Service-oriented Abstraction and Verification of Hybrid Simulink Models with Simulink2dL

Embedded control systems combine discrete and continuous behavior. To cope with the immense complexity of the resulting systems, they are increasingly designed with model-driven development and tools like Matlab Simulink. At the same time, application of embedded systems in safety-critical areas, like in the automotive industry or medical context, require high safety standards. In this project, we investigate a formally well-founded, service-oriented design and verification approach for Simulink. The key ideas of our approach are threefold: First, we propose a service-oriented design approach for Simulink, where we introduce services for Simulink, hybrid contracts to cleanly define these services, and feature models to model their variability. Second, we propose a transformation of Simulink models into the expressive and formally well-defined differential dynamic logic. This enables the formal verification of hybrid systems modeled in Simulink using the powerful interactive theorem prover KeYmaera X. To overcome scalability issues, we enable compositional verification by replacing the inner structure of services by their contracts for system verification.

Contact: Prof. Dr. Paula Herber

• Contents

  • 1. Access to our framework (Simulink2dL and SimulinkRL2dL)
  • 2. Verification Flow
  • 3. Example Models and Proofs
  • • 3.1. Formal Methods 2021: Proofs and Models with Reinforcement Learning
    • 3.2. (A)ISoLA 2022/23: Proofs and Models for Safe and Resilient Hybrid Systems
    • 3.3. ATVA 2022: Proofs and Models for Reusable Contracts
    • 3.4. Formal Methods 2024: Proofs and Models for Reusable Specification Patterns for Verification of Resilience in Autonomous Hybrid Systems
  • 4. Proof and Model for Safe Battery Use and Grid-Convenience in an Intelligent Energy Control System

Access to our framework (Simulink2dL and SimulinkRL2dL)

Our framework for the automated transformation from Simulink (and the RL Toolbox) to differential dynamic logic (dL) is freely available under the MIT open source license at:

https://github.com/EmbSys-WWU/Simulink2dL

Contributors are very welcome. For any questions, please contact emb.sys@wwu.de

Verification Flow

The overall verification flow of our service-oriented verification approach with Simulink2dL is as follows: First, the designer identifies parts of the system that can be considered to be independent and configurable services and creates hybrid contracts for them. The best candidates for such services are subsystems, which already encapsulate functionality and have an interface via their input and output ports. It is also possible to choose a group of connected blocks as service. Second, each service can then individually be transformed into a behaviorally equivalent formal dL representation with Simulink2dL. Third, the designer (resp. verifier) can use interactive theorem prover KeYmaera X to verify that the service fulfills its contract. Note that services can be reused in other designs and their verified contracts can be reused for the following steps without repeating the second and third step. Fourth, the contracts are used to generate an abstract formal system model, where all services are replaced by their contract. A hybrid contract abstracts from the inner structure of a given service, but describes the interface behavior in sufficient detail to represent their behavior in the resulting dL model. In a fifth step, this abstract dL representation can be used to semi-automatically verify safety properties using KeYmaera X. Note that the verified properties can be represented as a hybrid contract of the overall system. Thus, our approach can be used hierarchically, i.e., a large system can be divided into services that can be individually verified, and each service can again be divided into smaller services.

Example Models and Proofs

• Temperature Control Service
• Temperature Control System
• Generic Infusion Pump

Note that the "transformed models" do not contain assumptions and guarantees for verifying contracts.

Temperature Control Service

Simulink Model Service Temperature Control

All KeYmaera X files and the Simulink model as zip ServiceTemperatureControl.zip

KeYmaera X files for the Patient

KeYmaera X files for the Input Processing

KeYmaera X files for DrugInBlood

KeYmaera X files for the Controller

KeYmaera X files for WarningGenerator

KeYmaera X files for the Pump

KeYmaera X files for Tank

KeYmaera X files for the Power Source

Formal Methods 2021: Proofs and Models with Reinforcement Learning

In the following, the Simulink Models and a selection of KeYmaera X files from the SimulinkRL2dL Case Study (FM 2021) are available for download.

The full set of KeYmaera X files is available here: VerificationResults.zip

Note that  Mathematica was used for most proofs exept for the Top Level, the Sensor Service and the Evasive Move Checker Service (see Zip file above), where Z3 was used instead.

Factory with 2 Opponents 

Simulink Model of the Factory with 2 Opponents:  RL Factory 2 Opponents

Top Level of the Factory

RL Robot

Opponent

(A)ISoLA 2022/23: Proofs and Models for Safe and Resilient Hybrid Systems

KeYmaera X files for Safe and Resilient Hybrid Systems (ISoLA 2022)

ATVA 2022: Proofs and Models for Reusable Contracts

KeYmaera X files of Proofs with Reusable Hybrid Contracts (ATVA 2022)

Note that resilience and range proofs are also threshold proofs

Formal Methods 2024: Proofs and Models for Reusable Specification Patterns for Verification of Resilience in Autonomous Hybrid Systems

Proof and Model for Safe Battery Use and Grid-Convenience in an Intelligent Energy Control System