Nicolas Rouquette,Alessandro Pinto,Inigo Incer

2024-09-04

Abstract:We present a compositional approach to early modeling and analysis of complex aerospace systems based on assume-guarantee contracts. Components in a system are abstracted into assume-guarantee specifications. Performing algebraic contract operations with Pacti allows us to relate local component specifications to that of the system. Applications to two aerospace case studies (the design of spacecraft to satisfy a rendezvous mission and the design of the thermal management system of a prototypical aircraft) show that this methodology provides engineers with an agile, early analysis and exploration process.

Systems and Control

Albert Benveniste,Benoît Caillaud,Dejan Nickovic,Roberto Passerone,Jean-Baptiste Raclet,Philipp Reinkemeier,Alberto Sangiovanni-Vincentelli,Werner Damm,Thomas A. Henzinger,Kim G. Larsen

DOI: https://doi.org/10.1561/1000000053

2018-01-01

Foundations and Trends® in Electronic Design Automation

Abstract:Recently, contract-based design has been proposed as an “orthogonal” approach that complements system design methodologies proposed so far to cope with the complexity of system design. Contract-based design provides a rigorous scaffolding for verification, analysis, abstraction/refinement, and even synthesis. A number of results have been obtained in this domain but a unified treatment of the topic that can help put contract-based design in perspective was missing. This monograph intends to provide such a treatment where contracts are precisely defined and characterized so that they can be used in design methodologies with no ambiguity. In particular, this monograph identifies the essence of complex system design using contracts through a mathematical “meta-theory”, where all the properties of the methodology are derived from a very abstract and generic notion of contract. We show that the meta-theory provides deep and illuminating links with existing contract and interface theories, as well as guidelines for designing new theories. Our study encompasses contracts for both software and systems, with emphasis on the latter. We illustrate the use of contracts with two examples: requirement engineering for a parking garage management, and the development of contracts for timing and scheduling in the context of the AUTOSAR methodology in use in the automotive sector.

Nicola Del Giudice,Lorenzo Matteucci,Michela Quadrini,Aniqa Rehman,Michele Loreti

DOI: https://doi.org/10.1016/j.scico.2024.103095

IF: 1.039

2024-02-01

Science of Computer Programming

Abstract:Formal approaches and tools have been defined, implemented and successfully applied to support the design and development of Collective Adaptive Systems. These tools are highly specialised in their fields, and their integration requires an effort. In this paper, we introduce Sibilla, a Java modular tool that facilitates the integration of multiple specification languages for supporting quantitative analysis of systems. After a description of the general architecture of Sibilla, the main features of the tool are discussed via simple examples.

computer science, software engineering

Yongwang Zhao,David Sanán,Fuyuan Zhang,Yang Liu

DOI: https://doi.org/10.1007/978-3-030-30942-8_11

2019-01-01

Abstract:Reactive systems are composed of a well defined set of event handlers by which the system responds to environment stimulus. In concurrent environments, event handlers can interact with the execution of other handlers such as hardware interruptions in preemptive systems, or other instances of the reactive system in multicore architectures. The rely-guarantee technique is a suitable approach for the specification and verification of reactive systems. However, the languages in existing rely-guarantee implementations are designed only for “pure programs”, simulating reactive systems makes the program and rely-guarantee conditions unnecessary complicated. In this paper, we decouple the system reactions and programs using a rely-guarantee interface, and develop PiCore , a parametric rely-guarantee framework for concurrent reactive systems. PiCore has a two-level inference system to reason on events and programs associated to events. The rely-guarantee interface between the two levels allows the reusability of existing languages and their rely-guarantee proof systems for programs. In this work we show how to integrate in PiCore two existing rely-guarantee proof systems. This work has been fully mechanized in Isabelle/HOL. As a case study, we have applied PiCore to the concurrent buddy memory allocation of a real-world OS, providing a verified low-level specification and revealing bugs in the C code.

Stéphane Kastenbaum,Benoît Boyer,Jean-Pierre Talpin

DOI: https://doi.org/10.48550/arXiv.2108.13647

2021-08-31

Formal Languages and Automata Theory

Abstract:Cyber-physical systems (CPS) are assemblies of networked, heterogeneous, hardware, and software components sensing, evaluating, and actuating a physical environment. This heterogeneity induces complexity that makes CPSs challenging to model correctly. Since CPSs often have critical functions, it is however of utmost importance to formally verify them in order to provide the highest guarantees of safety. Faced with CPS complexity, model abstraction becomes paramount to make verification attainable. To this end, assume/guarantee contracts enable component model abstraction to support a sound, structured, and modular verification process. While abstractions of models by contracts are usually proved sound, none of the related contract frameworks themselves have, to the best of our knowledge, been formally proved correct so far. In this aim, we present the formalization of a generic assume/guarantee contract theory in the proof assistant Coq. We identify and prove theorems that ensure its correctness. Our theory is generic, or parametric, in that it can be instantiated and used with any given logic, in particular hybrid logics, in which highly complex cyber-physical systems can uniformly be described.

Dag McGeorge,Jon Arne Glomsrud

2024-08-09

Abstract:A growing number of safety-critical industries agree that building confidence in complex systems can be achieved through evidence and structured argumentation framed in assurance cases. Nevertheless, according to practical industry experience, assurance cases can easily become too rigorous and difficult to develop and maintain when applied to complex systems. Therefore, we propose to use contract-based development (CBD), a method to manage complexity originally developed in computer science, to simplify assurance cases by modularizing them. This paper will not only summarize relevant previous work such as constructing consistent modular assurance cases using CBD, but more importantly also propose a novel approach to integrate CBD with the argumentation in assurance case modules. This approach will allow subject-matter and domain experts to build assurance case modules together without having to know CBD. This can help a broader application of these methods in industry because subject matter experts outside of computer science can contribute to cross disciplinary co-development of assurance cases without having to learn CBD. Industry experience has proven four rules of thumb helpful for developing high-quality assurance cases. This article illustrates their usefulness and explains how modular assurance enables assurance that accounts for the interdependency of different concerns such as safety, security and performance.

Logic in Computer Science,Software Engineering

Yijiang Guo,Guojie Luo

2020-01-01

Abstract:In this paper, we propose Pillars, an integrated CGRA design framework, to assist in design space exploration and hardware optimization of CGRA. Pillars allows an architect to describe a hierarchical CGRA design in a Scala-based language and produce an in-memory model for both behavior and structure. The model generates the RTL code and the structure for reconfiguration. This structure enables application mapping and context generation in a flattened representation generated from a hierarchical model. Thus, CAD tools in Pillars are able to map applications onto the architecture and produce contexts that enable cycle-accurate simulations. In the experimental evaluation, we demonstrate the capability of Pillars to model CGRA architectures by synthesizing variants of a widely known CGRA architecture, ADRES, into FPGA overlays.

Yongwang Zhao,David Sanan

DOI: https://doi.org/10.48550/arXiv.2309.09148

2023-09-17

Abstract:The rely-guarantee approach is a promising way for compositional verification of concurrent reactive systems (CRSs), e.g. concurrent operating systems, interrupt-driven control systems and business process systems. However, specifications using heterogeneous reaction patterns, different abstraction levels, and the complexity of real-world CRSs are still challenging the rely-guarantee approach. This article proposes PiCore, a rely-guarantee reasoning framework for formal specification and verification of CRSs. We design an event specification language supporting complex reaction structures and its rely-guarantee proof system to detach the specification and logic of reactive aspects of CRSs from event behaviours. PiCore parametrizes the language and its rely-guarantee system for event behaviour using a rely-guarantee interface and allows to easily integrate 3rd-party languages via rely-guarantee adapters. By this design, we have successfully integrated two existing languages and their rely-guarantee proof systems without any change of their specification and proofs. PiCore has been applied to two real-world case studies, i.e. formal verification of concurrent memory management in Zephyr RTOS and a verified translation for a standardized Business Process Execution Language (BPEL) to PiCore.

Software Engineering

B. Meyer

DOI: https://doi.org/10.1109/2.161279

1992-10-01

Computer

Abstract:Methodological guidelines for object-oriented software construction that improve the reliability of the resulting software systems are presented. It is shown that the object-oriented techniques rely on the theory of design by contract, which underlies the design of the Eiffel analysis, design, and programming language and of the supporting libraries, from which a number of examples are drawn. The theory of contract design and the role of assertions in that theory are discussed.<>

computer science, software engineering, hardware & architecture

Miel Sharf,Bart Besselink,Karl Henrik Johansson

DOI: https://doi.org/10.48550/arXiv.2211.01298

2022-11-03

Abstract:Designing large-scale control systems to satisfy complex specifications is hard in practice, as most formal methods are limited to systems of modest size. Contract theory has been proposed as a modular alternative to formal methods in control, in which specifications are defined by assumptions on the input to a component and guarantees on its output. However, current contract-based methods for control systems either prescribe guarantees on the state of the system, going against the spirit of contract theory, or can only support rudimentary compositions. In this paper, we present a contract-based modular framework for discrete-time dynamical control systems. We extend the definition of contracts by allowing the assumption on the input at a time $k$ to depend on outputs up to time $k-1$, which is essential when considering the feedback connection of an unregulated dynamical system and a controller. We also define contract composition for arbitrary interconnection topologies, under the pretence of well-posedness, and prove that this notion supports modular design, analysis and verification. This is done using graph theory methods, and specifically using the notions of topological ordering and backward-reachable nodes. Lastly, we use $k$-induction to present an algorithm for verifying vertical contracts, which are claims of the form "the conjugation of given component-level contracts is a stronger specification than a given contract on the integrated system". These algorithms are based on linear programming, and scale linearly with the number of components in the interconnected network. A numerical example is provided to demonstrate the scalability of the presented approach, as well as the modularity achieved by using it.

Systems and Control,Dynamical Systems,Optimization and Control

Silvia Crafa,Cosimo Laneve,Giovanni Sartor

DOI: https://doi.org/10.48550/arXiv.2110.11069

2021-10-21

Abstract:There is a growing interest in running legal contracts on digital systems, at the same time, it is important to understand to what extent software contracts may capture legal content. We then undertake a foundational study of legal contracts and we distill four main features: agreement, permissions, violations and obligations. We therefore design Stipula, a domain specific language that assists lawyers in programming legal contracts through specific patterns. The language is based on a small set of abstractions that correspond to common patterns in legal contracts, and that are amenable to be executed either on centralized or on distributed systems. Stipula comes with a formal semantics and an observational equivalence, that provide for a clear account of the contracts' behaviour. The expressive power of the language is illustrated by a set of examples that correspond to template contracts that are often used in practice.

Programming Languages

Inigo Incer,Albert Benveniste,Alberto Sangiovanni-Vincentelli

2023-09-16

Abstract:We present the algebra of assume-guarantee (AG) contracts. We define contracts, provide new as well as known operations, and show how these operations are related. Contracts are functorial: any Boolean algebra has an associated contract algebra. We study monoid and semiring structures in contract algebra -- and the mappings between such structures. We discuss the actions of a Boolean algebra on its contract algebra.

Logic in Computer Science,Systems and Control

Sadek Belamfedel Alaoui,Adnane Saoud

2024-05-13

Abstract:This work establishes fundamental principles for verifying contract for interconnected hybrid systems. When system's hybrid arcs conform to the contract for a certain duration but subsequently violate it, the composition of hybrid dynamical systems becomes challenging. The objective of this work is to analyze the temporal satisfaction of the contract, allowing us to reason about the compositions that do not violate the contract up to a certain point in a hybrid time. Notions of weak and strong satisfaction of an assume-guarantee contract are introduced. These semantics permits the compositional reasoning on hybrid systems of varying complexity depending on the interconnection's type, feedback or cascade. The results show that both semantics are compatible with cascade composition, while strong semantic is required for feedback composition. Moreover, we have shown how one can go from weak to strong contract satisfaction. Finally, we have studied a particular class of hybrid systems and we have shown that the concept of forward (pre-)invariant relative to a contract makes it possible to deal with feedback compositions. These results are demonstrated throughout the paper with simple numerical examples.

Systems and Control

Alireza Fallah,Michael I. Jordan

2023-11-05

Abstract:We study the role of regulatory inspections in a contract design problem in which a principal interacts separately with multiple agents. Each agent's hidden action includes a dimension that determines whether they undertake an extra costly step to adhere to safety protocols. The principal's objective is to use payments combined with a limited budget for random inspections to incentivize agents towards safety-compliant actions that maximize the principal's utility. We first focus on the single-agent setting with linear contracts and present an efficient algorithm that characterizes the optimal linear contract, which includes both payment and random inspection. We further investigate how the optimal contract changes as the inspection cost or the cost of adhering to safety protocols vary. Notably, we demonstrate that the agent's compensation increases if either of these costs escalates. However, while the probability of inspection decreases with rising inspection costs, it demonstrates nonmonotonic behavior as a function of the safety action costs. Lastly, we explore the multi-agent setting, where the principal's challenge is to determine the best distribution of inspection budgets among all agents. We propose an efficient approach based on dynamic programming to find an approximately optimal allocation of inspection budget across contracts. We also design a random sequential scheme to determine the inspector's assignments, ensuring each agent is inspected at most once and at the desired probability. Finally, we present a case study illustrating that a mere difference in the cost of inspection across various agents can drive the principal's decision to forego inspecting a significant fraction of them, concentrating its entire budget on those that are less costly to inspect.

Computer Science and Game Theory,Theoretical Economics

Xiao Tan,Antonis Papachristodoulou,Dimos V. Dimarogonas

DOI: https://doi.org/10.1016/j.ejcon.2024.101053

IF: 2.649

2024-06-17

European Journal of Control

Abstract:This paper proposes a (control) barrier function synthesis and safety verification scheme for interconnected nonlinear systems based on assume-guarantee contracts (AGC) and sum-of-squares (SOS) techniques. It is well-known that the SOS approach does not scale well for barrier function synthesis for high-dimensional systems. In this paper, we show that compositional methods like AGC can mitigate this problem. We formulate the synthesis problem into a set of small-size problems, which constructs local contracts for subsystems, and propose a negotiation scheme among the subsystems at the contract level. The proposed scheme is then implemented numerically on two examples: vehicle platooning and room temperature regulation.

automation & control systems

Jeffrey M. Bell,Françoise Bellegarde,James Hook,Richard B. Kieburtz,Alex Kotov,Jeffrey Lewis,Laura McKinney,Dino Oliva,Tim Sheard,L. Tong,Lisa Walton,Tong Zhou

DOI: https://doi.org/10.1145/197694.197740

1994-01-01

Abstract:The Pacific Software Research Center is developing a new method to support reuse and introduce reliability into software. The method is based on design capture in domain specific design languages and automatic program generation using a reusable suite of program transformation tools. The transformation tools, and a domain specific component generator incorporating them, are being implemented as part of a major project underway at the Oregon Graduate Institute of Science and Technology. The processes used in tool development and application of the method are being captured. Once completed, an experiment will be performed on the generator to assess its usability and flexibility.This paper describes the Software Design for Reliability and Reuse method and illustrates its application to the Message Translation and Validation domain, a problem identified by our sponsors so that our method can be compared directly to a previously existing state-of-the-art solution based on code templates produced by the Software Engineering Institute (SEI) [14].

H.-Christian Estler,Carlo A. Furia,Martin Nordio,Marco Piccioni,Bertrand Meyer

DOI: https://doi.org/10.1007/978-3-319-06410-9_17

2014-02-26

Abstract:Contracts are a form of lightweight formal specification embedded in the program text. Being executable parts of the code, they encourage programmers to devote proper attention to specifications, and help maintain consistency between specification and implementation as the program evolves. The present study investigates how contracts are used in the practice of software development. Based on an extensive empirical analysis of 21 contract-equipped Eiffel, C#, and Java projects totaling more than 260 million lines of code over 7700 revisions, it explores, among other questions: 1) which kinds of contract elements (preconditions, postconditions, class invariants) are used more often; 2) how contracts evolve over time; 3) the relationship between implementation changes and contract changes; and 4) the role of inheritance in the process. It has found, among other results, that: the percentage of program elements that include contracts is above 33% for most projects and tends to be stable over time; there is no strong preference for a certain type of contract element; contracts are quite stable compared to implementations; and inheritance does not significantly affect qualitative trends of contract usage.

Software Engineering

Miel Sharf,Bart Besselink,Karl Henrik Johansson

DOI: https://doi.org/10.48550/arXiv.2111.01259

2021-11-02

Abstract:Verifying specifications for large-scale control systems is of utmost importance, but can be hard in practice as most formal verification methods can not handle high-dimensional dynamics. Contract theory has been proposed as a modular alternative to formal verification in which specifications are defined by assumptions on the inputs to a component and guarantees on its outputs. In this paper, we present linear-programming-based tools for verifying contracts for control systems. We first consider the problem of verifying contracts defined by time-invariant inequalities for unperturbed systems. We use $k$-induction to show that contract verification can be achieved by considering a collection of implications between inequalities, which are then recast as linear programs. We then move our attention to perturbed systems. We present a comparison-based framework, verifying that a perturbed system satisfies a contract by checking that the corresponding unperturbed system satisfies a robustified (and $\epsilon$-approximated) contract. In both cases, we present explicit algorithms for contract verification, proving their correctness and analyzing their complexity. We also demonstrate the verification process for two case studies, one considering a two-vehicle autonomous driving scenario, and one considering formation control of a multi-agent system.

Systems and Control,Dynamical Systems,Optimization and Control

Emanuel Palm,Ulf Bodin,Olov Schelén

2024-08-12

Abstract:While the blockchain-based smart contract has become a hot topic of research over the last decade, not the least in the context of Industry 4.0, it now has well-known legal and technical shortcomings that currently prohibit its real-world application. These shortcomings come from (1) that a smart contract is a computer program, not a document describing legal obligations, and (2) that blockchain-based systems are complicated to use and operate. In this paper, we present a refined and extended summary of our work taking key technologies from the blockchain sphere and applying them to the ricardian contract, which is a traditional contract in digital form with machine-readable parameters. By putting the ricardian contract in the context of our contract network architecture, we facilitate the infrastructure required for contracts to be offered, negotiated, performed, renegotiated and terminated in a completely digital and automatable fashion. Our architecture circumvents the legal issues of blockchains by facilitating an artifact very much alike a traditional contract, as well as its operational complexity by requiring consensus only between nodes representing directly involved parties. To demonstrate its utility, we also present how it could be used for (1) private data purchasing, (2) treasury management, (3) order-driven manufacturing and (4) automated device on-boarding.

Software Engineering