# Temporal/Timed Formal Verification of Autonomous Robots Mohammed Foughali -LAAS-CNRS #### Content I. Problem Definition II. Our Approach III. Verification Results IV. Conclusion & Improvements Autonomous robots -> high level of complexity A growing need of formal guarantees on the systems' reliability as the robots are more and more involved in human environments and/or costly missions - \* Autonomous system software levels: - Decisional layer - ➤ Deals with high-level missions such as planning, acting, etc. - >Often formal - Functional layer - >Interacts directly with sensors and actuators - ➤ Deployed via non formal frameworks (GenoM, ROS, etc.) - ➤ Little has been done to formally verify its components - So far, roboticists rely heavily on simulation and tests - X Possibility to miss faulty execution paths => catastrophic damage to the robot, to the environment and/or, more dramatically, to humans. - Formal verification offers mathematical guarantees - X Highly complex systems imply a costly investment in their formal modeling but also an explosion of the reachable state space - X Constrained formal frameworks (if used directly for specification) - Examples of such limits on related works: - → Model Checking - Espiau et al. (1995) - Orccad -> ESTEREL -> Mauto (untimed verification) - Orccad -> Timed Argos -> Kronos (timed verification) - X Properties verified on very simple examples under the threat of explosion - X The time-consuming and error-prone formal modeling step needs to be redone for every new example - → Compositional Verification - GenoM/BIP experiments, Ingrand et al. (2005-2012) - Over-approximation of the reachable state space (avoid explosion) - ♦ GenoM -> BIP -> D-Finder - X Time constraints forgotten - X Can't decide on properties evaluated as false # LAAS/RIS - Functional level : GenoM - Modules - Services (control flow) - Ports (data flow) # LAAS/VerTICS Fiacre/TINA framework for time-constrained distributed/concurrent systems Model-Driven Software Engineering **Formal Methods** ## GenoM - Services (control flow) - Ports (data flow) - Activities (automata) - Control task - Execution tasks ## Example 4 modules for robot navigation 4 ports 4 control task and 5 execution tasks >16 services - \* Template mechanism: GenoM provides a template-based generator to translate a GenoM specification into other representations - Modules can be generated for different middleware (ROS-Com, PocoLibs, etc.) - → Program templates to bridge GenoM with V&V Tools and Frameworks - Fiacre (Format Intermédiaire pour les Architectures de Composants Répartis Embarqués) - Timed discrete-event systems coding based on Automata and Time Petri Nets - Communication and synchronization through ports and shared variables - Possibility to formulate LTL properties - Patterns: possibility to express timed properties • Example of communicating Fiacre processes: The Fischer protocol ``` from TestLock /* Processes */ if lock = pid then to Critical Section process Proc (pid: id, &lock: lock) is states WaitLock, WaitLock2, SetLock, else TestLock, Critical Section to WaitLock end from WaitLock on (lock = 0); from Critical Section to WaitLock2 lock := 0; to WaitLock from WaitLock2 wait [0, 2]; /* Main component */ lock := pid; component Main is to SetLock var lock : lock := 0 par from SetLock Proc (1, &lock) wait ]2, ...[; | Proc (2, &lock) to TestLock end * Entry point for verification */ Main /* Mutual exclusion */ property mutex is ltl [] not ((Main/1/state CriticalSection) and (Main/2/state CriticalSection)) ``` - TINA (TIme Petri Net Analyzer) - A toolbox for the editing and analysis of Time Petri Nets and Time Transition Systems - > LTL model-checking techniques - > Fiacre specification compiler - FRAC (FiacRe to tinA Compiler) - ✓ transform Fiacre specifications into Time Transition Systems (formally verifiable by TINA) - **✓** Convert patterns into LTL properties A template that produces the Fiacre model out of any GenoM specification for the PocoLibs implementation example: process Manager (&tick: bool, ...) is process timer (&tick: bool) is states start, manage states start from start from start wait [0,0]; wait [0.5,0.5]; on tick; tick := true: to start tick := false; if (...) /\* no active activity \*/ then to start else to manage end from manage wait [0,0]; ... /\* execute one active activity if (...) /\* no more activities \*/ then to start else to manage end ``` *** Topic of the control cont ``` Fix the model ## II. Our Approach **TINA tools** ## ✓ Schedulability of execution tasks process timer (&tick: bool) is states start from start wait [0.5,0.5]; tick := true; to start process Manager (&tick: bool, ...) is states start, manage from start wait [0,0]; on tick; tick := false; if (...) /\* no active activity \*/ then to start else to manage end from manage wait [0,0]; ... /\* execute one active activity // if (...) /\* no more activities \*/ then to start else to manage end property sched is always (navigation/robmap/manager/state manage) => not (navigation/robmap/manager/value tick) ## ✓ Progress of activities process timer (&tick: bool) is states start from start wait [0.5,0.5]; tick := true; to start process Manager (&tick: bool, ...) is states start, manage from start wait [0,0]; on tick; tick := false; if (...) /\* no active activity \*/ then to start else to manage end from manage wait [0,0]; ... /\* execute one active activity // if (...) /\* no more activities \*/ then to start else to manage end property no\_block is (navigation/robmap/manager/state manage) leadsto (navigation/robmap/manager/state start) ✓ Position port update bounded in time event A leads to event B within I where I is an interval of integers ✓ Position port update bounded in time event A leads to event B within I where I is an interval of integers ✓ Position port update bounded in time event A leads to event B within I where I is an interval of integers **✓** Service termination bounded in time If a Stop request is sent, the service TSStart will end within I This leads to a null speed sent to the controller ✓ The roboticist analyzes the results and acts accordingly (if necessary) Example: If the application is hard real-time, tune the periods so as all tasks become schedulable. e.g doubling the period does it for the task track.. - ✓ Summary: - Important properties (particularly timed) successfully verified on a real-world example - Automatic generation of formal models out of GenoM specifications - Manageable state spaces due to careful modeling and verification choices - → Future work: - Express the properties in GenoM and translate them automatically to Fiacre - Automatically interpret counterexamples given by TINA to be easily understandable - Synthesize Fiacre models for different middleware Behavior Interaction port type IntPort (int x) port type ePort () atomic type Basic data int x = 0export port ePort $p_1()$ is $p_1$ export port intPort $p_2(x)$ is $p_2$ place empty place full initial to empty on p<sub>1</sub> from empty to full do { x = assign-value();} on p<sub>2</sub> provided [x > 0] from full to empty end connector type Max (intPort $p_1$ , intPort $p_2$ ) data int z define $[p_1p_2]$ on $p_1p_2$ provided $(p_1.x > 0)$ && $(p_2.y > 0)$ up $\{z = \text{Max } (p_1.x , p_2.y);\}$ down $\{p_1.x = p_2.y = z;\}$ export port intPort $p_3(z)$ compound type Sender component Basic Send1 component Basic Send2 component Basic Send3 connector Max Max1(Sender1. $p_2$ ,Send2. $p_2$ ) connector Max Max2(Max1. $p_3$ ,Send3. $p_2$ ) connector Singleton Sing1 (Send1. $p_1$ ) connector Singleton Sing2 (Send2. $p_1$ ) export port Intport $p'_2$ is Max2. $p_3$ export port Intport $p'_1$ is Send3. $p_1$ end **Priority** **Time** connector Max1 $(s_1, r)$ connector Max2 $(s_2, r)$ priority maximal if $(s_1.x > s_2.x)$ Max2 < Max1 atomic type Encoder export port intPort get export port intPort intPort next port intPort $enc_a$ compute port intPort $enc_b$ clock x unit millisecond place $q_0$ place $q_1$ place $q_2$ initial to $q_0$ on get from $g_0$ to $g_1$ when x in [0,-] eager when x in [50,60] delayable on ency from $a_1$ to $a_2$ when x in [0,50] delayable when x in [100, 120] delayab reset requests connectors < control immediate signal endsig ## Special thanks to LAAS/RIS: Félix Ingrand, Anthony Mallet LAAS/VerTICS: Bernard Berthomieu, Silvano Dal Zilio Part of this work is funded by the H2020 European project CPSE Labs under grant agreement No 644400 Thanks for your attention -Mohammed