Elaborating Requirements for Cyber-Physical Systems in Automotive Domain for the Purpose of Their Formal Verification

Sergey Staroletov¹

Abstract— Cyber-Physical Systems (CPSs) mirror real-world processes and combine discrete cyber and continuous physical parts. In this paper, real CPSs in the automotive domain are examined. The goal of this work is to apply the process of requirements engineering to the design of such systems with the purpose of further verification. The necessity of formal verification here, in contrast to testing, is also emphasized. It is proposed to use EU certification documents as the basis of requirements for real-world CPSs; the model of the system should then be constructed using the model-driven approach and statically checked, after hybrid program generation, using dynamic-logic-related tools and proof strategies. The current state of formal methods to verify these systems is discussed. A process of elaborating requirements, a model, and a generated hybrid program are shown in the paper based on a simplified antilock braking system (ABS) controller.

Index Terms— requirements engineering, formal verification, CPS, automotive.

I. INTRODUCTION

The increasing complexity and use of control systems in human life requires new methods to ensure the quality of embedded software at all levels of its production. Firstly, the system is built based on some assumptions, and the process of collecting such complete and correct requirements is now the subject of requirements engineering. Secondly, the system implementation based on the requirements should be tested with good test coverage. But due to the undecidability of the General Testing Problem (discussed in [1] as a consequence of Turing's Halting problem), the engineering world needs methods of static checking with the possibility of proving model correctness, so formal methods have been introduced by the model checking community. For cyber-physical systems that have equations in their physical part, some extensions of dynamic sequential logic were introduced, and now such systems can be expressed as hybrid programs over continuous time. The automotive domain is an example of a source of real-world cyber-physical systems with safety requirements. This domain includes models for the physical work of chassis, transmission, engine and some safety-related subsystems like ABS (antilock braking system) and ESP (electronic stability program). In the current paper, the process and techniques to elaborate requirements, modeling, code generation and verification issues are discussed based on a model for ABS.

The results were partially obtained within the RFBR grant (project No. 17-07-01600).
¹ Sergey Staroletov is with Polzunov Altai State Technical University, Barnaul, Russia, serg [email protected]

II. BACKGROUND

A. Requirement engineering

According to Zave [2], requirements engineering (RE) is the branch of software engineering concerned with the real-world goals for, functions of, and constraints on software systems. As the primary measure of success of a software system is the degree to which it meets the purpose for which it was intended, software systems requirements engineering is the process of discovering that purpose [3].

Microsoft Press issued the book [4] to describe some good practices on how requirements can lead to fewer change requests, higher customer satisfaction, and lower development costs in the production of general-purpose software. For embedded system software that controls a CPS, safety assurance should be added to the list of goals of successful requirements.

B. Ontology-based design

According to Gruber [5], an ontology is a description, similar to a formal specification of a program, of the concepts and relationships that can formally exist for an agent or a community of agents. Nowadays, those relationships are often also called a knowledge graph. In general, an ontology comprises classes with attributes and named relations between them. Ontology engineering is a set of tasks related to the development of ontologies for a particular domain [6].

C. Cyber-physical systems and their formal verification

Cyber-physical systems (CPS) are real-world systems that use a cyber part (computer/software) to control or operate a physical part (hardware/physical process) [7]. The cyber part may be expressed as a discrete transition system, while the physical part as ODEs, real-world models over continuous time. Currently, model-driven methods are established to express that part [7] and, in the engineering world, a lot of engineers use Matlab Simulink© or its open-source analogue Scilab Xcos to create and simulate physical models in a graphical editor with the possibility to write some additional code.

According to Platzer, CPSs can be encoded as Hybrid programs [8], [9] and the syntax of such programs [10] is defined as follows:

$\alpha ::= x := e \mid ?Q \mid x' = f(x)\,\&\,Q \mid \alpha \cup \alpha \mid \alpha;\alpha \mid \alpha^*$ (1)

where α is a meta-variable for the hybrid programs, x is a meta-variable for program variables, e is a meta-variable for the first-order terms on real numbers, f is a meta-variable for the continuous real functions, and Q is a meta-variable for the first-order formulas over real numbers. The construct ";" means here the sequential composition, "∪" is the non-deterministic choice, "?" is the test operator, and "*" is the non-deterministic iteration (like the Kleene star). Using the differential dynamic logic, a formal verifier for these types of hybrid programs (with respect to requirements expressed as modalities and invariants) has been developed as the KeYmaera tool, which is based on the KeY theorem prover. The goal was to provide techniques to make hybrid system == continuous system == discrete system [11] for verification purposes.

D. Automotive domain

Automotive is one of the real-world domains of CPSs that is extremely widely used by mankind. Modern vehicles have sets of ECUs (electronic control units) that are distributed among the vehicle and connected through CAN, LIN and K-line buses, which offer to exchange frames of information from sensors, actuators and derivative data generated by microcontrollers. ECUs can control the engine, brakes, airbags, automatic transmission; also novel cars include controllers for a hybrid drive, high-voltage battery, inverters and so on. The automotive domain comprises models for the engine, emissions, transmission, electric and hybrid drives, suspension, steering, tires, vehicle stability, brakes, vehicle safety, aerodynamics [12], [13], etc. One of its software features is the frequent use of data tables with selected parameters that describe physical processes. The automotive parts and controllers are certified (for obtaining a type-approval) according to regulations on target sales markets (Russian, EU, US, China, etc.).

III. RELATED WORK

In the paper [14], the authors from Imperial College refer to the requirements elaboration for discrete labelled transition systems: they use FLTL (Fluent Linear Temporal Logic) to specify predicates with requirements, then they translate such requirements to Event Calculus, do an inductive learning process to obtain new operational requirements using a model-checking approach with counter-example generation, then translate possible new requirements to the FLTL representation and manually select good ones from them. This process allows engineers to clarify system requirements even when they are unclear at first.

In the work [15], we presented an approach to collect requirements for discrete systems using an online tool, a web portal as a shell to the SPIN [16] tool, where engineers and customers can meet together, think about control variables and requirements, construct and verify algorithms without installing special tools. The author has also presented another vision of developing transitional software systems using a behaviour-driven process with Gherkin-style specifications [17].

In the article [18], the authors from ISP RAS proposed using an attribute tree structure to keep system requirements, along with a subtree reuse feature and search algorithms.

In [19], researchers from the Institute of Informatics Systems, SB RAS presented a verification-oriented ontology approach with an actor-type ontology (with processes, channels, messages, variables and transition rules) for concurrent systems, with the goal of further Promela code generation from the populated ontology. In [20] they presented an ontology for requirements using patterns for complex LTL formulas.

As for model-driven CPS creation and further verification, we conducted a survey on it in [7]. In the current work we use Scilab Xcos [21], a block diagram editor and GUI for the hybrid simulator. There exists a project, "Project P" [22], with the aim to support the model-driven engineering of real-time systems by providing an open code generation framework able to (I) verify the semantic consistency of systems, (II) generate optimized source code and (III) support a multi-domain (avionics, space, and automotive) certification process by providing open qualification material. Currently, an Ecore meta-model, QGen as a code generator from Simulink/Xcos models [23] and some kind of formal verification for discrete systems using assertion blocks have been developed.

For continuous systems verification, a lot of example models were built around the KeYmaera tool as its tutorials in the train, car [24] and robot domains. Explanations are given in [25].

The existence of tutorials of real-world CPSs close to the Simulink/Xcos notation with feedbacks is still an open question.

IV. TOWARDS A MODEL FOR ABS

Here a model for ABS (anti-lock braking system) designed by MathWorks is considered [26]. The model is based on the relative slip: the difference between the wheel angular velocity ω_w and the vehicle speed divided by the wheel radius, ω_v, taken as a ratio to ω_v:

$\mathrm{slip}_{relative} = 1 - \dfrac{\omega_w}{\omega_v}$ (2)

When the calculated and actual angular speeds are the same, the slip value is zero, and the slip value is 1 when the wheel is locked. In Fig. 1 from [13] the relation between the brake slip value and the brake force coefficient µ_b is shown. The desirable slip value is 0.2, which means that the wheel speed is 0.8 times the speed in the absence of braking at the same vehicle speed. The reader can see on the graph that from 0 up to 20% wheel blocking the brake force is increasing, and after that value until full wheel blocking the driver does not need to press the brake pedal harder, especially on wet surfaces; that is the idea of ABS. According to [26], maintaining the slip value at 0.2 in the full phase of braking maximizes the adhesion between the tire and road and minimizes the stopping distance with the available friction.

The model itself is based on a feedback system between the desired and calculated relative slip.

$\mathrm{slip}_{on/off} = \mathrm{sign}(\mathrm{slip}_{desired} - \mathrm{slip}_{relative})$ (3)

This on/off rate goes through filtering by a first-order lag that represents the delay associated with the hydraulic lines
of the brake system. It can be described using a transfer function

$hg = \dfrac{K}{\tau s + 1} \cdot \mathrm{slip}_{on/off}$ (4)

or by solving the corresponding differential equation

$\tau \cdot \dfrac{d(hg)}{dt} + hg = K \cdot \mathrm{slip}_{on/off}$ (5)

The actual brake pressure is obtained from the filtered rate by integrating

$P_{brake} = \int hg\, dt$ (6)

The brake torque applied to the wheel is directly proportional to the brake pressure and can be calculated as the pressure multiplied by the piston area and radius with respect to the wheel

$T_{brake} = P_{brake} \cdot K_f$ (7)

The accelerating torque of the road surface on the wheel (tire torque) is proportional to the weight on the wheel (P) and the brake force coefficient (which gives us the frictional force on the wheel) and the wheel radius

$F_f = \mu_b \cdot P; \quad T_{tire} = F_f \cdot R_r$ (8)

The brake torque is subtracted to give the net torque on the wheel

$T_{net} = T_{brake} - T_{tire}$ (9)

The wheel acceleration is calculated by dividing the net torque by the wheel rotational inertia, which is then integrated to provide the wheel velocity

$a_w = T_{net}/I$ (10)

$\omega_w = \int a_w\, dt$ (11)

For obtaining the ω_v value, the frictional force F_f is divided by the vehicle mass to produce the vehicle deceleration, which can be integrated to get the vehicle velocity

$a_v = -F_f/m$ (12)

$v_v = v_0 + \int a_v\, dt$ (13)

From this value, the vehicle angular speed is obtained according to

$\omega_v = \dfrac{v_v}{R_r}$ (14)

and the vehicle stopping distance

$s = \int v_v\, dt$ (15)

Fig. 1. Brake slip coefficient [13]

This model is adequate in some cases but is not designed for implementation in real ABS controllers. In [26] it is stated that in an actual vehicle the slip cannot be measured directly, but it is known that cars have speed sensors on each wheel and that data is available on the CAN bus, so the method, in general, can be used without calculating some intermediate variables. In this paper, the model is used as an example of a non-simple CPS.

V. REQUIREMENTS FOR THE ABS MODEL

The main question here is what to require from our ABS model. Intuition tells us that using ABS should help the car to stop, which means the final velocity should be zero, and the stopping distance should be less than the distance without using ABS. With this model an additional requirement should be satisfied: the slip value should concentrate near the desired 0.2. But all these requirements are informal; nevertheless, of course, they can be translated to predicates over model variables.

In this work, it is proposed to look at official certification documents (vehicle approval regulations) to get the requirements for developing vehicle systems like ABS. A list of current documents with EU regulations for vehicles is available in [27]. The uniform provisions concerning the approval of passenger cars with regard to braking are expressed in [28]. The document introduces definitions corresponding to braking, and provides requirements and test procedures for different parts of the vehicle brake system. For example, a general test procedure and measurement values for the well-known "moose test" (to approve ESP systems) are given. In the corresponding documents for other national markets (for example [29]) the ideas are similar. According to the document, the following requirements for normal vehicles' ABS can be elaborated:

1) During the braking phase the wheels are not locked.

2) ABS works in full-cycle mode, which means that the system is repeatedly modulating the brake force to prevent the directly controlled wheels from locking. Brake applications where modulation only occurs once during the stop shall not be considered to meet this definition.

3) The utilisation of adhesion by the anti-lock system takes into account the actual increase in braking distance beyond the theoretical minimum. The anti-lock system shall be deemed to be satisfactory when the condition ε ≥ 0.75 holds. ε is defined as the quotient of the maximum braking rate with the anti-lock system operative (z_AL) and the coefficient of adhesion (k_M), i.e.

$\varepsilon = \dfrac{z_{AL}}{k_M}$ (16)

Given an initial vehicle speed of 55 km/h, the maximum braking rate (z_AL) shall be measured with full cycling of the anti-lock braking system using the time taken t_m1 for the speed to reduce from 45 km/h to 15 km/h, according to the following formula:

$z_{AL} = \dfrac{0.849}{t_{m1}}$ (17)

Fig. 2. Static axle loads [13]

The coefficient of adhesion k_M is determined by weighting with the dynamic axle loads (front and rear).

$k_M = \dfrac{k_f \cdot F_{fdyn} + k_r \cdot F_{rdyn}}{P \cdot g}$ (18)

where the dynamic axle loads are calculated from the static loads F_f and F_r with respect to the centre of gravity height h and the wheel base E:

$F_{fdyn} = F_f + \dfrac{h}{E} \cdot z_{AL} \cdot P \cdot g$ (19)

$F_{rdyn} = F_r - \dfrac{h}{E} \cdot z_{AL} \cdot P \cdot g$ (20)

For the computation of the coefficient of adhesion for the front axle k_f and for the rear axle k_r, the brakes, without locking the wheels, shall be applied on only one axle of the vehicle under special tests, at an initial speed of 50 km/h. The anti-lock system shall be disconnected. A number of tests at increments of line pressure shall be carried out to determine the maximum braking rate of the vehicle (z_m). During each test, a constant input force shall be maintained and the braking rate will be determined by reference to the minimal time taken (t_m2) for the speed to reduce from 40 km/h to 20 km/h using the formula:

$z_m = \dfrac{0.566}{t_{m2}}$ (21)

Finally,

$k_f = \dfrac{z_m \cdot P \cdot g - 0.015 \cdot F_r}{F_f + \dfrac{h}{E} \cdot z_{AL} \cdot P \cdot g}$ (22)

$k_r = \dfrac{z_m \cdot P \cdot g - 0.01 \cdot F_r}{F_r - \dfrac{h}{E} \cdot z_{AL} \cdot P \cdot g}$ (23)

4) Transition between surfaces with slightly different coefficients of adhesion [28]:
• When an axle passes from a high-adhesion surface (k_H) to a low-adhesion surface (k_L), where k_H ≥ 0.5 and k_H/k_L ≥ 2, with the full force applied on the control device, the directly controlled wheels shall not lock.
• When a vehicle passes from a low-adhesion surface (k_L) to a high-adhesion surface (k_H) where k_H ≥ 0.5 and k_H/k_L ≥ 2, with the full force applied on the control device, the deceleration of the vehicle shall rise to the appropriate high value within a reasonable time and the vehicle shall not deviate from its initial course. The running speed and the instant of applying the brake shall be so calculated that, with the anti-lock system fully cycling on the low-adhesion surface, the passage from one surface to the other occurs at approximately 50 km/h.

5) Brake assistant system: approval of deceleration and pedal force intervals. Given a test vehicle speed of 100 ± 2 km/h. Once an emergency braking condition has been detected, systems sensitive to pedal force shall show a significant increase in the ratio of: (a) brake line pressure to brake pedal force, (b) vehicle deceleration to brake pedal force. The brake pedal force F_ABS is the minimum pedal force that has to be applied for a given vehicle in order to achieve maximum deceleration, which indicates that ABS is fully cycling. a_ABS is the deceleration for a given vehicle during ABS deceleration. The full deceleration (saturation curve, which is established after a linearly increasing section) shall be reached within the timeframe of 2.0 ± 0.5 s. F_T and a_T are the threshold force and threshold deceleration, and their values shall be supplied to the Technical Service at the time of submission of the type-approval application. The value of a_T shall be between 3.5 m/s² and 5.0 m/s². Then,

$F_{ABS,extrapolated} = \dfrac{F_T \cdot a_{ABS}}{a_T}$ (24)

Having a_T, F_T (supplied), F_ABS,extrapolated (calculated), F_ABS, a_ABS (as steady-state deceleration and pressure values from the versus-time graphs), F_ABS,min and F_ABS,max are calculated according to the requirement in Fig. 3. Then, the presence of BAS is proven if

$F_{ABS,min} \leq F_{ABS} \leq F_{ABS,max}$ (25)

where:

$F_{ABS,max} - F_T \leq (F_{ABS,extrapolated} - F_T) \cdot 0.6$ (26)
$F_{ABS,min} - F_T \geq (F_{ABS,extrapolated} - F_T) \cdot 0.2$ (27)

Fig. 3. Pedal force characteristic needed in order to achieve maximum deceleration [28]

From this section, it can be inferred that the requirements for automotive systems (on the ABS example) consist of statements that can be translated to invariants, pre- and post-conditions; graphics-related data can be encoded as look-up tables with further translation to code or formulas; test scenarios can be encoded as programs or modeled from blocks using model-driven software, and then simulated or run in cooperation with real controllers; they can also be encoded as Hybrid programs and then statically verified.

VI. ON MODEL-DRIVEN METHODS TO DESIGN OF CPSS

Model-driven development (MDD) is a way to create a software system from scratch by drawing some diagrams or writing textual models and then simulating or executing these diagrams and generating the system code from them [7]. The approach has the following main advantages when applying MDD in the CPS design process:
• engineers can see a graphical model or DSL code and move through it;
• no distinction between code and model after changing either of them;
• possible ways to generate code for different target languages and purposes;
• the system can be created by engineers who know how to describe physical processes but do not have proper programming skills.

As a rule, engineers use Matlab (a language and a collection of library functions) Simulink© (block editor and simulator) or its analogues. In this paper, a free substitute (to some extent) is considered: the Scilab project and Xcos as a block editor. A variation of the ABS model (introduced in formulas (2)-(14)) was adapted from MathWorks [26] by the author and is presented in Fig. 4. The model is actually a collection of blocks, and each i-th block applies some kind of function to its input:

$y = f_i(u, state_i)$ (28)

where u is an input signal (usually coming from a previous block), y is an output signal, f_i is a block function and state_i is a block state (some tuple of block parameters and intermediate values). In this section, block by block, the internal operation of the circuit is examined.

In Fig. 5 a feedback adder block is presented. It means that the model is running in a loop with increasing time from zero to some pre-defined value or until a halt condition is triggered (also see the HALT block in the scheme). At each step, this adder adds the desired relative slip (0.2) constant from a positive input and the resulting signal, multiplied by the Ctrl constant (using the gain triangle block), from a negative input. So, it is a negative feedback and it corrects the current system state (recall, ABS needs to stabilize the current slip value around 20%). Initially, the resulting signal is zero and it should be saved to a temporary variable each time before starting a new iteration of the loop.

Next, the resulting signal comes to the SIGN block (Fig. 6). It just returns 1 for positive, 0 for zero and -1 for the negative input value.

To model a smooth system with the simulation of delays introduced by the hydraulic lines of the braking system, the transfer function block is used. It is described by formulas (4) and (5), and for this block, the τ value is 0.05 and the K value is 100 (Fig. 7). While K is the asymptotic value, τ represents the speed to achieve it (Fig. 8). During system execution, equation (5) can be dynamically solved using the Runge–Kutta methods, or the following function, which is a solution of (5), can be applied:

$hg(u, t) = u \cdot K \cdot (1 - \exp(-t/\tau))$ (29)

According to formula (6), for obtaining the brake pressure, the input signal should be integrated with respect to time (Fig. 9). Moreover, the result should be saturated, which means that the resulting value must lie in [0, P_bmax]. For discrete signals (as the function is not known analytically), the integral can be calculated based on the previous value using the formula:

$y = y_{old} + \dfrac{u + u_{old}}{2} \cdot (t - t_{old})$ (30)

where y_old, u_old, t_old are the values during the last calculation of this block (they should be saved).

The mu-slip curve (presented in Fig. 1) is designed using the Inter block (see Fig. 10). The resulting signal from the scheme is the brake slip and it comes to the feedback adder; it is also used to calculate the tire torque value (see formulas (7)-(8)). It can be implemented using Lagrange polynomial interpolation, but due to wrong values close to the boundaries of the interval, spline interpolation is better to use. Sources for the interpolation are points (lying on the curve in Fig. 1), like X = [0; 0.05; 0.10; 0.15; ...; 1.00] and Y = [0; 0.40; 0.80; 0.97; ...; 0.70].

Note that for different road and tire surfaces and weather, the curve and its points should be substituted with different ones. In the model here a reduction factor can be used to lower the µ_b value, but it is just a simplification.

Other blocks on the scheme are clear or repeat the described blocks. In some points, CSCOPE blocks are used to plot the current signal values. The functional block is used to
calculate a function from several signal sources muxed into one vector.

Fig. 4. Scilab/Xcos adaptation for the ABS model

Fig. 5. Adder block organizes a negative feedback

Fig. 6. Bang-bang controller using SIGN block

Fig. 7. Hydraulic lag using SISO transfer function block

Fig. 8. Solution for the hydraulic lag for 1 as input

VII. DIAGRAMS-TO-PROGRAMS TRANSLATION

In this section, it is discussed how to move between different variations of CPS definitions.

Suppose we have elaborated requirements. As the steps of the model are defined, the corresponding series of blocks for a diagram editor (like the considered Xcos) can be generated using information from the previous section. The pre-conditions are the context for the diagram (some code to be executed before the start of the simulation), and the post-conditions are the possible assertions. Invariants can be inserted as function calls with checks at the right points in the diagram.

To generate code from diagrams, some integration into the diagram editor should be performed. For example, Scilab offers integration into the tools menu and the ability to manipulate Xcos diagram nodes (some examples are given in the Project P repository), or it can be accomplished by processing the XML source file of a diagram. Using the rules described in the previous section, a corresponding program can be generated, for example, in C. It should work in a loop and implement a sequence of paths from the diagram. Also, here it is possible to use special project-oriented languages [32].

For formal verification purposes, Hybrid program code can also be generated. In Listing 1 a fragment of a KeY file (for the KeYmaera tool) with a description of the ABS model is shown. It is analyzed in the next section.

Listing 1. A fragment of Hybrid program

    \problem {
      t = 0 & tMax = 15 & dt = 0.1 &
      DesiredRelativeSlip = 0.2 &
      Pbmax = 1500 & ...
      /* initial values for variables */
      ->
      \[ /* system dynamics */
        (while (t < tMax)
          yOld := y;
          y := DesiredRelativeSlip - yOld;
          /* Bang-bang controller */
          /* Hydraulic lag */
          /* Brake pressure */
          /* Force & torque */
          /* Tire torque */
          /* ... */
          y := 1.0 - y1 / (y2 + u * eps);
          t := t + dt /* end of while */
        end) @invariant(t >= 0 & t <= tMax)
      \] (t >= tMax) & (Requirement1) & ...
      /* safety req / postcondition */
    }

It uses a notation with modalities

precondition → [hybrid program] postcondition (31)

which means that for every terminated run of a Hybrid program the postcondition is always satisfied with respect to the precondition. In the opposite direction, the generation of diagrams and the population of ontologies are also possible from the code, not in a particular programming language but from Hybrid programs, since they have strict formal semantics.

Fig. 9. Integrator block with saturation

VIII. VERIFICATION OF HYBRID REPRESENTATION OF ABS MODEL AND ITS ISSUES

Formal verification of CPSs is a way of static checking of models, without running them, with respect to requirements. From the presented model, as explained in the previous section, it is possible to produce a Hybrid program. It uses repetition for the loop; conditions and assignments are also supported, as well as differential equation solving (for example, for describing the hydraulic lag). Integrator blocks are not supported by the differential dynamic logic, so they can be realized numerically using formula (30). The interpolation block is also an issue here, but it can be implemented as a step function.

Fig. 10. Solution for the hydraulic lag for 1 as input

Fig. 11. Interactive proof of ABS model using KeYmaera tool

Playing with the Hybrid program representation of the ABS model reveals that the use of the KeYmaera theorem prover and the differential dynamic logic inside it for such models, even with simple requirements (recall that the requirements for the model are not obvious), does not offer naive "one-click" methods to prove. The process has high computational complexity and requires user interventions. Methods to help the prover, presented in [33], can be used.
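The following Python script is an added example written for this page, not code from the paper or from the MathWorks/Xcos model: it runs the ABS loop of Listing 1 numerically, block by block as in Section VI (bang-bang controller (3), hydraulic lag (5) by explicit Euler, saturated trapezoidal integrator (30), a piecewise-linear mu-slip look-up in the shape of Fig. 1, wheel and vehicle dynamics (7)-(15)), checks the loop invariant of Listing 1 at every step, and evaluates the informal requirements of Section V (the car stops, the stopping distance is shorter than with a locked wheel, the wheel does not lock). The vehicle parameters and the intermediate points of the mu-slip table are constructed assumptions, and the net wheel torque is taken as T_tire − T_brake so that braking slows the wheel.

```python
"""ABS quarter-car model of the paper, run as the discrete loop of Listing 1.
Blocks follow Section VI; equation numbers refer to the paper.
Constructed example: the vehicle parameters below are assumptions."""
import math

G = 9.81                 # m/s^2
DESIRED_SLIP = 0.2       # target relative slip (Section IV)
TAU, K = 0.05, 100.0     # hydraulic lag constants of the transfer-function block (Section VI)
PB_MAX = 1500.0          # brake pressure saturation Pbmax (Listing 1)
T_MAX = 15.0             # simulation horizon tMax, s (Listing 1)

# Constructed vehicle/wheel parameters (assumptions, not from the paper).
M = 400.0                # mass carried by one wheel, kg (so the wheel load P = M*G)
RR = 0.30                # wheel radius R_r, m
INERTIA = 5.0            # wheel rotational inertia I, kg*m^2
KF = 20.0                # brake torque per unit of brake pressure K_f, N*m
V0 = 25.0                # initial speed v_0, m/s
DT = 0.001               # integration step, s
V_STOP = 1.0             # HALT block: vehicle counted as stopped below this speed, m/s

# mu-slip table in the shape of Fig. 1: the first four and the last point are the
# ones quoted in Section VI, the intermediate points are constructed.
MU_SLIP = [(0.0, 0.0), (0.05, 0.40), (0.10, 0.80), (0.15, 0.97), (0.20, 1.00),
           (0.30, 0.95), (0.50, 0.85), (0.70, 0.78), (1.00, 0.70)]


def clamp(x, lo, hi):
    return max(lo, min(hi, x))


def mu_of_slip(slip):
    """Look-up of the brake force coefficient mu_b; piecewise-linear here,
    where the Xcos model uses a spline interpolation block."""
    slip = clamp(slip, 0.0, 1.0)
    for (x0, y0), (x1, y1) in zip(MU_SLIP, MU_SLIP[1:]):
        if slip <= x1:
            return y0 + (y1 - y0) * (slip - x0) / (x1 - x0)
    return MU_SLIP[-1][1]


def hydraulic_lag(u, t):
    """Eq. (29): closed-form response of the lag (5) to a constant input u."""
    return u * K * (1.0 - math.exp(-t / TAU))


def simulate(abs_enabled=True, dt=DT):
    """One run of the loop of Listing 1. With abs_enabled=False the pedal is
    held down (controller output fixed at +1), which gives the locked-wheel
    baseline for the 'shorter stopping distance' requirement of Section V."""
    t, v, s = 0.0, V0, 0.0
    omega_w = V0 / RR                       # wheel starts rolling freely
    hg = hg_old = p_brake = 0.0
    invariant_ok, stopped, locked_steps, steps = True, False, 0, 0
    while t < T_MAX:
        invariant_ok &= 0.0 <= t <= T_MAX   # @invariant(t >= 0 & t <= tMax)
        omega_v = v / RR
        slip = 1.0 - omega_w / max(omega_v, 1e-9)                 # eq. (2)
        if abs_enabled:                                           # eq. (3), SIGN block
            u = 1.0 if DESIRED_SLIP > slip else (-1.0 if DESIRED_SLIP < slip else 0.0)
        else:
            u = 1.0
        hg_old, hg = hg, hg + dt * (K * u - hg) / TAU             # eq. (5), explicit Euler
        p_brake = clamp(p_brake + 0.5 * (hg + hg_old) * dt, 0.0, PB_MAX)  # eqs (6), (30)
        t_brake = p_brake * KF                                    # eq. (7)
        f_f = mu_of_slip(slip) * M * G                            # eq. (8), P = M*G
        t_tire = f_f * RR
        a_w = (t_tire - t_brake) / INERTIA                        # eq. (10); braking slows the wheel
        omega_w = clamp(omega_w + a_w * dt, 0.0, omega_v)         # eq. (11)
        a_v = -f_f / M                                            # eq. (12)
        v = max(v + a_v * dt, 0.0)                                # eq. (13)
        s += v * dt                                               # eq. (15)
        t += dt
        steps += 1
        if omega_w == 0.0:                                        # requirement 1: wheel locked
            locked_steps += 1
        if v <= V_STOP:                                           # HALT block
            stopped = True
            break
    return {"time": t, "distance": s, "stopped": stopped,
            "invariant_ok": invariant_ok, "lock_fraction": locked_steps / steps}


if __name__ == "__main__":
    for label, run in (("ABS", simulate(True)), ("locked wheel", simulate(False))):
        print(f"{label:12s} stop at t={run['time']:.2f} s, distance={run['distance']:.1f} m, "
              f"wheel locked {100 * run['lock_fraction']:.0f}% of the time")
```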

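The regulation-derived requirements of Section V, turned into executable checks as an added example written for this page (not the author's code): the adhesion utilisation ε of requirement 3 from the test times and axle loads via eqs (16)-(23) as printed above, and the brake-assist pedal-force interval of requirement 5 via eqs (24)-(27). The vehicle data and test times are constructed, one z_m per axle test is assumed, and F_ABS,max and F_ABS,min are read as the tightest bounds allowed by (26) and (27).

```python
"""Type-approval style checks for the ABS requirements of Section V.
Formulas are transcribed as printed in the paper (from the regulation [28]);
all numeric inputs are constructed test-report values, not measurements."""
from dataclasses import dataclass

G = 9.81
EPSILON_MIN = 0.75        # requirement 3: epsilon >= 0.75


@dataclass
class VehicleData:
    mass: float      # P, kg
    f_front: float   # F_f, static front axle load, N
    f_rear: float    # F_r, static rear axle load, N
    h: float         # height of the centre of gravity, m
    e: float         # wheel base E, m


def braking_rate_abs(t_m1):
    """Eq. (17): z_AL from the time taken from 45 km/h to 15 km/h with ABS cycling."""
    return 0.849 / t_m1


def braking_rate_single_axle(t_m2):
    """Eq. (21): z_m from the time taken from 40 km/h to 20 km/h, one axle braked, ABS off."""
    return 0.566 / t_m2


def adhesion_utilisation(vd, t_m1, t_m2_front, t_m2_rear):
    """Eqs (16)-(23). Returns (epsilon, k_M, k_f, k_r).
    Assumption: the one-axle test is run once per axle, giving one z_m each."""
    pg = vd.mass * G
    z_al = braking_rate_abs(t_m1)
    shift = vd.h / vd.e * z_al * pg             # dynamic load transfer term
    f_front_dyn = vd.f_front + shift            # eq. (19)
    f_rear_dyn = vd.f_rear - shift              # eq. (20)
    z_m_front = braking_rate_single_axle(t_m2_front)
    z_m_rear = braking_rate_single_axle(t_m2_rear)
    k_f = (z_m_front * pg - 0.015 * vd.f_rear) / f_front_dyn   # eq. (22)
    k_r = (z_m_rear * pg - 0.01 * vd.f_rear) / f_rear_dyn      # eq. (23) as printed
    k_m = (k_f * f_front_dyn + k_r * f_rear_dyn) / pg          # eq. (18)
    return z_al / k_m, k_m, k_f, k_r                            # eq. (16)


def abs_adhesion_ok(vd, t_m1, t_m2_front, t_m2_rear):
    """Requirement 3: the anti-lock system is satisfactory when epsilon >= 0.75."""
    return adhesion_utilisation(vd, t_m1, t_m2_front, t_m2_rear)[0] >= EPSILON_MIN


def bas_pedal_force_ok(f_t, a_t, f_abs, a_abs):
    """Requirement 5, eqs (24)-(27). f_t/a_t are the supplied threshold force and
    deceleration, f_abs/a_abs the measured steady-state values. The bounds are
    taken as the tightest values satisfying (26) and (27)."""
    if not 3.5 <= a_t <= 5.0:
        raise ValueError("a_T must lie between 3.5 and 5.0 m/s^2")
    f_extrapolated = f_t * a_abs / a_t                     # eq. (24)
    f_abs_max = f_t + 0.6 * (f_extrapolated - f_t)         # eq. (26)
    f_abs_min = f_t + 0.2 * (f_extrapolated - f_t)         # eq. (27)
    return f_abs_min <= f_abs <= f_abs_max                  # eq. (25)


# Constructed vehicle: 1000 kg, 60/40 static load split, h = 0.5 m, E = 2.5 m.
CAR = VehicleData(mass=1000.0, f_front=600.0 * G, f_rear=400.0 * G, h=0.5, e=2.5)

if __name__ == "__main__":
    eps, k_m, k_f, k_r = adhesion_utilisation(CAR, t_m1=1.5, t_m2_front=1.0, t_m2_rear=4.0)
    print(f"z_AL={braking_rate_abs(1.5):.3f} k_f={k_f:.3f} k_r={k_r:.3f} "
          f"k_M={k_m:.4f} epsilon={eps:.3f} ok={abs_adhesion_ok(CAR, 1.5, 1.0, 4.0)}")
    print("BAS interval ok:", bas_pedal_force_ok(f_t=100.0, a_t=4.0, f_abs=150.0, a_abs=9.0))
```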

IX. CONCLUSION

The automotive domain is a source of real-world problems, and one of them (implementing a provable ABS controller) was considered.

Verification of cyber-physical systems demands physical-mathematical models and requirements for them. The process of obtaining such requirements from authentic certification documents is shown. It is proposed to use actual requirements, construct the model from blocks and generate code from it with the purpose of further proving the correctness of the system behaviour with respect to the given requirements.

Currently, there are a lot of issues in verifying continuous systems, especially non-toy models: no code generators from the diagram representation, not all types of blocks exist in dynamic logics, the prover requires user selection of proof strategies, and the computational complexity is high.

The goal of the paper was to touch on these problems and take a step towards the possibility of automatic formal verification of CPSs in real domains using actual requirements.

REFERENCES

[1] S. Staroletov, Basics of Verification and Testing [in Russian]. Saint-Petersburg: Lanbook. ISBN 978-5-8114-3041-3, 2018.
[2] P. Zave, "Classification of research efforts in requirements engineering," in Proceedings of 1995 IEEE International Symposium on Requirements Engineering (RE'95). IEEE, 1995, pp. 214–216.
[3] B. Nuseibeh and S. Easterbrook, "Requirements engineering: a roadmap," in Proceedings of the Conference on the Future of Software Engineering. ACM, 2000, pp. 35–46.
[4] K. Wiegers and J. Beatty, Software Requirements. Pearson Education, 2013.
[5] T. R. Gruber, "Toward principles for the design of ontologies used for knowledge sharing?" International Journal of Human-Computer Studies, vol. 43, no. 5-6, pp. 907–928, 1995.
[6] L. Pouchard, N. Ivezic, and C. Schlenoff, "Ontology engineering for distributed collaboration in manufacturing," in Proceedings of the AIS2000 Conference. Citeseer, 2000.
[7] S. Staroletov, N. Shilov, V. Zyubin, T. Liakh, A. Rozov, I. Konyukhov, I. Shilov, T. Baar, and H. Schulte, "Model-driven methods to design of reliable multiagent cyber-physical systems," in Proceedings of MACSPro 2019: Modeling and Analysis of Complex Systems and Processes, Vienna, Austria.
[8] A. Platzer, "Differential dynamic logic for verifying parametric hybrid systems," in TABLEAUX, ser. LNCS, N. Olivetti, Ed., vol. 4548. Springer, 2007, pp. 216–232.
[9] A. Platzer, "Differential dynamic logic for hybrid systems," Journal of Automated Reasoning, vol. 41, no. 2, pp. 143–189, 2008.
[10] A. Platzer, Logical Foundations of Cyber-Physical Systems. Switzerland: Springer, 2018.
[11] A. Platzer, "The complete proof theory of hybrid systems," in Proceedings of the 2012 27th Annual IEEE/ACM Symposium on Logic in Computer Science. IEEE Computer Society, 2012, pp. 541–550.
[12] K. Reif, Fundamentals of Automotive and Engine Technology. Springer: Bosch Professional Automotive Information, 2014.
[13] W. Ribbens, H. Heisler, M. Blundell, D. Harty, J. Brown, S. Serpento, A. Robertson, T. Garrett, J. Fenton, G. Davies et al., Automotive Engineering: Powertrain, Chassis System and Vehicle Body. Butterworth-Heinemann, 2009.
[14] D. Alrajeh, J. Kramer, A. Russo, and S. Uchitel, "Elaborating requirements using model checking and inductive learning," IEEE Transactions on Software Engineering, vol. 39, no. 3, pp. 361–383, 2012.
[15] D. Lozhkina and S. Staroletov, "An online tool for requirements engineering, modeling and verification of distributed software based on the MDD approach."
[16] G. J. Holzmann, "The model checker SPIN," IEEE Transactions on Software Engineering, vol. 23, no. 5, pp. 279–295, 1997.
[17] S. Staroletov, "Building a process of trustworthy software developing based on BDD and ontology approaches with further formal verification," in 9th Workshop PSSV: Proceedings, N. Shilov and V. Zakharov, Eds. Yaroslavl: Yaroslavl State University, 2018, p. 92. (9th Workshop "Program Semantics, Specification and Verification: Theory and Applications" dedicated to the memory of B. A. Trakhtenbrot, M. I. Dekhtyar, and M. K. Valiev, Yaroslavl, Russia, June 21-22, 2018.)
[18] D. S. Kildishev and A. V. Khoroshilov, "Formalizing metamodel of requirements management system," Proceedings of the Institute for System Programming of the Russian Academy of Sciences, vol. 30, no. 5, pp. 163–176, 2018.
[19] N. Garanina and I. Anureev, "Verification oriented process ontology," in 9th Workshop PSSV: Proceedings, N. Shilov and V. Zakharov, Eds. Yaroslavl: Yaroslavl State University, 2018, p. 58. (9th Workshop "Program Semantics, Specification and Verification: Theory and Applications" dedicated to the memory of B. A. Trakhtenbrot, M. I. Dekhtyar, and M. K. Valiev, Yaroslavl, Russia, June 21-22, 2018.)
[20] N. Garanina, V. Zyubin, and T. Liakh, "Ontological approach to organizing specification patterns in the framework of support system for formal verification of distributed program systems," System Informatics, vol. 9, pp. 111–132, 2017.
[21] Y. Degré and S. Steer, "Scilab: II. modéliser et simuler avec xcos," 2014.
[22] "Project P. open-do.org," Tech. Rep. [Online]. Available: http://www.open-do.org/projects/p/
[23] C. Junke, T. Gautier, J.-P. Talpin, and L. Besnard, "Integration of polychrony and QGen model compiler," 2016.
[24] "KeYmaera samples. Case study: Distributed adaptive cruise control," Tech. Rep. [Online]. Available: http://symbolaris.com/info/DCCS.html
[25] J.-D. Quesel, S. Mitsch, S. Loos, N. Aréchiga, and A. Platzer, "How to model and prove hybrid systems with KeYmaera: a tutorial on safety," International Journal on Software Tools for Technology Transfer, vol. 18, no. 1, pp. 67–91, 2016.
[26] "MathWorks. Modeling an anti-lock braking system," Tech. Rep. [Online]. Available: https://www.mathworks.com/help/simulink/slref/modeling-an-anti-lock-braking-system.html
[27] "UN regulations to which the EU has acceded. Ref. Ares(2019)5517771," Tech. Rep. [Online]. Available: https://ec.europa.eu/docsroom/documents/36881/attachments/1/translations/en/renditions/pdf
[28] "Official Journal of the European Union L 335/1. Regulation No 13-H of the Economic Commission for Europe of the United Nations (UN/ECE) – Uniform provisions concerning the approval of passenger cars with regard to braking [2015/2364]," Tech. Rep. [Online]. Available: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=uriserv:OJ.L .2015.335.01.0001.01.ENG
[29] "National standard of the People's Republic of China GB 21670-2008. Technical requirements and testing methods for passenger car braking systems," Tech. Rep. [Online]. Available: https://www.chinesestandard.net/PDF/English.aspx/GB21670-2008
[30] "Guide for KeYmaera hybrid systems verification tool," Tech. Rep. [Online]. Available: http://symbolaris.com/info/KeYmaera-guide.html
[31] M. A. Musen et al., "The Protégé project: a look back and a look forward," AI Matters, vol. 1, no. 4, p. 4, 2015.
[32] T. Liakh, A. Rozov, and V. Zyubin, "Reflex language: a practical notation for cyber-physical systems," System Informatics, vol. 2, no. 12, pp. 85–104, 2018.
[33] T. Baar and S. Staroletov, "A control flow graph based approach to make the verification of cyber-physical systems using KeYmaera easier," Modeling and Analysis of Information Systems, vol. 25, no. 5, pp. 465–480, 2018.
