

Section: New Results

Formal validation for critical digital embedded systems

Participants: Ibrahim Merzoug, Karen Godary-Dejean, David Andreu.

The work addressed here falls under the domain of formal modelling, semantics and verification methods (model checking). We focus on the analysis part of the HILECOP methodology, integrating the specific execution constraints (non-functional properties) into the validation process in order to guarantee the validation results. Indeed, the state space that is analyzed is that of the model of the system (based on Interpreted Time Petri Nets). It is clear that, if we want to obtain trustworthy validation results, this analyzed state space must include all the possible behaviors of the real system (i.e., it must account for the execution of the model on the target).

One solution was studied in the PhD thesis of H. Leroux [34], which lays the foundations of translation rules from the designed model to the analyzed model, integrating part of the implementation and execution characteristics. These transformation rules make it possible to analyze the resulting model with classical Petri net analysis tools (such as the Tina toolbox), and to guarantee the inclusion of the real states and traces in the analyzed state space.

However, although the formal model, in this case the Interpreted Time Petri Net (ITPN), is inherently asynchronous, it is executed synchronously on the target. The usual analysis approaches are therefore not adapted, in the sense that they construct state graphs that do not conform to the real state evolution within the target. In order to gain confidence in the validity of the results of the formal analysis, we continued this work in the PhD thesis of I. Merzoug, capturing the so-called non-functional characteristics in order to reify them in the model and, finally, to account for their impact through a dedicated analysis approach. In other words, we improved the expressiveness of the model and the relevance of the analysis, considering aspects such as clock synchronization, effective parallelism, the risk of blocking induced by the expression of an event (condition) together with a time window of occurrence, without omitting the management of exceptions.

To deal with all these aspects, we have proposed a new analysis method for Synchronously executed ITPN (SITPN), transforming them into an equivalent formalism that can be analyzed [29]. This formalism is associated with a new formal semantics integrating all the particular aspects of the execution. We also propose and implement a dedicated state space construction algorithm: the Synchronous Behavior Graph (an example is given in Fig. 13 and Fig. 14). Our work has been applied to an industrial case, more precisely to the validation of the behavior of the digital part of our neuro-stimulator.
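As an added illustration (not code from the HILECOP project, and deliberately ignoring the time intervals, conditions and exception handling of the ITPN), the following constructed toy net shows why the classical interleaving state graph does not conform to a synchronous execution: transitions that are enabled together fire in the same clock tick on the target, so the intermediate markings produced by interleaving never occur, while conflicting transitions still produce branching.

```python
from itertools import combinations

# Constructed toy 1-safe net (not the HILECOP neuro-stimulator model): each
# transition maps to (preset, postset); a marking is the frozenset of marked places.
NET = {
    "t1": ({"p0"}, {"p1"}),
    "t2": ({"p2"}, {"p3"}),
    "t4": ({"p2"}, {"p4"}),  # t4 conflicts with t2 on the single token in p2
}
M0 = frozenset({"p0", "p2"})

def enabled(marking):
    return [t for t, (pre, _) in NET.items() if pre <= marking]

def fire(marking, step):
    """Fire a set of transitions as one atomic step (their presets are disjoint)."""
    consumed = set().union(*(NET[t][0] for t in step))
    produced = set().union(*(NET[t][1] for t in step))
    return frozenset((marking - consumed) | produced)

def async_steps(marking):
    """Interleaving semantics used by classical tools: one transition per step."""
    return [{t} for t in enabled(marking)]

def sync_steps(marking):
    """Synchronous semantics: every enabled transition fires in the same clock
    tick, so a step is a maximal set of enabled transitions with disjoint presets
    (conflicts such as t2/t4 still branch)."""
    en = enabled(marking)
    conflict_free = [set(s) for r in range(1, len(en) + 1)
                     for s in combinations(en, r)
                     if all(NET[a][0].isdisjoint(NET[b][0])
                            for a, b in combinations(s, 2))]
    return [s for s in conflict_free if not any(s < o for o in conflict_free)]

def state_graph(step_fn, m0=M0):
    """Build the state graph {marking: [(step, successor), ...]} by exploration."""
    graph, todo = {}, [m0]
    while todo:
        m = todo.pop()
        if m in graph:
            continue
        graph[m] = [(frozenset(s), fire(m, s)) for s in step_fn(m)]
        todo.extend(succ for _, succ in graph[m])
    return graph

def spurious_states():
    """Markings the interleaving graph contains but the synchronous target never reaches."""
    return set(state_graph(async_steps)) - set(state_graph(sync_steps))
```

Here the interleaving graph has six markings and the synchronous graph three; the three spurious ones are exactly the half-fired intermediate states, which is the kind of mismatch that motivates a dedicated state space construction.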

Figure 13. Example of an SITPN model with state aggregation and exception handling.

Figure 14. Synchronous Behavior Graph of the model given in Figure 13.