# Information Engineering Department Institute of Communication, Information and Perception Technologies University of Pisa, Scuola Superiore Sant'Anna



# From natural language requirements to Simulation Monitors: Synthesis through code generation

Master Degree in Embedded Computing Systems

Supervisors:

Prof. Marco Di Natale

Prof. Giorgio C. Buttazzo

Author:

Marco Emanuele Celia

**External Supervisor:** 

Dr. Stylianos Basagiannis

University of Pisa

July 2017

# Acknowledgements

Without the effort of several people this work wouldn't be possible. First of all, I would like to thank my supervisor, Marco Di Natale, for having introduced me into the world of the Model-Based Design, for being always available to answer my questions and clarify my doubts and, most important, for his precious life teachings.

I would like to thank United Technologies Research Center for the big opportunity they gave to me. In this six months I experienced a professional and high qualified environment. I have been really surprised on how employees are considered to be the most important resource to achieve their purposes. A special thank to Vassilios Tsachouridis who really made me capable to deal with the complexity of Control Systems. I consider myself very lucky for having worked with him. Thank also to Stylianos Basagiannis who always watched over me and ensured of my wellness. Lastly, thank to the rest of the team, Juan Valverde and Georgeos Giantamidis for the hard work and the funny moments.

I would like to mention also people who indirectly contributed to this work.

Un ringraziamento speciale ai miei amici per non avermi mai fatto mancare il loro aiuto, con le parole e, soprattutto, con i fatti. Senza il contributo di ciascuno di voi non sarei arrivato a questo traguardo.

Grazie a Miriam per essermi stata accanto in questi anni, per avermi sopportato e avermi sempre offerto una via di fuga dai miei pensieri.

Infine, grazie alla mia famiglia per non avermi mai fatto mancare il loro supporto e la loro fiducia.

# **Abstract**

The increasing level of complexity of modern embedded systems concurs to enhance the gap between the textual representation of High-Level System Requirements and the testing units in charge of their verification. Such gap is worsened by the possible presence of errors and omissions in the natural language requirement and causes engineers to inject into the verification units features derived from their personal interpretation.

The goal of this Master thesis is to provide a framework consisting of a requirement (loose) syntax, a requirements editor, a parser, and an automatic synthesis tool, which helps engineers writing high level requirements in a structured natural language with a contract-based paradigm, thus reducing, as much as possible, inconsistency and common errors, and directly generating verification monitors for a target platform.

To restrict the domain and the framework complexity and make the problem affordable, the first version of the tool is restricted to the controls domain and assumes the use of Simulink as a modelling and simulation tool. To ease the generation process, a control verification Simulink library has been implemented.

# **Table of contents**

| Li | List of figures |         |                                     |    |
|----|-----------------|---------|-------------------------------------|----|
| 1  | Introduction    |         |                                     |    |
|    | 1.1             | Develo  | opment Models                       | 1  |
|    | 1.2             | -       |                                     | 2  |
|    |                 | 1.2.1   | Definition                          | 2  |
|    |                 | 1.2.2   | Guidelines                          | 3  |
|    |                 | 1.2.3   | Requirement Specification languages | 4  |
|    |                 | 1.2.4   | Readability versus Formality        | 5  |
|    |                 | 1.2.5   | Requirements Specialization         | 5  |
|    |                 | 1.2.6   | High-Level Requirements             | 6  |
|    | 1.3             | Verific | ation tools                         | 6  |
|    |                 | 1.3.1   | Property checking                   | 6  |
|    |                 | 1.3.2   | Automatic monitor generation        | 8  |
|    | 1.4             | Propos  | sed Tool                            | 8  |
|    |                 | 1.4.1   | Premise                             | 8  |
|    |                 | 1.4.2   | Custom Editor                       | 9  |
| 2  | MD              | B and H | Lybrid Systems                      | 10 |
|    | 2.1             | Why n   | nodels                              | 10 |
|    | •               |         | Based Design                        | 11 |
|    |                 | 2.2.1   | Basis elements                      | 11 |
|    |                 | 2.2.2   | Automatic Code Generation           | 12 |
|    |                 |         | l Systems                           | 13 |
|    |                 | 2.3.1   | State Machines                      | 13 |
|    |                 | 2.3.2   | Time-Based Model                    | 14 |
|    |                 | 2.3.3   | LTI System                          | 15 |
|    |                 | 2.3.4   | Mixed Models                        | 16 |

Table of contents

|    |        | 225                 | E IM II                            | 1.0        |  |  |  |  |  |
|----|--------|---------------------|------------------------------------|------------|--|--|--|--|--|
|    |        | 2.3.5               | Formal Model                       | 16         |  |  |  |  |  |
|    |        | 2.3.6               | Examples                           | 19         |  |  |  |  |  |
| 3  | Forr   | Formal Verification |                                    |            |  |  |  |  |  |
|    | 3.1    | Temporal Logic      |                                    |            |  |  |  |  |  |
|    |        | 3.1.1               | Linear Temporal Logic              | 21         |  |  |  |  |  |
|    |        | 3.1.2               | Computation Tree Logic             | 23         |  |  |  |  |  |
|    |        | 3.1.3               | Property Specification Language    | 26         |  |  |  |  |  |
|    |        | 3.1.4               | Signal Temporal Logic              | 27         |  |  |  |  |  |
|    | 3.2    | Patterr             | ns Identification                  | 29         |  |  |  |  |  |
|    |        | 3.2.1               | Property Specification Patterns    | 29         |  |  |  |  |  |
|    |        | 3.2.2               | Domain Patterns                    | 32         |  |  |  |  |  |
|    | 3.3    | The Co              | ontract Paradigm                   | 35         |  |  |  |  |  |
| 4  | The    | Frame               | work                               | 37         |  |  |  |  |  |
|    | 4.1    | From 1              | Requirements to Monitors           | 37         |  |  |  |  |  |
|    |        | 4.1.1               | Syntax Definition                  | 38         |  |  |  |  |  |
|    | 4.2    | Suppo               | rt from Modeling Environment       | 40         |  |  |  |  |  |
|    |        | 4.2.1               | Signal Exporter                    | 40         |  |  |  |  |  |
|    |        | 4.2.2               | STL operators library              | 42         |  |  |  |  |  |
|    |        | 4.2.3               | System Performance Control Library | 45         |  |  |  |  |  |
|    | 4.3    | Design              | n Patterns                         | 51         |  |  |  |  |  |
|    |        | 4.3.1               | Factory                            | 51         |  |  |  |  |  |
|    |        | 4.3.2               | Visitor                            | 54         |  |  |  |  |  |
|    | 4.4    | Requir              | rements Editor                     | 55         |  |  |  |  |  |
|    |        | 4.4.1               | Data Dictionary Importer           | 56         |  |  |  |  |  |
|    |        | 4.4.2               | Context Aware Syntax Helper        | 58         |  |  |  |  |  |
|    |        | 4.4.3               | Abstract Syntax Tree Generation    | 62         |  |  |  |  |  |
|    |        | 4.4.4               | Target Platform Generation         | 64         |  |  |  |  |  |
| 5  | Con    | clusions            | S                                  | 66         |  |  |  |  |  |
|    | 5.1    | Future              | Work                               | 67         |  |  |  |  |  |
| D. | ·fores | 202                 |                                    | <i>(</i> 0 |  |  |  |  |  |
| K  | eferen | ces                 |                                    | 69         |  |  |  |  |  |

# **List of figures**

| 1.1 | Waterfall Model                                                    |
|-----|--------------------------------------------------------------------|
| 1.2 | V-Model                                                            |
| 1.3 | Requirement specialization                                         |
| 1.4 | Off-line, Passive On-line and Active On-line monitors from [MNP08] |
| 1.5 | Framework                                                          |
| 2.1 | Modeling                                                           |
| 2.2 | Elements of MBD from [Beh06]                                       |
| 2.3 | Hybrid System Structure                                            |
| 2.4 | Hybrid System: Tick Generator                                      |
| 2.5 | Tick Generator Internals                                           |
| 2.6 | Hybrid System: Bouncing Ball                                       |
| 3.1 | CTL formulas                                                       |
| 3.2 | Property Scopes                                                    |
| 3.3 | Pattern Hierarchy                                                  |
| 3.4 | Rise Time                                                          |
| 3.5 | Overshoot                                                          |
| 3.6 | Settling Time                                                      |
| 4.1 | Requirement Framework                                              |
| 4.2 | STL Simulink                                                       |
| 4.3 | Test of STL Always-Eventually                                      |
| 4.4 | Until Simulation                                                   |
| 4.5 | Timed Until Implementation                                         |
| 4.6 | System Performance Control Library                                 |
| 4.7 | Input References                                                   |
| 4.8 | Detector's masks                                                   |
| 10  | Detectors' time behavior                                           |

| f ' 4 C C        | •••           |
|------------------|---------------|
| I 10f Of Hallrec | X/11          |
| List of figures  | VII           |
|                  | · <del></del> |
|                  |               |

| 4.10 | Ramp Detector Implementation | 48 |
|------|------------------------------|----|
| 4.11 | Overshoot Blocks' Masks      | 49 |
| 4.12 | Overshoots' Time response    | 49 |
| 4.13 | Overshoots' Implementations  | 50 |
| 4.14 | Factory                      | 52 |
| 4.15 | Node Hierarchy               | 54 |
| 4.17 | Signal Readers UML           | 56 |
| 4.18 | Importer Dialog              | 57 |
| 4.19 | CSV Data Dictionary          | 57 |
| 4.20 | XML Data Dictionary          | 58 |
| 4.21 | Syntax Sections              | 59 |
| 4.22 | Word-Trie                    | 60 |
| 4.23 | Assumption completion        | 60 |
| 4.24 | Assertion completion         | 61 |
| 4.25 | Requirements Document        | 61 |
| 4.26 | ANTLR generation process     | 62 |
| 4.27 | Basic syntax Example         | 62 |
| 4.28 | Intermediate Representation  | 63 |
| 4.29 | Platform Generators UML      | 64 |
| 4.30 | Build Window                 | 64 |
| 4.31 | Population Result            | 65 |
|      |                              |    |

# **Chapter 1**

# Introduction

# 1.1 Development Models

Every industrial product has its own *life-cycle* which starts when the need of a new product arises, and continues with the requirements identification, design, development and verification processes. Furthermore several other activities regarding the product maintenance could be part of the cycle. There are several approaches describing the sequentiality of the tasks in the product life cycle, such as the so-called *Waterfall model* (Fig.1.1), in which a phase starts after the completion of the previous one and the deliverables at each phase follow an unidirectional flow as in a pipeline.



Fig. 1.1 Waterfall Model

The military standard MIL-STD-2167A, which establish a uniform development model applicable during the whole system life-cycle is an example of a waterfall model.

The *V-model* (Fig.1.2) enforces the temporal correlation among the development and validation phases. The activities on the left hand side of the V are associated with models of the system, where each subsequent activity represents a refinement of the model from the previous activity. The processes on the right hand side of the V correspond to verification (testing) activities. The results of a test phase validate the structure of the correspondent developing phase.



Fig. 1.2 V-Model

This work focuses on the first stage of a generic product development model, i.e. Requirement analysis, trying to reduce the gap with its relative validation.

# 1.2 Requirements Fundamentals

### 1.2.1 Definition

"...Requirements definition is a careful assessment of the needs that a system is to fulfill. It must say why a system is needed, based on current and foreseen conditions, which may be internal operations or an external market. It must say what system features will serve and satisfy this context. And it must say how the system is to be constructed..." — Doug Ross [RS77]

Regardless of the adopted development model, the first, and critical, step to approach a product development is the definition of the System Requirement specifications. It is much more than a functional specification, it is the groundwork for all the future stages and it has to catch everything is needed in terms of performance, behaviors and constraints to be satisfied.

Being the requirement analysis the fundamental step that drives the design and implementation phases it is also worth noting how errors at this stage, or *early* errors, are much more costly in terms of time to be fixed than *late* (design or implementation) errors. The DoD Software Technology Plan [oD91] states that "late defect fixes are typically two orders of magnitude cheaper than early defect fixes, and the early requirements and design defects typically leave more serious operational consequences."

### 1.2.2 Guidelines

The result of the system requirements specification process is an unambiguous and complete specification document. It should help:

- a) System customers to accurately describe what they wish to obtain;
- b) System suppliers to understand exactly what the customer wants;

Furthermore, a good system requirements specification (SRS) should provide several specific benefits to the stakeholders, such as the following:

- Establish the basis for agreement between the customers and the suppliers on what
  the software product is supposed to do. The complete description of the functions
  to be performed by the software specified in the SRS will assist the potential users
  to determine if the software specified meets their needs or how the software must be
  modified to meet their needs
- Reduce the development effort. The preparation of the SRS forces the various concerned groups in the customer's organization to consider rigorously all of the requirements before design begins and reduces later redesign, recoding, and retesting. Careful review of the requirements in the SRS can reveal omissions, misunderstandings, and inconsistencies early in the development cycle when these problems are easier to correct.
- Provide a baseline for validation and verification. Organizations can develop their validation and verification plans much more productively from a good SRS. As a part of the development contract, the SRS provides a baseline against which compliance can be measured.

Attempts to reduce as much as possible the inconsistencies coming from the plain text descriptions has been proposed in several standards. The IEEE 830-1998 [CB98] offers a metric to produce and evaluate a good system requirements specification in terms of

- a) Correctness
- b) Unambiguity
- c) Completeness
- d) Consistency
- e) Verifiability
- f) Modifiability
- g) Traceability

while the MIL-STD-498 [oD94] was a United States military standard whose purpose was to establish uniform requirements for systems development and documentation. Those standards rather than automatic tools are guidelines to achieve a good specification for the system.

# 1.2.3 Requirement Specification languages

As said above, the requirement document quite often serves as a "contract" between designers and the costumers, as such it has to be understandable also from those people having a non technical background, so quite often they are given with many pages of natural language descriptions, sometimes flanked with manually derived diagrams that represent the structure of the design. Due to its nature, the natural language specification of a property could be very far, and sometimes totally unrelated, from a formal definition. For instance, natural language could be lacking, redundant or misleading. Even worse, the requirement definition is generally the result of an empirical process subjected to ambiguity, subjectivity and imprecisions.

The literature provides several methods aiming to avoid bad-formed requirements. All of them are based on the addition of a certain degree of formality in the syntax used to define the property referring a specific requirement. The most general classification of the specification languages is into *formal*, *semi-formal* and *informal*.

A language is formal if its syntax and semantic are defined in a rigorous mathematical way. A formally expressed requirement provides a high level of verifiability. Furthermore,

the process of translating natural into formal language requires the analysts to improve their comprehension of the requirement semantic. In fact, in order for the translation to be successful they have to verify, and eventually eliminate, the presence of ambiguities from the natural language definition.

Semi-formal languages are usually expressed in a graphical manner, aimed to provide a non-ambiguous description through an easier syntax that has not necessarily a direct mapping to a mathematical semantics, but is often characterized by a set of rules (a metamodel) that constrain the set of structures and properties that can be expressed. The *structured natural language*, which will be of interest in the following chapters, could be in turn part of this category. In particular it can be considered as plain text enriched by a set of constraints on the structure and the type of statements that can be written.

Informal languages are those that have neither a rigorous syntax or rigorous semantic. In particular the syntax is derived from the relative grammatic and the semantic is that rich that makes impossible its formalization. Despite all this, they are the most commonly used, and, hence, a good specification always relies on the experience of designers.

# 1.2.4 Readability versus Formality

The more we increase the syntax formality and the more the number of possible inconsistencies is reduced. As a drawback, requirement specifications become increasingly technical, difficult to understand and very distant from its natural language expression. There are several reasons why this aspect represents an obstacle to the usability of these techniques. First, a requirements document can hardly be used or accepted as a contract among stakeholders since there are no guarantees that one of the parts is able to understand the meaning of the formulas. Further, their use implies that engineers have a minimum level of expertise in the definition and understanding of formal requirements. Although usability does not constitute the strength of this approach the reason why formal languages are still of interest is due to their capability of totally avoiding ambiguity and possibly inconsistency.

# 1.2.5 Requirements Specialization

A direct consequence of the use of formal languages is the possibility to perform automatic verification, but, as previously said, rarely the specifications are formally written, implying, several manual translation stages from natural language.

This work bridges the gap between formal and informal representation of requirements. In order to do so, the effort has been spread along an ideal line starting from the natural up to the formal language description. The first step consists of defining a syntax which

allows the presence of free-text, limited to selected portions of the sentencse, and, at the same time, preserving a well defined structure. Once the requirements are structured according to this loose syntax, it is then possible to apply automatic processing technique to recognize *common patterns*, i.e. all those properties having a direct correlation, in terms of temporality or property semantic, with a specific formal language pattern. Finally the formal properties are used to generate verification monitors to be used at simulation time.



Fig. 1.3 Requirement specialization

# 1.2.6 High-Level Requirements

System requirements are rarely written in a formal language, and the non-rigorous nature of plain text constitutes the main obstacle to automatic generation of monitors out of the specification. Writing requirements in a semi-formal shape rather than a plain text will make them suitable to language processing techniques. To enforce this concept, in certain application domains, requirements refer to properties having a well-known semantic. In these cases, also plain text requirements tend to have a fixed structure. Performance requirements in a control system are an example. These requirements tend to have an invariant textual form compared, for instance, to system's hardware structure or generic control algorithms.

1.3 Verification tools

# 1.3 Verification tools

# 1.3.1 Property checking

In general, the problem of determining whether a property  $\phi$  is satisfied from system S could be faced in many ways depending on the set of environmental conditions in which the system and the property are defined. Being not too much formal we can define a system S as an entity that correlates inputs and output signals according to a precise law, while the *model* of the system as a set of possible *states* in which the system can be, each state  $x_i$  ranging over the domain  $X_i$ . A system evolves over the time domain and the function  $\beta: T \to X$ , associating a state to a precise time instant, is called *behavior* of the systems. Within this context a property  $\phi$  defines a subset of the systems' state and a property *monitor* is the entity that verifies whether a certain behavior *satisfies* the property, i.e. whether  $L_{\phi} \in X$ .

The procedure leading to the verification of a property, or formula, consists of associating a function  $\Omega_{\phi}: X \to B$  which, given the set of all possible behaviors returns a boolean value meaning whether the property is satisfied or not. Behaviors are examined one at time assuming the presence of a simulation unit that produces them. A monitor is hence another unit which cooperates with the system simulator mainly in three ways (Fig. 1.4).



Fig. 1.4 Off-line, Passive On-line and Active On-line monitors from [MNP08]

In *off-line* monitoring monitors check simulation traces against formulas. Since monitors are not constrained to be causal over the execution time this technique constitutes the easiest way to perform model checking. In the *on-line* methods the monitor is running in parallel with the simulator, we refer to *active* on-line if the monitor is also affecting, through a

1.4 Proposed Tool

feed-back loop, the simulation inputs, and *passive* on-line otherwise. In general, on-line monitors have the advantage of being able to assert satisfaction or violation of a property while the simulation is running, this allows time consuming simulations to be terminated and to avoid dangerous behaviors that may occur after the violation of the property. The cost we pay for an on-line monitoring is that formulas must be causal, i.e. it is not possible to check a property at certain time *t* as function of states occurring later than *t*. Since this work focuses mostly on dynamic controls system domain monitors that are better suited to fit it are of the type passive on-line.

# **1.3.2** Automatic monitor generation

Under the assumption that requirements are written in formal language, i.e. absence of inconsistencies, the generation of verification monitors for simulation can be performed in an automatic way.

Code generation procedures are always targeted to a specific platform, which in turn varies as function of the application domain. For what regards dynamical systems typical targets are simulation frameworks such as Simulink by Matworks[Sim] and LabVIEW[Lab]. Together with the target platform usually code generation starts from a model of the entities we want generate for.

Tools such as Acceleo[acc] are based on the prior definition of the mode of the system architecture, allowing language independent code generation from any kind of EMF compatible meta-model, such as UML, UML 2.0 and SysML. Also Simulink with the Embedded Coder offers the possibility to customize the C/C++ code generated from any Simulink model.

Another chance is to not rely on the presence of a system model and generate code implementing verification monitors directly from statements expressed in some formal language. The work in [BDNCT17] starts from properties expressed in the STL formal language[MNP08] and produces Simulink monitors, to ease the auto-generation procedure it makes use of a library implementing the STL temporal operators.

# 1.4 Proposed Tool

### 1.4.1 Premise

This work aims at showing the feasibility of a tool that starts from semi-formal system specifications and ends up with verification monitors to be plugged into a simulation model of the system. The number of particular cases to deal with it is huge and the scalability of the approach is a key factor that needs time to be addressed. However, due to the impact that

1.4 Proposed Tool

such a tool could have in the design and verification processes, the problem has been sized in order to be manageable at least with the purpose of producing a proof of concept prototype.

For the above reasons we decide to use, as a case study, the high-level requirements for dynamic control systems. Such requirements has been restructured in the *contract-base* paradigm, which, basically, expect the formulation of the property as a composition of two main sections, *assumption* and *assertion*, were the first logically implies the second.

Further the formalization of the requirements has been performed using the STL formal language, which, unlike many others temporal logics derived from LTL, adds some domain specific features that will be better described in sec.3.1.4. Finally, as target platform, Simulink has been selected since it is one of the most used simulation tools for such application domain. A graphical representation of the whole framework together with the smart editor, which will be discussed in next section, is presented in figure 1.5.



Fig. 1.5 Framework

# 1.4.2 Custom Editor

The smart editor is meant as the tool helping users to write semi-formal requirements. It has been implemented as an Eclipse Editor plug-in, from which inherits many features common to most commercial editors such as *context-aware* text completion and syntax error checking. The editor comes with it is own syntax which even if for the time being is deeply application domain oriented preserves a modular an easily extensible software structure.

1.4 Proposed Tool

Some more specific features are the capability to import a data dictionary which is ideally synchronized with the target model and generate platform dependent monitors.

# Chapter 2

# **MDB** and Hybrid Systems

# 2.1 Why models



Fig. 2.1 Modeling

We can define a model as a simplification of the reality (Fig.2.1). Models can be of any nature, *mathematical models* are, typical, sets of equations, *physical models* could be mock-ups aiming to provide a final picture of what the system will look like and so on.

Usually a model is the result of a process affected of different metrics. In a very generic perspective the first is the determination of *model type*, namely which of all the possible approaches, leading to a correct result, to model our system (mathematical, graphical, textual

and so on) is the most appropriate one. In practical cases this step translates in choosing the most appropriate modeling tool.

The second is the determination of the *level of abstraction* of our model, since any system can be view as a composition of several layers one may be more interested in representing features of some of them. However, a good model has always to be connected enough to reality, indeed the risk to oversimplify may cause the model to lose meaningful information.

The previous metrics could be in turn influenced by the *model purpose*. One possible scenario is when industries and organizations wants to shorten as much as possible the development time, the most natural way to accomplish that is to reuse as much as possible what they already have implemented. Reuse always implies knowledge, therefore models can be used to provide graphical and more intuitive documentations for the software or system. This is the case of UML [JIG<sup>+</sup>99] and SysML[sys], the first is a general-purpose visual modeling language that is used to specify, visualize, construct, and document the artifacts of a software system, while the latter was defined as extension of the first and provide support for the specification, analysis, design, verification, and validation of systems that include hardware, software, data, personnel, procedures, and facilities.

On the other hand there could be many cases in which for a certain application domain, aerospace for instance, fully test the final product before using it's an high costly process. More, sometimes reproducing all the possible testing cases could be either too difficult or too dangerous, just think to nuclear applications. Hence, for all of these reasons, systems models could be used to simulate behavior, perform tests and verify compliance against the design. The methodology considering the model as the primary artifact for simulating the system behavior and verify properties on the behavior is called *Model Based Design*.

# 2.2 Model Based Design

# 2.2.1 Basis elements

In a traditional development, usually a system engineer defines the overall system specification and presents it as a design document to software engineers, who will have the task of implementing those ideas into a fully working solution. However, the main problem with this approach is the fact that in most cases the ideas presented by the system engineer via the specification document may widely differ to the implemented software. Even the most detailed and diligently prepared type of documentation may not always guarantee

that the design document generated by the system engineers would be fully understood and interpreted correctly by the implementing software programmers. The Model Based Design (MBD) approach enables behavioral modeling based on a mathematical formalism and executable semantics, and it's the reference approach for the analysis of the system, its verication by simulation, the documentation of the design and the automatic generation of a code implementation (Fig. 2.2).



Fig. 2.2 Elements of MBD from [Beh06]

### 2.2.2 Automatic Code Generation

In classical development models the implementation phase follows the design, at this stage the developers will generate suitable software code in a selected language to implement the system. If the system definitions are not clear enough, the programmers would refer to system designer for clarification, but, despite these clarifications, there's still the possibility that the developed system may be different from the one that system designers had in mind. Even worse, it may contain coding errors that invalidates all the tests performed during the design. Although unlikely not even the case in which programmers job is perfect and there are no coding errors could make hand-coding the preferable approach, indeed just consider that there could be always the need to perform small changes inside the source code, such changes, whether not propagated in the models, rapidly will make the implementation divergent from the design.

MBD offers the capability to greatly improve the above approach. Within such methodology models can be used as the input to an automatic code generation tool. Usually MBD tools offers a framework at least for modeling and generate code from models, those framework commonly comprise a language offering the capability to explore model features and use them for producing target specific code.

# 2.3 Hybrid Systems

## 2.3.1 State Machines

Systems are functions that transform signals. A broad class of systems can be characterized using the concept of state and the idea that a system evolves through a sequence of changes in state, or state transitions. Such characterizations are called state-space models. A state-space model describes a system procedurally, giving a sequence of step-by-step operations for the evolution of a system. It shows how the input signal drives changes in state, and how the output signal is produced.

A description of a system as a function involves three entities: the set of input signals, the set of output signals, and the function itself,

$$F: InputSignals \rightarrow OutputSignals$$

For a state machine, the input and output signals have the form

EventFlow: 
$$\mathbb{N}_0 \to Symbol$$

where  $\mathbb{N}_0 = \{0, 1, 2, ...\}$  and Symbol is an arbitrary set. The domain of these signals represents an ordering relation that does not necessarily corresponds to time, discrete or continuous. Ordering of the domain means that it is possible to say whether one event occurs before or after another one, but without the knowledge of how much time elapses between these events.

We can define *state machine* that entity that constructs the output signal one symbol at a time by observing the input signal one symbol at a time. Specifically

$$StateMachine = (States, Inputs, Outputs, update, initialState)$$

where States, Inputs, Outputs are sets, update is a function, and  $initialState \in States$ . The meaning of these names is:

**States** is the set space

**Inputs** is the input alphabet

**Outputs** is the outputs alphabet

**initialState** is the initial state  $\in$  *States* 

**update** :  $States \times Inputs \rightarrow States \times Outputs$  is the update function

The update function makes possible for the state machine to construct, step by step, the output signal by observing the input signal. In particular, if  $x(n) \in States$  is the current state at step n, and  $u(n) \in Inputs$  is the current input symbol, then current output symbol and the next state are given by the following

$$(x(n+1),y(n)) = update(x(n),u(n))$$

The above could be decomposed in two different functions, one for new state and one for output

$$x(n+1) = nextstate(x(n), u(n))$$
(2.1)

$$y(n) = output(x(n), u(n))$$
(2.2)

where

 $nextstate: States \times Inputs \rightarrow States$  $output: States \times Inputs \rightarrow Outputs$ 

### 2.3.2 Time-Based Model

The previous section defines input and output signals of a state machine as a collection of *events*. These events are generated in a domain which, usually, does not have a relation with a time set but, rather, represents just an ordered set. If we require events to happen at time instants that are multiple of a certain time quantity  $\delta$  we have that

$$t_{-}e_{i}-t_{-}e_{j}=\alpha\cdot\delta, \quad i>j, \alpha\in\mathbb{Z}_{+} \quad \forall i,j\in\mathbb{N}_{0}$$

where  $t_e_i$  and  $t_e_j$  are the time instant in which occur events  $e_i$  and  $e_j$ . Under this assumption the state machine becomes a *time-based model*, i.e. it reacts at all times in a base T.

Another specialization of could be achieved by imposing, as further assumption, that state, input and output spaces be numeric sets

$$States = \mathbb{R}^N$$
,  $Inputs = \mathbb{R}^M$ ,  $Outputs = \mathbb{R}^K$ 

Combining the previous two assumptions we can define a *discrete-time system*, and the index n in (2.1) and (2.2) is called *time index*. Finally, we require that

$$u(n) \in \mathbb{R}^M$$
 and  $y(n) \in \mathbb{R}^K \quad \forall n \in T$ 

Therefore we disallow the capability, proper of state machines, to handle special "do nothing" input called *absent*.

# 2.3.3 LTI System

In discrete-time systems the time base  $T \equiv \mathbb{Z}_+$ , a definition of continuous-time system could be achieved if we relax T to  $\mathbb{R}_{0^+}$ . This last category of systems shares many mathematical properties with its discrete-time version, but they can no longer be view as state machines since inputs, outputs, and state transitions do not occur at discrete instances.

Formally, a representation of a continuous time system is given,  $\forall t \in \mathbb{R}_{0^+}$ , by

$$\dot{x}(t) = nextstate(x(t), u(t))$$
$$y(t) = output(x(t), u(t))$$

The system is defined as *linear* if functions *nextstate* and *out put* are linear. It is also said *time invariant* if both do not change over time. As result a system holding these two properties is said Linear Time Invariant (LTI). An interesting property of those system is that they can be represented in a compact matrix-based form. The *nextstate* function is a  $N \times (N+M)$  matrix, while the *out put* is a  $K \times (N+M)$  matrix. If we partition both in two sub-matrix, the first of each comprising the first N columns we get

$$\dot{x}(t) = Ax(t) + Bu(t)$$
$$y(t) = Cx(t) + Du(t)$$

where 
$$A \in \mathbb{R}^{N \times N}, B \in \mathbb{R}^{N \times M}, C \in \mathbb{R}^{K \times N}$$
 and  $D \in \mathbb{R}^{K \times M}$ .

The major difference between discrete and continuous system is that the new state is represented with the derivative of the current state instead of a function of current input and state. The motivation is that the derivative, which represents the trend of a function,

better depicts the continuous evolution of the system rather than express it as a value at the successive time index.

### 2.3.4 Mixed Models

Sections 2.3.1 and 2.3.2 provided definitions of state machines and time-based model, trying to qualify the latter by imposing some constraint on the, more general, model of the first. In 2.3.3 such link was definitively broken due to the relaxation of the time to a continuous set.

In general, the two different models are used as alternative views of the same system. Even for simpler cases of discrete-time systems, which, though different from the continuous time, keep a precise mapping relationship between time and discrete time, retrieve the state machine relative to the time model is not straightforward. The reason is that operations of state machines normally acts according to a logic clear and understandable in response to situations or events that arise from the outside, such as pressing of buttons, the attainment of steady state conditions and so on.

In order to get state machine models to coexist with time-based models, we need to interpret state transitions on the time line used for the time-based portion of the system, be it continuous time or discrete time. The resulting models are called hybrid systems. A hybrid system combines time-based signals with sequences of events. The time-based signals are of the form  $x: T \to R$  where R is some range (such as  $\mathbb{R}$  or  $\mathbb{C}$ ), and T is the time domain, discrete or continuous. In 2.3.1 we defined the event signals as

$$u: \mathbb{N}_0 \to Symbols$$

for a hybrid system, however, these have to share a common time base with the time-based signals, so they must be in the form

$$u: T \rightarrow Symbols$$

Thus, events occur in time. Typically, for most  $t \in T$ , u(t) = absent, meaning that the state machine does not perform any action.

### 2.3.5 Formal Model

The general structure of an hybrid system is shown in figure 2.3.



Fig. 2.3 Hybrid System Structure

As previously mentioned, inputs and outputs may include either asynchronous events and time-based signals. In addition, each state of the state machine is associated with a time-based system, which is usually named *refinement* of the state. The refinement represents the time-based behavior of the hybrid system while the internal machine is in the relative state. In order to prevent mess in the notation, those state referring to the state machine are usually called *modes* while with *states* are referred those of the refinements. Such notation strengthen the concept of a systems which alternates different time-based behaviors depending on the operating mode. Summarizing, for *state* of an hybrid system is meant the pair (m(t), s(t)) where s is the state of the time-based refinement system associated with mode m.

A formal model for an hybrid system could be defined similarly to the one in 2.3.1, indeed

HybridSystem = (States, Inputs, Outputs, TransitionStructure, initialState)

where States, Inputs and Outputs are sets,  $initialState \in States$  is the initial state and TransitionStructure is the evolving law of the system in time  $t \in T$ , from now on we assume  $T \equiv \mathbb{R}_+$ .

 $States = Modes \times RefinementStates$  represents the state space containing pairs mode, refinementState as previously mentioned. The set of possible modes is finite, while no constraint are on the refinement state set.

 $Inputs = InEvents \times TimeInputs$  corresponds to the set of input symbols. InEvents is an

alphabetic set in which each symbol stands for the description of the event, it also includes the special "do nothing" input *absent*. *TimeInputs*, instead, contains all the inputs to which the refinement reacts. A complete input to the hybrid system is hence the functions pair  $u: \mathbb{R}_+ \to InEvents$  and  $x: \mathbb{R}_+ \to TimeInputs$ . It's useful to recall that, apart for a limited number of cases, the function relative to the events for the most of the time is set to the value *absent*.

Outputs = OutEvents × TimeOutputs is the set of output symbols. In strong analogy with what already done for the Inputs set, we can identify OutEvents as the alphabetic set containing those symbol representing the description of the event, and TimeOutputs as the one containing all possible outputs for the refinement. The entire output of the hybrid system is then the functions pair  $v : \mathbb{R}_+ \to OutEvents$  and  $y : \mathbb{R}_+ \to TimeOutputs$ . Even in this case for the most of the time the function v(t) is equal to absent.

The *TransitionStructure* determines how a mode transition occurs and how the refinement state changes over time. The evolution of an hybrid system occurs with the alternation of two phases, one associated to the transitioning and the other to the keeping of the current mode. In general, for state machines the transition between states is regulated by the verification of a particular conditions named *guards*. Such conditions consists of an event,internal or external, occurrence. For hybrid system the concept of guard is slightly extended, in particular, given the system in a mode *m* with relative refinement in the state *s*, the guard leading to a destination mode *d* has the form

$$G_{m,d} = U_{m,d} \times X_{m,d} \times S_{m,d} \subset InEvents \times TimeInputs \times RefinementStates$$

commonly, associated to a mode transition there is an output event  $v_{m,d}$  and a function action,  $A_{m,d}: Refinement States \to Refinement States$ , which updates the value of the refinement state. The transition from mode m to mode d occurs at time t if the triple  $(u(t), x(t), s(t)) \in G_{m,d}$ . If it is the case, after the transition (which is considered instantaneous) the system starts operating in mode d with refinement state equal to  $s(t+) = A_{m,d}(s(t))$ , producing the output event  $v_{m,d}$ . In the case no guard is satisfied at time t the systems evolves in the current mode. The refinement state s(t) and the time-based output y(t) are then determined by the time-based input signal x(t) according to equations governing the refinement dynamics (see Sec.2.3.3). The alternation of the two phases discussed above can be represented as  $\bigcup_{i=0}^{\infty} (t_i, t_{i+1}]$ , during each interval the active phase is the one who maintain constant the operation mode, while the transition phase take place at the rightmost time instant of every interval.

# 2.3.6 Examples

**Timed Automata** The simplest continuous-time hybrid systems that can be analyzed is a timed finite state machine measuring passage of time, it has a very simple refinement dynamics that can be modeled with a first-order differential equation,

$$\dot{s}(t) = 1, \quad \forall t \in T_m$$

where  $T_m \subset T$  is the subset of time during which the hybrid system is in mode m. Figure 2.4 shows a timed automata which generates a tick at time intervals alternating between 1 and 2 seconds. Although simple such example shows all the basic features of an hybrid system, namely the alternate evolution between time-count phase and tick-phase (Fig.2.5a), output event signal most of the time at absent value (Fig.2.5c) and refinement output, equal to the state in this case, as a signal resulting from a differential equation (Fig.2.5b).



Fig. 2.4 Hybrid System: Tick Generator



Fig. 2.5 Tick Generator Internals

**Bouncing Ball** An more interesting example is an hybrid system describing the dynamics of a bouncing ball. In this case the adoption of a mixed model greatly simplifies the representation of such a system, since, being it non-linear, finding a representation only through differential equation is not easy.

At time t=0 the ball is dropped from a certain height y(0)=h, it freely falls, with constant velocity  $\dot{y}(t)<0\,m/s$ , up to hit the ground, say at time t1. In that instant the *bounce* events occurs and, under the assumption of inelastic collision, the ball bounces back with an inverted velocity  $-a\dot{y}(t1)$ , where  $a\in(0,1)$ . After the ball reaches a certain height it falls back repeatedly. The model of the bouncing ball is illustrated in Figure 2.6a



Fig. 2.6 Hybrid System: Bouncing Ball

The *hit* condition is raised whenever the height of the ball is equal to 0, namely whenever it reaches the ground. In all other time instants in order to get position and velocity of the ball is enough to double integrate the acceleration (Fig.2.6b).

# **Chapter 3**

# **Formal Verification**

# 3.1 Temporal Logic

Temporal logic is a rigorous formalism for specifying behaviors of continuous and discrete systems [PM92, MP12] provides simple constructs to describe the order in which different "events" in the system should happen. The basic infrastructure of a formal language provides syntactical operators to handle property verification during time. In literature plenty of formalisms have been proposed, each one specializing either time or application specific features. First part of this chapter aims to analyze some of them starting from their common ancestor, providing also a general comparison.

# 3.1.1 Linear Temporal Logic

In the Linear Temporal Logic (LTL) time is implicitly represented as an enumerated sequence of reaction steps occurring in a discrete time space. Such temporal logics was developed to check properties in (typically hardware) systems with boolean, discrete-time signals.

LTL with *future* and *past* is defined using the following syntax:

$$\varphi := p \mid \neg \varphi \mid \varphi \lor \varphi \mid \bigcirc \varphi \mid \varphi U \varphi \mid \varphi S \varphi$$

where p belongs to a set  $P = \{p_1, \ldots, p_n\}$  of propositions indicating values of the corresponding state variable. LTL is interpreted over n-dimensional Boolean  $\omega$ -sequences of the form  $\omega : \mathbb{N} \to \mathbb{B}^n$ . We use  $\omega[t]$  to denote the value of a sequence  $\omega$  at position t and abuse p to denote the projection of w on variable p. The basic future temporal operators are next  $(\bigcirc)$ , which specifies what should hold in the next step and until  $(\mathcal{U})$ , which requires  $\varphi_1$  to hold until  $\varphi_2$  becomes true, without bounding the temporal distance to this becoming. From these

basic LTL operators one can derive other standard Boolean operators as well as temporal operators such as *eventually* ( $\Diamond$ ) and *always* ( $\square$ ):

$$\Diamond \varphi = True \ \mathcal{U} \ \varphi \quad \text{and} \quad \Box \varphi = \neg \Diamond \neg \varphi$$

Analogously, by means the past temporal operators, is possible to define *eventually in the*  $past(\diamondsuit)$  and always in the  $past(\boxminus)$ 

$$\Diamond \varphi = True \ S \ \varphi \quad \text{and} \quad \Box \varphi = \neg \Diamond \neg \varphi$$

The satisfaction relation  $(\omega, t) \models \varphi$  indicating that a sequence  $\omega$  satisfies  $\varphi$  starting from position t, is defined inductively as follows:

$$p \quad (\omega,t) \models \varphi \qquad \leftrightarrow \qquad p[t] = 1$$

$$not \varphi \quad (\omega,t) \models \neg \varphi \qquad \leftrightarrow \qquad (\omega,t) \nvDash \varphi$$

$$\varphi_1 \text{ or } \varphi_2 \quad (\omega,t) \models \varphi_1 \lor \varphi_2 \qquad \leftrightarrow \qquad (\omega,t) \models \varphi_1 \text{ or } (\omega,t) \models \varphi_2$$

$$next \varphi \quad (\omega,t) \models \bigcirc \varphi \qquad \leftrightarrow \qquad (\omega,t+1) \models \varphi$$

$$previously \varphi \quad (\omega,t) \models \bigcirc \varphi \qquad \leftrightarrow \qquad (\omega,t-1) \models \varphi$$

$$\varphi_1 \text{ until } \varphi_2 \quad (\omega,t) \models \varphi_1 \mathcal{U} \varphi_2 \qquad \leftrightarrow \qquad \exists t' \in [t,\infty) (\omega,t') \models \varphi_1 \text{ and } \forall t'' \in [t,t'), (\omega,t'') \models \varphi_2$$

$$\varphi_1 \text{ since } \varphi_2 \quad (\omega,t) \models \varphi_1 \mathcal{S} \varphi_2 \qquad \leftrightarrow \qquad \exists t' \in [0,t] (\omega,t') \models \varphi_1 \text{ and } \forall t'' \in (t',t], (\omega,t'') \models \varphi_2$$

$$eventually \varphi \quad (\omega,t) \models \Diamond \varphi \qquad \leftrightarrow \qquad \exists t' \geq t \ (\omega,t') \models \varphi$$

$$always \varphi \quad (\omega,t) \models \Box \varphi \qquad \leftrightarrow \qquad \forall t' \geq t \ (\omega,t') \models \varphi$$

$$(3.1)$$

A major difficulty in checking properties expressed in future LTL is due to the *non-causal* definition of the satisfaction relation. In other words, the satisfiability of  $\varphi$  at time t may depend on the value of  $\omega$  at some future time instant  $t' \geq t$ . Even worse, some temporal operators refer to future time instants in a *quantified* manner, for example, requiring some p to hold in all future time instants. The satisfiability of such a property may sometime be determined only at infinity, that is, "after" we can be sure that no instance of  $\neg p$  is observed.

The causality problem is not present anymore when the recursion goes backward in time, meaning that the satisfaction of a past formula  $\varphi$  by a sequence  $\omega$  at position t is determined only according to the values of  $\omega$  at the interval [0,t]. However the futuristic specification keeps a style more natural for humans, for this reason it has been adopted also by industrial specification languages such as PSL (3.1.3).

**Evaluation over incomplete behavior** Monitors do not exploit features of the model representing the system S, but rather observe sequences, i.e. model's outputs, as they are

24

produced during simulation. Although the LTL semantic is defined over *complete infinite sequences*, that is for all possible behaviors, is not possible to observe infinite sequence in finite time. Hence, trying to extend the LTL semantic to *incomplete behaviors* represents the hardest challenge in monitoring.

At the end of the observation of a certain sequence  $\omega$  we can assert one of the following with respect to the property  $\varphi$ 

- 1.  $\omega$  satisfies  $\varphi$ . Such situation happens, for example, when  $\varphi = \Diamond p$  and p occurs in  $\omega$ .
- 2.  $\omega$  not satisfies  $\varphi$ . For example, when  $\varphi = \Box \neg p$  and p occurs in  $\omega$ .
- 3.  $\omega$  is undecided. For example, when  $\varphi = \Diamond p$  and p has not yet occurred in  $\omega$ .

The category "undecided" can be further refined in order to distinguish, for instance, the "not yet violated" ( $\varphi = \Box \neg p$ ) category from the "not yet satisfied" one ( $\varphi = \Diamond p$ ).

Even for those cases in which the satisfiability of a property cannot be determined from the observed behavior we would like to give an answer at the end of the sequence. In order to achieve such objective we may consider some LTL sub-classes. One is the bounded-LTL. It provides only *next* as temporal operator, which, in turn, can be used to derive others such as bounded-always and bounded-eventually

$$\square_{[0,r]} \boldsymbol{\varphi} = \bigwedge_{i=0}^{r-1} \bigcirc^i \boldsymbol{\varphi} \text{ and } \lozenge_{[0,r]} \boldsymbol{\varphi} = \bigvee_{i=0}^{r-1} \bigcirc^i \boldsymbol{\varphi}$$

where  $\bigcirc^i$  is a shorthand for  $\bigcirc(\bigcirc(\cdots\bigcirc)p\ldots)$ ). Within this context of timed formulas a global property that has not been violated during the formula's lifetime is considered satisfied. Analogously a property expressing an eventuality not observed during the formula's lifetime is considered violated.

# 3.1.2 Computation Tree Logic

LTL formulas define properties referring individual executions, or simulations, that is, operators are provided for describing events along a single computation path.

The Computation Tree Logic (CTL) [CE08] extends this concept by expressing formulas with respect to many executions, or simulations, at once. In this sense it belongs to the family of *branching time logic*, in which operators quantify over the paths that are possible from a given state. The main feature provided by logic such as CTL is the possibility to add temporal connectives to the usual the usual atomic propositional logic formulas. The temporal connectives are expressions about paths into the future that the state of the system can follow.

25

The occurrence of a CTL formula is specified by means the pair *path*, *temporal* quantifiers. The first regards the possible execution paths that the system can follow starting from the current one. The second, instead, relates the occurrences within each single path.

It's clear how LTL logic represents a subset of CTL, in fact an LTL formula can be view as a CTL formula without the specification of the branch quantifier. However, part of the literature uses identify with CTL the sub-logic related to path and with CTL\* the one which unifies both path and temporal quantifiers. According that, LTL and CTL becomes two intersecting set, while CTL\* is the superset containing both. Anyway, for the sake of simplicity, in what follows we will make no difference between CTL and CTL\*, using the first in place of the second.

When evaluating a CTL formula the first member to be considered is the path quantifier. It can be

A meaning on all the path from the current state, read as "inevitably"

E meaning on at least one path from the current state, read as "possibly"

Once defined the occurrence among the paths, the second member to consider is the temporal quantifier, i.e.

**X** meaning the next state

**G** meaning all the future states, read as "globally".

**F** meaning in some future state

U meaning until

Combining the previous operators is possible to generate different types of formulas, suppose that the system is in some state *S* the formula

 $\varphi$  is true iff it is satisfied by the current state S

 $AX(\varphi)$  is true iff  $\varphi$  is true for every immediate successor of state S

 $\mathbf{AG}(\varphi)$  is true iff  $\varphi$  is true for every successor to state S, including S. That is,  $\varphi$  is true for all states on all paths into the future from S, i.e. the subtree originating from S

 $\mathbf{AF}(\varphi)$  is true iff on all paths into the future from S, there is a state where  $\varphi$  holds

**A** [ $\varphi_1$  **U**  $\varphi_2$ ] is true iff all paths starting in state S satisfy  $\varphi_1$  until the reach a state in which  $\varphi_2$  holds

 $\mathbf{EX}(\varphi)$  is true iff  $\varphi$  is true for at least one immediate successor to state S

 $\mathbf{EG}(\varphi)$  if true iff there is a path from S into the future for which  $\varphi$  holds for every state on the path, including S

 $\mathbf{EF}(\varphi)$  is true iff there exists a path into the future from S on which there is a state where  $\varphi$  holds

**E**  $[\varphi_1 \ \mathbf{U} \ \varphi_2]$  is true iff there exists a path starting in state S that satisfies  $\varphi_1$  until reaching a state in which  $\varphi_2$  holds

A graphical representation of the above formulas is shown in Figure 3.1



Fig. 3.1 CTL formulas

A subset Computation Tree Logic is supported for verification in UPPAAL, which is an integrated tool environment for modeling, validation and verification of real-time systems modeled as networks of timed automata [upp].

# 3.1.3 Property Specification Language

The Property Specification Language (PSL) [EF07] is a formal language for specification of electronic system behavior, compatible with multiple electronic system design languages. In 2005 it became an IEEE standard [IC<sup>+</sup>05]. PSL was designed to be mathematically rigorous, with the result that a PSL specification is both precise and automatically verifiable. Thus, a hardware specification written in PSL is machine readable and can be used as input to verification tools.

Being a specification language whose targets is the hardware, signals in PSL are used as stream of bits having a fixed length, and , for the same reason, time is meant as a sequences of *clock-cycles*. The structure of PSL is based on four layers

- The boolean layer is composed of Boolean expressions. PSL interprets a high signal as true, and a low signal as false, independent of whether the signal is active-high or active-low. Operations of the Boolean layer are expressed through the supported hardware specification languages such as Verilog, VHDL and so on.
- The temporal layer consists of temporal properties which describe the relationships between Boolean expressions over time. The semantic of temporal operators is quite similar to the LTL ones.
- The *verification layer* consists of directives which describe how the temporal properties should be used by verification tools. For instance, is possible to define verification or assumption directives, which tells the tools to verify the value of some property or specify coverage criteria. The verification layer also provides a means to group PSL statements into *verification units*.
- The modeling layer provides a means to model behavior of design inputs, and to declare and give behavior to auxiliary signals and variables

While the Boolean layer consists of Boolean expressions that hold or do not hold at a given cycle, the temporal layer provides a way to describe relationships between Boolean expressions over time. A PSL assertion typically looks in only one direction – forwards from the first cycle. Thus, the simplest PSL assertion **assert a**; states that signal **a** should hold at the very first cycle.

The PSL temporal operators are the following

**always** (p) meaning that property p must globally hold

**never** (p) meaning that property p must never hold

**next** (p) will hold if its operand, p, holds at the next clock-cycle. Variations on the next operator allows to specify ranges of future cycles, i.e. a **next a[i:j]**(p) property holds if its operand holds in all of the cycles from the  $i^{th}$  next cycle through the  $j^{th}$  next cycle, inclusive.

p until q provides a way to move forward, meaning that property p must hold until q hold. In order to include the cycle in which q holds the until\_ is normally used.

p before q is dual to until and requires that its first operand happen strictly before its second. Even for this case in order to include the cycle in which q holds, namely is allowed an overlap between left and right sides, the before\_ is used.

**eventually!**(p) allows you to specify that p must occur in the future without saying exactly when.

A good feature of PSL is that it let user choose how the formulas are evaluated in cases of incomplete behavior. Such problem, already discussed in section 3.1.1, rises whenever the simulation, or execution, time is not enough to determine the satisfiability of a formula. PSL handles this providing the possibility to define the strength of an operator, therefore operators can be claimed as *strong* or *weak* depending on the addition of an exclamation mark (!) to their names. Formulas with strong operators, marked with (!), are considered satisfied if the simulation time is *enough* and the property holds, for instance **next![n]** indicate that at least *n* cycles are needed. Some operators, anyway ,constitutes an exception since they are only allowed in their weak (**always**, **never**) or strong (**eventually!**) versions. Moreover, PSL offers many other versions of **next** associated with occurrence of events rather than cycles, for further details refer [EF07].

# 3.1.4 Signal Temporal Logic

Signal Temporal Logic (STL) [MN04] is a temporal logic for specifying properties on *dense-time real-valued signals*. Such a logic is particularly useful in domains like *control systems*, where continuous variables are used to model the physical plant under control. The natural models for such systems are differential equations, for purely continuous systems, or hybrid systems when the dynamics is mixed and contains mode switching, saturation, etc. Before going into details of STL is useful to analyze it's direct ancestor MITL.

**Metric Interval Temporal Logic** The *real-time temporal logic* MITL [AFH96] allows reasoning over Boolean signals over dense-time domains. Formally, signals are functions of the form  $s : \mathbb{T} \to \mathbb{B}$ , where the time domain  $\mathbb{T}$  is the set of non-negative real numbers  $\mathbb{R}_+$ .

We consider the logic  $\mathrm{MITL}_{[a,b]}$  as a fragment of MITL, such that all temporal modalities are restricted to intervals of the form [a,b] with  $0 \le a < b$  and  $a,b \in \mathbb{Q}+$ . Similarly to 3.1.1, the use of bounded temporal properties is justified by the nature of monitoring where the behavior of a system is observed for a finite time interval. The basic formulas of  $\mathrm{MITL}_{[a,b]}$  are defined by the grammar

$$\varphi := p \mid \neg \varphi \mid \varphi \lor \varphi \mid \varphi_1 \ \mathfrak{U}_{[a,b]} \ \varphi_2$$

From basic MITL[a,b] operators one can derive other standard Boolean and temporal operators, in particular the time-constrained eventually and always operators:

$$\lozenge_{[a,b]} \varphi = True \ \mathfrak{U}_{[a,b]} \ \varphi$$
 $\square_{[a,b]} \varphi = \neg \lozenge_{[a,b]} \neg \varphi$ 

The semantic of the unbounded operators is equivalent to the one provided for LTL (3.1), while the introduction of the time window modifies *until*, *eventually* and *always* as follow

$$(s,t) \models \varphi_1 \mathcal{U}_{[a,b]} \varphi_2 \leftrightarrow \exists t' \in [t+a,t+b] \ (s,t') \models \varphi_2 \ and \ \forall t'' \in [t,t'], (s,t'') \models \varphi_1$$
$$(s,t) \models \Diamond_{[a,b]} \varphi \leftrightarrow \exists t' \in [t+a,t+b], (s,t') \models \varphi$$
$$(s,t) \models \Box_{[a,b]} \varphi \leftrightarrow \forall t' \in [t+a,t+b], (s,t') \models \varphi$$

By using bounded operators we avoid the problems related to the ambiguity of  $\models$  when applied to finite signals or sequences. Nevertheless, even for  $MITL_{[a,b]}$  certain signals are too short to determine satisfaction of the formula, for example the property  $\Box_{[a,b]}\Diamond_{[c,d]}p$  cannot be evaluated on signals shorter than b+d.

We can now extend our semantic domain and logic to real-valued signals. While Boolean signals of finite variability admit a finite representation, this is typically not the case for real-valued signals which are often represented via sampling, that is a sequence of time stamped values of the form (t,s[t]). Although the semantics of the logic is defined in terms of the mathematical objects, for signals of the from  $s: \mathbb{T} \to \mathbb{R}^n$  is not possible to ignore issues related to their effective representation based on the output of some numerical simulator. For this reason STL does not directly cope with continuous signal, but rather via a set of abstraction of the form  $\mu: \mathbb{R}^n \to \mathbb{B}$ . Typically  $\mu$  partitions the continuous state-space according to the satisfaction of some inequality constraints on the real variables. As long as

 $\mu(s[t])$  remains constant we do not really care about the exact value of s[t]. However, in order to evaluate formulas we need the sampling to be sufficiently dense so that all such transitions can be detected when they happen. From now on we assume that we deal with signals that are well-behaving with respect to every  $\mu$ , that is, every change in  $\mu(s)$  is detected in the sense that every point t such that  $\mu(s[t]) \neq \lim_{t' \to t} \mu(s[t]')$  is included in the sampling.

We can define an STL formula as a  $\mathrm{MITL}_{[a,b]}$  formula over the atomic propositions  $\mu_1(s(t)),\ldots,\mu_m(s(t))$ , where each  $\mu_i$  is a predicate of the form  $\mu_i:\mathbb{R}^n\to\mathbb{B}$ . The monitoring process for STL formula decomposes hence into two phases, in which the first is always the construction of a Boolean "filter" for every  $\mu_i\in U=\{\mu_1,\ldots,\mu_m\}$ , which transforms s into a Boolean signal  $p_i=\mu_i(s)$ .

### 3.2 Patterns Identification

The drawback to using temporal logics for property specification is their steep learning curve for industrial practitioners. Consequently, designers and developers will be less likely to use verification tools if they must devote large amounts of time to learning a specification language. Even with significant expertise, dealing with the complexity of such a specification could be daunting. As many other disciplines, like *software engineering*, complexity in this context is addressed through the definition and use of common *patterns*. Patterns are meant as a further levels of abstraction, parameterizable and often formalism-independent.

# 3.2.1 Property Specification Patterns

Property specification patterns [DAC98] describe commonly observed requirements in a generalized manner. Observing the several formalisms introduced before is possible to notice how there are two basic parts of properties that commonly occur. The first tells when the property should hold, and the second tells what condition should be satisfied during this time. Precisely each formula consists of two pieces: a *scope* and a *pattern*. The scopes defines *when* a particular property should hold during the simulation, the pattern, instead, the condition that must be satisfied. The are five basic kinds of scopes that can be recognized,

**Globally** meaning the entire simulation

**Before R** meaning the entire execution up to the occurrence of **R** 

**After Q** meaning the entire execution from the occurrence of **Q** 

**Between Q and R** any piece of simulation from the occurrence of Q and the occurrence of R

After Q until R like above but holds even if R does not occur



Fig. 3.2 Property Scopes

Figure 3.2 illustrates the portions of an execution that are designed by the different kind of scopes.

Patterns are organized in a hierarchical manner based on their semantic. A the first level they are divided by *occurrence* and *order*. Firsts are used to express requirements related to the existence (or lack of existence) of certain states/events during well-defined regions of system execution, while seconds are used to express requirements related to pairs of states/events during well-defined regions of system execution. For both categories regions are defined using *scopes*. In the class of Occurrence patterns we find

*P* is false (Absence) to describe a portion of a system's execution that is free of certain events or states.

*P* is true (Universality) to describe a portion of a system's execution which contains only states that have a desired property.

P becomes true (Existence) to describe a portion of a system's execution that contains an instance of certain events or states.

P occur at most N times (Bounded Existence) to describe a portion of a system's execution that contains at most a specified number of instances of a designated state transition or event.

while Order patterns are

32

S precedes P (Precedence) to describe relationships between a pair of events/states where the occurrence of the first is a necessary pre-condition for an occurrence of the second.

S responds to P (Response) to describe cause-effect relationships between a pair of events/states.

 $Q_1 \dots Q_n$  **precedes**  $P_1 \dots P_n$  (**Precedence Chain**) to describe a relationship between a sequence of events/states and a sequence of events/states. The occurrence of sequence  $P_1 \dots P_n$  must be preceded by an occurrence of the the sequence  $Q_1 \dots Q_n$ .

 $P_1 \dots P_n$  **responds**  $Q_1 \dots Q_n$  (**Response chain**) to describe a relationship between stimulus events and a sequence of response events. The occurrence of the stimulus  $P_1 \dots P_n$  must be followed by an occurrence of the sequence  $Q_1 \dots Q_n$ .

Clearly patterns are not unique in the sense that one can be achieved by combination of some others. The Absence, for instance, is dual to Existence, while Precedence is converse to Response. This redundancy does not represents an issue but rather extends the usability of those patterns even in formalisms that not provide complete support for all scope operators. Figure 3.3 provides an overview of patterns classification.



Fig. 3.3 Pattern Hierarchy

Being each pattern defined over a scope, the number of possible achievable combinations corresponds to the dimension of the set generated by the product of scope and pattern sets. Each combination could be mapped in a specific requirements, therefore it can be independently translated in a chosen formalism. For the sake of briefness we show the complete LTL an CTL formalization for just a pattern, and refer [spe] for an exhaustive list.

Before describe the pattern lets define the *weak until* operator W which is used make less verbose the expression of some formulas.

LTL: 
$$P \mathcal{W} Q = P \mathcal{U} (Q \mid \Box P)$$
  
CTL:  $P \mathbf{W} Q = \neg \mathbf{E} (\neg Q \mathbf{U} (\neg P \& \neg Q))$ 

#### Universality P is true

Scope LTL Globally  $\Box P$ 

Before R  $A R \rightarrow (P \ U R)$ After Q  $\Box R \rightarrow (Q \rightarrow \Box P)$ 

Between R and  $Q = \Box ((Q \& \neg R \& \Diamond R) \rightarrow (P \& R))$ 

Scope CTL Globally AG(P)

Before R  $\mathbf{A}((P \mid \mathbf{AG}(\neg R)) \mathbf{W} R)$ 

After Q  $\mathbf{AG}(Q \to \mathbf{AG}(P))$ 

Between *R* and *Q*  $\mathbf{AG}(Q \& \neg R \to \mathbf{A}((P \mid \mathbf{AG}(\neg R)) \mathbf{W} R)$ 

After Q unit R  $\mathbf{AG}(Q \& \neg R \to \mathbf{A}(P \mathbf{W} R))$ 

#### 3.2.2 Domain Patterns

When dealing with complex systems quite often the requirements analysis is performed at different levels of abstraction. As result the complete specification is provided by many requirements documents, in which requirements of a certain level are grouped according to derivation from a *parent requirement* belonging to an higher level.

A typical scenario for control systems is that high-level requirements focus all those properties specific of that application domain. Examples are the so called *performance requirements*, which assess features of the system response over time. Since they refer properties having a well-known mathematical representation such kind of requirements in turn are prone to have a parameterizable definition. In other words they are suitable to become domain specific patterns.

A typical performance requirement expressed in natural language is the following

The controller system of the motor with inertia less than  $S_{In}$  should track a step speed command from zero to  $x_4$  with:

- 1. Settling time less than  $t_2$
- 2. Time Speed acceleration from zero to  $x_1$  less than  $t_1$
- 3. Overshoot less than  $x_2$
- 4. Time Speed deceleration from zero to  $x_1$  less than  $t_1$
- 5. *Undershoot less than*  $x_2$

An informal definition of the addressed requirements is the following

34

**Rise(Fall)-time** is the amount of time it takes for a signal to rise (fall) from an initial value to another value some distance from an expected steady state value in response to a step input (Fig.3.4)

**Overshoot** (**Undershoot**) is a quantity that defines how much a signal goes beyond an expected steady state value in response to a step input (Fig.3.5)

**Settling-Time** is the time it takes a signal to reach and remain within a band around a steady state value in response to a step input (Fig.3.6)



Fig. 3.4 Rise Time

In [KJD<sup>+</sup>16] J.Kapinski et al provided an STL formalization for above property. Since all of them are defined in response to an asynchronous step input they extended the STL language to provide the operator

$$step(x,a) \triangleq x(t+\varepsilon) - x(t) > a$$

where a is the step amplitude and  $\varepsilon$  corresponds to the smallest time variation following t. In the case the formula has to be verified by a discrete time monitors  $\varepsilon$  is equal to the sample time.

In STL, timed formulas can be nested such as, for example,

$$\Diamond_{[0,T]}(\mathbf{q} \wedge \Box_{[a,b]}\mathbf{p})$$



Fig. 3.5 Overshoot

The proposition  $\mathbf{p}$  is nested one level deeper than proposition  $\mathbf{q}$ . The meaning is that there has to be one time instant t in [0,T] (the outer Eventually condition) such that  $\mathbf{q}$  is satisfied in t and for all the system evolutions starting from time t, the condition  $\mathbf{p}$  is verified at some time between t+a and t+b. In a runtime monitor implementation, the evaluation of the global condition with  $\mathbf{p}$  depends not only on the time range of its temporal operator, but also on the time t in which  $\mathbf{q}$  is satisfied. If  $t_q$  is the time at which  $\mathbf{q}$  is satisfied, the time range in which  $\mathbf{p}$  is evaluated becomes  $[a+t_q,b+t_q]$ . The nested time interval [a,b] is therefore not an absolute time, but is relative to the time instant identified by the outer clause.

The STL expression of the performance requirements comes in a more readable shape if formulas aim to prove the presence of the property instead of their absence:

```
\begin{aligned} &\textit{RiseTime}(ref,x,a,t_1,x_1) && \diamondsuit_{[0,T]}(\textit{step}(ref,a) \land \Box_{[0,t_1]}(x < x_1)) \\ &\textit{FallTime}(ref,x,a,t_1,x_1) && \diamondsuit_{[0,T]}(\textit{step}(ref,a) \land \Box_{[0,t_1]}(x > x_1)) \\ &\textit{Overshoot}(ref,x,a,x_2) && \diamondsuit_{[0,T]}(\textit{step}(ref,a) \land \diamondsuit(x - ref > x_2)) \\ &\textit{Undershoot}(ref,x,a,x_2) && \diamondsuit_{[0,T]}(\textit{step}(ref,a) \land \diamondsuit(ref - x > x_2)) \\ &\textit{SettlingTime}(ref,x,a,t_2,x_3) && \diamondsuit_{[0,T]}(\textit{step}(ref,a) \land \diamondsuit_{[t_2,T]}(|x - ref| > x_3)) \end{aligned}
```

where T is the simulation time, ref is the command to the system and x is its output. In **REF** each pattern is coupled with a natural language representation, doing so we create the connection from natural to formal language, avoiding, at least for this class of requirements , ambiguities and errors.



Fig. 3.6 Settling Time

# 3.3 The Contract Paradigm

The contract-based paradigm, founded on the use of contracts as formal requirements, allows distributed designers to develop different aspects and components of the overall system in a concurrent but controlled way. In a component-based model, a component is a hierarchical entity that represents a unit of design and components are interconnected and communicate through ports carrying discrete or event values. Implementations and requirements can be attached to components, where requirements are expressed as *contracts* [BCF $^+$ 07, BFM $^+$ 08]. A contract is an assertion on the behaviors of a component (the promise) subject to certain assumptions. An assertion represents a set of runs of the component and a run can be seen informally as a sequence of values of the component's variables and ports. Therefore a contract C is the pair of assertions

$$C = (A, G)$$

where A corresponds to the assumption, and G to the promise. The component's contract (A,G) corresponds to the requirement  $A \to G$  or equivalently  $G \cup \neg A$  on the implementation of the component. A component's implementation M satisfies the requirement if  $M \subseteq G \cup \neg A$ , in which case the implementation is said to satisfies the contract.

With reference to both requirements of 3.2.2, the assumption under which system performances have to be validated is specified in the subsentence "...with a system inertia less than or equal to  $S_{In}$ ". In fact it represents the environmental condition under which the system

has to guarantee a specific behavior. By coupling the definition of domain patterns with the contract formalization those requirement can be restructured as follows

| Req. ID | Formalization $C = (A, G)$ |                                          |          |  |  |
|---------|----------------------------|------------------------------------------|----------|--|--|
| R.01    | $(inertia \leq S_{In},$    | $\neg RiseTime(ref, x, a, t_1, x_1)$     | $\wedge$ |  |  |
|         |                            | $\neg Overshoot(ref, x, a, x_2)$         | $\wedge$ |  |  |
|         |                            | $\neg SettlingTime(ref, x, a, t_2, x_3)$ | )        |  |  |
| R.02    | $(inertia \leq S_{In},$    | $\neg FallTime(ref, x, a, t_1, x_1)$     | $\wedge$ |  |  |
|         |                            | $\neg Undershoot(ref, x, a, x_2)$        | $\wedge$ |  |  |
|         |                            | $\neg SettlingTime(ref, x, a, t_2, x_3)$ | )        |  |  |

Table 3.1 Formalized Performance Requirements

In complex models with multiple entities the interactions can be regulated by contracts of single components. Moreover, the system specification and validation can be conduced by combination of all components' assumptions and guarantees. Benveniste et al in [BCF<sup>+</sup>07] provide different modalities of combining requirements expressed as contracts.

It is common that each requirement reflect the interpretation of the customer needs related to a single aspect of the design and under some implicit or explicit hypothesis, that represents the precondition under which the behavior described in the requirement should be guaranteed. These *preconditions* do not represent the system's assumptions since they are not absolute constraints that the environment must satisfy. Instead, they model the enabling conditions under which the proposed behavior must be exposed by the system. As example, such preconditions are identified in performance requirement by the verification of a step input, since it acts as trigger for the evaluation of the effective promise related to the property. In [MFF13] Mangeruca et al deeply analyze this difference, providing also a richer definition of the classical contract paradigm as the triple

$$C = [A, (P, Q)]$$

where A is the assumption, P is the precondition and Q is the guarantee. The newer semantics of the contract is then represented by the logical formula  $A \to (P \to Q)$ . For an in-depth exploration of such extended contracts please refer the reading.

# **Chapter 4**

# The Framework

# **4.1** From Requirements to Monitors

The components structure of the developed framework is shown in Fig. 4.1.



Fig. 4.1 Requirement Framework

**Model to Tool** The tool cooperates with a modeling environment through two actions. The first consists of using a model reader to import the list of all model's signals and parameters into a data dictionary. This allows to write requirement referring entities directly with the

same names as they are specified in the model. In addition to names, the import phase concur to gather information about data types, boundary values and measuring units.

**Tool to Model** The second actions consists of populating the model with monitors generated out of the requirements. Such action is strictly dependent on the platform on which the model is defined. For this reason the tool has been designed to be as flexible as possible, by providing a set of *Platform Generators* modules, each one for a specific target platform. In general, in order to ease its task, a platform generator could be supported with some platform libraries enclosing either operators or atomic instructions. In the case of Simulink the produced result is a script which, once executed, adds new requirements blocks to the provided model.

**The Editor** In order to write requirements the tool offers a smart editor. It provides the most common user relieving features, such as the context-aware syntax completion ad coloring. Requirements are written according to a specific loose syntax, which is basically equivalent to an ordered sequences of natural language keywords. Even in this case, due to the large variability of possible syntaxes, the tool shows flexibility and provide support for syntax updates with very low effort.

**The Parser** The syntax accepted by the editor is not as formal as a the one of a programming language, this complicates not a little the translation of a requirement as it is written. Therefore, before being delivered to a platform generator, the content of a requirement document is transformed into a syntax tree by means of a *Mid Level Parser*. This action, although adds a further step to the synthesis process, ease the task of the platform generator since restructures its input in order to be programmatically analyzable.

Following sections describe in depth all the components. As first version the tool support interactions only with Simulink, which is one of the most used modeling tools. However, for the sake of completeness, during explanation particular attention will be pose to emphasize all techniques adopted, during the development, to enforce extensibility of the tool. For this reason, also a brief survey of common Design Patterns will be conduced in 4.3.

## 4.1.1 Syntax Definition

The syntax of a requirement document has been developed in order to define requirements as contracts, the guarantee will be referred as an assertion, while the concept of precondition has not been explicitly used.

The grammar of the syntax is proposed as a list of recursive rules, each mandatory rule is enclosed within angular parentheses, while an optional one is enclosed within square parentheses. At the end of the recursion, rules are primitive, in the sense that they could be expressed through primitive data types (String, Integer, ...).

The entire syntax is defined as follow

```
Requirement Document = <Requirement List>
2 Requirement List = <Requirement>[Requirement List]
Requirement = <Header><Assumptions Section><Assertions Section>
4 Header = <ID><Title>
5 ID = 'R' < Requirement Number >
6 Requirement Number = <unsigned int >['.'Requirement Number]
7 Title = <string>
8 Assumption Section = <"ASSUMPTION"><Assumption List>
9 Assumption List = <Assumption > ["AND" Assumption List]
Assumption = <Comparison statement> | <Signal Generator> | <Reference>
Comparison Statement = <Signal ID><Intermission><Comparison-op><SPV>
12 SPV = <Signal ID> | <Parameter ID> | <Value>
13 PV = <Parameter ID> | <Value>
Signal ID = FROM_DATA_DICT
15 Parameter ID = FROM_DATA_DICT
Value = <double>
Intermission = [Free-text] < "is" | "not" > [Free-text]
Free-text = \langle string \rangle
19 Comparison-op = \langle L_EQ \rangle | \langle G_EQ \rangle | \langle EQ \rangle
L_EQ = \langle "less than" \rangle ["or" EQ]
_{21} G_EQ = < "greater than" > ["or" EQ]
EQ = < equal to >
23 Signal Generator = <Signal ID><"is"><Generator Type>
24 Generator Type = <Step> | <Ramp>
25 Step = <Step Type><"with amplitude"><PV><"beginning in"><PV>
26 Step Type = <"step"> | <"downstep">
27 Ramp = <"ramp with amplitude"><PV><", duration"><PV><"beginning in"><PV>
28 Reference = <Signal ID><"is reference">
29 Assertion Section = "ASSERTION" < Assertion List >
30 Assertion List = <Assertion >["AND" Assertion List]
31 Assertion = <Control Assertion>
22 Control Assertion = <Overshoot> | <Undershoot> | <Rise_Fall Time> |
       <Settling Time>
Overshoot = <Signal ID><"overshoot shall be less than"><PV>
34 Undershoot = <Signal ID><"undershoot shall be greater than"><PV>
35 Rise_Fall Time = <Signal ID><"shall"><Rise_Fall><"from"><PV><"in less
     than "><PV>
36 Rise_Fall = <"rise"> | <"fall">
```

Settling Time = <Signal ID><"time to settle to"><PV><"shall be less than"><PV>

# 4.2 Support from Modeling Environment

The cooperation of the requirements tool with a modeling environment could be easier if from the latter's side are provided some utilities. A good practice when writing requirements is to fill a data dictionary with system's components names and always refer them with that. To enforce the use of a data dictionary a modeling environment may offer the capability to partially generate it by exporting all entities in the model. From the other side, the process of auto-generate monitors for a targeted modeling environment can be lightened if the requirement tool could make use of built-in libraries. The libraries used to provide support for monitors generation have been already described in [BDNCT17]. Since this thesis is meant as continuation of that work such libraries are reanalyzed, possibly providing further details, also in this context. Next sections explore in a more detailed way these utilities, providing also examples in the case of Simulink.

## 4.2.1 Signal Exporter

A Simulink model can be view as a collection of connected blocks, where each connecting line represents a signal. In complex models the number of signals is in the order of thousands. The environment allow to name every signal but, for the sake of practicality, does not force users to do so. Although naming, at least the more significant, signals indisputably represents a good modeling practice, rarely professional models comply with such rule. The common situation is that in real models names are provided only for blocks and subsystems' ports, which are not allowed to be unnamed.

In order to be effective, a good Simulink signals exporter cannot avoid to consider the above aspect. In other words, it cannot rely on the fact that all meaningful signals' lines are named, and, somehow, has to overcome this problem. As possible solution, the signals exporter can, in first instance, collect all the lines' names and then continue with all the subsystems' output ports' names. Such approach allows to pick up a broad number of signals' names, however, it does not prevent from possible inconsistencies. As example, it does not produce results for models not defining subsystem blocks and for which no names are associated to lines. Further, since it prioritize lines rather than ports, for models in which a line and a port have the same name, which is perfectly legal in Simulink, the exporter will

consider just one name for both. These limitation, however, represents borderline situations which are also deprecated by modeling practices.

A signals exporter can be implemented with the following Matlab function, it requires as input the model and the file to fill with the signals' names.

```
function signalExport(sys, fname)
      ssys = find_system(sys, 'BlockType', 'SubSystem');
      ssys = {sys, ssys {1:end}};
      lines = find_system(ssys, 'FindAll', 'on', 'type', 'line');
      signals = containers. Map;
      for i = 1: length (lines)
          conn = get_param(lines(i), 'Connected');
          name = get_param(lines(i), 'Name');
          if (size(name, 2) > 0 \&\& strcmp(conn, 'on'))
              signals(name) = 1;
          end
      end
      ports = find_system(ssys, 'BlockType', 'Step');
13
      ports = [ports ; find_system(ssys, 'BlockType', 'Ramp')];
14
      ssys = ssys(2:end);
15
      ports = [ports ; find_system(ssys, 'BlockType', 'Outport')];
16
      onames = get_param(ports ,'Name');
      t = isKey(signals, onames);
      allkeys = [keys(signals) onames(t==0)'];
      signals = containers. Map(allkeys, ones(length(allkeys),1));
      file = fopen(fname, 'a+');
      k = keys(signals);
      for i=1:length(k)
23
          fprintf(file, 'signal,%s,,,,\n', strjoin(k(i)));
24
      end
25
      fclose (file);
26
27 end
```

In addition to line and subsystems' outputs, it further refines the collection including also names of particular signals generation block, i.e. *Step* and *Ramp*. The choice of these two block is motivated by the fact that inside the editor's syntax (4.1.1) there is an explicit reference to these kind of signal. The exporter can be extended as will simply adding clauses for new block types, as interesting new candidates, signal generators available in Simulink are the *Pulse Generator* and the *Sinusoidal Wave*.

It's possible to notice that the functions write the file according to a CSV format. This choice is dependent on the way the requirements tool expects to import data dictionaries, and will be clarified in section 4.4.1.

### 4.2.2 STL operators library

In order to generate online monitors, the following restrictions has been introduced to the STL language.

- 1. The maximum level of nesting for temporal operators is two.
- 2. If there is a nested temporal operator, the condition on which the outer operator is evaluated must be a conjunction and at least one of the terms of the conjunction must be a proposition (not a temporal operator).
- 3. If  $T_b$  is the maximum value for all the endpoints of the intervals defined in the inner (nested) temporal operators, then the terms of the conjunction that are not temporal operators can only be true at time instants that are separated by a time interval always greater than  $T_b$ .

The STL operators library implements a Simulink version of the *And* plus the most common STL operators (Fig.4.2).



Fig. 4.2 STL Simulink

The And block is needed to implement nested temporal operators, in particular, it represents the conjunction among outer and inner propositions. Despite the name, it is quite different from the classical logical And since it does not returns **true** if P and Q are **true** at the same time, but rather if Q becomes **true** at some the time t after P became **true**. In order to verify Q it returns, through the DELAY port, the time in which P was verified, such time is needed to correctly compute the interval of the Q's temporal operator.

All the operators blocks keep their output constant after a the property is detected. However, to facilitate their use in simulations concatenating several test cases, a reset input is also provided. Fig. 4.3 shows two test cases for *Always* and *Eventually*, one causing them return true and one false.



Fig. 4.3 Test of STL Always-Eventually

In particular, it is possible to notice that the two operators have different behaviors due to their dynamics. The Always produces positive outputs only at the end of the time interval relative to the current test case (Fig.4.3a). Conversely, the Eventually operator returns positive feedback immediately after the occurrence of a positive input (Fig.4.3b).

Compared to its brothers, the timed *Until* operator has a more complex dynamics, in fact, in presence of multiple test case during the same simulation, it is not possible to determine a priori the instant in which it reacts to each input sequence. Fig. 4.4 present a possible multiple cases simulation for the timed Until.

The operator returns true if within a time interval the proposition P is true at least once and, for all the time before this happen, the proposition Q is true. The simulation provide four different time intervals. For the first, the operator always returns true since Q is always true until P becomes true. For the second interval, it immediately returns false since, after the reset, the proposition Q is false. After the second pulse of signal reset the operator returns again true, indeed this scenario is perfectly analogous to the first one. During the last time interval, there is yet another behavior. The operator is not immediately returning false, Q is true after the reset, but rather when Q becomes false since P has not yet became true. Note that another behavior, which has not been included for the purpose of not overload the graphics, is observable for the edge case in which Q is always true within a reset and the end



Fig. 4.4 Until Simulation

of a time interval, and P is always false in the same time. In this case the operator reacts with a negative output only at the end of the time interval, since, till the end, it "waits" for P becoming true.

The Simulink implementation of the STL timed Until is depicted in Fig. 4.5. The other operators are implemented in a similar, and simpler, shape. The complete library is available at [bal].



Fig. 4.5 Timed Until Implementation

### **4.2.3** System Performance Control Library

Section 3.2.2 provided an STL formalization of the most common control system performance requirements. In the same has been argued that such formalizations represent patterns, namely parameterizable properties having a fixed formal structure. Offering an implementation of those pattern is the main purpose of the *System Performance Control Library* (SPCL), it provides several atomic blocks able to verify the violation of performance requirements. The library block-set is presented in Fig. 4.6.



Fig. 4.6 System Performance Control Library

The entire block-set has been developed to operate in a simulation environment that uses a fixed-step solver for *ODE* integration. Possible future versions of the library will eliminate such limitation, allowing their use with a variable-step solver, by simply forcing the user to set a sample time for the block to discretize time and input signals.

A first categorization of all blocks could be performed by dividing them in *checkers* and *detectors*. Checker blocks, as the name suggest, are those in charge of effectively assert the violation of the property. In order to do so, they need to cooperate with the detectors blocks, which are pulse emitters based on the behavior of their input signals. The cooperation between detectors and checkers can be *implicit* or *explicit*, and allows to split the latter into two more subcategories depending on the type.

Blocks belonging to the first, whose name starts for "s", internally perform the classification of the input type by means of a step (up or down) detector. Therefore, those blocks direct implement the formulas of section 3.2.2. Ideally this subcategory is enough to verify performance requirements, since these properties are defined under the hypothesis of step as reference input. The reason why the library includes more general versions of this blocks, based on an explicit cooperation with an input detector, comes from the practical user experience. Indeed, many times, along multiple experiments, users may adopt reference

signals sharing common features with steps, but having some substantial differences which makes them undetectable as steps. Two common examples are steps followed by a rate limiter (Fig. 4.7a) and pulse generators (Fig. 4.7b). The first is typically used to avoid sharp changes on input and basically transforms a step into a ramp, while the second is used to provide multiple inputs since it can be view as a sequence of up and down steps.



Fig. 4.7 Input References

In order to support those kind of inputs, without forcing the user to modify existing model to comply with the library, the blocks family starting with "t" label can be used. Unlike the implicit blocks, in addition to the *Trigger* produced by a detector some of them may need more information that normally can be inferred by the reference signal, like, for instance, the steady-state value.

**Signal Detectors** As previously said, detectors blocks emit pulses every time the input signal shows an expected behavior. The parameter to evaluate the conditions are set from the user by means of the blocks' masks. In what follows will be focused just the step-up and the ramp detectors, step-down and rise-fall detectors are not considered since the first works reciprocally to the step-up while the second is just a parallel composition of a step-up and a step-down. From the blocks' masks (Fig.4.8) is possible to note that step-up detector, unlike ramp-detector which requires start and duration time, has not parameter which are functions of time, this allow to use it multiple times in the same simulation. A possible time behavior for both detectors is shown in Fig. 4.9, in the case of the step, due to the detectors definition, does not make difference if the input signal is a single step or a step train. Indeed, the detector implementation expects that it reacts every time there is a difference of at least



Fig. 4.8 Detector's masks

Step size between two time-consecutive samples of the input signal. The implementation of



Fig. 4.9 Detectors' time behavior

the ramp detector is more complex, it is based on the idea that the block must check if, for all t in [Start, Start + Duration], the input signal is a line with a slope equal to  $\frac{Amplitude}{Duration}$ . This definition can be formally written with the following STL

$$\Box_{[St,St+Dur]} \left\{ \frac{dx}{dt} = = \frac{Ampl}{Dur} \right\}$$

Such formula can be easily implemented with the Always operator of the STLib (4.2.2). Please note that in the real implementation (Fig.4.10) the equality of slopes is not checked through the equal operator, but rather ensuring that their difference is less than a very small quantity. This approach has been adopted to avoid possible numerical issues on determining the exact equality of two numbers.



Fig. 4.10 Ramp Detector Implementation

**Property Checkers** For each performance requirements the library provides two different blocks depending on the type of cooperation with a signal detector. Time behavior and internal structure of blocks-couples relative to each property are very similar. Therefore, without losing generality only overshoot requirement will be analyzed as a case study.

The property's parameters, provided through the blocks' mask, are slightly different in the case of implicit (Fig.4.11a) or explicit (Fig.4.11b) reference detection. Indeed, if the blocks has to internally perform the step-up detection it needs to know the step size. Conversely, if the block only receives a detection trigger such parameter is not needed anymore. However, in order for the latter working properly, the information needed to estimate the overshoot has to be provided through a further input port, which has been labeled as "SS Value" (Fig.4.6). The common parameters of the two blocks are *Tolerance*, which represents the maximum tolerated distance among *Sig* and *Ref* (or *SS value*), and *Interval Size*, which corresponds to the simulation time.



Fig. 4.11 Overshoot Blocks' Masks

Two possible simulations involving *sOvershoot* and *tOvershoot* are shown in Fig.4.12. For the first a step has been used as reference input, while for the second a ramp. Both blocks reacts immediately after the violation of the requirement.



Fig. 4.12 Overshoots' Time response

The blocks have a layered structure which recalls the level of nesting of the parent STL formula. Essentially, the Simulink implementation of the two blocks only differ for the signal used as first input of the *And* operator inside the blocks' first layer (Fig.4.13). Such signal correspond to the proposition used at the left of the internal conjunction in nested STL temporal operators. Therefore, the STL formula, implemented in the *tOvershoot* block, can be rewritten as

$$\lozenge_{[0,T]}\big\{Trigger \land \lozenge\{Sig-SSValue \geq Tolerance\}\big\}$$

In order to avoid redundancy, the content of *overshoot* subsystem of Fig.4.13 has not been reported. Indeed, for both versions of the blocks, its structure is analogous to the first layer, i.e. an STL eventually with a less than or equal to proposition as input.



Fig. 4.13 Overshoots' Implementations

All other property checkers follow the same philosophy of overshoot blocks. Although with them a good coverage of the performance requirements has been achieved, as future extension other properties may be included, making the *SPCLibrary* a complete tool-chain for the analysis, during simulation, of several control systems models.

# 4.3 Design Patterns

In object-oriented software design a pattern describes a problem which occurs over and over in the environment, and then describes the core of the solution to that problem, in such a way that you can use this solution multiple times [VHJG95]. Design patterns make it easier to reuse successful designs and software architectures, and helps avoiding design alternatives that compromise reusability.

Design patterns solve many problems that object-oriented designers face every day, like

**Finding appropriate objects** The hard part about object-oriented design is decomposing a system into objects. Design patterns help identifying abstractions and the objects that can capture them.

**Determining object granularity** Objects can vary tremendously in size and number. Design patterns address this issue as well. Many of them describe specific techniques of decomposing an object into smaller objects.

**Specifying object interfaces** Interfaces are fundamental in object-oriented software systems. There is no way to know anything about an object without going through its interface. Design patterns help defining interfaces by identifying their key elements and the kinds of data that get sent across an interface.

An exhaustive treatment of all known design patterns requires an huge effort, and leads to cover situation that are out of the scope of this work. Hence, herein only two of them, those really involved, will be taken into consideration. Being scalability and extensibility key factors of the proposed framework, particular care must be payed on the software architecture. The use of patterns belonging to *creational* and *behavioral* classes greatly helps to accomplish this objectives.

## **4.3.1** Factory

Creational patterns abstract the instantiation process. They help make a system independent of how its objects are created, composed and represented. A class creational pattern uses inheritance to vary the class that's instantiated, whereas an object creational pattern will delegate instantiation to another object. Creational patterns become important as system evolve to depend more on object composition than class inheritance. As that happens, emphasis shifts away from hard-coding a fixed set of behavior toward defining a smaller set of fundamental

behavior that can be composed into any number of more complex ones. Thus creating objects with particular behavior requires more than simply instantiating a class.

The intent of the *Factory Method* is defining an interface to create objects, but let decide which class to instantiate. The UML representation of the Factory pattern is shown in Fig.4.14



Fig. 4.14 Factory

**Product** defines the interface of the objects the factory method creates

Concrete Product implements the Product's interface

Creator declares the factory method

**Concrete Creator** overrides the factory method to return an instance of a ConcreteProduct

Sometimes class Factories are implemented as *Singleton*, which is another design pattern ensuring that in the system there is only one instance of the class. The client class request for the creation of new a new concrete product to the Factory and uses object through their interface. Typically the client provide to the Factory a products identifier that is used, for instance, inside a switch/case to determine the correct concrete product to be instantiated. However, managing all possible Concrete Products by hard-coding the logic to create them is not flexible. For this reason, more sophisticated techniques are usually adopted, they make

use of the so called *registry* and let Concrete Products register themselves into the factory. Follows a Java implementation example of the Factory pattern, it make use of *Reflections*, which is mechanisms to discover information about the fields, methods and constructors of loaded classes. Further, it allows to use reflected fields, methods, and constructors to operate on their underlying counterparts.

```
interface Product {
    String getName();
3 }
4 class ProductOne implements Product {
    static {
      ProductFactory.instance().register("One", ProductOne.class);
    public String getName() { return "instance of ProductOne"; }
9
      . . .
10 }
11 class ProductTwo implements Product {
    static {
      ProductFactory.instance().register("Two", ProductTwo.class);
13
    public String getName() { return "instance of ProductTwo"; }
16
17 }
19 class ProductFactory {
    // Singleton
    static private ProductFactory inst = new ProductFactory();
    static public ProductFactory instance() { return inst; }
    // The registry
    private HashMap registry = new HashMap();
    public void register(String productID, Class productClass) {
      registry.put(productID, productClass);
26
27
    public Product create(String ID) {
28
      Class pClass = (Class) registry.get(ID);
29
      if (pClass == null) {
30
        System.err.println("Product " + ID + " not registered");
        return null;
      }
33
      try {
34
        Constructor pConstructor = pClass.getDeclaredConstructor(null);
        return (Product)pConstructor.newInstance(null);
      }
37
38
```

```
39 ...
40 public static void main(String[] args)
41 {
42    Class.forName("ProductOne");
43    Class.forName("ProductTwo");
44    ...
45 }
```

The Factory uses an associative set in order to couple Concrete Products with their identifier. Each Concrete Product register itself through the initial static block, however, in order to be sure of having all the registration done before start creating Concrete Product, the loader method "Class.forName(ClassName)" has to be called.

#### **4.3.2 Visitor**

Behavioral patterns are concerned with algorithms and the assignment of responsibility between objects. Behavioral patterns describe not just patterns of objects or classes but also the patterns of communication between them. These pattern characterize complex control flow that's difficult to follow at run-time. They shift the focus away from flow of control to let concentrate just on the way objects are interconnected.

Visitor pattern uses inheritance to encapsulates behavior that would otherwise be distributed across classes. The intent of the Visitor pattern is to represent an operation to be performed on the elements of an object structure. Visitor lets define new operation without changing the class so the elements on which it operates. In abstract syntax trees, for instance, due to the heterogeneity of nodes' semantic, several distinct operation can be performed. A first approach could be to define an abstract class, *node*, to be the base of an hierarchy of derived class each one implementing a node with a specific semantic 4.15.



Fig. 4.15 Node Hierarchy

The are two main problems of this solution. The first is that the node interface will become too fat in a short time, since all the methods must be part of the interface to be inherited. The second is that the solution does not scale, in fact, if new operations are needed on the node class then the entire hierarchy has to be modified. The Visitor pattern provides a smarter solution which expects to decouple the node structure form its operations, by using additional classes to implement the node visit 4.16a. Then the node class, through the *accept* method, is only providing the "hook" for a generic visitor. 4.16b



Visitor makes adding new operations easy. It is possible to define new operation over an object structure simply by adding new visitor in contrast to spreading functionality over many classes, which requires to change all of them to define new operation. A visitor gathers related information and separates unrelated ones. Related behavior is not spread over the classes defining the object structure but rather it is localized inside a visitor. However, when using visitor adding new sublasses of node is hard, indeed each new subclass gives rise to a new abstract operation on the visitor, and then require to change all concrete visitors. As partial solution, there could be exceptional cases in which the base visitor provides default implementations that can be inherited from the derived classes. This is the case of ANTLR [ant], a popular syntax parser that will be better discussed in 4.4.3.

# 4.4 Requirements Editor

The core application of the presented framework is the *Requirements Editor*. It has been implemented as an *Eclipse Editor Plugin*, which provides a set of built-in editing features such as syntax coloring and suggestions engine. The editor is the tool to which the user is directly exposed. It has to provide a user friendly interface and, in the mean time, ensure the construction of well defined requirements. One of the main practical rules for removing entities ambiguities in specifications documents is to use, since the beginning, a Data-Dictionary. It shall contain all the entities referred inside the document, each of them

appearing as a record having several explanatory fields. The editor provides support for importing different types of Data-Dictionary (Sec.4.4.1).

In order to support user in writing syntax coherent requirements the editor provides an helpful engine to *suggest* and *autocomplete* sentences (Sec.4.4.2). They can be also used, especially in the firsts usage attempts, as a mean allowing user to learn the syntax. Such functionality, which are common of many evolved programming editors, are cheap in therms of implementation for formal syntax, but, the more the syntax becomes informal, the more they become expensive. In any case, being extremely difficult comply with all possible inputs combinations, they are usually meant as best-effort tools.

Most likely the main capability of the editor is to allow user to export monitors that can run in several modeling platforms. This is a key feature since allow to save implementation time and eliminate the presence of interpretation and coding errors. To enforce extensibility the complete process is performed in two steps (Sec.4.4.3 and 4.4.4) which are hidden to the user.

### 4.4.1 Data Dictionary Importer

Since the Data-Dictionary could be a file of any extension, the importer shall provide support all of them. Hence, the software structure of the importer has to be flexible in order to add, when needed, new file formats. This is a typical problem that software designers solves using the Factory pattern. Each file format needs its own importer, on its own the tool, which has to treat all of them in the same way, it is the only module knowing which importer to instantiate for a specific file. A possible class diagram of the signal readers' software structure is shown in Fig.4.17.



Fig. 4.17 Signal Readers UML

In its first version the importer provides support just for *CSV* and *XML* files, being them common formats for data file. The *SigFileReaderFactory* keeps the supported importers within an associative set, *registry*, which uses as keys the file extension; for instance the key of *CSVFileReader* is ".csv". Using this software structure adding further importers is a quite easy task, in fact it only requires to define the new importer class, e.g. *JSONReader*, deriving from *SigFileReader* and let it call the *SigFileReaderFactory* method *register*. The correct file reader to be instantiated is then determined from the extension of the file provided by the user through the window in Fig.4.18.



Fig. 4.18 Importer Dialog

Through the above dialog is possible to import only files that can be evaluated as Data Dictionaries. Such consistence check is performed through the function *isFormatValid* present in the SigFileReader interface. In particular, such function should provide a positive feedback whether the content of the file is formatted coherently to its extension, and if all of the required fields are present for all the entries of the Data Dictionary. In Fig.4.19 is shown an example of well-formed Data Dictionary.

|    | Α      | В          | С                                                          | D       | Е            | F        | G        |
|----|--------|------------|------------------------------------------------------------|---------|--------------|----------|----------|
| 1  | type   | id         | descr                                                      | units   | nominalValue | maxValue | minValue |
| 2  | signal | time       | The simulation Time                                        | seconds |              |          |          |
| 3  | signal | cmdup      | Step-up Command                                            | rpm     |              |          |          |
| 4  | signal | cmddown    | Step-down Command                                          | rpm     |              |          |          |
| 5  | signal | error      | Error signal:<br>cmdup(cmdown) -<br>motorspeed             | rpm     |              |          |          |
| 6  | signal | voltage    | Motor input, conincide with<br>signal ContrOut             | V       |              |          |          |
| 7  | signal | sysinertia | Inertia of motor load                                      | kgm2    |              |          |          |
| 8  | signal | motorspeed | The controlled signal: motor speed in pulse per revolution | rpm     |              |          |          |
| 9  | signal | ContrOut   | The signal produced by the controller                      | V       |              |          |          |
| 10 | param  | nomTemp    | nominal motor temperature                                  | Kelvin  |              |          |          |
| 11 | param  | gConst     | gravity                                                    | m/s2    |              |          |          |
| 12 |        |            |                                                            |         |              |          |          |

Fig. 4.19 CSV Data Dictionary

It requires the specification of the entry type, its id, two explanatory fields, description and measurement unit, and tree optional numerical values, bounds and nominal value. The same Data Dictionary in XML format is shown in Fig.4.20.

```
□<DataDictionary>
      □<Entry>
               <type>signal</type> <id>time</id>
                <descr>The simulation Time</descr>
                <units>seconds</units><nominalValue></nominalValue></maxValue></minValue></minValue>
        </Entry>
       □<Entry>
                 <type>signal</type><id>cmdup</id>
                 <descr>Step-up Command</descr>
                 <units>rpm</units><nominalValue></nominalValue><maxValue></maxValue></minValue></minValue>
       </Entry>
     □<Entry>
                <type>signal</type><id>cmddown</id>
                 <descr>Step-down Command</descr>
                 <units>rpm</units><nominalValue></nominalValue></maxValue></minValue></minValue></minValue>
       </Entry>
16
18
                 <type>signal</type><id>error</id>
19
                 <descr>Error signal: cmdup(cmdown) - motorspeed</descr>
20
                 <units>rpm</units><nominalValue>
                 </nominalValue>maxValue></minValue></minValue>
         </Entry>
     | | Entry>
                 <type>signal</type><id>voltage</id>
                 <descr>Motor input, conincide with signal ContrOut</descr>
                 <units>V</units><nominalValue></maxValue></maxValue><minValue></minValue>
         </Entry>
29
                 <type>signal</type><id>sysinertia</id>
                 <descr>Inertia of motor load</descr>
                 <units>kgm2</units><nominalValue></nominalValue></maxValue></minValue></minValue>
<type>signal</type><id>motorspeed</id>
                 <descr>The controlled signal: motor speed in pulse per revolution</descr>
36
                 <units>rpm</units><nominalValue></nominalValue></maxValue></minValue></minValue>
          </Entry>
<type>signal</type><id>ContrOut</id>
40
                 <descr>The signal produced by the controller</descr>
                 <units>V</units><nominalValue></nominalValue></maxValue></minValue></minValue>
         </Entry>
44
                 <type>param</type><id>nomTemp</id>
4.5
                 <descr>nominal motor temperature</descr>
46
                 </Entry>
<type>param</type><id>gConst</id>
                 <descr>gravity</descr>
                 <units>m/s2</units><nominalValue></nominalValue></maxValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></minValue></
        </Entry>
        </pataDictionary>
```

Fig. 4.20 XML Data Dictionary

## 4.4.2 Context Aware Syntax Helper

The Context Aware Syntax Helper provide functionality of word and sentences completion, most commercial editors offer their own such as [Int]. Typically, whenever the user is typing

something and does not remember the exact syntax of what follow, he press a keyword shortcut to invoke the helping engine. The prefix Context Aware is used to clarify that its suggestions varies not only according to the set of keywords preceding the invocation point, but also according the location, in therms of syntax section, on which such point lies.

The context awareness requires to perform kind of hierarchical inspection of the textual "neighborhood" surrounding the invocation point. Then the list of proposals is different according to the syntax section. In other words, it is possible to consider just one syntax for each section and compute a section-wise completion. The syntax defined in 4.1.1, can then be partitioned in *Requirement block*, which, in turn, encloses *HEADER*, *ASSUMPTION* and *ASSERTION* (Fig.4.21).



Fig. 4.21 Syntax Sections

Every time the context helper is invoked it determines the current section and provide proposal accordingly. In general, a syntax helper has to behave differently whether it has to provide the completion for an incomplete word or if it has to suggest a continuation after a completed word. For both cases the literature provides an efficient data structure called *Trie* [Bla10]. A word-Trie is an ordered tree that stores words one character per layer. In Fig.4.22 is shown a word-Trie storing the words "able", "ably", "aces", "aced", "babe", "bad", "back".

Typical operations to be performed on Tries are new word insertion and list all possible matching for a partial word. Hence the syntax helper, every time is invoked on an incomplete word, queries a word-Trie to get all possible matching.

A possible generalization of a word-Trie is the sentence-Trie. Instead of storing words per character it stores sentences per words. The insertions policy is quite similar to the one of its simpler version, while the retrieving policy may vary whether one wants to propose just the set of possible following words or possible completion sentences. In the first, case the procedure must return all child nodes of the sentence passed as parameter, while for the



Fig. 4.22 Word-Trie

second the procedure is the same to the word-Trie and requires to follow all the child path downto the leaves.

As an example of syntax completion, assume that the user wants to type the following, contract-based, requirement

#### R.3 Overshoot

#### **Assumption:**

system inertia (sysinertia) less than IN kgm2 **and** reference input (cmdup) is a step with amplitude UAMPL beginning in UBEG

#### **Assertion:**

the motor speed (motorspeed) overshoot shall be lass than or equal to OVTOL

Starting from an empty requirement he types "system inertia is" and the invokes the helper, the results returned by the sentence-Trie is all the possible continuing sentences allowed by the syntax of this section.



Fig. 4.23 Assumption completion

In the same manner user can add any number of assumptions, such as the specification of signal generator. The context helper suggest the keyword "AND" every time a valid statement has been entered.

Once all the assumption has been defined, user can switch to the assertion section. In this case, after he inputs the name of the signal, the context helper queries a different sentence-Trie, the one holding the assertions syntax, to provides a different list of completions.



Fig. 4.24 Assertion completion

By repeating the above procedure user can type more complex requirements document 4.25, relying on the fact that the syntax he uses is consistent and unambiguous.

```
🏏 *MDS_requirements.txt 🛭
   [REQUIREMENT
   R.1 OvershootRiseTime
   ASSUMPTION
   sysinertia is less than or equal to IN AND
   cmdup is step with amplitude UAMPL beginning in UBEG AND
   cmdup is reference
   motorspeed overshoot shall be less than OVTOL AND
motorspeed shall rise from RFROM to RTO in less than RTIME AND
motorspeed time to settle to steady state value with tolerance SVAL shall be less than ST
   /REOUIREMENT]
   [REOUIREMENT
   R.2 UndershootFallTime
   ASSUMPTION
   sysinertia is less than or equal to IN AND
   cmddown is downstep with amplitude DAMPL beginning in DBEG AND cmddown is reference
   motorspeed undershoot shall be greater than UNTOL AND motorspeed shall fall from FFROM to FTO in Less than FTIME AND
   motorspeed time to settle to steady state value with tolerance SVAL shall be less than ST
   /REQUIREMENT]
```

Fig. 4.25 Requirements Document

### 4.4.3 Abstract Syntax Tree Generation

The process of Abstract Syntax Tree Generation is part of the whole generation process. The reason why an intermediate representation is provided is ease the task of platform generators, which does not have to perform any kind of textual analysis. Indeed, an Abstract Syntax Tree has a well defined structure that can be iteratively analyzed and parsed.

The intermediate representation is achieved involving the grammar parser and lexer ANTLR [ant]. It allows users to define their own parsable syntax into a grammar ".g4" file, then it produces a set of classes which are able to recognize the syntax and return the correspondent syntax tree. The process it follows is shown in Fig.4.26



Fig. 4.26 ANTLR generation process

As example, the syntax tree derived from a simple grammar is shown in Fig.4.27.



Fig. 4.27 Basic syntax Example

The generated classes handles the visit of the syntax tree through the Visitor Pattern (Sec.4.3.2). In particular, if the grammar file is "myGrammar.g4" the two main generated classes are "myGrammarVisitor.java" and "myGrammarBaseVisitor.java". The first corresponds to the visitor interface, while the seconds provides a default implementation of all the nodes' visits. Hence, in order to build its own traversing policy, the user needs to derive the *myGrammarBaseVisitor* class and override the methods performing the visit on the nodes under interest. Alternatively he can define its visitor as a new class which only implements the interface and does not derive from the base visitor, in this case, however, all node visit must be implemented in order to let the new class instantiable. Input and result of the intermediate transformation are shown in Fig.4.25 and Fig.4.28 respectively. Basically the requirement block keeps it structure, but the requirements are expressed in the following format.

```
PATTERN\_ID(param_1, ..., param_n)
```

This constitutes also the input of the platform generator parser, which is in charge of the translation of patterns into monitors. Note that this structure of the requirements, except for the name, does not provide any information about the pattern, therefore its correct implementation strongly relies on sharing the same pattern semantic between intermediate and platform generators.

```
ID: R.1
    TITLE:OvershootRiseTime
   ASSUMPTIONS:
 4
        <=(sysinertia,IN)
 5
        STEP (cmdup, UAMPL, UBEG)
 6
        REF (cmdup)
 7
   ASSERTIONS:
 8
        OVERSHOOT (motorspeed, OVTOL)
9
        RISE (motorspeed, RFROM, RTO, RTIME)
10
        STIME (motorspeed, SVAL, ST)
11
12
   ID: R.2
13
   TITLE:UndershootFallTime
14
   ASSUMPTIONS:
15
        <=(sysinertia,IN)
16
        DWSTEP (cmddown, DAMPL, DBEG)
17
        REF (cmddown)
18 ASSERTIONS:
19
        UNDERSHOOT (motorspeed, UNTOL)
20
        FALL (motorspeed, FFROM, FTO, FTIME)
21
        STIME (motorspeed, SVAL, ST)
22
```

Fig. 4.28 Intermediate Representation

### 4.4.4 Target Platform Generation

The target platform is the modeling environment which will hosts the generated monitors. It also has to provide the support for simulation. The platform generator is the module that receives as input a syntax tree and converts its nodes into model's units. Since the generation process is strictly dependent on the modeling environment, it is possible, in the same manner has been done for data-dictionary importers, to associate a specific software module with a specific environment. However, the absence in the syntax tree of environment's features requires to create and treat all generators' classes in the same way. Again this problem is greatly solved by using the Factory design pattern. A possible classes diagrams for a generators hierarchy is shown in Fig.4.29



Fig. 4.29 Platform Generators UML

A platform generator takes as input a list of requirement and produces a file containing the implementation of the monitors, such a file in the case of Simulink is a Matlab script that, once executed, populates the associated model.

Starting from the requirements document of Fig.4.25, the user can *build* it through the below window.



Fig. 4.30 Build Window

The *Target Model* field is needed by the generation procedure in order to let the monitor suitable to be attached to the existing model. The other fields are needed in order to, respectively, locate and name the generated script. The result of the model population is shown in Fig.4.31.



Fig. 4.31 Population Result

The monitor subsystem has as many subsystems as requirements. Each one gets as inputs all the model entities referred inside the requirement and returns an output connected to an assertion block which terminates the simulation if case of false input.

# Chapter 5

# **Conclusions**

The present thesis proposed a Model Based Design tool for system requirements validation and verification. It is possible to locate such framework in the first layer of a V-Model, where usually lie Top-Level (or User) requirements and Verification (or Validation) phases. Has been argued how these two stages can be coupled to enforce their correlation in therms of time and contents. The framework tries to automate such coupling, eliminating the effort for implementing the verification procedures. Moreover, it can be of help in finding the best way for the specification of the requirements itself. Such problem is known in the literature as Virtual Verification [SHFP10], and can be view as an internal V-Model where the developed product is the requirements specification. Briefly, it expects the development of models which aims to verify textual requirements completeness and correctness.

The framework comes with the main objective of providing a standard way to couple the usability of a textual representation with the effectiveness of a formal specification. Despite they requires strong technical skills, formal logics represent now-days one of the best way for product certification. The above gap has been reduced involving patterns, but, in order to consider it as a standard approach, a scalability analysis is still required.

This work offers a proof of concept prototype. As such several features more on the side of classical requirements editors has been sacrificed in favor of a flexible coexistence with modeling environments. Even if in its first version the tool support cooperation only with Simulink, its internal structure allows in small time to experiment whether the approach could fit many others. Next section will discuss about several future works that can improve the overall tool potentiality.

5.1 Future Work

#### **5.1** Future Work

The tool The requirements tool can be enriched of features exposed by several professionals requirements editors, such as DOORS [DOO]. Requirements can be hierarchically managed, this is particular useful when top-level requirements have a low-level representation which takes into account how, for instance, the property is mapped into the hardware. Another useful feature could be the capability of internally, or externally, link requirements. The internal links may represent some dependencies among requirements, while external link can be used to immediately point out some models or external file that provides a better explanation of the requirement. Further, a change tracking mechanism is another features that can help users to always have the complete history of the requirements, this is also useful in the process of virtual verification. Another potential service that the tool can provide is the read/write access to the data-dictionary. Since the syntax mostly provide sentences that has names as starting word, having the complete data-dictionary at disposal can help user to correct refer entities.

The Editor In the current state the editor provides quite interesting capability of syntax coloring and completion. Particularly for the latter, the dynamic syntax loading into Tries is a capability that very easily allows to modify the suggestions. On the other hand the editor does not provide any features of syntax checking, this is surely a good starting point since it can enforce the work done by the syntax helper. Indeed, right now user does not have a real-time feedback for the syntax he is typing, but rather the helper stops providing suggestions if something is wrong in what typed. There are many possible way to implement a syntax checker module, the simplest one could be involving the use of a run-time regular expression marcher, however this at the end provides only a valid-invalid feedback and does not scale very well with the syntax's growth . A better solution could involve again the ANTLR parser, and the redefinition of its errors management strategies. This approach could add to the valid-invalid feedback also the reason of the result, that can be directly provided to the user in order to let him aware. As a further, minor, improving many compact notation can be used in the syntax, for example numbers such as "0.000001" can be shortly represented as "1e-6".

**MBD features** Many improvements can come also for the MBD perspective. The contract-based formalization can be extended with the concept of precondition, this new section can replace or flank the assumption. Such refinement further enforce the unambiguousness of the requirement since better clarify roles inside it. More on the modeling side the interaction with environment can be improved by eliminating as much as possible the user intermissions. As an example the data-dictionary could be directly generated from a Simulink model without

5.1 Future Work 69

requiring the translation into supported file. Users simply provide as input of the importer a model file and it is converted into a data-dictionary, this features may involve the integration inside the tool of some archive decompressors and file managers. Another interesting feature could be having a real-time interaction with the modeling environment and the editor, which can mark satisfied and violated requirements.

The last, and perhaps the most important one, improvement is to extend compatibility with as much modeling environment as possible. Together with Simulink, modeling tools such as Scade [Sca], Scicos [Sci], SysML [sys], Modeler[Mod] and LabView [Lab] find their application in several different domains, but the requirements specification is an omnipresent problem and the possibility to adopt the proposed framework in all these tool could be the key factor of this approach.

# References

- [acc] Acceleo. http://www.eclipse.org/acceleo/.
- [AFH96] Rajeev Alur, Tomás Feder, and Thomas A Henzinger. The benefits of relaxing punctuality. *Journal of the ACM (JACM)*, 43(1):116–146, 1996.
  - [ant] Antlr. http://www.antlr.org/.
  - [bal] Alessio balsini repo. https://github.com/balsini/ SignalTemplateLibraryAutogen/.
- [BCF<sup>+</sup>07] Albert Benveniste, Benoît Caillaud, Alberto Ferrari, Leonardo Mangeruca, Roberto Passerone, and Christos Sofronis. Multiple viewpoint contract-based specification and design. In *International Symposium on Formal Methods for Components and Objects*, pages 200–225. Springer, 2007.
- [BDNCT17] Alessio Balsini, Marco Di Natale, Marco Celia, and Vassilios Tsachouridis. Generation of simulink monitors for control applications from formal requirements. 2017.
  - [Beh06] Ali Behboodian. Model-based design. DSP Magazine (May 2006), 2006.
  - [BFM<sup>+</sup>08] Luca Benvenuti, Alberto Ferrari, Leonardo Mangeruca, Emanuele Mazzi, Roberto Passerone, and Christos Sofronis. A contract-based formalism for the specification of heterogeneous systems. In *Specification, Verification and Design Languages*, 2008. FDL 2008. Forum on, pages 142–147. IEEE, 2008.
    - [Bla10] Paul E Black. Trie, dictionary of algorithms and data structures. *National Institute of Standards and Technology, Archived from the original on*, pages 05–19, 2010.
    - [CB98] IEEE Computer Society. Software Engineering Standards Committee and IEEE-SA Standards Board. Ieee recommended practice for software requirements specifications. Institute of Electrical and Electronics Engineers, 1998.
    - [CE08] Edmund Clarke and E Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. 25 Years of Model Checking, pages 196–215, 2008.

References 71

[DAC98] Matthew B Dwyer, George S Avrunin, and James C Corbett. Property specification patterns for finite-state verification. In *Proceedings of the second workshop on Formal methods in software practice*, pages 7–15. ACM, 1998.

- [DOO] Doors. http://www-03.ibm.com/software/products/it/ratidoor.
- [EF07] Cindy Eisner and Dana Fisman. *A practical introduction to PSL*. Springer Science & Business Media, 2007.
- [IC<sup>+</sup>05] IEEE-Commission et al. Ieee standard for property specification language (psl). Technical report, Technical report, IEEE, 2005. IEEE Std 1850-2005, 2005.
  - [Int] Intellisense. https://code.visualstudio.com/docs/editor/intellisense.
- [JIG<sup>+</sup>99] Rumbaugh James, Jacobson Ivar, Booch Grady, et al. The unified modeling language reference manual. *Reading: Addison Wesley*, 1999.
- [KJD+16] James Kapinski, Xiaoqing Jin, Jyotirmoy Deshmukh, Alexandre Donze, Tomoya Yamaguchi, Hisahiro Ito, Tomoyuki Kaga, Shunsuke Kobuna, and Sanjit Seshia. St-lib: A library for specifying and classifying model behaviors. Technical report, SAE Technical Paper, 2016.
  - [Lab] Ni labview. http://www.ni.com/labview/.
- [MFF13] Leonardo Mangeruca, Orlando Ferrante, and Alberto Ferrari. Formalization and completeness of evolving requirements using contracts. In *Industrial Embedded Systems (SIES)*, 2013 8th IEEE International Symposium on, pages 120–129. IEEE, 2013.
- [MN04] Oded Maler and Dejan Nickovic. Monitoring temporal properties of continuous signals. In *Formal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems*, pages 152–166. Springer, 2004.
- [MNP08] Oded Maler, Dejan Nickovic, and Amir Pnueli. Checking temporal properties of discrete, timed and continuous behaviors. In *Pillars of computer science*, pages 475–505. Springer, 2008.
  - [Mod] Modeler. http://www.mathworks.com/products/simulink/.
  - [MP12] Zohar Manna and Amir Pnueli. *Temporal verification of reactive systems:* safety. Springer Science & Business Media, 2012.
  - [oD91] United States. Department of Defense. *Software Technology Plan: Volume II Plan of Action*. Department of Defense, 1991.
  - [oD94] United States. Department of Defense. *MIL-STD-498: Software Development and Documentation*. Department of Defense, 1994.

References 72

[PM92] Amir Pnueli and Zohar Manna. The temporal logic of reactive and concurrent systems. *Springer*, 16:12, 1992.

- [RS77] Douglas T Ross and Kenneth E Schoman. Structured analysis for requirements definition. *IEEE transactions on Software Engineering*, (1):6–15, 1977.
  - [Sca] Scade. http://www.esterel-technologies.com/products/scade-suite/.
  - [Sci] Scicos. http://www.scicos.org/.
- [SHFP10] Wladimir Schamai, Philipp Helle, Peter Fritzson, and Christiaan JJ Paredis. Virtual verification of system designs against system requirements. In *International Conference on Model Driven Engineering Languages and Systems*, pages 75–89. Springer, 2010.
  - [Sim] Simulink. http://www.mathworks.com/products/simulink/.
  - [spe] Specpatterns. http://patterns.projects.cs.ksu.edu/.
  - [sys] Sysml. http://www.omgsysml.org/.
  - [upp] Uppaal. http://www.uppaal.org/.
- [VHJG95] John Vlissides, Richard Helm, Ralph Johnson, and Erich Gamma. Design patterns: Elements of reusable object-oriented software. *Reading: Addison-Wesley*, 49(120):11, 1995.