Translating Hierarchical Block Diagrams into Composite Predicate Transformers

Simulink is the de facto industrial standard for designing embedded control systems. When dealing with the formal verification of Simulink models, we face the problem of translating the graphical language of Simulink, namely, hierarchical block diagrams (HBDs), into a formalism suitable for verification. In this paper, we study the translation of HBDs into the compositional refinement calculus framework for reactive systems. Specifically, we consider as target language an algebra of atomic predicate transformers that captures basic Simulink blocks (both stateless and stateful), composed in series, in parallel, and in feedback. For a given HBD, there are many possible ways to translate it into a term of this algebra, with different tradeoffs. We explore these tradeoffs and present three translation algorithms. We report on a prototype implementation of these algorithms in a tool that translates Simulink models into terms of this algebra, which is itself formalized in the Isabelle theorem prover. We test our tool on several case studies, including a benchmark Simulink model by Toyota. We compare the three translation algorithms with respect to size and readability of the generated terms, simplifiability of the corresponding formulas, and other metrics.
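The following Python block is an added illustration of the idea in the abstract, not code from the paper or its Isabelle formalization: blocks are modelled as deterministic synchronous step functions over streams, so each block's predicate transformer is the weakest precondition wp(post)(inputs) = post(run(inputs)), and terms are built with series, parallel and feedback operators. The names (`gain`, `sum2`, `fork`, `unit_delay`, `series`, `parallel`, `feedback`) and the sample input trace are assumptions of this example. It translates one small diagram, a discrete accumulator, into two different algebra terms (delay placed on the output side versus the input side of the loop), checks that both terms have the same behaviour, compares term size, and rejects a feedback loop that no delay breaks.

```python
"""Toy algebra of synchronous blocks composed in series, parallel and feedback.

Added illustration (not the paper's formalisation): blocks are deterministic step
functions over streams, so their predicate transformer is simply
wp(post)(inputs) = post(run(inputs)).  Feedback is admitted only when the fed-back
output does not depend on the fed-back input at the same step (a delay breaks it).
"""
from dataclasses import dataclass
from typing import Any, Callable, List, Tuple


class AlgebraicLoop(Exception):
    """Feedback edge is not broken by a delay, so the step has no direct solution."""


class _Unknown:
    """Taint value fed into a feedback input while probing for a delay."""
    def _taint(self, *_):
        return _Unknown()
    __add__ = __radd__ = __sub__ = __rsub__ = __mul__ = __rmul__ = __neg__ = _taint


Step = Callable[[Any, tuple], Tuple[Any, tuple]]  # (state, inputs) -> (state', outputs)


@dataclass(frozen=True)
class Block:
    term: str        # printable algebra term, used to compare translation size
    n_in: int
    n_out: int
    init_state: Any
    step: Step

    def run(self, trace: List[tuple]) -> List[tuple]:
        state, outs = self.init_state, []
        for ins in trace:
            assert len(ins) == self.n_in, "input arity mismatch"
            state, out = self.step(state, ins)
            outs.append(out)
        return outs

    def wp(self, post: Callable[[List[tuple]], bool]) -> Callable[[List[tuple]], bool]:
        """Weakest precondition on input traces for a postcondition on output traces."""
        return lambda trace: post(self.run(trace))


# --- atomic blocks: stateless (Gain, Sum, Fork, Id) and stateful (Delay) ------
def gain(k):       return Block(f"Gain({k})", 1, 1, None, lambda s, x: (s, (k * x[0],)))
def sum2():        return Block("Sum", 2, 1, None, lambda s, x: (s, (x[0] + x[1],)))
def fork():        return Block("Fork", 1, 2, None, lambda s, x: (s, (x[0], x[0])))
def ident():       return Block("Id", 1, 1, None, lambda s, x: (s, x))
def unit_delay(v): return Block(f"Delay({v})", 1, 1, v, lambda s, x: (x[0], (s,)))


# --- composition operators --------------------------------------------------
def series(a: Block, b: Block) -> Block:
    assert a.n_out == b.n_in, "series: arity mismatch"
    def step(s, x):
        sa, mid = a.step(s[0], x)
        sb, out = b.step(s[1], mid)
        return (sa, sb), out
    return Block(f"({a.term} ; {b.term})", a.n_in, b.n_out, (a.init_state, b.init_state), step)


def parallel(a: Block, b: Block) -> Block:
    def step(s, x):
        sa, oa = a.step(s[0], x[:a.n_in])
        sb, ob = b.step(s[1], x[a.n_in:])
        return (sa, sb), oa + ob
    return Block(f"({a.term} || {b.term})", a.n_in + b.n_in, a.n_out + b.n_out,
                 (a.init_state, b.init_state), step)


def feedback(a: Block) -> Block:
    """Connect a's last output back to its last input (must be broken by a delay)."""
    def step(s, x):
        _, probe = a.step(s, x + (_Unknown(),))      # taint the fed-back input
        if isinstance(probe[-1], _Unknown):
            raise AlgebraicLoop(a.term)
        s2, out = a.step(s, x + (probe[-1],))        # real step with the delayed value
        return s2, out[:-1]
    return Block(f"fb({a.term})", a.n_in - 1, a.n_out - 1, a.init_state, step)


# --- one diagram, two translations: y[n] = y[n-1] + DT * x[n] ----------------
DT = 0.5

def integrator_a() -> Block:
    """Delay placed after the fork, on the output side of the loop."""
    inner = series(series(series(parallel(gain(DT), ident()), sum2()), fork()),
                   parallel(ident(), unit_delay(0.0)))
    return feedback(inner)

def integrator_b() -> Block:
    """Delay placed before the sum, on the input side of the loop."""
    inner = series(series(parallel(gain(DT), unit_delay(0.0)), sum2()), fork())
    return feedback(inner)

INPUT_TRACE = [(1.0,), (1.0,), (2.0,), (-1.0,)]  # constructed sample input

def run_both():
    return integrator_a().run(INPUT_TRACE), integrator_b().run(INPUT_TRACE)

def term_sizes():
    return len(integrator_a().term), len(integrator_b().term)

def bounded_by(bound):
    """Postcondition on output traces: |y[n]| <= bound for every step."""
    return lambda outs: all(abs(o[0]) <= bound for o in outs)

def check_wp():
    return integrator_a().wp(bounded_by(2.0))(INPUT_TRACE)

def detect_loop():
    try:
        feedback(fork()).run([()])   # Fork feeds itself with no delay
        return False
    except AlgebraicLoop:
        return True

if __name__ == "__main__":
    a, b = run_both()
    print(integrator_a().term, a)
    print(integrator_b().term, b)
    print("same behaviour:", a == b, "term sizes:", term_sizes(), "loop rejected:", detect_loop())
```

Both terms denote the same stream function, but the first is longer: that is the kind of size and readability tradeoff between translations of one diagram that the abstract refers to, and the taint probe in `feedback` is the toy version of the well-formedness condition a feedback operator needs.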
