFFER_SIZE 32U
```

```
#endif
             \begin{tabular}{ll} \end{tabular} \beg
             // float number including padded zeros (dynamically created on stack)
             // default: 32 byte
             #ifndef PRINTF_FTOA_BUFFER_SIZE
   58
             #define PRINTF_FTOA_BUFFER_SIZE 32U
  59
   60
             // support for the floating point type (%f)
             // default: activated
             #ifndef PRINTF_DISABLE_SUPPORT_FLOAT
  64
65
             #define PRINTF_SUPPORT_FLOAT
             #endif
  66
  67
             // support for exponential floating point notation (%e/%g)
  68
             // default: activated
             #ifndef PRINTF_DISABLE_SUPPORT_EXPONENTIAL
   69
   70
             #define PRINTF_SUPPORT_EXPONENTIAL
   71
  72
73
74
75
             // define the default floating point precision
             // default: 6 digits
             #ifndef PRINTF_DEFAULT_FLOAT_PRECISION
  \frac{76}{77}
             #define PRINTF_DEFAULT_FLOAT_PRECISION 6U
  78
79
80
             // define the largest float suitable to print with %f
             // default: 1e9
  81
             #ifndef PRINTF_MAX_FLOAT
             #define PRINTF_MAX_FLOAT 1e9
             // support for the long long types (%llu or %p)
             // default: activated
  87
             #ifndef PRINTF_DISABLE_SUPPORT_LONG_LONG
  88
89
90
             #define PRINTF_SUPPORT_LONG_LONG
             #endif
  91
             // support for the ptrdiff_t type (%t)
             // ptrdiff_t is normally defined in <stddef.h> as long or long long type // default: activated
  92
             #ifndef PRINTF_DISABLE_SUPPORT_PTRDIFF_T
             #define PRINTF_SUPPORT_PTRDIFF_T
  96
             #endif
  97
  98
             99
100
             // internal flag definitions
101
             #define FLAGS_ZEROPAD (1U << 0U)</pre>
102
             #define FLAGS_LEFT (1U << 1U)</pre>
103
             #define FLAGS_PLUS (1U << 2U)
104
105
             #define FLAGS_SPACE (1U << 3U)</pre>
             #define FLAGS_HASH (1U << 4U)</pre>
106
            #define FLAGS_UPPERCASE (1U << 5U)
107
             #define FLAGS_CHAR (1U << 6U)</pre>
108
             #define FLAGS_SHORT (1U << 7U)</pre>
109
             #define FLAGS_LONG (1U << 8U)</pre>
110
             #define FLAGS_LONG_LONG (1U << 9U)</pre>
111
             #define FLAGS_PRECISION (1U << 10U)</pre>
112
             #define FLAGS_ADAPT_EXP (1U << 11U)</pre>
113
114
115
             // import float.h for DBL_MAX
             #if defined(PRINTF_SUPPORT_FLOAT)
116
             #include <float.h>
117
          #endif
```

```
118
119
      // output function type
120
      typedef void (*out_fct_type)(char character, void* buffer, size_t idx, size_t maxlen);
121
12\overline{2}
      \begin{tabular}{ll} /\!/ wrapper (used as buffer) for output function type \\ \end{tabular}
123
      typedef struct {
124
125
        void (*fct)(char character, void* arg);
        void* arg;
126
      } out_fct_wrap_type;
127
128
      // internal buffer output
129
      static inline void _out_buffer(char character, void* buffer, size_t idx, size_t maxlen)
130
131
        if (idx < maxlen) {</pre>
132
          ((char*)buffer)[idx] = character;
133
       }
134
135
136
      // internal null output
137
      static inline void _out_null(char character, void* buffer, size_t idx, size_t maxlen)
138
139
        (void)character; (void)buffer; (void)idx; (void)maxlen;
140
141
142
143
      // internal _putchar wrapper
      static inline void _out_char(char character, void* buffer, size_t idx, size_t maxlen)
144
145
146
147
148
149
         (void)buffer; (void)idx; (void)maxlen;
       if (character) {
          _write(0, &character, 1);
151
      // internal output function wrapper
152
      static inline void _out_fct(char character, void* buffer, size_t idx, size_t maxlen)
153
\begin{array}{c} 154 \\ 155 \end{array}
        (void)idx; (void)maxlen;
        if (character) {
156
          // buffer is the output fct pointer
157
          ((out_fct_wrap_type*)buffer)->fct(character, ((out_fct_wrap_type*)buffer)->arg);
158
159
      }
160
161
      // internal secure strlen
162
      // \return The length of the string (excluding the terminating 0) limited by 'maxsize'
163
      static inline unsigned int _strnlen_s(const char* str, size_t maxsize)
164
165
        const char* s;
166
       for (s = str; *s && maxsize--; ++s);
167
       return (unsigned int)(s - str);
168
169
170
      // internal test if char is a digit (0-9)
171
      // \return true if char is a digit
      static inline bool _is_digit(char ch)
172
173
174
175
        return (ch >= '0') && (ch <= '9');
176
177
      // internal ASCII string to unsigned int conversion
178
      static unsigned int _atoi(const char** str)
179
180
        unsigned int i = OU;
181
        while (_is_digit(**str)) {
182
         i = i * 10U + (unsigned int)(*((*str)++) - '0');
183
```

```
184
185
       return i;
186
187
      // output the specified string in reverse, taking care of any zero-padding
188
      static size_t _out_rev(out_fct_type out, char* buffer, size_t idx, size_t maxlen, const char
            \hookrightarrow * buf, size_t len, unsigned int width, unsigned int flags)
189
190
        const size_t start_idx = idx;
191
192
        // pad spaces up to given width
193
        if (!(flags & FLAGS_LEFT) && !(flags & FLAGS_ZEROPAD)) {
194
195
         for (size_t i = len; i < width; i++) {
            out(' ', buffer, idx++, maxlen);
196
         }
197
198
199
        // reverse string
200
        while (len) {
201
         out(buf[--len], buffer, idx++, maxlen);
202
203
204
        // append pad spaces up to given width
205
        if (flags & FLAGS_LEFT) {
206
         while (idx - start_idx < width) {</pre>
207
            out(' ', buffer, idx++, maxlen);
208
209
       }
210
211
        return idx;
212
213
214
      // internal itoa format
215
      static size_t _ntoa_format(out_fct_type out, char* buffer, size_t idx, size_t maxlen, char*

    → buf, size_t len, bool negative, unsigned int base, unsigned int prec, unsigned int

→ width, unsigned int flags)

216
217
        // pad leading zeros
218
        if (!(flags & FLAGS_LEFT)) {
219
          if (width && (flags & FLAGS_ZEROPAD) && (negative || (flags & (FLAGS_PLUS | FLAGS_SPACE))
               → )) {
220
            width--;
991
          }
222
          while ((len < prec) && (len < PRINTF_NTOA_BUFFER_SIZE)) {</pre>
223
           buf[len++] = '0';
224
225
          while ((flags & FLAGS_ZEROPAD) && (len < width) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
226
            buf[len++] = '0';
227
228
       }
229
230
        // handle hash
231
        if (flags & FLAGS_HASH) {
232
         if (!(flags & FLAGS_PRECISION) && len && ((len == prec) || (len == width))) {
233
234
235
            if (len && (base == 16U)) {
             len--;
236
237
238
          if ((base == 16U) && !(flags & FLAGS_UPPERCASE) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
239
240
241
242
243
244
245
           buf[len++] = 'x';
          else if ((base == 16U) && (flags & FLAGS_UPPERCASE) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
           buf[len++] = 'X';
          else if ((base == 2U) && (len < PRINTF_NTOA_BUFFER_SIZE)) {</pre>
           buf[len++] = 'b';
```

```
246
247
248
249
250
251
252
253
254
255
          if (len < PRINTF_NTOA_BUFFER_SIZE) {</pre>
             buf[len++] = '0';
          }
        }
         if (len < PRINTF_NTOA_BUFFER_SIZE) {</pre>
          if (negative) {
            buf[len++] = '-';
256
          else if (flags & FLAGS_PLUS) {
257
            buf[len++] = '+'; // ignore the space if the '+' exists
258
259
          else if (flags & FLAGS_SPACE) {
  buf[len++] = ' ';
260
261
262
263

  \begin{array}{c}
    264 \\
    265
  \end{array}

        return _out_rev(out, buffer, idx, maxlen, buf, len, width, flags);
266
267
       // internal itoa for 'long' type
268
       static size_t _ntoa_long(out_fct_type out, char* buffer, size_t idx, size_t maxlen, unsigned
             \hookrightarrow long value, bool negative, unsigned long base, unsigned int prec, unsigned int

→ width, unsigned int flags)

269
270
271
272
        char buf[PRINTF_NTOA_BUFFER_SIZE];
        size_t len = OU;
272
273
274
275
276
         // no hash for 0 values
        if (!value) {
          flags &= ~FLAGS_HASH;
277
        // write if precision != 0 and value is != 0
278
279
        if (!(flags & FLAGS_PRECISION) || value) {
280
          do {
281
             const char digit = (char)(value % base);
282
             buf[len++] = digit < 10 ? '0' + digit : (flags & FLAGS_UPPERCASE ? 'A' : 'a') + digit -</pre>

→ 10;

283
             value /= base;
284
285
          } while (value && (len < PRINTF_NTOA_BUFFER_SIZE));</pre>
286
287
        return _ntoa_format(out, buffer, idx, maxlen, buf, len, negative, (unsigned int)base, prec

→ . width. flags):

288
289
290
       // internal itoa for 'long long' type
291
       #if defined(PRINTF_SUPPORT_LONG_LONG)
292
       static size_t _ntoa_long_long(out_fct_type out, char* buffer, size_t idx, size_t maxlen,
             \hookrightarrow unsigned long long value, bool negative, unsigned long long base, unsigned int prec,
             \hookrightarrow unsigned int width, unsigned int flags)
293
294
295
        char buf[PRINTF_NTOA_BUFFER_SIZE];
        size_t len = OU;
296
297
         // no hash for 0 values
298
        if (!value) {
299
          flags &= "FLAGS_HASH;
300
301
302
         // write if precision != 0 and value is != 0
303
         if (!(flags & FLAGS_PRECISION) || value) {
304
305
          do {
             const char digit = (char)(value % base);
```

```
306
            buf[len++] = digit < 10 ? '0' + digit : (flags & FLAGS_UPPERCASE ? 'A' : 'a') + digit -</pre>

→ 10:

307
            value /= base;
         } while (value && (len < PRINTF_NTOA_BUFFER_SIZE));</pre>
308
309
310
311
        return _ntoa_format(out, buffer, idx, maxlen, buf, len, negative, (unsigned int)base, prec

→ , width, flags);

312
313
      #endif // PRINTF_SUPPORT_LONG_LONG
314
315
      #if defined(PRINTF_SUPPORT_FLOAT)
316
317
      #if defined(PRINTF SUPPORT EXPONENTIAL)
318
      /\!/\ forward\ declaration\ so\ that\ \_ftoa\ can\ switch\ to\ exp\ notation\ for\ values\ > PRINTF\_MAX\_FLOAT
319
      static size_t _etoa(out_fct_type out, char* buffer, size_t idx, size_t maxlen, double value,
            \hookrightarrow unsigned int prec, unsigned int width, unsigned int flags);
320
321
322
      // internal ftoa for fixed decimal floating point
323
      static size_t _ftoa(out_fct_type out, char* buffer, size_t idx, size_t maxlen, double value,
            \hookrightarrow unsigned int prec, unsigned int width, unsigned int flags)
\frac{324}{325}
       char buf[PRINTF_FTOA_BUFFER_SIZE];
326
        size_t len = OU;
327
        double diff = 0.0;
328
329
        // powers of 10
330
        static const double pow10[] = { 1, 10, 100, 1000, 10000, 100000, 1000000, 10000000,
             → 100000000, 10000000000 };
331
332
        // test for special values
333
        if (value != value)
334
335
         return _out_rev(out, buffer, idx, maxlen, "nan", 3, width, flags);
        if (value < -DBL_MAX)</pre>
336
         return _out_rev(out, buffer, idx, maxlen, "fni-", 4, width, flags);
337
        if (value > DBL_MAX)
         338
339
340
341
        // test for very large values
        // standard printf behavior is to print EVERY whole number digit -- which could be 100s of
             \hookrightarrow characters overflowing your buffers == bad
342
343
344
345
346
346
349
350
        if ((value > PRINTF_MAX_FLOAT) || (value < -PRINTF_MAX_FLOAT)) {
      #if defined(PRINTF_SUPPORT_EXPONENTIAL)
         return _etoa(out, buffer, idx, maxlen, value, prec, width, flags);
      #else
         return OU:
      #endif
       }
        // test for negative
351
        bool negative = false;
352
       if (value < 0) {
353
         negative = true;
354
          value = 0 - value;
355
356
357
        // set default precision, if not set explicitly
358
        if (!(flags & FLAGS_PRECISION)) {
359
         prec = PRINTF_DEFAULT_FLOAT_PRECISION;
360
361
        // limit precision to 9, cause a prec \geq= 10 can lead to overflow errors
362
        while ((len < PRINTF_FTOA_BUFFER_SIZE) && (prec > 9U)) {
363
         buf[len++] = '0';
\begin{array}{c} 364 \\ 365 \end{array}
         prec--;
```

```
366
367
        int whole = (int)value;
        double tmp = (value - whole) * pow10[prec];
unsigned long frac = (unsigned long)tmp;
368
369
370
371
        diff = tmp - frac;
372
        if (diff > 0.5) {
373
          ++frac;
374
375
           // handle rollover, e.g. case 0.99 with prec 1 is 1.0 \,
          if (frac >= pow10[prec]) {
376
            frac = 0;
377
             ++whole;
378
379
        }
380
        else if (diff < 0.5) {
381
382
        else if ((frac == 0U) || (frac & 1U)) {
383
          // if halfway, round up if odd OR if last digit is O
384
385
          ++frac;
386
387
        if (prec == 0U) {
388
          diff = value - (double)whole;
389
          if ((!(diff < 0.5) || (diff > 0.5)) && (whole & 1)) {
             // exactly 0.5 and ODD, then round up
390
391
             // 1.5 -> 2, but 2.5 -> 2
392
            ++whole;
393
          }
394
395
        }
        else {
396
          unsigned int count = prec;
           // now do fractional part, as an unsigned number
397
398
          while (len < PRINTF_FTOA_BUFFER_SIZE) {
399
             --count:
400
401
402
403
            buf[len++] = (char)(48U + (frac % 10U));
            if (!(frac /= 10U)) {
              break:
            }
404
405
406
           // add extra Os
           while ((len < PRINTF_FTOA_BUFFER_SIZE) && (count-- > OU)) {
407
408
            buf[len++] = '0';
409
410
411
412
413
          if (len < PRINTF_FTOA_BUFFER_SIZE) {</pre>
             // add decimal
            buf[len++] = '.';
          }
        }
414
415
416
417
418
419
421
425
427
428
         // do whole part, number is reversed
        while (len < PRINTF_FTOA_BUFFER_SIZE) {</pre>
          buf[len++] = (char)(48 + (whole % 10));
          if (!(whole /= 10)) {
            break:
          }
        }
         // pad leading zeros
        if (!(flags & FLAGS_LEFT) && (flags & FLAGS_ZEROPAD)) {
          if (width && (negative || (flags & (FLAGS_PLUS | FLAGS_SPACE)))) {
            width--;
          while ((len < width) && (len < PRINTF_FTOA_BUFFER_SIZE)) {</pre>
429
430
431
            buf[len++] = '0';
          }
```

```
if (len < PRINTF_FTOA_BUFFER_SIZE) {</pre>
                   if (negative) {
                      buf[len++] = '-';
                   else if (flags & FLAGS_PLUS) {
                      buf[len++] = '+'; // ignore the space if the '+' exists
                  else if (flags & FLAGS_SPACE) {
                      buf[len++] = ' ';
               return _out_rev(out, buffer, idx, maxlen, buf, len, width, flags);
            #if defined(PRINTF_SUPPORT_EXPONENTIAL)
            // internal ftoa variant for exponential floating-point type, contributed by Martijn Jasperse
                       450
            static size_t _etoa(out_fct_type out, char* buffer, size_t idx, size_t maxlen, double value,
                       451
452
453
454
455
456
457
459
               // check for NaN and special values
               if ((value != value) || (value > DBL_MAX) || (value < -DBL_MAX)) {
                 return _ftoa(out, buffer, idx, maxlen, value, prec, width, flags);
               /\!/ determine the sign
               const bool negative = value < 0;</pre>
               if (negative) {
                 value = -value;
460
461
462
463
               // default precision
464
465
466
467
              if (!(flags & FLAGS_PRECISION)) {
                 prec = PRINTF_DEFAULT_FLOAT_PRECISION;
468
469
470
471
472
               // determine the decimal exponent
               \label{lem:com/netlib/fp/dtoa.c} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)$} \parbox{$$/$/ based on the algorithm by David Gay (https://www.ampl.com/netlib/
                 uint64_t U;
                   double F;
473
474
475
476
477
               } conv;
               conv.F = value;
               int exp2 = (int)((conv.U >> 52U) & 0x07FFU) - 1023; // effectively log2
               conv.U = (conv.U & ((1ULL << 52U) - 1U)) | (1023ULL << 52U); // drop the exponent so conv.F
                          \hookrightarrow is now in [1,2)
478
479
               // now approximate log10 from the log2 integer part and an expansion of ln around 1.5 \,
               int expval = (int)(0.1760912590558 + exp2 * 0.301029995663981 + (conv.F - 1.5) *
                           480
               // now we want to compute 10 ^{\circ}\text{expval} but we want to be sure it won't overflow
481
               exp2 = (int)(expval * 3.321928094887362 + 0.5);
482
483
               const double z = expval * 2.302585092994046 - exp2 * 0.6931471805599453;
               const double z2 = z * z;
484
485
               conv.U = (uint64_t)(exp2 + 1023) << 52U;
               /\!/\; compute \; exp(z) \; using \; continued \; fractions, \; see \; https://en.wikipedia.org/wiki/
                          ← Exponential_function#Continued_fractions_for_ex
486
487
488
489
490
               conv.F *= 1 + 2 * z / (2 - z + (z2 / (6 + (z2 / (10 + z2 / 14)))));
               // correct for rounding errors
               if (value < conv.F) {</pre>
                   expval--;
                   conv.F /= 10;
491
492
```

```
493
        // the exponent format is "\%+03d" and largest value is "307", so set aside 4-5 characters
494
495
496
497
498
499
500
        unsigned int minwidth = ((expval < 100) && (expval > -100)) ? 4U : 5U;
        // in "\%g" mode, "prec" is the number of *significant figures* not decimals
        if (flags & FLAGS_ADAPT_EXP) {
          // do we want to fall-back to "%f" mode?
          if ((value >= 1e-4) && (value < 1e6)) {
            if ((int)prec > expval) {
501
502
             prec = (unsigned)((int)prec - expval - 1);
503
            else {
504
505
             prec = 0;
506
507
            flags |= FLAGS_PRECISION; // make sure _ftoa respects precision
            // no characters in exponent
508
509
            minwidth = OU;
            expval = 0;
510
511
512
          else {
            // we use one sigfig for the whole part
513
514
515
516
            if ((prec > 0) && (flags & FLAGS_PRECISION)) {
             --prec;
         }
517
518
        }
519
        // will everything fit?
520
        unsigned int fwidth = width;
521
        if (width > minwidth) {
522
          /\!/ we didn't fall-back so subtract the characters required for the exponent
523
         fwidth -= minwidth;
524
525
        } else {
         // not enough characters, so go back to default sizing
526
         fwidth = OU;
527
528
529
        if ((flags & FLAGS_LEFT) && minwidth) {
          // if we're padding on the right, DON'T pad the floating part
530
          fwidth = OU;
531
532
533
        // rescale the float value
534
535
        if (expval) {
         value /= conv.F;
536
537
538
539
540
        // output the floating part
        const size_t start_idx = idx;
        idx = \_ftoa(out, buffer, idx, maxlen, negative ? -value : value, prec, fwidth, flags & ~
              \hookrightarrow FLAGS_ADAPT_EXP);
541
542
543
544
545
546
547
        // output the exponent part
        if (minwidth) {
         // output the exponential symbol
          out((flags & FLAGS_UPPERCASE) ? 'E' : 'e', buffer, idx++, maxlen);
          // output the exponent value
         548
549
550
551
          // \ {\it might need to right-pad spaces}
          if (flags & FLAGS_LEFT) {
            while (idx - start_idx < width) out(' ', buffer, idx++, maxlen);</pre>
552
       }
553
       return idx;
554
555
      #endif // PRINTF_SUPPORT_EXPONENTIAL
     #endif // PRINTF_SUPPORT_FLOAT
```

```
557
558
      // internal vsnprintf
559
      static int _vsnprintf(out_fct_type out, char* buffer, const size_t maxlen, const char*
            → format, va_list va)
560
561
        unsigned int flags, width, precision, n;
562
        size_t idx = 0U;
563
564
565
        if (!buffer) {
          // use null output function
566
          out = _out_null;
567
568
569
        while (*format)
570
571
572
573
574
575
        {
          /\!/\ format\ specifier?\ \%[flags][width][.precision][length]
          if (*format != '%') {
            // no
            out(*format, buffer, idx++, maxlen);
            format++;
576
577
            continue;
578
579
          else {
           // yes, evaluate it
580
581
            format++;
582
583
          // evaluate flags
584
585
          flags = OU;
          do {
586
            switch (*format) {
587
              case '0': flags |= FLAGS_ZEROPAD; format++; n = 1U; break;
588
              case '-': flags |= FLAGS_LEFT; format++; n = 1U; break;
589
              case '+': flags |= FLAGS_PLUS; format++; n = 1U; break;
590
              case ' ': flags |= FLAGS_SPACE; format++; n = 1U; break;
591
              case '#': flags |= FLAGS_HASH; format++; n = 1U; break;
592
593
594
595
              default : n = OU; break;
            }
          } while (n);
596
          // evaluate width field
597
          width = OU;
598
          if (_is_digit(*format)) {
599
            width = _atoi(&format);
600
601
          else if (*format == '*') {
602
            const int w = va_arg(va, int);
603
            if (w < 0) {
604
              flags |= FLAGS_LEFT; // reverse padding
605
              width = (unsigned int)-w;
606
607
608
             width = (unsigned int)w;
609
610
            format++;
611
612
613
614
          // evaluate precision field
precision = OU;
if (*format == '.') {
615
616
            flags |= FLAGS_PRECISION;
617
618
            if (_is_digit(*format)) {
             precision = _atoi(&format);
619
620
621
            else if (*format == '*') {
```

```
622
              const int prec = (int)va_arg(va, int);
623
              precision = prec > 0 ? (unsigned int)prec : OU;
624
625
              format++;
           }
626
627
          }
628
          /\!/\ evaluate\ length\ field
629
          switch (*format) {
630
           case 'l' :
631
              flags |= FLAGS_LONG;
632
              format++;
633
              if (*format == '1') {
634
635
               flags |= FLAGS_LONG_LONG;
               format++;
636
637
              break;
638
            case 'h' :
639
              flags |= FLAGS_SHORT;
640
641
              if (*format == 'h') {
642
               flags |= FLAGS_CHAR;
643
644
645
               format++;
              break:
646
647
648
649
      #if defined(PRINTF_SUPPORT_PTRDIFF_T)
            case 't' :
              flags |= (sizeof(ptrdiff_t) == sizeof(long) ? FLAGS_LONG : FLAGS_LONG_LONG);
651
      #endif
652
653
              flags |= (sizeof(intmax_t) == sizeof(long) ? FLAGS_LONG : FLAGS_LONG_LONG);
654
655
              format++;
              break:
656
            case 'z' :
657
              flags |= (sizeof(size_t) == sizeof(long) ? FLAGS_LONG : FLAGS_LONG_LONG);
\begin{array}{c} 658 \\ 659 \end{array}
              format++:
              break;
660
            default :
661
              break;
662
663
664
665
          // evaluate specifier
          switch (*format) {
            case 'd' :
666
667
            case 'i' :
668
            case 'u' :
669
            case 'x' :
670
            case 'X' :
671
            case 'o' :
672
            case 'b' : {
673
             // set the base
674
675
              unsigned int base;
              if (*format == 'x' || *format == 'X') {
676
               base = 16U;
677
              }
678
              else if (*format == 'o') {
679
               base = 8U;
680
681
              else if (*format == 'b') {
682
               base = 2U;
683
684
685
              else {
               base = 10U;
686
               flags &= "FLAGS_HASH; // no hash for dec format
687
```

```
688
              // uppercase
689
             if (*format == 'X') {
690
               flags |= FLAGS_UPPERCASE;
691
692
693
              // no plus or space flag for u, x, X, o, b
694
              if ((*format != 'i') && (*format != 'd')) {
695
               flags &= ~(FLAGS_PLUS | FLAGS_SPACE);
696
697
698
              // ignore '0' flag when precision is given
699
             if (flags & FLAGS_PRECISION) {
700
               flags &= "FLAGS_ZEROPAD;
701
702
703
704
              // convert the integer
              if ((*format == 'i') || (*format == 'd')) {
705
                // signed
706
                if (flags & FLAGS_LONG_LONG) {
707
      #if defined(PRINTF_SUPPORT_LONG_LONG)
708
                 const long long value = va_arg(va, long long);
709
                 710
      #endif
711
712
                else if (flags & FLAGS_LONG) {
713
714
                 const long value = va_arg(va, long);
                 idx = _ntoa_long(out, buffer, idx, maxlen, (unsigned long)(value > 0 ? value : 0
                       \hookrightarrow - value), value < 0, base, precision, width, flags);
715
               }
716
717
                 const int value = (flags & FLAGS_CHAR) ? (char)va_arg(va, int) : (flags &
                       → FLAGS_SHORT) ? (short int)va_arg(va, int) : va_arg(va, int);
718
                 idx = _ntoa_long(out, buffer, idx, maxlen, (unsigned int)(value > 0 ? value : 0 -
                        → value), value < 0, base, precision, width, flags);</p>
719
               }
720
             }
721
722
              else {
               // unsigned
723
724
725
                if (flags & FLAGS_LONG_LONG) {
      #if defined(PRINTF_SUPPORT_LONG_LONG)
                 idx = _ntoa_long_long(out, buffer, idx, maxlen, va_arg(va, unsigned long long),
                       → false, base, precision, width, flags);
\begin{array}{c} 726 \\ 727 \end{array}
      #endif
728
                else if (flags & FLAGS_LONG) {
729
                 idx = _ntoa_long(out, buffer, idx, maxlen, va_arg(va, unsigned long), false, base

→ , precision, width, flags);

730
               }
731
                else {
732
                 const unsigned int value = (flags & FLAGS_CHAR) ? (unsigned char)va_arg(va,
                       \hookrightarrow unsigned int) : (flags & FLAGS_SHORT) ? (unsigned short int)va_arg(va,
                       \hookrightarrow unsigned int) : va_arg(va, unsigned int);
733
                 idx = _ntoa_long(out, buffer, idx, maxlen, value, false, base, precision, width,
                       → flags);
734
735
736
               }
             }
              format++;
737
738
739
740
741
742
743
744
             break;
      #if defined(PRINTF_SUPPORT_FLOAT)
            case 'f' :
            case 'F' :
             if (*format == 'F') flags |= FLAGS_UPPERCASE;
             idx = _ftoa(out, buffer, idx, maxlen, va_arg(va, double), precision, width, flags);
             format++;
             break:
```

```
746
747
748
749
750
751
752
753
754
755
     | #if defined(PRINTF_SUPPORT_EXPONENTIAL)
            case 'e':
             case 'E':
             case 'g':
             case 'G':
              if ((*format == 'g')||(*format == 'G')) flags |= FLAGS_ADAPT_EXP;
if ((*format == 'E')||(*format == 'G')) flags |= FLAGS_UPPERCASE;
              idx = _etoa(out, buffer, idx, maxlen, va_arg(va, double), precision, width, flags);
              format++;
756
757
758
759
760
       #endif // PRINTF_SUPPORT_EXPONENTIAL
       #endif // PRINTF_SUPPORT_FLOAT
            case 'c' : {
              unsigned int 1 = 1U;
               // pre padding
761
762
               if (!(flags & FLAGS_LEFT)) {
                while (1++ < width) {
763
                  out(' ', buffer, idx++, maxlen);
764
765
                }
              }
766
              // char output
767
              out((char)va_arg(va, int), buffer, idx++, maxlen);
768
769
              // post padding
if (flags & FLAGS_LEFT) {
770
771
                while (l++ < width) {</pre>
                  out(' ', buffer, idx++, maxlen);
772
773
774
775
776
777
778
                }
              format++;
              break;
            case 's' : {
779
780
              const char* p = va_arg(va, char*);
              unsigned int l = _strnlen_s(p, precision ? precision : (size_t)-1);
781
782
783
784
785
786
               // pre padding
              if (flags & FLAGS_PRECISION) {
                1 = (1 < precision ? 1 : precision);</pre>
              if (!(flags & FLAGS_LEFT)) {
                while (1++ < width) {
787
788
                  out(' ', buffer, idx++, maxlen);
789
790
               // string output
              while ((*p != 0) && (!(flags & FLAGS_PRECISION) || precision--)) {
791
792
793
794
795
                out(*(p++), buffer, idx++, maxlen);
               // post padding
              if (flags & FLAGS_LEFT) {
796
797
                while (1++ < width) {
                  out(' ', buffer, idx++, maxlen);
798
799
              }
800
              format++;
801
              break;
802
803
804
805
             case 'p' : {
              width = sizeof(void*) * 2U;
806
               flags |= FLAGS_ZEROPAD | FLAGS_UPPERCASE;
807
       #if defined(PRINTF_SUPPORT_LONG_LONG)
808
              const bool is_ll = sizeof(uintptr_t) == sizeof(long long);
809
              if (is_11) {
                810
```

```
811
             }
812
             else {
813
      #endif
814
               idx = _ntoa_long(out, buffer, idx, maxlen, (unsigned long)((uintptr_t)va_arg(va,
                    \hookrightarrow void*)), false, 16U, precision, width, flags);
815
      #if defined(PRINTF_SUPPORT_LONG_LONG)
816
817
            }
      #endif
818
             format++;
819
             break;
820
821
822
           case '%' :
             out('%', buffer, idx++, maxlen);
823
824
825
             format++:
             break;
826
827
           default :
828
             out(*format, buffer, idx++, maxlen);
829
             format++;
830
             break;
831
832
833
834
835
        // termination
       out((char)0, buffer, idx < maxlen ? idx : maxlen - 1U, maxlen);</pre>
836
837
        // return written chars without terminating \0
838
       return (int)idx;
839
840
841
842
843
844
845
846
847
      int printf_(const char* format, ...)
       va_list va;
       va_start(va, format);
       char buffer[1];
       const int ret = _vsnprintf(_out_char, buffer, (size_t)-1, format, va);
       va_end(va);
850
851
852
853
      int sprintf_(char* buffer, const char* format, ...)
854
855
       va_list va;
856
       va_start(va, format);
857
       const int ret = _vsnprintf(_out_buffer, buffer, (size_t)-1, format, va);
858
       va_end(va);
859
       return ret;
860
861
862
      int snprintf_(char* buffer, size_t count, const char* format, ...)
863
864
865
       va_list va;
       va_start(va, format);
866
       const int ret = _vsnprintf(_out_buffer, buffer, count, format, va);
867
868
       va_end(va);
       return ret;
869
870
871
      int vprintf_(const char* format, va_list va)
872
873
       char buffer[1];
874
875
       return _vsnprintf(_out_char, buffer, (size_t)-1, format, va);
```

```
int vsnprintf_(char* buffer, size_t count, const char* format, va_list va)
878
879
        return _vsnprintf(_out_buffer, buffer, count, format, va);
880
881
882
      int fctprintf(void (*out)(char character, void* arg), void* arg, const char* format, ...)
883
884
885
        va_list va;
        va_start(va, format);
886
        const out_fct_wrap_type out_fct_wrap = { out, arg };
887
        const int ret = _vsnprintf(_out_fct, (char*)(uintptr_t)&out_fct_wrap, (size_t)-1, format,
              \hookrightarrow va):
888
        va end(va):
889
        return ret:
890
```

## Listing F.7: C implementation of actuation\_unit\_impl.

```
#include "common.h"
#include "actuation_logic.h"
#include "../generated/C/actuation_unit_impl.c"
```

# Listing F.8: C implementation of C\_Imported\_Functions.

```
// Copyright (c) 2013-2019 Bluespec, Inc. All Rights Reserved
               //\ https://github.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Piccolo/blob/master/src\_Testbench/Top/C\_Imported\_Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/bluespec/Functions.com/b
               // Modified by @podhrmic
               /\!/\ \textit{These are functions imported into BSV during Bluesim or Verilog simulation}.
               // See C_Imports.bsv for the corresponding 'import BDPI' declarations.
              // There are several independent groups of functions below; the // groups are separated by heavy dividers ('// *******')
 11
               // Below, 'dummy' args are not used, and are present only to appease
               // some \mbox{\it Verilog} simulators that are finicky about 0-arg functions.
14
15
               // -----
16
               // Includes from C library
17
 18
               // General
              #include <unistd.h>
               #include <stdlib.h>
21
22
23
24
25
26
27
28
29
31
32
33
35
36
37
38
              #include <stdio.h>
               #include <stdint.h>
              #include <stdbool.h>
               #include <inttypes.h>
              #include <string.h>
               #include <errno.h>
               #include <time.h>
               #include <termios.h>
               #include <unistd.h>
               #include <sys/types.h>
               #include <poll.h>
               #include <sched.h>
               // Includes for this project
               #include "C_Imported_Functions.h"
                // **********************
```

```
// Functions for console I/O
      // -----
      // c_trygetchar()
      // Returns next input character (ASCII code) from the console.
      // Returns 0 if no input is available.
      // NOTE: Not needed right now
      void print_tty(char* name, FILE * f) {
          printf("%s (fileno %d): ", name, fileno(f));
          if (isatty(fileno(f))) printf("TTY %s\n", ttyname(fileno(f)));
          else printf("not a TTY\n");
      // TODO: set to 1 to try avoid line buffering
      #define INIT_TERMIOS 0
      uint8_t c_trygetchar (uint8_t dummy)
 60
 61
          uint8_t ch;
 62
         ssize_t n;
 63
          struct pollfd x_pollfd;
 64
65
         const int fd_stdin = 0;
 66
      #if INIT_TERMIOS
 67
          static bool init = false;
 68
          if (!init) {
             print_tty("stdin ", stdin);
print_tty("stdout", stdout);
print_tty("stderr", stderr);
 69
 70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
88
89
90
             struct termios tconf;
             // get original cooked/canonical mode values
             tcgetattr(fd_stdin,&tconf);
              {\it // set options for raw mode}\\
             tconf.c_lflag &= ~(ECHO | ICANON); /* no echo or edit */
tconf.c_cc[VMIN] = 0;
             tconf.c_cc[VTIME] = 0;
              // put unit into raw mode ...
             tcsetattr(fd_stdin,TCSANOW,&tconf);
             printf("Terminal set to ~(ECHO | ICANON) mode\n");
             init = true;
         }
      #endif
 91
92
          // Poll for input
          x_pollfd.fd = fd_stdin;
 93
          x_pollfd.events = POLLRDNORM;
 94
95
          x_pollfd.revents = 0;
         poll (& x_pollfd, 1, 1);
 96
 97
          //printf ("INFO: c_trygetchar: Polling for input\n");
 98
          if ((x_pollfd.revents & POLLRDNORM) == 0) {
 99
              //printf ("INFO: No input\n");
100
              return 0;
101
102
103
104
105
          // Input is available
106
          n = read (fd_stdin, & ch, 1);
```

```
107
          if (n == 1) {
             //printf ("INFO: got %c\n",ch);
108
109
          return ch;
110
111
112
          else {
          if (n == 0)
113
            printf ("c_trygetchar: end of file\n");
114
115
          return OxFF;
116
117
118
119
      // c_putchar()
120
      // Writes character to stdout
121
      void c_putchar (uint8_t ch)
122
123
         printf("%c",ch);
124
125
126
127
       * Assume that both sensors have 12 bit resolution
128
       * and two data registers
129
130
       * Pressure sensor: https://cdn.sparkfun.com/datasheets/Sensors/Pressure/MPL3115A2.pdf#

→ G10073/2

131
       *\ \textit{Temp sensor: https://www.sparkfun.com/datasheets/Sensors/Temperature/tmp102.pdf}
132
133
       * TODO: simplify
134
135
      // channel -> sensor # -> val
136
      uint32_t sensors[2][2];
137
      uint8_t c_i2c_request (uint8_t slaveaddr, uint8_t data) {
138
         static uint8_t data_reg = 0;
139
          static uint8_t pointer_reg = 1;
140
141
142
143
144
145
          static int initialized = 0:
          static uint32_t last_update = 0;
          static uint32_t last[2][2] = {0};
          struct timespec tp;
          clock_gettime(CLOCK_REALTIME, &tp);
          uint32_t t = tp.tv_sec*1000 + tp.tv_nsec/1000000;
147
148
149
150
      #ifdef SIMULATE_SENSORS
         if (!initialized) {
              last_update = t;
              last[0][T] = T0;
151
152
              last[1][T] = T0;
153
              last[0][P] = P0;
154
155
              last[1][P] = P0;
              sensors[0][T] = last[0][T];
156
              sensors[1][T] = last[1][T];
157
              sensors[0][P] = last[0][P];
              sensors[1][P] = last[1][P];
159
              initialized = 1;
160
          } else if (t - last_update > SENSOR_UPDATE_MS) {
161
              for (int s = 0; s < 2; ++s) {
162
                 last[s][T] += (rand() % 3) - 1;
163
                  // TODO: Temp sensor resolution is -25..85C
164
                  // Don't stray too far from our steam table
165
                 last[s][T] = min(last[s][T], 300);
166
                 last[s][T] = max(last[s][T], 25);
167
168
                 last[s][P] += (rand() % 3) - 1 + P_BIAS;
169
                 // Don't stray too far from our steam table
170
                 last[s][P] = min(last[s][P], 5775200);
                 last[s][P] = max(last[s][P], 8000);
```

```
172
173
               last_update = t;
174
175
176
177
           }
           //\ {\it Smooth the transitions}
           sensors[0][T] = last[0][T];
sensors[1][T] = last[1][T];
178
           sensors[0][P] = last[0][P];
179
           sensors[1][P] = last[1][P];
180
181
182
           if (slaveaddr & 0x1) {
183
               // Write request
184
185
186
               pointer_reg = data % 4;
               data_reg = pointer_reg;
           } else {
187
               // \ {\it Read request, use 7bit addressing}
188
               uint8_t dev_addr = slaveaddr >> 1;
189
               switch (dev_addr) {
190
                   case TEMP_0_I2C_ADDR:
191
                       data_reg = (uint8_t)(sensors[0][T] >> pointer_reg*8);
192
                       break;
193
                   case TEMP_1_I2C_ADDR:
194
195
                       data_reg = (uint8_t)(sensors[1][T] >> pointer_reg*8);
                       break:
196
                   case PRESSURE_0_I2C_ADDR:
197
                       data_reg = (uint8_t)(sensors[0][P] >> pointer_reg*8);
198
                       break;
199
                   case PRESSURE_1_I2C_ADDR:
200
                       data_reg = (uint8_t)(sensors[1][P] >> pointer_reg*8);
201
202
                   default:
203
                       data_reg = 0xAA;
204
                       break;
205
              }
206
207
           }
208
           return data_reg;
\tilde{2}\tilde{0}\tilde{9}
```

Listing F.9: C implementation of actuation\_unit.

```
1
2
3
     #include "common.h"
     #include "platform.h"
     #include "actuation_logic.h"
 4567
     #ifdef PLATFORM_HOST
     #include <stdio.h>
     #else
 .
8
9
     #include "printf.h"
     #endif
10
11
12
     #define VOTE_I(_v, _i) (((_v) >> (_i)) & 0x1)
13
     /*@requires \valid(&trip[0..2][0..3]);
14
15
       @requires \valid(&trip_test[0..2][0..3]);
       @assigns (trip[0..2][0..3]);
16
       @assigns (trip_test[0..2][0..3]);
17
18
     static int
19
     actuation_logic_collect_trips(uint8_t logic_no, int do_test, uint8_t trip[3][4], uint8_t

→ trip_test[3][4])
20
21
22
         int err = 0;
         uint8_t test_div[2];
23
         get_test_instrumentation(test_div);
24
```

```
25
26
         err |= read_instrumentation_trip_signals(trip);
/*@ loop invariant O <= i <= NINSTR;
           @ loop assigns i;
           @ loop assigns trip[0..2][0..3];
           @ loop assigns trip\_test[0..2][0..3];
         for (int i = 0; i < NINSTR; ++i) {</pre>
             /*@ loop invariant 0 <= c <= NTRIP;
               @ loop assigns c;
               @ loop assigns trip[0..2][i];
              @ loop assigns trip_test[0..2][i];
             for(int c = 0; c < NTRIP; ++c) {
    uint8_t test_signal = (i == test_div[0] || i == test_div[1]);</pre>
                 if (do_test) {
                     trip_test[c][i] = (trip[c][i] & test_signal) != 0;
                     trip[c][i] &= !test_signal;
                 } else if (!VALID(trip[c][i])) {
                    trip[c][i] = 0;
             }
         }
         return err;
     /*@ requires \valid(&trips[0..2][0..3]);
      @ requires \valid(trips + (0..2));
       @ assigns \nothing;
     static uint8_t
     actuate_device(uint8_t device, uint8_t trips[3][4], int old)
         uint8 t res = 0:
60
         if (device == 0) {
61
             res = Actuate_D0(trips, old);
62
         } else {
63
             res = Actuate_D1(trips, old);
64
65
         DEBUG_PRINTF(("<actuation_unit.c> actuate_device: device=0x%X, old=0x%X, out=0x%X, trips
               \hookrightarrow =[\n", device, old, res));
66
         /*@ loop assigns i; */
67
         for (int i = 0; i < 3; ++i) {
68
             DEBUG_PRINTF(("["));
69
             /*@ loop assigns div; */
70
71
72
73
74
75
76
77
78
79
             for (int div = 0; div < 4; ++div) {
             DEBUG_PRINTF(("%u,",trips[i][div]));
             DEBUG_PRINTF(("],"));
         DEBUG_PRINTF(("]\n"));
         return res;
     /*@requires \valid(state);
80
81
82
83
84
85
      @requires logic_no < NVOTE_LOGIC;
       Orequires device < NDEV;
       Orequires \valid(trip_test + (0..2));
       {\it @requires \ \ } \ {\it valid(\&trip[0..2][0..3])};
       @requires \valid(&trip_test[0..2][0..3]);
86
       @assigns state->vote_actuate[device];
       @assigns core.test.actuation_old_vote;
88
       {\tt @assigns \ core.test.test\_actuation\_unit\_done[logic\_no];}
```

```
90
    static void
 91
      actuation_logic_vote_trips(uint8_t logic_no, int do_test, uint8_t device, uint8_t trip
           92
 93
         if (do_test && get_test_device() == device) {
94
95
             if (!is_actuation_unit_test_complete(logic_no)) {
                set_actuation_unit_test_input_vote(logic_no, state->vote_actuate[device] != 0);
 96
                state->vote_actuate[device] = actuate_device(device, trip_test, state->
                      → vote_actuate[device] != 0);
 97
 98
         } else {
 99
             state->vote_actuate[device] = actuate_device(device, trip, state->vote_actuate[device
                  → ] != 0);
100
         }
101
     }
102
103
      /*@ requires logic_no < NVOTE_LOGIC;</pre>
104
       @ requires \valid(state);
105
       @ assigns state->vote_actuate[0..1];
106
107
        {\it @ assigns core.test.actuation\_old\_vote;}
108
       @ assigns core.test.test_actuation_unit_done[logic_no];
109
110
      static int
111
      actuation_logic_vote(uint8_t logic_no, int do_test, struct actuation_logic *state)
112
113
         int err = 0;
114
         uint8_t trip[3][4];
         uint8_t trip_test[3][4];
115
116
117
         err = actuation_logic_collect_trips(logic_no, do_test, trip, trip_test);
118
119
         actuation_logic_vote_trips(logic_no, do_test, 0, trip, trip_test, state);
120
         actuation_logic_vote_trips(logic_no, do_test, 1, trip, trip_test, state);
121
122
         return err:
123
124
125
     /*@requires \valid(cmd);
126
       @requires \valid(state);
127
        @assigns state->manual_actuate[0..1];
128
       @ensures -1 <= \result <= 0;
129
130
     static int
131
      actuation_handle_command(uint8_t logic_no, struct actuation_command *cmd, struct
           → actuation_logic *state)
132
133
         if (cmd->device <= 1)</pre>
134
135
            state->manual_actuate[cmd->device] = cmd->on;
         return 0;
136
     }
137
138
      139
       @requires logic_no < NVOTE_LOGIC;
140
141
142
143
144
145
146
       @assigns state->vote_actuate[0..1];
       @assigns core.test.test_actuation_unit_done[logic_no];
       @ensures -1 <= \result <= 0;
     static int
      output_actuation_signals(uint8_t logic_no, int do_test, struct actuation_logic *state)
147
         int err = 0;
148
149
150
         /*@ loop invariant 0 <= d <= NDEV;
           @ loop invariant -1 <= err <= 0;
           @ loop assigns d, err;
```

```
152
153
          for (int d = 0; d < NDEV; ++d) {</pre>
153
154
155
156
157
              uint8_t on = state->vote_actuate[d] || state->manual_actuate[d];
              if (!do_test || !is_actuation_unit_test_complete(logic_no)) {
                  err |= set_output_actuation_logic(logic_no, d, BIT(do_test, on));
158
159
          if (do_test && !is_actuation_unit_test_complete(logic_no)) {
160
              // Reset internal state
161
              state->vote_actuate[0] = 0;
162
              state->vote_actuate[1] = 0;
163
              set_actuation_unit_test_complete(logic_no, 1);
164
165
166
          return err;
167
      }
168
169
      int actuation_unit_step(uint8_t logic_no, struct actuation_logic *state)
170
171
172
173
174
175
          uint8_t test_div[2];
          get_test_instrumentation(test_div);
          int do_test = logic_no == get_test_actuation_unit() &&
176
177
                       {\tt is\_instrumentation\_test\_complete(test\_div[0]) ~\&\&}
                        is_instrumentation_test_complete(test_div[1]) &&
178
179
                        is_test_running();
180
          if (do_test && is_actuation_unit_test_complete(logic_no))
181
182
183
          if (!do_test && is_actuation_unit_test_complete(logic_no)) {
184
              set_output_actuation_logic(logic_no, get_test_device(), 0);
185
              set_actuation_unit_test_complete(logic_no, 0);
186
              return 0:
187
188
189
190
191
          /* Read trip signals & vote */
          err |= actuation_logic_vote(logic_no, do_test, state);
192
          /* Handle any external commands */
193
          struct actuation_command cmd;
194
          int read_cmd = read_actuation_command(logic_no, &cmd);
195
          if (read_cmd > 0) {
196
              err |= actuation_handle_command(logic_no, &cmd, state);
197
          } else if (read_cmd < 0) {
198
              err |= -read_cmd;
199
200
201
          /* Actuate devices based on voting and commands */
202
          err |= output_actuation_signals(logic_no, do_test, state);
203
          return err;
204
```

Listing F.10: C implementation of actuator\_impl.

```
typedef unsigned _ExtInt(1) w1;
typedef unsigned _ExtInt(2) w2;
w1 static rotl1(w1 x, w1 shf)
{
    w1 offset = 1;
    return x << shf | x >> offset - shf;
}

w1 static rotr1(w1 x, w1 shf)
{
    w1 offset = 1;
    return x << shf | x >> offset - shf;
}

w1 static rotr1(w1 x, w1 shf)
{
    w1 offset = 1;
    w1 offset = 1;
}
```

```
11
         return x >> shf | x << offset - shf;</pre>
13
14
15
16
     w2 static rotl2(w2 x, w2 shf)
          w2 	ext{ offset = 2;}
          return x << shf | x >> offset - shf;
17
18
     w2 static rotr2(w2 x, w2 shf)
19
20
21
22
23
24
25
26
27
28
         return x >> shf | x << offset - shf;</pre>
     w1 ActuateActuator(w2 inputs4683)
         w1 app_4097;
         w1 return_4096;
         return_4096 = 0;
         app_4097 = inputs4683 >> (w1) 0 & 1 | inputs4683 >> (w1) 1 & 1;
29
         return_4096 = app_4097;
30
         return return_4096;
31
```

### Listing F.11: C implementation of firmware.

```
#include <stdint.h>
     #include "bsp.h"
 3
     #include "printf.h"
     //
// int main(void)
 45
 \tilde{6}
     // {
     // volatile uint32_t *gpio = (void*) GPIO_REG;
     // uint32_t cnt = 0;
     // //char line[256] = {0};
     // //printf("Hello world\n");
     // while(1) {
     // //printf("%u miliseconds passed, GPIO=0x%X\n",time_in_ms(), *gpio);
     14
15
     // // NOTE this is still line buffered
     // //uint8_t c = soc_getchar();
// //printf(">>>%c<<<\n",c);
16
    //// for (unsigned int i = 0; i < sizeof(line); i++) {
//// line[i] = soc_getchar();
20
21
22
23
24
25
26
27
28
29
31
32
36
37
38
37
38
39
     // // if (line[i] == 0 // line[i] == '\n') {
     // // break;
     // // }
    // // }
/// printf(">>>%s<<<\\n", line);
     // *gpio = cnt;
// cnt++;
     // cnt = cnt % 256;
     // //delay_ms(1000);
     // delay(100000);
     // return 0;
     // }
     int main()
             volatile uint32_t *gpio = (void*)GPIO_REG;
         *gpio = 0;
            uint32_t cnt = 0;
             while(1)
```

Listing F.12: C implementation of actuator.

```
#include "platform.h"
#include "actuate.h"
 2
3
4
5
6
7
8
9
10
      #include "actuation_logic.h"
      #ifdef PLATFORM_HOST
      #include <stdio.h>
      #else
      #include "printf.h"
      #endif
11
      #define w1 uint8_t
12
      #define w2 uint8 t
13
14
15
      /*@ requires \true;
       {\it Q} assigns core.test.test_device_done[0..2];
16
17
        @ assigns core.test.test_device_result[0..2];
       @ ensures \true;
18
19
      int actuate_devices(void)
20
21
        int err = 0:
       int do_test = is_test_running() && is_actuation_unit_test_complete(get_test_actuation_unit
              ⇔ ()):
23
24
25
26
27
28
29
30
       DEBUG_PRINTF(("<actuator.c> actuate_devices, do_test = %i\n",do_test));
        if (!do_test) {
         \label{eq:devices:set} DEBUG\_PRINTF(("\actuator.c> actuate\_devices: set actuate test complete to FALSE\n"));
          set_actuate_test_complete(0, 0);
         set_actuate_test_complete(1, 0);
31
        /*@ loop invariant 0 <= d && d <= NDEV;
          {\it @ loop assigns d, err, core.test.test\_device\_done[0..2], core.test.test\_device\_result}

→ [0..2];

33
34
35
36
37
38
39
41
42
44
45
46
47
49
50
        for (int d = 0; d < NDEV; ++d) {</pre>
          uint8_t votes = 0;
          uint8_t test_votes = 0;
          /*@ loop invariant 0 <= l && l <= NVOTE_LOGIC;
           @ loop assigns l, err, test_votes, votes;
          for (int 1 = 0; 1 < NVOTE_LOGIC; ++1) {</pre>
           uint8_t this_vote = 0;
            err |= get_actuation_state(1, d, &this_vote);
            if (do_test && 1 == get_test_actuation_unit())
              test_votes |= ((this_vote & 0x1) << d);
            else if (VALID(this_vote))
              votes |= (this_vote << d);</pre>
          if (do_test && d == get_test_device()) {
```

```
51
           if (!is_actuate_test_complete(get_test_device())) {
52
             DEBUG_PRINTF(("<actuator.c> actuate_devices: set_actuate_test_result(0x%X,

→ ActuateActuator(0x%X))\n",

53
54
55
56
57
                    d, test_votes));
             set_actuate_test_result(d, ActuateActuator(test_votes));
             set_actuate_test_complete(d, 1);
          }
58
59
         // Call out to actuation policy
         DEBUG_PRINTF(("<actuator.c> actuate_devices: Call out to actuation policy,
               \hookrightarrow set_actuate_device(0x%X, ActuateActuator(0x%X))\n",
61
                    d. votes)):
62
         err |= set_actuate_device(d, ActuateActuator(votes));
63
64
65
       return err;
```

### Listing F.13: C implementation of instrumentation\_generated\_SystemVerilog.

```
#ifdef PLATFORM_HOST
            #include "../generated/SystemVerilog/verilator/generate_sensor_trips/VGenerate_Sensor_Trips.
                         → h"
            #include "../generated/SystemVerilog/verilator/is_ch_tripped/VIs_Ch_Tripped.h"
            #include <stdio.h>
            #else
   6
7
            #include "printf.h"
            #endif
   a
            #define Generate_Sensor_Trips Generate_Sensor_Trips_generated_SystemVerilog
10
            #define Is_Ch_Tripped Is_Ch_Tripped_generated_SystemVerilog
             #define instrumentation_step instrumentation_step_generated_SystemVerilog
            #include "../components/instrumentation.c"
13
14
15
            static uint8_t lookup[8] = { 0x0, 0b100, 0b010, 0b110, 0b001, 0b101, 0b011, 0b111 };
16
            #ifdef PLATFORM_HOST
17
            static VIs_Ch_Tripped is_tripped;
18
            static VGenerate_Sensor_Trips gen_trips;
19
20
            uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip)
21
22
                     is_tripped.mode = mode;
23
24
25
                     is_tripped.sensor_tripped = trip;
                     is_tripped.eval();
                     uint32_t val = (trip & 0x1) << 3| (mode & 0x3) << 1| 0x0;
26
                    \label{lem:debug_printf} $$ $$ DEBUG_PRINTF(("<instrumentation\_generated\_SystemVerilog.c> Is\_Ch\_Tripped: mode=0x\%X, tripped: mode=0x\%X, tripped:
                                  \hookrightarrow =0x%X, base=0x%X, res=0x%X\n",
27
                    mode, trip, val,is_tripped.out));
~28
29
31
32
33
34
36
37
38
39
                     return is_tripped.out;
            uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
                     gen_trips.vals[0] = vals[2];
                     gen_trips.vals[1] = vals[1];
                     gen_trips.vals[2] = vals[0];
                    gen_trips.setpoints[0] = setpoints[2];
gen_trips.setpoints[1] = setpoints[1];
                    gen_trips.setpoints[2] = setpoints[0];
                     gen_trips.eval();
40
41
                     uint8_t out = gen_trips.out;
                     DEBUG_PRINTF(("<instrumentation_generated_SystemVerilog.c> Generate_Sensor_Trips: vals=[%
                                     \rightarrow u,%u,%u], setpoints=[%u,%u,%u], lookup[%d]=0x%X\n",
42
                     vals[0], vals[1], vals[2], setpoints[0], setpoints[1], setpoints[2], out, lookup[out]));
```

```
return lookup[out];
     }
     #else
     #include "bsp.h"
     #include "platform.h"
     uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip)
         // wdata[0] - fnc select ( 0 - is_channel_tripped | 1 - generate_sensor_trips)
         // wdata[2:1] - mode
         // wdata[3] - sensor_tripped
         // rg_instr_hand_res[2:0] - result
// rg_instr_hand_res[3:1] - fnc select ( 0 - is_channel_tripped | 1 - generate_sensor_trips
               \hookrightarrow )
56
57
58
         uint32_t val = (trip & 0x1) << 3| (mode & 0x3) << 1| 0x0;
         write_reg(INSTRUMENTATION_GENERATED_REG_BASE, val);
         uint8_t res = (uint8_t) (read_reg(INSTRUMENTATION_GENERATED_REG_RESULT) & 0x1);
59
         DEBUG_PRINTF(("<instrumentation_generated_SystemVerilog.c> Is_Ch_Tripped: mode=0x%X, trip
               \hookrightarrow =0x%X, base=0x%X, res=0x%X\n",
60
         mode, trip, val,res));
61
         return res:
62
63
64
65
     uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
66
         // Set value for setpoints
67
         write_reg(INSTRUMENTATION_GENERATED_REG_SETPOINT_VAL_0, setpoints[0]);
68
         write_reg(INSTRUMENTATION_GENERATED_REG_SETPOINT_VAL_1, setpoints[1]);
69
         write_reg(INSTRUMENTATION_GENERATED_REG_SETPOINT_VAL_2, setpoints[2]);
70
         write_reg(INSTRUMENTATION_GENERATED_REG_INSTR_VAL_0, vals[0]);
71
         write_reg(INSTRUMENTATION_GENERATED_REG_INSTR_VAL_1, vals[1]);
72
         write_reg(INSTRUMENTATION_GENERATED_REG_INSTR_VAL_2, vals[2]);
73
         write_reg(INSTRUMENTATION_GENERATED_REG_BASE, 0x1);
74
75
         uint8_t out = (uint8_t) (read_reg(INSTRUMENTATION_GENERATED_REG_RESULT) & 0x7);
         DEBUG_PRINTF(("<instrumentation_generated_SystemVerilog.c> Generate_Sensor_Trips: vals=[%
                \rightarrow u,%u,%u], setpoints=[%u,%u,%u], lookup[%d]=0x%X\n",
76
         vals[0],vals[1],vals[2],setpoints[0],setpoints[1],setpoints[2],out,lookup[out]));
77
         return lookup[out];
78
79
     }
     #endif
```

Listing F.14: C implementation of core.

```
#include "core.h"
     #include "platform.h"
      #include "actuate.h"
 4 5
     #include "rts.h"
     #include <string.h>
 \frac{\tilde{6}}{7}
     #ifdef PLATFORM_HOST
     #include <stdio.h>
     #else
10
     #include "printf.h"
11
12
     #endif
13
     #define INST_OFFSET 0
     #define ACT_OFFSET 5
     char INSTR_LINE_FMT[] = "#I %d (%c): T[%10d %c %d] P[%10d %c %d] S[%10d %c %d]";
     char ACT_LINE_FMT[] = "#A %d [%d %d]";
17
18
     const char self_test_running[] = "SELF TEST: RUNNING";
19
     const char self_test_not_running[] = "SELF TEST: NOT RUNNING";
20
21
     const char pass[] = "LAST TEST: PASS";
const char fail[] = "LAST TEST: FAIL";
22
     char sensor_warning[] = "WARNING: LARGE SENSOR DIFFERENTIAL";
```

```
char sensor_ok[] = "SENSORS OK";
26
27
28
29
     #ifdef ENABLE_SELF_TEST
     struct testcase {
      uint32_t input[4][2];
      uint32_t setpoints[4][3];
30
31
      uint8_t instrumentation[2];
       uint8_t actuation_unit;
32
33
      uint8_t device;
       uint8_t expect;
} tests[] = {
     /\!/\ \mathit{Test\ data\ generated\ from\ Cryptol\ RTS} :: SelfTestOracleHalf
     #include "self_test_data/tests.inc.c"
     };
     #endif
     char mode_char(uint8_t mode) {
      switch (mode) {
       case BYPASS:
        return 'B';
       case OPERATE:
        return '0';
       case TRIP:
        return 'T';
       default:
        return '?';
      }
     char maint_char(uint8_t mode) {
      if (mode)
        return 'M';
       else
        return '_';
     int update_ui_instr(struct ui_values *ui) {
       int err = 0;
62
       int sensor_differential = 0;
63
64
65
       char line[256];
66
       for (uint8_t i = 0; i < NDIVISIONS; ++i) {</pre>
67
        for (uint8_t ch = 0; ch < NTRIP; ++ch) {
68
           if ((err = get_instrumentation_value(i, ch, &ui->values[i][ch])) < 0)</pre>
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
             return err;
           if ((err = get_instrumentation_mode(i, ch, &ui->bypass[i][ch])) < 0)</pre>
             return err;
           if ((err = get_instrumentation_trip(i, ch, &ui->trip[i][ch])) < 0)</pre>
         if ((err = get_instrumentation_maintenance(i, &ui->maintenance[i])) < 0)</pre>
           return err;
         snprintf(line, sizeof(line), INSTR_LINE_FMT, INST_OFFSET + i,
                  maint_char(ui->maintenance[i]), ui->values[i][T],
                  mode\_char(ui->bypass[i][T]), \ 0 \ != \ ui->trip[i][T], \ ui->values[i][P],
                  mode_char(ui->bypass[i][P]), 0 != ui->trip[i][P], ui->values[i][S],
                  mode_char(ui->bypass[i][S]), 0 != ui->trip[i][S]);
         set_display_line(ui, i, line, sizeof(line));
       // Flag any sensor differences that exceed thresholds
88
       for (uint8_t i = 0; i < NDIVISIONS; ++i) {</pre>
```

```
90
          if (ui->maintenance[i])
 91
            continue:
 92
 93
          for (uint8_t j = 0; j < NDIVISIONS; ++j) {
 94
95
            if (ui->maintenance[j])
              continue:
 96
 97
            sensor_differential |=
 98
              (ui->values[i][T] > ui->values[j][T] &&
 99
               ui->values[i][T] - ui->values[j][T] > T_THRESHOLD);
100
            sensor_differential |=
              (ui->values[i][P] > ui->values[j][P] && ui->values[j][P] > P_THRESHOLD);
101
102
103
         }
104
105
106
        if (sensor_differential)
107
         set_display_line(ui, 14, sensor_warning, sizeof(sensor_warning));
108
109
          set_display_line(ui, 14, sensor_ok, sizeof(sensor_ok));
110
111
        return err;
112
113
114
115
      int update_ui_actuation(struct ui_values *ui) {
        int err = 0;
116
        for (int i = 0; i < 2; ++i) {
117
          char line[256];
118
          for (int d = 0; d < 2; ++d) {
119
            uint8_t val;
120
            err |= get_actuation_state(i, d, &val);
121
           ui->actuators[i][d] = val;
122
123
         snprintf(line, sizeof(line), ACT_LINE_FMT, i, ui->actuators[i][0],
124
125
                  ui->actuators[i][1]):
         set_display_line(ui, ACT_OFFSET + i, line, sizeof(line));
126
\tilde{127}
128
        return err;
129
130
131
      int update_ui(struct ui_values *ui) {
132
        DEBUG_PRINTF(("<core.c> update_ui\n"));
133
        int err = 0:
134
135
        err |= update_ui_instr(ui);
        err |= update_ui_actuation(ui);
136
137
        return err;
138
139
      int set_display_line(struct ui_values *ui, uint8_t line_number, char *display, uint32_t size
140
            → ) {
141
142
143
144
145
146
147
        memset(ui->display[line_number], '', LINELENGTH);
        strncpy(ui->display[line_number], (const char*)display, LINELENGTH);
        return 0;
      \verb|#ifdef ENABLE_SELF_TEST|\\
      int end_test(struct test_state *test, struct ui_values *ui) {
148
149
150
          static int cnt = 0:
          int passed =
              test->test_device_result[test->test_device]
151
            == (test->self_test_expect || test->actuation_old_vote);
152
          test->failed = !passed;
153
          DEBUG_PRINTF(("<core.c> end_test #%d: test->test_device_result[%u]=0x%X\n", cnt, test->

    test_device, test->test_device_result[test->test_device]));
```

```
154
          DEBUG_PRINTF(("<core.c> end_test #%d: (test->self_test_expect || test->actuation_old_vote
               → )=0x%X\n", cnt, (test->self_test_expect || test->actuation_old_vote)));
155
156
          // Reset state
157
          set_test_running(0);
158
159
          if (passed) {
160
            set_display_line(ui, 16, (char*)pass, 0);
161
            test->test++;
162
            if (test->test >= sizeof(tests)/sizeof(struct testcase)) {
163
             test->test = 0;
164
165
             test->test_timer_start = time_in_s();
166
          } else {
167
            set_display_line(ui, 16, (char*)fail, 0);
168
            set_display_line(ui, 20, (char*)"A TEST FAILED", 0);
169
170
          DEBUG_PRINTF(("<core.c> end_test #%d: Passed: %d\n", cnt, passed));
171
172
          return passed;
173
174
175
      int components readv() {
176
        return !is_instrumentation_test_complete(0)
177
              && !is_instrumentation_test_complete(1)
178
              && !is_instrumentation_test_complete(2)
179
              && !is_instrumentation_test_complete(3)
180
              && !is_actuation_unit_test_complete(0)
181
              && !is_actuation_unit_test_complete(1)
182
              && !is_actuate_test_complete(0)
183
              && !is_actuate_test_complete(1);
184
185
186
      int self_test_timer_expired(struct test_state *test) {
187
        uint32_t t = time_in_s();
188
        uint32_t diff = t - test->test_timer_start;
189
       return SELF_TEST_PERIOD_SEC < diff;</pre>
190
191
192
      int should_start_self_test(struct test_state *test) {
193
        int retval = (!is_test_running()) && (self_test_timer_expired(test) || (test->test != 0));
194
195
       return retval;
196
197
      int test_step(struct test_state *test, struct ui_values *ui) {
198
        DEBUG_PRINTF(("<core.c> test_step: Has test failed? %u\n",test->failed));
199
        int err = 0;
200
201
        if(!test->failed && should_start_self_test(test)) {
202
          if (components_ready())
203
204
            struct testcase *next = &tests[test->test];
205
            test->self_test_expect = next->expect;
206
            test->test_device = next->device;
207
            test->test_actuation_unit = next->actuation_unit;
208
            DEBUG_PRINTF(("<core.c> test_step: starting new test. test->self_test_expect=%u,test->

→ test device=%u, test->test actuation unit=%u.\n".

209
             test->self_test_expect,test->test_device,test->test_actuation_unit));
210
           memcpy(test->test_instrumentation, next->instrumentation, 2);
211
            memcpy(test->test_inputs, next->input, 2*4*sizeof(uint32_t));
\tilde{2}12
            memcpy(test->test_setpoints, next->setpoints, 3*4*sizeof(uint32_t));
213
214
215
            set_test_running(1);
           set_display_line(ui, 15, (char *)self_test_running, 0);
216
        } else if (is_test_running() && test->test_device_done[test->test_device]) {
```

```
218
           DEBUG_PRINTF(("<core.c> test_step: Ending test\n"));
219
           int passed = end_test(test, ui);
220
           if(!passed) err = -1;
221
        } else if (!is_test_running()) {
222
          {\tt DEBUG\_PRINTF(("<core.c> test\_step:Continuing test\n"));}
\tilde{2}\tilde{2}\tilde{3}
          set_display_line(ui, 15, (char *)self_test_not_running, 0);
224
225
          DEBUG_PRINTF(("<core.c> test_step:Catchall\n"));
226
227
228
        return err;
229
230
       #endif
231
232
       void core_init(struct core_state *c) {
233
        c->test.test_timer_start = time_in_s();
234
235
        c->test.failed = 0;
236
237
       int core_step(struct core_state *c) {
238
        int err = 0;
239
        struct rts_command rts;
240
241
242
243
244
245
246
247
248
249
250
       #ifndef ENABLE_SELF_TEST
        time_in_s();
       #endif
        if (!c->error) {
           // Actuate devices if necessary
           int retval = actuate_devices_generated_C();
          DEBUG_PRINTF(("<core.c> actuate_devices_generated_C: 0x%X\n", retval));
        // Let's allow command processing even if an error is detected.
251
         // In a real system, we would probably want to disconnect the device
252
         // and perform maintenance.
253
254
255
256
257
        int read_cmd = read_rts_command(&rts);
        if (read_cmd < 0) {</pre>
          err |= -read_cmd;
        } else if (read_cmd > 0) {
          switch (rts.type) {
258
           case INSTRUMENTATION_COMMAND:
259
            err |= send_instrumentation_command(rts.instrumentation_division,
260
                                                &(rts.cmd.instrumentation));
261
            break:
262
263
           case ACTUATION_COMMAND:
264
            err |= send_actuation_command(0, &rts.cmd.act);
\tilde{2}65
             err |= send_actuation_command(1, &rts.cmd.act);
\tilde{2}66
            break;
267
268
          default:
269
             break;
270
271
272
273
274
275
276
277
278
279
       #ifdef ENABLE_SELF_TEST
        err |= test_step(&c->test, &c->ui);
       #endif
        err |= update_ui(&c->ui);
         c->error = err;
        return err;
280
```

Listing F.15: C implementation of instrumentation\_impl.

```
#include <stdint.h>
      // Identified by SAW: vals[2] and setpoints[2] must be less than 0x80000000
 3456789
     uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
         uint8_t trips_out = 0;
         trips_out |= Trip(vals, setpoints, 0);
         //@ assert trips_out <= 0x1;</pre>
         trips_out |= (Trip(vals, setpoints, 1) << 1);</pre>
10
         //@ assert trips_out <= 0x3;
11
         trips_out |= (Trip(vals, setpoints, 2) << 2);</pre>
13
14
15
         return trips_out;
     }
16
17
     uint8_t Trip(uint32_t vals[3], uint32_t setpoints[3], uint8_t ch)
18
         if (ch <= 1) {
19
             return (setpoints[ch] < vals[ch]);</pre>
20
21
22
23
24
25
26
27
         } else {
             return ((int32_t)vals[ch] < (int32_t)setpoints[ch]);</pre>
     uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t sensor_tripped)
         return (mode == 2) || ((mode == 1) && sensor_tripped);
```

# Listing F.16: C implementation of instrumentation\_handwritten\_C.

```
#define Generate_Sensor_Trips Generate_Sensor_Trips_handwritten_C
#define Is_Ch_Tripped Is_Ch_Tripped_handwritten_C
#define Trip Trip_handwritten_C
#define instrumentation_step instrumentation_step_handwritten_C
#include "../components/instrumentation.c"
#include "../handwritten/C/instrumentation_impl.c"
```

#### Listing F.17: C implementation of instrumentation.

```
#include "instrumentation.h"
 23456789
     #include "platform.h"
#include "common.h"
     #include "core.h"
     #include <string.h>
      #define TRIP_I(_v, _i) (((_v) >> (_i)) & 0x1)
     /*@requires div < NINSTR;
10
       @requires \valid(state);
11
12
        @requires \valid(state->reading + (0.. NTRIP-1));
       @requires \valid(state->test_reading + (0.. NTRIP-1));
13
14
15
       Orequires \valid(state->setpoints + (0.. NTRIP-1));
        @requires \valid(state->sensor_trip + (0.. NTRIP-1));
        {\it Qassigns state-} {\it >reading[0..NTRIP-1];}
16
        @assigns state->test_reading[0.. NTRIP-1];
17
        @assigns state->sensor_trip[0.. NTRIP-1];
18
        @ensures -1 <= \result <= 0;
20
21
22
     static int instrumentation_step_trip(uint8_t div,
                                          int do_test,
                                          struct instrumentation state *state) {
23
24
       int err = 0:
```

```
if (do_test) {
         err |= read_test_instrumentation_channel(div, T, &state->test_reading[T]);
\verb|err|| = \verb|read_test_instrumentation_channel(div, P, \&state->test_reading[P]); \\
         state->test_reading[S] = Saturation(state->test_reading[T], state->test_reading[P]);
         err |= read_instrumentation_channel(div, T, &state->reading[T]);
         err |= read_instrumentation_channel(div, P, &state->reading[P]);
         state->reading[S] = Saturation(state->reading[T], state->reading[P]);
       uint8_t new_trips = 0;
       if (do_test) {
         uint32_t setpoints[3];
         err |= get_instrumentation_test_setpoints(div, &setpoints[0]);
         new_trips = Generate_Sensor_Trips(state->test_reading, setpoints);
       } else {
        new_trips = Generate_Sensor_Trips(state->reading, state->setpoints);
       /*@loop invariant 0 <= i && i <= NTRIP;
         @loop assigns i;
         @loop assigns state->sensor_trip[0.. NTRIP-1];
       for (int i = 0; i < NTRIP; ++i) {
        state->sensor_trip[i] = TRIP_I(new_trips, i);
       return err;
     /*@requires \valid(i_cmd);
       @requires \valid(state);
       @requires state->mode[0] \in {0,1,2};
@requires state->mode[1] \in {0,1,2};
60
       \textit{Orequires state->mode[2] } \ \ \ \ \{0,1,2\};
61
       @assigns state->maintenance, state->mode[0..2], state->setpoints[0..2];
62
       @ensures -1 <= \result <= 0;
63
       @ensures state->mode[0] \in {0,1,2};
64
       @ensures state->mode[1] \in {0,1,2};
65
       @ensures state->mode[2] \in {0,1,2};
66
67
     static int instrumentation_handle_command(uint8_t div,
68
                                             struct instrumentation command *i cmd.
69
                                              struct instrumentation_state *state) {
70
71
72
73
74
75
76
77
       struct set_maintenance set_maint;
       struct set_mode set_mode;
       struct set_setpoint set_setpoint;
       switch (i_cmd->type) {
       case SET_MAINTENANCE:
         set_maint = i_cmd->cmd.maintenance;
         state->maintenance = set_maint.on;
78
79
         break:
80
81
82
83
84
85
86
       case SET MODE:
         set_mode = i_cmd->cmd.mode;
         if (state->maintenance && set_mode.channel < NTRIP &&
             set_mode.mode_val < NMODES) {
           state->mode[set_mode.channel] = set_mode.mode_val;
         break;
87
88
       case SET_SETPOINT:
89
         set setpoint = i cmd->cmd.setpoint:
         if (state->maintenance && set_setpoint.channel < NTRIP) {</pre>
```

```
91
            state->setpoints[set_setpoint.channel] = set_setpoint.val;
 93
          break;
 94
95
        default:
 96
         return -1;
 97
 98
 99
        return 0;
100
101
102
      /*@ requires div < NINSTR;</pre>
103
       @ requires \valid(state);
104
105
        @ requires state->mode[0] \in {0,1,2};
@ requires state->mode[1] \in {0,1,2};
106
        @ requires state->mode[2] \in {0,1,2};
107
        @ assigns core.test.test_instrumentation_done[div];
108
       @ ensures \result <= 0;
109
110
      static int instrumentation_set_output_trips(uint8_t div,
111
                                                int do_test,
112
                                                struct instrumentation_state *state)
113
114
115
        /*@ loop invariant 0 <= i <= NTRIP;
          @ loop assigns i;
116
117
        for (int i = 0; i < NTRIP; ++i) {
118
          uint8_t mode = do_test ? 1 : state->mode[i];
119
          set_output_instrumentation_trip(div, i, BIT(do_test, Is_Ch_Tripped(mode, 0 != state->
                ⇔ sensor_trip[i])));
120
121
122
        if (do_test) {
123
          set_instrumentation_test_complete(div, 1);
124
125
126
        return 0;
127
128
129
       int instrumentation_step(uint8_t div, struct instrumentation_state *state) {
130
        int err = 0;
131
132
        uint8_t test_div[2];
133
        get_test_instrumentation(test_div);
134
135
        int do_test = (div == test_div[0] || div == test_div[1]) && is_test_running();
136
137
        if (do_test && is_instrumentation_test_complete(div))
          return 0;
138
139
        if (!do_test && is_instrumentation_test_complete(div)) {
140
141
142
143
144
145
146
147
148
150
         set_instrumentation_test_complete(div, 0);
        /* Read trip signals & vote */
        err |= instrumentation_step_trip(div, do_test, state);
        /* Handle any external commands */
        struct instrumentation_command i_cmd;
        int read_cmd = read_instrumentation_command(div, &i_cmd);
        if (read_cmd > 0) {
          err |= instrumentation_handle_command(div, &i_cmd, state);
151
        } else if (read_cmd < 0) {</pre>
152
         err |= -read_cmd;
153
154
155
        /* Actuate devices based on voting and commands */
```

```
156 err |= instrumentation_set_output_trips(div, do_test, state);
157 return err;
158 }
```

### Listing F.18: C implementation of actuation\_unit\_generated\_C.

```
#define Actuate_DO Actuate_DO_generated_C
#define Actuate_D1 Actuate_D1_generated_C
#define Coincidence_2_4 Coincidence_2_4_generated_C
#define actuation_unit_step actuation_unit_step_generated_C
#include "../components/actuation_unit_c"
#include "../generated/C/actuation_unit_impl.c"
```

### Listing F.19: C implementation of actuator\_impl.

```
typedef unsigned _ExtInt(1) w1;
 2
     typedef unsigned _ExtInt(2) w2;
3
4
5
6
7
8
9
10
     w1 static rotl1(w1 x, w1 shf)
          w1 offset = 1;
          return x << shf | x >> offset - shf;
     }
     w1 static rotr1(w1 x, w1 shf)
          w1 offset = 1;
11
          return x >> shf | x << offset - shf;</pre>
13
14
15
16
17
18
19
20
21
22
23
24
25
27
28
29
     w2 static rotl2(w2 x, w2 shf)
          w2 offset = 2;
          return x << shf | x >> offset - shf;
     }
     w2 static rotr2(w2 x, w2 shf)
          w2 offset = 2;
          return x >> shf | x << offset - shf;</pre>
     w1 ActuateActuator(w2 inputs4683)
          w1 app_4097;
          w1 return_4096;
          return_4096 = 0;
          app_4097 = inputs4683 >> (w1) 0 & 1 | inputs4683 >> (w1) 1 & 1;
          return_4096 = app_4097;
30
          return return_4096;
31
```

#### Listing F.20: C implementation of sense\_actuate.

```
#include "common.h"
#include "platform.h"
#include "instrumentation.h"
#include "actuation_logic.h"
#include "sense_actuate.h"

#ifdef PLATFORM_HOST
#include <stdio.h>
#else
#include "printf.h"
#endif
#include "printf.h"
#include "stdio.h>
#include "printf.h"
#include "sense_actuate.h"
#include "sense_actuate.h"
#include "sense_actuate.h"
#include "sense_actuate.h"
#include "sense_actuate.h"
#include "include "sense_actuate.h"
#include "sense_actuate.h"
#include "sense_actuate.h"
#include "include "sense_actuate.h"
#include "include "sense_actuate.h"
#include "sense_actuate.h"
#include
```

```
15
    | int instrumentation_step_generated_SystemVerilog(uint8_t div, struct instrumentation_state *
           → state):
16
     int instrumentation step handwritten SystemVerilog(uint8 t div. struct instrumentation state
           → *state):
17
     int actuation_unit_step_generated_C(uint8_t logic_no, struct actuation_logic *state);
18
     int actuation_unit_step_generated_SystemVerilog(uint8_t logic_no, struct actuation_logic *
           → state):
19
20
21
     int sense_actuate_init(int core_id,
                          struct instrumentation_state *instrumentation,
223456782933333333334445678995152
                          struct actuation_logic *actuation)
       DEBUG_PRINTF(("<sense_actuate.c> sense_actuate_init\n"));
       instrumentation_init(&instrumentation[0]);
       instrumentation_init(&instrumentation[1]);
       actuation->vote_actuate[0] = 0;
       actuation->vote_actuate[1] = 0;
       return 0;
     int sense_actuate_step_0(struct instrumentation_state *instrumentation,
                            struct actuation_logic *actuation)
      int err = 0;
       err |= instrumentation_step_generated_C(0,&instrumentation[0]);
       err |= instrumentation_step_handwritten_C(1,&instrumentation[1]);
       // Do we think the devices should be actuated?
       err |= actuation_unit_step_generated_C(0,actuation);
       DEBUG_PRINTF(("<sense_actuate.c> sense_actuate_step_0, err=0x%X\n",err));
     int sense_actuate_step_1(struct instrumentation_state *instrumentation,
                            struct actuation_logic *actuation)
       int err = 0:
       err |= instrumentation_step_handwritten_SystemVerilog(2,&instrumentation[0]);
       \verb|err|| = instrumentation_step_generated_SystemVerilog(3, \&instrumentation[1]); \\
       // Do we think the devices should be actuated?
       err |= actuation_unit_step_generated_SystemVerilog(1,actuation);
       DEBUG_PRINTF(("<sense_actuate.c> sense_actuate_step_1, err=0x%X\n",err));
53
       return err;
```

#### Listing F.21: C implementation of instrumentation\_generated\_C.

```
#define Generate_Sensor_Trips Generate_Sensor_Trips_generated_C
#define Is_Ch_Tripped Is_Ch_Tripped_generated_C
#define Trip Trip_generated_C
#define instrumentation_step instrumentation_step_generated_C
#include "../components/instrumentation.c"
#include "../generated/C/instrumentation_impl.c"
```

Listing F.22: C implementation of instrumentation\_impl.

```
#include <stdint.h>

#include <stdint.h>

// Identified by SAW: vals[2] and setpoints[2] must be less than 0x80000000

uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])

{
    uint8_t trips_out = 0;
    trips_out |= Trip(vals, setpoints, 0);
    //@ assert trips_out <= 0x1;
    trips_out |= (Trip(vals, setpoints, 1) << 1);

//@ assert trips_out <= 0x3;</pre>
```

# Listing F.23: C implementation of instrumentation\_impl.

```
#include <stdint.h>
 234567
     // Identified by SAW: vals[2] and setpoints[2] must be less than 0x80000000
     uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
         uint8_t trips_out = 0;
         trips_out |= Trip(vals, setpoints, 0);
 89
         //@ assert trips_out <= 0x1;</pre>
         trips_out \mid= (Trip(vals, setpoints, 1) << 1);
10
         //@ assert trips_out <= 0x3;
11
         trips_out |= (Trip(vals, setpoints, 2) << 2);</pre>
12
13
14
15
         return trips_out;
16
17
18
19
20
21
22
23
24
25
27
     uint8_t Trip(uint32_t vals[3], uint32_t setpoints[3], uint8_t ch)
         if (ch <= 1) {
             return (setpoints[ch] < vals[ch]);</pre>
         } else {
             return ((int32_t)vals[ch] < (int32_t)setpoints[ch]);</pre>
     uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t sensor_tripped)
         return (mode == 2) || ((mode == 1) && sensor_tripped);
```

## Listing F.24: C implementation of bsp.

```
#include "bsp.h"
#include "printf.h"

#include "printf.h"

#include "printf.h"

#include "printf.h"

#include "printf.h"

#include "printf.h"

#include "bsp.h"

#include
```

```
13
       *i2c_addr = addr;
14
15
        // Now the transaction is initialized, so wait for completion
       delay(100);
16
       while (1) {
17
18
         uint32_t status = *i2c_status;
          if (status) {
19
            // Return the acquired data
20
            uint32_t data = *i2c_data;
21
22
23
24
25
26
27
28
29
31
32
           return data;
         delay(1000);
    1,
      uint32_t time_in_s(void)
       uint32_t t_s = time_in_ms()/1000;
       return t_s;
uint32_t time_in_ms(void)
       volatile uint32_t *tick_reg_low = (void*) TICK_REG_LOW;
volatile uint32_t *tick_reg_high = (void*) TICK_REG_HIGH;
       uint64_t ticks = (uint64_t) (*tick_reg_high << 31 | *tick_reg_low);</pre>
       return (uint32_t)((ticks*1000)/(CORE_FREQ*TICKS_TO_MS_MULTIPLIER));
      void delay_ms(uint32_t ms)
          uint32_t ticks = ms*CORE_FREQ/1000;
          delay(ticks);
      void delay(uint32_t count)
              while(count-->0) {
                     __asm__ volatile ("nop");
      uint8_t soc_getchar(void)
       volatile uint32_t *data_rdy = (void*) UART_REG_DATA_READY;
       volatile uint32_t *rx_data = (void*) UART_REG_RX;
       int startime = time_in_ms();
int delay_ms = 0;
60
       // Wait 1s for each character
61
       while ((delay_ms < 2000)) {</pre>
62
         if (*data_rdy){
63
              return (uint8_t)(*rx_data);
64
65
         delay_ms = time_in_ms() - startime;
66
67
       return 0;
68
69
70
71
72
73
74
75
      /\!/\!\!\!/\; \mathit{Read} \ \mathit{from} \ \mathit{a} \ \mathit{register}
      uint32_t read_reg(uint32_t reg)
       uint32_t *p = (void*)reg;
       return *p;
76
      // Write 'val' to 'reg'
    void write_reg(uint32_t reg, uint32_t val)
```

Listing F.25: C implementation of instrumentation\_impl.

```
1
     #include <stdint.h>
 3
     // Identified by SAW: vals[2] and setpoints[2] must be less than 0x80000000
     uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
 4567
         uint8_t trips_out = 0;
trips_out |= Trip(vals, setpoints, 0);
 89
         //@ assert trips_out <= 0x1;
         trips_out \mid= (Trip(vals, setpoints, 1) << 1);
10
         //@ assert trips_out <= 0x3;
11
         trips_out |= (Trip(vals, setpoints, 2) << 2);</pre>
12
13
         return trips_out;
14
15
     }
16
17
18
19
     uint8_t Trip(uint32_t vals[3], uint32_t setpoints[3], uint8_t ch)
          if (ch <= 1) {
             return (setpoints[ch] < vals[ch]);</pre>
20
21
22
23
24
25
26
27
         } else {
             return ((int32_t)vals[ch] < (int32_t)setpoints[ch]);</pre>
     uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t sensor_tripped)
         return (mode == 2) || ((mode == 1) && sensor_tripped);
```

Listing F.26: C implementation of firmware.

```
#include <stdint.h>
       #include "bsp.h"
 \tilde{3}
       #include "printf.h"
 45
      //
      // int main(void)
 _{\gamma}^{6}
      // {
      // volatile uint32_t *gpio = (void*) GPIO_REG;
     // uint32_t cnt = 0;

// //char line[256] = {0};

// //printf("Hello world\n");
10
11
      // while(1) {
       \label{lem:conds} \ensuremath{///printf("%u miliseconds passed, GPIO=0x%X\n",time_in_ms(), *gpio);}
      // //printf("%d seconds passed...and a sensor reads 0x\%X \setminus n", time_in_s(),i2c_read(0x64, 0x0B))
14
15
      // // NOTE this is still line buffered
      // //uint8_t c = soc_getchar();
      // //printf(">>>%c<<<\n",c);
     //// for (unsigned int i = 0; i < sizeof(line); i++) {
//// line[i] = soc_getchar();
//// if (line[i] == 0 |/ line[i] == '\n') {
     // // break;
      // // }
// // printf(">>>%s<<<\\n",line);
      // *gpio = cnt;
     // cnt++;
```

```
27
28
29
31
33
33
35
36
37
38
44
44
44
44
44
46
47
48
49
55
55
55
56
57
     | // cnt = cnt % 256;
      // //delay_ms(1000);
      // delay(100000);
      // return 0;
      // }
      int main()
               volatile uint32_t *gpio = (void*)GPIO_REG;
           *gpio = 0;
               uint32_t cnt = 0;
               while(1)
                        delay_ms(1000);
               if (cnt == 1) {
                   cnt = 0;
               } else {
                   cnt = 1;
                        *gpio = cnt;
               printf("%u miliseconds passed, GPIO=0x%X\n",time_in_ms(), *gpio);
}
               return 0;
```

Listing F.27: C implementation of saturation\_impl.

```
typedef unsigned _ExtInt(1) w1;
 234567
      typedef unsigned _ExtInt(32) w32;
     w1 static rotl1(w1 x, w1 shf)
          w1 offset = 1;
          return x << shf | x >> offset - shf;
     }
 8
     w1 static rotr1(w1 x, w1 shf)
10
          w1 offset = 1;
11
          return x >> shf \mid x << offset - shf;
12
13
14
15
     w32 static rotl32(w32 x, w32 shf)
          w32 	ext{ offset = } 32;
16
17
          return x << shf | x >> offset - shf;
18
     w32 static rotr32(w32 x, w32 shf)
19
20
21
22
23
24
25
26
27
28
29
31
32
33
34
35
          w32 \text{ offset} = 32;
          return x >> shf \mid x << offset - shf;
     }
     w32 Saturation(w32 t4762, w32 p4763)
          w32 app_4100;
          w32 app_4101;
          w1 app_4157;
          w1 app_4158;
w1 app_4159;
          w32 app_4160;
w32 ifv_4099;
          w32 ifv_4156;
          w32 return_4097;
          w32 table_4102[52];
          w32 v4804_4103;
36
          w32 v4805_4104;
37
          w32 v4806_4105;
```

```
w32 v4807_4106;
          w32 v4808_4107;
          w32 v4809_4108;
          w32 v4810_4109;
          w32 v4811_4110;
          w32 v4812_4111;
          w32 v4813_4112;
          w32 v4814_4113;
          w32 v4815_4114;
          w32 v4816_4115;
          w32 v4817_4116;
          w32 v4818_4117;
          w32 v4819_4118;
          w32 v4820_4119;
          w32 v4821_4120;
          w32 v4822_4121;
          w32 v4823_4122;
          w32 v4824_4123;
          w32 v4825_4124;
          w32 v4826_4125;
          w32 v4827_4126;
          w32 v4828_4127;
 60
          w32 v4829_4128;
 61
          w32 v4830 4129:
 62
          w32 v4831_4130;
 63
          w32 v4832_4131;
 64
65
          w32 v4833_4132;
          w32 v4834_4133;
 66
          w32 v4835_4134;
 67
          w32 v4836_4135;
          w32 v4837_4136;
 69
70
          w32 v4838_4137;
          w32 v4839_4138;
 71
72
73
74
75
76
77
78
79
80
          w32 v4840_4139;
          w32 v4841 4140:
          w32 v4842_4141;
          w32 v4843_4142;
          w32 v4844_4143;
          w32 v4845_4144;
          w32 v4846_4145;
          w32 v4847_4146;
          w32 v4848_4147;
          w32 v4849_4148;
 81
          w32 v4850_4149;
 82
          w32 v4851_4150;
 83
84
85
86
          w32 v4852_4151;
          w32 v4853_4152;
          w32 v4854_4153;
          w32 v4855_4154;
 87
          return_4097 = 0;
          app_4158 = (signed _ExtInt(32)) t4762 < (signed _ExtInt(32)) (w32) 35;</pre>
 89
90
          if (app_4158)
          {
 91
              ifv_4099 = (w32) 0;
 92
93
94
95
          }
          else
          {
              app_4100 = t4762 - (w32) 35;
 96
97
98
              app_4101 = app_4100 / (w32) 5;
              ifv_4099 = app_4101;
 99
          app_4159 = ifv_4099 < (w32) 52;
100
          if (app_4159)
101
          {
102
              app_4157 = (signed _ExtInt(32)) t4762 < (signed _ExtInt(32)) (w32) 35;</pre>
103
              if (app_4157)
```

```
104
105
                 ifv_4099 = (w32) 0;
106
             }
107
             else
108
              {
                 app_4100 = t4762 - (w32) 35;
109
110
                 app_4101 = app_4100 / (w32) 5;
111
                 ifv_4099 = app_4101;
112
113
              v4804_4103 = (w32) 9998;
114
115
             v4805_4104 = (w32) 12163;
              v4806_4105 = (w32) 14753;
116
             v4807_4106 = (w32) 17796;
             v4808_4107 = (w32) 21404;
117
118
             v4809_4108 = (w32) 25611;
119
             v4810_4109 = (w32) 30562;
120
             v4811_4110 = (w32) 36292;
121
              v4812_4111 = (w32) 42985;
122
              v4813_4112 = (w32) 50683;
123
              v4814_4113 = (w32) 59610;
124
              v4815_4114 = (w32) 69813;
125
             v4816_4115 = (w32) 81567;
             v4817_4116 = (w32) 94924;
126
127
             v4818_4117 = (w32) 110218;
128
             v4819_4118 = (w32) 127500;
129
             v4820_4119 = (w32) 147160;
130
             v4821_4120 = (w32) 169270;
131
              v4822_4121 = (w32) 194350;
132
              v4823_4122 = (w32) 222300;
133
              v4824_4123 = (w32) 253820;
134
              v4825_4124 = (w32) 288920;
135
              v4826_4125 = (w32) 328250;
136
             v4827_4126 = (w32) 371840;
137
             v4828_4127 = (w32) 420470;
138
             v4829_4128 = (w32) 474140;
139
             v4830_4129 = (w32) 533740;
140
             v4831_4130 = (w32) 599260;
141
142
             v4832_4131 = (w32) 671730;
             v4833_4132 = (w32) 751100;
              v4834_4133 = (w32) 838550;
              v4835_4134 = (w32) 934000;
             v4836_4135 = (w32) 1038600;
             v4837_4136 = (w32) 1152600;
147
148
149
150
             v4838_4137 = (w32) 1277600;
             v4839_4138 = (w32) 1413200;
             v4840_4139 = (w32) 1469600;
             v4841_4140 = (w32) 1718600;
151
             v4842_4141 = (w32) 1892100;
              v4843_4142 = (w32) 2079100;
152
153
              v4844_4143 = (w32) 2280400;
154
155
              v4845_4144 = (w32) 2496800;
              v4846_4145 = (w32) 2731900;
             v4847_4146 = (w32) 2984000;
157
              v4848_4147 = (w32) 3253900;
             v4849_4148 = (w32) 3542700;
158
             v4850_4149 = (w32) 3854600;
159
             v4851_4150 = (w32) 4187500;
160
              v4852_4151 = (w32) 4542300;
161
162
             v4853_4152 = (w32) 4920000;
163
              v4854_4153 = (w32) 5325900;
164
              v4855_4154 = (w32) 5775200;
165
              table_4102[0] = v4804_4103;
166
              table_4102[1] = v4805_4104;
             table_4102[2] = v4806_4105;
167
             table_4102[3] = v4807_4106;
table_4102[4] = v4808_4107;
168
169
```

```
170
              table_4102[5] = v4809_4108;
              table_4102[6] = v4810_4109;
171
172
              table_4102[7] = v4811_4110;
173
              table_4102[8] = v4812_4111;
174
175
              table_4102[9] = v4813_4112;
              table_4102[10] = v4814_4113;
176
              table_4102[11] = v4815_4114;
177
              table_4102[12] = v4816_4115;
              table_4102[13] = v4817_4116;
179
              table_4102[14] = v4818_4117;
180
              table_4102[15] = v4819_4118;
181
              table_4102[16] = v4820_4119;
182
              table_4102[17] = v4821_4120;
183
              table_4102[18] = v4822_4121;
184
              table_4102[19] = v4823_4122;
185
              table_4102[20] = v4824_4123;
186
              table_4102[21] = v4825_4124;
187
              table_4102[22] = v4826_4125;
188
              table_4102[23] = v4827_4126;
189
              table_4102[24] = v4828_4127;
190
              table_4102[25] = v4829_4128;
191
              table_4102[26] = v4830_4129;
192
              table_4102[27] = v4831_4130;
193
              table_4102[28] = v4832_4131;
194
              table_4102[29] = v4833_4132;
195
              table_4102[30] = v4834_4133;
196
              table_4102[31] = v4835_4134;
197
              table_4102[32] = v4836_4135;
198
              table_4102[33] = v4837_4136;
199
              table_4102[34] = v4838_4137;
200
              table_4102[35] = v4839_4138;
201
              table_4102[36] = v4840_4139;
202
              table_4102[37] = v4841_4140;
203
              table 4102[38] = v4842 4141:
204
              table_4102[39] = v4843_4142;
205
              table_4102[40] = v4844_4143;
206
              table_4102[41] = v4845_4144;
\tilde{2}\tilde{0}\tilde{7}
              table_4102[42] = v4846_4145;
208
              table_4102[43] = v4847_4146;
209
              table_4102[44] = v4848_4147;
210
              table_4102[45] = v4849_4148;
211
              table_4102[46] = v4850_4149;
212
              table_4102[47] = v4851_4150;
213
              table_4102[48] = v4852_4151;
214
215
              table_4102[49] = v4853_4152;
              table_4102[50] = v4854_4153;
\tilde{2}\tilde{1}\tilde{6}
              table_4102[51] = v4855_4154;
217
              ifv_4156 = table_4102[ifv_4099];
218
219
          }
          else
220
          {
221
              ifv_4156 = (w32) 5775200;
222
          app_4160 = p4763 - ifv_4156;
223
224
225
          return_4097 = app_4160;
           return return_4097;
\tilde{2}\tilde{2}\tilde{6}
```

Listing F.28: C implementation of instrumentation\_handwritten\_SystemVerilog.

```
#include "printf.h"
          #endif
          \verb|#define Generate_Sensor_Trips_handwritten_SystemVerilog|\\
          \verb|#define Is_Ch_Tripped_handwritten_SystemVerilog|\\
          #define instrumentation_step instrumentation_step_handwritten_SystemVerilog
12
          #include "../components/instrumentation.c"
13
14
15
          static uint8_t lookup[8] = { 0x0, 0b100, 0b010, 0b110, 0b001, 0b101, 0b011, 0b111 };
16
          #ifdef PLATFORM_HOST
17
          static VIs_Ch_Tripped is_tripped;
18
          static VGenerate_Sensor_Trips gen_trips;
19
20
21
22
23
          uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip)
                 is_tripped.mode = mode;
                 is_tripped.sensor_tripped = trip;
24
25
                 is_tripped.eval();
                 uint32_t val = (trip & 0x1) << 3| (mode & 0x3) << 1| 0x0;</pre>
26
                DEBUG_PRINTF(("<instrumentation_handwritten_SystemVerilog.c> Is_Ch_Tripped: mode=0x%X,
                             \rightarrow trip=0x%X, base=0x%X, res=0x%X\n",
27
                mode, trip, val,is_tripped.out));
28
                return is_tripped.out;
29
30
31
32
33
35
36
37
39
41
          uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
                 gen_trips.vals[0] = vals[2];
                 gen_trips.vals[1] = vals[1];
                 gen_trips.vals[2] = vals[0];
                gen_trips.setpoints[0] = setpoints[2];
                gen_trips.setpoints[1] = setpoints[1];
                gen_trips.setpoints[2] = setpoints[0];
                 gen_trips.eval();
                DEBUG_PRINTF(("<instrumentation_handwritten_SystemVerilog.c> Generate_Sensor_Trips: vals
                            \hookrightarrow =[%u,%u,%u], setpoints=[%u,%u,%u], lookup[%d]=0x%X\n",
43 445 67 8 49 0 1 5 2 3 5 3 5 3
                vals[0],vals[1],vals[2],setpoints[0],setpoints[1],setpoints[2],out,lookup[out]));
                return lookup[out];
          #else
          #include "bsp.h"
          #include "platform.h"
          uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip)
                 \label{eq:continuous} \end{minipage} \begin{subarray}{lll} \end{subarray} \begin{subarray}{lll} \end{subarray} & \end{subar
                 // wdata[2:1] - mode
                 // wdata[3] - sensor_tripped
54
55
                // rg_instr_hand_res[2:0] - result
// rg_instr_hand_res[31] - fnc select ( 0 - is_channel_tripped | 1 - generate_sensor_trips
56
                 uint32_t val = (trip & 0x1) << 3| (mode & 0x3) << 1| 0x0;
57
                write_reg(INSTRUMENTATION_HANDWRITTEN_REG_BASE, val);
58
                 uint8_t res = (uint8_t)(read_reg(INSTRUMENTATION_HANDWRITTEN_REG_RESULT) & 0x1);
                DEBUG_PRINTF(("<instrumentation_handwritten_SystemVerilog.c> Is_Ch_Tripped: mode=0x%X,
                            \hookrightarrow trip=0x%X, base=0x%X, res=0x%X\n",
60
                 mode, trip, val, res));
61
                 return res;
62
         1
63
64
65
          uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
66
                 // Set value for setpoints
                 write_reg(INSTRUMENTATION_HANDWRITTEN_REG_SETPOINT_VAL_0, setpoints[0]);
```

```
68
         write_reg(INSTRUMENTATION_HANDWRITTEN_REG_SETPOINT_VAL_1, setpoints[1]);
69
         write_reg(INSTRUMENTATION_HANDWRITTEN_REG_SETPOINT_VAL_2, setpoints[2]);
70
71
72
73
         write_reg(INSTRUMENTATION_HANDWRITTEN_REG_INSTR_VAL_0, vals[0]);
         write_reg(INSTRUMENTATION_HANDWRITTEN_REG_INSTR_VAL_1, vals[1]);
         write_reg(INSTRUMENTATION_HANDWRITTEN_REG_INSTR_VAL_2, vals[2]);
         write_reg(INSTRUMENTATION_HANDWRITTEN_REG_BASE, 0x1);
         uint8_t out = (uint8_t)(read_reg(INSTRUMENTATION_HANDWRITTEN_REG_RESULT) & 0x7);
         DEBUG_PRINTF(("<instrumentation_handwritten_SystemVerilog.c> Generate_Sensor_Trips: vals
                \rightarrow =[%u,%u,%u], setpoints=[%u,%u,%u], lookup[%d]=0x%X\n"
76
         ,vals[0],vals[1],vals[2],setpoints[0],setpoints[1],setpoints[2],out,lookup[out]));
77
78
79
         return lookup[out];
80
     #endif
```

Listing F.29: C implementation of bottom.

```
#include "actuate.h"
     #include "actuation_logic.h"
 3
     #include "common.h"
 45
     #include "core.h"
     #include "instrumentation.h"
 \frac{6}{7}
     #include "platform.h"
     #include "sense_actuate.h"
     #include <assert.h>
11
     int actuate_devices(void) {
12
13
14
15
16
       assert(0):
       return 0;
     uint8_t ActuateActuator(uint8_t vs) {
17
18
19
       assert(0);
       return 0;
2012234567829013233334567890412344567849
     uint8_t Coincidence_2_4(uint8_t trips[4]) {
       assert(0):
       return 0;
     uint8_t Actuate_D0(uint8_t trips[3][4], uint8_t old) {
       return 0;
     uint8_t Actuate_D1(uint8_t trips[3][4], uint8_t old) {
       assert(0):
       return 0;
     int actuation_unit_step(uint8_t logic_no, struct actuation_logic *state) {
     int sense_actuate_init(int core_id,
                            struct instrumentation_state *instrumentation,
                            struct actuation_logic *actuation) {
       assert(0);
       return 0;
      int sense_actuate_step_0(struct instrumentation_state *instrumentation,
                              struct actuation_logic *actuation)
```

```
50
51
52
53
54
55
56
57
58
59
        assert(0);
        return 0;
       \verb|int sense_actuate_step_1| (\verb|struct instrumentation_state *| \verb|instrumentation|)| \\
                               struct actuation_logic *actuation) {
        assert(0);
        return 0;
 60
 61
 62
       void core_init(struct core_state *core) { assert(0); }
 63
 64
65
66
       int core_step(struct core_state *core) {
        assert(0);
        return 0;
 67
 68
69
70
71
72
77
76
77
78
79
80
81
88
88
88
89
99
99
99
99
99
99
       void instrumentation_init(struct instrumentation_state *state) { assert(0); }
       int instrumentation_step(uint8_t div, struct instrumentation_state *state) {
        assert(0):
        return 0;
       int read_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val) {
        assert(0);
        return 0;
       int get_instrumentation_value(uint8_t division, uint8_t ch, uint32_t *value) {
        assert(0);
        return 0;
       int get_instrumentation_trip(uint8_t division, uint8_t ch, uint8_t *value) {
        assert(0);
        return 0;
       int get_instrumentation_mode(uint8_t division, uint8_t ch, uint8_t *value) {
        assert(0);
        return 0;
       int get_instrumentation_maintenance(uint8_t division, uint8_t *value) {
        assert(0);
        return 0;
100
       int get_actuation_state(uint8_t i, uint8_t device, uint8_t *value) {
101
        assert(0);
102
        return 0;
103
104
105
       int read_instrumentation_trip_signals(uint8_t arr[3][4]) {
106
        assert(0);
107
108
        return 0;
109
110
       int set_output_actuation_logic(uint8_t logic_no, uint8_t device_no,
111
                                     uint8_t on) {
112
        assert(0);
113
        return 0;
114
115
```

```
116
     int set_output_instrumentation_trip(uint8_t division, uint8_t channel,
117
                                        uint8 t val) {
118
        assert(0):
119
        return 0;
120
121
122
      int set_actuate_device(uint8_t device_no, uint8_t on) {
123
        assert(0);
\frac{124}{125}
        return 0;
126
127
      int read_rts_command(struct rts_command *cmd) {
128
        assert(0):
129
        return 0;
130
131
132
       int read_instrumentation_command(uint8_t division,
133
                                     struct instrumentation_command *cmd) {
134
135
        assert(0);
       return 0;
136
137
138
      int send_instrumentation_command(uint8_t division,
139
                                      struct instrumentation_command *cmd) {
140
141
142
143
144
145
146
147
148
149
150
        assert(0):
        return 0;
      int read_actuation_command(uint8_t id, struct actuation_command *cmd) {
        return 0;
      int send_actuation_command(uint8_t actuator, struct actuation_command *cmd) {
        assert(0):
151
152
153
        return 0;
154
155
      int set_display_line(uint8_t line_number, const char *display, uint32_t size) {
156
        return 0;
157
158
159
      uint8_t is_test_running() {
160
        assert(0);
161
        return 0;
162
163
164
165
      void set_test_running(int val) { assert(0); }
      uint8_t get_test_device() {
  assert(0);
166
167
168
        return 0;
169
170
171
      void get_test_instrumentation(uint8_t *id) { assert(0); }
172
173
174
175
176
      int get_instrumentation_test_setpoints(uint8_t id, uint32_t *setpoints) {
        assert(0);
       return 0;
177
      void set_instrumentation_test_complete(uint8_t div, int v) { assert(0); }
178
      int is_instrumentation_test_complete(uint8_t id) {
179
       assert(0);
180
        return 0;
181 }
```

```
182
     int read_test_instrumentation_channel(uint8_t div, uint8_t channel,
183
                                          uint32_t *val) {
184
185
186
187
        assert(0):
        return 0;
188
      uint8_t get_test_actuation_unit() {
189
        assert(0);
190
        return 0;
191
192
      int is_actuation_unit_under_test(uint8_t id) {
193
        assert(0);
194
195
        return 0;
196
      void set_actuation_unit_test_complete(uint8_t div, int v) { assert(0); }
197
      void set_actuation_unit_test_input_vote(uint8_t id, int v) { assert(0); }
198
199
      int is_actuation_unit_test_complete(uint8_t id) {
200
201
       return 0;
202
203
      void set_actuate_test_result(uint8_t dev, uint8_t result) { assert(0); }
\frac{204}{205}
      void set_actuate_test_complete(uint8_t dev, int v) { assert(0); }
      int is_actuate_test_complete(uint8_t dev) {
206
        assert(0);
207
        return 0;
208
209
210
211
212
      int main(int argc, char **argv) {
        assert(0);
        return 0;
213
```

## Listing F.30: C implementation of saturation\_impl.

```
typedef unsigned _ExtInt(1) w1;
     typedef unsigned _ExtInt(32) w32;
     w1 static rotl1(w1 x, w1 shf)
 3456789
         w1 offset = 1;
         return x << shf | x >> offset - shf;
     }
     w1 static rotr1(w1 x, w1 shf)
          w1 offset = 1;
         return x >> shf | x << offset - shf;</pre>
     }
13
     w32 static rotl32(w32 x, w32 shf)
14
15
          w32 \text{ offset} = 32;
16
          return x << shf | x >> offset - shf;
17
18
     w32 static rotr32(w32 x, w32 shf)
19
20
21
22
23
24
25
26
27
28
29
          w32 \text{ offset} = 32;
         return x >> shf | x << offset - shf;</pre>
     w32 Saturation(w32 t4762, w32 p4763)
          w32 app_4100;
          w32 app_4101;
         w1 app_4157;
          w1 app_4158;
          w1 app_4159;
30
          w32 app_4160;
          w32 ifv_4099;
```

```
w32 ifv_4156;
w32 return_4097;
          w32 table_4102[52];
         w32 v4804_4103;
          w32 v4805_4104;
         w32 v4806_4105;
          w32 v4807_4106;
          w32 v4808_4107;
         w32 v4809_4108;
          w32 v4810_4109;
         w32 v4811_4110;
         w32 v4812_4111;
         w32 v4813_4112;
          w32 v4814_4113;
         w32 v4815_4114;
         w32 v4816_4115;
         w32 v4817_4116;
         w32 v4818_4117;
         w32 v4819_4118;
         w32 v4820_4119;
         w32 v4821_4120;
         w32 v4822_4121;
         w32 v4823_4122;
         w32 v4824 4123:
         w32 v4825_4124;
         w32 v4826_4125;
          w32 v4827_4126;
          w32 v4828_4127;
60
          w32 v4829_4128;
61
          w32 v4830_4129;
         w32 v4831_4130;
63
         w32 v4832_4131;
64
65
         w32 v4833_4132;
         w32 v4834_4133;
66
         w32 v4835_4134;
67
         w32 v4836_4135;
68
69
70
71
72
73
74
75
76
77
78
79
80
81
         w32 v4837_4136;
          w32 v4838_4137;
          w32 v4839_4138;
          w32 v4840_4139;
          w32 v4841_4140;
         w32 v4842_4141;
         w32 v4843_4142;
         w32 v4844_4143;
         w32 v4845_4144;
         w32 v4846_4145;
         w32 v4847_4146;
         w32 v4848_4147;
          w32 v4849_4148;
          w32 v4850_4149;
82
83
84
85
         w32 v4851_4150;
         w32 v4852_4151;
         w32 v4853_4152;
         w32 v4854_4153;
86
87
88
89
90
91
92
93
94
95
         w32 v4855_4154;
         return_4097 = 0;
app_4158 = (signed _ExtInt(32)) t4762 < (signed _ExtInt(32)) (w32) 35;
          if (app_4158)
          {
              ifv_4099 = (w32) 0;
          }
          {
              app_4100 = t4762 - (w32) 35;
96
97
             app_4101 = app_4100 / (w32) 5;
ifv_4099 = app_4101;
```

```
98
          app_4159 = ifv_4099 < (w32) 52;
 99
100
          if (app_4159)
101
102
103
              app_4157 = (signed _ExtInt(32)) t4762 < (signed _ExtInt(32)) (w32) 35;
              if (app_4157)
104
105
                  ifv_4099 = (w32) 0;
106
107
              else
108
              {
109
                  app_4100 = t4762 - (w32) 35;
110
                  app_4101 = app_4100 / (w32) 5;
                  ifv_4099 = app_4101;
111
112
113
              v4804_4103 = (w32) 9998;
              v4805_4104 = (w32) 12163;
114
115
              v4806_4105 = (w32) 14753;
116
              v4807_4106 = (w32) 17796;
117
              v4808_4107 = (w32) 21404;
118
              v4809_4108 = (w32) 25611;
119
              v4810_4109 = (w32) 30562;
120
              v4811_4110 = (w32) 36292;
121
              v4812_4111 = (w32) 42985;
122
              v4813_4112 = (w32) 50683;
123
              v4814_4113 = (w32) 59610;
124
              v4815_4114 = (w32) 69813;
125
              v4816_4115 = (w32) 81567;
              v4817_4116 = (w32) 94924;
126
127
              v4818_4117 = (w32) 110218;
128
              v4819_4118 = (w32) 127500;
129
              v4820_4119 = (w32) 147160;
130
              v4821_4120 = (w32) 169270;
131
              v4822_4121 = (w32) 194350;
              v4823_4122 = (w32) 222300;
132
              v4824_4123 = (w32) 253820;
133
134
              v4825_4124 = (w32) 288920;
135
              v4826_4125 = (w32) 328250;
136
              v4827_4126 = (w32) 371840;
137
              v4828_4127 = (w32) 420470;
138
              v4829_4128 = (w32) 474140;
139
              v4830_4129 = (w32) 533740;
140
              v4831_4130 = (w32) 599260;
141
142
143
144
              v4832_4131 = (w32) 671730;
              v4833_4132 = (w32) 751100;
              v4834_4133 = (w32) 838550;
v4835_4134 = (w32) 934000;
145
              v4836_4135 = (w32) 1038600;
              v4837_4136 = (w32) 1152600;
              v4838_4137 = (w32) 1277600;
              v4839_4138 = (w32) 1413200;
              v4840_4139 = (w32) 1469600;
              v4841_4140 = (w32) 1718600;
151
              v4842_4141 = (w32) 1892100;
152
              v4843_4142 = (w32) 2079100;
              v4844_4143 = (w32) 2280400;
v4845_4144 = (w32) 2496800;
153
154
155
              v4846_4145 = (w32) 2731900;
156
              v4847_4146 = (w32) 2984000;
157
              v4848_4147 = (w32) 3253900;
158
              v4849_4148 = (w32) 3542700;
159
              v4850_4149 = (w32) 3854600;
160
              v4851_4150 = (w32) 4187500;
              v4852_4151 = (w32) 4542300;
161
              v4853_4152 = (w32) 4920000;
162
              v4854_4153 = (w32) 5325900;
163
```

```
\frac{164}{165}
              v4855_4154 = (w32) 5775200;
              table_4102[0] = v4804_4103;
166
              table_4102[1] = v4805_4104;
              table_4102[2] = v4806_4105;
167
\begin{array}{c} 168 \\ 169 \end{array}
              table_4102[3] = v4807_4106;
              table_4102[4] = v4808_4107;
170
              table_4102[5] = v4809_4108;
171
              table_4102[6] = v4810_4109;
172
              table_4102[7] = v4811_4110;
173
              table_4102[8] = v4812_4111;
              table_4102[9] = v4813_4112;
175
              table_4102[10] = v4814_4113;
176
              table_4102[11] = v4815_4114;
              table_4102[12] = v4816_4115;
177
178
              table_4102[13] = v4817_4116;
179
              table_4102[14] = v4818_4117;
180
              table_4102[15] = v4819_4118;
181
              table_4102[16] = v4820_4119;
182
              table_4102[17] = v4821_4120;
183
              table_4102[18] = v4822_4121;
184
              table_4102[19] = v4823_4122;
185
              table_4102[20] = v4824_4123;
186
              table_4102[21] = v4825_4124;
187
              table_4102[22] = v4826_4125;
188
              table_4102[23] = v4827_4126;
189
              table_4102[24] = v4828_4127;
190
              table_4102[25] = v4829_4128;
191
              table_4102[26] = v4830_4129;
192
              table_4102[27] = v4831_4130;
193
              table_4102[28] = v4832_4131;
194
              table_4102[29] = v4833_4132;
195
              table_4102[30] = v4834_4133;
196
              table_4102[31] = v4835_4134;
197
              table_4102[32] = v4836_4135;
198
              table_4102[33] = v4837_4136;
199
              table_4102[34] = v4838_4137;
200
              table_4102[35] = v4839_4138;
\tilde{201}
              table_4102[36] = v4840_4139;
202
              table_4102[37] = v4841_4140;
203
              table_4102[38] = v4842_4141;
204
              table_4102[39] = v4843_4142;
205
              table_4102[40] = v4844_4143;
206
              table_4102[41] = v4845_4144;
207
              table_4102[42] = v4846_4145;
208
              table_4102[43] = v4847_4146;
209
              table_4102[44] = v4848_4147;
\tilde{2}\tilde{1}\tilde{0}
              table_4102[45] = v4849_4148;
211
              table_4102[46] = v4850_4149;
211
212
213
214
215
              table_4102[47] = v4851_4150;
              table_4102[48] = v4852_4151;
              table_4102[49] = v4853_4152;
              table_4102[50] = v4854_4153;
216
              table_4102[51] = v4855_4154;
217
              ifv_4156 = table_4102[ifv_4099];
218
          }
219
           else
\tilde{2}\tilde{2}0
           {
221
              ifv_4156 = (w32) 5775200;
\tilde{222}
223
224
225
           app_4160 = p4763 - ifv_4156;
           return_4097 = app_4160;
           return return_4097;
226
```

Listing F.31: C implementation of actuation\_unit\_impl.

```
1 #include "common.h"
2 #include "actuation_logic.h"
3 #include "../generated/C/actuation_unit_impl.c"
```

## Listing F.32: C implementation of actuator\_generated\_C.

```
#define ActuateActuator ActuateActuator_generated_C
#define actuate_devices actuate_devices_generated_C
#include "../components/actuator.c"
#include "../generated/C/actuator_impl.c"
```

# Listing F.33: C implementation of saturation\_generated\_C.

```
#include "common.h"
#include "../generated/C/saturation_impl.c"
```

## Listing F.34: C implementation of actuation\_unit\_generated\_SystemVerilog.

```
#ifdef PLATFORM_HOST
     #include "../generated/SystemVerilog/verilator/actuate_d0/VActuate_D0.h"
     #include "../generated/SystemVerilog/verilator/actuate_d1/VActuate_D1.h"
     #include <stdio.h>
     #else
 \frac{6}{7}
     #include "printf.h"
     #endif
 8 9
     #define Actuate_D0 Actuate_D0_generated_SystemVerilog
     #define Actuate_D1 Actuate_D1_generated_SystemVerilog
     #define actuation_unit_step actuation_unit_step_generated_SystemVerilog
     #include "../components/actuation_unit.c"
13
     #ifdef PLATFORM_HOST
     static VActuate_DO actuate_dO;
16
     static VActuate_D1 actuate_d1;
17
     uint8_t Actuate_D0(uint8_t trips[3][4], uint8_t old) {
18
         actuate_d0.old = old;
19
         for(int b = 0; b < 12; ++b) {</pre>
20
             memcpy((uint8_t *)actuate_d0.trips + b, (uint8_t *)trips + (11 - b), 1);
21
22
         actuate_d0.eval();
23
         DEBUG_PRINTF(("<actuation_unit_generated_SystemVerilog.c> actuate_base: device=0x0, old=0

→ x%X, out=0x%X,trips=["

24
25
26
27
28
29
30
31
32
35
36
37
38
39
                    old, actuate_d0.out));
         for (int i = 0; i < 3; ++i) {
             DEBUG_PRINTF(("["));
             for (int div = 0; div < 4; ++div) {
             DEBUG_PRINTF(("%u,",trips[i][div]));
             DEBUG_PRINTF(("],"));
         DEBUG_PRINTF(("]\n"));
         return actuate_d0.out;
     uint8_t Actuate_D1(uint8_t trips[3][4], uint8_t old) {
         actuate_d1.old = old;
         for(int b = 0; b < 12; ++b) {
             memcpy((uint8_t *)actuate_d1.trips + b, (uint8_t *)trips + (11 - b), 1);
40
41
42
         actuate_d1.eval();
         DEBUG_PRINTF(("<actuation_unit_generated_SystemVerilog.c> actuate_base: device=0x1, old=0
               \hookrightarrow x%X, out=0x%X,trips=["
43
                    old, actuate_d1.out));
```

```
44567489
51553556
5789
60
          for (int i = 0; i < 3; ++i) {
             DEBUG_PRINTF(("["));
             for (int div = 0; div < 4; ++div) \{
             DEBUG_PRINTF(("%u,",trips[i][div]));
             DEBUG_PRINTF(("],"));
          DEBUG_PRINTF(("]\n"));
         return actuate_d1.out;
      #else
      #include "bsp.h"
      #include "platform.h"
      uint8_t actuate_base(uint8_t trips[3][4], uint8_t old, uint8_t id);
      uint8_t actuate_base(uint8_t trips[3][4], uint8_t old, uint8_t id)
 61
 62
          // NOTE: reverse ordering: 2->1->0 goes to 0->1->2
 63
          // Set value for trip value 0
64
65
          size_t idx = 0;
          write_reg(ACTUATION_REG_GENERATED_TRIP_2, (uint32_t) (trips[idx][3] << 24| trips[idx][2]</pre>
                → << 16 | trips[idx][1] << 8 | trips[idx][0]));</p>
 66
 67
         write_reg(ACTUATION_REG_GENERATED_TRIP_1, (uint32_t) (trips[idx][3] << 24| trips[idx][2]</pre>
               68
          idx++:
 69
          write_reg(ACTUATION_REG_GENERATED_TRIP_0,(uint32_t) (trips[idx][3] << 24| trips[idx][2]
               70
 71
          // trigger the actuation
          // wdata[0] - value of 'old' argument
// wdata[1] - which actuator to actuate
 72
 73
74
75
          write_reg(ACTUATION_REG_GENERATED_BASE, (uint32_t)( id << 1 | old));</pre>
 76
77
          // Get actuation results (only the last bit is pertinent for True/false)
         uint8_t res = (uint8_t) (read_reg(ACTUATION_REG_GENERATED_RESULT) & 0x1);
 78
79
         DEBUG_PRINTF(("<actuation_unit_generated_SystemVerilog.c> actuate_base: device=0x%X, old
               \hookrightarrow =0x%X, out=0x%X,trips=[", id, old, res));
80
81
          for (int i = 0; i < 3; ++i) {
             DEBUG_PRINTF(("["));
82
83
84
85
86
87
88
89
91
92
93
             for (int div = 0; div < 4; ++div) {</pre>
             DEBUG_PRINTF(("%u,",trips[i][div]));
             DEBUG_PRINTF(("],"));
         DEBUG_PRINTF(("]\n"));
          return res;
      uint8_t Actuate_D0(uint8_t trips[3][4], uint8_t old)
         return actuate_base(trips, old, 0);
94
95
      uint8_t Actuate_D1(uint8_t trips[3][4], uint8_t old)
 98
         return actuate_base(trips, old, 1);
 99
      }
100
      #endif
```