Multiple Analyses, Requirements Once: simplifying testing & verification in automotive model-based development arXiv:1906.07083v1 [cs.LO] 17 Jun 2019 Philipp Berger1 , Johanna Nellen1 , Joost-Pieter Katoen1 , Erika Ábrahám1 Md Tawhid Bin Waez2 , and Thomas Rambow2 1 RWTH Aachen University, Germany {berger, johanna.nellen, katoen, abraham}@cs.rwth-aachen.de 2 Ford Motor Company, USA/Germany {mwaez, trambow}@ford.com Abstract. In industrial model-based development (MBD) frameworks, requirements are typically specified informally using textual descriptions. To enable the application of formal methods, these specifications need to be formalized in the input languages of all formal tools that should be applied to analyse the models at different development levels. In this paper we propose a unified approach for the computer-assisted formal specification of requirements and their fully automated translation into the specification languages of different verification tools. We consider a two-stage MBD scenario where first Simulink models are developed from which executable code is generated automatically. We (i) propose a specification language and a prototypical tool for the formal but still textual specification of requirements, (ii) show how these requirements can be translated automatically into the input languages of Simulink Design Verifier for verification of Simulink models and BTC EmbeddedValidator for source code verification, and (iii) show how our unified framework enables besides automated formal verification also the automated generation of test cases. 1 Introduction In the automotive industry, software units for controllers are often implemented using model-based development (MBD). The industry standard ISO26262 recommends formal verification to ensure that such safety-critical software is implemented in accordance with the functional requirements. The work of our previous two papers [19,2] and this paper not only applies to safety critical automotive software but also to quality management (QM) or non-safety critical automotive software. In fact, we worked only on Ford QM software features in our papers. To optimally exploit recent academic developments as well as the capabilities of state-of-the-art verification tools, Ford Motor Company and RWTH Aachen University initiated an alliance research project to analyze how formal verification techniques for discrete-time systems can be embedded into 2 P. Berger et al. Ford’s model-based controller development framework, and to experimentally test their feasibility for industrial-scale C code controllers for mass production. In our previous works [19,2], we considered an MBD process starting with the development of Simulink controller models and using Simulink’s code generation functionality to derive C code for software units. For formal verification, we analyzed the feasibility of both Simulink Design Verifier (SLDV ) for Simulink models as well as BTC EmbeddedPlatform verification tool for the generated C code. Our papers [19,2] present our observations and give recommendations for requirement engineers, model developers and tool vendors how they can contribute to a formal verification process that can be smoothly integrated into MBD. The most serious pragmatic obstacles that we identified for the integration of formal methods are related to the requirement specifications. The requirement specifications were given informally in natural language. All the considered natural language requirements described time-bounded linear temporal logic (LTL) properties, which we manually formalized for both the SLDV and the BTC verification tools. During the formalization we detected ambiguity, incompleteness or inconsistency for roughly half of the textual requirements. The manual formalizations needed discussions with requirement engineers to clarify and correct these flaws. However, a high degree of automation is a prerequisite for mass production and the integration of formal methods into the established MBD process at Ford. Automation allows the usage of formal verification within a development team of engineers with little knowledge of formal verification. Ideally, verification is automatically triggered whenever changes have been made to either the requirements, the Simulink model, or the used verification tools. Verification results can then be stored and compared with previous runs, making deviations from previous results easily detectable. All deviations can then be reported to a person with a strong background in formal methods for thorough investigation. We also encountered problems rooted in the fact that the formalizations for the two different formal tools were done independently due to syntactic differences: in Simulink, requirements are themselves Simulink models that need to be embedded into the models that should satisfy them, whereas in BTC the requirements can be specified either using a graphical interface for pattern-based specification or directly in an XML-based file input format. The independence of multiple requirement formalizations has several disadvantages. First and foremost, basically the same work is done multiple times, using different input languages. In addition, the formalizations have the risk to be slightly different. This may result in potentially incompatible analysis results requiring a deep and time-consuming analysis. When the formalizations are done independently, they cost additional resources in time and expert knowledge, raising development cost. In addition, typically several programming and modeling languages are used within a company such as Ford. The preference of these languages changes over time and each language has its own analyses tools. Different teams within a Multiple Analyses, Requirements Once 3 company like Ford may use different tools for the same purpose. The fact that almost every formal verification tool has its unique input language is a big obstacle to introduce formal methods into versatile companies like Ford. A common requirement language for all formal verification tools may help to take advantage of the strengths of different tools. To diminish these problems, this paper presents a common formal requirement specification framework . We focus on Simulink and C code verification in the automotive domain, but our framework is naturally extensible to further languages and tools. Concretely, the paper makes the following main contributions: 1. We identify a small fragment of LTL as a formal specification language that is expressive enough for the formalization of typical requirements in the context of MBD in the automotive sector . 2. We describe our tool that was designed as a prototype for use inside this research project as a proof of concept. Similar to BTC EmbeddedSpecifier it assists users who are not experts in formal methods to specify unambiguous and complete formal requirements using textual descriptions according to a pattern-based syntax. 3. We propose an approach for the fully automated translation of the abovespecified formal requirements into Simulink models that can be embedded in SLDV verification processes. 4. We describe how to automatically generate BTC models from those formal requirements for source code verification. 5. We show how to automatically generate test objectives from formal requirements that can be used for automated test-case generation. Our framework is illustrated in Fig. 1. While computer-assisted approaches for formal requirement specification have been proposed (see Sec. 2), we believe that our approach supporting direct analysis using multiple tools at different development levels is novel, especially the automated specification export to Simulink and the generation of test-cases. 2 Specification Textual output of requirements Requirements Pattern-based specification tool Model data (optional) Verification - Simulink verification - Source code verification Testing Test case generation within Simulink Fig. 1: The structure of our unified specification and analysis framework. Related Work Patterns for specifying properties in formal verification were introduced by Dwyer et al. [7]. Cheng et al. has extended this work to real-time properties [14] and Grunske introduced a pattern system for probabilistic properties [10]. Autili et al. [1] recently presented a unified pattern catalog that combines known patterns 4 P. Berger et al. for qualitative, real-time and probabilistic properties. Then the work has been extended by some new patterns. Our works relies on the pattern catalogs from [7,1]. Inspired by our experience with Ford [19,2], we selected a set of patterns that covers more than 90% of our investigated automotive requirements. Several tools are available for pattern-based specifications. The PSPWizard [17] and the SESAMM Specifier [8] provide for a given pattern library export functionalities to a formal logic or to a textual representation. The SESAMM specifier has been integrated into an industrial toolchain in the automotive domain. The tool PASS (Property ASSistant) [20] guides the user by a set of questions towards a suitable pattern from which a µ-calculus formula and a UML sequence diagram can be generated. The tool PROPEL [21] represents patterns in natural language and by finite-state automata. The COMPASS toolset [6] supports the original patterns by Dwyer, real-time- and probabilistic patterns. While the previous mentioned tools use the pattern catalog from [1,7,6], the work [16] presents different patterns and a tool for the requirement specification and automated translation to a formal language. The tool DDPSL [11] goes a step further by allowing the user to fill the templates in a pattern with assumptions on the variables using a defined set of logical and temporal operators. The ReSA Tool allows an automated consistency check of requirements on multiple abstraction levels using SAT checking. The commercial tool BTC EmbeddedPlatform3 also offers the possibility to formalize textual requirements in a pattern-based language. Former versions of the tool support a pattern catalog but the latest release uses the universal pattern [22] that offers a graphical specification for trigger-action based requirements. Our tool focuses on the key patterns but allows for automated generation of test cases, as well as properties for Simulink model and source code verification. Besides the tools for pattern-based specifications, several experience reports on using specification patterns have been published. In [4], a case study in the field of service-based applications is presented. [23] reports on an approach using pattern-based specifications in the area of work flow modeling. Bosch company investigated the suitability of the pattern catalog from [14] for 289 informal behavioral requirements from their automotive projects. A report on the integration of a pattern-based specification tool in an industrial (automotive) tool chain is given in [8,9]. A restricted set of patterns was used for the formal specifications within the PICASSOS project [5]. A system for modeling and testing flight critical software was presented in [18], but their focus lies on test-case generation and modeling structural aspects of the software system, whereas our focus is on the automated translation of requirements. 3 Pattern-Based Requirement Specification Language Requirement documents are commonplace in the automotive industry and are usually written in natural language by a large number of stakeholders. These 3 https://www.btc-es.de/en/products/btc-embeddedplatform/ Multiple Analyses, Requirements Once 5 Table 1: Pattern distributions for three different controller models. Pattern Invariant Time-bounded response (exact bound) Event-bounded response LSC DSR 35 85.4% 5 12.2% 1 2.4% 50 92.6% 4 7.4% 0 0.0% ECC 80 97.6% 2 2.4% 0 0.0% can include engineers and other people without a strong background in formal methods, which may lead to ambiguous requirements. Specification patterns may assist engineers in writing complete and unambiguous textual requirements. A pattern defines the behavior that is described by a requirement and uses templates for additional information like the specification of events and durations. In contrast to most existing approaches, events are specified by a constrained grammar, and higher-order operators, e.g. hysteresis4 , are supported to enable specifying new operations on events. Goals. The pattern-based specification language should produce human readable specifications. A formal semantics avoids ambiguities and allows the automated generation of tool-specific requirement specifications. Our aim is to keep the pattern language simple such that no expert knowledge is needed and the learning curve for requirement engineers is low. We believe that a limited number of simple patterns reduces incorrect choices of patterns or scopes when writing requirements while still covering a high percentage of requirements. Why yet another specification language? Tools like BTC EmbeddedPlatform come with their own, existing, pattern-based specification language and there are existing tools for pattern-based specification. Nonetheless we decided that creating our own language and tool was the better choice. A key difference from many established pattern-based specification languages is that we also require the events to be specified using a constrained grammar, enforcing the events to be formalizable properties. This, in turn, allows us to immediately export the entire property to a supported format without the need for any further user interaction. Adding new features or constructs like higher-order operators (e.g. hysteresis) is easy to achieve, requiring only very modular changes to the grammar and the back-end exporter classes. We want to be able to create our own pool of higher-order operators for event specification that can be used to ease the burden of formalization for the engineers. Our own language allowed us to do rapid prototyping while coming up with new ideas, without the burden of getting all stakeholders of an established language on board beforehand. Syntax. We used [1,7,14] as a starting point to design our pattern-based requirement specification language L, whose grammar is shown in Fig. 2; for more details see also Appendix A. 4 Hysteresis is a functionality often used to prevent rapid toggling when observing an input signal against some threshold by introducing an upper and a lower delta. 6 P. Berger et al. specification: scope: pattern: initially: globally: invariant: response: event: term: duration: uint: unit: scope pattern; initially | globally; invariant | response; ’At system start, ’; ’At each time step, ’; ’[ ’ event ’] holds. ’; ’if [ ’ event ’] has been valid for [ ’ duration ’], ’ ’then in response, after a delay of [ ’ duration ’], ’ ’[ ’ event ’] is valid for [ ’ duration ’]. ’; identifier | event AND event | ...| term ≤ term | ... identifier | term + term |... uint unit; [1..9] [0..9]*; ’simulation steps ’ | ’milliseconds ’ | ’seconds ’ | ’minutes ’ | ’hours ’; Fig. 2: Syntax of our pattern-based requirement specification language. Requirement specifications consist of a scope followed by a pattern. We start with a limited set of scopes and patterns that can be extended later to cover further specification types. However, these limited sets were sufficient to formalize more than 90% of the requirements in all three case studies (Low Speed Control for Parking (LSC), Driveline State Request (DSR) and E-Clutch Control (ECC)) we considered in [2,19] (see Table 1). Other internal case studies from Ford show similar results. Currently two scopes are supported: the initially scope is used to express that a property should hold at system start, i.e. at time step 0 of a simulation before any operations have been performed, while the globally scope expresses that a property should hold at each time step of an execution, but starting after the first execution. In [1,7,14] there are further scopes like before R, after Q, between Q and R and after Q until R that can be considered for future inclusion. We support two patterns for defining which property is required to hold for a given scope. The invariant pattern allows to state that a certain event holds (at each time step within the specified scope), and covers both the absence and the universality patterns from [7] if the negation of events is supported. The response pattern specifies causalities between two events: the continuous validity of a trigger event for a given trigger duration implies that after a fixed separative duration the response event holds continuously for a given response duration. The events in the above patterns are built from identifiers (signals, constants and (calibration) parameters) using a set of functions and operators. We support those operators and functions that were used in our case studies, including the Boolean operators AND, OR, NOT and IMPLIES, the relational operators <, ≤, >, ≥ and =, the arithmetic operators +, −, · and /, absolute Multiple Analyses, Requirements Once scopes: 7 Jinitially patternK = JpatternK Jglobally patternK =  JpatternK patterns: J[e] holds.K = JeK Jif [eP ] has been valid for [dP ], then in response, after a delay of [d], [eQ ] is valid for [dQ ].K     = [≤JdP K] JeP K → ♦[=JdP K+JdK] [≤JdQ K] JeQ K events: JidentifierK Je1 AND e2 K Jt1 ≤ t2 K durations: Jn secondsK = identifier . . . = Je1 K ∧ Je2 K . . . = Jt1 K ≤ Jt2 K . . . ... = 1000·n DStep Fig. 3: Semantics of our pattern-based requirement specification language. value, minimum, maximum, functions for bit extraction (bit x of variable y) and time delays (value of x n steps ago). The complete ANTLR grammar for events is presented in Appendix A. We plan in future work to incorporate more advanced operators like state change (“the value of [param] transitions from [const1] to [const2]”), different variants of hysteresis functions, saturation, rate limiter and ramping up functions and lookup tables. Note that though custom operators and functions allow users a more efficient specification, special operators (e.g. lookup tables) might not be realizable in all specification languages for which export is provided. Semantics. We define the semantics of requirement specifications using linear temporal logic with quantitative temporal operators to express time durations, that is MTL [15]. The main semantical components are shown in Fig. 3 using only future temporal modalities (straightforward and therefore not listed in Fig. 3 are the semantics for events and durations, see Appendix A for a complete definition). We use DStep to denote the step-size, here in milliseconds. We support durations that are multiples of DStep . An equivalent semantics using past temporal modalities is given in Appendix A. The difference in terms of a timeshift between the formulations using past (resp. future) operators is illustrated in Fig. 4. The two equivalent semantics support the export of a pattern-based specification into different specification languages. For example the specification language of the analysis tool SLDV only supports past temporal operators. 4 Pattern-Based Requirement Specification Tool We have implemented a pattern-based specification tool as a prototype for use inside this research project to support requirement engineers in writing unambiguous and complete textual requirements. Our focus was to create a modular tool that is easy to learn and extendible, if in the future a larger set of scopes, patterns or operators needs to be supported. 8 P. Berger et al. past temporal operators Trigger P dP Delay d Response Q dQ + time-shift by dP + d + dQ Trigger P dP Delay d Response Q dQ future temporal operators Fig. 4: Evaluation of a response pattern with past or future operators. The present is represented by the red tick on the timeline. Fig. 5: User interface of our pattern-based specification tool. A user can either import signals, calibratables and constants from a file, or create, change and delete them manually. Calibratable parameters remain constant during software execution but can be adjusted before the execution for tuning or selecting the possible functionalities. Captured data includes a name, description, minimum and maximum values, dimensions, a value, the data type and the variable type (signal, calibratable or constant). With the information of available variables readily available, the tool checks specified events for whether all referenced variables actually exist. The current version of the tool provides export functionality for a selected requirement or for all of them. Export formats are textual (.txt), SLDV (.m), BTC (.spec) and C (.c) specifications. The last one is compatible with the SVCOMP standard [3] and can be used for formal verification with e.g. the Ultimate Automizer [12]. Multiple Analyses, Requirements Once 9 The requirement specification panel in Fig. 5 is the main panel of our tool. A scope and a pattern must be selected for the requirement. A textual translation of the scope and pattern is given as well as a visualization that shows the time steps where the chosen pattern is evaluated, see Fig. 5. Events are built using operators, functions, signals, constants and calibration parameters. For each event, a duration and a time unit can be specified. Additionally, for patterns with more than one event, a time delay between events can be specified, again together with a time unit. If the pattern-based specification is incomplete or if it contains specification errors, the lower part of the specification panel provides the list of errors and warnings. When all issues are resolved, a textual formal specification is generated from the specification. The modular set-up of the tool allows to add further exporters, e.g. to generate specification in a logic like MTL in a straightforward manner. Our prototypical implementation supports the functions abs(param), min(param1, param2), max(param1, param2), last(param), last(param, steps) and extractBit(index, param). For an explanation see Appendix A. Parenthesis expressions can be built using (param) and the basic boolean operators not, and, or and implication are provided. 5 5.1 Requirement Specification Export to Verification Tools Export to SLDV A formal pattern specification is exported to Simulink in the form of a Matlab script. This script generates a specification block inside a model on the currently selected hierarchy level. For verification on model-level, the topmost level of a model should be selected, whereas for verification on subsystem-level the topmost level of the subsystem should be selected. To implement the semantics of L in Simulink, we use a custom-build, modular and interchangeable block library and existing Simulink logic blocks. The following requirement is used as a running example to illustrate the various steps: Example 1. At each time step if [(((signal A is equal to TRUE) and ((not signal B) is equal to constant A)) and ((the absolute value of signal C) is greater than constant B)) and (signal D is less than constant C)] has been valid for [50 milliseconds], then in response, after a delay of [0 steps], [signal E is equal to TRUE] is valid for [1 step]. To support the requirement specification for SLDV, we implemented a Simulink library with building blocks for all elements of our requirement specification language. The library provides sub-libraries for the specification of scopes, patterns and events. Verification subsystem. Fig. 6 shows the topmost generated block, a verification subsystem. Its input are all input and output signals of the Simulink model 10 P. Berger et al. [signal A] signal A [signal B] signal B [signal C] signal C [signal D] signal D [signal E] signal E × X Verification Subsystem Fig. 6: A sample verification subsystem block. that are used by the generated requirement specification. The content of verification subsystems is considered during formal verification but ignored during code generation and is not part of the generated code. The top-level verification subsystem contains a separate verification subsystem for each requirement. The verification subsystem subsumes the implementation of the actual requirements, i.e. encoding the expected functional behavior, by separating it into parts: Transformations on inputs, and implementing timed behavioral aspects. A requirement specification consists of three parts: a set of events, a pattern and a scope; each is represented by distinct blocks in the library. Fig. 7 shows an example requirement specification that consists of a globally scope, a response pattern and two events. Scopes. A scope block defines the time steps during which a pattern needs to be evaluated. The pattern result is a Boolean input parameter. At each simulation step, either the pattern result or true (if the pattern result needs not to be evaluated at the current time step) is the input of a proof objective. During formal verification, SLDV analyzes this proof objective. A requirement is violated if the input of a proof objective can be false at any simulation step. The initially scope evaluates the pattern result only at system start, while the globally scope evaluates the pattern result at each time step. Fig. 8b and 8a show the implementations of scopes globally and initially, respectively. The delay block is initialized with the value 1, while all subsequent output values will be 0. The time shift (see Section 3) is realized by the Detector block. [signal A] signal A [signal B] signal B [signal C] signal C [signal D] signal D Trigger P Result Response Q Trigger [signal E] Pattern Globally Response Pattern signal E Response Fig. 7: The responseTbEb pattern of the verification subsystem in Fig. 6. Multiple Analyses, Requirements Once 0 Constant Z−1 Signal Delay In Out A Detector 1 Pattern 11 A⇒B P 1 P B (b) Scope globally Implies (a) Scope initially Fig. 8: Proof objectives for the scopes initially and globally. Patterns. A pattern receives the Boolean signals from the events as inputs along with the time duration and delays between events specified as mask parameters of the pattern. A pattern block ensures the correct order of events and handles timing aspects like event durations and delays between events. Simulink blocks for time durations and delays are provided by our Simulink specification library. The output of a pattern block is again a Boolean signal. In Fig. 7, the blocks Trigger and Response contain the part of signal transformation, whereas the block labeled Response Pattern represents the details of the duration- and delay checks, as shown in Fig. 9. Inside this subsystem block, the event order (trigger before response) is established together with the specified time delay between the two events. In our example, the trigger has to be true for 50 mil- 1 Trigger P Event Timed Event Duration Check Event Timed Event A Delay A⇒B 2 Response Q Event Timed Event 1 Result B Duration Check Implies Fig. 9: The implementation of the Trigger/Response pattern. liseconds. This duration is checked by the Duration Check block which returns a Boolean true iff its input evaluated to true for a given number of time steps. A delay block is then used to account for the response duration and a possible fixed delay between trigger and response. Events. Each event is specified in its subsystem. The event subsystems are connected with the input signals of the verification subsystem using From blocks. An event is built using the blocks provided by our Simulink specification library. These building blocks must be connected in accordance with the rules of our event grammar. The output of an event specification is a Boolean signal. Fig. 12 P. Berger et al. [signal A] a TRUE b a == b Equal [signal B] NOT Not constant A AND a And a == b b AND Equal [signal C] a abs(a) a Abs constant B And a>b AND b Greater [signal D] 1 And a a<b constant C b Less Fig. 10: The logic of the trigger condition of the example requirement. 10 shows the necessary signal transformations for the trigger of the example requirement. Connection to the Simulink model. After the automated insertion of the verification subsystem at a user-chosen level in the model, the inputs of the verification system need to be connected to the corresponding signals in the model. Because of possible data dependency issues, we use global data store blocks for accessing the signals. For selecting the source signal, we traverse the model in a hierarchical approach and try to find the first match of a named signal matching the one being looked for. A data store write is then inserted into the model at the matched location, allowing us to generate the corresponding global data store read block next to our verification subsystem. 5.2 Export to BTC EmbeddedPlatform We support the export of formalized requirements to BTC’s input format, socalled SPEC files. They contain an XML-based structured representation of the requirements and their patterns. Small transformations are applied during export to match BTC’s pattern semantics. We consider the time step 0 to be the first time step in the initially scope. This means that we start to evaluate the pattern directly after initialization, i.e. before the first computation step. In contrast, BTC starts the evaluation after the first computation step. It is not possible to check initial variable valuations in BTC, therefore, an error is presented when exporting a requirement with scope initially to BTC. The generated SPEC files can then be imported into BTC EmbeddedPlatform and used for verification. 5.3 Export to Textual Requirements Formally specified requirements can easily be exported to textual form. As many engineers and stakeholders without a solid background in formal methods are involved in the design, testing and implementation of the defined software components, it is vital to present the agreed-upon requirements in a textual representation, which is easy to understand, distribute and review. Our export feature Multiple Analyses, Requirements Once 13 for textual requirements additionally supports automatically introducing parenthesis around all non-trivial arguments used in the specification to prohibit misinterpretations or misunderstandings of the written specification—a problem we encountered several times in [2,19]. 5.4 Export to SV-Comp-style C code To enable the use of state-of-the-art academic C code model checkers, we explicitly encode our pattern semantics in C code. This enables to embed all assumptions and behavior directly in the code, instead of going around it with LTL specifications or similar, as supported by some tools. We built a boilerplate framework for initializing parameters and calibratables (enabling verifying with varying calibrations) and updating input variables after every step. We decided to use the established VERIFIER error(); functionality for encoding violations of the behavior allowed by the patterns as supported by many code verifiers such as more than 20 tools participating in the SV-comp. 6 Requirement-Based Test Vector Generation The automated generation of an SLDV specification can be reused for automated requirement-based test vector generation. The Automotive Functional Safety standard ISO26262 [13] recommends to identify missing test vectors and unintended behavior of the implemented model by: “For each requirement, a set of test vectors should be generated. Afterwards, the structural coverage of the requirement-based test vectors shall be measured according to a suitable coverage metrics. The industry norm recommends different coverage metrics depending on the ASIL-level of the model. In case the coverage metrics reveals uncovered parts of the model, a further analysis is needed: either test vectors are missing or unintended functionality in the model has been detected.” If requirements are verified using formal verification and the implemented requirement is shown to be valid, additional, manual creation of test vectors should not be necessary. Manual creation of test vectors is a tedious work and should be limited to those requirements that are not tested using formal verification. We propose to reuse the automated generation of SLDV requirement specification for generating test vectors for these same requirements. For this purpose, we annotate the generated specification with so-called test objectives (see Fig. 11) automatically. The test objectives specify the signal valuations that must be considered during test-vector generation. The set of requirement-based test vectors depends on the chosen coverage metric. For condition coverage, a set of test vectors is required such that each condition takes every possible value, while for decision coverage a set of test vectors must generate every possible outcome for each decision. Decision coverage is closely related to branch coverage, where conditional and unconditional branches are considered. According to ISO26262, branch coverage is suitable for requirement coverage at software unit-level for ASIL A to C. However, for 14 P. Berger et al. {true, false} 1 O {true, false} 2 {true, false} OR O 1 O or Fig. 11: A logic OR block with test objectives attached. ASIL D, modified condition/decision coverage (MC/DC) is highly recommended. Additionally, it is required that all conditions contributing to a decision must independently affect the outcome of the decision. To achieve condition coverage, test objectives must be added to all Boolean input signals. For decision coverage, test objectives are needed for all Boolean output signals. If test objectives are added to all Boolean output signals and to all Boolean input signals of blocks with more than one input parameter, condition/decision coverage is achieved, which guarantees both condition and decision coverage. For MC/DC coverage, test objectives are hard to generate and currently out of scope of our project. One way to at least partly cover MC/DC would be to generate test objectives for all Boolean combinations of possible input signals. For an OR block, we currently generate vectors for both outcomes, but ”true” could be generated by inputs 01, 10 or 11—by adding additional logic we can enforce all combinations to be generated. Alternatively, we propose to use the built-in function of SLDV to compute a set of test vectors for MC/DC coverage. Unfortunately, this functionality is currently only available on model-level. To get requirement-based test vectors for the model, MC/DC must be checked at requirement (i.e. subsystem) level while test vectors must be generated for the complete model. To automate the requirement-based test vector generation, we added test objectives for condition/decision coverage to all blocks in our Simulink formal specification library. The relational operators compute Boolean output signals that also must be annotated with test objectives. Additional test objectives are necessary for all temporal operators to assure the correct length of generated test cases. Since we handle Boolean signals only, all test objectives can take the values true and false. Fig. 11 presents the implementation of the annotated Boolean Or operator from our specification library. Annotating the specification library allows the flexibility of adding/removing test objectives without adapting the source code of the specification tool. This enables the user to maintain a set of specification libraries for different coverage metrics or to create a library without any test objective annotations. Multiple Analyses, Requirements Once 7 15 Conclusion and Future Work In this paper we presented a prototypical pattern-based specification tool together with automated translations to SLDV and BTC EmbeddedPlatform together with an adaption of the SLDV input for automated test-case generation. This corresponds to the vision of enabling engineers to specify requirements with formal semantics once and then applying the requirements in multiple analyses. The tool was designed as a prototype for use inside this research project as a proof of concept. Although a big step towards a highly automated automotive verification process has been made within this project and investigations by Ford have been producing encouraging results, this is only a proof-of-concept and many open problems still need to be resolved. As future work we plan the extension of our pattern set with a few further relevant elements like time- and event-bounded response patterns. We plan to tackle the automated translation of textual legacy requirements into formal notation. Scripts are needed to further automate verification at different development levels with suitable configuration parameters, and to trigger the verification process if changes are applied to the model or the requirements. Another module should monitor the verification results and automatically report conspicuous behavior if the comparison with previous results reveals deviations. In case of invalid verification results, counterexamples should be analyzed. We plan to use the export of formalized requirements to SV-COMP like C-code patterns in order to benchmark academic C-code model checkers on industrial examples against commercial tools. References 1. Autili, M., Grunske, L., Lumpe, M., Pelliccione, P., Tang, A.: Aligning qualitative, real-time, and probabilistic property specification patterns using a structured english grammar. IEEE Transactions on Software Engineering 41(7), 620–638 (2015). https://doi.org/10.1109/TSE.2015.2398877 2. Berger, P., Katoen, J.P., Ábrahám, E., Waez, M.T.B., Rambow, T.: Verifying auto-generated c code from simulink. In: Formal Methods. pp. 312–328. Springer International Publishing (2018). https://doi.org/10.1007/978-3-319-95582-7 18 3. Beyer, D.: Software verification with validation of results - (report on SVCOMP 2017). In: Legay, A., Margaria, T. (eds.) Tools and Algorithms for the Construction and Analysis of Systems - 23rd International Conference, TACAS 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10206, pp. 331–349 (2017). https://doi.org/10.1007/978-3-662-54580-5 20 4. Bianculli, D., Ghezzi, C., Pautasso, C., Senti, P.: Specification patterns from research to industry: A case study in service-based applications. In: Proc. of ICSE. pp. 968–976. IEEE (2012). https://doi.org/10.1109/ICSE.2012.6227125 16 P. Berger et al. 5. Botham, J., Dhadyalla, G., Powell, A., Miller, P., Haas, O., McGeoch, D., Rao, A.C., O’Halloran, C., Kiec, J., Farooq, A., Poushpas, S., Tudor, N.: PICASSOS – Practical applications of automated formal methods to safety related automotive systems. In: SAE Technical Paper. SAE International (2017). https://doi.org/10.4271/2017-01-0063 6. Bozzano, M., Cimatti, A., Katoen, J., Nguyen, V.Y., Noll, T., Roveri, M.: Safety, dependability and performance analysis of extended AADL models. Comput. J. 54(5), 754–775 (2011). https://doi.org/10.1093/comjnl/bxq024 7. Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property specifications for finite-state verification. In: Proc. of ICSE. pp. 411–420. ACM (1999). https://doi.org/10.1145/302405.302672 8. Filipovikj, P., Jagerfield, T., Nyberg, M., Rodriguez-Navas, G., Seceleanu, C.: Integrating pattern-based formal requirements specification in an industrial tool-chain. In: Proc. of COMPSAC. pp. 167–173. IEEE (2016). https://doi.org/10.1109/COMPSAC.2016.140 9. Filipovikj, P., Nyberg, M., Rodriguez-Navas, G.: Reassessing the pattern-based approach for formalizing requirements in the automotive domain. In: Proc. of RE. pp. 444–450. IEEE (2014). https://doi.org/10.1109/RE.2014.6912296 10. Grunske, L.: Specification patterns for probabilistic quality properties. In: Proc. of ICSE. pp. 31–40. ACM (2008). https://doi.org/10.1145/1368088.1368094 11. Guglielmo, L.D., Fummi, F., Orlandi, N., Pravadelli, G.: DDPSL: An easy way of defining properties. In: Proc. of ICCD. pp. 468–473. IEEE (2010). https://doi.org/10.1109/ICCD.2010.5647654 12. Heizmann, M., Hoenicke, J., Podelski, A.: Software model checking for people who love automata. In: Sharygina, N., Veith, H. (eds.) Computer Aided Verification - 25th International Conference, CAV 2013, Saint Petersburg, Russia, July 1319, 2013. Proceedings. Lecture Notes in Computer Science, vol. 8044, pp. 36–52. Springer (2013). https://doi.org/10.1007/978-3-642-39799-8 2 13. ISO Central Secretary: Road vehicles Functional safety. Standard ISO 262621:2011, International Organization for Standardization, Geneva, CH (2011), https: //www.iso.org/standard/62711.html 14. Konrad, S., Cheng, B.H.C.: Real-time specification patterns. In: Proc. of ICSE. pp. 372–381. ACM (2005). https://doi.org/10.1145/1062455.1062526 15. Koymans, R.: Specifying real-time properties with metric temporal logic. RealTime Systems 2(4), 255–299 (1990). https://doi.org/10.1007/BF01995674 16. Liu, S., Wang, X., Miao, W.: Supporting requirements analysis using pattern-based formal specification construction. In: Proc. of ICFEM. pp. 100–115. Springer (2015) 17. Lumpe, M., Meedeniya, I., Grunske, L.: PSPWizard: Machine-assisted definition of temporal logical properties with specification patterns. In: Proc. of SIGSOFT/FSE. pp. 468–471. ACM (2011). https://doi.org/10.1145/2025113.2025193 18. Moitra, A., Siu, K., Crapo, A.W., Chamarthi, H.R., Durling, M., Li, M., Yu, H., Manolios, P., Meiners, M.: Towards development of complete and conflict-free requirements. In: RE. pp. 286–296. IEEE Computer Society (2018) 19. Nellen, J., Rambow, T., Waez, M.T.B., Ábrahám, E., Katoen, J.P.: Formal verification of automotive simulink controller models: Empirical technical challenges, evaluation and recommendations. In: Formal Methods. pp. 382–398. Springer International Publishing (2018). https://doi.org/10.1007/978-3-319-95582-7 23 20. Remenska, D., Willemse, T.A.C., Templon, J., Verstoep, K., Bal, H.: Property specification made easy: Harnessing the power of model checking in UML designs. In: Formal Techniques for Distributed Objects, Components, and Systems. pp. 17–32. Springer (2014) Multiple Analyses, Requirements Once 17 21. Smith, R.L., Avrunin, G.S., Clarke, L.A., Osterweil, L.J.: PROPEL: An approach supporting property elucidation. In: Proc. of ICSE. pp. 11–21. IEEE (2002). https://doi.org/10.1109/ICSE.2002.1007952 22. Teige, T., Bienmller, T., Holberg, H.J.: Universal pattern – Formalization, testing, coverage, verification, and test case generation for safety-critical requirements. In: Proc. of MBMV (2016) 23. Wong, P.Y.H., Gibbons, J.: Property specifications for workflow modelling. In: Proc. of IFM. pp. 56–71. Springer (2009) 18 A P. Berger et al. Appendix Syntax In the following we present the formal grammar for the specification of events. grammar EventGrammar; ////////////////////////////// //GRAMMAR RULES (Parser) // ////////////////////////////// ////////////////////////////// // EVENT (Start rule) // ////////////////////////////// event : expr=booleanExpression EOF; ////////////////////////////// // BOOLEAN EXPRESSIONS // ////////////////////////////// booleanExpression : booleanTerm (booleanImplication booleanTerm)*; booleanTerm : booleanFactor (booleanAddition booleanFactor)*; booleanFactor : booleanEqualityTerm (booleanMultiplication booleanEqualityTerm)*; booleanEqualityTerm : booleanBaseTerm (booleanEquality booleanBaseTerm)*; booleanBaseTerm : booleanAtom | booleanNotExpression | booleanParExpression | relationalExpression | booleanFunctionExpression booleanNotExpression : booleanNot booleanBaseTerm; booleanParExpression : leftPar booleanExpression rightPar; relationalExpression : arithmeticExpression relationalOperator arithmeticExpression; booleanFunctionExpression : booleanBinaryFunctionExpression; booleanBinaryFunctionExpression : BIT_EXTRACTION_TEXTUAL arithmeticExpression OF arithmeticExpression | booleanBinaryFunction leftPar arithmeticExpression comma arithmeticExpression rightPar; ////////////////////////////// // ARITHMETIC EXPRESSIONS // ////////////////////////////// arithmeticExpression : arithmeticFactor (arithmeticAddition arithmeticFactor)*; arithmeticFactor : arithmeticBaseTerm (arithmeticMultiplication arithmeticBaseTerm)*; arithmeticBaseTerm : arithmeticAtom | arithmeticParExpression | arithmeticSignExpression Multiple Analyses, Requirements Once 19 | arithmeticFunction arithmeticParExpression : leftPar arithmeticExpression rightPar; arithmeticSignExpression : arithmeticSign arithmeticBaseTerm; //Functions arithmeticFunction : arithmeticUnaryFunctionExpression | arithmeticBinaryFunctionExpression | temporalUnaryFunctionExpression | temporalBinaryFunctionExpression; arithmeticUnaryFunctionExpression : arithmeticUnaryFunction leftPar arithmeticExpression rightPar | arithmeticUnaryFunctionTextual arithmeticExpression; arithmeticBinaryFunctionExpression : arithmeticBinaryFunction leftPar arithmeticExpression comma arithmeticExpression rightPar | arithemticBinaryFunctionTextual arithmeticExpression AND arithmeticExpression; temporalUnaryFunctionExpression : temporalUnaryFunction leftPar arithmeticExpression rightPar | temporalUnaryFunctionTextual arithmeticExpression; temporalBinaryFunctionExpression : temporalBinaryFunction leftPar arithmeticExpression comma arithmeticBaseTerm rightPar | LAST_BINARY_TEXTUAL_0 arithmeticExpression arithmeticBaseTerm LAST_BINARY_TEXTUAL_1; /////////////// //Operators // /////////////// booleanNot : NOT; booleanAddition : OR; booleanMultiplication : AND; booleanImplication : IMPLICATION; booleanEquality : EQ; relationalOperator : EQ | GT | GTEQ | LT | LTEQ; arithmeticAddition : PLUS | MINUS; arithmeticMultiplication : TIMES 20 P. Berger et al. | DIV; arithmeticSign : PLUS | MINUS; /////////////// //Functions // /////////////// booleanBinaryFunction : BIT_EXTRACTION_FUNCTION; arithmeticUnaryFunction : ABS_FUNCTION; arithmeticUnaryFunctionTextual : ABS_TEXTUAL; arithmeticBinaryFunction : MIN_FUNCTION | MAX_FUNCTION; arithemticBinaryFunctionTextual : MIN_TEXTUAL | MAX_TEXTUAL; //temporal temporalUnaryFunction : LAST_UNARY_FUNCTION; temporalUnaryFunctionTextual : LAST_UNARY_TEXTUAL; temporalBinaryFunction : LAST_BINARY_FUNCTION; ///////////////// //Parentheses // ///////////////// leftPar : LPAR; rightPar : RPAR; ///////////////// //Other // ///////////////// comma : COMMA; ///////////////////////////////// //Identifiers and Constants // ///////////////////////////////// booleanAtom : booleanConstant | booleanIdentifier; arithmeticAtom : arithmeticConstant | arithmeticIdentifier; booleanConstant : TRUE Multiple Analyses, Requirements Once | FALSE; arithmeticConstant : INTEGER | FLOATINGPOINT; booleanIdentifier : IDENTIFIER; arithmeticIdentifier : IDENTIFIER; ////////////////////////////// //TOKENS (Lexer rules) // ////////////////////////////// ///////////////// //Constants // ///////////////// TRUE : ’TRUE’ | ’True’ | ’true’; FALSE : ’FALSE’ | ’False’ | ’false’; ///////////////// //Operators // ///////////////// //boolean OR : ’|’ | ’or’; AND : ’&’ | ’and’; NOT : ’!’ | ’not’; IMPLICATION : ’=>’ | ’implies’; //arithmetic PLUS : ’+’ | ’plus’; MINUS : ’-’ | ’minus’; 21 22 P. Berger et al. TIMES : ’*’ | ’multiplied with’; DIV : ’/’ | ’divided by’; //relational GT : ’>’ | ’is greater than’; GTEQ : ’>=’ | ’is greater or equal to’; LT : ’<’ | ’is less than’; LTEQ : ’<=’ | ’is less or equal to’; EQ : ’=’ | ’is equal to’; ///////////////// //Parentheses // ///////////////// LPAR : ’(’ | ’left parenthesis’; RPAR : ’)’ | ’right parenthesis’; ///////////////// //Other // ///////////////// OF : ’of’; COMMA : ’,’; ///////////////// //Functions // ///////////////// BIT_EXTRACTION_TEXTUAL : ’bit’; BIT_EXTRACTION_FUNCTION : ’extractBit’; ABS_FUNCTION : ’abs’; Multiple Analyses, Requirements Once 23 ABS_TEXTUAL : ’the absolute value of’; MIN_FUNCTION : ’min’; MIN_TEXTUAL : ’the minimum of’; MAX_FUNCTION : ’max’; MAX_TEXTUAL : ’the maximum of’; LAST_UNARY_FUNCTION : ’last’; LAST_UNARY_TEXTUAL : ’the previous value of’ ; LAST_BINARY_FUNCTION : ’last’; LAST_BINARY_TEXTUAL_0 : ’the value of’; LAST_BINARY_TEXTUAL_1 : ’steps ago’ ; ///////////////// //Identifiers // ///////////////// IDENTIFIER : CHAR (CHAR | SPECIAL_CHAR | DIGIT)*; CHAR : (’a’..’z’) | (’A’..’Z’); SPECIAL_CHAR : ’_’; ///////////////// //Numbers // ///////////////// INTEGER : DIGIT+; FLOATINGPOINT : DIGIT+ ’.’ DIGIT+; DIGIT :(’0’..’9’); ///////////////// //White spaces // ///////////////// WS : [ \r\t\n] + -> skip // skip spaces, tabs, newlines; Semantics The semantics of w for temporal operators that reach to the past is given by the following MTL formulas: 1. P , if s = initially, p = invariant and E = (P ), 2. [0,∞] P , if s = globally, p = invariant and E = (P ), 3. ♦[tp +td +tq ,tp +td +tq ]

[−td −tq ,td −tq ] (P S[tp ,tp ] true) → (Q S[tq ,tq ] true) , 24 P. Berger et al. if s = initially, p = responseTbEb and E = (P, Q) (Note, that a time shift of tp + td + tq is needed for this scope/pattern combination.), 4. [tp +td +tq ,∞] 
 [−td −tq ,−td −tq ] (P S[tp ,tp ] true) → (Q S[tq ,tq ] true) , if s = globally, p = responseTbEb and E = (P, Q) (Note, that a time shift of tp + td + tq is needed for this scope/pattern combination.). Supported Functions Operator Meaning abs(param) Absolute value of param. min(param1, param2) The minimum of param1 and param2. max(param1, param2) The maximum of param1 and param2. last(param) The value of param one step ago. last(param, steps) The value of param steps step ago. extractBit(index, param) The bit at position index of param. Multiple Analyses, Requirements Once B 25 Appendix In this appendix, we present the Simulink library for the formal specification of properties for SLDV. We defined sub-libraries for the specification of scopes, patterns, and events (see Figure 12). Additionally, the library contains a set of auxiliary scripts that can be called to create a specification. Fig. 12: Simulink library with sub-libraries for the specification of scopes, patterns and events. B.1 Scopes Our specification library supports the set S = {initially, globally} of scopes. A scope defines the time steps in which a pattern is evaluated. 26 P. Berger et al. initially (Category: Scope) At system start, [Pattern]. Interface Parameters: – Input parameter “Pattern”: The pattern that is evaluated at system start. Implementation Comments – No scope shift is performed. For more information on the time shift, we refer to Section 3. – Delay mask parameter “Delay length”: 1 – Delay mask parameter “Initial condition”: 1 Multiple Analyses, Requirements Once initially (Category: Scope) At system start, [Pattern]. Interface Parameters: – Input parameter “Pattern”: The pattern that is evaluated at system start. Implementation Comments – A scope shift is performed. For more information on the time shift, we refer to Section 3. – Mask parameter “Time shift”: The time step to which the scope must be shifted. – Delay mask parameter “Delay length”: 1 – Delay mask parameter “Initial condition”: 1 – Detector mask parameter “Step for input detection”: 1 – Detector mask parameter “Time steps for delay”: d − 1 – Detector mask parameter “Time steps for output duration”: 1 27 28 P. Berger et al. globally (Category: Scope) At each time step, [Pattern]. Interface Parameters: – Input parameter “Pattern”: The pattern that is evaluated at each time step. Implementation Comments – No scope shift is performed. For more information on the time shift, we refer to Section 3. Multiple Analyses, Requirements Once B.2 29 Patterns The Simulink library for formal specification supports the set P = {invariant, responseTbEb} of patterns and offers Simulink blocks for durations and delays. A pattern is a template for the definition of properties. A set of events with time durations and delays between events must be specified. invariant (Category: Pattern) [P] holds. Interface Parameters: – Input parameter “P”: The invariant event. – Output parameter “Result”: The invariant pattern result (Boolean). Implementation Comments – – 30 P. Berger et al. responseTbEb (Category: Pattern) If [P] has been valid for [Trigger duration], then in response, after a delay of [Delay] , [Q] is valid for [Response duration]. Interface Parameters: – Input parameter “Trigger P”/“Response Q”: The trigger/response event. – Output parameter “Result”: The response pattern result (Boolean). – Mask parameter “Delay”: The delay between the trigger and the response event. – Mask parameter: “Trigger duration”/“Response duration”: The duration of the trigger/response event. Implementation Subsystem implementation: Comments – Duration/Duration1 mask parameter: Trigger/Response duration – Delay mask parameter: Delay + Response duration Multiple Analyses, Requirements Once duration (Category: Pattern) [Event is valid for] Time duration simulation steps. Interface Parameters: – Input parameter “Event”: The event for which a duration is specified. – Output parameter “Timed event”: The timed event result (Boolean). – Mask parameter “Time duration”: The duration of the event in simulation steps. Implementation Comments – Detector mask parameter “External reset”: No – Detector mask parameter “Time steps for input detection”: time Duration – Detector mask parameter “Time steps for delay (optional)”: 0 – Detector mask parameter “Time steps for output duration”: 1 – A test objective is added to ensure generated test vectors of the correct length. 31 32 P. Berger et al. delay (Category: Pattern) after a delay of Time duration simulation steps, [Event is valid]. Interface Parameters: – Input parameter “Event”: The event which is delayed. – Output parameter “Delayed event”: The delayed event result (Boolean). – Mask parameter “Time Delay”: The delay of the event in simulation steps. Implementation Comments – Detector mask parameter “External reset”: No – Detector mask parameter “Time steps for input detection”: 1 – Detector mask parameter “Time steps for delay (optional)”: time Duration – Detector mask parameter “Time steps for output duration”: 1 – A test objective is added to ensure generated test vectors of the correct length. Multiple Analyses, Requirements Once B.3 33 Events Events are specified in a subsystem using building blocks from the specification library for signals, constants, calibration parameters, operators and functions. For each input signal of the event, a “signal in” block is used and its output is connected to the input of a “signal goto” block. This provides the interface and allows to access the signal using a “signal from” block during event specification. Our event library contains sub-libraries for signals and parameters and for operators and funcations (see Figure 13). Fig. 13: Simulink library for events with sub-libraries for the specification of signals and parameters and for operators and functions. Signals, Constants and Calibration Parameters 34 P. Berger et al. input/output signal (Category: Event – Signals and Parameters) – Interface Parameters: – Mask parameter “Port number”: The number of the corresponding input/output port. Implementation – Comments – Used to define the interface for (verification) subsystems. Multiple Analyses, Requirements Once signal (Category: Event – Signals and Parameters) signal name, e.g. signal A Interface Parameters: – Mask parameter “Goto Tag”: The tag of the corresponding signal goto block. Implementation – Comments – Each signal in block is connected with a signal goto block to make the signal accessible during event specification. – Signal from blocks are used for the specification of signals inside the event specification. 35 36 P. Berger et al. constant (Category: Event – Signals and Parameters) constant name, e.g. constant A Interface Parameters: – Mask parameter “Constant value”: The numerical value of the constant. Implementation Comments – – Multiple Analyses, Requirements Once 37 calibration parameter (Category: Event – Signals and Parameters) signal name, e.g. calibration A Interface Parameters: – Mask parameter “Calibration parameter”: The name of the corresponding calibration parameter. Implementation Comments – – Operators and Functions The sub-library for operators and functions is further divided into sub-libraries for Boolean operators, arithmetic operators, relational operators, functions and parentheses (see Figure 14). 38 P. Berger et al. Fig. 14: Simulink library for events with sub-libraries for the specification of signals and parameters and for operators and functions. not (Category: Event – Operators and Functions – Boolean Operators) not [In1] Interface Parameters: – Input parameter “In1”: input that is negated. – Output parameter “Out1”: negation of the input. Implementation Comments – A test objective is added for the generation of test vectors for true/false result. Multiple Analyses, Requirements Once and (Category: Event – Operators and Functions – Boolean Operators) [In1] and [In2] Interface Parameters: – Input parameter “In1”/“In2”: The inputs to which the and operator is applied. – Output parameter “Out1”: The logical and of the two input parameters. Implementation Comments – Test objectives are added for the generation of test vectors for all possible input combinations. – A test objective is added for the generation of test vectors for true/false result. 39 40 P. Berger et al. or (Category: Event – Operators and Functions – Boolean Operators) [In1] or [In2] Interface Parameters: – Input parameter “In1”/“In2”: The inputs to which the or operator is applied. – Output parameter “Out1”: The logical or of the two input parameters. Implementation Comments – Test objectives are added for the generation of test vectors for all possible input combinations. – A test objective is added for the generation of test vectors for true/false result. Multiple Analyses, Requirements Once implies (Category: Event – Operators and Functions – Boolean Operators) [A] implies [B] Interface Parameters: – Input parameter “A”/“B”: The inputs to which the implication operator is applied. – Output parameter “A ⇒ B”: The logical implication of the two input parameters. Implementation Comments – Test objectives are added for the generation of test vectors for all possible input combinations. – A test objective is added for the generation of test vectors for true/false result. 41 42 P. Berger et al. plus (Category: Event – Operators and Functions – Arithmetic Operators) [a] plus [b] Interface Parameters: – Input parameter “a”/“b”: The inputs to which the addition operator is applied. – Output parameter “a+b”: The addition of the two input parameters. Implementation Comments – – Multiple Analyses, Requirements Once minus (Category: Event – Operators and Functions – Arithmetic Operators) [a] minus [b] Interface Parameters: – Input parameter “In1”/“In2”: The inputs to which the subtraction operator is applied. – Output parameter “a-b”: The subtraction of the two input parameters. Implementation Comments – – 43 44 P. Berger et al. multiplication (Category: Event – Operators and Functions – Arithmetic Operators) [a] multiplied with [b] Interface Parameters: – Input parameter “a”/“b”: The inputs to which the multiplication operator is applied. – Output parameter “a*b”: The multiplication of the two input parameters. – Mask parameter “Number of inputs”: “2”. – Mask parameter “Multiplication”: Element-wise(.*). Implementation Comments – – Multiple Analyses, Requirements Once division (Category: Event – Operators and Functions – Arithmetic Operators) [a] divided by [b] Interface Parameters: – Input parameter “a”/“b”: The inputs to which the division operator is applied. – Output parameter “a/b”: The division of the two input parameters. – Mask parameter “Number of inputs”: “*/”. – Mask parameter “Multiplication”: Element-wise(.*). Implementation Comments – – 45 46 P. Berger et al. plus sign (Category: Event – Operators and Functions – Arithmetic Operators) plus [a] Interface Parameters: – Input parameter “a”: The inputs to which the positive sign is applied. – Output parameter “+a”: The computation result. Implementation Comments – – Multiple Analyses, Requirements Once minus sign (Category: Event – Operators and Functions – Arithmetic Operators) minus [a] Interface Parameters: – Input parameter “a”: The inputs to which the negative sign is applied. – Output parameter “-a”: The computation result. Implementation Comments – – 47 48 P. Berger et al. less (Category: Event – Operators and Functions – Relational Operators) [a] is less than [b] Interface Parameters: – Input parameter “a”/“b”: The inputs which are compared using the less operator. – Output parameter “a<b”: The comparison result. Implementation Comments – A test objective is added for the generation of test vectors for true/false result. Multiple Analyses, Requirements Once less or equal (Category: Event – Operators and Functions – Relational Operators) [a] is less or equal to [b] Interface Parameters: – Input parameter “a”/“b”: The inputs which are compared using the less or equal operator. – Output parameter “a≤b”: The comparison result. Implementation Comments – A test objective is added for the generation of test vectors for true/false result. 49 50 P. Berger et al. greater (Category: Event – Operators and Functions – Relational Operators) [a] is greater than [b] Interface Parameters: – Input parameter “a”/“b”: The inputs which are compared using the greater operator. – Output parameter “a>b”: The comparison result. Implementation Comments – A test objective is added for the generation of test vectors for true/false result. Multiple Analyses, Requirements Once greater or equal (Category: Event – Operators and Functions – Relational Operators) [a] is greater or equal to [b] Interface Parameters: – Input parameter “a”/“b”: The inputs which are compared using the greater or equal operator. – Output parameter “a≥b”: The comparison result. Implementation Comments – A test objective is added for the generation of test vectors for true/false result. 51 52 P. Berger et al. equal (Category: Event – Operators and Functions – Relational Operators) [a] is equal to [b] Interface Parameters: – Input parameter “a”/“b”: The inputs which are compared using the equal operator. – Output parameter “a==b”: The comparison result. Implementation Comments – A test objective is added for the generation of test vectors for true/false result. Multiple Analyses, Requirements Once min (Category: Event – Operators and Functions – Functions) the minimum of [a] and [b] Interface Parameters: – Input parameter “a”/“b”: The inputs from which the minimum is selected. – Output parameter “min(a,b)”: The minimum of the two inputs. – Mask parameter “Function”: min. – Mask parameter “Number of input ports”: 2. Implementation Comments – – 53 54 P. Berger et al. max (Category: Event – Operators and Functions – Functions) the maximum of [a] and [b] Interface Parameters: – Input parameter “a”/“b”: The inputs from which the maximum is selected. – Output parameter “max(a,b)”: The maximum of the two inputs. – Mask parameter “Function”: max. – Mask parameter “Number of input ports”: 2. Implementation Comments – – Multiple Analyses, Requirements Once abs (Category: Event – Operators and Functions – Functions) the absolute value of [a] Interface Parameters: – Input parameter “a”: The inputs for which the absolute value is computed. – Output parameter “abs(a)”: The absolute value of the input. Implementation Comments – – 55 56 P. Berger et al. last (Category: Event – Operators and Functions – Functions) the value of [a] [delay] simulation steps ago Interface Parameters: – Input parameter “a”: The input for which the past value is computed. – Output parameter “last(a,delay)”: The value of the input a delay simulation steps ago. – Mask parameter “Time delay”: The number of steps the last operator reaches. Implementation Comments – Mask parameter “Delay length” of Delay block: Source= Dialog, Value = delay. – A test objective is added to ensure generated test vectors of the correct length. Multiple Analyses, Requirements Once extractBit (Category: Event – Operators and Functions – Functions) bit [bit] of [a] Interface Parameters: – Input parameter “a”: The input from which a bit is extracted. – Output parameter “extractBit(a,bit)”: The value of bit “bit” of the input a. – Mask parameter “Bit”: The number of the bit that is to be extracted. Implementation Comments – Mask parameter “Bits to extract” of Extract Bits block: Range of bits. – Mask parameter “Bit indices” of Extract Bits block: [bit, bit]. 57 58 P. Berger et al. parenthesis (Category: Event – Operators and Functions – Functions) ([In1]) Interface Parameters: – Input parameter “In1”: The input that should be surrounded by a parenthesis. – Output parameter “Out1”: The computed parenthesis expression. Implementation Comments – – B.4 Scripts Currently, the library is shipped with a single script that defines a matlab function to connect the inputs of a specification block with matching signals in the Simulink model. Multiple Analyses, Requirements Once addSubsystemConnection Parameters: – Input parameter “systempath”: The path to the top-level verification subsystem of the specification. – Input parameter “blockName”: The name of the top-level verification subsystem of the specification. – Input parameter “signalNames”: A list of strings that contains the names of the input signals of the top-level specification block. Description This function connects the inports of a verification subsystem with the matching signals in the selected (sub)model. For each input signal in the list of signal names, a search for a matching signal is started. In a first step, the input and output signals of the selected (sub)system are searched. If no matching signal name is found, all nested subsystems are searched, starting with the innermost subsystem. If the search is successful, a Data Store Write block is attached to the signal source. Additionally, a corresponding Date Store block is added to the selected (sub)system and the corresponding inport is connected with the output of a Data Store Read block. If no matching signal is found, an error message is printed. 59