# Safety assurance of an industrial robotic control system using hardware/software co-verification

Yvonne Murray<sup>a,</sup>, Martin Sirevåg<sup>a</sup>, Pedro Ribeiro<sup>b</sup>, David A. Anisi<sup>a,c</sup>, Morten Mossige<sup>d</sup>

<sup>a</sup>Dept. of Mechatronics, Faculty of Engineering and Science, University of Agder (UiA), Norway

<sup>b</sup>Dept. of Computer Science, University of York, UK

<sup>c</sup>Robotics Group, Faculty of Science ℰ Technology, Norwegian University of Life Sciences (NMBU), Norway

<sup>d</sup>ABB Robotics, Bryne, Norway

#### Abstract

As a general trend in industrial robotics, an increasing number of safety functions are being developed or re-engineered to be handled in software rather than by physical hardware such as safety relays or interlock circuits. This trend reinforces the importance of supplementing traditional, input-based testing and quality procedures which are widely used in industry today, with formal verification and model-checking methods. To this end, this paper focuses on a representative safety-critical system in an ABB industrial paint robot, namely the high-voltage electrostatic control system. Safety properties are formally verified using a novel and general co-verification framework where hardware and software models are decoupled via platform mappings. This approach enables the pragmatic combination of highly diverse and specialised tools. The paper's main contribution includes details on how hardware abstraction and verification results can be lifted between tools in order to verify system-level safety properties. It is noteworthy that the HVC application considered in this paper has a rather generic form of a feedback controller. Hence, the co-verification framework and experiences reported on here-within are also highly relevant for any cyber-physical system tracking a setpoint reference.

Keywords: Formal Verification, Co-Verification, Model Checking, High-Voltage Controller (HVC), Robots, Cyber-Physical Systems (CPS)

# 1. Introduction

The liberation of industrial robots from traditional metal cages and steadily increasing number of co-bots working side by side with humans are illustrative examples of a general trend in industrial robotics. In the wake of this, more and more safety-critical functions are now being developed to be handled by software and/or firmware components instead of hardware safety relays or interlock circuits. Modern industrial robots are heavily dependent on software-implemented safety signals to monitor and control various critical subsystems such as current/voltage supervision and emergency stop or short circuit interrupts. This trend brings several distinctive advantages such as cost-reduction and increased flexibility. Nevertheless, it also introduces or reinforces negative side-effects, most notably in the form of higher system complexity, vulnerability and dependability [1].

To set the stage for and address this ongoing industrial trend, this paper advocates use of formal verification techniques, which can provide an extra level of assurance by verifying the logic of a system. Application of formal methods in the robotics industry will ideally help identify potential pitfalls in a much earlier phase of the development cycle [2] and serve as an important supplement to the traditional testing and safety

Email addresses: yvonne.murray@uia.no (Yvonne Murray), martin.sirevag@uia.no (Martin Sirevåg), pedro.ribeiro@york.ac.uk (Pedro Ribeiro), david.anisi@nmbu.no (David A. Anisi), morten.mossige@no.abb.com (Morten Mossige)

risk identification and mitigation actions which are already employed [3]. Obtaining sufficiently high testing coverage in complex industrial systems can be time-consuming and expensive. In practice, it is most often not viable to account for every scenario, which means that testing can fail to reveal potential safety-critical issues

The High-Voltage Control (HVC) system considered in this paper provides a perfect testimony of this. As described in [4], there existed some software (SW) errors that went undetected with the potential to cause harm. This despite passing rigorous and certified quality assurance and testing procedures, including a priori and systematic identification of risk mitigation plans (e.g., using HAZID/HAZOP), as well as thorough testing procedures, including: static code analysis, unit testing, component testing, system test I and system test II. Here, system test I encompass hardware tests with Integrated Painting System (IPS) and HVC active, while system test II entails testing of the entire robotic system using actual paint.

The robotic spray booth in, e.g., a car factory, may contain flammable solvent and paint particles in the air. Hence, paint robots are certified for operation in potentially explosive atmospheres in accordance with regional ATEX/NFPA/IECEx standards (ATEX Directive – 2014/34/EU, IEC 60079). The IRCP controller units of paint robots are certified with respect to ISO 10218 standard for safety requirement for industrial robots. Paint robots using HVC are also certified according to the EN50176 standard for using high-voltage in explosive environments, while the paint atomizer is certified in accordance with ISO9001 and ISO14001.

Industrial paint robots use high-voltage to perform electrostatic painting, where particles are electrically charged and attracted to the grounded paint object, as seen in Fig. 1 [5, 6]. In this way, painting quality is ensured while paint consumption and costs are minimized. However, use of high-voltage also poses certain risks of electric shock and ignition. Fire in the painting cell may result in costly production delays, as well as damage to the equipment. Therefore, it is of great importance that the HVC is working as intended.

The HVC example illustrates the fact that complete elimination of all errors is most often not practical or even possible. Formal verification provides us not only with a mathematically sound formalism for the specification and verification of robotic systems which ensures correctness, but also provides inherent evidence for safety certification purposes. In fact, a survey on safety-critical robot systems [1] recognizes formal verification and correct-by-construction control synthesis as two main areas needed to develop safe robot systems.



Figure 1: In electrostatic painting, high-voltage (approximately 40-90 kV) charges the paint particles at the applicator. The particles follow the lines of the electrostatic field from the applicator (cathode) to the earthed object (anode).

Robot control systems, like the HVC, have rather natural and generic properties that are expected to be fulfilled by any feedback controller tracking a set-point reference. Formally verifying such system properties, however, requires reasoning over the combined, time-dependent behaviour of software and hardware. For pragmatic reasons these are often modelled using diverse languages and formalisms, making holistic reasoning challenging.

Inspired by co-simulation approaches [7], in this paper we propose a novel and generic co-verification approach for pragmatic verification of system properties. Models are decoupled through platform mappings

that relate the inputs and outputs of software and hardware. With our approach, behavioural properties of individual models – that may be established using separate domain-specific tools – can be combined to support the verification of system properties, using practical techniques, such as model-checking [8].

To illustrate the use of co-verification in a representative industrial case study, the HVC software is modelled in RoboChart [9, 10, 11], while the hardware is modelled in Simulink [12]. RoboChart is a domain-specific language for model-based software engineering of robotics, with a formal semantics encompassing timed and functional aspects, that is tailored for formal verification. Simulink, on the other hand, is a de facto standard for control engineering, as typically used in industry for dynamic simulation. For co-verification we use the MathWorks Simulink Design Verifier (SDV) toolbox [12], and the CSP model-checker FDR [13], as integrated into RoboTool [9, 10, 11].

Importantly, we demonstrate the value of our approach in identifying errors that existed in an early-phase HVC software version as described in [4]. In the next phase, once the identified software shortcomings had been rectified, we were able to show that it satisfies all safety properties of concern. This serves as a testimony of the strength and suitability of using formal verification methods for industrial safety-critical systems.

Some initial and preliminary results of our work regarding formal verification of HVC of industrial paint robot have been previously published in [4]. This paper extends [4] by addressing some fundamental and important aspects, most notably by:

- 1. taking into account the timed aspects of the HVC controller using the timed semantics of RoboChart.
- 2. replacing the simplified, binary representation of the output voltage *following* the setpoint, with a real representation and considering timed and dynamic *convergence* towards the setpoint signal (see Property P1).
- 3. providing a crisp dichotomy between control software and physical hardware parts of the HVC system, together with detailed platform mapping in-between (see Fig. 8 and consult [14, 15]).
- 4. modelling the system dynamics of the hardware in Simulink [5], [6].
- 5. using a novel approach to co-verification to combine the results from hardware simulations in Simulink with model-checking capabilities of RoboTool [16] to verify overall and system-level properties.

The remainder of this paper is structured as follows. Section 2 discusses related work. Section 3 provides an overview of the HVC system, contains formulation of the properties to be formally verified (Section 3.1) and presents a simplified finite state machine of the HVC (Section 3.2). Section 4 constitutes the main bodyof the current paper. It details the co-verification framework and explains how the state machine was modelled in RoboChart and combined with Mathworks SDV simulation and verification results in order to verify system properties. Section 5 reports on the verification of software properties. Finally, Section 6 provides some discussion and conclusions, as well as suggestions for further research.

## 2. Related Work

The survey on safety-critical robot systems in [1] identifies seven areas that need further focus and research in order to develop safe, dependable robotic systems. It is notable that at least five of these areas are relevant in the context of this paper, namely: adaptive safety monitoring, modeling and simulation for safety analysis, formal methods for verification, correct-by-construction control, and certification.

A recent survey [17] maps and lists the current challenges, used formalism, tools, approaches, as well as limitations when considering formal specification and verification of autonomous robotic systems. The main results there-within, reveal that temporal logic, state-transition and model checking are the main formalisms and approaches used during the last decade. At the same time, lack of appropriate tools and sheer resistance to adopt formal verification methods in robotic systems development is recognized as the main limiting factors for wider impact. Likewise, the lack of interoperability and need to capture the essence of complex, industrial robotic systems using several heterogeneous set of formalisms and tools is recognized.

Simulation plays an important role in the development of robotic systems, and more widely in the domain of cyber-physical systems (CPS). However, current practice makes it difficult to soundly reason across models of the software, simulation, and hardware, which can contribute to exacerbate the reality gap. Co-simulation approaches [7, 18] bridge the heterogeneity of tools via orchestration, for example, using a common API as advocated in the FMI standard [19]. Besides the issue of code portability, robotics simulators [20] tend to use different physics engines. A related approach [15] to our work on co-verification, extends the diagrammatic simulation language RoboSim [21] with facilities to cover physical modelling of robotics and establish formal links between sensors, actuators, and the software, via platform mappings.

Application of formal verification methodology within the control and CPS community have mainly adopted the hybrid system and automata framework of Alur et. al. [22, 23]. In this setting, finite- and infinite-time reachability constitute the main verification tools, but unfortunately turn out to be an undecidable problem in general, leaving conservative set approximation as the only viable approach [24, 25]. Hybrid automata also assumes having infinite accuracy and instantaneous reaction which serves as a noticeable discrepancy to the real system and implementation; potentially invalidating the verification results [26].

Focusing on formal verification of industrial robot applications, in [3], industrial robot- and PLC-programs are compiled into PROMELA models as input for the SPIN model checker [27]. The work is however restricted to Linear Temporal Logic (LTL) formulas. It further differs from our work by solely considering deadlocks, collisions and kill-switch violations. Narrowing down to industrial paint robots, [28] considers formal verification of paint spraying using ARIADNE tool for reachability analysis. The focus here is solely on parametric design verification.

# 3. High-Voltage Control (HVC)

A simplified block diagram of the HVC part of the paint robot can be seen in Fig. 2. The HVC module



Figure 2: Block diagram of one part of the paint robot, containing the HVC.

runs the control software loops and associated control logic. Here, the  $r(t) = HV\_SetPoint$  signal is used as a priori given reference for the desired voltage level on the HVC, while the 24V power signal provides the HVC with electrical power. The  $u(t) = PWM\_Output$  signal serves as input signal to the Pulse Width Modulation (PWM) hardware. It is a percentage, from 0 to 100%, mapped to an analog 0 to 10 voltage signal, which is then increased in the transformer. In the Cockcroft–Walton (CW) cascade generator, there are several voltage doubling circuits, and the voltage is rectified and further increased, before arriving to the applicator, see Fig. 3. Finally,  $\bar{y}(t) = [IM; HV\_Actual]^T$  denote current and voltage measurements,

respectively, which are fed back into the HVC. It is further noticeable that from a paint robot application point of view, it is given that  $HV\_Setpoint \in 0 \cup [30 \ 90], kV$ , that is, once high-voltage is activated and turned on, it requires values larger than 30kV, and that  $r(t) = HV\_SetPoint$  reference value does not change very often, and never faster than within 10 seconds from the previous change. These facts will be used subsequently in order to formally capture and verify some basic properties for HVC.

Following the line of thought in [14, 15], in order to distinguish and describe both the control software and physical hardware components of the HVC system, a faithful model of the PWM hardware is needed. The PWM hardware comprises the components inside the dashed blue box in Fig. 2, that is, the transformer, CW cascade block and resistors. Fig. 3 depicts the diodes, capacitors and resistors defining a CW cascade



Figure 3: The cascade modelled in Simulink with Simscape components, with the transformer, resistors and the Cockroft Walton voltage multiplier circuit.

block as modelled in Simulink Simscape, which allows modelling of physical components and systems. It is noteworthy that by design, each section of the CW block will double the input voltage so that the output voltage of a CW cascade with N sections will equal  $2NV_{in}$ . The Simulink models used in this work are based on and extracted from experimental laboratory tests performed in [5, 6] on real ABB paint robots as depicted in Figs. 4 and 5.



Figure 4: Setup for experimental testing with paint using ABB robot. Photo courtesy ABB, from [5].



Figure 5: Schematic overview of the lab setup for testing ABB paint robot. Photo courtesy ABB, from [5].

The paint robot HVC application has some further distinguishable structure and dynamics that will need to be considered and incorporated into our formal verification scheme. As detailed in [5, 6], the PWM hardware model and cascade controller are based on three distinct *phases* as graphically illustrated in Fig. 6:

- Charging: when a new external setpoint,  $HV\_SetPoint(t)$ , with higher value than the current one arrives and the PWM hardware is ramping up the control signal,  $u(t) = PWM\_Output(t)$ , in order to increase the value of  $HV\_Actual(t)$ .
- ullet Running: when  $HV\_Actual$  has converged to  $HV\_Setpoint$  and reached steady state.
- **Discharge:** when external  $HV\_Setpoint$  is set to a lower value and PWM hardware is discharging so that  $HV\_Actual$  converges to  $HV\_Setpoint$ .



Figure 6: The HVC hardware and controller has three distinct *phases*. Charge, Running (steady-state) and Discharge. The Integrated Painting System (IPS) parameters *RampLimit* and *TauPeriod* provide upper limit on the duration of the Charge and Discharge phases respectively.

It is further noticeable that by design and as documented in the IPS structure reference manual (reference 3HNA025397-001, v4.60), there are additional limits on peak deviation between  $HV\_Actual$  and  $HV\_Setpoint$  as well as time duration of the Charge and Discharge phases. Namely, a parameter  $Ram_pLimit$  determines the maximum time in seconds that it will take to ramp up the high-voltage from minimum to maximum level, i.e., from 0 to 90 (kV). The default value of  $Ram_pLimit$  is 2 seconds. Likewise, it is known that it will take TauPeriod seconds for  $HV\_Actual$  to reach a level of 30% above a new lower  $HV\_Setpoint$  value. Default value of TauPeriod is 3 seconds. Additionally, there are maximum allowed over- and under voltage limits. As mentioned earlier, the HVC application, once activated and turned on, requires high-voltage values larger than 30kV, so that  $HV\_Setpoint \in 0 \cup [30-90]kV$ . Consequently, the aforementioned limits are only specified at 30 and 90kV and over/under limits at other voltage levels can be calculated using simple linear interpolation between these values. All these parameters are used for safety supervision purposes and are hence set in a conservative manner. In the next section, these parameters will be used to formulate and later formally verify the practical convergence property of the HVC controller to a new high-voltage setpoint.

## 3.1. Properties for Formal Verification

In this section, the set of four properties that are to be formally verified will be presented. Recognizing that HVC has a rather generic form of a feedback controller, it is notable that most of the properties in this section are rather natural and generic properties to be fulfilled by any feedback controller tracking a setpoint reference.

Property P1. To start with, it is reasonable to require that the measured process value, which in the case of HVC is  $y(t) = HV\_Actual(t)$ , should converge to the reference- or setpoint value,  $r(t) = HV\_SetPoint(t)$ . To formalize this, it is noted that both voltage signals are non-negative time-series and that convergence may be defined by setting

$$E(t) = |r(t) - y(t)| = |HV \quad SetPoint(t) - HV \quad Actual(t)|, \tag{1}$$

and equivalently considering (asymptotic) Lyapunov stability of the the origin, E=0.

Taking the particular structure and dynamics of the HVC application as discussed previously into account, this setpoint convergence property can in practice be decomposed into considering a 10 second time-interval directly after a new setpoint arrives, within which practical convergence of  $HV\_Actual$  to a narrow interval centered around the new external setpoint  $(HV\_SetPoint)$  can be shown. To ease the notation and provide symmetry between the Charge/Discharge phases, the parameters RampLimit and TauPeriod are taken to be set conservatively equal to 3, with a peak deviation from new  $HV\_SetPoint$  as 30% of the setpoint value. The width of this narrow interval, as well as schematic time changes and evolution of  $HV\_SetPoint$  and  $HV\_Actual$  are depicted in Fig. 6.

This system-level property involves both hardware and software components and can be formally specified as follows:

**P1:** Practical convergence of the actual system voltage, HV Actual, to the external setpoint, HV SetPoint:

$$\forall t \ge \max(RampLimit, TauPeriod) = 3sec \implies$$

$$e(t) = |HV \quad SetPoint(t) - HV \quad Actual(t)| < 0.3 \times \max(HV \quad SetPoint(t), 1),$$

Property P2-P3. To avoid residual effects and windup type of behavior in the HVC, it is also reasonable to verify that both  $PWM\_Output$  and the software internal representation of  $HV\_SetPoint$ , denoted mSetPoint, are set to 0 whenever the 24V power signal, and thereby the HVC-module, is switched off. Here, mSetPoint is distinguished from  $HV\_SetPoint$  which is a software extrinsic signal set a priori by human operator or application engineer.

These two properties can be formulated as follows:

**P2:** That *PWM* Output is set to 0 whenever the 24V power signal is off:

$$24V \ Power = 0 \rightarrow PWM \ Output = 0$$

**P3:** That *mSetPoint* is set to 0 when the 24V power signal is switched off:

$$24V \ Power = 0 \rightarrow mSetPoint = 0$$

Property **P4**. Finally, in order to increase the confidence in the correctness of the model, it is customary to verify that the HVC state machine is not able to go into deadlock.

**P4:** That the HVC software is not able to go into deadlock.

These are the four properties that collectively need to be formally verified for the HVC application.

# 3.2. Finite State Machine Overview

In order to perform model checking on the HVC, its functionalities were modelled as a finite state machine. This section presents the general finite state machine as depicted in Fig. 7. This high-level state machine was given by ABB and then further detailed and modelled in RoboTool. This is the topic of Section 4.2.2.

In the state GateDriverRamping, which is the state the HVC first enters when it is switched on, the PWM duty-cycle is ramped up gradually to ensure stability and gradual increasing of current and voltage. Then, in the Initialization state, initial parameters are set, as well as upper and lower limits for the high-voltage.

After the GateDriverRamping and Initialization steps are successfully finished, the state machine enters the Wait24VPower state. When the HVC has 24V power switched on and stable, the system enters the ClosedLoop state. This is the ideal state for operation, and is where the controller is regulating the voltage in relation to the setpoint. In case the voltage is breaching the upper or lower limits, the state machine moves from ClosedLoop to ErrorMode.



Figure 7: Finite state diagram of the high-voltage Controller (HVC).

There is also a possibility to enter ErrorMode from the CloseLoop and Wait24VPower states, if certain variables are set or any watchdogs or interrupts are triggered. For instance, an interrupt is triggered if the supply voltage is below a certain threshold, and another is triggered if  $HV\_Actual$  is above or below the upper and lower limits, respectively. Getting out of ErrorMode requires manual acknowledgement of the occurred errors.

## 4. Hardware/Software Co-Verification

To reason about system properties, such as Property P1, it is necessary to consider the behaviour of both software and hardware. We propose a novel approach, where properties are established by co-verification of models decoupled via platform mappings that relate the inputs and outputs of software and hardware, via sensors and actuators. With this approach, behavioural properties of individual models – that may be established using domain-specific tools – can be combined to support the verification of system properties.

As an illustrative example, in our case study, the software is modelled in RoboChart, while the hardware is modelled in Simulink. RoboChart [10] is a domain-specific language for model-based engineering of control software for robotics, that caters for timed and functional aspects. Its formal semantics is tailored for reasoning, namely using the CSP [29] model-checker FDR [13]. However, it currently lacks facilities to specify the behaviour of the hardware. Simulink [12], on the other hand, is a *de facto* standard for control engineering, typically used for dynamic simulation in the industrial setting of the HVC [5, 6] system.

For modelling, we use Simulink and RoboTool [11, 9], that allows the graphical creation of RoboChart models, and for verification we use Simulink Design Verifier (SDV) [12] and FDR. System property **P1** is co-verified by model-checking, using the formal semantics of the control software, as calculated by RoboTool, and an abstract specification of the hardware behaviour, as established using SDV. These are formalised in *tock*-CSP [29, 30], the timed process algebraic semantics of RoboChart, suitable for checking with FDR.

The complete system behaviour is considered at a suitable level of abstraction for verification by: (1) defining a platform mapping; (2) using a specification of the hardware that captures at an abstract level the relation between its inputs and outputs, as verified using SDV; (3) formalising these in *tock*-CSP. We depict the approach in Fig. 8 and explain it in detail in the next Section 4.1. In Section 4.2 we discuss the co-verification of system properties, modelling of the hardware and software, and the mechanisation in CSP of the overall framework. In Section 5 verification of properties of the software is also discussed.

### 4.1. Framework overview

In our framework, the software and hardware models are decoupled via interfaces that capture their inputs and outputs. On the left-hand side of Fig. 8 we consider the interface of the HVC control software, defined as a robotic platform (RP1) in RoboChart, that specifies the inputs and outputs as (possibly typed) events, indicated by solid boxes.

On the right-hand side we have a high-level description of the hardware platform, that captures its sensors and actuators. In our abstraction of the HVC platform, that comprises the cascade in Fig. 2, the hardware receives an input voltage, via RPInputV out, and produces a high-voltage via RPActualHV out.

We also annotate important assumptions about the hardware that are of relevance for analysis: sensors are perfect, and, in particular, the voltage produced via RPAcualHV\_out is assumed to be the same as that sensed via RPActualHV. The relation between RPInputV\_out and RPActualHV\_out is established by the Simulink model as detailed in Section 4.2.2, but abstracted for verification, as explained later in Section 4.2.4. The input signals RPerrorAck and RPsetPoint are an abstraction over inputs available to a human operator.

The relation between the software and hardware model is specified by the platform mapping, as illustrated in the middle of Fig. 8. It records how the inputs and outputs of the software are connected to sensors and actuators of the hardware platform, as realised by low-level code and physical interfaces. The mappings for the software inputs ext\_ActualHV, ext\_errorAck and ext\_newSetPoint are trivial, as the software reads directly from these idealised sensors. The input ext\_pow24VStatus, of type Power, has the value On if the reading from the hardware, via RPpow24V in is between 18 and 24 Volts, and otherwise has the value Off.

The software outputs  $int\_dutyCyclePWM1$  and  $int\_enablePWM$  are used to determine whether a voltage is produced via RPInputV\_out. If the value set via  $int\_enablePWM$  is true, then the value of RPInputV\_out



Figure 8: Co-verification framework, with arrows indicating the direction of the information flow between inputs and outputs, of the software and hardware models. The platform mapping captures the relation between the software and hardware model on either side.

is determined by the value of int\_dutyCyclePWM1, otherwise it is 0. This captures the fact that the PWM needs to be enabled in order to produce a voltage. Here, the function duty2volt maps a percentage, from 0 to 100% to the range of the analog 0 to 10 voltage signal as previously mentioned in Section 3.

# 4.2. System verification

Using the co-verification framework as illustrated in Fig. 8, in this section we address the formal verification of system property **P1**. As described in Section 3.1, it requires practical convergence of the high-voltage (RPActualHV\_out) to the value of the set-point as set by the user (RPsetPoint). Since the software is modelled in RoboChart, and the hardware in Simulink, our pragmatic verification strategy consists in: (1) capturing **P1** as a specification in tock-CSP; (2) showing practical convergence of the hardware output RPActualHV\_out in relation to its input RPInputV\_out using SDV; (3) lifting the result obtained from SDV as a tock-CSP specification; (4) checking with FDR that, when combined with the semantics of the RoboChart model, via a mechanisation of the framework depicted in Fig. 8, **P1** is satisfied. That overall property **P1** holds is justified by the timed process algebraic semantics of RoboChart and the abstract specification (2-3) as established using SDV, and captured in CSP. A full account of the CSP specifications for all properties considered in this paper can be found online<sup>1</sup>.

Formal Semantics. The formalism we use, tock-CSP, is a dialect of the process algebra CSP, where the event tock marks the passage of discrete time. As CSP adopts a reactive paradigm, interactions with the environment are specified using events, and that includes the passage of time in the case of tock-CSP. Importantly, it allows the specification of timed budgets and deadlines, and has a denotational semantics for refinement [30]. Relevant for our work, the model-checker FDR has tailored support for tock-CSP.

Specification. Following the description of P1 as presented in Section 3.1, we construct a discrete version in CSP, as shown in the RoboChart timed csp block named SpecP1 below, that uses two events, RPsetPoint and e, of type core\_real. The event e models the absolute difference between ActualHV\_out and RPsetPoint, so that the specification can capture the relation between changes in RPsetPoint and the absolute difference.

<sup>1</sup>https://github.com/robo-star/hvc-case-study

The process specP1 is specified directly in  $CSP_M$ , the machine-readable version of CSP accepted by FDR. Timed processes are defined inside a timed section<sup>2</sup>, indicated by the keyword Timed(...), while the built-in function timed\_priority ensures the correct timed semantics is calculated by FDR [30]. The behaviour of SpecP1 is that of Follow, defined as an external choice ([1]) over accepting events e or RPsetPoint, via input prefixing (?x ->). Synchronisation on RPsetPoint, with any value, or e, with value 0, is followed by a recursion on Follow. Whenever the event e carries a value that is not 0, then Follow behaves as ADeadline({[e|},{[e.0|},d), that ensures an event e with a value of 0 can only be observed within d time units (instantiated as 3s for SpecP1), and afterwards, via sequential composition (;), behaves as TRUN({[e.0|}), that only allows events e with a value 0, but where an arbitrary amount of time may elapse. This behaviour can be interrupted ( $\land$ ) at any time by a new RPsetPoint. We observe that for the purpose of model-checking the reals are instantiated in the discrete domain 0 to 2, so here we consider the difference e(t), encoded via the event e, to be 0, without loss of generality.

The auxiliary process ADeadline(S,E,d) takes three parameters, two sets of events, S and E, and a natural G. It continuously offers events in the set S, but time can only advance time by up to G units, unless an event from the set E happens, in which case the process terminates. It is defined using the exception operator of CSP([E|S]), where initially the behaviour is that of EndBy(TRUN(S),d), that continuously offers events in set S, and allows time to advance by up to G time units. Thus, within the exception, if TRUN(S) performs an event that is in E, then the process behaves as SKIP, that terminates immediately. We observe that the auxiliary processes TRUN and EndBy are included with the RoboTool distribution for convenience. Their definition is included in Appendix B for completeness. Next, we focus on the hardware model.

# 4.2.1. Hardware Modelling and Verification in Simulink Design Verifier (SDV)

Both the co-verification regime detailed in Section 4.1, as well as verification of the system-level properties presented in Section 4.2.4, require distinct and systematic separation between hardware and software components of the HVC system. Fig. 8 provides the overview for this separation and the steps toward implementing this have been set forward in the ingress of Section 4. To this end, the focus of this section is centered around hardware modeling, specification, abstraction and verification of hardware properties in SDV. All these components are naturally combined in Section 4.2.4 where co-verification results of system-level properties will be be presented.

Simulink is widely adopted as a tool for traditional, input-driven simulation, and the modelling in SDV is similar to regular modelling used for simulation [12]. SDV uses Prover Plug-In® products from Prover® Technology to do the model checking and prove the model properties [31]. It is built upon Gunnar Stålmarck's proof procedure, which uses tautology checks to prove that an assertion holds true in every possible interpretation [32]. In Property Proving mode, SDV offers three different proof strategies, Prove, FindViolation and ProveWithViolationDetection where the latter is merely a serial combination of the two first mentioned. In this work, both Prove and FindViolation have been used. Prove performs an unbounded property proof, while FindViolation searches for property violations within the number of steps specified by the Maximum violation steps option, which specifies the maximum number of steps

<sup>&</sup>lt;sup>2</sup>https://cocotec.io/fdr/manual/cspm/definitions.html#csp-timed-section

SDV searches for property violations. Thus, verification with increasingly large Maximum violation steps will help increase confidence in the property.

The Simulink Model. The hardware model in Simulink was created based on previous models found in [5, 6]. These models have been validated both theoretically and empirically by several lab experiments, and correspond well with the real-world system. In order to do formal verification with SDV however, the model had to be converted from continuous to discrete time, since SDV does not support continuous time. In this process, in addition to converting transfer functions specified in continuous time using Laplace transform (S-domain) to discrete time Z-domain, some of the Simulink blocks specific to continuous time were replaced with their discrete counterparts. Fig. 9 shows the overview of the hardware verification model in SDV where the input/output signals, i.e., RPInputV\_out and RPActualHV\_out denote the same signals as previously introduced in Section 4.1 and Fig. 8. The mapping and transfer function between these two signals, and formal verification of certain hardware properties treated in this section, then correspond naturally to the extension and scope of the dashed grey box in upper right side of Fig. 8.

It is noteworthy that, as will be detailed in the csp block named Instantiations presented in Section 4.2.4, RPInputV\_out  $\in \{0,1,2\}$ , but is in Simulink multiplied by a constant factor 5, effectively corresponding to having the set of possible values of  $\{0,5,10\}$  volt being fed into the PWM hardware model. This means that duty2volt maps a percentage, from 0 to 100% to the entire range of the analogue [0 10] voltage signal as previously mentioned in Section 3. It also implies that the convergence results obtained in this section using  $\{0,5,10\}$  volt as input, will also be valid for the real PWM hardware system that has the substantially richer input set of [0 10] volt.



Figure 9: Overview of the hardware verification model. The grey box include the modelling of the cascade, while the green box contains the property for verification.

The test data used to create the model was collected from structured experiments running at many different HV setpoints, frequencies, distances and number of stages in the CW-cascade, providing a rich data-set to represent how the actual hardware will behave in the real environment. As detailed in [5, 6] and depicted in Fig. 10, the Simulink model will, in addition to the ideal transfer function, have two additional terms describing the cascade loss and ripple effects. Using the Matlab System Identification Toolbox, state-space models and transfer-functions are fitted to the lab test data to provide the best description of the PWM hardware dynamics; both during the charge- and discharge phases of operation. The resulting transfer functions and model components in continuous time can be seen in Fig. 10. Additionally, a Simulink model describing the bell-cup inside the applicator and that will effect the electrical field at a plane at a given distance, d, from the paint robot, has been derived in [5] and used here-within.

In order to be able to formally verify system-level property, **P1**, the mapping and relational properties between RPInputV out and RPActualHV out, effectively describing the hardware, are needed. This allows us



Figure 10: Simulink model of the total CW-cascade hardware complementing the ideal model with loss and ripple terms [6].



Figure 11: Simulink model of the ideal cascade including the phase model selector and the two transfer functions describing the charging- and discharging phases respectively [6].

to obtain a well-defined "closed circuit" or mapping between all components in the co-verification framework of Fig. 8. To this end, System Identification Toolbox was used to model the transfer function describing the relation between these two signals. The resulting model:

$$G(s) = \frac{K_p}{(1 + T_{p1}s)(1 + T_{p2}s)}$$

$$K_p = 1.1196$$

$$T_{p1} = 0.087821$$

$$T_{p2} = 0.02042$$
(2)

was then analysed in Simulink with particular attention to time dynamics, stability and convergence properties as defined by, e.g., rise- and settling-time. Of particular interest in the following, is the settling time,  $t_s$ , which was found to be  $t_s = 0.3668s$ .

Formal Verification of Hardware Properties. Based on the developed Simulink model, next, we will be verifying a low-level property that will then be lifted into the co-verification scheme in Section 4.2.4 in order to be able to verify Property P1.

Referring back to the definition of Property **P1**, the error term Eq. (1) as well as the notion of *practical convergence* in Section 3.1, the following hardware property will be considered and verified in this section:

 $\mathbf{P_{HW}}$ : Practical convergence of actual hardware output voltage, RPActualHV\_out, to the hardware input signal, RPInputV\_out, within settling time,  $t_s$ :

$$\forall t \geq t_{sp} + t_s \implies e(t) = |\mathsf{RPInputV\_out}(t) - \mathsf{RPActualHV\_out}(t)| - 0.15 \times \max(\mathsf{RPInputV\_out}(t), 1) \leq 0. \tag{3}$$

Here,  $t_{sp}$  denotes the time instance where a new input command, RPInputV\_out, is received in PWM hardware. Property  $\mathbf{P}_{HW}$  as defined by Eq. (3) serves as a low-level hardware property that incrementally contributes towards fulfilment of corresponding equations to verify overall convergence Property P1 later in Section 4.2.4

The Simulink implementation to verify this property lies within the green Verification Subsystem in Fig. 9 and has been depicted in Fig. 12. The upper part containing the Detect Change block and an integrator function, works as a timer that is reset every time there is a change in RPInputV\_out. This in order to capture the  $t \ge t_{sp} + t_s$  constraint in Eq. (3). The lower part takes the absolute value of the error between RPInputV\_out and RPActualHV\_out and subtracts the accepted error, which is set to  $0.15 \times \max(\text{RPInputV}_{\text{out}}(t), 1)$ . Finally, the last function on the right, denoted evaluation, gives out false if Eq. (3) is not fulfilled at any time instance,  $t \ge t_{sp} + t_s$ . Otherwise it gives out true. This is verified with the proof assumption block, which shows if the property is fulfilled or violated.



Figure 12: SDV implantation of the PWM hardware convergence property, PHW as detailed in Eq. (3).

After creating the model and the specification, the Prove strategy was used in order to verify the property. It was run both using MATLAB online and on a Windows laptop with Intel® Core© i5 CPU @ 2.71GHz. However, after running continuously for 10 days without producing a result, the verification was manually terminated. It was instead decided to gain increased confidence in the verification by using FindViolation with increasing Maximum violation steps. The results of the verification by using FindViolation can be seen in Table 1. The Maximum violation steps option was gradually increased, until reaching the maximum value of 2,147,483,647, which is the maximum value for data type int32. As seen in the table, SDV was able to prove that the property was valid within bound in all cases.

| Maximum violation steps | Fixed-step size (fundamental sample time) | Result             | Elapsed time |
|-------------------------|-------------------------------------------|--------------------|--------------|
| 1,000                   | $1e^{-6}$                                 | Valid within bound | 0:47:49      |
| 1,000,000               | $1e^{-6}$                                 | Valid within bound | 0:46:44      |
| 1,000,000,000           | $1e^{-6}$                                 | Valid within bound | 0:47:15      |
| 2,147,483,647           | $1e^{-6}$                                 | Valid within bound | 0:47:15      |

Table 1: Results of the verification of the hardware, using FindViolation and different values for Maximum violation steps.

## 4.2.2. Software Modelling in RoboChart

In this section, we present the RoboChart model of the software, that is a formalisation of the sketch previously shown in Fig. 7. The robotic platform (RP1) – a specification of the services available to the software in terms of variables, events and operations – is fully specified in Fig. 13. Its events are defined in the interface IEvents\_RP1 also provides the interface SharedVars\_all, that declares all shared variables used in the model. The interface IOps specifies the signature of software operations that are used, and

defined, in the RoboChart model. In addition to employing built-in data types, such as reals, naturals, and booleans, three data types are declared: the enumerated types Power and State, and the given type duty. Two functions ms and s are used to construct time units corresponding to milliseconds and seconds, respectively. RoboChart adopts the type system of Z [33, 34]. For a full account of the language and its formal semantics we refer the reader to [11, 16, 9]. Here, we describe the RoboChart constructs as we use them to model our example.



Figure 13: RoboChart model components: robotic platform (FRP1), interfaces (IOps, IEvents\_RP1, IEvents\_ext, and Shared-Vars\_all), enumerated (Power and State) and given (duty) data types. Is an event, is variable, and I is associated with an operation. It is used to record that an interface is provided, while I is a used interface.

Module and Controllers. The top-level component of the software model is defined by the RoboChart module mod\_sys, shown in Fig. 14. It associates the robotic platform with four controllers (ctrl0-3), that capture specific behaviours. Controller ctrl0 contains the main State\_machine, that is a recast of that presented in Fig. 7, ctrl1 captures the behaviour of the watchdogs, and controllers ctrl2-3 are used to relay events. Controller ctrl2 relays the input event ext\_pow24VStatus from RP1 to controllers ctrl0-1, and ctrl3 relays the output events int\_dutyCyclePWM1 and int\_enablePWM from ctrl0 and ctrl1 to RP1, as RoboChart event connections are point-to-point. Due to their simple nature, we defer the full definition of the controllers to Appendix A. In RoboChart, connections with the platform are always asynchronous, indicated by the keyword async, as interactions with the platform cannot be refused, only ignored [10, p.3110].

State Machine. The core behaviour of the HVC controller is captured by the State\_machine in Fig. 17. In RoboChart, state machines are self-contained by explicitly stating the required (②) variables and operations, and the used (③) events. In this case, State\_machine requires the software operations declared in IOps, and the shared variables in IVars\_seqSM\_shared. It also declares: local variables via the interface IVars\_seqSM, a constant cycleTime with a default value of 10 milliseconds, and a clock (③) Cl1. It uses the events of interface IEvents\_ctrl0, that are also explicitly listed on the left-hand side of Fig. 17.

The execution flow of State\_machine starts at the initial junction, followed by a transition whose action, specified after the dash (/), initializes the value of the variables mSetPoint and HVEnabled, by assigning 0 and false in sequence (;), respectively. It then waits for cycleTime units before entering state Init. This initial delay is a simplification of the GateDriverRamping behaviour depicted in Fig. 7, which does not concern the properties of interest for verification. In state Init there is an entry action that calls the software operation AdjustLimits which calculates the value of variables overLimit and underLimit and is defined by a state machine as shown in Fig. 15. The required variables of AdjustLimits, as listed in interface IVars\_adjustLimits, are provided by State machine in the context of the call to AdjustLimits, effectively sharing the state.



Figure 14: RoboChart module mod\_sys defining the connections between controllers and the robotic platform. Controller ctrl0 contains the main State\_machine, a recast in RoboChart of the state machine presented in Fig. 7. The watchdogs have been combined into one state machine, defined inside controller ctrl1. Controller ctrl2 relays the event ext\_pow24VStatus to controllers ctrl0 and ctrl1, while controller ctrl3 is used for relaying the events int\_enablePWM and int\_dutyCyclePWM1 to RP1.



Figure 15: Subset of software operations.

After the initialization is complete, the execution proceeds to the composite state Wait24Vpower on the next cycle. Its entry action explicitly records that the state has been entered by setting the variable currentState. The transition to ClosedLoop is only enabled when the current value of setPoint is 0, the 24V power is stable (pow24VStatus==Power::On), and the ErrorMode is not activated, as indicated by the transition's guard. The body of Wait24Vpower monitors the relevant inputs periodically as part of the cycle of transitions between the junctions. Firstly, the operations disableHV and supplyVoltCheck, as defined in Fig. 15, are called. disableHV disables the high-voltage, while supplyVoltCheck checks the input ext\_pow24VStatus and updates the value of the variable pow24VStatus. Secondly, the value of variable setPoint is also updated via a reading (ext\_setPoint?setPoint) through event ext\_setPoint, with a deadline (<{0}) of zero time units. In RoboChart budgets and deadlines must be specified explicitly, and so here the deadline indicates that the reading takes a negligible amount of time.

The critical phase of HVC operation is captured in state ClosedLoop, that controls the PWM. Initially the user-defined setpoint, ext\_Setpoint, is read into the variable setPoint. If the value is zero, then disableHV is called to ensure that the high-voltage is disabled. Afterwards, if the value is non-zero and the high-voltage has not been enabled yet (HVEnabled==false), HVEnabled is set to true, the supply voltage is checked by calling supplyVoltCheck(), and the high-voltage is enabled by calling enableHV. While the high-voltage is enabled, the internal setpoint (recorded in variable mSetPoint) is adjusted by calling setPointRamping(setPoint). The PWM duty-cycle is adjusted by PID\_Control that outputs a percentage via int\_dutyCyclePWM1, according to the difference between mSetPoint and ActualHV, the measured high-voltage via the input ext\_ActualHV. In state s0 of ClosedLoop, the flow of execution may be interrupted by transitioning to ErrorMode when currentState is set to State::ErrorMode. The error can be acknowledged via the event ext\_errorAck within the current cycleTime, after which there is a transition to Wait24Vpower.

The variable currentState may be set to State::ErrorMode by calling disableHV(true), either while in Wait24Vpower, or from within operations checkLimits or supplyVoltCheck, that checks whether the input 24V power is stable. The latter is called regularly in states ClosedLoop and Wait24Vpower of State\_machine, and also by the watchdog, which, as will be explained next, is modelled in another state machine.

Watchdog. The watchdog, shown in Fig. 16, executes, over time, in alternation with the main State\_machine, that executes on a 10 millisecond cycle, as specified by the constant cycleTime. Therefore, the watchdog's behaviour is initially delayed by 4 milliseconds. In state s0 there is a call to AdjustLimits(), and 2 milliseconds



Figure 16: Watchdog state machine.

later, the operation supplyVoltCheck() is called. We observe that the transition between s1 and s0 takes 8 milliseconds, and it is during this time that State machine actually executes its cyclic behaviour.

## 4.2.3. Framework Mechanisation

Having developed models of the software and hardware, in this section we mechanise the co-verification framework outlined in Fig. 8 with the aim of verifying system Property  $\mathbf{P1}$ . We start by defining a CSP process that captures Property  $\mathbf{P}_{\mathbf{HW}}$ . This is followed by the complete mechanisation of the platform and its mapping, and the composition with the semantics of the RoboChart, as calculated by RoboTool.



Figure 17: Main  $\mathsf{State}_{\mathtt{machine}}$  corresponding to that of Fig. 7 recast in RoboChart

Platform. The hardware platform is specified within the following csp block named  $HVC_Platform$ . It defines, first of all, the  $CSP_M$  events of the sensors and actuators, following the naming conventions of Fig. 8.

```
csp HVC_Platform csp—begin
Power_Voltage = \{0,24\}
                             Data type used to characterise input RPpow24V
channel RPActualHV_out : core_real
                                                       'Actuator' output
channel RPInputV_out
                                                       Output from software via platform mapping
                         : core_real
channel RPActualHV, RPActualHV_in : core_real
                                                       Sensor input and platform mapping
channel RPpow24V, RPpow24V_in : Power_Voltage
                                                       Sensor input and platform mapping
channel RPsetPoint_in : core_real
                                                      Sensor platform mapping
channel RPerrorAck, RPerrorAck_in
                                                      Untyped 'sensor' input and platform mapping
channel get_HV, set_HV, change : core_real
                                                  — Used for abstraction of the hardware
Timed(OneStep) {
    HVC_Platform = timed_priority((HV(0)[[ get_HV <- RPActualHV_out ]]</pre>
                                    [| {|set_HV|} |]
                                   HVC_Hardware)\{|set_HV|})
    HV(x) = set_HV?nv \longrightarrow HV(nv) [] get_HV!x \longrightarrow HV(x)
    HVC_Hardware = (Detector [| {| change, get_HV |} |] StatefulEvolution) \{|change, get_HV|}
    Detector = RPInputV_out?nv -> get_HV?x -> (if (nv != x) then (change!nv -> Detector) else Detector)
    StatefulEvolution = (Evolution [| {| change |} |] HV(0)[[ set_HV \leftarrow change ]])
    Evolution = change?x -> ((WAIT(ms(370)); set_HV!x -> Evolution) [] Evolution)
}
\mathsf{csp}\mathsf{--end}
```

The process HVC\_Platform is a discrete, and reactive, model of the hardware, constructed from the property established in Section 4.2.1. It is defined as a parallel composition ([| |]), synchronising on event set\_HV, of HVCO), that models the current value of the high-voltage, and HVC\_Hardware, that captures how the value of RPActualHV\_out may change over time in response to changes in RPInputV\_out. The process HV(x) offers the event set\_HV to change the value, and the event get\_HV to query the current value x. It is specialised in HV(x) [[ get\_HV <— RPActualHV\_out ]] by renaming the event get\_HV to RPActualHV\_out. The event set\_HV is hidden (\), as it is just an artefact of the CSP model.

The evolution of the value available via RPActualHV\_out is modelled by the process HVC\_Hardware. It is defined as the parallel composition of the process Detector, synchronising on events change and get\_HV, and the process StatefulEvolution. The latter models how changes to the voltage evolve over time, while Detector, named analogously to the SDV block in Fig. 12, models how an input via RPInputV\_out may affect the behaviour. First it offers to receive a new value nv via RPInputV\_out, and then synchronises with StatefulEvolution on get\_HV to query the current value x being targeted. If the value is different, it synchronises on change with value nv, otherwise it behaves as Detector.

The core of hardware property  $\mathbf{P_{HW}}$  is abstractly captured by the process StatefulEvolution. It is defined as the parallel composition of Evolution, synchronising on event change, with HV(0) where the event set\_HV is renamed to change. Evolution accepts a change event at anytime, and afterwards waits 370 milliseconds, a conservative natural approximation, before synchronising on set\_HV, which is used to update the high-voltage, whose value is available via RPActualHV\_out, as modelled by the process HV(0) in HVC\_Platform. Thus, a change via RPInpuV\_out leads to a change in the value available via RPActualHV\_out over time, mirroring property  $\mathbf{P_{HW}}$  as established in Section 4.2.1. Next, we describe the mechanisation of the platform mapping.

Platform Mapping. The process PlatformMapping, defined next, captures the non-trivial mapping between int\_dutyCyclePWM1, int\_enablePWM, and RPInputV\_out, and between RPpow24V\_in and ext\_pow24VStatus.

It is an interleaving (|||) of two processes, Pow24V\_Map, that models the mapping between RPpow24V\_in and the software input ext\_extPow24VStatus, and the prefixing on RPInputV\_out with value 0, that initializes the hardware with value zero, followed by the behaviour of PWM\_Map, that models the mapping between the output int dutyCyclePWM1 and int enablePWM, and the input to the platform RPInputV out.

PWM\_Map is parametrised to keep track of whether the PWM has been turned on or off. The first process in the external choice allows this value to be toggled depending on whether int\_enablePWM.out is received with value false, in which case the value zero is passed to the platform via RPInputV\_out, and otherwise there is a recursion on PWM\_Map(x) with the updated value of x. In the second process, values received via int\_dutyCyclePWM1.out are passed to the platform via RPInputV\_out, mapped via the function duty2volt, if the value of pwm is currently true. This function maps a percentage to a voltage, which, as previously discussed in Section 4.1, encodes three possible values.

The CSP process Pow24\_Map is defined analogously to model the mapping between the sensor of the 24V voltage, and the input ext\_pow24VStatus of the software, whereby a value between 18 and 24 is considered as On and otherwise as Off. This concludes the non-trivial mappings, which are used in the definition of the overall system next.

Mapped System. The complete system, as envisioned in Fig. 8 is defined next by the process MappedSystem.

```
csp MappedSystem csp—begin
Timed(OneStep) {
Software = mod_sys::O_{-}(0,ms(10),1) [[ mod_sys::ext_ActualHV.in < - RPActualHV_in,
                                         mod_sys::ext_errorAck.in <- RPerrorAck_in.</pre>
                                         mod_sys::ext_setPoint.in <- RPsetPoint_in ]]</pre>
Software_PMap = (Software
                  [| {|mod_sys::int_enablePWM.out,mod_sys::int_dutyCyclePWM1.out,mod_sys::ext_pow24VStatus|} |]
                 PlatformMapping
                )\{|mod_sys::int_enablePWM.out,mod_sys::int_dutyCyclePWM1.out,mod_sys::ext_pow24VStatus|}
MappedSoftware = Software_PMap[[ RPActualHV_in <- RPActualHV,</pre>
                                  RPerrorAck_in <- RPerrorAck,</pre>
                                  RPpow24V_in
                                                <- RPpow24V
                                  RPsetPoint_in <- RPsetPoint ]]</pre>
MappedSystem = timed_priority(MappedSoftware
                                [| {| RPInputV_out, RPActualHV |} |]
                                (HVC_Platform[[ RPActualHV_out <- RPActualHV_out,
                                                RPActualHV_out <- RPActualHV]])</pre>
                               \{|RPInputV_out,RPActualHV|})
csp-end
```

It is defined as the parallel composition of MappedSoftware and HVC\_Platform, as defined previously, synchronising on the events RPInputV\_out and RPActualHV. Here, HVC\_Platform is relationally renamed [29, p. 105], so that the event RPActualHV\_out is both an output of the platform and also a sensor input, with the same value, via RPActualHV, as depicted in Fig. 8. The hiding on RPInputV\_out and RPActualHV completes the abstraction.

The process MappedSoftware captures the connections between the composition of the platform mapping and the software, as established by Software\_PMap, and the platform, by renaming the events of the former to

the latter. The sensors of the platform, in particular, are assumed to be perfect, and so in this abstraction the functional renaming is a record of their ideal functional behaviour.

Sofware\_PMap captures the composition of the RoboChart CSP semantics, and the PlatformMapping, as defined earlier. It is a parallel composition of processes Software and PlatformMapping, synchronising on the events of the RoboChart model, int\_enablePWM.out, int\_dutyCyclePWM1, and ext\_pow24VStatus. The process Software, which explicitly instantiates the RoboChart model semantics, is defined analogously to MappedSoftware, whereby the trivial mappings are captured via renaming. The hiding completes the abstraction.

The process  $mod_sys::0_{-}(0,ms(10),1)$  is an explicit instantiation of the  $CSP_M$  semantics of  $mod_sys$ , automatically calculated by RoboTool, where 0 is a default identifier, ms(10) is the value of constant cycleTime of State\_machine, and 1 the value of constant rampStep of operation setPointRamping. Events in the CSP semantics of RoboChart are named according to the model hierarchy, where :: is a delimiter, and have a parameter in or out to indicate whether an event is an input or output.

## 4.2.4. Formal Verification of System-level Property P1

With the framework outlined in Fig. 8 mechanised in CSP, in this section we address the verification of Property **P1**. Its specification in CSP, described in Section 4.1, is reproduced below for convenience.

Verification of Property P1 is stated as a refinement assertion P1 in the traces model of CSP, that ensures safety [29, p.36]. That is, an implementation P refines Spec, if, and only if, every behaviour of the implementation is a behaviour permitted by the specification. For assertion P1, SpecP1 is the specification and ImplP1 is the implementation. As previously discussed in Section 4.1, SpecP1 is stated in terms of a new event e, that is not part of the Fig. 8, but useful to specify Property P1 in terms of the absolute difference between the value of output RPActualHV\_out and input RPsetPoint. To facilitate the verification, process ImplP1, is defined next to relate events e and RPActualHV\_out, and RPsetPoint, based on the process MappedSystem.

System Interface for Verification of P1. We observe that in SpecP1, the event RPsetPoint is used as an interrupt, which emerges naturally in the reactive CSP setting. However, the event RPsetPoint as used so far in the definition of MappedSystem models readings of a sensor, that can be performed periodically despite no change in the actual value. Therefore, to relate SpecP1 and ImplP1, in the next csp block we define a suitable mapping for the RPsetPoint event. We also capture the relationship between the event e and the current value of both the setpoint and the actual high-voltage, as required for the comparison with SpecP1.

Moreover, we also explicitly capture three assumptions, that are implicitly required for the verification of P1: (1) the 24V power is stable, as reported via the input RPpow24V (2) no error is to be acknowledged via RPerrorAck (3) the HVC control software is correctly initialised, that is, RPsetPoint has a value of zero during the first two cycles of State\_Machine, so as not to trigger an error, and that the value of RPsetPoint changes no more often than once per second. It should be noted that this third assumption regarding frequency of change of RPsetPoint, is more conservative than necessary, as RPsetPoint is known to never change faster than within 10 seconds from the previous change, as mentioned in Section 3. These assumptions together define the normal working behaviour of the HVC, where the State\_machine operates within the ClosedLoop state, during which P1 is required to hold.

Process ImplP1 is defined by the parallel composition of EsystemP1, synchronising on event RPsetPoint with Assumption\_SetPoint. The latter captures the first assumption by requiring that initially the set-point is set to zero, with immediate effect, via the use of the EndBy construct of tock-CSP, and where, after 22 milliseconds, its value can change arbitrarily, at most once per second, as defined by the process RPChange. Here 22 ms corresponds to at least two cycles of execution of State\_machine, given that for verification we consider each time unit as encoding 2ms. The process ESystemP1 introduces the event e in the context of the system behaviour, as defined by RPSystemP1, that captures the other two assumptions and relates the RPsetPoint of Fig. 8, a sampled input, with the RPsetPoint of SpecP1, which is used as an interrupt for the purpose of specification.

ESytemP1 is defined as the parallel composition of RPSystemP1 and two processes Error and Sampler, that are also composed in parallel, synchronising on RPsetPoint and RPActualHV\_out. The process Error synchronises on these events so that it offers to synchronise on event e with a value given by the absolute difference, specified by the application of abs\_diff. This follows the definition of Property P1 as presented in Section 3.1. The process Sampler ensures that the actual high-voltage, via RPActualHV\_out, and the difference, via e, are updated exactly every time unit. This is specified by imposing a deadline of zero time units on events RPActualHV\_out and e, using a deadline, followed by a delay of exactly one time unit. This is just a modelling mechanism to ensure that events corresponding to sampled inputs or outputs, namely RPActualHV\_out, are updated regularly without introducing erroneous Zeno behaviours in the CSP model.

The next process RPSystemP1 is also defined as a parallel composition of a process SystemP1, where the event RPsetPoint is renamed to a new event int\_RPsetPoint, used in the synchronisation set, with RPEventMapping(0). The latter process takes in new values via RPsetPoint, and then offers to synchronise on int\_RPsetPoint with the same value. The hiding of event int\_RPsetPoint makes it possible for SystemP1 to query the set-point value periodically via int\_RPsetPoint, rather than directly via RPsetPoint, as required for the comparison with SpecP1. This is a modelling mechanism to ensure the event RPsetPoint can be treated in the interrupt style of SpecP1.

Finally, SystemP1 is the composition of the behaviour established by the co-verification framework, that accounts for the software and hardware modelling, as defined by MappedSystem and processes Assumption\_RPerrorAck and Assumption\_RPpow24V that capture the second and third assumption for the purpose of verifying Prop-

erty P1. Here Assumption\_RPpow24V initially sets the input RPpow24V to the value 24, while Assumption\_RPerrorAck refuses to acknowledge any error via RPerrorAck by behaving as STOP, the process that deadlocks. As before, the use of hiding completes the abstraction as the events RPerrorAck and RPpow24V are not of relevance for refinement checking of SpecP1. Next, we report on the use of FDR for checking assertion P1.

Verification Parameters and Results. For model-checking with FDR, not only constants of the RoboChart model have to be instantiated, but the domain of data-types must also be defined as discrete finite sets. These are defined in a special csp block named Instantiations, reproduced below.

```
timed csp Instantiations csp—begin
nametype core_nat = { 0..1}
nametype core_real = { 0..2}
nametype core_int = { 0..1}
nametype core_boolean = Bool
nametype duty = { 0..100}

overLimitF(x) = if x > 2 then 2 else x
underLimitF(x) = if x < 0 then 0 else x

ms(t) = t1/2
s(t) = t1*1000/2
// ...
csp—end</pre>
```

Besides, in this block we also give a  $\mathtt{CSP}_{\mathtt{M}}$  definition for all functions declared in the RoboChart model. overLimitF and underLimitF, used by the software operation AdjustLimits, ensure the result is closed. Since in the software model all time units are divisible by 2, the smallest time unit is chosen as encoding 2 milliseconds, thus the function ms, halves the argument, and s, encoding seconds, is defined analogously. The reals are instantiated as the set  $\{0,1,2\}$  as this is a realistic representation of the different inputs and outputs, namely RPsetPoint, where values from 0, 1 and 2 naturally map to high-voltage values 0, 40 and 80 kV. Bearing in mind that  $HV\_Setpoint \in 0 \cup [30 \ 90] \ kV$ , it is noticed that this representation is rich enough to capture all possible combinations for HV setpoint changes.

The assertion P1 is successfully verified by FDR. On a dual AMD EPYC 7501 32-core machine with 1TiB of RAM, it took FDR 1456s to compile the Labelled Transition System (LTS), and 1394s to verify that the property holds, having visited 126,481,225 states and 517,333,656 transitions. For comparison, in Table 2, we include this result together with those concerning only software verification, which we address next.

# 5. Formal Verification of Software Properties

In what follows we discuss the verification of properties  $\mathbf{P2}\text{-}\mathbf{P4}$  of Section 3.1, which concern only the software. Property  $\mathbf{P4}$  concerning deadlock freedom can be specified directly using the assertion language provided by RoboTool. Properties  $\mathbf{P2}$  and  $\mathbf{P3}$ , on the other hand, are specified directly in  $\mathtt{CSP}_{\mathtt{M}}$ .

Property P2. Taking into account the RoboChart model, P2 can be restated as requiring that the observation of the input ext\_pow24VStatus with value Power::Off is followed by the output int\_dutyCyclePWM1 with value 0. As CSP adopts a reactive paradigm, the process SpecP2, specified below, is defined in terms of events. It considers the case when the output int\_dutyCyclePWM1 has been set to a value other than zero and subsequently ext\_pow24VStatus is observed with value Power:Off.

The behaviour of SpecP2 is that of PWM\_off, defined as an external choice over behaving as PWM\_Behaviour or accepting the event mod\_sys::ext\_pow24VStatus.in.Power\_Off, followed by the recursion on PWM\_off. PWM\_Behaviour tracks the changes of the output int\_dutyCyclePWM1 by offering a value greater than 0 and then behaving as PWM\_on, or, a value of 0, and then behaving as PWM\_off. In PWM\_on we capture the core of Property P2, where, following the event mod\_sys::ext\_pow24VStatus.in.Power\_Off we require mod\_sys::int\_dutyCyclePWM1.out.0 to be observed within 10 milliseconds (matching the cycleTime used by State\_machine) using the process ADeadline, after which the process behaves as PWM\_off again as specified by the sequential composition (;).

The specification for verifying Property P2 is written as a RoboChart assertion P2, reproduced below.

It is stated as a refinement assertion in the traces model. The process  $mod\_sys\_pwm$  is defined by constraining the timed semantics of  $mod\_sys$  and hiding every  $CSP_M$  event other than those mentioned by SpecP2 using the projection operator ( $| \setminus \rangle$ ) so that the comparison is meaningful.

Property P3. The next property, P3, is specified in  $CSP_M$  by the process SpecP3, defined below.

```
timed csp SpecP3 csp—begin
Timed(OneStep) {
    SpecP3 = timed_priority(mSetPoint_zero)
     mSetPoint = mod\_sys::set\_mSetPoint?x: \{x \mid x < - core\_real, \ x > \theta\} \ -> \ mSetPoint\_non\_zero \} 
                mod_sys::set_mSetPoint.0 -> mSetPoint_zero
    mSetPoint_zero = mSetPoint [] mod_sys::ext_pow24VStatus.in.Power_Off -> mSetPoint_zero
    mSetPoint_non_zero = mSetPoint_zero
                         []
                         mod_sys::ext_pow24VStatus.in.Power_Off -->
                             ADeadline({|mod_sys::ext_pow24VStatus.in.Power_Off,mod_sys::set_mSetPoint|},
                                       {|mod_sys::set_mSetPoint.0|},ms(10)) ; mSetPoint_zero
csp-end
// Constrained form of mod_sys for P3
timed csp mod_sys_setpoint associated to mod_sys csp—begin
Timed(OneStep) {
    mod_sys_setpoint = timed_priority(mod_sys::AS_0__(0,ms(10),1)
                                       |\ {|mod_sys::ext_pow24VStatus.in.Power_Off,mod_sys::set_mSetPoint,tock|})
csp-end
timed assertion P3 : mod_sys_setpoint refines SpecP3 in the traces model // Actual check for P3
```

The structure is similar to SpecP2, and it also uses the event ext\_pow24VStatus. Unlike SpecP2, however, SpecP3 tracks changes in the assignment of values to the shared variable mSetPoint, encoded in the RoboChart semantics via events set\_mSetPoint. We observe that since mSetPoint is a variable of the software, rather than an output of mod\_sys, such an assignment is not visible in the semantics of a RoboChart module. Instead, we use a tailored version of the semantics, calculated by RoboTool, that supports this type of analysis, in a similar way to how state reachability checks are implemented. The actual check for Property P3 is specified by assertion P3, a refinement that considers the process mod\_sys\_setpoint, a constrained form of mod\_sys, defined similarly to process mod\_sys\_pwm in assertion P2.

Property **P4**. The fourth property requires that the software is deadlock free. This can be directly specified using the following RoboChart assertion.

```
//P4: Checks if the model is deadlock free
timed assertion P4: mod_sys is deadlock—free
```

A timed deadlock manifests when the system refuses to perform any event, but time may pass indefinitely. Its absence, is checked in FDR in the failures-divergences semantic model of CSP, using a technique inspired by Roscoe [35], that effectively checks no state configuration is reached whereby an infinite amount of time can pass while refusing to perform every regular event.

Moreover, as a sanity check, we also verify that all of the states of State\_Machine and Watchdog are reachable, using the following RoboChart assertions.

```
timed assertion Reach_Init : State_machine::Init is reachable in mod_sys
timed assertion Reach_Wait24VPower : State_machine::Wait24Vpower is reachable in mod_sys
timed assertion Reach_ClosedLoop : State_machine::ClosedLoop is reachable in mod_sys
timed assertion Reach_Watchdog_s0 : State_machine::ErrorMode is reachable in mod_sys
timed assertion Reach_Watchdog_s1 : Watchdog::s1 is reachable in mod_sys
```

Similarly to the verification of Property **P3**, for checking reachability, RoboTool uses a tailored version of the semantics whereby the entrance of states is visible, as detailed in [10].

| Assertion          | Result | Elapsed Time |              | Complexity  |             |
|--------------------|--------|--------------|--------------|-------------|-------------|
|                    |        | Compilation  | Verification | States      | Transitions |
| P1                 | ✓      | 1456s        | 1394s        | 126,481,225 | 517,333,656 |
| P2                 | ✓      | 1456s        | 247s         | 1,460,749   | 3,855,659   |
| P3                 | ✓      | 1539s        | 248s         | 1,452,829   | 3,831,246   |
| P4                 | ✓      | 1253s        | 334s         | 1,920,070   | 5,795,521   |
| Reach_Init         | ✓      | 789s         | 1.07s        | 3,292       | 12,455      |
| Reach_Wait24VPower | ✓      | 789s         | 5.51s        | 2,229,843   | 9,672,801   |
| Reach_ClosedLoop   | ✓      | 789s         | 11.62s       | 8,148,391   | 35,349,260  |
| Reach_ErrorMode    | ✓      | 789s         | 10.38s       | 6,756,722   | 29,260,634  |
| Reach_Watchdog_s0  | ✓      | 789s         | 0.60s        | 352         | 976         |
| Reach_Watchdog_s1  | ✓      | 789s         | 0.80s        | 1,420       | 4,667       |

Table 2: Results of model-checking Properties P1-P4, as well as reachability analysis using FDR.

Verification Results. The results of model-checking are summarised in Table 2. The time elapsed is the sum of the time taken to compile and verify the Labelled Transition System (LTS), as calculated by FDR, on a dual AMD EPYC 7501 32-core machine with 1TiB of RAM. Complexity is broken down into number of states and transitions visited when verifying the assertions. Compilation takes longer than verification as the  $CSP_M$  automatically generated by RoboTool employs compression functions to minimize the LTS. The compression algorithms used by FDR are largely sequential, whereas verification can exploit multiple cores efficiently. Verification of P1 is more complex than the verification of software-only properties, due to the mechanisation of both the framework and the hardware abstraction.

#### 6. Concluding Remarks and Future Work

Co-simulation, e.g., effectively combining various types of models and simulation tools in order to reach system-level results, is a rather well-known and established industrial practice that has received recent attention [36]. This paper advocates extension of the same school of though and practice into the formal verification domain. Centering the focus around the paint robot HVC application, this paper guides the reader through an industrial use-case of co-verification where modelling and verification results from different tools are lifted into a unifying framework, thereby allowing the verification of overall, system-level properties.

In our case study, we have used RoboChart for modelling the software, and Simulink for hardware modelling. RoboChart models are typically of a higher abstraction level than those used for dynamic simulation. Therefore, abstractly capturing the behaviour of low-level software, like that of the HVC, can be challenging, especially for practitioners who are more familiar with dynamic simulation. Another aspect of practical concern is finding the right level of abstraction to achieve computationally tractable results for model-checking. Simulink, on the other hand, is convenient for modelling and simulation of dynamics, but is limited in the ability to perform verification. Continuous blocks need to be discretized for use with SDV, and, on a more practical level, it is not always clear whether counter-example generation is feasible.

Because of the general form of our approach, we envision that the principle of decoupling via platform mappings, also advocated in [15], could constitute a useful, and pragmatic, basis for use with other formal verification tools and techniques. An avenue for future work could include the complete formalisation and mechanisation of decomposition patterns using a unifying semantic framework like the UTP [37], that caters for multiple paradigms, with support for interactive theorem proving available via Isabelle/UTP [38].

On a more practical level, we anticipate that the automatic generation of proof models from a declarative notation capturing the framework outlined in Fig. 8, namely for model-checking as we do in our case study, could be useful for practitioners. Such work could also address the dichotomy between the use of events to represent sampling of inputs, and their use as interrupts in the style of CSP, that facilitates the specification of properties like **P1**. Not surprisingly, this is a paradigm shift also seen in the conformance relation between RoboChart and the closely-related simulation language RoboSim [21].

The results presented earlier in this paper, were extended by performing verification against an older version of the HVC software, which was known to be faulty, e.g., had been observed in practice to generate solutions contradicting some of the properties listed in Section 3.1. Our results revealed that neither Property P2 nor P3 were satisfied. This gives credence to our ability in successfully capturing the critical behavioural aspects of the HVC. Moreover, it reinforces the relevance of practical formal verification techniques for identifying problems early in the development cycle, supplementing traditional testing in industrial settings.

Related to our motivation on addressing the ongoing industrial trends in robotics, where an increasing number of safety features and functions are handled in software, we also acknowledge the emergence of adaptive or learning-based software components. The use of machine learning methods, and their inherent opaqueness, presents significant challenges in fulfilling certification requirements and obtaining wide-scale market acceptance. To push forward the socio-technical research frontier drastically and improve current practices of robotic system design, analysis and verification is scope of future research.

Related work is ongoing, for example, to provide facilities in RoboChart to capture properties of neural networks at a suitable level of abstraction, which could be a useful basis in the future to extend our coverification approach. In addition, RoboTool also supports the generation of reactive modules for analysis with PRISM [39, 40], which features both probabilistic and statistical model-checking. In the future, we plan to explore this avenue for verification, namely for reasoning in the presence of faults and uncertainty.

# Acknowledgements

The authors would like to gratefully acknowledge all the support, guidance and inspiration provided by Prof. Ana Cavalcanti during this work. The research presented in this paper has received funding from the Norwegian Research Council, SFI Offshore Mechatronics, project number 237896. Pedro Ribeiro is funded by the UK EPSRC (grant EP/M025756/1), and by the Royal Academy of Engineering (grant CiET1718/45).

# Appendix A. RoboChart Model: Controllers

The controllers ctrl0-3 referenced in mod sys are shown in Figs. A.18 to A.21.



Figure A.18: Controller ctrl0, showing its inputs and output connections to Sate machine, and references of operations.

# Appendix B. Extended RoboTool Definitions

Here we include the definition of the auxiliary processes EndBy and TRUN, which are provided built-in with RoboTool for modelling of timed behaviour using *tock*-CSP.

```
—— Events are not followed by implicit delays, so the function OneStep is defined as zero for every input.
OneStep(_) = 0

—— Outside a Timed section, the process STOP prevents time from passing, thus USTOP is a timelock.
USTOP = STOP

—— Version of RUN that includes the event 'tock' for modelling convenience.
TRUN(S) = RUN(union(S,{tock}))

Timed(OneStep) {
    EndBy(P,d) = timed_priority(P /\ (WAIT(d);USTOP))
}
```



Figure A.19: Controller ctrl1, showing its inputs and output connections to Watchdog, and references of operations.



Figure A.20: Controller ctrl2 with state machine stm0 that relays input events from ext\_pow24VStatus through ext\_pow24\_1 and ext\_pow24\_2. Initially stm0 accepts a reading through ext\_pow24VStatus, stores the value in the local variable power and sets the variable fresh to true, indicating that a new value is present. It then offers, in interleaving via two during actions the possibility to output the value of power via ext\_pow24\_1 and ext\_pow24\_2, after which it sets fresh to false, triggering the self transition of state s0.



Figure A.21: Controller ctrl3 with state machine stm0 that relays input events from ctrl0\_dutyCyclePWM1, ctrl0\_enablePWM, and ctrl1\_dutyCyclePWM1 and ctrl1\_enablePWM, through int\_dutyCyclePWM1 and int\_enablePWM.

## References

- [1] J. Guiochet, M. Machin, H. Waeselynck, Safety-critical advanced robots: A survey, Robotics and Autonomous Systems 94 (2017) 43–52. doi:10.1016/j.robot.2017.04.004.
- [2] E. Seligman, T. Schubert, M. Kumar, Formal Verification: An Essential Toolkit for Modern VLSI Design, Morgan Kaufmann Publishers Inc., 2015.
- [3] M. Weißmann, S. Bedenk, C. Buckl, A. Knoll, Model checking industrial robot systems, in: A. Groce, M. Musuvathi (Eds.), Model Checking Software, Springer, 2011, pp. 161–176. doi:10.1007/978-3-642-22306-8\_11.
- [4] Y. Murray, D. A. Anisi, M. Sirevåg, P. Ribeiro, R. S. Hagag, Safety assurance of a high voltage controller for an industrial robotic system, in: G. Carvalho, V. Stolz (Eds.), Formal Methods: Foundations and Applications., Vol. 12475 of Lecture Notes in Computer Science, Springer, 2020, pp. 45–63. doi:10.1007/978-3-030-63882-5\_4.
- [5] M. Mossige, "Automated Electrostatic Painting; principles and models", Master's thesis, University of Stavanger, Norway (2005).
- [6] N. R. Svensen, "Automated Electrostatic Painting; Safety and Control", Master's thesis, University of Stavanger, Norway (2005).
- [7] C. Gomes, C. Thule, D. Broman, P. G. Larsen, H. Vangheluwe, Co-simulation: A survey, ACM Computing Surveys 51 (3) (2018) 49:1–49:33. doi:10.1145/3179993.
- [8] C. Baier, Principles of model checking, MIT Press, Cambridge, MA, USA, 2008.
- [9] A. L. C. Cavalcanti, W. Barnett, J. Baxter, G. Carvalho, M. C. Filho, A. Miyazawa, P. Ribeiro, A. C. A. Sampaio, Software Engineering for Robotics, Springer, 2021, Ch. RoboStar Technology: A Roboticist's Toolbox for Combined Proof, Simulation, and Testing, pp. 249–293. doi:10.1007/978-3-030-66494-7\_9.
- [10] A. Miyazawa, P. Ribeiro, L. Wei, A. L. C. Cavalcanti, J. Timmis, J. C. P. Woodcock, RoboChart: modelling and verification of the functional behaviour of robotic applications, Software & Systems Modeling 18 (2019) 3097–314. doi: 10.1007/s10270-018-00710-z.
- [11] A. Miyazawa, A. Cavalcanti, P. Ribeiro, W. Li, J. Woodcock, J. Timmis, RoboChart Reference Manual, Technical report, University of York (Feb. 2016).
  - $\label{lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:url:lem:u$
- [12] MathWorks, Simulink Design Verifier (visited April 15, 2021). URL https://www.mathworks.com/products/simulink-design-verifier.html
- [13] T. Gibson-Robinson, P. Armstrong, A. Boulgakov, A. Roscoe, FDR3 A Modern Refinement Checker for CSP, in: E. Ábrahám, K. Havelund (Eds.), Tools and Algorithms for the Construction and Analysis of Systems, Vol. 8413 of Lecture Notes in Computer Science, Springer, 2014, pp. 187–201. doi:10.1007/978-3-642-54862-8\_13.

- [14] A. Miyazawa, A. L. C. Cavalcanti, S. Ahmadi, M. Post, J. Timmis, Robosim physical modelling diagrammatic physical robot models, Tech. rep., University of York, Department of Computer Science, RoboStar (2021). URL https://robostar.cs.york.ac.uk/publications/techreports/reports/physmod-reference.pdf
- [15] A. Miyazawa, A. L. C. Cavalcanti, S. Ahmadi, M. Post, J. Timmis, Diagrammatic physical robot models(Submitted) (2021).
- [16] J. Baxter, A. Miyazawa, P. Ribeiro, K. Ye, RoboTool RoboChart Tool Manual, University of York (December 2021). URL https://www.cs.york.ac.uk/circus/publications/techreports/reports/robotool-manual.pdf
- [17] M. Luckcuck, M. Farrell, L. A. Dennis, C. Dixon, M. Fisher, Formal specification and verification of autonomous robotic systems: A survey, ACM Computing Surveys 52 (5) (2019) 1–41. doi:10.1145/3342355.
- [18] A. Cavalcanti, A. Miyazawa, R. J. Payne, J. Woodcock, Sound simulation and co-simulation for robotics, in: M. Mazzara, B. Meyer (Eds.), Present and Ulterior Software Engineering, Springer, 2017, pp. 173–194. doi:10.1007/978-3-319-67425-4\_11.
- [19] T. Blockwitz, M. Otter, J. Akesson, M. Arnold, C. Clauß, H. Elmqvist, M. Friedrich, A. Junghanns, J. Mauss, D. Neumerkel, H. Olsson, A. Viel, Functional mockup interface 2.0: The standard for tool independent exchange of simulation models, in: 9th International Modelica Conference, Linköping Electronic Conference Proceedings, 2012, pp. 173–184. doi:10.3384/ecp12076173.
- [20] A. Afzal, D. S. Katz, C. L. Goues, C. S. Timperley, A study on the challenges of using robotics simulators for testing, CoRR abs/2004.07368 (2020). arXiv:2004.07368.
- [21] A. Cavalcanti, A. Sampaio, A. Miyazawa, P. Ribeiro, M. C. Filho, A. Didier, W. Li, J. Timmis, Verified simulation for robotics, Science of Computer Programming 174 (2019) 1–37. doi:10.1016/j.scico.2019.01.004.
- [22] R. Alur, C. Courcoubetis, T. A. Henzinger, P. H. Ho, Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems, in: R. L. Grossman, A. Nerode, A. P. Ravn, H. Rischel (Eds.), Hybrid Systems, Vol. 736 of Lecture Notes in Computer Science, Springer, 1993, pp. 209–229. doi:10.1007/3-540-57318-6\_30.
- [23] R. Alur, Formal verification of hybrid systems, in: Proceedings of the Ninth ACM International Conference on Embedded Software, Association for Computing Machinery, New York, NY, USA, 2011, p. 273–278. doi:10.1145/2038642.2038685.
- [24] T. A. Henzinger, V. Rusu, Reachability verification for hybrid automata, in: T. A. Henzinger, S. Sastry (Eds.), Hybrid Systems: Computation and Control, Vol. 1386 of Lecture Notes in Computer Science, Springer, 1998, pp. 190–204. doi:10.1007/3-540-64358-3 40.
- [25] T. A. Henzinger, P. W. Kopke, A. Puri, P. Varaiya, What's decidable about hybrid automata?, Journal of Computer and System Sciences 57 (1) (1998) 94 124. doi:10.1006/jcss.1998.1581.
- [26] D. Bresolin, L. Di Guglielmo, L. Geretti, R. Muradore, P. Fiorini, T. Villa, Open problems in verification and refinement of autonomous robotic systems, in: 15th Euromicro Conference on Digital System Design, IEEE, 2012, pp. 469–476. doi:10.1109/DSD.2012.96.
- [27] G. J. Holzmann, The model checker SPIN, IEEE Transactions on Software Engineering 23 (5) (1997) 279–295. doi: 10.1109/32.588521.
- [28] L. Geretti, R. Muradore, D. Bresolin, P. Fiorini, T. Villa, Parametric formal verification: the robotic paint spraying case study, IFAC-PapersOnLine 50 (1) (2017) 9248 9253, 20th IFAC World Congress. doi:10.1016/j.ifacol.2017.08.1287.
- [29] A. W. Roscoe, Understanding Concurrent Systems, Springer, 2010.
- [30] J. Baxter, P. Ribeiro, A. Cavalcanti, Sound reasoning in tock-CSP, Acta Informatica (online) (Apr 2021). doi:10.1007/s00236-020-00394-3.
- [31] MathWorks, Acknowledgments, https://se.mathworks.com/help/sldv/ug/acknowledgments.html, visited April 15, 2021.
- [32] M. Sheeran, G. Stålmarck, A Tutorial on Stålmarck's Proof Procedure for Propositional Logic, Formal Methods in System Design 16 (1) (2000) 23–58. doi:10.1023/A:1008725524946.
- [33] J. C. P. Woodcock, J. Davies, Using Z Specification, Refinement, and Proof, Prentice-Hall, 1996.
- [34] I. Toyn (Ed.), Information Technology Z Formal Specification Notation Syntax, Type System and Semantics, ISO, 2002, ISO/IEC 13568:2002(E).
- [35] A. W. Roscoe, The automated verification of timewise refinement, in: First Open EIT ICT Labs Workshop on Cyber-Physical Systems Engineering, 2013.
- [36] P. G. Larsen, J. S. Fitzgerald, J. Woodcock, P. Fritzson, J. Brauer, C. Kleijn, T. Lecomte, M. Pfeil, O. Green, S. Basagiannis, A. Sadovykh, Integrated tool chain for model-based design of cyber-physical systems: The INTO-CPS project, in: 2nd International Workshop on Modelling, Analysis, and Control of Complex CPS, IEEE Computer Society, 2016, pp. 1–6. doi:10.1109/CPSData.2016.7496424.
- [37] C. A. R. Hoare, J. He, Unifying Theories of Programming, Prentice-Hall, 1998.
- [38] S. Foster, J. Baxter, A. Cavalcanti, J. Woodcock, F. Zeyda, Unifying semantic foundations for automated verification tools in Isabelle/UTP, Science of Computer Programming 197 (2020) 102510. doi:10.1016/j.scico.2020.102510.
- [39] M. Z. Kwiatkowska, G. Norman, D. Parker, PRISM: probabilistic symbolic model checker, in: T. Field, P. G. Harrison, J. T. Bradley, U. Harder (Eds.), Computer Performance Evaluation, Modelling Techniques and Tools 12th International Conference, Proceedings, Vol. 2324 of Lecture Notes in Computer Science, Springer, 2002, pp. 200–204. doi:10.1007/3-540-46029-2\_13.
- [40] J. Woodcock, A. Cavalcanti, S. Foster, A. Mota, K. Ye, Probabilistic semantics for RoboChart A weakest completion approach, in: P. Ribeiro, A. Sampaio (Eds.), Unifying Theories of Programming - 7th International Symposium, UTP 2019, Dedicated to Tony Hoare on the Occasion of His 85th Birthday, Vol. 11885 of Lecture Notes in Computer Science, Springer, 2019, pp. 80–105. doi:10.1007/978-3-030-31038-7\_5.