# Simulation Based Formal Verification of Onboard Software — A Case Study — **SyLVer**: System Level Verifier Toni Mancini, Annalisa Massini, **Federico Mari**, Igor Melatti, Ivano Salvo, Enrico Tronci Computer Science Department Sapienza University of Rome, Italy <a href="http://mclab.di.uniroma1.it">http://mclab.di.uniroma1.it</a> ### System Level Verification of CPSs - Cyber Physical System (CPS): hw + sw components - → Can be modelled as Hybrid System - System Level Verification (SLV): to verify that the whole system (hw+sw) satisfies given specifications - CPSs of industrial relevance too complex for SLV to be performed by model checkers for Hybrid Systems - Main workhorse for SLV: Hardware in The Loop Simulation (HILS) ### Hardware in The Loop Simulation - Hardware in The Loop Simulation (HILS): replace hardware with a software simulator - Supported by Model Based Design Tools as Simulink, VisSim, ... ### HILS Campaign: Main Obstacles Effort needed to define the operational scenarios defining disturbances to be injected into the system under verification. Computation time needed to carry out the simulation campaign itself. - Degree of assurance achieved at the end of the HILS campaign: did we consider all relevant operational scenarios? - Graceful degradation: what can we say about the error probability during the HILS campaign? #### Our approach to System Level Formal Verification Effort needed to define the operational scenarios defining disturbances to be injected into the system under verification. Formal model of operational scenarios (disturbance model) as a FSA described in a high-level language (CMurphi) Degree of assurance: did we consider all relevant operational scenarios? **Exhaustive** system level verification wrt operational scenarios defined by the model Graceful degradation: what can we say about the error probability during the HILS campaign? Computation time needed to carry out the simulation campaign itself. **Embarrassing parallel multicore** approach to speed up simulation + optimisation [CAV13, PDP14, DSD14, PDP15, Microprocessors & Microsystems 2016, Fundamenta Informaticae 2016] #### Model-Based System Verification @ MCLab Disturbance Model (formal model of operational scenarios) **SyLVer** System Level Formal Verifier https://bitbucket.org/mclab/sylver-simulink-driver LOAD - RUN - FREE -STORE Simulator Omission Probability **Optimised Simulator Simulation CPS** Monitor output **Driver** Monitor Campaign Model pass Parallel (cluster) Simulator Omission Probability **Optimised Simulator Simulation CPS** Monitor output **Driver** Monitor Campaign Model pass Hardware-in-the-Loop Simulation (HILS) ### SyLVaaS - Introduces Verification as a Service paradigm - Supports companies in the CPS design business in their daily verification activities - Allows keeping both the SUV model and the property to be verified secret (Intellectual Property protection) # Modelling the Operational Environment #### Discrete Event Seq's & Disturbance Traces #### We aim at Bounded System Level Formal Verification: - Bounded time horizon: h - Bounded **time quantum** between disturbances: $\tau$ #### Disturbance Model - Defining all disturbance sequences the SUV should withstand cannot be done manually for large CPSs - Approach: use high-level modelling language to define disturbance model as a Finite State Automaton #### A tiny example - Just one disturbance (fault), always recovered within 4 seconds - At least 5 seconds between two consecutive disturbances - Time quantum $\tau = 1$ second - Time horizon h = 6 seconds FSA recognising **admissible disturbance traces** (we actually use the rich language of the CMurphi model checker) ``` function disturbanceModel(h) c \leftarrow 0; /* counter */ t \leftarrow 0; /* time */ while t \leq h do d \leftarrow read(); \quad t \leftarrow t + 1; if c > 0 then c \leftarrow c - 1; if d = 1 then if c > 0 then return \otimes; else c \leftarrow 4; return \sqrt{}; 000000 010000 \sqrt{} ... overall 8 adm 000001\sqrt{0100018} disturbance traces 000010\sqrt{01001} ``` # SyLVaaS Workflow #### Optimised Rnd Exhaustive Sim. Campaigns - Optimisation: use of load/store commands avoids revisiting previously visited simulation states as much as possible - Exhaustiveness: all disturbance traces in input slice are verified - Randomness: trace verification order is randomised #### Sequence of simulator commands: - inj\_run(e, t): inject disturbance and advance simulation - store(/): store current sim. state into mass memory - **load(/):** set current sim. state from previously stored state - **free(***I***):** free stored sim. state stored ### Optimised Rnd Exhaustive Sim. Campaigns ### Embarrassingly Parallel Simulation Simulation carried out on user private cluster (Intellectual Property protection) # A Case Study: Apollo # A Case Study: Apollo # A Case Study: Apollo ### Experiments: Disturbance Models #### **Disturbance model:** - sensor faults repaired after 1 second - 5 different sensor faults possible - at most 3 faults in each trace - at most 1 fault active at any time - $h = 10 \text{ sec}, \tau = 500 \text{ms}$ #### Disturbance model CMurphi encoding ``` Ruleset d : FAULT_TYPE do Ruleset d: INPUT_TYPE do Rule "Inject Fault" Rule "Inject Input Variation" time\_since\_last\_fault[d] = -1 \& no_fault_needs_repair() & no_fault_needs_repair() & num_inputs < MAX_NUM_INPUTS & is_input_variation_allowed() num_faults < MAX_NUM_FAULTS & num_active_faults() < MAX_NUM_ACTIVE_FAULTS</pre> \Longrightarrow begin \Longrightarrow begin num_inputs := num_inputs + 1; time\_since\_last\_fault[d] := 0; time_step(); num_faults := num_faults+1; end; time_step(); End: end; Rule "No Disturbance" Rule "Repair Fault" no_fault_needs_repair() ==> time\_since\_last\_fault[d] = FAULT\_DURATION begin time_step(); end; => begin -- repair fault d Finalstate "Correct Length" time\_since\_last\_fault[d] := -1; no_faults() & num_faults <= MAX_NUM_FAULTS & time_step(); num_inputs <= MAX_NUM_INPUTS;</pre> end: End; ``` -> 8.9M dist. traces ### Experiments: Infrastructure #### SyLVaaS infrastructure: - 1 orchestrator - 16 slaves #### **User private cluster:** - 8 to 64 8-core machines - —> up to 512 Simulink parallel instances # Experiments (1) #### SyLVaaS: Parallel computation of random exhaustive optimised simulation campaigns (16 cores): | k = #cores<br>in user cluster | Computation of simulation campaigns | |-------------------------------|-------------------------------------| | 128 | 0:22:18 | | 256 | 0:22:18 | | 512 | 0:24:30 | h:m:s # Experiments (2) #### **Private user cluster:** Formal verification via **embarrassing parallel execution of simulation campaigns** (k=128, 256, 512 parallel Simulink instances): | k = #cores<br>in user cluster | Execution of simulation campaigns | |-------------------------------|-----------------------------------| | 128 | 726:53:25 | | 256 | 121:06:28 | | 512 | 44:26:37 | h:m:s #### Conclusions SyLVer: System Level Verifier SyLVaaS: SyLVer as a Service - Given formal model of operational environment - Efficiently computes random exhaustive simulation campaigns - Approach scales well: additional experiments with dist. models yielding 40M traces - Campaigns run embarrassingly in parallel on all Simulink instances available on private user cluster - Campaigns optimise simulation activities (4x speedups) by storing/restoring intermediate simulation states as much as possible (depending on available mass memory space on user cluster) - Graceful degradation: omission probability bound available anytime during verification - Completion time estimation available anytime during verification - Both SUV model and property to be verified kept secret (Intellectual Property protection) # Thank you! Simulation Based Formal Verification of Cyber-physical Systems SyLVaaS: System Level Verification as a Service Toni Mancini, Annalisa Massini, Federico Mari, Igor Melatti, Ivano Salvo, **Enrico Tronci** Computer Science Department Sapienza University of Rome, Italy <a href="http://mclab.di.uniroma1.it">http://mclab.di.uniroma1.it</a>