



**TECHNICAL LETTER REPORT**  
TLR-RES-RES/DE-2024-005

---

# The HARDENS Final Report

---

May 2024

Authored by:

**Joseph Kiniry, Alexander Bakst, Simon Hansen,  
Michal Podhradsky, and Andrew Bivin**

Galois

Contracting Officer Representative:

**Derek Halverson**

U.S. Nuclear Regulatory Commission

**Division of Engineering  
Office of Nuclear Regulatory Research  
U.S. Nuclear Regulatory Commission  
Washington, DC 20555–0001**

Prepared as part of contract/order number 31310021C0014,  
“Assessment of Model-Based Systems Engineering Processes in a  
Regulatory Review Context for Digital Instrumentation and Controls  
(I&C) of Existing NPPs”

Material under Galois copyright is used with permission.

**DISCLAIMER**

This report was prepared as an account of work sponsored by an agency of the U.S. Government. Neither the U.S. Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product, or process disclosed in this publication, or represents that its use by such third party complies with applicable law.

**This report does not contain or imply legally binding requirements. Nor does this report establish or modify any regulatory guidance or positions of the U.S. Nuclear Regulatory Commission and is not binding on the Commission.**

## FOREWORD

The following report was produced as part of work performed for a future focused research project for the US Nuclear Regulatory Commission titled “Assessment of Model Based Software Engineering Processes in a Regulatory Review Context for Digital I&C of Existing Nuclear Power Plants.”

This research project contracted an experienced entity to implement a simple protection system using both: (1) highly integrated computer-based engineering development processes, and (2) model-based engineering. This would serve as a pilot that starts with a defined protection system, applies model based methods to its development, and would then support assessment of how the methods and their artifacts demonstrate technical adequacy against related regulatory criteria. The result was the High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS) project, which is described in this report. It should be noted that the HARDENS project serves as a demonstration of concepts and methods, and was only required to implement portions of the functional and regulatory requirements of a reactor protection system. The demonstration of its technical soundness was to be at a level consistent with satisfaction of the current regulatory criteria, although with no explicit demonstration of how regulatory requirements are met.

The HARDENS project has continued beyond the duration of NRC funded research. The HARDENS code, as well as presentations, updates on this report, and other documentation are located on GitHub at: <https://github.com/GaloisInc/HARDENS>

The project is open source under an Apache License, Version 2.0, as described at:  
<https://github.com/GaloisInc/HARDENS?tab=Apache-2.0-1-ov-file>

*Page intentionally left blank*

# HARDENS Final Report

Joseph Kiniry, Alexander Bakst, Simon Hansen, Michal  
Podhradsky, and Andrew Bivin

Galois

October 2022

# Contents

|                                                                   |           |
|-------------------------------------------------------------------|-----------|
| <b>1 Executive Summary</b>                                        | <b>5</b>  |
| <b>2 Introduction</b>                                             | <b>9</b>  |
| 2.1 Early Modeling Languages: UML and SysML . . . . .             | 10        |
| 2.2 Semantic Modeling . . . . .                                   | 10        |
| 2.3 Verification Competitions: Driving Tools to Utility . . . . . | 11        |
| 2.4 Grounded Modeling: Connecting Models and Code . . . . .       | 13        |
| 2.4.1 Disconnected Models . . . . .                               | 13        |
| 2.4.2 Fully Connected Models . . . . .                            | 14        |
| 2.5 Assurance Cases . . . . .                                     | 15        |
| 2.5.1 Tool Support for Assurance Case Presentation . . . . .      | 15        |
| 2.5.2 The HARDENS Assurance Case and its Presentation . .         | 16        |
| <b>3 Model-based Engineering</b>                                  | <b>18</b> |
| 3.1 Basic Facts of Model-Based Engineering . . . . .              | 18        |
| 3.2 Engineering in the 2020s . . . . .                            | 18        |
| 3.3 Novel Improvements . . . . .                                  | 19        |
| 3.4 Typical Set of MBE Technologies . . . . .                     | 20        |
| 3.4.1 Modeling Languages . . . . .                                | 20        |
| 3.4.2 Modeling Environments . . . . .                             | 20        |
| 3.4.3 Programming Languages . . . . .                             | 21        |
| 3.4.4 Reasoning Tools . . . . .                                   | 21        |
| 3.4.5 Specification Languages . . . . .                           | 21        |
| 3.4.6 Operating Systems and Related Technologies . . . .          | 22        |
| 3.5 MBE Technologies that Really Work . . . . .                   | 22        |
| 3.6 MBE for High-Assurance Engineering . . . . .                  | 23        |
| 3.7 Gap Analysis . . . . .                                        | 24        |
| 3.7.1 Market Gaps . . . . .                                       | 24        |
| 3.7.2 Research Gaps . . . . .                                     | 25        |
| 3.7.3 Practice Gaps . . . . .                                     | 26        |
| <b>4 Reviewing Model-based Systems</b>                            | <b>27</b> |
| 4.1 Reviewing . . . . .                                           | 27        |
| 4.2 Tool Dependencies . . . . .                                   | 28        |

|          |                                                            |           |
|----------|------------------------------------------------------------|-----------|
| 4.3      | Trust, but Verify . . . . .                                | 28        |
| 4.4      | Key Relations . . . . .                                    | 29        |
| 4.5      | Validating Models . . . . .                                | 37        |
| 4.6      | Validating Model-Implementation Correspondences . . . . .  | 39        |
| 4.7      | Validating Claims . . . . .                                | 40        |
| 4.8      | Key Questions to Answer . . . . .                          | 43        |
| <b>5</b> | <b>The HARDENS Reactor Trip System (RTS) Demonstrator</b>  | <b>44</b> |
| 5.1      | RTS Overview . . . . .                                     | 45        |
| 5.2      | Specifications . . . . .                                   | 45        |
| 5.2.1    | High-Level System Specifications . . . . .                 | 45        |
| 5.3      | The Reactor Trip System's Goals . . . . .                  | 46        |
| 5.3.1    | Scope of Work . . . . .                                    | 47        |
| 5.3.2    | Domain Engineering Model . . . . .                         | 48        |
| 5.3.3    | Feature Model . . . . .                                    | 49        |
| 5.3.4    | Formalized Requirements . . . . .                          | 50        |
| 5.4      | System Architecture and Models . . . . .                   | 51        |
| 5.5      | Executable Behavioral Model . . . . .                      | 51        |
| 5.5.1    | CRYPTOL Model . . . . .                                    | 52        |
| 5.5.2    | Formal Requirements Satisfaction . . . . .                 | 52        |
| 5.6      | Behavioral Model-based Interface Specification . . . . .   | 53        |
| 5.7      | Implementation . . . . .                                   | 53        |
| 5.7.1    | Hardware Components . . . . .                              | 53        |
| 5.7.2    | Software Components . . . . .                              | 57        |
| 5.7.3    | Model-derived Components . . . . .                         | 58        |
| 5.7.4    | Hand-Written Components . . . . .                          | 59        |
| 5.8      | V & V artifacts . . . . .                                  | 60        |
| 5.8.1    | Reviewing and Tracing Evidence . . . . .                   | 60        |
| 5.8.2    | Specification Consistency . . . . .                        | 60        |
| 5.8.3    | Model-based Assurance . . . . .                            | 61        |
| 5.8.4    | Kinds of Evidence . . . . .                                | 62        |
| 5.8.5    | Assurance of the RTS . . . . .                             | 63        |
| 5.8.6    | Hand-written . . . . .                                     | 66        |
| <b>6</b> | <b>Conclusion</b>                                          | <b>81</b> |
| 6.1      | What is Next for the RTS . . . . .                         | 82        |
| <b>A</b> | <b>Lando Models</b>                                        | <b>85</b> |
| A.1      | Top-level RTS Domain Engineering Model Structure . . . . . | 85        |
| A.2      | Project Acronyms . . . . .                                 | 86        |
| A.3      | System Architecture . . . . .                              | 88        |
| A.4      | System Dataflow . . . . .                                  | 90        |
| A.5      | System Events . . . . .                                    | 91        |
| A.6      | Project Glossary . . . . .                                 | 93        |
| A.7      | System Hardware . . . . .                                  | 98        |
| A.8      | System Instrumentation . . . . .                           | 100       |

|          |                                                        |            |
|----------|--------------------------------------------------------|------------|
| A.9      | Project Requirements . . . . .                         | 102        |
| A.10     | System Requirements . . . . .                          | 104        |
| A.11     | System Behavioral Scenarios . . . . .                  | 104        |
| A.12     | System Test Scenarios . . . . .                        | 104        |
| A.13     | System Tool Scenarios . . . . .                        | 108        |
| <b>B</b> | <b>Lobot Model</b>                                     | <b>110</b> |
| <b>C</b> | <b>FRET Specification</b>                              | <b>113</b> |
| <b>D</b> | <b>SysMLv2 Model</b>                                   | <b>137</b> |
| D.1      | Top-level SysMLv2 Architecture Specification . . . . . | 137        |
| D.2      | RTS Actions . . . . .                                  | 138        |
| D.3      | RTS Characteristics . . . . .                          | 139        |
| D.4      | RTS Contexts . . . . .                                 | 140        |
| D.5      | RTS Glossary . . . . .                                 | 140        |
| D.6      | RTS Hardware Artifacts . . . . .                       | 145        |
| D.7      | RTS Implementation Artifacts . . . . .                 | 147        |
| D.8      | RTS Physical Architecture . . . . .                    | 147        |
| D.9      | RTS Properties . . . . .                               | 148        |
| D.10     | RTS Requirements . . . . .                             | 149        |
| D.11     | RTS Scenarios . . . . .                                | 150        |
| D.12     | RTS Stakeholders . . . . .                             | 151        |
| D.13     | RTS Static Architecture . . . . .                      | 152        |
| D.14     | RTS Viewpoints . . . . .                               | 158        |
| D.15     | Semantic Properties . . . . .                          | 159        |
| <b>E</b> | <b>Cryptol Model</b>                                   | <b>163</b> |
| E.1      | Top-level RTS CRYPTOL model . . . . .                  | 163        |
| E.2      | CRYPTOL model of the Actuation Unit . . . . .          | 168        |
| E.3      | CRYPTOL model of the Actuator . . . . .                | 170        |
| E.4      | CRYPTOL model of the Instrumentation Unit . . . . .    | 170        |
| E.5      | CRYPTOL Utility Functions . . . . .                    | 175        |
| E.6      | SAW Model . . . . .                                    | 176        |
| E.6.1    | SAWscript to test the Actuator . . . . .               | 176        |
| E.6.2    | SAWscript to test the Actuation Unit . . . . .         | 176        |
| E.6.3    | SAWscript to test the Instrumentation Unit . . . . .   | 177        |
| E.6.4    | SAWscript to test the Saturation . . . . .             | 177        |
| E.6.5    | SAWscript some standard definitions . . . . .          | 178        |
| E.7      | HDL Implementation . . . . .                           | 178        |
| E.7.1    | HDL model of Instrumentation . . . . .                 | 178        |
| E.7.2    | HDL model of Actuator . . . . .                        | 179        |
| E.7.3    | HDL model of Actuation Unit . . . . .                  | 179        |
| E.8      | BlueSpec Implementations . . . . .                     | 194        |
| E.9      | ACSL Model . . . . .                                   | 211        |
| E.9.1    | ACSL Model of the Actuation Unit . . . . .             | 211        |



# Chapter 1

## Executive Summary

This is the final report of the *High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)* project. In this project, Galois has developed a high-assurance, safety-critical demonstration system for the Nuclear Regulatory Commission using Rigorous Digital Engineering (RDE). The system in question is a Digital Instrumentation and Control (DI&C) system for Nuclear Power Plants (NPPs), and is called the Reactor Trip System (RTS).

RDE is the combination of *Model-based Engineering*, *Digital Engineering*, and *Applied Formal Methods*. The engineering focus of RDE is broad, as we have used it to perform *software*, *firmware*, *hardware*, *systems*, *domain*, *requirements*, *product line*, *safety*, and *security engineering* of *high-assurance*, *secure-by-design systems*. The HARDENS project includes nearly all of these kinds of engineering, but for security engineering at this time.

To our knowledge, this demonstrator is the most rigorously specified and assured system of its kind that includes formally assured software and hardware for a safety-critical system.

*Model-based Engineering* focuses on the use of semi-formal and formal models and their properties to describe aspects of a system independent of a particular implementation. Models are connected to each other through a variety of relations (refinement, containment, subtyping/subsumption/implication, traceability, etc.), models are either or both denotational or operational (and thus executable), and models are used to specify, examine, understand, and reason about a system well-prior to a line of code ever being written. Models are used for rigorous validation—through automatic model-based test bench generation and bisimulation—and formal verification—through automatic model-based verification bench generation.

The models used in HARDENS include, from most to least abstract:

- a Lando high-level system specification model, which includes within it:
  - a domain engineering model,
  - a requirements engineering model, which includes:

- \* derived certification requirements,
  - \* contractual requirements,
  - \* safety requirements, and
  - \* correctness requirements.
- a product line (feature) model,
- a static system model,
- a dataflow model of the RDE methodology,
- a system event model,
- a system scenario model (including all normal and exceptional behaviors),
- a hardware, software, and evidence Bill of Materials (BOMs),
- a SysMLv2 system model, which includes within it, as refined directly from the Lando model:
  - a stakeholder model,
  - a domain engineering model,
  - a requirements engineering model,
  - property specifications for all correctness and safety properties derived from the formal requirements model,
  - a product line (feature/variant) model,
  - a static system model that includes both the software and hardware manifestations of the system,
  - a system action model, and
  - a validation and verification assurance case model.
- a formal requirements model expressed in JPL’s FRET tool, as refined from the Lando and SysMLv2 requirements models above,
- a Cryptol model of the entire system, including all subsystems and components, including formal, executable digital twin models of the system’s sensors, actuators, and compute infrastructure, and this Cryptol model includes a refinement of all formal requirements from FRET into Cryptol properties (theorems) about the Cryptol model itself,
- a model of the semantics of the RISC-V instruction set,
- a model-based specification of critical portions of the RTS’s software stack expressed in ACSL,
- an executable and synthesizable Bluespec System Verilog model of a family of RISC-V-based SoCs, and
- a System Verilog executable and synthesizable model of a simple, in-order 32-bit RISC-V CPU (NERV, from YosysHQ).

Digital Engineering focuses on the use of *digital twins* of physical systems, subsystems, and their components. A digital twin is typically an executable model that has known and measurable objective fidelity in relation to the models or systems that relate to the twin. For example, an executable Cryptol or SCADE model are a digital twins.

The HARDENS system includes several digital twins, including simulation and emulation of the system hardware (CPUs and SoCs), software implementation, and system model.

Applied formal methods are the sensible use of formal methods concepts, tools, and technologies to formally specifying and reasoning about systems and their properties. In the context of RDE and the HARDENS project, we use formal methods to achieve the following assurance:

- critical components of the RTS are automatically synthesized from Cryptol model into both formally verifiable C implementations and formally verifiable System Verilog implementations,
- automatically generated C code and hand-written implementations of the same models are used to fulfill safety-critical redundancy and fault-tolerance requirements, and all of those implementations are formally verified both against their model, as well as verified against each other as being equivalent, using Frama-C and Galois's SAW tool,
- the RISC-V CPU is formally verified against the RISC-V ISA specification using the Yosys open source verification tool,
- the RISC-V-based SoC is rigorously assured against the automatically generated end-to-end test bench,
- the formal requirements specified in FRET are formally verified for consistency, completeness, and realizability using SAT and SMT solvers,
- the refinement of these requirements into Cryptol properties are used as model validation theorems to rigorously check and formally verifying that the Cryptol model conforms to the requirements,
- the Cryptol model is used to automatically generate a component-level and end-to-end test bench (in C) for the entire system, and that test bench is executed on all digital twins and (soon) the full hardware implementation as well, and
- all models and assurance artifacts are traceable and sit in a semi-formal refinement hierarchy that spans semi-formal system specification written in precise natural language all of the way down for formally assured source code (in verifiable C), (a side-effect of the optional use of CompCert) binaries, and hardware designs (in System Verilog and Bluespec System Verilog).

While there are numerous relevant artifacts contained in this report and in the project repository, this project’s focus was not on correct-by-construction techniques nor on the assurance case for a model-based system. Such work is likely the focus of future, follow-up projects.

The appendices of this report are automatically generated from the project artifacts using the *RDE Refinement Finder* tool, developed in parallel with this project. As such, a large fraction of refinements embodied in the RDE process and methodology are discovered and hyperlinked therein, permitting one to navigate the project specifications, implementations, and assurance evidence via a PDF.

Clearly there is a lot more that such a tool can accomplish with further revision. The tool highlights when the RTS artifacts themselves are not in full alignment via refinement, so as this system sees future development and evolution, it will undoubtedly drift decidedly toward complete refinement via RDE.

## Chapter 2

# Introduction

Models have been a part of computer science since its very beginnings. Naturally, given that computer science is the daughter of mathematics, many early models were defined with foundational mathematics and logics, such as set theory and type theory.

Such models, while useful for describing and analyzing conceptual artifacts, are very often far from the day to day artifacts of engineering, such as the source code of an application or the design of a printed circuit board. Thus modeling languished into narrow subdisciplines of computer science, mainly those called “formal methods” and “programming languages.”

Other disciplines of engineering, such as structural and mechanical, needed their models to be closer to reality decades before it was necessary in computer science. Partly this timing was driven by the real world requirements of the field: a bridge must withstand normal and extraordinary environmental forces on it for its lifespan. Partly it was driven by the cost of early mistakes and failures: correcting a building mistake is very costly in materials and time. Partly it was driven by matters of scale: e.g., the need to manufacture thousands of identical widgets as a part of a production line.

But mostly it was due to matters driven by external societal requirements due to the safety-centric nature of engineered structures, such as liability insurance, contractual culpability in the case of structural failure, and, indirectly, manifested in the form of engineering certifications.

Unlike much of software engineering, structural engineers do not get to “wing it” while building that bridge, changing their mind as they go because of earlier mistakes made in a rush. If the bridge collapses, they do not just shrug and try something again. It is not virtuous to define a team’s goals every week and rush toward those goals, demonstrating that that frame of a house somehow resembles what the concrete structure will someday look like.

Over the past twenty-five years, models in computer science—particularly in software and hardware engineering—have crept closer and closer to the found, reused, and created artifacts of engineering. In the 1980s, models resembled code only if one squinted right through a very abstract lens; in 2022, models

and code are sometimes interchangeable and deeply connected.

## 2.1 Early Modeling Languages: UML and SysML

The rise of popularity of object-oriented languages in the early 1990s was a catalyst for the rapid creation of, experimentation with, and standardization of a host of modeling languages, such as the Unified Modeling Language (UML) and its ancestors and predecessors. While millions of models were described with UML, rarely would two model readers or writers precisely agree upon what their shared model meant.

The fundamental reason why there are these kinds of disagreements is that UML was created *without a formal semantics*. Semantics give meaning to things—models and code—and without semantics, everyone, and every tool, is free to interpret the meaning of a concept in their own way. UML did have a *specification*, but it was written in English and was full of omissions, ambiguities, and contradictions.

In the early 00s, researchers from several institutions spent years formalizing parts of UML, but in the end there was no agreement upon what constituted **the** semantics for UML, and few-to-no tools paid attention to semantics-centric research. This lack of formal foundation would come back to haunt not only those that tried to apply UML to rigorous software engineering, but also the future of systems engineering.

In the early 00s, development on the System Modeling Language, SysML, began. SysML was created as a *profile* on top of UML, thus it could both extend and leverage UML in a variety of ways: principally to design SysML’s meta-model, to include a subset of UML diagrams about which there was already substantial use and practical agreement of utility. Unfortunately, because UML’s lack of widely agreed upon semantic underpinnings, SysML took UML’s albatross and fattened it up.

Consequently, SysML (version 1, hereafter written as *SysMLv1*), while widely deployed now within industry and the DIB, is mainly used to specify the simplest and least semantic of system properties: static architectures, structured system requirements, and a small subset of behaviors at best.

Thus, in the end, UML and SysMLv1 are widely used, but are not “meaningful” in a formal sense, since they do not have accepted semantics that are concretized in tools, and have few means by which to connect models and code, as discussed later in section 2.4.

## 2.2 Semantic Modeling

In order to have “meaningful” models, models must be written in languages that have a formal description which is amenable to automated or interactive reasoning. A formal description typically must include: (1) a concrete and abstract syntax, (2) that syntax may be either or both textual and graphical, (3) a

type system which denotes which specifications are well-formed and meaningful, and (4) one or more semantics (axiomatic, operational, or denotational) in order give meaning to any specification.

Also, in order to be a *useful* modeling language, the language must also have (5) tools which support the efficient writing, rendering, type checking, and dynamic or static reasoning about specifications.

Many modeling languages have been invented over the decades that fulfill some of these requirements, and some of those modeling languages fulfill all of these requirements. Some of the more popular and high-impact high-level modeling languages that fulfill all of these requirements include (in alphabetical order): Alloy, B, BON, Event-B, Maude, OBJ and its daughters, SCADE (and its ancestor, Lustre), SPIN, UPPAAL, VDM and its daughters, Z and its daughters.

Formal specifications can also be written directly in logic. Logics come in various flavors, each with an increasing amount of expressiveness that comes with an automation tradeoff: propositional logic is less expressive than first order logic (FOL), which is less expressive than second order logic (SOL), which is less expressive than higher order logic (HOL). The most popular tools that provide support for what amounts to “logical” modeling languages for these different logics include a variety of SAT (Boolean SATisifiability) solvers, Satisfiability Modulo Theory (SMT) solvers, FOL and SOL solvers, and Logical Frameworks (LFs) such as Coq, Isabelle, LEAN, and PVS.

Formal specifications written in these languages are necessarily “reasonable”, as one must specify every single thing about a language for the tool to be ‘ok’ with its use. Of course, those languages that are only specified in an LF nearly always force one to interactively reason about specifications and their models, which is a complicated and sometimes expensive proposition at best. Languages that have *both* a complete HOL semantics *and* are supported by automated reasoning tools hit the sweet spot of well-foundedness, completeness, and usability.

## 2.3 Verification Competitions: Driving Tools to Utility

Formal modeling and reasoning tools are a dime a dozen. Over the years, hundreds of tools have been created to explore various specification and reasoning challenges and different domains. For a time, there was little coherence or coordination across the domain, thus to use two tools, one had to learn two input languages, and both tools’ behaviors and capabilities.

Over time, this fragmentation was recognized as an impediment to transition and the joint/mutual use of multiple tools for a single problem or system. Thus, a consolidation of input formats began to occur.

Some input formats were determined by parties outside that of the modeling and reasoning community. If one is going to reason about programming language

$X$ , your tool has to be able to read and understand  $X$ .

Other input formats were created with the express intent of having a shared language or platform across a subdomain of modeling or reasoning. Subcommunities of researchers came/come together to define modeling and specification languages by combining the best ideas of earlier work, and these shared languages provide the commonality necessary to enable multi-faceted modeling and reasoning.

Once this commonality came to pass, soon after contests associated with conferences emerged as a means by which to compare apples to apples in reasoning communities. Contests drive R&D teams in two ways. First, contests provide a means by which to challenge the community with new kinds of reasoning goals: goals of scale, new theories, new properties, etc. Second, contests drives teams to aggressively explore new algorithms, internal representations, programming techniques, and more in order to achieve community goals.

As a consequence, several different verification contests now regularly run spanning various branches of modeling and reasoning. For example, a few of the more prominent competitions include SV-COMP, MCC, SAT, SMT-COMP, and VerifyThis.<sup>1</sup>

**SV-COMP** is the “software verification” competition, which focuses on general-purpose tools for modeling and reasoning about software written in the C programming language. **MCC** is a competition that focuses on general-purpose model checking, mainly specified via a modeling formalism called Petri nets. **SAT** is the longest running competition, which focuses on problems in Boolean SATisifiability—a foundational abstraction used by many reasoning techniques. **SMT-COMP** complements SAT, insofar as it focuses on reasoning about the satisfiability of models, modulo various algebraic theories. Finally, VerifyThis is the big-picture, general-purpose competition that permits teams to use any approach they like to specifying and reasoning about models and implementations.

Modern advanced modeling and verification was enabled by four key environmental factors: (1) mathematical sophistication sufficient for real world program reasoning, reinforced by mechanized reasoning environments, (2) the researcher community’s willingness and bravery to tackle real world programming and modeling languages, (3) the dramatic rise in computational resources (primarily the Gb boundary, as the sweet spot of productivity hit once RAM sizes passed 1 Gb and CPU performance passed 1 GHz), but perhaps most importantly, (4) the competitive nature of these competitions, pushing research teams beyond the threshold of academic publication, and toward usability and robustness.

---

<sup>1</sup>There are many other competitions, many of which are summarized and enumerated on Alastair Reid’s [Verification Competitions](#) blog post.

## 2.4 Grounded Modeling: Connecting Models and Code

While there are many kinds of modeling and reasoning, only a small fraction of modeling and reasoning is about *implementations*.

Partly this is due to the historic trends of research communities. Many, perhaps even most, lines of work in modeling and reasoning are classically grounded in the research area called *formal methods*.

Formal methods is the application of logical or mathematical techniques to the specification and reasoning of systems. Since formal methods is wholly grounded in formality via mathematics, it is no surprise that most of the early formal methods researchers were mathematicians. But for decades, “programming” was viewed akin to bricklaying, and thus was uninteresting to mathematicians-cum-computer scientists. Consequently, and perhaps surprisingly, the vast majority of modeling languages and their reasoning tools have little to nothing to do with *programs*.

Modeling languages and tools that have no direct connection to code are not inherently flawed, or the wrong tools to use. They can be used very effectively to reason about critical aspects of systems, especially systems whose models are terrifically complex, such as those that exhibit large amounts of concurrency. Likewise, thinking and reasoning at a more abstract level (at least, more abstract than raw code), or in a domain specific fashion, is commonly enormously more effective and scalable than reasoning about implementations in general purpose programming languages.

### 2.4.1 Disconnected Models

But in doing so, one must ask, “How is the analysis obtained by this language or tool affected in the system which it purports to describe?” More often than not, these kinds of “disconnected” models fall into two usage categories.

The first, and least authentic and useful, is what we will call “slideware.” Models are created, rendered, and shown in documentation and presentations (thus, “slideware”), but they have little or nothing to do with the systems that are built. This usage scenario is typified by the creation of complex *static* models of systems—models that explain the parts of a system and how they interconnect, for example—but no *dynamic* or *behavioral* descriptions of the system, explaining what it does, or how it operates.

The second kind of commonly seen “disconnected” model is a model that is rich, authentic, and demonstrates aspects of a system, and yet has no strong connection, even informal, to the system implementation. This situation is commonly mitigated by putting into place a rigorous process and/or methodology that attends to ensuring that model elements and properties are traceable to system implementation elements and properties.

There are international standards, such as the ISO 90000 family of process standards and the ISO 27001 information security standard, that focus on

describing and evaluating rigorous processes. Likewise, there are certification regimes that mandate rigorous processes and methodologies, such as the FAA DO-178 series of standards for aircraft safety.

While such standards can be effectively used to maintain a connection between authentic models and implementations, doing so requires diligence and excellent development and collaboration environment support for facilitating, reinforcing, and checking such human-in-the-loop processes. This practice is also typically fairly resource intensive from a developer or compliance effort point of view.

#### 2.4.2 Fully Connected Models

Fully connected models, on the other hand, are models whose relationship to implementations is direct and is checked by reasoning tools. Connected models come in three flavors.

**Code Generated from Models.** The most common fully connected model is witnessed in specification systems that include code generators.

Some code generators only turn model abstractions into code abstractions, such as UML-based code generators that convert class diagrams into type declarations, such as Java classes or interfaces or C++ header files.

Other code generators are capable of translating behavioral specifications of algorithms into fully functional implementations, such as the code generators for Cryptol and SCADE.

Finally, some logical frameworks are able to generate code, converting specifications, implementations, and proofs in logic into implementations in languages like OCaml, Haskell, Scala, and C.

In all three of these scenarios, untouched code generated from a model is meant to be in full, traceable alignment with that model. What “alignment” means is very much dependent upon the tool and the goals of code generation, ranging from “they look about the same” to “all properties of the formal model are guaranteed to hold for the generated code.”

**Models Abstracted From Code.** A second kind of fully connected model is witnessed when models are abstracted from code. More generically, they are abstract models lifted from more concrete models or code, as the relationship need not be only between models and models.

Some tools that support UML support model lifting (in the form of class, object, sequence, and collaboration diagrams) from source code. Many of Galois’s formal reasoning tools lift models from source code, binaries, or intermediate representations, such as LLVM.

These kind of fully connected models are the dual of the first case: untouched abstract models generated from more concrete models or code are meant to be in full, traceable alignment. And, as before, what “alignment” means varies considerably across technologies.

**Models and Code in a Refinement Relation.** A final kind of fully connected model-model or model-code relation is that of a refinement relation. *Refinement relations* are relations that preserve specific, well-specified sets of properties across the relation.

What kinds of properties are, or can be, preserved very much depends upon the refinement, and thus on the nature of the two sides of the relation. The idea of refinement is discussed a great deal more in later chapters.

## 2.5 Assurance Cases

Assurance cases describe a system, its purported properties, and the evidence that the system conforms to the properties. They are widely used in safety-critical and national defense domains, especially in sectors defined as nationally critical infrastructure.

A given assurance case focuses on a specific set of concerns. For example, one flavor of assurance case focuses on the *correctness* of a system, a second might focus on the *dependability* of a system, and a third might focus on the *safety* of a system.

Assurance cases commonly are stated and argued entirely informally. These kinds of “classical” cases are precisely written natural language documentation—say a large Microsoft Word document printed on paper which contains some figures, tables, and a complementary Excel spreadsheet which explains traceability—that are read, reflected upon, and judged by subject matter experts.

It is not uncommon for such an informal assurance case to accompany a snapshot of part of the system it describes; say, for example, a printout of some of the system’s source code. While assessors that are judging the quality and validity of the assurance case may, on occasion, examine those engineering artifacts, this is more the exception than the rule.

Only in the most rigorous safety-critical and security-centric certifications, such those of Common Criteria and the NSA, and their respective assurance cases are system engineering artifacts deconstructed and examined by experts carefully, often with some computational tool support.

### 2.5.1 Tool Support for Assurance Case Presentation

There are a broad range of assurance case presentation research tools that have been created over the past few decades. Each focuses on a different kind of structured assurance case, or is targeting a particular domain. In general, few are robust, scalable, and supported, and until recently, none included support for formal specifications and verification.

The recent ARCOS DARPA program focused on this problem. It is meant to build a general-purpose assurance case database and reasoning system that can be used to help explain and vet the kinds of systems that the Department of Defense regularly buys and builds. ARCOS is not yet ready for

use on a system like HARDENS, but should be soon.<sup>2</sup>

Assurance cases use a variety of notations for presentation, such as Goal Structured Notation (GSN) and the Claims Argument Evidence (CAE) notation. Many tools focus on the idea that an assurance case is a model in and of itself, and one should be able to generate “classical” informal and semi-formal written artifacts directly from such a model.

Automation (re-)generation of evidence and reports is a boon to teams that must regularly go through a certification gauntlet, saving time and effort. And in combination with collaborative development tools, when used properly, can help track development, changes, artifacts, and evidence. After all, hand-writing assurance cases, even after reusing templates and boilerplate text, as we often see in evidence submitted with NIST FIPS-180 certification for example, is a very time-consuming and expensive proposition.

Such automation to check the process-centric boxes of the past is now, recently being complemented by automated, computational means by which to check and re-check assurance claims. Automatic claim checking is meant to be largely familiar to traditional software because it looks and feels like a test bench.

### 2.5.2 The HARDENS Assurance Case and its Presentation

The HARDENS project demonstrates this kind of automation in spades, using *Rigorous Digital Engineering* to state claims, build arguments, and demonstrate evidence. Evidence comes in several flavors, from structured, traceable design decisions to runtime verification using dynamic evaluation of models (also known as digital twins) and code to full formal verification using theorem proving.

Going into this project Galois wanted to explore using existing assurance case tools that have been developed by and for other agencies, such as NASA’s AdvoCATE tool. But given the project’s size and budget, we decided early on to simply present the assurance case directly in the project artifacts, and describe in this report how to read, understand, and evaluate those artifacts through example.

Several Eclipse-based frameworks (in addition to AdvoCATE), such as ACEdit, SafeEd, and AutoFocus3, have been created to implement fragments of GSN. Other open source or freely available tools that have novel features include CertWare, D-Case, EviCA, ACCESS, DiaSAR, the Evidential Tool Bus (ETB), and WEFACT.

Mature commercial are fewer in number, and include the widely used ASCE, Astah GSN, NOR-STA Assurance Case Tool, the Safety Case Toolkit (SCT), TurboAC, and SafetyLab.

Denney and Pai [DenneyPai18] contains a good overview of the state of various commercial, research, and open source tools.

---

<sup>2</sup>Galois is a performer and evaluator on the ARCOS program, and is working with DIB partners on evaluation and transition of ARCOS’s technologies.

If Galois continues to work with the NRC on formal assurance case development and presentation—especially with Rigorous Digital Engineering—we recommend that we jointly choose one of these existing tools as a foundation for future experimentation and use.

In addition to performing on the ARCos program, at Galois we currently use the *Resolute* language and tool from Collins Aerospace on the DARPA CASE project. Its use is inappropriate for the HARDENS project as Resolute is a specification language concretizes as an annotation annex for the AADL system specification language. While we use AADL on a number of projects at Galois, given the size and budget for this project, we chose not to demonstrate it in the HARDENS demonstrator. AADL was mentioned in our proposal, and fits into system specification below SysML, as it is most often used to precisely specify an embedded system’s structure and behavioral, especially in mission-critical settings.

Consequently, especially given the document-centric framing mandated by the NRC, we use a generic-but-rich means by which to state our model-based assurance case. The whole of the argument is grounded in the primary document that frames the project: the original NRC RFP. From that single source we derive all artifacts relevant to the system and its goals and properties, including international standards, research papers, relevant software and hardware, and more.

# Chapter 3

# Model-based Engineering

Several very good books have been written about model-based engineering (MBE) [2, 1, 3], though few focus on rigorous MBE that is grounded in the use of applied formal methods.

Model-Based Engineering (MBE) is fundamentally just engineering that uses models. By *engineering*, we mean any kind of engineering: software, firmware, hardware, systems, safety, security, etc. *Models* are conceptual abstractions of physical or digital phenomena.

Marketing information about products and services often talks about MBSE, which is ambiguous. MBSE can mean Model-Based *System* Engineering or Model-Based *Software* Engineering.

MBE *augments* other forms of engineering, like those mentioned above, and is *mandatory* for verification of high-assurance systems, and *complements* digital engineering with digital twins.

## 3.1 Basic Facts of Model-Based Engineering

MBE is not a panacea, a silver bullet, or a joke. Its use on a project says very little, other than the project team uses moderately advanced development tools.

MBE often means, at least, that (1) some abstractions are written down that describe a system under development, (2) repetitive, boilerplate code that programmers are prone to get wrong is automatically generated, and (3) the environment in which a system operates and evolves is taken into account.

## 3.2 Engineering in the 2020s

Engineering today, especially for embedded systems, looks a lot like it did in the 90s. Programmers like to program, after all, and documentation is often out-of-date.

Unfortunately, the abstractions taught in CS, ME, and CE programs—state machines, grammars, regular languages, and more—are rarely explicitly used

by programmers to create systems.

The C programming language and antique ISAs (e.g., x86 and ARM) are in widespread use, and hardware design languages (HDLs) standardized twenty years ago (e.g., SystemVerilog) are still not widely adopted.

Moreover, in our experience, hardware engineers are loath to learn new HDLs (Chisel, BSV, SystemC, many others) because hardware design firms are extremely risk adverse. Most firms would rather keep using something that has worked for decades than take a shot at a new technology or design flow, even if it might save money, decrease effort, or increase quality. To put a point on it: hardware engineers still use hardware print statements, debuggers, and laborious testing to check correctness.

Rigorous specifications—even boring old assertions—are unheard of, especially anything formal, such as the Java Modeling Language or SystemVerilog Assertions (SVA). In fact, it is fair to say that the vast majority of projects never use, or perhaps have even heard of, the MBE-centric Design-by-Contract methodology introduced in the early 1990s.

### 3.3 Novel Improvements

Over the past two decades there have been a number of technology improvements that has led to the ubiquity and impact of MBE. In the early days of MBE (back in the 1990s), MBE was often viewed as being too demanding for mainstream computing, both computationally (it impacted performance too much) and resource-wise (it used too much memory or storage).

Fast forward twenty-odd years, and hardware is faster and cheaper than ever. Who would have thought that pre-teens would carry around a multi-core, multi-gigahertz device (a supercomputer!) in their pockets?

New programming languages that are great for safe, embedded software engineering are breaking through, such as the Rust programming language. It is no longer necessary to implement embedded systems in assembly language or C in order to achieve high performance.

A new open, unencumbered Instruction Set Architecture (ISA) called RISC-V has catalyzed an explosion of novel hardware design for the masses. There are dozens of RISC-V CPUs and SoCs on the market, and the software ecosystem behind RISC-V is as large, rich, and stable as that of any other mainstream ISA.

RISC-V, in tandem with the rise in small, community-backed projects like those found on Kickstarter and via CrowdSupply, has created a new generation of open hardware developers. *Open hardware*, the brethren of the open software movement, has even become respected in many industry and government circles, including in U.S. Government agencies that are particularly concerned about reliability (e.g., Sandia National Labs) and security (e.g., the NSA).

Complementing the rise in open hardware, *reprogrammable* hardware (e.g., FPGAs) is widely available, well-understood, and adopted. DoD platform architectures today regularly witness the use of FPGAs to replace what was once

realized by expensive, underutilized general purpose processors. These new hardware-based architectures are higher performance and have much better power-performance ratios than their software predecessors.

Finally, Domain Specific Languages (DSLs) and Domain Specific Architectures (DSAs) have proliferated and increased productivity and quality.

## 3.4 Typical Set of MBE Technologies

The core set of MBE technologies that are widely used includes modeling/specification languages, modeling environments, programming languages, reasoning tools, and operating systems. Here we enumerate the most prevalent of these that are in use today.

### 3.4.1 Modeling Languages

Classical “modeling languages” are used to describe software systems and their environment. The dominant three modeling languages of this ilk are:

- **UML: Unified Modeling Language.** UML is mainly used to model software systems, both at a high level (e.g., domain models, requirements, viewpoints, etc.) and at a design level (e.g., classes and modules and their interfaces and APIs, and dynamics of a software system). Some UML tools permit the generation of software from specific UML artifacts (e.g., class diagrams), or the extraction of such artifacts from source code. UML was introduced in the mid-90s and is still in use today.
- **AADL: Architecture Analysis & Design Language.** AADL is mainly used to model embedded, sometimes real-time, systems, including their software, firmware, and hardware components. AADL tools often include powerful reasoning features and some include code generation. AADL was introduced in the early 00s and is in use in mission-critical sectors.
- **SysML: System Modeling Language.** SysML is used to model complex systems at a high-level, including their environments, software, firmware, hardware, and physical manifestations. SysML version 1, introduced in the early 00s, is a *UML profile*, and thus rests on UML as a foundation (for good and ill). SysML version 2 is under development at this time and decouples itself from UML. It should see standardization in 2023 and adoption soon thereafter.

### 3.4.2 Modeling Environments

Modeling environments are tools that permit the creation of, editing of, generation of, and reasoning about, models. Some modeling environments support only a single modeling language. Others support multiple languages, usually through some kind of extension mechanism. Commercial environments often

costs hundreds or thousands of dollars per-seat and their cost is usually not public, but is instead negotiated on a case-by-case basis by their vendors.

The dominant environments in use today are as follows.

- **IBM Rational Software**
- **Dassault Systèmes Cameo Systems Modeler**
- **Eclipse Software Foundation's Eclipse**
- NI LabVIEW
- Vitech's GENESYS
- MathWorks System Composer, **MATLAB**, and **Simulink**
- Sparx Systems Enterprise Architecture
- **OpenMBEE**
- Ansys ModelCenter and **SCADE**
- BigLever onePLE

Those environments and tools in **bold** are de facto in various government agencies and large engineering firms with which we are familiar.

### 3.4.3 Programming Languages

There are a host of programming languages widely used in the MBE domain.

The two main sub-classes of languages are:

- various subsets of C (MISRA, verifiable), or
- safety-centric languages such as Rust, Safety-critical Java, and SPARK.

### 3.4.4 Reasoning Tools

There are hundreds of MBE reasoning tools available today.

The main companies that develop and support such tools are: AbsInt, Galois, Microsoft, GrammaTech, Perforce, Parasoft, MathWorks, SonarSource, Ansys, Cadence, Synopsys, and Siemens.

### 3.4.5 Specification Languages

There are a few dozen main specification languages in use today. These are, in the main, domain specific languages which permit the detailed specification of the behavior or structure of a system, and many have an underlying semantics (or two).

The main languages in use today includes: MATLAB, Simulink, SCADE, Statecharts, Java Modeling Language, CodeContracts, Cryptol, and SystemVerilog Assertions.

### 3.4.6 Operating Systems and Related Technologies

There are just a few dominant operating systems (OSs) used in MBE. While mainstream OSs like various BSD flavors, Linux, macOS, and Windows are used as development platforms, and sometimes deployment platforms, for MBE, more often one sees MBE used for embedded systems engineering where such heavyweight OSs are ill-fitted.

The main go-to realtime/embedded OSs come from proprietary vendors such as Alteronic, Green Hills Software, Lynx, Segger, QNX, Wind River, or are open source and come from foundations—such as the Apache Foundation—or communities with corporate support, such as FreeRTOS/SafeRTOS—which is now supported by AWS—or MuttX, RTEMS, Zephyr.

Operating systems are complemented by various hypervisors, microkernels, and similar underlying technologies, some of which are widely used even without operating systems. The best examples of these technologies in deployment are seL4, MirageOS, Xen, QEMU, and KVM.

## 3.5 MBE Technologies that Really Work

Just because a technology is mentioned earlier does not mean that it is fit for use in developing a high-assurance system, such as the control and protection subsystems of a nuclear power plant. In fact, some MBE technologies (e.g., the use of UML without a model-code connection or the use of OCL contracts) are viewed as being more trouble than they are worth in some settings, particularly if a team is not fully bought into MBE.

The kinds of MBE technologies that we see in the field as really working well and are effective for saving time and effort and increasing quality are as follows.

- data modeling and database generation, evolution, and management (Ruby on Rails and other tools),
- user interface design and behavior (e.g., Apple’s Xcode, numerous tools/frameworks for Web 2.0)
- lexer and parser generators for language design (e.g., ANTLR, yacc/bison, flex/lex, XText, MPS)
- algorithm and protocol specification and reasoning systems (e.g., Cryptol, F, Ivy, ProVerif, CryptoVerif, FDR)
- Design-by-Contract and assurance of software (SPARK, JML, CodeContracts, Dafny, Kotlin), and
- Design-by-Contract and assurance of hardware (SVA, BlueCheck, OneSpin, Jasper, Formality, etc.)

### 3.6 MBE for High-Assurance Engineering

Very few MBE technologies with a focus on mission-/safety-critical systems have been commercialized. Those that have have fairly small customer bases of dozens to hundreds of individuals/firms, rather than two or three orders of magnitude more, as is the case with mainstream development tools.

Numerous MBE technologies exist that are applicable to high-assurance engineering, but have no corporation solely supporting their use, and are mostly supported by ICs and SMEs. Examples of tools and technologies that are suited for high-assurance engineers are as follows. Those that are blessed and widely used in the DoD are highlighted in **bold**.

- design environments from **Dassault**, CMU SEI (**OSATE2** and Oquarina), Vitech, Sparx, **IBM**, **Ansys**, **Siemens**, Visual Paradigm, PTC, etc.
- reasoning tools from **AbsInt**, **Galois**, **GrammaTech**, **Ansys**, Runtime Verification, etc.
- logical frameworks such as **Coq**, **Isabelle**, **Lean**, and **PVS**,
- classical formal methods such as B, Event-B, VDM, and Z,
- modeling intermediate representations such as **Boogie**, **LLVM**, **ZIMPL**, **SAT**, and **SMT-LIB**,
- constraint, SAT, and SMT solvers such as **CVC**, **MiniSAT**, **Yices**, **Z3**, and many others,
- open source development and modeling environments (**OpenMBEE**, **Eclipse**, **VS Code**, etc.), model checking tools (**Alloy**, **CBMC**, **SPIN**, UPPAAL, FDR4, **SPIN**, **TLA+**), hardware verification tools (**QED**, **Yosys**, etc.), and
- numerous MBE technologies have been funded by the DoD, IC, and NASA such as **Cryptol**, **SAW**, **Crux**, **AADL**, **CASE**, **ARCOS**, **CoPilot**, **AdvoCate**, etc.

The state-of-the-art in MBE in 2022 outside of the mainstream commercial realm is mainly found in the list above. These tools are mainly focused on DSLs and DSAs (e.g., the model checking tools mentioned above, Cryptol, and SAW), they include model-lifting and reasoning features (e.g., SAW and Yosys), code generation and reasoning features (e.g., Cryptol and SAW), model-based runtime verification/testing, BISLs and model-based software engineering (the aforementioned JML, SPARK, etc.), or HLS/UVM/SVA for model-based hardware engineering.

## 3.7 Gap Analysis

Today's MBE tools have seen thirty years of evolution, are powerful, very useful in commercial product development, often save developer and development time and money, and continue to evolve to work with new platforms, languages, and tools. Even so, there remain many practical and research gaps between today's tools and the vision of wholly integrated, high-assurance model-based engineering. This section summarizes many of those gaps, particularly with regards to the demands of high-assurance, safety-critical systems engineering.

### 3.7.1 Market Gaps

As discussed in section 3.6, there are insufficient customers in high-assurance engineering to support a rich ecosystem of tool providers, platforms, and products.

Part of the problem is that, in the large, software engineers expect tools to be free, and historically virtually all commercial model-centric tools have been prohibitively expensive. Thus, most software engineers have little-to-no experience with using high-end commercial tools, and thus do not appreciate their utility.

Additionally, there is a pipeline problem in the discipline. While MBE has been around for thirty-odd years, few students graduate with knowledge of MBE because most universities have very few to no courses in the topic.

Corporate adoption of MBE also holds back the field. As with many engineering disciplines whose focus is largely on making money, the good is the enemy of the best. While MBE is used successfully by many companies as a market advantage, it does not see widespread use because the market awards first-to-market products, many firms get away with creating throw-away products poorly and quickly, and thus eschew not only models, but any other artifacts that help with long-term maintainability or correctness, such as documentation and rigorous testing.

Another challenge in the market is that of usability. Easy-to-use products are much more widely adopted than harder-to-use-but-more-impactful products, and unfortunately, none of the existing high-end MBE products seem to have seen any user-centric design.

Historically we have seen some IEEE/ISO standards and specific tools adopted due to compliance and certification mandates (e.g., SCADE or AbsInt tools for development that is meant to be assured under FAA DO-178). But compliance and culpability are not (yet) forcing functions in the world of MBE because no large agency or program has mandated their use. This may change soon, with the evolution of the U.S. Government's Digital Engineering strategy and modernization goals across the DoD, but for the moment, major DIB firms are largely holding pat on development tools, processes, and methodologies of two decades ago.

Finally, mission-/safety-critical industries are risk adverse. MBE, while decades old, represents a fundamental shift in the means by which systems

are created. Adopting MBE means developers learning at least one or two new languages, development platforms, testing frameworks and methodologies, and verification tools. Shifting a workforce to a new language is hard enough; shifting to a whole new way of thinking about design, implementation, validation, and verification is another thing entirely. Consequently, we should expect to only see new entrants and greenfield products using MBE, rather than large, old, traditional firms.

### 3.7.2 Research Gaps

There are just over a dozen widely-recognized research challenges that have stifled more widespread adoptions of MBE over the past few decades. Many of these challenges are the focus of specific academic and industrial research programs, particularly at Galois, and historically in the academic career of one of the authors (Dr. Kiniry).

Each research challenge is only tersely summarized here, as explaining each of these in any degree of detail represents a section of material.

1. usable semantics that refine between levels
2. usable and useful traceability with semantics
3. reversibility of traceability
4. ambiguities in interpreting English into models
5. connecting semi-formal and formal models
6. consistency between text and graphical models
7. specifying and reasoning about systems of systems
8. supporting MBE in an agile methodology
9. augmenting IDEs with MBE for continuous learning
10. integrating rigor without loosing usability and scale
11. supporting product lines throughout the lifecycle
12. predictable and deterministic environments and products
13. consistency of all models across the whole lifecycle
14. trade space analysis and measurable, useful metrics

### 3.7.3 Practice Gaps

Finally, there are a number of nuts-and-bots practical gaps in widespread adoption of MBE, especially for the mainstream. These gaps are not a hindrance to the use of MBE for mission-/safety-critical systems, as today’s developers in those domains are rewarded for thinking hard and being careful, unlike your average web programmer.

Writing models is rarely as immediately rewarding as programming, since most are not executable. Models are often denotational as well, and thus are hard to think about and write for programmers who are used to thinking and “doing” operationally.

In fact, using modeling tools often feels more like writing and reviewing documentation than programming, and, frankly, programmers like to program. Some of the most common techniques used by programmers to understand and experiment with their systems, such as the infamous inline “print” statements, are rarely seen or used in modeling languages. And some modeling languages are only graphical, whereas most programmers prefer textual languages.

The biggest practical gap to widespread adoption in the broader set of mission-critical systems across the U.S. Government is historic. Trillions of lines of legacy code are not described with any existing models, and extracting models from code is much harder than generating code from models. Frequently, agencies and branches do not even have copies of the source code for the binaries that are in platforms. While lifting models from binaries is possible, it is the focus of several current DARPA projects, and thus is largely not ready for transition to mission-/safety-critical systems.

## Chapter 4

# Reviewing Model-based Systems

This chapter summarizes best practices in reviewing, validating, auditing, and certifying systems developed with model-based processes, methodologies, tools, and technologies.

### 4.1 Reviewing

Systems that have been developed using MBSE tools are typically delivered in one of two ways: directly through project access in a collaborative development environment (e.g., a CDE like GitHub, GitLab, etc.) or an archived snapshot/release of the system.

The standard development artifacts that come with such a delivery are:

- digital documentation (e.g., PDF, HTML, ASCII text files, etc.),
- models (stored in either open or proprietary formats),
- model views (interactive or static figures generated from models),
- source code (written in software programming languages or hardware definition languages),
- physical hardware designs (such as a PCB layout or a GDS-II file describing an ASIC),
- binary representations (object files, executables, shared and static libraries, bitstreams, and other document file formats), and
- containers used to, in turn, store stable snapshots of development, validation, and verification environments (such as a Docker image).

## 4.2 Tool Dependencies

Many of these artifacts are easily examined with off-the-shelf tools that come with standard operating systems, such as text editors, web browsers, and PDF viewers. But, given the nature of MBSE, one often finds dozens, or even hundreds, of artifacts stored in non-traditional file types. In order to read, evaluate, understand, and validate those files, one has to have the appropriate tools available.

Commercial MBSE tools commonly define their own proprietary file formats, and these formats change over time in backwards incompatible ways. Consequently, in order to vet a model artifact created with a proprietary tool, one often has to have access to exactly the right version/release of the tool that was used to create the artifact in question.

**Recommendation 1** (Tool Metadata). *For each artifact kind and file type in a system under review, ensure that the tool(s) necessary to validate that artifact are precisely documented (name, vendor, version, operating system platform).*

**Recommendation 2** (Tool Availability). *For each artifact kind and file type in a system under review, ensure that the tool(s) necessary to validate that artifact is made available to the reviewer(s).*

The best practice in fulfilling recommendation 2 is to deliver with the system an evaluation image snapshot that includes all necessary tools “out of the box”.

**Recommendation 3** (Evaluation Platform). *For each system under review, the system development team should provide a snapshot of a stable, coherent, documented evaluation platform to reviewers, such as a Virtual Machine image (e.g., VDI, VHD, VMDK file types), a Docker image, or a Nix configuration and cache.*

## 4.3 Trust, but Verify

When reviewing a system, one typically examines artifacts in a top-down fashion, moving from most abstract to most concrete. Whether or not one pursues a breadth-first or depth-first approach in moving through model abstraction layers is up to the reviewer’s personal taste. Different people think in different ways when it comes to taking in and understanding a system that is larger than one can easily grok in an hour or less.

Moderate to large scale systems often include far more artifacts than can be reasonable examined in detail by a reviewer or review team in an acceptable amount of time. In such a circumstance, reviewers commonly pursue a “Trust, but Verify” approach to examining artifacts.

There are three key facets to such a review methodology, and they are summarized in the following recommendations.

**Recommendation 4** (End-to-End). *Review at least one most abstract to most concrete chain.*

**Recommendation 5** (Regularity). *Review at least one instance of each artifact kind in detail, and check for regularity across adjacent model elements of the same kind.*

**Recommendation 6** (Workflow). *The recommended workflow for reviewing model-based assets moves through the four key facets of any system specification: structure, then data, then behavior, and then properties.*

The reason that the ordering in recommendation 6 is recommended is because, typically, dependencies flow backwards through this ordering, and thus, e.g., in order to understand behavior, one must understand data and structure.

**Recommendation 7** (Limit Risk). *Review remaining artifacts (of all kinds, model, code, documentation, etc.) using a risk-limiting audit approach.*

## 4.4 Key Relations

Examining only artifacts such as models, source code, and documents is insufficient for validating or certifying a system created with MBSE. The *relationships between artifacts* are often as or more important than the artifacts themselves.

There are several key kinds of relations between artifacts to look for when examining a system. The following list, while extensive, is by no means complete.

**Traceability.** Traceability relations are those that link artifacts, often in a *bi-directional* fashion. Traceable relations should be labeled to indicate the purpose of the reference.

By bi-directional, we mean that many useful traceable relations define a trace relation  $\mathcal{T}$  between two elements  $A$  and  $B$  as  $A\mathcal{T}B$  and, by virtue of its bi-directionality, one can follow the trace *from A to B* and, independently, from  $B$  to  $A$ .

Traceable relations commonly found in documentation include glossaries, indices, table of contents, lists of figures, lists of table, etc. Best practices in traceable relations enable both *active tracing* via hyperlinks, hovers, or other similar simple action triggered by a mouse or keyboard event and *passive tracing* via a traditional unique directional reference, such as a page number or file name with a relative or absolute path.

Traceable relations commonly found in model-based systems engineering artifacts include requirements and feature matrices, model-model/model-view/model-code relations as described below, abstract/concrete refinements, definitional lookups, and evidence derivation.

**Recommendation 8** (Traceability Completeness). *At every layer of model refinement, every assumption, goal, and requirement that frames a model-based specification at the abstract end of the refinement must be traceable to a corresponding assumption/rely/precondition, goal, or property in at least one refined artifact.*

Without traceability completeness, model elements are left “hanging.” For assumptions this is not fundamentally problematic: nothing needed the assumption in order to build and assure the system. But for goal and requirements, and artifacts derived thereof, such as scenarios, events, properties and the like, it is much more problematic because, if such a traceability relation does not exist, then the goal or requirement is unfulfilled in the assurance case.

**Recommendation 9** (Bi-directional Traceability). *Every model, code, or assurance artifact A that is in a traceability relation to another artifact B should (i) permit a trace from A to B and from B to A, and (ii) the nature of both traces must be clear.*

Uni-directional traceability, while somewhat useful—as it helps justify other traceability properties like completeness and reachability—is not satisfactory from a reviewer point of view. One should be able to trace each artifact *to* its more abstract dependency (be it concretized as a requirement, goal, invariant, etc.) and *back* from that artifact. Likewise for any relations *down* from the artifact to more refined artifacts.

**Recommendation 10** (Traceability Reachability). *Every model, code, or assurance artifact must be reachable by a trace relation to at least one, and preferably only one, other artifact.*

Every mode, code, or assurance artifact that is included in a system built with MBSE technologies should be there for a reason. A traceability relationship to each artifact is, in part, the means by which to justify its inclusion.

**Recommendation 11** (Traceability Implicitness). *Implicit traceability is superior to explicit traceability.*

*Explicit traceability* is realized by the writing or generation of model annotations which document trace relations. These annotations are often in the form of code or model comments, model notes, extra spreadsheet or CSV columns, source code formal annotations, etc. In our experience, such annotations are fragile, clutter models and programs, and are very difficult to maintain in the face of evolving artifacts on both ends of the traceability relation.

Implicit traceability is realized by the use of types, naming conventions, and methodological rules that are machine checkable and human understandable. In model-based systems that use implicit traceability, no extra comments, notes, etc. are necessary, as one can always trace up and down between abstraction layers in a system design and implementation.

Tools, such as IDEs with rich user experiences, can assist with such tracing, such as the ability to lookup a type declaration and its semi-formal definition by touching a variable in a model or code and seeing a pop-up help message that can be activated to jump to the definition in the current or new window. Refinement or traceability checkers can analyze a system to determine if a system’s implicit traceability is complete, bi-directional, and if all model elements are reachable.

**Representational.** Representational relations connect model abstractions to physical, digital, or computational manifestations. These kinds of relations are often based upon model abstractions that are meant to represent real-world constructs, whether they are physical (such as a CAD model of a PCB design), digital (such as a GDS-II model of an ASIC mask, a Entity-Relation model used to describe a database schema, or a wireframe model used to describe a user interface), or computational (such as an algorithm described in pseudocode or a protocol described with a domain specific language).

In each case, the model is meant to be an abstraction, and thus *every* property the model has should be a property witnessed by the thing it describes. In such a relation holds, we call the model *sound* with regards to its concretization. Moreover, a *complete* representational model is one which captures *all* properties of interest, given the context and goal of the model.

**Recommendation 12** (Representation Realizability). *Every model must be realizable within an implementation; that is, once the model is refined to an implementation, an implementation must be able to exist which fulfills all of the properties of the model. A model that is unrealizable is a model that is unimplementable.*

Sometimes models are created without a thought to the implications of the model’s properties. For example, a model might demand arbitrary amounts of compute or storage resources in order to be implemented. Or a model might demand that two properties hold at the same time, and those two properties contradict each other. This is very commonly seen when translating informal requirements into formal requirements, as English is notoriously imprecise and few write requirements with an eye toward logical consistency. All of these circumstances lead to unrealizable systems. Tools exist to help debug some of these kinds problems by, e.g., finding minimal models that resolve an inconsistency.

**Recommendation 13** (Representation Soundness). *Models must be sound; unsound models are neither useful nor realizable. Models and model-code relations should be checked for soundness by attempting to rigorously validate or formally verify “bottom” implementations.*

Demonstrating that a model is sound is often overlooked, but is necessary. During model evolution is is quite common to accidentally make a model unsound, and without some means by which to “smoketest” soundness, this can lead to a large amount of lost effort, late surprises in verification, and project risk.

The easiest means by which to check the soundness of a model is to intentionally attempt to demonstrate (either through runtime assertion checking or formal proof) a false proposition; i.e., try to prove that the lemma *false* holds. One can accomplish this in programming languages which provide an assertion construct by simply asserting *false*, thereby saying “the program that crashes, terminates successfully.” Galois implements a “bottom” version of all models that does just this, and vets the soundness of models by attempting to rigorously validate or formally verify the whole of *bottom* with multiple tools.

**Recommendation 14** (Representation Completeness). *Every model should be relatively complete, where relative completeness is defined with regards to (i) the expressivity of the modeling language, (ii) the utility and capability of tools which can reason about the model, and (iii) the property coverage necessary based upon the refinement relationships in which the model participates.*

While relative completeness has a formal meaning, and while it does connect with the intention of this recommendation, it is rarely the case that our notion used here of the same name is defined as such.

In essence, each modeling language, and the tools that support operating on or with models expressed in the language (checking, reasoning about, compiling, synthesizing, etc.), is good at modeling a certain kind of *thing*, and that thing's *properties*. Those are the kinds of things that one should endeavor to cover in any model expressed in that language. If there are simple concepts and properties which should be included in a model, but are not, that is a warning sign with regards to relative completeness.

Likewise, there are often certain shaped properties which, while possible to model in a given modeling language, are *unreasonable* with current tooling. By *unreasonable* here we mean that state of the art tools, while able to provide a semantic interpretation for an unreasonable property, cannot effectively determine if the property holds or not.

An abusive example of such a property is the embedding of an unsolved or extremely difficult theorem (say, Fermat's last theorem) into a specification. Another formal example, not uncommonly seen, is an attempt to formally verify a correctness property of an infinite stream without a reasoning framework that supports coinduction. A third common example is the statement of temporal logic expressions with prolific use of the *leadsto* operator, which essentially says "this thing will happen someday, but it could take a **very** long time."

Finally, if a (more abstract) model  $A$  is refined to a (more concrete) model  $B$ , and property  $P_A$  holds on  $A$ , then the refinement of  $P_A$  should hold on  $B$ . If it does not, then the model is relatively incomplete with regards to its abstraction's properties.

**Descriptive.** A descriptive relation is a relation that also connects an abstraction to a descriptive target, but no property correspondence is meant to hold between the model and the object it describes.

Common examples of descriptive relationships include document substructure summaries (e.g., a paper's abstract, a chapter's summary in an introduction, or a book's jacket description), source code substructure summarizes (a module's general purpose or a function's general meaning, as described in structured source code comments), and alternative text describing images for the sight impaired.

**Recommendation 15** (Descriptive Accuracy). *Descriptions should be accurate, as judged by a reader who is familiar with its target.*

Inaccurate descriptions are worse than no descriptions at all. The most common example of inaccurate descriptions is natural language comments on source code and system descriptions (architectural, security, operational, or otherwise) of systems that have witnessed a lot of evolution. In both cases, developers are wont to rewrite code, and rarely attend to updating the corresponding documentation, even though writing the documentation takes a fraction of the time taken to write and assure the code.

**Recommendation 16** (Descriptive Completeness). *Descriptions should be complete with regards to the relative completeness of the artifacts to which they refine.*

A description, while informal, has a scope driven by any formal properties associated with the artifact that is being described. Thus, the description should cover those properties/features of the artifact that are salient to the model. For example, if a model-based protocol specification attends to reasoning about protocol properties like robustness or fairness, then its description should discuss robustness and fairness. Likewise, if a concurrency model is created in order to reason about absence of deadlock and livelock, then its description should discuss such.

**Structural.** Structural relations are *part-whole* relations of various kinds. They are prolific in any artifact that has a hierarchical decomposition, such as this report, a system’s source code, or a complex formal model.

Part-whole relations come in several flavors, including the dual expanded and referential substructures, containment, ownership, physical position and orientation, token-based access control, and more.

**Recommendation 17** (Structural Property Preservation). *All traceable refinements of models that have structure should preserve all structural properties.*

Note that recommendation 17 does not prevent the many ways tools transform models or code in ways that typically munge representations. A few examples of transformations that are, surprisingly, often structure-preserving: source code optimization during compilation via inlining; model flattening when moving from a very expressive (e.g., higher-order) model to a less expressive one (e.g., first order), transforming operational artifacts, such as LLVM bitcode, into a relational artifact, such as a first order symbolic evaluation; and flattening a nested reference model by expansion of nested elements.

**Operational.** Operational relations are relations that describe possible unconstrained behaviors. One side of the relation often characterizes a set of possible abstract operations that can take place in a model, and the other side of the relation describes the concrete operations (such as function calls, message send/receives, UI events, etc.) that correspond to those abstract operations.

Classically, these kinds of relations are used to describe a variety of model phenomena, such as non-deterministic behavior, concurrency, timing uncertainty, human-in-the-loop actions, adversarial responses, etc.

**Recommendation 18** (Operation Realizability). *Operations must be realizable in a system.*

This recommendation is linked with the other, more abstract, recommendation that focus on realizability (recommendation 12). Operations, as the concretization through refinement in models or code of computation, must also be realizable, otherwise the system cannot be built.

**Recommendation 19** (Operational Elegance). *Operation design and implementation should be elegant. Elegance means: (1) there should be only a single operation that fulfills any system feature, (2) each operation should only implement a single feature, (3) simpler operational specifications are superior to more complex ones, (4) operations should either be pure queries (that change no system state) or simple commands that return no information beside success or failure, and (5) an operation that is both a query and a command (it changes state and then returns information) should be specified and implements as the composition of those two existing operations.*

Many of these recommendations come from rules derived from verifiable engineering practices, as initially espoused by Meyer, and inspired by best practices from formal methods like B, VDM, and Z. Tools are available that will analyze elegance factors like those described above, both at the model and code level.

A high-quality MBSE methodology will include the use of such tools to automatically check for model and implementation elegance, as doing so ensure that this property is preserved during development and post-release system evolution, and it also helps ensure that the system's assurance case is no more complex than it needs to be.

**Recommendation 20** (Operation-Action Coupling). *Every system operation should refine to a single system action.*

This recommendation is the direct implication of the first two clauses of the definition of *elegance* in recommendation 19 and recommendation 17. Because it is an important system property, we highlight it in its own recommendation.

**Data.** Data relations describe models of data and their relationship with data in implementations. Typically, data in models is described abstractly, using generic mathematical objects like sets, sequences, vectors, streams, etc. Data in applications is, on the other hand, concretized in programming language data types and/or serialized data, such as records in a database or network packets in a transmission.

In order to relate abstract data and concrete data, a data relation must explain what invariants hold on data types, and especially *between* data types, and how those invariants are maintained by the implementation.

**Recommendation 21** (Absent Invariants). *It is difficult to tell the difference between a component that has no invariants and one that has absent invariants. Absent invariants are invariants that hold for a model, but are not expressed by the development team due to accidental omission, oversight, or neglect.*

No component should have absent invariants, and the best way to document such is to have process or methodological conventions that permit an observer, be it another developer or a reviewer, to understand that the invariant for a component with regards to a particular property really is just *true*.

**Recommendation 22** (Data Simplicity). *The core data model of a system should be modeled in the simplest possible way, and model or implementations complexities due to optimization, representation, platform, or infrastructure should be modeled as data refinements of the core data model.*

**Recommendation 23** (Data Portability). *Data portability should be accounted for in a model using a platform product line specification, thereby factoring out platform-specific issues from core system specification matters.*

**Recommendation 24** (Data Transparency). *Data models and their representations should contain no undocumented values, interpretations, structures, or relations. If the semantics of data fulfill this condition, it is transparent to any developer or reviewer.*

**Recommendation 25** (Data Explainability). *The semantics of data should be explainable within a model refinement; every data invariant should be justified by a traceable refinement up to a more abstract model property, or down to a more concrete model or system property.*

**Action.** Finally, action relations describe the decomposition of complex actions into simple events, and how those actions and events are realized in a system implementation. An event is a state change in a system that, from the point of view of the observer, is atomic. An action is set of a sequences of events, possibly just a linear sequence (first *this* happens, then *that* happens), but often, instead, a branching tree of possible events. Actions are also known as *scenarios* and *use cases* in some methodologies.

An action relation maps an abstract action and its events to a concrete system. A *sound* action mapping ensures that any action that can be witnessed in the model can, in turn, be witnessed in the system, and, preferably, those two actions are in a refinement relation. A *complete* action mapping ensures that every interesting action (as defined by the domain of specification in the abstraction) is included in the model.

Actions are often used to describe both the normal behaviors of a system—how it should act under typical circumstances—and the abnormal behaviors of the system—how it should act in the presence of failures. Additionally, action specifications can describe non-terminating behavior, such a system that is meant to run continuously without fail.

**Recommendation 26** (Positive Action Completeness). *Actions that define the behavior of a system under normal circumstances (no errors, exceptions, or faults) are positive actions. The model-based specification of a system should be (representationally) complete (see recommendation 14) with regards to positive actions.*

**Recommendation 27** (Negative Action Completeness). *Actions that define the behavior of a system under abnormal circumstances (errors, exceptions, or faults) are negative actions. The model-based specification of a system should be (representationally) complete (see recommendation 14) with regards to negative actions.*

Note that (i) no positive action can be equivalent to a negative action, and (ii) the union of all positive and negative actions is the sum total of all actions defined on a system.

**Recommendation 28** (Positive-Negative Consistency). *The composition of positive and negative actions must be consistent, and thus realizable.*

**Recommendation 29** (Action-Implementation Consistency). *For every action  $A$ ,  $A$ 's action-event structural relation (that is, each action is decomposed into a set of events) should be maintained by the model refinement or implementation of  $A$ .*

This recommendation is a corollary of recommendation 13 and recommendation 17.

**Recommendation 30** (Action-Event Completeness). *Every event must be used in at least one action, and realized by a single model refinement or implementation feature.*

This recommendation is a corollary of recommendation 8 and recommendation 14.

**Relations in Systems Modeling Languages.** Each modeling language includes some subset of these modeling relations. Rich systems modeling languages, such as SysML, cover virtually all of these relation types. Other, more restrictive, modeling languages, especially Domain Specific Languages (DSLs), only cover a small number of relation types. For example, entity-relation models and basic SQL models are solely about data, and thus only focus on data relations.

A well-designed modeling language will ensure that its relations fulfill many/all of the relation recommendations in this section, and, furthermore, that tooling should support the creation, update, checking, and enforcement of such relations and their desirable properties.

**Recommendation 31** (Relation Typing). *For each relation identified or discovered in a system created with MBSE, if the relation is not explicitly typed according to the above classification scheme, deduce its type and check if it has the corresponding recommended properties described above. If it does not, ask the developers to justify its partial properties.*

Asking for justifications often forces developers to use the full existing features of their modeling languages and tools and to update their process or methodology to guarantee certification demands, such as those recommended in this section.

## 4.5 Validating Models

In order to validate a model, one must work to understand the model’s *purpose, utility, context, relationships, history, evolvability, and maintainability*.

Each of these model facets has at least a subjective, and sometimes and objective, quality measure. Determining the means by which such metrics are measured, one can “grade” each dimension as a part of a model validation process. We give some examples below for the metrics used at Galois for this kind of evaluation.

**Recommendation 32** (Model Purpose). *Every model should have a purpose—a reason for it to exist.*

Typically a model’s purpose is to describe something that is not described elsewhere, or is indescribable in the other models used to specify a system. Another good purpose is to describe a system property from another perspective, either to transform a property in a such a way that a second reasoning tool can revalidate/reverify the property (see recommendation 46 below), or to explain the point of a model artifact or property to a developer or reviewer (cf. recommendation 15).

**Recommendation 33** (Model Utility). *Every model must have a utility: a means by which to use the model toward providing assurance for a system.*

*Utility* is typically either semi-formal—the model is used to explain a system property to a developer or a reviewer—or is formal, and is used to rigorously validate or formally verify that system properties hold (cf. recommendation 17 and the recommendations of section 4.7).

**Recommendation 34** (Model Context). *Every model must have an explicit context: a frame of reference in which the model’s assumptions/rely are explicit.*

A model without context is missing information critical to developers, reviewers, and reasoning tools. While on some rare occasions a model needs no context—it makes no assumptions at all outside of those definitionally included in the model—most models have an enormous number of subtle assumptions in order for the model to be valid. An example of a simple unspoken model assumption that is frequently seen in embedded systems code is that there is an unspoken assumption that no pointer used in any function invocation is `NULL`.

Assumptions that are made between refinement levels or between system abstraction layers are known as *relies*, as one can often use a form of specification and reasoning known as *rely/guarantee reasoning* in order to sensibly reason about the composition of layers in an architecture.

**Recommendation 35** (Model Relationships). *Models are often connected with one another through relations, such as those described in section 4.4. A reviewer must understand and validate every model relationship, and every model relationship should have a purpose (cf. recommendation 32).*

Recall that model artifacts include not just components and their features (i.e., attributes, functions, procedures, events, signals, etc.), properties (goals, requirements, invariants, etc.), and aggregations (i.e., subsystems), but also all functional and relational connections **between** model elements. This includes even, e.g., relations between relations, or functions on modules.

**Recommendation 36** (Model History). *A reviewer should be able to observe the history of every model artifact, as that history often tells a story about the design and modeling decisions made by developers during a model's evolution, validation, verification, and refinement.*

Model history is often captured in one of two ways: (1) via a built-in design justification history mechanism, as provided in advanced MBSE IDEs, or (2) via a revision control system changelog when used with a rigorous development process.

**Recommendation 37** (Model Evolvability). *All models should be evolvable in a relation-preserving fashion.*

If an MBSE developer is fearful of changing any model or implementation artifact because the change will cause a large, particularly manual, change in other artifacts, then the model is not evolvable. It is very common for complex system specified with SysML version 1 to have this property, and thus models are constructed as read-only, “golden” *system architecture specifications* or *platform specifications* and then rarely changed thereafter. Such is indicative of a seriously broken MBSE methodology.

**Recommendation 38** (Model Maintainability). *All models should be maintainable after system deployment.*

Once a snapshot of a system “ships”—whether it is to a client, to a certification authority, or to an integrator—it must then be *Maintained*. Maintenance is triggered either through dependencies (e.g., via an upstream change, such as a bug is found in a dependency which forces a model or implementation update), client feedback (e.g., certification rejection with recommendations, or a bug is discovered during acceptance testing), or because of an adversary (e.g., a security vulnerability is exploited which forces a maintenance update to mitigate the flaw).

A model that cannot be maintained in the presence of these common post-deployment scenarios fails this criteria. Such models become archaeological artifacts describing the history of a project or product, and are no longer useful for the product that exists in client’s hands *today*. Many antique waterfall-based MBE tools fall into this trap, such as having an accurate UML model of a system in the first month’s of a system’s development, but the system’s implementation today has little or nothing to do with that model just a few months later.

## 4.6 Validating Model-Implementation Correspondences

The most valuable models are those that have a direct, measurable, checkable relation or correspondence with implementation artifacts.

On many occasions, models are created in order to think abstractly about a system and its properties, and then the model is barely used as a documentation reference when designing and implementing the system. This is an example of poor model-implementation correspondence. If there is little-to-no evidence that the implementation corresponds to the model, then the model has little utility beyond helping developers or architects think about a system.

Note that the situation, while extremely common, is not unacceptable. After all, thinking carefully before diving into the very expensive and time consuming task of building a system often pays dividends: reduced time and effort, lower risk to schedule, etc. But given today's MBSE technologies, there is no reason to not have strong model-implementation relationships, and to keep models and code in sync.

When reviewing a system developed with MBSE from the model-implementation correspondence point of view, we make the following recommendations.

**Recommendation 39** (Model-Impl Traceability). *The most concrete models that refine to implementations must be traceable.*

This recommendation is a corollary of recommendation 8, but is particularly critical as the implementation, not the model, is the real system.

**Recommendation 40** (Model-Impl Rigor). *The strongest, preferred relationship between a model and an implementation is one that is rigorous. A rigorous model-implementation relation is one that is codified mechanically (programmatically, in a machine-readable fashion) and can be automatically (re-)checked computationally.*

There are numerous specification languages and reasoning tools which provide rigorous model-implementation relations, such as ACSL/Frama-C, SAWScript/SAW, JML/OpenJML, Eiffel, SPARK, and more. Without a rigorous relationship between models and implementation, model-code relation *drift* must be mitigated using manual, expensive, time-consuming, process-based techniques.

**Recommendation 41** (Model-Impl Refinement). *The strongest, preferred model-implementation relation is one that is a refinement relation.*

If a model-implementation relation is not a refinement, then earlier recommendations are violated, such as recommendation 17, and there is little clarity with regards to which model properties must, can, should, or must not hold for its implementation. This situation is often hard to understand, review, and is unmaintainable.

**Recommendation 42** (Model-Impl Evolvability). *Model and their implementations should co-evolve, preferably in an automated fashion.*

As a system evolves—whether during development as features and enhancements are added, bugs are fixed, or when requirements change—the system’s models and implementation change over time. Every model-code relation is an extra artifact that must evolve as well, and because these relations are often used for traceability and assurance, it is critical that they are kept up-to-date and correct. While such updates can be accomplished manually, doing so if often expensive, time-consuming, and error-prone.

**Recommendation 43** (Model-Impl Canonicity). *In every model-implementation relation, either the model or the implementation should be declared canonical, and used as the ground truth for the relation.*

Some powerful tools used in MBSE, such as Ansys SCADE and Galois’s Cryptol, SAW, and Crux tools lift models from code or generate code from models. The source artifact of these tools is the canonical artifact fulfilling recommendation 43.

Other tools which do not have this nature typically expect that models and implementations co-evolve, per recommendation 42. A development process and methodology should precisely define and reinforce, preferably with automated tool support, how such evolution takes place.

The two most common rigorous methodologies are *Design by Contract* and *Contracting the Design*. *Design by Contract* holds that the contract (a model that describes a system’s architecture, behavior, and more) is canonical. *Contracting the Design* holds that the code is canonical, and updates to the code must be periodically translated into the model.

But by far, the most common approach to attending to model-code conformance is to simply not do it at all. Many projects that use some MBSE technologies only pretend to do so: models have few properties, little-to-no validity or verifiability, and have no relation, semi-formal or rigorous, with the implementation at all. Such projects typically violate most, if not all, of the recommendations made in this chapter.

## 4.7 Validating Claims

Many claims will be made about a system developed with MBSE tools. A reviewer must validate many or all claims as a part of the review or certification process. The recommendations from section 4.3 especially hold for claim validation.

A *rigorous claim* is a decidable proposition about the system: it is either true or false and there is evidence to bolster either interpretation. An *informal claim* about a system is any statement made about a system for which there is not measurable, decidable evidence. Often such claims are more of the form of *beliefs* of the developers, and evidence for their beliefs are not found in peer-reviewed literature, case studies, or cannot be generated by explainable computational tools.

When evaluating the claims made about a system that was developed using MBSE technologies, we make the following recommendations.

**Recommendation 44** (Automated Claim Validation). *Automating claim validation is far superior to, and preferred to, manual claim validation.*

**Recommendation 45** (Interactive Claim Validation). *While machine-assisted interactive claim validation can provide as much, or more, rigor, confidence, and assurance of a claim, interactive evidence often requires much more effort, time, cost, and attention than automatic validation.*

A halfway point between full automation and full interactivity is often possible: one can automatically validate claims that were originally made constructed interactively. Doing so permits automation, such as in continuous testing and integration systems and incorporation in developer pre-merge regression checks.

Examples of such a mechanism are in Galois’s work in formally verifying Amazon’s cryptographic libraries (re-running hand-written SAW proofs of the correctness of C and assembly implementations of high-performance, mission-critical cryptographic functions) or in the re-execution of proof scripts in a logical framework like Coq, Isabelle, or PVS.

**Recommendation 46** (Claim Multi-Validation). *Rigorously validating or formally verifying a claim with multiple tools or techniques is what we call multi-validation. In general, it is better to witness validation via multiple techniques, and multiple tools which rely upon distinct foundations, reasoning approaches, and different organizations.*

Validating a claim with only a single technique or tool amounts to putting all of your eggs in one basket. By validating each claim using multiple techniques and tools, several kinds of risks are mitigated, such as the discovery of a critical flaw in a reasoning tool or missing environmental assumptions about a platform model in a static formal reasoning technique that might be caught when runtime checking claims on the actual.

Likewise, by using tools from multiple sources/vendors that use different foundations or reasoning techniques increases surety, such as using multiple formal verification tools from competing EDA vendors to assured a piece of critical hardware against a model written using SystemVerilog Assertions (SVA).

**Recommendation 47** (Continuous Claim Validation). *Claims should be continuously validated, not checked all at once aperiodically with great effort. Preferably claims are (re-)checkable on every developer’s development machine, on private or cloud-based compute servers, or in a continuous integration (CI) service (e.g., as a part of a DevSecOps infrastructure).*

Automatically checking claims continuously in a CI service is what we call *Continuous Validation* or *Continuous Verification* (uniformly abbreviated “CV”), depending on the nature of the assurance.

**Recommendation 48** (Claim Validation Dependencies). *All dependencies of a claim and its validation should be included in an assurance package, be explicitly or implicitly traceable, and be validated as well, preferably starting from axiomatic foundations and moving up dependencies eventually to top-most theorems and properties.*

Sometimes assurance packages do not include all dependencies explicitly. This is problematic for several reasons, some of which include: (1) the accidental or purposeful misrepresentation of a dependency's nature, claims, and assurance, (2) dependencies that disappear over time (websites go offline, companies go out of business, licensing requirements change), or (3) poor release management of dependencies, and thus it is unclear exactly what version of a dependency is necessary (such is prolific in modern “Web 2.0” development styles that wantonly pull dependencies from the internet).

**Recommendation 49** (Safety Claim Validation). *Safety claims should be, if at all possible, validated with formal verification, not (only) with runtime assertion/property checking.*

Safety claims, in the main, cannot be tested for validity, despite this being the most common way that safety properties are validated in system implementations.

**Recommendation 50** (Risk Mitigation Claim Validation). *Risk mitigation claims should, if at all possible, be validated using mechanized/computational techniques, and not just with subjective human judgment.*

**Recommendation 51** (Hazard Mitigation Claim Validation). *Hazard analysis and mitigation claims should, if at all possible, be validated using mechanized/computational techniques, and not just with subjective human judgment. And when modeled computationally, they should be validated with formal verification, not (only) with runtime assertion/property checking.*

**Recommendation 52** (Security Mitigation Claim Validation). *Security analyses and mitigations should, if at all possible, be validated using mechanized/computational techniques, and not just with subjective human judgment. And when modeled computationally, they should be validated with formal verification, not (only) with runtime assertion/property checking.*

Too often, these kinds of analyses—risk, hazard, and security analysis and mitigation—are exclusively performed by experts using wisdom and checklists.

In our experience, when an existing subjective analysis (risk, security, correctness, and more) is augmented with mechanized reasoning, numerous flaws in the original analyses are discovered.

Therefore, for critical analyses like risk analysis, we recommend that claims should be validated using computational techniques. Doing so “supercharges” those very same experts with wisdom.

**Recommendation 53** (Claim Fidelity). *The fidelity of every claim must be explicit if it is not precise. A precise claim is one that is a theorem/property of model or code for which all assumptions are explicit for which a proof could be created/generated. An imprecise claim is a claim that is not precise. The fidelity of a claim is the context of a claim and its evidence—particularly its set of assumptions—including any necessary caveats, error bars, or other statistical analysis of related measures.*

Classically, fidelity of measurement claims are characterized by statistical error bars, standard deviations and variance of measures and their distributions, etc. This kind of fidelity information is commonly wholly absent in MBSE artifacts which include simulation data.

Formal logical models usually only need a (formal) context statement in order to characterize fidelity: the set of axioms and assumptions made in writing, generating, or reasoning about the model suffices to explain how the model is valid, in what circumstances it may be invalid, and thus—by virtue of earlier recommendations on model property refinement—how those assumptions impact the model's implementation.

## 4.8 Key Questions to Answer

The final key questions to answer about a system developed with MBSE, augmenting all of the recommendations summarized above, are characterized by the following, final, recommendations.

**Recommendation 54** (Understandable). *An MBSE-based assurance case should be understandable to any moderately experienced engineer.*

**Recommendation 55** (Believable). *An MBSE-based assurance case should be believable to any moderately experienced engineer.*

**Recommendation 56** (Coherent). *An MBSE-based assurance case should be coherent to any moderately experienced engineer.*

**Recommendation 57** (Surety). *An MBSE-based assurance case should meet or surpass the assurance threshold set by a client (its surety), and the fact that an assurance case is not yet good enough should not be a surprise to any involved.*

Is a system and its assurance case fulfills these four recommendations—reinforced by demonstrated alignment with all of the earlier recommendations that align with an organization's review remit (be it validation, certification, statutory, or rule-based), then the system is fit for acceptance based upon MBSE artifacts.

## Chapter 5

# The HARDENS Reactor Trip System (RTS) Demonstrator

The HARDENS Reactor Trip System is a demonstrator model-based engineering system built for the NRC. It demonstrates the art of what is possible using modern model-based hardware, firmware, software, and systems engineering for safety-critical systems, using only freely available, mostly open source, technologies.

Chapter 3 and ?? review the state-of-the-art in commercial and freely available MBE technologies. In the conclusion of this document, chapter 6, we reflect upon how this demonstrator and its assurance case might differ were proprietary tools used instead.

This chapter describes all of the modeling artifacts used in creation of the RTS, and grounds their use from a traditional MBE perspective, which has no rigorous or formal model-based assurance. As such, we differentiate the widespread state-of-practice against the state-of-the-art. We advocate that only the state-of-the-art is adequate to guarantee the correctness, safety, and security of nationally critical infrastructure.

After all, if Galois is able to design, build, and assure a system like the RTS for a nickle (relatively speaking), larger corporations should be able to do at least as well using the orders of magnitude greater resources that they regularly consume or spend.

1. This chapter is about describing the RTS from a software and hardware engineering perspective.
2. It describes modeling artifacts in the context of their use from a traditional MBE perspective, with no rigorous or formal model-based assurance.
3. Explain the RTS at a high level.

## 5.1 RTS Overview

The Reactor Trip System (RTS) is a demonstration of a digital instrumentation and controls (DI&C) system. As such, it features:

1. a sense-compute-control architecture;
2. a human-in-the-loop user interface;
3. a built-in self-test subsystem; and
4. a fault-tolerant design comprising components with identical behaviors implemented by multiple techniques.

In this chapter we discuss the artifacts comprising the RTS: not only the implementation artifacts, but also, crucially, the *assurance* artifacts.

## 5.2 Specifications

The RTS specification is naturally divided into a set of high-level system specifications comprising *requirements*, a *domain engineering model*, and a *feature model*. These high-level specifications are further refined by *formal* specifications of both the requirements and system architecture.

### 5.2.1 High-Level System Specifications

First, we will start with the NRC RFP as our first source for high-level system specifications. We will then review the relevant IEEE standard.

**The Original NRC RFP.** The core four pages of the original NRC RFP are included here in full on the following four pages. We will refer directly to elements therein in the following description of the **HARDENS Top-level Project Goals**.

In order to build our *domain engineering model* for the RTS as well as to make a start on our system requirements, we extract directly from this text, line by line, the following *goals* (section 5.3) and *scope of work* (section 5.3.1).

### 5.3 The Reactor Trip System's Goals

The goals of the are explicitly stated on the first page of the RFP. We manually highlight those declarations and transliterate them into a specification written in the LANDO system specification language (see appendix A).

Each goal has a *short name*, which we will use when referring to specific goals in what follows. In general, we label, rather than number, high-level specification artifacts such as goals, scope, and requirements in this fashion. Labels have more semantic meaning and permanence than numbers and, as these artifacts changes over time (e.g., a requirement changes mid-project), developers do not confuse themselves or the reviewer with missing, evolved, or struck-out numbered specification artifacts.

We call our demonstrator system the *Reactor Trip System*, or RTS for short.

**Goal 1** (Project Focus). *The project's main focus is on safety critical systems design.*

**Goal 2** (Mitigate Complexity). *The project must demonstrate MBSE's capability to address software and system complexity.*

**Goal 3** (Enhance Productivity). *The project must demonstrate MBSE's capability to address the productivity challenges of complex distributed embedded systems.*

**Goal 4** (Regulatory Review). *The project must demonstrate and help explain how Model-Based Systems Engineering (MBSE) methods and tools can support regulatory reviews of adequate design and design assurance.*

**Goal 5** (Barriers and Gaps). *The project must identify any barriers or gaps associated with MBSE in a regulatory review of Digital I&C for existing NPPs.*

**Goal 6** (Superior for Complex SSCs). *The project should demonstrate if MBSE, with its inherent ability to analyze and simulate many different scenarios, is a superior approach for more complex systems, structures, and components (SSCs).*

**Goal 7** (Non-Document-based Evidence). *NRC regulators must be prepared for MBSE applications where non-document-based evidence is a part of a safety evaluation.*

**Goal 8** (Future Review Processes). *The project should help the NRC understand if an MBSE-based assurance case presentation will help to enable the use of MBSE as an alternate review process DI&C-ISG-06, Rev. 2 (ML18269A259).*

### 5.3.1 Scope of Work

The scope of work for the RTS defines a framing condition on the system's requirements and implementation. Each scope declaration turns into a framing assumption or a constraint on the system, in its specifications, implementation, or assurance case.

Scope declarations often help tremendously with regards to constraining the space of possible design decisions and, when there are few-to-no hard constraints, also help create and evaluate a multi-dimensional objective function that helps a system's creators focus on finding the optimal product that solves a client's need.

Each scope definition below is, again, transliterated into LANDO. See appendix [A](#).

**Scope 1** (Simple Protection System). *The demonstration implementation must be a simple protection system.*

**Scope 2** (Modern Process). *The demonstration implementation must be created using a highly integrated computer-based engineering development process.*

**Scope 3** (MBSE). *The demonstration implementation must be created using MBSE.*

**Scope 4** (Module Functionality Completeness). *All the modules of the simple protection system must be modeled functionally.*

[FPGA]

**Scope 5.** *One FPGA-based circuit card must be modeled/Designed in detail.*

**Scope 6.** *The level of detail in the design and supporting analysis should address independence of functions.*

**Scope 7.** *Independence should address interfaces between functions.*

**Scope 8.** *Independence should address self-testing implemented on the circuit card.*

**Scope 9.** *Independence should address voting between protection system elements.*

**Scope 10.** *The final product must be the design itself and the associated evidence to demonstrate its technical soundness.*

**Scope 11.** *NRC technical staff for I&C must review the “demonstration” material and identify additional information needed or material that is not needed for regulatory purposes.*

**Scope 12.** *The research project is to explore the full scope of MBSE; in particular, it is not limited to simulation-based validation of I&C system designs.*

**Scope 13.** *The project should use models and simulations in the early design phases and for the validation of I&C system designs, such as to confirm required behavior and identify unwanted or undesirable interactions.*

**Scope 14.** *For each aspect of MBSE, the kind of engineering artifacts should be identified and described to include their use as evidence of the soundness of the design.*

### 5.3.2 Domain Engineering Model

Our *domain engineering model* (or just *domain model*, for short) is a description of those conceptual elements unique to the domain of discourse for a given system. One can (and we do) *extract* a domain model directly from the artifacts salient to a system: RFPs, client documentation, standards, statutes, peer-reviewed papers, and more.

Galois has developed an NLP extraction tool that consumes documents, such as files in the PDF, Word, and ASCII or Unicode text file formats, and produces a histogram of *concepts* characterized by *grammatical category*.

Using that corpus, we remove those concepts that are common, widely understood, or generic to computer science and mathematics, and we are left with a prioritized list of concepts that we must represent in order to understand and write specifications in a given domain. Those concepts (nouns), and their character (adjectives) and interrelationships (verbs and adverbs) are the domain engineering model.

The domain model provides the semantics for the system requirements. Another perspective is that we build our *vocabulary* for specifying the system via the domain model. The high-level domain model is specified in LANDO. The RTS *domain engineering model* is represented at its highest abstraction level in a structured LANDO specification, shown in fig. 5.5, which defines all of the RTS artifacts using natural language.

The relations at the bottom of the source indicate that the RTS system *contains* each of the subsystems defined earlier in the document. Each of these subsystems is further elucidated, including identifying and defining the constituent components, in the relevant LANDO documents.

The LANDO model specifies the behavior of the RTS by defining a set of *events*, and using those events to define *scenarios*, which are (partial) executions of the system: the sum of the scenarios should define the legal behaviors of the system.

As an example, the external input actions of the system are specified in fig. 5.6. Generally, external events specify the different actions that the user can perform via the RTS user interface, including manually actuating a device or configuring various parameters such as setpoints or maintenance mode.

These events are used to specify scenarios, a selection of which appear in fig. 5.7. Scenarios are nothing more than a sequence of events. In section 5.8 we will see that these scenarios are used to perform validation.

### 5.3.3 Feature Model

The RTS system is actually a *family* of related systems. For example, the RTS can be configured to run (1) on a host system that simulates the behavior of hardware, or (2) on an *emulated* hardware platform, or (3) on a real device.

The specification of this *product line* is captured via a *feature model* specified in the LOBOT specification language. The model captures not only *variation points*, but also relations' valid values.

For example, note that the device can be configured, via `all_Devices_twins`, such that all devices are digital twins. A constraint (below the `where`) indicates that if this feature is set, then all devices (sensors and actuators) must have the corresponding twin feature set.

The LOBOT specification is heavily documented. Each *type* is used to capture a *feature* in the feature model. A *feature* is a decision (variation) point in the design of a product line. Legal/permitted sets of values of features are constrained by logical propositions included in `struct` declarations and their instances.

A `struct` is a collection of related features, listed as name-value pairs like in a typical *structure* found in many programming languages (what is known as a *labeled product type* in type theory), and a set of constraints which explain the legal configurations of its features. Constraints in LOBOT are specified after the `where` clause in the `struct` definition.

The LOBOT specification also acts as a specification for the build system, by precisely indicating which build configurations are available to the user. These constraints are expressed in the `where` clause of the `rts` struct. They specify that the `soc` must be a `Twin` exactly when all devices are twins, and the entire RTS runs as a virtualized platform exactly when either (a) the SoC is a twin, the board we are compiling to is a RISC-V VEGA board and there is no virtualized twin development twin platform in use (i.e., we are compiling to a real RISC-V CPU on a development board that is connected to sensors and actuators), or (b) the SoC is a twin and there is no board in use at all (thus, everything is running on a virtualized development platform, which as defined early in the specification, means that the RTS is running either on a POSIX host).

The LOBOT specification also includes a description of all legal products derivable from the RTS product line at this time. See the `rts_configs` instance of the `rts` struct and its associated constraints.

Finally, there are a small set of checks at the bottom of the LOBOT specification. These are theorems that the LOBOT tool will try to prove that must hold for all legal configurations of the feature model.

The first theorem, `check_bottom`, is a consistency check, akin to the requirements consistency checker provided in the FRET tool ( section 5.3.4) and the consistency check we perform for the ACSL, CRYPTOL, and SAW specifications (cf appendices E.6 and E.9 and section 5.5.1). All of these “bottom” checks are discussed below in section 5.8.2.

The second, `check_twin_build_configs`, checks that all virtualized builds do not need a development board.

Besides reasoning about feature models, the LOBOT tool has many other features, including the ability to count the number of models that exist, iteratively enumerate models, and drive back-end tools to turn models into systems (e.g., BSV CPUs) and assurance artifacts (e.g., RISC-V compliance tests). We are not using any of those features in this project.

The full LOBOT specification of the RTS system is found in ??.

### 5.3.4 Formalized Requirements

The *requirements* expressed in LANDO form the basis of the specification of the RTS. However, as they are written in natural language, they are not suitable for consumption by tools (such as formal verifiers) that can check whether or not a model (section 5.5) or implementation (section 5.7) satisfies a specification. The natural language requirements written in LANDO must be formalized before they can be used as specifications for tools “lower” in the modeling and implementation stack.

We use NASA’s FRET tool to help produce formalized requirements from our LANDO specification. Use of a tool like FRET helps the designer in two complimentary ways.

First, FRET allows the user to use diagrams, simulators, and model checkers to explore requirement semantics. The user can use these tools to gain confidence that the formal representation accurately captures the intent of the corresponding natural language requirement. This analysis establishes the refinement step from the LANDO specification to its formalization.

Second, FRET can automatically machine-check requirements for *realizability*. Realizability-checking checks that an implementation of a component exists that conforms to the requirements given any combination of valid inputs. This analysis guarantees the requirements are non-vacuous, and can thus be used in further refinement steps.

Figure 5.9 is a screenshot of the FRET requirement editor. FRET’s input format is a stylized form on English NASA calls FRETish. FRETish is fairly easy to write and read, especially with interactive tool support, has a formal semantics, and is machine interpreted.

In order to deeply understand and debug requirements captured in FRET, one can use the tool to automatically convert a requirement in FRETish into two different-but-equivalent semantic interpretations written in *Linear Temporal Logic* (LTL): *future time LTL* and *past time LTL*. Essentially, these interpretations are duals of each other, one explaining the meaning of a requirements with regards to the *past*, and the other with regards to the *future*.

Also, as mentioned previously, FRET permits one to reason about a set of requirements in several ways. Requirements can be checked for *consistency*, *completeness*, and *realizability*. All three checkers have a similar user interface. The user interface of the realizability checker is shown in fig. 5.11.

Every requirement specified in the top-level LANDO model which is about system properties is translated, using the RTS domain engineering model, into a

FRET requirement. Traceability is maintained using our standard methodology of name translation between models.

Requirements that are project goals, constraints/scope, or architectural are not translated into FRET, as they have no semantic meaning with regards to the architecture. The only way such informal/semi-formal requirements can be demonstrated is with informal/semi-formal assurance artifacts, such as the requirement *NRC Understanding*. The full set of project requirements are found in appendix [A.9](#).

## 5.4 System Architecture and Models

The system model is refined from the LANDO specification to SysMLv2. The SysMLv2 models capture system-level aspects of the RTS. The full SysMLv2 model is found in appendix [D](#).

The structure of the SysMLv2 specification includes a direct refinement of the LANDO specification. Structural properties are maintained through the refinement, all informal/semi-formal LANDO requirements are refined to SysMLv2 requirements, the LOBOT model is refined to a SysML variation model, all formal FRET requirements are refined to SysMLv2 properties, etc.

The SysMLv2 specification, as it is a refinement of the LANDO specification, also includes new details about the system that were not expressed, or were expressed abstractly, in the LANDO specification.

For example, the hardware components used to build the demonstrator (e.g., all of the parts on the FPGA board, all sensors, solenoids, etc.) are itemized in the **RTS Hardware Artifacts** SysMLv2 package. The hardware is assembled into the RTS demonstrator, as explained in the **RTS part**.

Additionally, the context and stakeholders that hold concern about the RTS system are also captured in the SysMLv2 specification in the **RTS System Contexts** and **RTS Stakeholders** packages.

SysMLv2 tools currently are only capable of type checking a SysMLv2 specification and rendering views on that specification in SysMLv2's graphical syntax. At the moment, there is no means by which to behaviorally simulate a SysMLv2 dynamic model (such as an abstract state machine) or to refinement check that a SysMLv2 model conforms to an abstraction (such as a LANDO specification) or a refinement (such as our CRYPTOL or ACSL models or their implementations). The development of such refinement tools is part of the focus on a new DARPA I2O project starting in late 2022 led by Galois.

## 5.5 Executable Behavioral Model

The next major refinement step of the RTS is an executable, denotational model of its behavior. In the RTS, our executable model not only serves as a reference to guide implementation, but is also used to *generate test vectors* (??), *synthesize*

implementations (section 5.7), and serve as a specification for formal tools to reason about implementation correctness (section 5.8).

### 5.5.1 Cryptol Model

The RTS executable model is specified in CRYPTOL. Each component is specified in its own CRYPTOL model.

For example, the `Actuator` model is shown in fig. 5.12. The model includes a definition of the `Actuator` state, which is a record consisting of the last input from the voting stages, plus the last manual actuation command: both are Boolean values (which is a `Bit` in CRYPTOL).

Next, the model defines three functions: two (`SetInput` and `SetManual`) which simply set one of the two input bits, and one (`ActuateActuator`) which defines the logic for combining the signals from the two `Actuation Logic` stages into a single actuator command (via a logic OR).

Part of the `Actuation Unit` is shown in fig. 5.13. The terms shown model the logic (`TemperatureLogic`) for whether or not a set of temperature readings should result in a trip signal generation. This model includes a (local) definition of 2-out-of-4 coincidence logic.

### 5.5.2 Formal Requirements Satisfaction

In both CRYPTOL models, we connect models to requirements to establish the refinement of the high-level specifications and requirements to the behavioral model.

*Every* FRET formal requirement is refined to a CRYPTOL property (what amounts to a first order theorem) and all demonstrated to hold on the CRYPTOL model using:

- dynamic checking through the use of CRYPTOL’s `:check` command which randomly generates values and checks that the property holds for those concrete values, and
- formal verification, by *proving* that the properties hold for all inputs using a SAT or SMT solver, using CRYPTOL’s `:sat` and `:prove` commands.

For example, in the `Actuator` module, we indicate that `ACTUATION_LOGIC_MANUAL_DEVICE_0` and `ACTUATION_LOGIC_MANUAL_DEVICE_1`, which capture the requirement that the actuators have a manual mode, is satisfied trivially by representing the manual actuation state explicitly.

In the listing from the `ActuationUnit` module, we show how we indicate the satisfaction of `ACTUATION_LOGIC_VOTE_TEMPERATURE`, which says that 2-out-of-4 coincidence logic should be used to determine if a trip signal should be generated. We capture this requirement as a *property*, which is just a function that tests whether or not the requirement is satisfied on a single input value. Properties such as these can be *proven correct* for *all inputs* using CRYPTOL and (using SMT solvers under the hood). In this case, proving the property correct means

that for all input signals, the model of the temperature logic returns a value consistent with the requirement.

In the full CRYPTOL model, which is located in appendix E, you will see dozens of properties about the model, and all of them are formally verified (see the `check_model.icry` script which is driven by the model `Makefiles`'s `check` rule) and can dynamically validated, if one so desires.

## 5.6 Behavioral Model-based Interface Specification

Our CRYPTOL model is next refined to an ACSL specification of a C architecture. The C architecture is specified by refining the SysMLv2 and CRYPTOL models, preserving structure and properties as normally done in our methodology.

Such a refinement not only makes for simple traceability up and down the refinement hierarchy, but also helps make formal verification of the implementation (both software and hardware) straightforward, as discussed below in section 5.8, such as in the use of SAW for proofs of correctness of software components against their CRYPTOL specifications.

ACSL is the de facto standard formal specification language for C and C++ programming and is specified in an ISO standard. Many tools understand ACSL, most of which are a part of the Frama-C tool suite from CEA. ACSL specification are written either in C header files, as seen in the RTS's `instrumentation.h` and `platform.h` files found in appendix E.9, or in C implementation files, as seen in the `instrumentation.c` and `actuation_unit.c` files, all of which are included in appendices E.7 and F.

## 5.7 Implementation

The RTS implementation is a refinement of its higher-level LANDO, SysMLv2, and CRYPTOL specifications. Every component of the implementation—including the hardware and bare-metal software—is derived directly from earlier specifications.

### 5.7.1 Hardware Components

The RTS hardware consists of a small System-on-Chip that contains one or three instances of a small RISC-V RV32 CPU called the NERV CPU, developed by our colleagues at YosysHQ.

NERV stands for the Naive Educational **RISC-V** Processor. It is a simple, small, open, RISC-V CPU that has been formally assured for correctness against the RISC-V ISA specification. We chose to use NERV exactly because it had these properties.

**Overall Implementation Size, Shape, and Location.** The overall implementation consists of:

- a set of Bluespec SystemVerilog (BSV) modules that describe our RISC-V System-on-Chip, spread across ten files located in [hardware/SoC/src\\_BSV](#),
- a set of Verilog files which are compiled from the aforementioned BSV (six files located in [hardware/SoC/verilog](#)),
- a set of Verilog files imported in order to implement the SoC, either in simulation or emulation, located in [hardware/SoC/src\\_Verilog](#) and [hardware/SoC/Verilator\\_RTL](#), and
- a set of SystemVerilog files (three generated files located in [src/generated/SystemVerilog](#), and one that is handwritten located in [src/handwritten/SystemVerilog](#)).

The Bluespec SystemVerilog is just over 1,000 lines long. The Verilog and SystemVerilog is only around 150 lines long.

**RISC-V.** RISC-V is the Instruction Set Architecture (ISA) for the fifth generation of RISC processors. It is an open, unencumbered ISA, therefore anyone can use the ISA for any purpose with no cost, and no encumbrance, to design or manufacture FPGA or ASIC-based CPUs. Dozens, and perhaps now, hundreds of RISC-V CPUs have been developed over the past eight years.

The software ecosystem that sits on top of RISC-V is very rich as well, and includes operating systems (Linux, FreeBSD, FreeRTOS, and others), compilers (gcc and clang both fully support RISC-V), and much more.

The RISC-V ISA is semi-formally specified via a set of standards documents and is formally described in a specification in the SAIL language/platform.

The NERV CPU is formally verified against an interpretation of this specification using the [riscv-formal](#) assurance framework, also developed by YosysHQ. Using [riscv-formal](#), one can prove, using a hardware formal verification tool like JasperGold, OneSpin, or Yosys, that every instruction in the ISA is exactly implemented correctly according to the specification.

The simple, clean, elegant, precise design of the RISC-V ISA is what makes this level of assurance possible. One cannot, in general, formally assure any other flavor of CPU (x86, ARM, MIPS, etc.) against its ISA as easily, or even at all.

The NERV design is located in the [HARDENS/hardware/nerv](#) directory, which is, strictly speaking, just a submodule of our project directly imported from YosysHQ's GitHub project.

**The RTS System-on-Chip.** The RTS SoC is a small, one or three core, CPU. Its design is exactly driven by the requirements that flow down to the hardware via refinement through the specifications previously summarized.

The design of the RTS SoC is located in the [HARDENS/hardware/SoC](#) directory<sup>1</sup>. The SoC is written largely in the Bluespec SystemVerilog (BSV) language, which is a high-level Hardware Description Language (HDL) which compiles to the Verilog HDL. The Bluespec tool suite includes a compiler called `bsc` which can compile BSV to either an executable software emulator of the design or a Verilog RTL implementation. Either can execute the RTS system, though we only use the latter in the project.

**Simulating or Emulating the CPU or SoC.** In order to execute a Verilog design, such as the RTS CPU or SoC, one use any number of the following choices:

1. simulate in a commercial/proprietary RTL simulator, such as those available from Cadence, Synopsys, or Siemens,
2. compile to a software simulator using a complementary commercial/proprietary tool from one of those three EDA firms or a handful of others (such as [Metrics](#)),
3. compile to a software simulator using an open source, freely available RTL compiler such iVerilog, Verilator, or Yosys,
4. compile to a hardware FGPA-based emulator using a commercial/proprietary tool chain such as those provided by Xilinx, Intel, Lattice Semiconductor, and others, or
5. compile to an open source FGPA-based emulator using an open source, freely available tool chain such as that provided by YosysHQ, Berkeley's FireSim, or others.

For the HARDENS project, we use the Verilator simulator and the YosysHQ and Lattice Semiconductor-based FPGA compilers.

**SoC Design.** The SoC is either one or three core because the RTS software implementation can either run on a single CPU core or can be split across three CPU cores. See section [5.7.2](#) for more information.

The three CPU design is novel because it closely adheres to the requirements that refine from the system and model-based designs.

Traditional architectures for a three core CPU would either have (a) three completely separate CPUs that have separate memories and communicate via message passing or monitors, or (b) three CPUs that share a single memory and a level two cache in order to communicate via more traditional, ad hoc shared memory mechanisms.

For the RTS SoC, we find that only two of the CPUs need to communicate with each in one very small fashion, discussed below. In particular, we arrange the RTS architecture on the hardware in the following way:

---

<sup>1</sup>Located on GitHub at [HARDENS/hardware/SoC](#)

- On CPU #1, we place computation that communicates with the outside world over a UART, both for programmability and the RTS user interface.
- On CPU #2, we put instrumentation and actuation communication and computation in order to read sensors, drive actuators, and make instrumentation decisions.
- Finally, on CPU #3, we put the core abstract state machine that is the core computational loop of the RTS.

**Product Configurations.** Based upon our architecture, the RTS can be deployed in one of several different product configurations. The entire system can be deployed in one of three ways:

1. On a single FPGA, which emulates either a single CPU or a three core CPU.
2. On three FPGAs, each of which is a single independent CPU, and information is transmitted between the two CPUs which must communicate via a simple mechanism like a GPIO line.
3. One three normal compute elements, such as a normal Linux machine or a computational container (such as a Docker or Kubernetes instance), each of which either simulates a RISC-V CPU or simply runs the POSIX version of the subsystem. In such a configuration communication between compute elements would take place over, e.g., Ethernet.

The current implementation has much of what is necessary to realize any of these configurations, but the only configuration that is complete and delivered is the POSIX digital twin configuration and much, but not all, of the single FPGA configuration with the three core SoC.

**Hardware Divisions of Instrumentation.** The divisions of instrumentation are redundantly implemented, as described in the proposal and the system architecture, as two software and two hardware implementations, and one of hardware implementations is implemented by hand and the other is automatically generated from our CRYPTOL model (we discussed generation below in section 5.7.3).

Because the instrumentation is implemented in hardware, as are some of the drivers for the sensors and actuators, for that matter, the FPGA will execute those modules concurrently, independently, and if one of them were to fail for some reason (e.g., were it to deadlock), it will not affect the execution of the other modules.

The source for these two implementations is located in appendix E.7 and in the project filesystem in [src/generated/SystemVerilog](#) and [src/handwritten/SystemVerilog](#). These implementations are demonstrated to be functionally equivalent to each other through formal verification, as discussed below in section 5.8.

**Current State of the Hardware Implementation.** Despite all of the work on formal assurance and system modeling, the hardware implementation is not complete. In particular, we are 90% of the way to completing synthesis and debugging the three core RISC-V SoC, but it (a) does not operate properly, and (b) we are not yet cross-compiling the RTS system to deploy them on the SoC. The reason that we have not finished the hardware implementation is that we have run out of project resources, given the very small budget for the project, and the remaining work is purely engineering, and involves no formal assurance or novel research. If more resources are made available on this topic, we can easily finish up the implementation.

### 5.7.2 Software Components

The software components in the RTS implementation are arranged into 8 header files and 23 implementation files, all of which are implemented in verifiable C. The total size of the implementation is approximately 2,300 lines of code, and that includes all assurance-related code as well.

The actual size of the core behavioral implementation of the RTS (including all product variants and digital twins) is only 1,400 lines of hand-written C code and 700 lines of automatically generated C code.

**Header Files.** All header files are located in [src/include](#). The header files contain type declarations for named C types, functions, and ACSL behavioral specifications of both. The core ACSL behavioral axiomatic specifications are located in [src/include/models.acsl](#). We discuss these model-based ACSL specifications below in section 5.8.3.

All common types and constants are located in [src/include/common.h](#). Every single type declaration and constant is refined directly from the system architecture and CRYPTOL model.

Product line variants are concretized in three macros at the bottom of `common.h` called `VARIANT`, `VARIANT_IMPL`, and `VARIANT_IMPL2`.

There are a handful of helper macros defined to help write terse specifications. They are:

- `ShouldTrip` in [src/include/instrumentation.h](#),
- `DEBUG_PRINTF` in [src/include/platform.h](#),
- `ASSERT` in [src/include/platform.h](#), and
- `MUTEX_LOCK` and `MUTEX_UNLOCK` in [src/include/platform.h](#).

**Implementation Files.** The software implementation is written to be portable across any typical POSIX build platform and as a baremetal implementation on an arbitrary ISA. Each device in the instrumentation subsystem is implemented as both a software digital twin (a mock of our real hardware) or as a software

driver to the real hardware. (Recall from the discussion above in section 5.7.1 that each device is also implemented as a hardware driver in parallel.)

Some of the implementation files are used to provide assurance of the low level model(s) of the RTS or its implementation. For example, `src/bottom.c` is used to formally verify model consistency, and runtime tests are located in the files in the `src/tests` directory. We discuss their design and use below in section 5.8.

The implementation, as discussed above in section 5.3.3, has several variants. Code that is used to generate implementations of these variants is located in `src/variants`, and basically amount to setting a handful of variation point constants from the LOBOT model to the right values for the implementation and using `#include` to import the variant code.

Code used to generate model-based tests and run bisimulation is located in `src/self_test_data` and is discussed below in section 5.8 as well.

The two top-level files that represent the core of the two main variants of the RTS (POSIX and baremetal) are located in `src posix_main.c` and `src/rv32_main.c`. The former implements both a single-threaded and concurrent version of the software digital twin. The feature that controls which variant is built is called `USE_PTHREADS`. The latter has to include variant BSP-specific header files, I/O definitions, and more, typical of any embedded systems code.<sup>2</sup>

### 5.7.3 Model-derived Components

Two kinds of RTS implementation components are automatically generated from models. Both are critical parts of the instrumentation subsystem, and as described in the original HARDENS proposal, nearly all are a *pair* of implementations of different components of instrumentation—the actuation unit, the actuator, the saturation check, and the instrumentation component—that are meant to be exactly behaviorally equivalent. A discussion of the formal evidence for such is included below in section 5.8.

Some of the assurance artifacts are also automatically generated from models, and are thus model-derived, but they are not discussed here.

In general, each automatically generated software component is created by the CRYPTOL tool, which has the ability to compile executable CRYPTOL models into correct-by-construction implementations in C, JVM, and SystemVerilog. We use two of these three backends; the software-targeting model compiler is called `crymp` and the hardware-targeting model compiler is called `cryptol-verilog`. The SAW tool, which we use in this project for formal assurance of some of the software implementation, also has the ability to compile to correct-by-construction implementations as well (in LLVM).

The `generate_sources` build rule and its dependencies in the main software `Makefile` is how code generation is controlled. It is decomposed into two rules, one to build software (`generate_c` and its dependencies) and one to build hardware (`generate_sv`).

---

<sup>2</sup>BSP means Board Support Package.

#### 5.7.4 Hand-Written Components

The hand-written components of the RTS software stack include:

- the trivial “bottom” implementation that is used to check CRYPTOL and ACSL specification soundness/consistency (discussed below in section 5.8),
- the software common across all variants, including core data type declarations, functions which interoperate with instrumentation subsystems (reading channels, device values, trips, modes, state, resets, self-testing, etc.), all of which are located in `src/common.c`,
- the RTS UI, located in `src/core.c`,
- the RTS self-test functions, located in `src/core.c`,
- the wrapper around the four different-but-equivalent critical instrumentation subsystems, located in `src/sense_actuate.c`, and
- the core abstract state machine states and transitions of the RTS, implemented twice for the two main product variants, as discussed above, located in `src posix_main.c` and `src/rv32_main.c`.

**Tracing and Understanding Software Implementations and Their Specifications in the RTS.** In general, every implementation component—whether it is a datatype declarations, a store reference declaration (that is to say, a memory location that is named, typed, in a fixed location, and holds a particular piece of RTS state), or a function—is specified semi-formally in LANDO (in English) and formally (in ACSL and CRYPTOL). One can trace between these elements using our name-based, refinement-centric traceability methodology.

In this document’s appendices (??–?? we provide an explicit means by which to trace between all components and subsystems. In what follows we provide some examples of this traceability.

**Reviewing and Tracing Software.** One can discover where the core software located in `src/common.c` is documented by following its dependencies. For a C implementation, one looks at the (transitive) set of header files that are included via C preprocessor `#include` directives. For example, in the case of `common.c`, these files are `core.h`, `platform.h`, `actuate.h`, and `rts.h`. Likewise, `core.h`, in turn, includes `common.h`.

These dependencies are depicted in ???. Note how header file dependencies largely mirror package dependencies in the system architecture.

Each type declaration—both data types (such as the various array types in `platform.h` and structure types in `common.h`) and function types (such as those found in `actuation.logic.h`) in the C code refine isomorphic composite and functional data types, respectively, in either or both the ACSL and CRYPTOL specifications. Likewise, each function further refines those defined in the LANDO specification or the same name.

For example, the Mission Essential Function (MEP) C function `Is_Ch_Tripped`'s C type signature is defined in line 37 of `instrumentation.h`, its meaning is defined in the associated contract on line 35, in the ACSL model in line 49 of `models.acsl`, which states on line 48 that it refines the CRYPTOL specification `RTS::InstrumentationUnit::Is_Ch_Tripped` which is located on line 138 of `InstrumentationUnit.cr`, which in turn refines the SysML specification starting on line 146 of `RTS_Static_Architecture.sysml`, which in turn refines the LANDO specification found in `instrumentation.lando`.

Likewise, you will find alternative implementations of `Is_Ch_Tripped` in hardware in the Verilog files `mkInstrumentationHandwritten.v` and `mkInstrumentation-Generated.v`, the Bluespec SystemVerilog files `Instrumentation_Generated-BVI.bsv` and `Instrumentation_Handwritten_BVI.bsv`, the Verilog generated from CRYPTOL in `Is_Ch_Tripped.sv` and its hand-written sister in `Is_Ch-Tripped_Handwritten.sv`, etc.

## 5.8 V & V artifacts

### 5.8.1 Reviewing and Tracing Evidence

To continue with the traceability discussion of the last section, one can trace from source code and specifications to all of the related validation and verification by continuing to follow names in validation and verification files.

So, in the case of `Is_Ch_Tripped`, we can find hardware formal verification artifacts in `saw/generated/Is_Ch_Tripped.yosys` and `saw/handwritten/Is_Ch-Tripped.yosys`, and on lines 10, 11, 36, and 37 of `saw/instrumentation.saw`.

### 5.8.2 Specification Consistency

The first critical property to check before anything other is *specification consistency*. A specification is consistent if it contains no logical contradictions; occasions where both a proposition  $\phi$  and  $\neg\phi$  are stated to hold simultaneously.

If any fragment of specification contains an inconsistency, and a verification depends upon that fragment, then the inherent contradiction implies that the precedent of one or more theorems we intend to prove is false, and thus the those theorems trivially hold, since the proposition  $false \rightarrow B$  holds for any  $B$ .

Such specification inconsistencies are the bane of formal verification practitioners the world-over. When a hidden inconsistency happens, usually through a specification error, suddenly automatic verification becomes very simple, and even the hardest verifications go through immediately. This is a warning sign, and the consistency problem must be addressed.

In order to avoid this circumstance, the methodological mitigation we use in RDE is to always state false theorems (what are called “bottoms”) about every goal, requirement, model, and implementation, and try to prove those false theorems are valid (true). If we can ever prove such a fallacy, we know our specifications are inconsistent, and must be corrected.

We thus construct “bottoms” for every layer of our RDE specification. In the case of HARDENS, we must do so in our formal requirements specification (in FRET), in our feature model (in LOBOT), in our denotational and executable model-based specification (in CRYPTOL), in our proof scripts (in SAW), and in our model-based behavioral interface specification language (in ACSL).

Our verification bench must check, preferably automatically, each of these “bottom” theorems, prior to attempting to check any other evidence: any “real” theorem about the system.

For our formal requirements specification, the FRET tool includes a specification consistency checker that does just that. In our LOBOT specification, the `check_bottom` property on line 242 of `RTS.lobot` is this theorem. For our ACSL specification, the “bottom” C implementations of every core function of the system, located in `bottom.c`, does just that too.

Once all consistency checks pass, we can now focus on using specifications to check the correctness of the RTS.

### 5.8.3 Model-based Assurance

Correctness checking is based upon *evidence artifacts* which demonstrate that *properties* which imply *requirements* and their associated *goals* are satisfied.

Evidence comes in several forms, ranging from semi-formal and manual to formal and automatic. We demonstrate the use and presentation of this full range of evidence artifacts in the assurance of the RTS.

Historically, especially for document-based assurance methods with manual review of assurance cases, as done in a handful of national and international certification standards—such as the NRC’s, the FAA’s DO-178, Common Criteria, DoD branch flight certification, and the NSA’s “old” style certification—only semi-formal arguments written in natural language (i.e., English) are under evaluation.

While those arguments often call out to, or summarize, external technical evidence artifacts, such as tests or third party peer-review, they do not often refer to formal models, source code, or their properties. With model-based assurance, new forms of evidence become not only possible, but reasonable, as we can now make direct reference to formal models, source code, and their properties.

This evolution is comparable to the difference between an informal argument which appeals to common sense and intuition about statistical matters and a formal argument that *uses statistics* to prove a supposition. Likewise, it is the difference between a middle school math book that teaches by example and rote and a university text book which teaches and uses theorem proving techniques.

In computer science and mathematics (especially logic), a similar transition has been underway over the past twenty years, elevating precision and evidence even from this latter example. Mathematics textbooks and top computer science conference papers used to be written only in very precise English—complete with formal definitions, theorems, and proofs (aka formal models and their properties)—until a movement started in *open mechanization*.

Mechanization is the process of making a formal, human-readable, human-writable, human-reasonable model and its properties machine-readable, writable, and reasonable. By “reasonable” we mean the steps taken in making or evaluating a model, a property/theorem, or a proof. Moving from (only) human-based to both human- and machine-based means that a computer double-checks our work. It also means though that we cannot elide, skip steps, or only appeal to a reader’s intuition. Every single aspect of a model and proof is laid bare to both the human and the computer.

Mechanization does not mean that the models and proofs are **not** human-readable or approachable. The tools that are used for these kinds of model-based specifications and arguments are largely designed by and for mathematicians/-logicians, after all.

The tools that we use in the creation of the RTS demonstrator are a subset of the tools widely available for mechanized model-based systems engineering. These tools and others are discussed broadly, and in more detail, in ???. The tools we chose to use in HARDENS are those we deem appropriate for the task: they are some of the best tools available, they lean into the kinds of modeling, properties, and evidence necessary for nationally critical infrastructure, and they are open source and freely available.

In what follows we move through each kind of model and evidence present in the RTS. By discussing each flavor separately, we can both demonstrate that the RTS is high-assurance and fulfills its semi-formal requirements and also teach about best practices in the presentation and evaluation of model-based systems.

#### 5.8.4 Kinds of Evidence

To recap our discussion of evidence from earlier chapters, the new kinds of evidence that are available via model-based engineering largely fall into four categories: (1) the *application of rigorous patterns of relations between artifacts*, (2) *dynamic demonstration of property validity* against models and programs, (3) *static demonstration of property validity via automated solving*, and (4) *static demonstration of property validity via mathematical proof*.

While each of these forms of evidence is present in the RTS in plurality, we only discuss one or two examples per flavor so as to not be overly pedantic and overwhelm the reader. Given our recommendations in chapter 4, especially those in section 4.3, it should be unnecessary to pedantically discuss in an informal fashion, as we do here, every nook and cranny of every model, property, and piece of evidence.

Instead, a reviewer should be able to find the rhythm of a model-based system’s design, implementation, and assurance and, by judicious randomized exploration of artifacts, quickly gain surity or distrust of a system and its assurance. By demanding less from both sides of the reviewer/reviewee relationship, by embedding more in models, the creation, presentation, and review of evidence is significantly less costly and time-consuming than traditional, pedantic-but-informal, processes.

### 5.8.5 Assurance of the RTS

In this section, we move through each layer of the RTS specification and assurance case, from most informal to most formal, following traceable lines of evidence and refinements.

In the RTS implementation, the file `Assurance.md` also contains a detailed write-up of the rigorous assurance of the entire system.

1. test vectors for self-test implementation
2. equivalence proofs of cryptol & implementation (SAW)
3. ACSL model refinement of cryptol (in-line with source)

**From the Lando Specification.** As discussed in section 5.3, the LANDO specification contains the transliteration of RFP and IEEE goals and requirements for the RTS. Thus our relations and refinements start with precise English properties expressed in LANDO, and refine to specifications in our feature model (in LOBOT), formal requirements (in FRET), and our system architecture (in SysMLv2).

Some of these requirements and goals are extremely informal, such as ??:

Evidence for our fulfilling these kinds of requirements is provided only through reference to concrete artifacts, such as project contracts, this report, project communications, slide decks that summarize the material, etc.

Other system or project requirements, especially ones that are semi-formal and can be refined to formal models, are linked in the assurance case to their refinements. For example, the requirement ?? points directly to the system architecture and its software and hardware:

Likewise, several requirements have a formal meaning and are directly traced to formal assurance artifacts, especially in FRET, and hence CRYPTOL, models. A good example of such a requirement is ??, which refines to several different specification and assurance artifacts:

Recall that structural models refine directly to models with refined structure. For example, the LANDO system architecture, instrumentation, and dataflow specifications have this nature, and all directly refine to naturally named structures in other specifications.

**From the Lobot Specification.** The feature model specification written in LOBOT describes the products derivable from the product line. Its refinement connects to the build system that is used to generate products and to architectural, specification, and code components that help concretize those products.

The RTS build system is found in a set of simple `Makefiles`. Each build file attends to a separate concern, based upon its location in the filesystem.

- `hardware/SoC/firmware/Makefile` builds the RTS firmware for the FPGA-based demonstrator.
- `hardware/SoC/Makefile` builds the RTS SoC and its digital twins.

- `hardware/nerv/Makefile` builds the NERV’s digital twin (using iVerilog), basic firmware, and testbench.
- `saw/Makefile` compiles critical components of the RTS using the LLVM compiler to LLVM bitcode and runs SAW to formally demonstrate assurance of those components.
- `specs/Makefile` runs the LANDO and LOBOT tools to check all of the high level specifications.
- `Makefile` runs ...
- `models/Makefile` runs CRYPTOL to assure all properties to validate (via 10,000 model-based randomly generated tests) and formally verify the CRYPTOL model of the RTS.
- `report/Makefile` runs the `latexmk` tool to build the RTS final report (this document).
- `src/Makefile` builds the RTS “bottom” implementation and all digital twins, generates all model-based test data from CRYPTOL, builds all variants, runs various tools to automatically generate model-based implementations (software and hardware), and the hardware digital twin using `verilator`.

**From the FRET Specification.** The FRET specification is encoded in the filesystem using an internal JSON format supported by the FRET tool. That specification is flattened into a human-readable model of all of the RTSFRETish requirements in appendix C.

Each FRET requirement is refined from a SysMLv2 requirement, which in turn is refined from a LANDO requirement. Refinement of semi-formal natural language specifications, such as requirements, means that either the text of a given requirement is syntactically identical on both ends of the relation (i.e., the text in the LANDO is character-by-character equal to that which is in the SysMLv2), or the refined requirement has more information.

**From the SysMLv2 Specification.** The main properties *uniquely* described in the SysML specification is the structure of the RTS system. Consequently, the main assurance artifact associated with this specification is solely the structure-preserving refinement that is used upward (abstractly) to the LANDO specification, and downward (concretely) to the CRYPTOL and ACSL specifications described below.

A full, rich SysML specification would also include system properties (such as those captured in our FRET specification) as expressed in the SysML model. But those are wholly redundant in the RDE methodology, as they would be nothing more than a transliteration of the syntax of FRET to the syntax of SysML expressions. Thus, they are elided.

**From the Cryptol Specification.** The CRYPTOL specification, as discussed earlier, contains a transliteration of every FRET requirements and every behavioral property of the system as CRYPTOL first-order properties.

Cryptol properties are *theorems* about the CRYPTOL model. Thus, the assurance of the CRYPTOL model is wholly dependent upon the completeness, consistency, and correctness of these theorems.

We demonstrate the assurance of the CRYPTOL model by runtime checking and formally proving every property on the Cryptol model. The assurance script located at `models/check_model.icry` loads in the specification of every critical subsystem of the RTS model (e.g., `:m RTS::InstrumentationUnit`) and either `checks` or `proves` all properties therein.

Recall that every FRET property is transliterated to a CRYPTOL property. Consequently, proving every property of the model proves that the model is complete with regards to the properties (and thus the original system requirements), and is consistent (because we cannot prove the false theorem), and is correct (because the properties hold for any realization of the system under all inputs, given we are largely using the `prove` command everywhere).

The final property, `end_to_end_test` is a property that specifies how the whole of the RTS holds together. As it is a trace property through the entire system, it cannot be automatically formally proven, but only simulated and runtime verified.

**From the ACSL Specification.** Key properties of critical components from the aforementioned models are also transliterated, if relevant, into the ACSL model of the software system.

Properties becomes assertions of various kinds—preconditions, postconditions, invariants, and assertions—and thus express the correct behavior of the system at the software refinement level.

We use these models to formally assure the correctness of the hand-written and automatically generated C implementations of these critical components (e.g., those in `instrumentation.h`). Several kinds of analysis are used, in series, to build up to a full formal assurance case. First we prove that the code contains no underdefined behavior and then we perform full formal verification of the implementations against the contracts.

Normally we would also use these models to automatically generate a model-based runtime verification harness for the software implementation so as to demonstrate that all checks are valid as runtime assertion checks on all digital twins and on the deployment platform. This project had insufficient resources for us to also add this extra level of assurance.

**From the SAW Specification.** For C implementations, we use SAW to prove correctness between the Cryptol model and the LLVM bitcode. For SystemVerilog implementations, we use SAW to extract a Verilog module from the Cryptol specification, and then use the Yosys tool to prove equivalence between

the extracted Verilog module and the generated or hand-written SystemVerilog module.

Not only does this establish the functional correctness of the component in question, but writing such specification (that can be precisely checked) ensures that the interface between components is made precise. For example, the final specification must take into account any differences in endianness assumptions between the source (Cryptol) and the target (e.g., the Verilog hardware design).

### 5.8.6 Hand-written

We use a tool called `pexpect` to do end-to-end testing of scenarios. Each test case is a transcription of a LANDO scenario that matches UI output. The file `tests/README.md` explains the end-to-end runtime verification for the RTS in detail.

Each test scenario specified in `specs/test_scenarios.lando` is translated into a parametrized software test, either driven directly against the software through function call invocation or, better yet, as driven through the top-level UI.

By driving through the external UI, we can use the same model-based parametrized tests to drive digital twins (like the CRYPTOL model or the software simulation of the RTS in either the Posix or `RV32_bare_metal` configurations of the product line) or directly on the FPGA deployment platform.

31310021R0046

**Title: Assessment of Model-Based Systems Engineering Processes in a Regulatory Review Context for Digital Instrumentation and Controls of Existing Nuclear Power Plants**

**C.1 Background**

Over the past 15 years, Model-Based Systems Engineering (MBSE) has emerged as powerful methodology and practice for realizing and verifying complex embedded systems while providing rigorous evidence of functional and safety compliance. The phrase "Model Based Systems Engineering" has been used in many different contexts to the point where its meaning and purpose is vague. For safety critical systems design, the definition from the systems engineering and the formal methods community is appropriate.

*"Model-Based Systems Engineering (MBSE) is the formalized application of modeling to support system requirements, design, analysis, verification and validation activities beginning in the conceptual design phase and continuing throughout development and later life cycle."*

Because of its capability to address the software and system complexity and productivity challenges of complex distributed embedded systems, MBSE is quickly becoming the preferred engineering paradigm for the development of such systems across a variety of application domains. However, MBSE has not been used in any significant degree in the nuclear industry.

The NRC's guidance for digital I&C has its origins in a document-based waterfall development model. Modern software (SW) engineering environments are increasingly using highly integrated ecosystems of SW and hardware (HW) development tools with less reliance on published documents during development. These approaches tend to view the model as a portable "executable specification." The NRC is investigating the potential utility and impacts of MBSE methods and tools to the established review process of I&C for nuclear power plants (NPPs).

Documents are created by and for people to use (in the nuclear I&C domain) and are mostly natural language descriptions. Electronic representations, such as models, can be statically and dynamically analyzed by electronic tools. Although a human can never be removed from the development process, certain analysis tasks can be performed more quickly and accurately by electronic tools. Such tools may be difficult to qualify using current NRC criteria, which is focused on whether defects in the tool or resulting software would not be detected by other verification and validation activities.

**C.2 Objective**

The objective of this contract/order is to obtain expert technical services in order to develop a better understanding of: (1) how Model-Based Systems Engineering (MBSE) methods and tools can support regulatory reviews of adequate design and design assurance, (2) identify any barriers or gaps associated with MBSE in a regulatory review of Digital I&C for existing NPPs.

**C.3 Scope of Work**

The proposed research approach is for the implementation of a simple protection system using both: (1) highly integrated computer-based engineering development processes, and (2) MBSE. All the modules of the simple protection system would be modeled functionally, and one FPGA-based circuit card would be modeleddesigned in detail. The level of detail in the design

Page 5

**Figure 5.1:** NRC RFP Page 5

31310021R0046

and supporting analysis should address independence of functions. Independence should address interfaces between functions and self-testing implemented on the circuit card, as well as voting between protection system elements.

The final product would be the design itself and the associated evidence to demonstrate its technical soundness. Then the NRC technical staff for I&C would review the "demonstration" material and identify additional information needed or material that is not needed for regulatory purposes.

Different parties have different ideas about what it means to use MBSE. This research is intended to identify and explore an existing state of the practice, and not to develop new engineering practices.

MBSE, with its inherent ability to analyze and simulate many different scenarios may be a superior approach for more complex systems, structures, and components (SSCs). Modern digital systems tend to be more complex because they are SW intensive and include more shared resources, more coupling of resources (e.g., digital communication, heterogeneous computing devices), and sometimes adaptive abilities. For these reasons, MBSE is often needed to design such systems to high levels of design assurance. Therefore, the regulator must be prepared for MBSE applications where non-document-based evidences are part of a safety evaluation.

For relatively simple applications, such as a reactor trip system, MBSE may support more robust analysis methods such as formal methods or model-based safety assurance.

This research is to explore the full scope of MBSE (i.e., it is not limited to simulation-based validation of I&C system designs). The use of models and simulations in the early design phases of new NPPs and validation of I&C system designs (e.g., confirm required behavior and identify unwanted or undesirable interactions) is one aspect of MBSE. For each aspect of MBSE, the kind of engineering artifacts should be identified and described to include their use as evidence of the soundness of the design. The alternate review process of D&C-ISG-06, Rev. 2 (ML18269A259), could help to enable the use of MBSE.

**Base System Architecture:**

- Four redundant divisions of instrumentation, each containing identical designs:
  - Two instrumentation channels (Pressure and Temperature)
    - Sensor
    - Data acquisition and filtering
    - Setpoint comparison for trip generation
    - Trip output signal generation
- Two trains of actuation logic, each containing identical designs:
  - Two-out-of-four coincidence logic of like trip signals
    - Logic to actuate a first device based on an OR of two instrumentation coincidence signals
      - Logic to actuate a second device based on the remaining instrumentation coincidence signal

**Functions to Be Implemented:**

1. Trip on high pressure (sensor to actuation)

Page 6

**Figure 5.2:** NRC RFP Page 6

31310021R0046

2. Trip on high temperature (sensor to actuation)
3. Trip on low saturation margin (sensors to actuation)
4. Vote on like trips using two-out-of-four coincidence
5. Automatically actuate devices
6. Manually actuate each device
7. Select mutually exclusive maintenance and normal operating modes on a per division basis
8. Perform setpoint adjustment in maintenance mode
9. Configure the system in maintenance mode to bypass an instrument channel (prevent it from generating a corresponding active trip output)
10. Configure the system in maintenance mode to force an instrument channel to an active trip output state
11. Display pressure, temperature and saturation margin
12. Display each trip output signal state
13. Display indication of each channel in bypass
14. Periodic continual self-test of safety signal path (e.g., overlapping from sensor input to actuation output)

**Characteristics to be demonstrated** (based on the requirements of IEEE Std 603-2018):

1. Completeness and consistency of requirements
2. Independence among the four divisions of instrumentation (inability for the behavior of one division to interfere or adversely affect the performance of another)
3. Independence among the two instrumentation channels within a division (inability for the behavior of one channel to interfere or adversely affect the performance of another)
4. Independence among the two trains of actuation logic (inability for the behavior of one train to interfere or adversely affect the performance another)
5. Completion of actuation whenever coincidence logic is satisfied or manual actuation is initiated
6. Independence between periodic self-test functions and trip functions (inability for the behavior of the self-testing to interfere or adversely affect the trip functions)

**Task 1:**

The Contractor shall implement the system described above using both: (1) highly integrated computer-based engineering development processes, and (2) MBSE. All the modules of the simple protection system would be modeled functionally, and one FPGA-based circuit card would be modeled/designed in detail. The deliverable will be the model-based design itself.

**Task 2:**

The Contractor shall perform preliminary V&V and testing of the design using model-based engineering and testing methods. The deliverable will be the artifacts as described in the proposal.

**Task 3:**

The Contractor shall participate in an evaluation of the artifacts produced in tasks 1 and 2 with NRC staff. This will consist of:

1. An initial kickoff meeting for this task with the NRC staff.
2. The NRC staff will then provide initial feedback on the artifacts produced and additional information that would be needed.
3. The Contractor shall then attempt to address any issues and provide the additional information within the time for this portion of task 3 (1 month).

Page 7

**Figure 5.3:** NRC RFP Page 7

31310021R0046

4. A second meeting will be held to discuss the additional information provided.

Task 4:

The Contractor shall develop a one-day long virtual presentation on the results of this research that explains the MBSE approach used, the engineered development environment, the development products, and lessons learned from interacting with the regulator. The deliverable will be the presentation and associated materials.

Task 5:

The Contractor shall develop a final report describing the work summarizing the work performed and the results and conclusions derived. The final report shall include findings and recommendations for future research.

**C.5 Deliverables and Delivery Schedule**

| <b>Deliverable</b> | <b>Due Date</b>                                                                                                                                                                                                                                                                                                                                                                                                                              | <b>Format</b>                                                                   | <b>Submit to</b> |
|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|------------------|
|                    |                                                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                                 |                  |
| Task 1 design      | 4 months after start of work                                                                                                                                                                                                                                                                                                                                                                                                                 | As appropriate to the tools used.                                               | COR              |
| Task 2 artifacts   | 6 months after start of work                                                                                                                                                                                                                                                                                                                                                                                                                 | As appropriate to the tools used.                                               | COR              |
| Task 3             | <p>The initial kickoff meeting for task 3 will be held within two weeks of delivery of the artifacts and should be scheduled ahead of time.</p> <p>The NRC will provide input within one month of the kickoff meeting.</p> <p>The Contractor response is to be provided within one month of receipt of NRC input.</p> <p>The NRC will provide input and hold the second meeting within one month of receipt of the Contractor responses.</p> | As appropriate to the tools used.                                               | COR              |
| Task 4             | The presentation is to be provided within 11 months of the start of work.                                                                                                                                                                                                                                                                                                                                                                    | Slides (PowerPoint or Adobe Portable Document Format (PDF))<br>Training session | COR              |

Page 8

**Figure 5.4: NRC RFP Page 8**

```

1 // title: Reactor Trip System high,assurance demonstrator.
2 // project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
3 // copyright (C) 2021 Galois
4 // author: Joe Kiniry <kiniry@galois.com>
5
6 system Reactor Trip System (RTS)
7 The overall shape of the Reactor Trip System (RTS) is an archetypal
8 *sense,compute,actuate* architecture. Sensors are in the 'Sensors'
9 subsystem. They are read by the 'Instrumentation' subsystem, which
10 contains four separate and independent 'Instrumentation'
11 components. The "Compute" part of the architecture is spread across
12 the 'Actuation Logic' subsystem,which contains the two 'Voting'
13 components which perform the actuation logic itself, and the 'Root'
14 subsystem which contains the core computation and I/O components, and
15 the two separate and independent devices that drive actuators.
16
17 subsystem RTS Architecture (Architecture)
18 This RTS architecture specification includes all of the core
19 concepts inherent to NPP Instrumentation and Control systems.
20 A system architecture specification often includes a software,
21 hardware, network, and data architecture specifications.
22
23 subsystem RTS Hardware Artifacts (Hardware)
24 The physical hardware components that are a part of the HARDENS RTS
25 demonstrator.
26
27 subsystem RTS Implementation Artifacts (Implementation)
28 A summary of the tools, technologies, specifications, and implementations
29 relevant to this high,assurance demonstrator's development and assurance.
30
31 subsystem RTS Requirements (Requirements)
32 All requirements that the RTS system must fulfill, as driven by the
33 IEEE 603,2018 standards and the NRC RFP.
34
35 subsystem RTS Properties (Properties)
36 All correctness and security properties of the RTS system are
37 specified in this subsystem.
38
39 subsystem IEEE Std 603,2018 Characteristics (Characteristics)
40 The IEEE 603,2018 requirements (known as "characteristics" in
41 the standard) which the RTS demonstrator system must fulfill.
42
43 relation RTS contains Architecture
44 relation RTS contains Hardware
45 relation RTS contains Properties
46 relation RTS contains Characteristics

```

**Figure 5.5:** A fragment of the RTS LANDO domain model

```

1 // Events are (seemingly, atomic, from the point of view of an external
2 // observer) interactions/state/transitions of the system. The full
3 // set of specified events characterizes every potential externally
4 // visible state change that the system can perform.
5
6
7 // External input actions are those that are triggered by external input on UI.
8 events Demonstrator External Input Actions
9
10 Manually Actuate Device
11 The user manually actuates a device.
12
13 Select Operating Mode
14 The user puts an instrumentation division in or takes a division out of 'maintenance' mode.
15
16 Perform Setpoint Adjustment
17 The user adjusts the setpoint for a particular channel in a particular division in
    ↪ maintenance mode.
18
19 Configure Bypass of an Instrument Channel
20 The user sets the mode of the channel of an instrumentation division to either bypass or
    ↪ normal mode.
21
22 Configure Active Trip Output State of an Instrument Channel
23 The user sets the mode of the channel of an instrumentation division to either trip or
    ↪ normal mode.
24
25 // External output actions are those that are triggered by internal
26 // state change, which is, in turn, sometimes prompted by external input
27 // actions.
28 events Demonstrator External Output Actions

```

**Figure 5.6:** A fragment of the RTS LANDO (external input) events

```

1 // Scenarios are sequences of events. Scenarios document normal and
2 // abnormal traces of system execution.
3
4 // Test scenarios are scenarios that validate a system conforms to its
5 // requirements through runtime verification (testing). Each scenario
6 // is refined to a (possibly parametrized) runtime verification
7 // property. If a testbench is complete, then every path of a
8 // system's state machine should be covered by the its set of scenarios.
9
10 scenarios Self,Test Scenarios
11
12 Normal Self,Test Behavior 1a ,Trip on Mock High Pressure Reading from that Pressure Sensor
13 The user selects 'maintenance' for an instrumentation division, the
14 division's pressure channel is set to 'normal' mode, the pressure
15 setpoint is set to a value v, the user simulates a pressure input to
16 that division exceeding v, the division generates a pressure trip.
17
18 Normal Self,Test Behavior 1b ,Trip on Environmental High Pressure Reading from that Pressure
19     ↢ Sensor
20 The user selects 'maintenance' for an instrumentation division, the
21 division's pressure channel is set to 'normal' mode, the pressure
22 setpoint is set to a value v, the division reads a pressure sensor
23 value division exceeding v, the division generates a pressure trip.
24
25 Normal Self,Test Behavior 2a ,Trip on Mock High Temperature Reading from that Temperature
26     ↢ Sensor
27 The user selects 'maintenance' for an instrumentation division, the
28 division's temperature channel is set to 'normal' mode, the
temperature setpoint is set to a value v, the user simulates a
temperature input to that division exceeding v, the division generates
a temperature trip.

```

**Figure 5.7:** A fragment of the RTS LANDO scenarios

```

1  -- We use three different C compilers for (cross-)compilation.
2  type compiler =
3    { GCC, Clang, CompCert }
4
5  -- We target three different ISAs in software compilation because our
6  -- development platforms for the POSIX-based virtual platform is
7  -- either ARM or X86-based and the SoC digital twin and deployment
8  -- platform are RISC-V-based.
9  type isa =
10   { ARM, X86, RV32 }
11
12 -- The feature model of the RTS demonstrator itself.
13
14 -- The cost of a demonstrator is expressed in U.S. dollars and is
15 -- based upon the value of the board plus all physical devices that
16 -- are attached. A purely virtualized RTS demonstrator has zero
17 -- hardware cost.
18
19 rts : kind of struct
20   with -- Which development board is being used?
21     board : dev_board
22     -- How much does the hardware for this demonstrator cost in USD?
23     cost : nat
24     -- What level of assurance does the demonstrator have overall?
25     assurance : assurance_level
26     -- Is the FPGA being twinned via a Verilog simulator/emulator?
27     soc : twin_or_physical
28     -- Is the first temperature sensor a twin or physically present?
29     ts1 : twin_or_physical
30     -- Is the second temperature sensor a twin or physically present?
31     ts2 : twin_or_physical
32     -- Is the first pressure sensor a twin or physically present?
33     ps1 : twin_or_physical
34     -- Is the second pressure sensor a twin or physically present?
35     ps2 : twin_or_physical
36     -- Is the first actuator a twin or physically present?
37     sa1 : twin_or_physical
38     -- Is the second actuator a twin or physically present?
39     sa2 : twin_or_physical
40     -- Which C compiler is used to (cross-)compile the software?
41     comp : compiler
42     -- Which ISA is the compiler (cross-)compiling to?
43     target : isa
44     -- Are all devices twins?
45     all_devices_twins : bool
46     -- Should sensors be simulated?
47     simulate_sensors : bool

```

**Figure 5.8:** A fragment of the RTS LOBOT feature model

| Requirement ID                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Parent Requirement ID          | Project |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|---------|
| ACTUATION_LOGIC_VOTE_1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | ACTUATION_LOGIC_DEVICE_HARDENS | ▼       |
| <div style="border: 1px solid #ccc; padding: 5px; margin-bottom: 10px;"> <b>Rationale and Comments</b> <span style="float: right;">▼</span> </div> <p><b>Requirement Description</b></p> <p>A requirement follows the sentence structure displayed below, where fields are optional unless indicated with "*". For information on a field format, click on its corresponding bubble.</p> <div style="display: flex; justify-content: space-around; align-items: center; margin-bottom: 10px;"> <span>SCOPE</span> <span>CONDITIONS</span> <span>COMPONENT*</span> <span>SHALL*</span> <span>TIMING</span> <span>RESPONSES*</span> <span>(?)</span> </div> <div style="border: 1px solid #ccc; padding: 10px; background-color: #f9f9f9;"> <p>Upon VOTE_TRIP_SATURATION Actuation_Logic shall <b>always</b> satisfy<br/>VOTE_ACTUATE_DEVICE_1</p> </div> |                                |         |

**Figure 5.9:** An Example Formalized Requirement in FRET

## Formalizations

### Future Time LTL

```
(LAST V (( VOTE_ACTUATE_DEVICE_1 |  
MANUAL_ACTUATE_DEVICE_1 -> ACTUATE_DEVICE_1 ) & (  
ACTUATE_DEVICE_1 -> VOTE_ACTUATE_DEVICE_1 |  
MANUAL_ACTUATE_DEVICE_1 )))
```

Target: *Actuation\_Logic* component.

### Past Time LTL

```
(H (( VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 ->  
ACTUATE_DEVICE_1 ) & ( ACTUATE_DEVICE_1 ->  
VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1 )))
```

Target: *Actuation\_Logic* component.

Figure 5.10: Some Example Requirement Semantics in FRET



Figure 5.11: Realizability Checking in FRET

```

1 // HARDENS Reactor Trip System (RTS) Actuator Unit
2 // A formal model of RTS Actuator behavior written in the Cryptol
3 // DSL.
4 //
5 // @author Alex Bakst <abakst@galois.com>
6 // @created November, 2021
7 // @refines HARDENS.sysml
8 // @refines RTS.lando
9 // @refines RTS_Requirements.json
10
11 module RTS::Actuator where
12
13 type Actuation = Bit
14 type Mode = Bit
15
16 /** @requirements
17     ACTUATION_LOGIC_MANUAL_DEVICE_{0,1} satisfied by definition
18 */
19 type Actuator =
20   { input: Actuation
21   , manualActuatorInput: Actuation
22   }
23
24 SetInput: Actuation -> Actuator -> Actuator
25 SetInput on actuator = {actuator | input = on }
26
27 SetManual: Actuation -> Actuator -> Actuator
28 SetManual on actuator = {actuator | manualActuatorInput = on}
29
30 ActuateActuator : [2]Actuation -> Actuation
31 ActuateActuator inputs = (inputs @ (0:[1])) || (inputs @ (1:[1]))

```

**Figure 5.12:** CRYPTOL model of Actuator component

```

1 // HARDENS Reactor Trip System (RTS) Actuation Unit
2 // A formal model of RTS Actuation Unit behavior written in the
3 // Cryptol DSL.
4 //
5
6 module RTS::ActuationUnit where
7
8 import RTS::Utils
9 import RTS::InstrumentationUnit
10
11 type Input = [3][4]TripPort
12 type ActuationPort = Bit
13 type ActuationUnit = { output: [2]ActuationPort }
14 type CoincidenceLogic = [4]TripPort -> Bit
15 type OrLogic = [2] -> Bit
16
17 TemperatureLogic: [4]TripPort -> Bit
18 TemperatureLogic ts = Coincidence_2_4 ts
19
20 private
21 Coincidence_2_4 : [4]TripPort -> Bit
22 Coincidence_2_4 x =
23   (a&&b) || ((a||b) && (c||d)) || (c&&d)
24   where
25     a = (x @ (0:[2])) != 0
26     b = (x @ (1:[2])) != 0
27     c = (x @ (2:[2])) != 0
28     d = (x @ (3:[2])) != 0
29
30 count : {n} (fin n, n >= 1) => [n] -> [width n]
31 count bs = sum [ if b then 1 else 0 | b <- bs ]
32
33 /** @requirements
34   ACTUATION_LOGIC_VOTE_TEMPERATURE
35 */
36 property actuation_logic_vote_temperature (inp: Input) =
37   (count [i != 0 | i <- (inp @ T)] >= 2) == TemperatureLogic (inp @ T)

```

**Figure 5.13:** CRYPTOL model of Actuation Unit component

```

1 NRC Understanding
2 Provide to the NRC expert technical services in order to develop a
3 better understanding of how Model-Based Systems Engineering (MBSE)
4 methods and tools can support regulatory reviews of adequate design
5 and design assurance.

```

**Figure 5.14:** An informal project goal: NRC Understanding

```

1 Demonstrator Parts
2 Our demonstrator includes high-assurance software and hardware,
3 includes open source RISC,V Central Processing Units.

```

**Figure 5.15:** A semi-formal project goal: Demonstrator Parts

```
1 // Both formal and rigorous consistency checks of the requirements
2 // will be accomplished by using false theorem checks and proofs in
3 // the Cryptol model and in software and hardware source code;
4 Requirements Consistency
5 Requirements must be shown to be consistent.
```

**Figure 5.16:** A formal project goal: Requirements Consistency

# Chapter 6

## Conclusion

This final report summarizes the outcomes of the *High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)* project, in which Galois has developed a high-assurance, safety-critical demonstration system for the Nuclear Regulatory Commission using Rigorous Digital Engineering (RDE). The system in question is a Digital Instrumentation and Control (DI&C) system for Nuclear Power Plants (NPPs), and is called the Reactor Trip System (RTS).

The report covered the following topics:

- In chapter 2, we covered the topic at a 50,000 ft level: what is this project about, what are the NRC’s goals, just what are models and model-based engineering (MBE), what forces have influenced the evolution of models and MBE over the past few decades, how do assurance cases relate to MBE, and how is the system that was built to demonstrate modern MBE—the HARDENS demonstrator—described and assured in what follows.
- chapter 3 contains a top-level summary of model-based engineering in the 2020s, with particular attention on which concepts, tools, and technologies have been successfully adopted in high-end industry, especially for mission- and safety-critical systems development, assurance, and certification. This chapter also includes a gap analysis which details the challenges that remain for widespread adoption of MBE, or deep acceptance in a specific industrial segment, such as the critical infrastructure sector.
- chapter 4 discusses how one should review model-based systems, particularly from the point of view of carefully reviewing large, complex, high-assurance systems automatically and manually using both digital and paper-based means. These kinds of reviews are a natural part of the validation or certification regimes used by NIST and the NSA, as well as international certification regimes such as Common Criteria, but are not traditionally the remit of reviews that take place at the FAA, in the DoD branches (such as flight certification), or at the NRC.

- The HARDENS Reactor Trip System (RTS) Demonstrator is discussed in gory detail in chapter 5.
- After this chapter, a large appendix contains all of the cross-referenced models and code for the entire RTS demonstrator.

Were we to have used proprietary tools instead of, or in addition to, the open source tools that have been used in this project, then we would have chosen to use the following tools:

- Cameo Systems Modeler (CATIA) from Dassault Systèmes would have been used to create and reason about a SysML version 1 model, and generate hypertext digital and paper documentation from that model.
- OSATE2 from the Carnegie Mellon University's Software Engineering Institute (SEI) would have been used to create and reason about an AADL model.<sup>1</sup>
- A broad set of tools from Ansys, including ModelCenter, SCADE, Twin Builder, medina, and others, would have been used to (a) perform trade-study analysis and, (b) to implement and verify the instrumentation sub-system again using another language/technique for more heterogeneity.
- BigLever's onePLE would have been used to characterize our product line model and drive the aforementioned trade-study.
- And a tool like AdvoCate from NASA or ASCE from Adelard would have been used to document and review our assurance case.

## 6.1 What is Next for the RTS

This project is likely just the first of many that Galois hopes to do with the NRC. Its technical focus and outcomes are highly aligned with a rich area R&D at Galois that is seeing a lot of attention from the U.S. Government.

**Technical Next Steps.** On the technical side of things, the implementation of the RTS does not wholly conform to our original, ambitious, plans for demonstrating heterogeneous, independent high-assurance implementations.

While the RTS is fault tolerant and does fulfill all core RFP requirements and IEEE characteristics, the three core implementation (which was meant to demonstrate diversity and fault tolerance at the hardware compute level) of the RTS's System-on-Chip (SoC) is not complete. The single core version is complete and demonstrable.

We also intended to demonstrate multiple, heterogeneous techniques for interfacing with sensors and actuators (software and hardware device drivers),

---

<sup>1</sup>In fact, some of this work has already begun outside of the remit of this project with Dr. John Hatcliff and Dr. Robby at Kansas State University.

but those components, too, are not complete. Only single drivers have been experimented with in the FPGA-based demo.

The SoC has seen only lightweight exercising and runtime testing. No model-based testing or formal assurance of the SoC has been completed.

Multiple other projects and agencies have expressed an interest in reusing or extending this line of work. We hope to build on top of this foundation for the NRC, and we expect that, at least, DARPA will be using the RTS as a case study in teaching about, and R&D on, RDE.

**Non-Technical Next Steps.** On the non-technical side of things, there is work to do on matters related to the MBE market, MBE adoption, statutes and rule-making around MBE, and more.

A part of the reason for the small market for high-assurance components or subsystems for NPPs are perceived or actual barriers to entry. If such barriers can be lowered by making licensing easier through clear guidance for modern digital I&C design techniques, such as those demonstrated in this project, then a marked market shift could occur.

# Bibliography

- [1] John M. Borky and Thomas H. Bradley. *Effective Model-Based Systems Engineering*. Springer, 2018.
- [2] Peter H. Feiler and David P. Gluch. *Model-Based Engineering with AADL: An Introduction to the SAE Architecture Analysis & Design*. Addison-Wesley, 2012.
- [3] Tim Weilkiens et al. *Model-Based System Architecture*. Wiley, 2022.

# Appendix A

## Lando Models

### A.1 Top-level RTS Domain Engineering Model Structure

Listing A.1: Lando model of the top-level design.

```
1 // title: Reactor Trip System high,assurance demonstrator.
2 // project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
3 // copyright (C) 2021 Galois
4 // author: Joe Kiniry <kiniry@galois.com>
5
6 system Reactor Trip System (RTS)(└ RTS (?? on page ??), RTS (?? on page ??), RTS
   (line 224 on page 156), RTS (line 19 on page 137))
7 The overall shape of the Reactor Trip System (RTS) is an archetypal
8 *sense,compute,actuate architecture. Sensors are in the 'Sensors'
9 subsystem. They are read by the 'Instrumentation' subsystem, which
10 contains four separate and independent 'Instrumentation'
11 components. The "Compute" part of the architecture is spread across
12 the 'Actuation Logic' subsystem,which contains the two 'Voting'
13 components which perform the actuation logic itself, and the 'Root'
14 subsystem which contains the core computation and I/O components, and
15 the two separate and independent devices that drive actuators.
16
17 subsystem RTS Architecture (Architecture)(└ Architecture (line 26 on page 137),
   Architecture (line 7 on page 152), Architecture (line 136 on page 143))
18 This RTS architecture specification includes all of the core
19 concepts inherent to NPP Instrumentation and Control systems.
20 A system architecture specification often includes a software,
21 hardware, network, and data architecture specifications.
22
23 subsystem RTS Hardware Artifacts (Hardware)(└ Hardware (line 191 on page 144), RTS
   Hardware Artifacts (line 5 on page 146), Hardware (?? on page ??), Hardware
   (line 28 on page 137), RTS Hardware Artifacts (?? on page ??))
24 The physical hardware components that are a part of the HARDENS RTS
25 demonstrator.
26
27 subsystem RTS Implementation Artifacts (Implementation)(└ Artifacts (line 30 on
   page 137), Artifacts (line 1 on page 147))
28 A summary of the tools, technologies, specifications, and implementations
29 relevant to this high,assurance demonstrator's development and assurance.
30
31 subsystem RTS Requirements (Requirements)(└ Requirements (line 5 on page 149),
   Requirements (line 12 on page 149), Requirements (line 31 on page 137))
32 All requirements that the RTS system must fulfill, as driven by the
```

```

33 IEEE 603,2018 standards and the NRC RFP.
34
35 subsystem RTS Properties (Properties)(Properties (line 5 on page 148), Properties
   (line 32 on page 137))
36 All correctness and security properties of the RTS system are
37 specified in this subsystem.
38
39 subsystem IEEE Std 603,2018 Characteristics (Characteristics)(Characteristics (line 27
   on page 149), Characteristics (line 34 on page 138), Characteristics (line 5 on
   page 139))
40 The IEEE 603,2018 requirements (known as "characteristics" in
41 the standard) which the RTS demonstrator system must fulfill.
42
43 relation RTS (line 6) contains Architecture (line 17)
44 relation RTS (line 6) contains Hardware (line 23)
45 relation RTS (line 6) contains Properties (line 35)
46 relation RTS (line 6) contains Characteristics (line 39)

```

## A.2 Project Acronyms

Listing A.2: Lando model of the Acronyms.

```

1 subsystem Proposal Acronyms (Acronyms)
2 A list of words formed by combining the initial letters of a multipart name.
3
4 // Source: Frama,C website
5 component ISO ANSI C Specification Language (ACSL)
6 The ANSI/ISO C Specification Language (ACSL) is a behavioral specification language for C
   ↪ programs.
7
8 // Source: https://csrc.nist.gov/glossary/term/Application\_Programming\_Interface
9 component Application Programming Interface (API)
10 A system access point or library function that has a well-defined syntax and
11 is accessible from application programs or user code to provide well-defined functionality.
12
13 component Application,Specific Integrated Circuit (ASIC)(ASIC (line 216 on page 144))
14 Custom,designed and/or custom,manufactured integrated circuits.
15
16 component Commercial Off The Shelf (COTS)
17 Software and hardware that already exists and is available from commercial sources.
18
19 component Central Processing Unit (CPU)(CPU (line 15 on page 147), CPU (line 206 on
   page 144))
20 A CPU is the electronic circuitry that executes instructions comprising a computer program.
21
22 component Continuous Verification (CV)(CV (line 154 on page 143))
23
24 component Communicating Sequential Processes (CSP)
25
26 component Digital Engineering (DE)
27
28 component Digital Instrumentation \& Control (diandc)
29
30 component Defense Industrial Base (DIB)
31
32 component Department of Defense (DoD)
33
34 component Domain Specific Language (DSL)
35
36 component Electronic Design Automation (EDA)
37
38 component Field Programmable Gate Array (FPGA)(FPGA (?? on page ??), FPGA
   (line 228 on page 144))

```

```

39
40 component Gnu Compiler Collection (GCC)
41
42 component Government Furnished Equipment (GFE)
43
44 component Galois Low,energy Asynchronous Secure SoC for Computer Vision (GLASS,CV)
45
46 component General Purpose I/O (GPIO)( GPIO  (line 218 on page 144))
47
48 component High,Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
49
50 component Hardware Description Language (HDL)( HDL  (line 201 on page 144))
51
52 component Hash,based Message Authentication Code (HMAC)
53
54 component Higher,Order Logic (HOL)
55
56 component Hardware Security Module (HSM)
57
58 component Intelligence Community (IC)
59
60 component Integrated Development Environment (IDE)
61
62 component Intellectual Property (IP)
63
64 component Instruction Set Architecture (ISA)
65
66 component Intermediate Representation (IR)( IR  (line 183 on page 144))
67
68 component Java Modeling Language (JML)
69
70 component Low Level Virtual Machine (LLVM)( LLVM  (line 184 on page 144))
71
72 component Model,Based Engineering (MBE)
73
74 component Model,Based Systems Engineering (MBSE)
75
76 component Natural Language Processing (NLP)
77
78 component Nuclear Regulatory Commission (NRC)
79
80 component National Security Agency (NSA)
81
82 component Nuclear Power Plant (NPP)
83
84 component Object Constraint Language (OCL)
85
86 component Open Systems Architecture (OSA)
87
88 component Power Performance Area and Security (PPAS)
89
90 component Rigorous Digital Engineering (RDE)
91
92 component Register Transfer Level (RTL)( RTL  (line 28 on page 147))
93
94 component Reactor Trip System (RTS)( RTS  (?? on page ??),  RTS  (?? on page ??),
95            RTS  (line 224 on page 156),  RTS  (line 19 on page 137))
96
97 component Software Analysis Workbench (SAW)
98
99 component Safety Critical Application Development Environment (SCADE)
100
101 component Secure Hash Algorithm (SHA)
102
103 component Satisfiability Modulo Theories (SMT)
104 component Secret Ninja Formal Methods (SNFM)

```

```

105 component Statement of Work (SoW)
106
107 component SystemVerilog (SV)( SystemVerilog  (line 203 on page 144))
108
109 component SystemVerilog Assertions (SVA)
110
111 component Size Weight and Power (SWaP)( SWaP  (line 192 on page 144))
112
113 component System Modeling Language (SysML)
114
115 component System, on, Chip (SoC)
116
117 component System Security Integration Through Hardware and Firmware (SSITH)
118
119 component User Interface (UI)
120
121 component Unified Modeling Language (UML)
122
123 component Universal Serial Bus (USB)( USB  (line 225 on page 144))
124
125 component United States Government (USG)
126
127 component Unified Theories of Programming (UTP)
128
129 component Universal Verification Methodology (UVM)
130
131 component User eXperience (UX)
132
133 component Verilog( Verilog  (line 204 on page 144))
134
135 component Vienna Development Method (VDM)
136
137 component Very High Speed Integrated Circuit (VHSIC)
138
139 component VHSIC Hardware Description Language (VHDL)
140

```

## A.3 System Architecture

architecture.lando

Listing A.3: Lando model of the architecture.

```

1 // Architecture
2
3 subsystem RTS System Architecture (RTS_System_Arch)( RTS_System_Arch  (line 19 on
page 152))
4
5 subsystem Root( Root  (?? on page ??))
6
7 component Core Finite State Machine (CFSM)( CFSM  (?? on page ??))
8 inherit FSM
9
10 component Programming I/O (Programming_IO)( Programming_IO  (?? on page ??))
11 inherit IO
12
13 component UI I/O (UI_IO)( UI_IO  (?? on page ??))
14 inherit IO
15
16 component Debugging I/O (Debugging_IO)( Debugging_IO  (?? on page ??))
17 inherit IO
18
19 subsystem Actuation Logic( Actuation_Logic  (?? on page ??))

```

```

20 | component Voting 1(≤ Voting (line 254 on page 145))
21 |
22 | component Voting 2(≤ Voting (line 254 on page 145))
23 |
24 | component Actuator 1(≤ Actuator (line 196 on page 155), Actuator (line 222 on
25 |     page 144), Actuator (?? on page ??))
26 |
27 | component Actuator 2(≤ Actuator (line 196 on page 155), Actuator (line 222 on
28 |     page 144), Actuator (?? on page ??))
29 |
30 | subsystem Computation(≤ Computation (?? on page ??))
31 |
32 | component RISC,V CPU 1(≤ RISC-V CPU (?? on page ??))
33 |
34 | component RISC,V CPU 2(≤ RISC-V CPU (?? on page ??))
35 |
36 | component RISC,V CPU 3(≤ RISC-V CPU (?? on page ??))
37 |
38 | subsystem Hardware(≤ Hardware (?? on page ??), Hardware (line 191 on page 144),
39 |     Hardware (line 28 on page 137))
40 |
41 | component Lattice ECP,5 FGPA Development Board(≤ DevBoard (line 26 on page 146))
42 |
43 | subsystem Actuators(≤ actuator2 (line 273 on page 156), Actuator (line 222 on
44 |     page 144), actuator1 (line 272 on page 156), Actuator1 (?? on page ??),
45 |     Actuator2 (?? on page ??), Actuator (line 196 on page 155), Actuator (?? on
46 |     page ??), Actuators (?? on page ??))
47 |
48 | component Actuator 1(≤ Actuator (line 196 on page 155), Actuator (line 222 on
49 |     page 144), Actuator (?? on page ??))
50 |
51 | component Actuator 2(≤ Actuator (line 196 on page 155), Actuator (line 222 on
52 |     page 144), Actuator (?? on page ??))
53 |
54 | subsystem Sensors(≤ Sensor (line 219 on page 144), Sensors (?? on page ??), Sensor
55 |     (line 21 on page 152))
56 |
57 | component Temperature Sensor 1(≤ Temperature Sensor (?? on page ??), Temperature
58 |     Sensor (line 220 on page 144), Temperature Sensor (line 59 on page 153))
59 |
60 | component Temperature Sensor 2(≤ Temperature Sensor (?? on page ??), Temperature
61 |     Sensor (line 220 on page 144), Temperature Sensor (line 59 on page 153))
62 |
63 | component Pressure Sensor 1(≤ Pressure Sensor (line 83 on page 153), Pressure Sensor
64 |     (?? on page ??), Pressure Sensor (line 221 on page 144), PressureSensor (?? on
65 |     page ??), PressureSensor (line 73 on page 153))
66 |
67 | component Pressure Sensor 2(≤ Pressure Sensor (line 83 on page 153), Pressure Sensor
68 |     (?? on page ??), Pressure Sensor (line 221 on page 144), PressureSensor (?? on
69 |     page ??), PressureSensor (line 73 on page 153))
70 |
71 | subsystem Instrumentation(≤ Instrumentation (?? on page ??), Instrumentation (?? on
72 |     page ??), Instrumentation (line 100 on page 154), Instrumentation (?? on
73 |     page ??))
74 |
75 | component Instrumentation 1(≤ Instrumentation (?? on page ??), Instrumentation (?? on
76 |     page ??), Instrumentation (line 100 on page 154), Instrumentation (?? on
77 |     page ??))
78 |
79 | component Instrumentation 2(≤ Instrumentation (?? on page ??), Instrumentation (?? on
80 |     page ??), Instrumentation (line 100 on page 154), Instrumentation (?? on
81 |     page ??))
82 |
83 | component Instrumentation 3(≤ Instrumentation (?? on page ??), Instrumentation (?? on
84 |     page ??), Instrumentation (line 100 on page 154), Instrumentation (?? on
85 |     page ??))
86 |
87 | component Instrumentation 4(≤ Instrumentation (?? on page ??), Instrumentation (?? on
88 |     page ??))

```

```

on page ??), Instrumentation (line 100 on page 154), Instrumentation (?? on
page ??))
68 // Top-level subsystems.
69 relation RTS_System_Arch (line 3) contains Root (line 5)
70 relation RTS_System_Arch (line 3) contains Actuation Logic (line 19)
71 relation RTS_System_Arch (line 3) contains Computation (line 29)
72 relation RTS_System_Arch (line 3) contains Hardware (line 37)
73 relation RTS_System_Arch (line 3) contains Instrumentation (line 59)
74
75 // Nested subsystems.
76 relation Hardware (line 37) contains FPGA (line 39)
77 relation Hardware (line 37) contains Actuators (line 43)
78 relation Hardware (line 37) contains Sensors (line 49)
79
80 // Client, supplier relations.
81 relation Root (line 5) client Actuation Logic (line 19)
82 relation Root (line 5) client Computation (line 29)
83
84 relation Computation (line 29) client Hardware (line 37)
85 relation Actuation Logic (line 19) client Hardware (line 37)
86 relation Instrumentation (line 59) client Hardware (line 37)
87 relation Instrumentation (line 59) client Actuation Logic (line 19)
88 relation Actuation Logic (line 19) client Instrumentation (line 59)
89

```

## A.4 System Dataflow

Listing A.4: Lando model of the dataflow.

```

1 subsystem RTS Implementation Artifacts (Artifacts)(≤ Artifacts (line 30 on page 137),
2 Artifacts (line 1 on page 147))
3 component Cryptol System Specification (CryptolSpec)(≤ CryptolSpec (line 257 on
4 page 145))
A specification of a model written in the Cryptol domain-specific
5 language (DSL), either as Literate Cryptol, which can be Cryptol
6 embedded in Markdown or LaTeX, or plain Cryptol. Cryptol is a strongly
7 typed, functional DSL for specifying and reasoning about bit-level
8 algorithms and their correctness properties and is mainly used to
9 specify cryptographic algorithms. See https://crypto.net/ for more
10 information.
11
12 component Cryptol Software Compiler (CryptolToC)(≤ CryptolToC (line 7 on page 147))
13 Multiple versions of a Cryptol software compiler exist which can
14 compile different subsets of the Cryptol language into implementations
15 and test benches written in the C, Java, and LLVM languages.
16
17 component Cryptol Hardware Compiler (CryptolToSystemVerilog)(≤ CryptolToSystemVerilog
18 (line 11 on page 147))
Multiple versions of a Cryptol hardware compiler exist which can
19 compile different subsets of the Cryptol language into implementations
20 and test benches written in the VHDL, Verilog, and SystemVerilog.
21
22 component Software Implementation (Software)(≤ Software (line 267 on page 145))
23
24 component Hand-written Software Implementation (SWImpl)(≤ HWImpl (line 274 on page 145),
25 SWImpl (line 269 on page 145))
inherit Hand-written Software
26
27 component Synthesized Software Implementation (SynthSW)(≤ SynthHW (line 275 on page 145),
28 SynthSW (line 271 on page 145))
inherit Machine-generated Software
29

```

```

30 | component Hardware Implementation (Hardware)( Hardware  (line 191 on page 144),
31 |    Hardware  (line 28 on page 137),  Hardware  (?? on page ??),  Hardware 
32 |   Implementation (line 273 on page 145))
33 | component Hand,written Hardware Implementation (HWImpl)( HWImpl  (line 274 on page 145),
34 |    SWImpl  (line 269 on page 145))
35 | inherit Hand,written Hardware
36 | component Synthesized Hardware Implementation (SynthHW)( SynthHW  (line 275 on page 145),
37 |    SynthSW  (line 271 on page 145))
38 | inherit Machine,generated Hardware
39 | component COTS High,Assurance RV32I RISC,V CPU (CPU)( CPU  (line 15 on page 147),  CPU 
40 |   (line 206 on page 144))
41 | component CompCert Compiler (CompCert)( CompCert  (line 16 on page 147))
42 | component Bluespec Compiler (BSC)( BSC  (line 20 on page 147))
43 | component SymbiFlow Synthesizer (SymbiFlow)( SymbiFlow  (line 24 on page 147))
44 | component Software Binaries (Binaries)( Binary  (line 276 on page 145))
45 | component Demonstrator Verilog (RTL)( RTL  (line 28 on page 147))
46 | component FPGA Bitstream (Bitstream)( Bitstream  (line 284 on page 145))
47 |
48 | subsystem Dataflow of RTS Implementation Artifacts (Dataflow)( Dataflow  (line 30 on
49 |   page 147))
50 | This specification, which comes from the Galois HARDENS proposal,
51 | describes the relationships between various levels of specifications,
52 | implementations, and assurance artifacts for the HARDENS demonstrator.
53 | indexing
54 |   proposal_figure: 3
55 |   figure_name: Dataflow of RTS Implementation Artifacts.
56 |
57 | relation CryptolToC (line 12) client CryptolSpec (line 3)
58 | relation CryptolToSystemVerilog (line 17) client CryptolSpec (line 3)
59 |
60 | relation SynthSW (line 27) client CryptolToC (line 12)
61 |
62 | relation SynthHW (line 35) client CryptolToSystemVerilog (line 17)
63 | relation SynthHW (line 35) client BSC (line 42)
64 |
65 | relation CompCert (line 40) client SynthSoftImpl
66 | relation CompCert (line 40) client SoftImpl
67 |
68 | relation BSC (line 42) inherit Compiler
69 | relation BSC (line 42) client HWImpl (line 32)
70 |
71 | relation SymbiFlow (line 44) client SynthHW (line 35)
72 | relation SymbiFlow (line 44) client CPU (line 38)
73 |
74 | relation Binaries (line 46) client CompCert (line 40)
75 |
76 | relation RTL (line 48) client SymbiFlow (line 44)
77 | relation RTL (line 48) contains Soft,core RISC,V CPU
78 |
79 | relation Bitstream (line 50) contains SynthHW (line 35)
80 | relation Bitstream (line 50) contains CPU (line 38)
81 |
82 | relation Bitstream (line 50) client SymbiFlow (line 44)
83 |
84 |

```

## A.5 System Events

Listing A.5: Lando model of the Events.

```

1 // Events are (seemingly, atomic, from the point of view of an external
2 // observer) interactions/state/transitions of the system. The full
3 // set of specified events characterizes every potential externally
4 // visible state change that the system can perform.
5
6 // External input actions are those that are triggered by external input on UI.
7 events Demonstrator External Input Actions
8
9 Manually Actuate Device
10 The user manually actuates a device.
11
12 Select Operating Mode
13 The user puts an instrumentation division in or takes a division out of 'maintenance' mode.
14
15 Perform Setpoint Adjustment
16 The user adjusts the setpoint for a particular channel in a particular division in
    ↪ maintenance mode.
17
18 Configure Bypass of an Instrument Channel
19 The user sets the mode of the channel of an instrumentation division to either bypass or
    ↪ normal mode.
20
21 Configure Active Trip Output State of an Instrument Channel
22 The user sets the mode of the channel of an instrumentation division to either trip or
    ↪ normal mode.
23
24 // External output actions are those that are triggered by internal
25 // state change, which is, in turn, sometimes prompted by external input
26 // actions.
27 events Demonstrator External Output Actions
28
29 Display Pressure(└ Display Pressure (line 62 on page 139))
30 The UI displays the current pressure reading for an instrumentation division.
31
32 Display Temperature(└ Display Temperature (line 63 on page 139))
33 The UI displays the current temperature reading for an instrumentation division.
34
35 Display Saturation Margin(└ Display Saturation Margin (line 64 on page 139))
36 The UI displays the current saturation margin reading for an instrumentation division.
37
38 Display Trip Output Signal State
39 The UI displays the current trip signal output for a particular channel and instrumentation
    ↪ division.
40
41 Display Indication of Channel in Bypass(└ Display Indication Of Channel in Bypass
    (line 66 on page 139))
42 The UI displays the current bypass mode for a particular channel and instrumentation
    ↪ division.
43
44 // Internal actions are those that are not triggered by external input on UI.
45 events Demonstrator Internal Actions
46
47 Trip on High Pressure
48 An instrumentation division reads a pressure sensor value that exceeds its setpoint and
    ↪ generates a trip output.
49
50 Trip on High Temperature
51 An instrumentation division reads a temperature sensor value that exceeds its setpoint and
    ↪ generates a trip output.
52
53 Trip on Low Saturation Margin
54 An instrumentation division reads temperature and pressure values such that the
55 saturation margin is below its setpoint and generates a trip output.
56
57 Vote on Like Trips using Two,out,of,four Coincidence(└ Vote (line 15 on page 138))

```

```

58 | An actuation unit reads two like trip inputs and generates the corresponding automatic
59 |   ↪ actuation signal.
60 | Automatically Actuate Device(└ A (line 19 on page 138))
61 | An actuation unit generates an automatic actuation signal and sends it to the corresponding
62 |   ↪ device.
63 | Self,test of Safety Signal Path(└ T (line 22 on page 138))
64 | The RTS simulates inputs to a pair of instrumentation divisions and checks the corresponding
   |   ↪ actuation signals.

```

## A.6 Project Glossary

Listing A.6: Lando model of the glossary.

```

1 subsystem Proposal Glossary (Glossary)(└ Glossary (line 10 on page 141))
2 A list of often difficult or specialized words with their definitions, often placed at the
   ↪ back of a book.
3
4 component Behavioral Interface Specification Language (BISL)(└ BISL (line 22 on
   page 141))
5 A formal, state,based specification language that focuses on the
6 specification of the interfaces of discrete modules in a system, and
7 often times includes model,based specification constructs to improve
8 usability and expressivity.
9
10 component BlueCheck(└ BlueCheck (line 17 on page 141))
11 A property,based testing framework for components written in Bluespec
12 SystemVerilog that uses some of the design patterns and ideas from the
13 QuickCheck.
14
15 component Coq(└ Coq (line 24 on page 141))
16 Coq is an interactive theorem prover first released in 1989. It allows
17 for expressing mathematical assertions, mechanically checks proofs of
18 these assertions, helps find formal proofs, and extracts a certified
19 program from the constructive proof of its formal specification. Coq
20 works within the theory of the calculus of inductive constructions, a
21 derivative of the calculus of constructions. Coq is not an automated
22 theorem prover but includes automatic theorem proving tactics
23 (procedures) and various decision procedures.
24
25 component Cryptol(└ Cryptol (line 25 on page 141))
26 Cryptol is a domain specific programming language for cryptography
27 developed by Galois. The language was originally developed for use by
28 the United States National Security Agency. The language is also used
29 by private firms that provide information technology systems, such as
30 Amazon and defense contractors in the United States. The programming
31 language is used for all aspects of developing and using cryptography,
32 such as the design and implementation of new ciphers and the
33 verification of existing cryptographic algorithms.
34
35 component DevSecOps(└ DevSecOps (line 26 on page 141))
36 The use of tools in a user's local and remote design, development,
37 validation, verification, maintenance, and evolution environments that
38 facilitate the automatic and continuous evaluation by static and
39 dynamic means of a system/subsystem/component's behavioral (e.g.,
40 safety and correctness) and non,behavioral (e.g., well,formedness and
41 security) properties.
42
43 component Digital Instrumentation and Control Systems (DIANDC)(└ DIANC (line 27 on
   page 141))
44 One of several types of control systems and associated instrumentation
45 used for industrial process control. Such systems can range in size

```

```

46 from a few modular panel-mounted controllers to large interconnected
47 and interactive distributed control systems with many thousands of
48 field connections. Systems receive data from remote sensors measuring
49 process variables (PVs), compare the collected data with desired
50 setpoints (SPs), and derive command functions which are used to
51 control a process through the final control elements (FCEs), such as
52 control valves.
53
54 component Formal Requirements Elicitation Tool (FRET)(FRET (line 31 on page 141),
55           FRET (line 51 on page 150))
56 The NASA Formal Requirements Elicitation Tool is used to make writing,
57 understanding, and debugging formal requirements natural and
58 intuitive.
59
60 component PVS(PVS (line 41 on page 141))
61 A specification language integrated with support tools and an
62 automated theorem prover, developed at the Computer Science Laboratory
63 of SRI International. PVS is based on a kernel consisting of an
64 extension of Church's theory of types with dependent types, and is
65 fundamentally a classical typed higher-order logic.
66
67 component RISC,V
68 RISC,V (pronounced "risk,five") is an open standard instruction set
69 architecture (ISA) based on established reduced instruction set
70 computer (RISC) principles. Unlike most other ISA designs, the RISC,V
71 ISA is provided under open source licenses that do not require fees to
72 use. A number of companies are offering or have announced RISC,V
73 hardware, open source operating systems with RISC,V support are
74 available and the instruction set is supported in several popular
75 software toolchains.
76
77 component Requirements State Modeling Language (RSML)(RSML (line 53 on page 141))
78 A formal specification language that uses hierarchical finite state
79 machines to specify system requirements.
80
81 component SAT(SAT (line 58 on page 141))
82 The Boolean satisfiability problem (sometimes called propositional
83 satisfiability problem and abbreviated SAT) is the problem of
84 determining if there exists an interpretation that satisfies a given
85 Boolean formula.
86
87 component SAWscript(SAWscript (line 61 on page 141))
88 The proof script language is used to specify the assumptions and proof
89 goals of formal verifications to the SAW tool.
90
91 component soft,core
92 A CPU or SoC that is implemented in an HDL and synthesized to a
93 bitstream and loaded onto an FPGA.
94
95 component SPARK(SPARK (line 74 on page 142))
96 A formally defined computer programming language based on the Ada
97 programming language, intended for the development of high integrity
98 software used in systems where predictable and highly reliable
99 operation is essential. It facilitates the development of applications
100 that demand safety, security, or business integrity.
101
102 component SpeAR(SpeAR (line 77 on page 142))
103 An integrated development environment for formally specifying and
104 rigorously analyzing requirements.
105
106 component Verifier for Concurrent C (VCC)(VCC (line 84 on page 142))
107 VCC is a program verification tool that proves correctness of
108 annotated concurrent C programs or finds problems in them. VCC extends
109 C with design by contract features, like pre, and postcondition as
110 well as type invariants. Annotated programs are translated to logical
111 formulas using the Boogie tool, which passes them to an automated SMT
112 solver Z3 to check their validity.

```

```

112
113 component Verified Software Toolchain (VST)(   VST (line 92 on page 142))
114 A software toolchain that includes static analyzers to check
115 assertions about a C program; optimizing compilers to translate a C
116 program to machine language; and operating systems and libraries to
117 supply context for the C program. The Verified Software Toolchain
118 project assures with machine-checked proofs that the assertions
119 claimed at the top of the toolchain really hold in the
120 machine-language program, running in the operating,system context.
121
122 component Refinement(   Refinement (line 95 on page 142))
123
124 component Property(   Property (line 96 on page 142))
125
126 component Safety Property(   Safety Property (line 97 on page 142))
127 inherit Property
128
129 component Correctness Property(   Correctness Property (line 98 on page 142))
130 inherit Property
131
132 component Security Property(   Security Property (line 99 on page 142))
133 inherit Property
134
135 component Model(   Model (line 100 on page 142))
136
137 component Semi,Formal Model(   Semi-Formal Model (line 101 on page 142))
138 inherit Model
139
140 component Formal Model(   Formal Model (line 102 on page 142))
141 inherit Model
142
143 component Consistent(   Consistent (line 103 on page 142))
144 inherit Property
145
146 component Complete(   Complete (line 104 on page 142))
147 inherit Property
148
149 component Consistent Model(   Consistent Model (line 105 on page 142))
150 inherit Model Consistent
151
152 component Complete Model(   Complete Model (line 106 on page 142))
153 inherit Model Complete
154
155 component Requirement(   Requirement (line 121 on page 142))
156
157 component Scenario(   Scenario (line 122 on page 142))
158
159 component Product(   Product (line 123 on page 142))
160
161 component Product Line(   Product Line (line 124 on page 142))
162
163 component Configure(   Configure (line 125 on page 142))
164
165 component DOORS(   DOORS (line 126 on page 142))
166
167 component Clafer(   Clafer (line 127 on page 142))
168
169 component Lobot(   Lobot (line 128 on page 142))
170
171 component Lando
172
173 component Denotational(   Denotational (line 108 on page 142))
174
175 component Operational(   Operational (line 109 on page 142))
176
177 component Semantics(   Semantics (line 110 on page 142))

```

```

178
179 component Risk(≤ Risk (line 146 on page 143))
180
181 component Power(≤ Power (line 147 on page 143))
182
183 component Resource(≤ Resource (line 148 on page 143))
184
185 component Reliability(≤ Reliability (line 149 on page 143))
186
187 component Rigorous(≤ Rigorous (line 114 on page 142))
188 A specification that has a precise, unambiguous, formal semantics
189 grounded in real world formal foundations and systems engineering
190 artifacts, such as source code and hardware designs.
191
192 component Collaborative Development Environment (CDE)(≤ CDE (line 152 on page 143))
193
194 component Continuous Integration (CI)(≤ CI (line 153 on page 143))
195
196 component Continuous Verification (CV)(≤ CV (line 154 on page 143))
197
198 component Analyzer(≤ Analyzer (line 155 on page 143))
199
200 component Static Analyzer(≤ Static Analyzer (line 156 on page 143))
201 inherit Analyzer
202
203 component Dynamic Analyzer(≤ Dynamic Analyzer (line 157 on page 143))
204 inherit Analyzer
205
206 component Finite State Machine (FSM)(≤ FSM (line 129 on page 143))
207
208 component Deterministic(≤ Deterministic (line 115 on page 142))
209
210 component Non,deterministic(≤ Non-deterministic (line 116 on page 142))
211
212 component Deterministic Finite State Machine (DFSM)(≤ DFSM (line 130 on page 143))
213 inherit FSM Deterministic
214
215 component Non,deterministic Finite State Machine (NFSM)(≤ NFSM (line 132 on page 143))
216 inherit FSM Non,deterministic
217
218 component Abstract State Machine (ASM)(≤ ASM (line 134 on page 143))
219 inherit FSM
220
221 component Design(≤ Design (line 135 on page 143))
222
223 component Architecture(≤ Architecture (line 26 on page 137), Architecture (line 7 on
page 152), Architecture (line 136 on page 143))
224
225 component Specification(≤ Specification (line 137 on page 143))
226
227 component Architecture Specification(≤ Architecture Specification (line 138 on page 143))
228 inherit Specification
229
230 component Solver(≤ Solver (line 158 on page 143))
231
232 component Formal Method (FM)(≤ FM (line 117 on page 142))
233
234 component Logical Framework (LF)(≤ LF (line 159 on page 143))
235
236 component Programming Language (PL)(≤ PL (line 26 on page 151), PL (line 178 on
page 143))
237
238 component Specification Language(≤ Specification Language (line 164 on page 143))
239
240 component Protocol(≤ Protocol (line 165 on page 143))
241
242 component System Specification(≤ System Specification (line 166 on page 143))

```

```

243 inherit Specification
244 component Hand,written(≤ Hand-written (line 167 on page 143))
245 component Machine,generated(≤ Machine-generated (line 168 on page 143))
246 component Source,level Specification Language(≤ Source-level Specification Language
247 (line 169 on page 143))
248 inherit Specification Language
249 component Model,based Specification Language(≤ Model-based Specification Language
250 (line 171 on page 143))
251 inherit Specification Language
252 component System(≤ System (line 139 on page 143))
253 component Distributed System(≤ Distributed System (line 140 on page 143))
254 inherit System
255 component Concurrent System(≤ Concurrent System (line 141 on page 143))
256 inherit System
257 component Cryptographic Protocol(≤ Cryptographic Protocol (line 174 on page 143))
258 inherit Protocol
259 component Cryptographic Algorithm(≤ Cryptographic Algorithm (line 175 on page 143))
260 component I/O (IO)(≤ IO (line 217 on page 144))
261 component General Purpose I/O (GPIO)(≤ GPIO (line 218 on page 144))
262 inherit IO
263 component Sensor(≤ Sensor (line 219 on page 144), Sensors (?? on page ??), Sensor
264 (line 21 on page 152))
265 component Actuator(≤ actuator2 (line 273 on page 156), Actuator (line 222 on
266 page 144), actuator1 (line 272 on page 156), Actuator1 (?? on page ??),
267 Actuator2 (?? on page ??), Actuator (line 196 on page 155), Actuator (?? on
268 page ??), Actuators (?? on page ??))
269 component Solenoid(≤ Solenoid (line 223 on page 144))
270 inherit Actuator
271 component Compiler(≤ Compiler (line 185 on page 144))
272 component Synthesizer(≤ Synthesizer (line 200 on page 144))
273 component Universal Serial Bus (USB)(≤ USB (line 225 on page 144))
274 component LED(≤ LED (line 226 on page 144))
275 component Cable(≤ Cable (line 227 on page 144))
276 component Program(≤ Program (line 143 on page 143))
277 component Bitstream(≤ Bitstream (line 284 on page 145))
278 component Field,Programmable Gate Array (FPGA)(≤ FPGA (?? on page ??), FPGA
279 (line 228 on page 144))
280 component ECP,5(≤ ECP-5 (line 229 on page 144))
281 inherit FPGA
282 component Printed Component Board (PCB)(≤ PCB (line 230 on page 144))
283 component Connector(≤ Connector (line 214 on page 144))
284 component USB Connector(≤ USB Connector (line 233 on page 144))

```

```

304
305 component USB Mini Connector (USB,Mini)( USB_Mini  (line 234 on page 144))
306 inherit USB Connector
307
308 component High,Assurance( High-Assurance  (line 160 on page 143))
309
310 component C( C  (line 180 on page 143))
311
312 component PMOD( PMOD  (line 235 on page 144))
313
314 component JTAG( JTAG  (line 236 on page 144))
315
316 component Driver( Driver  (line 237 on page 144))
317
318 component Voting( Voting  (line 254 on page 145))
319
320 component UCB Cable( USB Cable  (line 245 on page 145))
321 inherit USB Cable
322
323 component Output LED( Output LED  (line 16 on page 146))
324 inherit LED

```

## A.7 System Hardware

Listing A.7: Lando model of the system hardware.

```

1 subsystem RTS Hardware Artifacts( RTS Hardware Artifacts  (line 5 on page 146),
2    Hardware  (line 28 on page 137),  RTS Hardware Artifacts  (?? on page ??))
3 The physical hardware components that are a part of the HARDENS RTS
4 demonstrator.
5
6 component USB Cable( USB Cable  (line 245 on page 145))
7 A normal USB cable.
8 What kind of USB connector is on the start of the cable?
9 What kind of USB connector is on the end of the cable?
10
11 relation USB Cable (line 5) inherit USB, Cable
12
13 component SERDES Test SMA Connectors (J9,J26)( SERDES Test SMA Connector  (line 10 on
14   page 146))
15
16 component Parallel Config Header (J38)( Parallel Config Header  (line 11 on page 146),
17   J38 (line 28 on page 146))
18
19 component Versa Expansion Connectors (J39,J40)( Versa Expansion Connector  (line 12 on
20   page 146))
21
22 component SPI Flag Configuration Memory (U4)( SPI Flag Configuration Memory  (line 13 on
23   page 146),  U4  (line 30 on page 146))
24
25 component CFG Switches (SW1)( SW1  (line 31 on page 146))
26
27 component Input Switches (SW5)( Input Switch  (line 15 on page 146),  SW5  (line 32 on
28   page 146))
29
30 component Output LEDs (D5,D12)( Output LED  (line 16 on page 146))
31
32 component Input Push Buttons (SW2,SW4)( Input Push Button  (line 17 on page 146))
33
34 component 12 V DC Power Input (J37)
35
36 component GPIO Headers (J32,J33)( GPIO Headers  (line 19 on page 146))

```

```

32 | component PMOD/GPIO Header (J31)( PMOD/GPIO Header  (line 20 on page 146), J31
33 |   (line 37 on page 146))
34 | component Microphone Board/GPIO Header (J30)( Microphone Board/GPIO Header  (line 21 on
35 |   page 146), J30 (line 38 on page 146))
36 | component Prototype Area( Prototype Area  (line 39 on page 146))
37 |
38 | component ECP5,5G Device (U3)( ECP5-5G Device  (line 22 on page 146), U3 (line 40 on
39 |   page 146))
40 | component JTAG Interface (J1)( JTAG Interface  (line 24 on page 146), J1 (line 41 on
41 |   page 146))
42 | component Mini USB Programming (J2)( Mini USB Programming  (line 25 on page 146), J2
43 |   (line 42 on page 146))
44 | component Lattice ECP,5 FPGA Development Board (Board)( DevBoard  (line 26 on page 146))
45 |
46 | component Temperature Sensor( Temperature Sensor  (?? on page ??),  Temperature Sensor 
47 |   (line 220 on page 144),  Temperature Sensor  (line 59 on page 153))
48 | A sensor that is capable of measuring the temperature of its environment.
49 | What is your temperature reading in Celsius (C)?
50 | component Pressure Sensor( Pressure Sensor  (line 83 on page 153),  Pressure Sensor 
51 |   (?? on page ??),  Pressure Sensor  (line 221 on page 144),  PressureSensor  (?? on
52 |   page ??),  PressureSensor  (line 73 on page 153))
53 | A sensor that is capable of measuring the air pressure of its environment.
54 | What is your pressure reading in Pascal (P)?
55 | component Solenoid Actuator( Solenoid Actuator  (line 50 on page 146))
56 | A solenoid actuator capable of being in an open or closed state.
57 | Close!
58 | Open!
59 | relation Temperature Sensor (line 46) inherit Sensor
60 | relation Pressure Sensor (line 50) inherit Sensor
61 | relation Solenoid Actuator (line 54) inherit Actuator
62 |
63 | subsystem Physical Architecture( Physical Architecture  (line 2 on page 147))
64 | The physical architecture of the HARDENS RTS demonstrator.
65 |
66 | component USB UI Cable (UI,C)
67 | The USB cable used to communicate the ASCII UI to/from the board.
68 |
69 | component USB Programming Cable (Prog,C)
70 | The USB cable used to program the board with a bitstream.
71 |
72 | component USB Debugging I/O Cable (Debug,C)
73 | The USB cable used to interact with the board in a debugger.
74 |
75 | component Dev Board (Board)
76 | A PCB developer board used to prototype hardware.
77 |
78 | // * MOSFET power control kit: https://www.sparkfun.com/products/12959
79 |
80 | // * 12 V Latch solenoid: https://www.sparkfun.com/products/15324
81 |
82 | // * Pressure sensor: https://www.sparkfun.com/products/11084
83 |
84 | component Temperature Sensor 1 (TS1)( Temperature Sensor  (?? on page ??),  Temperature 
85 |    Sensor  (line 220 on page 144),  Temperature Sensor  (line 59 on page 153))
86 | The first of two redundant temperature sensors.
87 |
88 | component Temperature Sensor 2 (TS2)( Temperature Sensor  (?? on page ??),  Temperature 
89 |    Sensor  (line 220 on page 144),  Temperature Sensor  (line 59 on page 153))
90 | The second of two redundant temperature sensors.

```

```

90 | component Pressure Sensor 1 (PS1)( Pressure Sensor  (line 83 on page 153), Pressure
91 | Sensor (? on page ??), Pressure Sensor (line 221 on page 144), PressureSensor
92 | (? on page ??), PressureSensor (line 73 on page 153))
91 | The first of two redundant pressure sensors.
92 |
93 | component Pressure Sensor 2 (PS2)( Pressure Sensor  (line 83 on page 153), Pressure
94 | Sensor (? on page ??), Pressure Sensor (line 221 on page 144), PressureSensor
95 | (? on page ??), PressureSensor (line 73 on page 153))
94 | The second of two redundant pressure sensors.
95 |
96 | component Solenoid Actuator 1 (SA1)( Solenoid Actuator  (line 50 on page 146))
97 | The first of two redundant solenoid actuators.
98 |
99 | component Solenoid Actuator 2 (SA2)( Solenoid Actuator  (line 50 on page 146))
100 | The second of two redundant solenoid actuators.
101 |
102 | component HARDENS Demonstrator (Demonstrator)
103 | The fully assembled HARDENS demonstrator hardware with all component
104 | present.
105 |
106 | component Developer Machine
107 | The computer used by a developer to interface with the demonstrator,
108 | typically for driving the demonstrator's UI and programming and
109 | debugging the board.
110 |
111 | relation Demonstrator (line 102) client Board (line 75)
112 | relation Board (line 75) client UI
113 | relation Board (line 75) client UI-C (line 66)
114 | relation Board (line 75) client Prog-C (line 69)
115 | relation Board (line 75) client Debug-C (line 72)
116 | relation Board (line 75) client TS1 (line 84)
117 | relation Board (line 75) client TS2 (line 87)
118 | relation Board (line 75) client PS1 (line 90)
119 | relation Board (line 75) client PS2 (line 93)
120 | relation Board (line 75) client SA1 (line 96)
121 | relation Board (line 75) client SA2 (line 99)
122 | relation UI-C (line 66) client Developer Machine (line 106)
123 | relation Prog-C (line 69) client Developer Machine (line 106)
124 | relation Debug-C (line 72) client Developer Machine (line 106)
125 | relation U3 (line 38) inherit FPGA
126 | relation Board (line 75) contains ECP5,5G
127 | relation Board (line 75) inherit PCB
128 | relation FPGA Dev Board contains J2 (line 42)

```

## A.8 System Instrumentation

Listing A.8: Lando model of the system instrumentation.

```

1 subsystem RTS Instrumentation Architecture
2 The architecture for the instrumentation (sensors and actuators)
3 subsystem of the RTS demonstrator.
4
5 subsystem RTS Instrumentation Systems Architecture
6 The systems architecture for the instrumentation subsystem of the RTS
7 demonstrator. Some of the architecture is implemented in hardware,
8 and some is implemented in software.
9
10 component Instrumentation Implementation (InstImpl) inherit Driver
11 A software or hardware driver that interfaces with a sensor. In the
12 RTS demonstrator there are two kinds of sensors: pressure and
13 temperature.
14
15 component Actuator Implementation (ActImpl)

```

```

16  inherit Driver
17 A software or hardware driver that interfaces with an actuator. In
18 the RTS demonstrator there is one kind of actuator: a solenoid.
19
20 component Voting Implementation (VoteImpl)
21 inherit Voting
22 A software or hardware implementation of our voting algorithm that
23 provides fault tolerance for decision-making based upon the attached
24 components' inputs.
25
26 subsystem Instrumentation Software Stack (SWStack)
27 inherit Software
28 The software stack associated with the instrumentation subsystem.
29
30 component Instrumentation Implementation 1 (InstImpl1) inherit Instrumentation
   ↢ Implementation
31 The first of four sensor drivers for the instrumentation subsystem.
32
33 relation InstImpl1 inherit SWImpl
34 relation InstImpl1 inherit High,Assurance
35 relation InstImpl1 inherit C
36
37 component Instrumentation Implementation 2 (InstImpl2)
38 inherit InstImpl
39 The second of four sensor drivers for the instrumentation subsystem.
40 There are multiple sensors in the architecture to provide fault
41 tolerance.
42
43 component Actuator Implementation 1 (ActImpl1)
44 inherit ActImpl
45 The first of two actuator drivers for the instrumentation subsystem.
46 There are multiple actuators in the architecture to provide fault
47 tolerance.
48
49 component Voting Implementation 1 (VoteImpl1)
50 inherit VoteImpl
51 The first of two implementations of the voting component. Voting is
52 used to implement redundancy of instrumentation and control in the RTS
53 demonstrator.
54
55 relation SWStack (line 26) client Binaries
56 relation Binaries client SWStack (line 26)
57
58 subsystem Instrumentation Actuation and Voting Hardware Stack (HWStack)
59 The hardware implementations driving a redundant subset of sensors,
60 actuators, and voting components.
61
62 component Instrumentation Implementation 3 (InstImpl3)
63 inherit InstImpl
64 The third of four sensor drivers for the instrumentation subsystem.
65 There are multiple sensors in the architecture to provide fault
66 tolerance.
67
68 component Instrumentation Implementation 4 (InstImpl4)
69 inherit InstImpl
70 The fourth of four sensor drivers for the instrumentation subsystem.
71 There are multiple sensors in the architecture to provide fault
72 tolerance.
73
74 component Actuator Implementation 2 (ActImpl2)
75 inherit ActImpl
76 The second of two actuator drivers for the instrumentation subsystem.
77 There are multiple actuators in the architecture to provide fault
78 tolerance.
79
80 component Voting Implementation 2 (VoteImpl2)

```

```

81 inherit VoteImpl
82 The second of two implementations of the voting component. Voting is
83 used to implement redundancy of instrumentation and control in the RTS
84 demonstrator.
85
86 relation HWStack (line 58) client Bitstream
87 relation Bitstream client HWStack (line 58)

```

## A.9 Project Requirements

Listing A.9: Lando model of the project requirements.

```

1 // All requirements that the RTS system must fulfill, as driven by the
2 // IEEE 603,2018 standards and the NRC RFP.
3
4 requirements HARDENS Project High,level Requirements
5 // The high,level requirements for the project stipulated by the NRC RFP.
6
7 NRC Understanding(└ NRC Understanding (line 19 on page 149))
8 Provide to the NRC expert technical services in order to develop a
9 better understanding of how Model-Based Systems Engineering (MBSE)
10 methods and tools can support regulatory reviews of adequate design
11 and design assurance.
12
13 Identify Regulatory Gaps(└ Identify Regulatory Gaps (line 20 on page 149))
14 Identify any barriers or gaps associated with MBSE in a regulatory
15 review of Digital Instrumentation and Control Systems for existing
16 Nuclear Power Plants.
17
18 Demonstrate(└ Demonstrate (line 21 on page 149))
19 Galois will demonstrate to the Nuclear Regulatory Commission (NRC)
20 cutting,edge capabilities in the model,based design, validation, and
21 verification of safety,critical, mission,critical, high,assurance
22 systems.
23
24 Demonstrator Parts(└ Demonstrator Parts (line 22 on page 149))
25 Our demonstrator includes high,assurance software and hardware,
26 includes open source RISC,V Central Processing Units.
27
28 Demonstrator Groundwork(└ Demonstrator Groundwork (line 23 on page 149))
29 Our demonstrator lays the groundwork for a high,assurance reusable
30 product for safety critical Digital Instrumentation and Control
31 Systems systems in Nuclear Power Plants.
32
33 requirements NRC Characteristics
34 // The requirements driven by the IEEE 603,2018 standard for NPP I&C
35 // systems.
36
37 // Both formal and rigorous consistency checks of the requirements
38 // will be accomplished by using false theorem checks and proofs in
39 // the Cryptol model and in software and hardware source code;
40 Requirements Consistency(└ Requirements Consistency (line 6 on page 139), Requirements
41 Consistency (line 35 on page 149))
42 Requirements must be shown to be consistent.
43
44 // A rigorous completeness validation of the requirements will be
45 // accomplished by demonstrating traceability from the project
46 // specification (including the RFP text describing the reactor trip
47 // system) to the formal models of the system and its properties.
48 Requirements Colloquial Completeness(└ Requirements Colloquial Completeness (line 36 on
49 page 149), Requirements Colloquial Completeness (line 9 on page 139))
The system must be shown to fulfill all requirements.

```

```

50 // A formal verification of completeness of the requirements will be
51 // accomplished by using the chosen requirements checking tool
52 Requirements Formal Completeness(└ Requirements Formal Completeness (line 37 on
      page 149), Requirements Formal Completeness (line 12 on page 139))
53 Requirements must be shown to be formally complete.
54
55 // This characteristic will be demonstrated architecturally via the
56 // decoupling of computation across the two RISC,V instrumentation
57 // cores and two instrumentation units running on the FPGA.
58 Instrumentation Independence(└ Instrumentation Independence (line 15 on page 139),
      Instrumentation Independence (line 38 on page 149))
59 Independence among the four divisions of instrumentation (inability
60 for the behavior of one division to interfere or adversely affect the
61 performance of another).
62
63 // This characteristic will be demonstrated architecturally by
64 // decoupling the compute and I/O channels of the units from one
65 // another.
66 Channel Independence(└ Channel Independence (line 39 on page 149), Channel Independence
      (line 20 on page 139))
67 Independence among the two instrumentation channels within a division
68 (inability for the behavior of one channel to interfere or adversely
69 affect the performance of another).
70
71 // This characteristic will be demonstrated architecturally by
72 // partitioning the actuation logic across software and hardware
73 // units.
74 Actuation Independence(└ Actuation Independence (line 25 on page 139), Actuation
      Independence (line 40 on page 149))
75 Independence among the two trains of actuation logic (inability for
76 the behavior of one train to interfere or adversely affect the
77 performance of another).
78
79 // This characteristic will be demonstrated by rigorous validation via
80 // runtime verification and formal verification of the model and its
81 // implementation, as discussed in detail below.
82 Actuation Correctness(└ Actuation Correctness (line 30 on page 139), Actuation
      Correctness (line 41 on page 149))
83 Completion of actuation whenever coincidence logic is satisfied or
84 manual actuation is initiated.
85
86 // This characteristic will be demonstrated architecturally by
87 // partitioning the actuation logic across software and hardware
88 // units.
89 Self,Test/Trip Independence(└ Self-Test/Trip Independence (line 34 on page 140),
      Self-Test/Trip Independence (line 42 on page 149))
90 Independence between periodic self,test functions and trip functions
91 (inability for the behavior of the self,testing to interfere or
92 adversely affect the trip functions).

```

## A.10 System Requirements

Listing A.10: Lando model of the requirements.

```
1 subsystem Requirements
2 The requirements for the RTS system are specified in the following
3 requirements specifications:
4   HARDENS Project High-level Requirements
5   NRC Characteristics.
6
7 // At the moment all system requirements are written in FRET. See the
8 // top-level [](..../README.md) for more information.
9
10 // During Task 2 we will reify those same requirements into our Lando
11 // and SysML specifications as well.
```

## A.11 System Behavioral Scenarios

Listing A.11: Lando model of the scenarios.

```
1 // Scenarios are sequences of events. Scenarios document normal and
2 // abnormal traces of system execution.
3
4 // Normal scenarios describe the normal behavior of the system when
5 // it is not in maintenance or self,test mode.
6
7 scenarios RTS Scenarios
8
9 Normal Behavior 1 ,Stable Normal State
10 The system is in the normal operating mode across all instrumentation
11 units, no unit is in test mode, and no unit is in maintenance mode, a
12 threshold setpoint v_p has been set for pressure, and a threshold
13 setpoint v_t has been set for temperature.
14
15 Normal Behavior 2 ,Event Control
16 The system is in a stable normal state and responds to a new event.
17
18 Normal Behavior 3 ,Sense Compute Actuate
19 The system is in a stable normal state and receives input from the
20 user and reads data from its sensors and, reacts to user input, and if
21 necessary, actuates an actuator.
22
23 Normal Behavior 4 ,Test Instrumentation
24 Test system behavior across all possible combinations of modes,
25 commands, pressure values, temperature values, and failure conditions.
26
27 Normal Behavior 5 ,Test Voting
28 Test system voting behavior across all possible combinations of vote
29 inputs.
```

## A.12 System Test Scenarios

Listing A.12: Lando model of the Test scenarios.

```

1 // Scenarios are sequences of events. Scenarios document normal and
2 // abnormal traces of system execution.
3
4 // Test scenarios are scenarios that validate a system conforms to its
5 // requirements through runtime verification (testing). Each scenario
6 // is refined to a (possibly parametrized) runtime verification
7 // property. If a testbench is complete, then every path of a
8 // system's state machine should be covered by the its set of scenarios.
9
10 scenarios Self,Test Scenarios
11
12 Normal Self,Test Behavior 1a ,Trip on Mock High Pressure Reading from that Pressure Sensor
13 The user selects 'maintenance' for an instrumentation division, the
14 division's pressure channel is set to 'normal' mode, the pressure
15 setpoint is set to a value v, the user simulates a pressure input to
16 that division exceeding v, the division generates a pressure trip.
17
18 Normal Self,Test Behavior 1b ,Trip on Environmental High Pressure Reading from that Pressure
    ↪ Sensor
19 The user selects 'maintenance' for an instrumentation division, the
20 division's pressure channel is set to 'normal' mode, the pressure
21 setpoint is set to a value v, the division reads a pressure sensor
22 value division exceeding v, the division generates a pressure trip.
23
24 Normal Self,Test Behavior 2a ,Trip on Mock High Temperature Reading from that Temperature
    ↪ Sensor
25 The user selects 'maintenance' for an instrumentation division, the
26 division's temperature channel is set to 'normal' mode, the
27 temperature setpoint is set to a value v, the user simulates a
28 temperature input to that division exceeding v, the division generates
29 a temperature trip.
30
31 Normal Self,Test Behavior 2a ,Trip on Environmental High Temperature Reading from that
    ↪ Temperature Sensor
32 The user selects 'maintenance' for an instrumentation division, the
33 division's temperature channel is set to 'normal' mode, the
34 temperature setpoint is set to a value v, the division reads a
35 temperature sensor value division exceeding v, the division generates
36 a temperature trip.
37
38 Normal Self,Test Behavior 3a ,Trip on Mock Low Saturation Margin
39 The user selects 'maintenance' for an instrumentation division, the
40 division's saturation channel is set to 'normal' mode, the saturation
41 margin setpoint is set to a value v, the user simulates pressure and
42 temperature inputs to that division such that the saturation margin is
43 below v, the division generates a saturation margin trip.
44
45 Normal Self,Test Behavior 3a ,Trip on Environmental Low Saturation Margin
46 The user selects 'maintenance' for an instrumentation division, the
47 division's saturation channel is set to 'normal' mode, the saturation
48 margin setpoint is set to a value v, the division reads pressure and
49 temperature sensor values in that division such that the saturation
50 margin is below v, the division generates a saturation margin trip.
51
52 Normal Self,Test Behavior 4 ,Vote on Every Possible Like Trip
53 The user selects 'maintenance' for each instrumentation division, the
54 user configures a subset of channels to place in active trip output.
55
56 Normal Self,Test Behavior 5a ,Automatically Actuate All Mock Devices in Sequence
57 The user selects 'maintenance' for each instrumentation division, the
58 user places enough channels in 'active trip' to actuate a mock device.
59
60 Normal Self,Test Behavior 5b ,Automatically Actuate All Hardware Devices in Sequence
61 The user selects 'maintenance' for each instrumentation division, the
62 user places enough channels in 'active trip' to actuate a hardware

```

```

63 device.
64
65 Normal Self,Test Behavior 6 ,Manually Actuate Each Device in Sequence
66 The user manually actuates each device.
67
68 Normal Self,Test Behavior 7a ,Select Maintenance Operating Mode for each Division
69 The user selects 'maintenance' mode for each instrumentation division
70 in sequence.
71
72 Normal Self,Test Behavior 7b ,Select Normal Operating Mode for each Division
73 The user exits 'maintenance' mode for each instrumentation division in
74 sequence.
75
76 Normal Self,Test Behavior 8 ,Perform Each Kind of Setpoint Adjustment
77 For each instrumentation division, the user provides a setpoint for
78 temperature, then the user provides a setpoint for pressure, then the
79 user provides a setpoint for saturation margin.
80
81 Normal Self,Test Behavior 9 ,Configure Bypass of Each Instrument Channel in Sequence
82 For each instrumentation division, the user puts each channel in
83 'normal' and then 'bypass' mode.
84
85 Normal Self,Test Behavior 10 ,Configure Active Trip Output State of Each Instrument Channel
     ↪ in Sequence
86 For each instrumentation division, the user puts each channel in
87 'trip' and then 'normal' mode.
88
89 Normal Self,Test Behavior 11 ,Display Pressure Temperature and Saturation Margin
90 The user provides inputs for an instrumentation division, then the UI
91 displays the updated pressure, temperature and saturation margin.
92
93 Normal Self,Test Behavior 12 ,Display Every Trip Output Signal State in Sequence
94 The user configures an instrumentation division in 'maintenance',
95 selects a channel and places it in 'trip', the UI displays the trip
96 state, the user places the channel in 'normal' mode, the UI displays
97 the trip state.
98
99 Normal Self,Test Behavior 13 ,Display Indication of Every Channel in Bypass in Sequence
100 The user configures an instrumentation division in 'maintenance', the
101 user selects a channel and places it in bypass, the UI displays the
102 bypass state, the user places the channel in normal mode, the UI
103 displays the updated state.
104
105 Normal Self,Test Behavior 14 ,Demonstrate Periodic Continual Self,test of Safety Signal Path
106 The system starts, eventually the UI displays that self test has run.
107
108 Normal Behavior Full Self,Test
109 The system selects two instrumentation divisions and a device, the system
110 simulates inputs to the selected instrumentation divisions, the system checks
111 that the correct actuation signal would be sent to the selected device.
112
113 // Exceptional behaviors are *predictable* system behaviors triggered
114 // by external environment affects. Examples include a CPU, OS,
115 // device, or network total or partial failure. E.g., CPU deadlock,
116 // out-of-memory errors, permanent store partial and total failures,
117 // lack of space in permanent store, partial and total network
118 // failures, device driver partial or total failures, etc.
119
120 // In our architecture, every part of the RTS system, and particularly
121 // every part of the instrumentation and sensing subsystem and every
122 // part of the actuation subsystem must be able to fail and the system
123 // must respond appropriately.
124
125 // This is not detectable
126 Exceptional Behavior 1a ,Cause Actuator 1 to Fail
127 Manually actuate Actuator 1, the actuator fails, an error is indicated.

```

```

128
129 // This is not detectable
130 Exceptional Behavior 1b ,Cause Actuator 2 to Fail
131 Manually actuate Actuator 2, the actuator fails, an error is indicated.
132
133 // This is not detectable
134 Exceptional Behavior 1c ,Non,deterministically Cause an Actuator to Eventually Fail
135 Repeatedly manually actuate/unactuate an Actuator, the actuator fails, an error is indicated
    ↪ .
136
137 Exceptional Behavior 2a ,Cause Temperature Sensor 1 to Fail
138 Instrumentation units 1 and 2 reports temperature readings that are inconsistent with
    ↪ Instrumentation units 3 and 4, the
139 discrepancy is indicated on the UI.
140
141 Exceptional Behavior 2b ,Cause Temperature Sensor 2 to Fail
142 Instrumentation units 1 and 2 reports temperature readings that are inconsistent with
    ↪ Instrumentation units 3 and 4, the
143 discrepancy is indicated on the UI.
144
145 Exceptional Behavior 2c ,Non,deterministically Cause a Temperature Sensor to Eventually Fail
146 Instrumentation units 1 and 2 reports temperature readings that are inconsistent with
    ↪ Instrumentation units 3 and 4, the
147 discrepancy is indicated on the UI.
148
149 Exceptional Behavior 3a ,Cause Pressure Sensor 1 to Fail
150 Instrumentation units 1 and 2 reports pressure readings that are inconsistent with
    ↪ Instrumentation units 3 and 4, the
151 discrepancy is indicated on the UI.
152
153 Exceptional Behavior 3b ,Cause Pressure Sensor 2 to Fail
154 Instrumentation units 1 and 2 reports pressure readings that are inconsistent with
    ↪ Instrumentation units 3 and 4, the
155 discrepancy is indicated on the UI.
156
157 Exceptional Behavior 3c ,Non,deterministically Cause a Pressure Sensor to Eventually Fail
158 Temperature Sensor 1 or Temperature Sensor 2 report inconsistent values,
159 discrepancy is indicated on the UI.
160
161 // Can be further refined, e.g.:
162 // Sensor values are read by Instrummnetation Unit 1, the unit generates the wrong trip signal
    ↪ ,
163 Exceptional Behavior 4a ,Cause Instrumentation Unit 1 to Fail
164 Instrumentation unit 1 fails, self test indicates that a test has failed.
165
166 // Can be further refined, e.g.:
167 // Sensor values are read by Instrummnetation Unit 1, the unit generates the wrong trip signal
    ↪ ,
168 Exceptional Behavior 4b ,Cause Instrumentation Unit 2 to Fail
169 Instrumentation unit 2 fails, self test indicates that a test has failed.
170
171 // Can be further refined, e.g.:
172 // Sensor values are read by Instrummnetation Unit 1, the unit generates the wrong trip signal
    ↪ ,
173 Exceptional Behavior 4c ,Cause Instrumentation Unit 3 to Fail
174 Instrumentation unit 3 fails, self test indicates that a test has failed.
175
176 // Can be further refined, e.g.:
177 // Sensor values are read by Instrummnetation Unit 1, the unit generates the wrong trip signal
    ↪ ,
178 Exceptional Behavior 4d ,Cause Instrumentation Unit 4 to Fail
179 Instrumentation unit 4 fails, self test indicates that a test has failed.
180
181 Exceptional Behavior 4e ,Non,Deterministically Cause Instrumentation Unit to Eventually Fail
182 At least one instrumentation unit fails to generate the appropriate trip signal, self test
    ↪ runs,
183 self test indicates that a test has failed.

```

```

184
185 Exceptional Behavior 5a ,Cause Temperature Demultiplexor 1 to Fail
186 At least one of Instrumentation units 1 or 2 report temperature readings inconsistent with
    ↳ instrumentation units 3 and 4.
187
188 Exceptional Behavior 5b ,Cause Temperature Demultiplexor 2 to Fail
189 At least one of Instrumentation units 3 or 4 report temperature readings inconsistent with
    ↳ instrumentation units 1 and 2.
190
191 Exceptional Behavior 5c ,Cause Pressure Demultiplexor 1 to Fail
192 At least one of Instrumentation units 1 and 2 report pressure readings inconsistent with
    ↳ instrumentation units 3 and 4.
193
194 Exceptional Behavior 5d ,Cause Pressure Demultiplexor 2 to Fail
195 At least one of Instrumentation units 3 and 4 report pressure readings inconsistent with
    ↳ instrumentation units 1 and 2.
196
197 Exceptional Behavior 5e ,Cause a Temperature Demultiplexor to Eventually Fail
198 All instrumentation units report consistent temperature readings, a demultiplexor fails, at
    ↳ least one of the
199 instrumentation units reports an inconsistent temperature reading.
200
201 Exceptional Behavior 5f ,Cause a Pressure Demultiplexor to Eventually Fail
202 All instrumentation units report consistent temperature readings, a demultiplexor fails, at
    ↳ least one of the
203 instrumentation units reports an inconsistent pressure reading.

```

## A.13 System Tool Scenarios

Listing A.13: Lando model of the System Tool scenarios.

```

1 scenarios Tool Scenarios
2
3 Verify Software
4 Formally verify that software or firmware programs fulfill their
5 specifications.
6
7 Verify Hardware
8 Formally verify that a hardware design fulfills its specifications.
9
10 Formal Equivalence Checking
11 Formally verify that programs written in different languages (even
12 across the hardware/software boundary) are equivalent.
13
14 Symbolic Testing
15 Improve the assurance of software using symbolic testing.
16
17 Backend Solver Libraries
18 Provide libraries for symbolic formula representation and solver
19 interaction.
20
21 Binary Analysis
22 Analyze binaries in a variety of formats and for a host of different
23 Instruction Set Architectures.
24
25 Binary Rewriting
26 Perform binary analysis and rewriting for a variety of purposes.
27
28 Model-Based Test Generation
29 Automatically generate model-based tests for a software, firmware, or
30 hardware system.
31

```

|    |                                                                                      |
|----|--------------------------------------------------------------------------------------|
| 32 | Specify Semi,Formal Architecture using Natural Language Processing                   |
| 33 | Specify a systems architectures at a high level leveraging Natural                   |
| 34 | Language Processing technology.                                                      |
| 35 |                                                                                      |
| 36 | Concretize Model                                                                     |
| 37 | Create or generate a new model or an implementation from a semi,formal or formal     |
| 38 | model or implementation by adding extra information, typically turning               |
| 39 | a denotational property into an operational computation, and guarantee               |
| 40 | that the new, refined model behaves identically to the previous,                     |
| 41 | abstract model.                                                                      |
| 42 |                                                                                      |
| 43 | Abstract Model                                                                       |
| 44 | Extract formal models,,,including behavioral and architectural                       |
| 45 | models,,,from source code and binaries, and guarantee that all                       |
| 46 | properties of the abstract model hold for the more concrete model or                 |
| 47 | implementation.                                                                      |
| 48 |                                                                                      |
| 49 | Define Refinement Relation                                                           |
| 50 | Define a pair of functions, an abstraction function $L: I \rightarrow M$ and         |
| 51 | concretization function $C: M \rightarrow I$ , such that they form a refinement      |
| 52 | <b>relation</b> over some property $P$ (roughly, $P(c(l(i))) = P(i)$ ) between their |
| 53 | pair of types $M$ and $I$ .                                                          |
| 54 |                                                                                      |
| 55 | Formally Refine a Semi,formal Architecture                                           |
| 56 | Specify and formally refine a semi,formal architecture.                              |
| 57 |                                                                                      |
| 58 | Product Line Engineering                                                             |
| 59 | Specify and reason about product lines of hardware, firmware, and/or                 |
| 60 | software systems.                                                                    |
| 61 |                                                                                      |
| 62 | Reason about Products                                                                |
| 63 | Reason about products derived from product lines, particularly                       |
| 64 | automatically generated CPUs and SoCs.                                               |
| 65 |                                                                                      |
| 66 | Reason about Non,Behavioral Properties                                               |
| 67 | Reason about non,behavioral properties of models or implementations,                 |
| 68 | such as security proofs of cryptographic algorithms and protocols,                   |
| 69 | safety and progress properties of concurrent or distributed systems,                 |
| 70 | information leakage properties of embedded systems and hardware                      |
| 71 | designs.                                                                             |
| 72 |                                                                                      |
| 73 | Configure Product Line                                                               |
| 74 | Make feature selections in a feature model in order to specify the                   |
| 75 | subset of products from a product line that are of interest.                         |
| 76 |                                                                                      |
| 77 | Fully Configure Product Line                                                         |
| 78 | Configure a feature model until no open choices exist, thereby                       |
| 79 | creating a fully configured feature model that specifies a single                    |
| 80 | product.                                                                             |

# Appendix B

## Lobot Model

Listing B.1: Lobot-Model of RTS.

```
1  -- title: Reactor Trip System high-assurance demonstrator.
2  -- project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
3  -- copyright (C) 2021 Galois
4  -- author: Joe Kiniry <jkiniry@galois.com>
5
6  nat : kind of int where self >= 0
7
8  -- Our development platforms for running the RTS demonstrator in a
9  -- fully virtualized (Twin) mode. If we choose to target a real RV32,
10 -- then we will be running on the bare metal.
11
12 type virtualized_platform_runtime =
13   { Posix, RV32_bare_metal, None }
14
15 -- The developer boards we have to choose from. We are using the
16 -- ECP-5 5G 85F variant of the Lattice Semiconductor dev board, and if
17 -- we choose to put the demonstrator on a real RV32, we will likely
18 -- use the Vega board.
19
20 type dev_board =
21   { Virtual, LFE5UM5G_85F_EVN, RV32M1_VEGA, None }
22
23 -- The ECP-5 FPGA comes in several flavors. We are using the 5G
24 -- variant for this project. Other variants should be able to use the
25 -- exact same build chain.
26
27 type fpga =
28   { ECP5, ECP5_5G }
29
30 -- We can assign an assurance level of every sub-component of the
31 -- system. This definition is made here to provide an enumeration of
32 -- assurance levels which we will assign/update later as assurance
33 -- work goes on.
34
35 type assurance_level =
36   { None, Low, Medium, High }
37
38 -- Every subsystem and the system overall is realized either by a
39 -- physical component (e.g., a real sensor, actuator, or FPGA) or a
40 -- "Digital Twin", which is a simulation/emulation of the component in
41 -- question.
42
```

```

43 type twin_or_physical =
44   { Twin, Physical }
45
46 -- Twins come in different fidelity levels.
47
48 -- "Perfect" fidelity means that our simulator/emulation is capable of
49 -- executing the actual software/hardware of the system, subsystem, or
50 -- component in such detail that all requirements can be validated or
51 -- verified in the twin as accurately as in the physical realization.
52
53 -- "High" fidelity means that we are executing the actual
54 -- software/hardware in question in a simulator or emulator that
55 -- replicates most, but not all, of the underlying functionality and
56 -- behavior of the device in question. For example, a cycle-accurate
57 -- Verilog simulator is high-fidelity, but is not "Perfect" fidelity
58 -- if we are concerned about EM side-channels.
59
60 -- A "Medium" fidelity twin also executes the actual
61 -- software/hardware, but elides non-behavioral properties that are
62 -- critical to fulfilling all system requirements. A hardware virtual
63 -- platform (VP) or an event-based Verilog simulator or emulator are
64 -- two examples of medium-fidelity digital twin environments.
65
66 -- A "Low" fidelity twin is an executable model that is usually fully
67 -- decoupled from the implementation. In order for the model to be
68 -- refinement-consistent with regards to more concrete models or the
69 -- software/hardware implementation, all measurable properties of the
70 -- model which relate to system requirements must hold through the
71 -- refinement.
72
73 type twin_fidelity =
74   { Low, Medium, High, Perfect }
75
76 -- We use three different C compilers for (cross-)compilation.
77 type compiler =
78   { GCC, Clang, CompCert }
79
80 -- We target three different ISAs in software compilation because our
81 -- development platforms for the POSIX-based virtual platform is
82 -- either ARM or X86-based and the SoC digital twin and deployment
83 -- platform are RISC-V-based.
84 type isa =
85   { ARM, X86, RV32 }
86
87 -- The feature model of the RTS demonstrator itself.
88
89 -- The cost of a demonstrator is expressed in U.S. dollars and is
90 -- based upon the value of the board plus all physical devices that
91 -- are attached. A purely virtualized RTS demonstrator has zero
92 -- hardware cost.
93
94 rts : kind of struct
95   with -- Which development board is being used?
96     board : dev_board
97     -- How much does the hardware for this demonstrator cost in USD?
98     cost : nat
99     -- What level of assurance does the demonstrator have overall?
100    assurance : assurance_level
101    -- Is the FPGA being twinned via a Verilog simulator/emulator?
102    soc : twin_or_physical
103    -- Is the first temperature sensor a twin or physically present?
104    ts1 : twin_or_physical
105    -- Is the second temperature sensor a twin or physically present?
106    ts2 : twin_or_physical
107    -- Is the first pressure sensor a twin or physically present?
108    ps1 : twin_or_physical

```

```

109   -- Is the second pressure sensor a twin or physically present?
110   ps2 : twin_or_physical
111   -- Is the first actuator a twin or physically present?
112   sa1 : twin_or_physical
113   -- Is the second actuator a twin or physically present?
114   sa2 : twin_or_physical
115   -- Which C compiler is used to (cross-)compile the software?
116   comp : compiler
117   -- Which ISA is the compiler (cross-)compiling to?
118   target : isa
119   -- Are all devices twins?
120   all_devices_twins : bool
121   -- Should sensors be simulated?
122   simulate_sensors : bool
123   -- Should we use parallel execution?
124   parallel_execution : bool
125   -- Compile with automatic self-test mode enabled?
126   self_test_enabled : bool
127   -- Compile with debugging options?
128   debug : bool
129   -- Is this instance of the RTS fully virtualized and running only in software?
130   virtualized_platform_rt : bool
131   -- What development platform is being used to run this fully virtualized twin?
132   rt : virtualized_platform_runtime
133
134 where
135   cost = 0 | cost = 100 | cost = 200
136   all_devices_twins <=> ((ts1 = Twin) & (ts2 = Twin) & (ps1 = Twin) & (ps2 = Twin) & (sa1 =
137     → Twin) & (sa2 = Twin))
138   (soc = Twin) => all_devices_twins
139   virtualized_platform_rt <=> ((soc = Twin) & (board = RV32M1_VEGA) & (rt = None)) ^ ((soc
140     → = Twin) & (board = None))
141   -- @todo kiniry Add appropriate constraints for the comp and isa features.
142   virtualized_rts_configs : kind_of_rts
143   where all_devices_twins = true & cost = 0 & board = None & virtualized_platform_rt = true
144   -- Virtualized builds do not need a development board.
145   check_twin_build_configs : check
146   on c : virtualized_rts_configs
147   that c.board = None

```

## Appendix C

# FRET Specification

Listing C.1: RTS requirements from FRET.

```
1 [,
2 {
3     "reqid" : "ACTUATION_ACTUATOR_0",
4     "parent_reqid" : "",
5     "rationale" :"RFP function 5,6\n",
6     "fulltext" :"RTS shall always satisfy\n (Auto_Actuate_0_Actuator_0 | Auto_Actuate_1
    ↪ _Actuator_0 | UI_Manual_Actuate_Actuator_0)\n = Actuate_Actuator_0\n",
7     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
8 },
9 {
10    "reqid" : "ACTUATION_ACTUATOR_1",
11    "parent_reqid" : "",
12    "rationale" :"RFP function 5,6\n",
13    "fulltext" :"RTS shall always satisfy\n (Auto_Actuate_0_Actuator_1 | Auto_Actuate_1
    ↪ _Actuator_1 | UI_Manual_Actuate_Actuator_1)\n = Actuate_Actuator_1\n",
14    "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
15 },
16 {
17     "reqid" : "ACTUATION_AUTO_LOGIC_0_ACTUATOR_0",
18     "parent_reqid" :"ACTUATION_ACTUATOR_0",
19     "rationale" :"RFP function 4,5,RFP actuation logic architecture\n",
20     "fulltext" :"RTS shall always satisfy if (Coincidence_0_T | Coincidence_0_P) then
    ↪ Auto_Actuate_0_Actuator_0\n",
21     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
22 },
23 {
24     "reqid" : "ACTUATION_AUTO_LOGIC_0_ACTUATOR_1",
25     "parent_reqid" :"ACTUATION_ACTUATOR_1",
26     "rationale" :"RFP function 4,5,RFP actuation logic architecture\n",
27     "fulltext" :"RTS shall always satisfy if Coincidence_0_S then Auto_Actuate_0_Actuator_1",
28     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
29 },
30 {
31     "reqid" : "COINCIDENCE_LOGIC_0_T",
32     "parent_reqid" :"ACTUATION_AUTO_LOGIC_0_ACTUATOR_0",
33     "rationale" :"RFP function 4",
```

```

34      "fulltext" :"RTS shall always satisfy\n ((Trip_T_0 & Trip_T_1)\n | ((Trip_T_0 | Trip_T_1)
35          → & (Trip_T_2 | Trip_T_3))\n | (Trip_T_2 & Trip_T_3))\n = Coincidence_0_T\n",
36      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
37          → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
38          → time points between (and including) the trigger and the end of the interval."
39  },
40  {
41      "reqid" :"COINCIDENCE_LOGIC_0_P",
42      "parent_reqid" :"ACTUATION_AUTO_LOGIC_0_ACTUATOR_0",
43      "rationale" :"RFP function 4",
44      "fulltext" :"RTS shall always satisfy\n ((Trip_P_0 & Trip_P_1)\n | ((Trip_P_0 | Trip_P_1)
45          → & (Trip_P_2 | Trip_P_3))\n | (Trip_P_2 & Trip_P_3))\n = Coincidence_0_P\n",
46      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
47          → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
48          → time points between (and including) the trigger and the end of the interval."
49  },
50  {
51      "reqid" :"COINCIDENCE_LOGIC_0_S",
52      "parent_reqid" :"ACTUATION_AUTO_LOGIC_0_ACTUATOR_1",
53      "rationale" :"RFP function 4",
54      "fulltext" :"RTS shall always satisfy\n ((Trip_S_0 & Trip_S_1)\n | ((Trip_S_0 | Trip_S_1)
55          → & (Trip_S_2 | Trip_S_3))\n | (Trip_S_2 & Trip_S_3))\n = Coincidence_0_S\n",
56      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
57          → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
58          → time points between (and including) the trigger and the end of the interval."
59  },
60  {
61      "reqid" :"ACTUATION_AUTO_LOGIC_1_ACTUATOR_0",
62      "parent_reqid" :"ACTUATION_ACTUATOR_0",
63      "rationale" :"RFP function 4,5,RFP actuation logic architecture\n",
64      "fulltext" :"RTS shall always satisfy if (Coincidence_1_T | Coincidence_1_P) then
65          → Auto_Actuate_1_Actuator_0\n",
66      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
67          → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
68          → time points between (and including) the trigger and the end of the interval."
69  },
70  {
71      "reqid" :"COINCIDENCE_LOGIC_1_T",
72      "parent_reqid" :"ACTUATION_AUTO_LOGIC_1_ACTUATOR_0",
73      "rationale" :"RFP function 4",
74      "fulltext" :"RTS shall always satisfy\n ((Trip_T_0 & Trip_T_1)\n | ((Trip_T_0 | Trip_T_1)
75          → & (Trip_T_2 | Trip_T_3))\n | (Trip_T_2 & Trip_T_3))\n = Coincidence_1_T\n",
76      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
77          → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
78          → time points between (and including) the trigger and the end of the interval."
79  },
80  {
81      "reqid" :"COINCIDENCE_LOGIC_1_P",
82      "parent_reqid" :"ACTUATION_AUTO_LOGIC_1_ACTUATOR_1",

```

```

82      "rationale" :"RFP function 4",
83      "fulltext" :"RTS shall always satisfy\n ((Trip_S_0 & Trip_S_1)\n | ((Trip_S_0 | Trip_S_1)
84          ↪ & (Trip_S_2 | Trip_S_3))\n | (Trip_S_2 & Trip_S_3))\n = Coincidence_1_S\n",
85      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
86          ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
87          ↪ time points between (and including) the trigger and the end of the interval."
88      },
89      {
90          "reqid" :"INSTRUMENTATION_0_T_TRIP",
91          "parent_reqid" :"",
92          "rationale" :"RFP function 1,2,3,9\n",
93          "fulltext" :"When\n (!Bypass_T_0 & (T_0 > Setpoint_T_0))\nRTS shall always satisfy
94              ↪ Trip_T_0\n",
95          "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
96              ↪ first point in the interval if <b><i>(( ! Bypass_T_0 & ( T_0 > Setpoint_T_0 ) )
97              ↪ </i></b> is true and any point in the interval where <b><i>(( ! Bypass_T_0 &
98                  ↪ T_0 > Setpoint_T_0 ) )</i></b> becomes true (from false).\nREQUIRES: for every
99                  ↪ trigger, RES must hold at all time points between (and including) the trigger
100                 ↪ and the end of the interval."
101     },
102     {
103         "reqid" :"INSTRUMENTATION_0_T_TRIP_UI",
104         "parent_reqid" :"",
105         "rationale" :"RFP function 12",
106         "fulltext" :"RTS shall always satisfy UI_Trip_T_0_Display = Trip_T_0\n",
107         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
108             ↪ first point in the interval if <b><i>(( ! Bypass_P_0 & ( P_0 > Setpoint_P_0 ) )
109             ↪ </i></b> is true and any point in the interval where <b><i>(( ! Bypass_P_0 &
110                 ↪ P_0 > Setpoint_P_0 ) )</i></b> becomes true (from false).\nREQUIRES: for every
111                 ↪ trigger, RES must hold at all time points between (and including) the trigger
112                 ↪ and the end of the interval."
113     },
114     {
115         "reqid" :"INSTRUMENTATION_0_P_TRIP",
116         "parent_reqid" :"",
117         "rationale" :"RFP function 12",
118         "fulltext" :"RTS shall always satisfy UI_Trip_P_0_Display = Trip_P_0\n",
119         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
120             ↪ first point in the interval if <b><i>(( ! Bypass_S_0 & ( S_0 < Setpoint_S_0 ) )
121             ↪ </i></b> is true and any point in the interval where <b><i>(( ! Bypass_S_0 &
122                 ↪ S_0 < Setpoint_S_0 ) )</i></b> becomes true (from false).\nREQUIRES: for every
123                 ↪ trigger, RES must hold at all time points between (and including) the trigger
124                 ↪ and the end of the interval."
125     },
126     {
127         "reqid" :"INSTRUMENTATION_0_S_TRIP",
128         "parent_reqid" :"",
129         "rationale" :"RFP function 12",

```

```

125      "fulltext" :"RTS shall always satisfy UI_Trip_S_0_Display = Trip_S_0\n",
126      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
127          → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
128          → time points between (and including) the trigger and the end of the interval."
129      },
130      {
131          "reqid" :"INSTRUMENTATION_1_T_TRIP",
132          "parent_reqid" :"",
133          "rationale" :"RFP function 1,2,3,9\n",
134          "fulltext" :"When\n (!Bypass_T_1 & ( T_1 > Setpoint_T_1 ))\nRTS shall always satisfy
135              → Trip_T_1\n",
136          "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
137              → first point in the interval if <b><i>(( ! Bypass_T_1 & ( T_1 > Setpoint_T_1 ) ))
138              → </i></b> is true and any point in the interval where <b><i>(( ! Bypass_T_1 & (
139                  → T_1 > Setpoint_T_1 ) ))</i></b> becomes true (from false).\nREQUIRES: for every
140                  → trigger, RES must hold at all time points between (and including) the trigger
141                  → and the end of the interval."
142      },
143      {
144          "reqid" :"INSTRUMENTATION_1_T_TRIP_UI",
145          "parent_reqid" :"",
146          "rationale" :"RFP function 12",
147          "fulltext" :"RTS shall always satisfy UI_Trip_T_1_Display = Trip_T_1\n",
148          "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
149              → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
150              → time points between (and including) the trigger and the end of the interval."
151      },
152      {
153          "reqid" :"INSTRUMENTATION_1_P_TRIP",
154          "parent_reqid" :"",
155          "rationale" :"RFP function 1,2,3,9\n",
156          "fulltext" :"When\n (!Bypass_P_1 & ( P_1 > Setpoint_P_1 ))\nRTS shall always satisfy
157              → Trip_P_1\n",
158          "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
159              → first point in the interval if <b><i>(( ! Bypass_P_1 & ( P_1 > Setpoint_P_1 ) ))
160              → </i></b> is true and any point in the interval where <b><i>(( ! Bypass_P_1 & (
161                  → P_1 > Setpoint_P_1 ) ))</i></b> becomes true (from false).\nREQUIRES: for every
162                  → trigger, RES must hold at all time points between (and including) the trigger
163                  → and the end of the interval."
164      },
165      {
166          "reqid" :"INSTRUMENTATION_1_P_TRIP_UI",
167          "parent_reqid" :"",
168          "rationale" :"RFP function 12",
169          "fulltext" :"RTS shall always satisfy UI_Trip_P_1_Display = Trip_P_1\n",

```

```

168     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
169         → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
170             → time points between (and including) the trigger and the end of the interval."
171     },
172     {
173         "reqid" :"INSTRUMENTATION_2_T_TRIP",
174         "parent_reqid" :"",
175         "rationale" :"RFP function 1,2,3,9\n",
176         "fulltext" :"When\n (!Bypass_T_2 & ( T_2 > Setpoint_T_2 ))\nRTS shall always satisfy
177             → Trip_T_2\n",
178         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
179             → first point in the interval if <b><i>(( ! Bypass_T_2 & ( T_2 > Setpoint_T_2 )) )
180                 → </i></b> is true and any point in the interval where <b><i>(( ! Bypass_T_2 & (
181                     → T_2 > Setpoint_T_2 ))</i></b> becomes true (from false).\nREQUIRES: for every
182                     → trigger, RES must hold at all time points between (and including) the trigger
183                         → and the end of the interval."
184     },
185     {
186         "reqid" :"INSTRUMENTATION_2_T_TRIP_UI",
187         "parent_reqid" :"",
188         "rationale" :"RFP function 12",
189         "fulltext" :"RTS shall always satisfy UI_Trip_T_2_Display = Trip_T_2\n",
190         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
191             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
192                 → time points between (and including) the trigger and the end of the interval."
193     },
194     {
195         "reqid" :"INSTRUMENTATION_2_P_TRIP",
196         "parent_reqid" :"",
197         "rationale" :"RFP function 1,2,3,9\n",
198         "fulltext" :"When\n (!Bypass_P_2 & ( P_2 > Setpoint_P_2 ))\nRTS shall always satisfy
199             → Trip_P_2\n",
200         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
201             → first point in the interval if <b><i>(( ! Bypass_P_2 & ( P_2 > Setpoint_P_2 )) )
202                 → </i></b> is true and any point in the interval where <b><i>(( ! Bypass_P_2 & (
203                     → P_2 > Setpoint_P_2 ))</i></b> becomes true (from false).\nREQUIRES: for every
204                     → trigger, RES must hold at all time points between (and including) the trigger
205                         → and the end of the interval."
206     },
207     {
208         "reqid" :"INSTRUMENTATION_2_P_TRIP_UI",
209         "parent_reqid" :"",
210         "rationale" :"RFP function 12",
211         "fulltext" :"RTS shall always satisfy UI_Trip_P_2_Display = Trip_P_2\n",
212         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
213             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

```

```

211     },
212     {
213         "reqid" : "INSTRUMENTATION_3_T_TRIP",
214         "parent_reqid" : "",
215         "rationale" :"RFP function 1,2,3,9\n",
216         "fulltext" :"When\n( !Bypass_T_3 & ( T_3 > Setpoint_T_3 ))\nRTS shall always satisfy
217             ↳ Trip_T_3\n",
218         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
219             ↳ first point in the interval if <b><i>(( ! Bypass_T_3 & ( T_3 > Setpoint_T_3 )) )
220             ↳ </i></b> is true and any point in the interval where <b><i>(( ! Bypass_T_3 & (
221             ↳ T_3 > Setpoint_T_3 ))</i></b> becomes true (from false).\nREQUIRES: for every
222             ↳ trigger, RES must hold at all time points between (and including) the trigger
223             ↳ and the end of the interval."
224     },
225     {
226         "reqid" : "INSTRUMENTATION_3_T_TRIP_UI",
227         "parent_reqid" : "",
228         "rationale" :"RFP function 12",
229         "fulltext" :"RTS shall always satisfy UI_Trip_T_3_Display = Trip_T_3\n",
230         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
231             ↳ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
232             ↳ time points between (and including) the trigger and the end of the interval."
233     },
234     {
235         "reqid" : "INSTRUMENTATION_3_P_TRIP",
236         "parent_reqid" : "",
237         "rationale" :"RFP function 1,2,3,9\n",
238         "fulltext" :"When\n( !Bypass_P_3 & ( P_3 > Setpoint_P_3 ))\nRTS shall always satisfy
239             ↳ Trip_P_3\n",
240         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
241             ↳ first point in the interval if <b><i>(( ! Bypass_P_3 & ( P_3 > Setpoint_P_3 )) )
242             ↳ </i></b> is true and any point in the interval where <b><i>(( ! Bypass_P_3 & (
243             ↳ P_3 > Setpoint_P_3 ))</i></b> becomes true (from false).\nREQUIRES: for every
244             ↳ trigger, RES must hold at all time points between (and including) the trigger
245             ↳ and the end of the interval."
246     },
247     {
248         "reqid" : "INSTRUMENTATION_3_P_TRIP_UI",
249         "parent_reqid" : "",
250         "rationale" :"RFP function 12",
251         "fulltext" :"RTS shall always satisfy UI_Trip_P_3_Display = Trip_P_3\n",
252         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
253             ↳ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
254             ↳ time points between (and including) the trigger and the end of the interval."

```

```

254  {
255      "reqid" : "INSTRUMENTATION_0_BYPASS_T_Display",
256      "parent_reqid" : "",
257      "rationale" :"RFP function 13",
258      "fulltext" :"RTS shall always satisfy UI_Bypass_T_0_Display = Bypass_T_0\n",
259      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
260          → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
261          → time points between (and including) the trigger and the end of the interval."
262  },
263  {
264      "reqid" : "INSTRUMENTATION_0_BYPASS_T",
265      "parent_reqid" : "",
266      "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
267          → channel (this requirement sets the system value from the UI)\n",
268      "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_0\n then (UI_Bypass_T_0) =
269          → Bypass_T_0)\n",
270      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
271          → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
272          → time points between (and including) the trigger and the end of the interval."
273  },
274  {
275      "reqid" : "CONST_INSTRUMENTATION_0_NO_BYPASS_T",
276      "parent_reqid" : "INSTRUMENTATION_0_BYPASS_T",
277      "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
278          → channel (this requirement does not allow bypass to turn on during normal
279          → operation)\n",
280      "fulltext" :"When !UI_Maintenance_0 & !Bypass_T_0 RTS shall, until UI_Maintenance_0 &
281          → UI_Bypass_T_0, satisfy\n !Bypass_T_0\n",
282      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
283          → first point in the interval if <b><i>(! UI_Maintenance_0 & ! Bypass_T_0)</i></b>
284          → is true and any point in the interval where <b><i>(! UI_Maintenance_0 &
285          → Bypass_T_0)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
286          → must remain true until (but not necessarily including) the point where the stop
287          → condition holds, or to the end of the interval. If the stop condition never
288          → occurs, RES must hold until the end of the scope, or forever. If the stop
289          → condition holds at the trigger, the requirement is satisfied."
290  },
291  {
292      "reqid" : "INSTRUMENTATION_0_BYPASS_P_Display",
293      "parent_reqid" : "",
294      "rationale" :"RFP function 13",
295      "fulltext" :"RTS shall always satisfy UI_Bypass_P_0_Display = Bypass_P_0\n",
296      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
297          → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
298          → time points between (and including) the trigger and the end of the interval."
299  },
300  {
301      "reqid" : "INSTRUMENTATION_0_BYPASS_P",
302      "parent_reqid" : "",
303      "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
304          → channel (this requirement sets the system value from the UI)\n",

```

```

293     "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_0\n then (UI_Bypass_P_0) =  

294         → Bypass_P_0)\n",  

294     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

295         → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all  

296         → time points between (and including) the trigger and the end of the interval."  

295     },  

296     {  

297         "reqid" :"CONST_INSTRUMENTATION_0_NO_BYPASS_P",  

298         "parent_reqid" :"INSTRUMENTATION_0_BYPASS_P",  

299         "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument  

299             → channel (this requirement does not allow bypass to turn on during normal  

299             → operation)\n",  

300         "fulltext" :"When !UI_Maintenance_0 & !Bypass_P_0 RTS shall, until UI_Maintenance_0 &  

300             → UI_Bypass_P_0, satisfy\n !Bypass_P_0\n",  

301         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

301             → first point in the interval if <b><i>(! UI_Maintenance_0 & ! Bypass_P_0)</i></b>  

302             → is true and any point in the interval where <b><i>(! UI_Maintenance_0 & !  

302             → Bypass_P_0)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES  

303             → must remain true until (but not necessarily including) the point where the stop  

303             → condition holds, or to the end of the interval. If the stop condition never  

303             → occurs, RES must hold until the end of the scope, or forever. If the stop  

303             → condition holds at the trigger, the requirement is satisfied."  

302     },  

303     {  

304         "reqid" :"CONST_INSTRUMENTATION_0_BYPASS_P",  

305         "parent_reqid" :"INSTRUMENTATION_0_BYPASS_P",  

306         "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument  

306             → channel (this requirement does not allow bypass to turn off during normal  

306             → operation)\n",  

307         "fulltext" :"When !UI_Maintenance_0 & Bypass_P_0 RTS shall, until UI_Maintenance_0 & !  

307             → UI_Bypass_P_0, satisfy\n Bypass_P_0\n",  

308         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

308             → first point in the interval if <b><i>(! UI_Maintenance_0 & Bypass_P_0)</i></b>  

309             → is true and any point in the interval where <b><i>(! UI_Maintenance_0 &  

309             → Bypass_P_0)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES  

310             → must remain true until (but not necessarily including) the point where the stop  

310             → condition holds, or to the end of the interval. If the stop condition never  

310             → occurs, RES must hold until the end of the scope, or forever. If the stop  

310             → condition holds at the trigger, the requirement is satisfied."  

309     },  

310     {  

311         "reqid" :"INSTRUMENTATION_UI_T_0",  

312         "parent_reqid" :"",  

313         "rationale" :"RFP function 11",  

314         "fulltext" :"RTS shall always satisfy T_0 = UI_T_0_Display",  

315         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

315             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all  

315             → time points between (and including) the trigger and the end of the interval."  

316     },  

317     {  

318         "reqid" :"INSTRUMENTATION_0_SETPOINT_T",  

319         "parent_reqid" :"",  

320         "rationale" :"RFP function 8",  

321         "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_0 then Setpoint_T_0 =  

321             → UI_Setpoint_T_0\n",  

322         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

322             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all  

322             → time points between (and including) the trigger and the end of the interval."  

323     },  

324     {  

325         "reqid" :"INSTRUMENTATION_0_MANUAL_TRIP_T",  

326         "parent_reqid" :"",  

327         "rationale" :"RFP function 10",  

328         "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_0 & UI_Manual_Trip_T_0 then  

328             → Trip_T_0\n",  

329         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

329             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all  

329             → time points between (and including) the trigger and the end of the interval."  


```

```

330 },
331 },
332 "reqid" :"INSTRUMENTATION_UI_P_0",
333 "parent_reqid" :"",
334 "rationale" :"RFP function 11",
335 "fulltext" :"RTS shall always satisfy P_0 = UI_P_0_Display",
336 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    → time points between (and including) the trigger and the end of the interval."
337 },
338 },
339 "reqid" :"INSTRUMENTATION_0_SETPOINT_P",
340 "parent_reqid" :"",
341 "rationale" :"RFP function 8",
342 "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_0 then Setpoint_P_0 =
    → UI_Setpoint_P_0\n",
343 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    → time points between (and including) the trigger and the end of the interval."
344 },
345 },
346 "reqid" :"INSTRUMENTATION_0_MANUAL_TRIP_P",
347 "parent_reqid" :"",
348 "rationale" :"RFP function 10",
349 "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_0 & UI_Manual_Trip_P_0 then
    → Trip_P_0\n",
350 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    → time points between (and including) the trigger and the end of the interval."
351 },
352 },
353 "reqid" :"INSTRUMENTATION_UI_S_0",
354 "parent_reqid" :"",
355 "rationale" :"RFP function 11",
356 "fulltext" :"RTS shall always satisfy S_0 = UI_S_0_Display",
357 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    → time points between (and including) the trigger and the end of the interval."
358 },
359 },
360 "reqid" :"INSTRUMENTATION_0_SETPOINT_S",
361 "parent_reqid" :"",
362 "rationale" :"RFP function 8",
363 "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_0 then Setpoint_S_0 =
    → UI_Setpoint_S_0\n",
364 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    → time points between (and including) the trigger and the end of the interval."
365 },
366 },
367 "reqid" :"INSTRUMENTATION_0_MANUAL_TRIP_S",
368 "parent_reqid" :"",
369 "rationale" :"RFP function 10",
370 "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_0 & UI_Manual_Trip_S_0 then
    → Trip_S_0\n",
371 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    → time points between (and including) the trigger and the end of the interval."
372 },
373 },
374 "reqid" :"INSTRUMENTATION_1_BYPASS_T_Display",
375 "parent_reqid" :"",
376 "rationale" :"RFP function 13",
377 "fulltext" :"RTS shall always satisfy UI_Bypass_T_1_Display = Bypass_T_1\n",
378 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    → time points between (and including) the trigger and the end of the interval."
379 },

```

```

380  {
381    "reqid" : "INSTRUMENTATION_1_BYPASS_T",
382    "parent_reqid" : "",
383    "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
384      → channel (this requirement sets the system value from the UI)\n",
385    "fulltext" : "RTS shall always satisfy\n if UI_Maintenance_1\n then (UI_Bypass_T_1) =
386      → Bypass_T_1)\n",
387    "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
388      → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
389      → time points between (and including) the trigger and the end of the interval."
390  },
391  {
392    "reqid" : "CONST_INSTRUMENTATION_1_NO_BYPASS_T",
393    "parent_reqid" : "INSTRUMENTATION_1_BYPASS_T",
394    "rationale" : "RFP function 9:configure in maintenance mode to bypass an instrument
395      → channel (this requirement does not allow bypass to turn on during normal
396      → operation)\n",
397    "fulltext" : "When !UI_Maintenance_1 & !Bypass_T_1 RTS shall, until UI_Maintenance_1 &
398      → UI_Bypass_T_1, satisfy\n !Bypass_T_1\n",
399    "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
400      → first point in the interval if <b><i>(! UI_Maintenance_1 & ! Bypass_T_1)</i></b>
401      → is true and any point in the interval where <b><i>(! UI_Maintenance_1 &
402      → Bypass_T_1)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
403      → must remain true until (but not necessarily including) the point where the stop
404      → condition holds, or to the end of the interval. If the stop condition never
405      → occurs, RES must hold until the end of the scope, or forever. If the stop
406      → condition holds at the trigger, the requirement is satisfied."
407  },
408  {
409    "reqid" : "INSTRUMENTATION_1_BYPASS_P_Display",
410    "parent_reqid" : "",
411    "rationale" : "RFP function 13",
412    "fulltext" : "RTS shall always satisfy UI_Bypass_P_1_Display = Bypass_P_1\n",
413    "description" : "ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
414      → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
415      → time points between (and including) the trigger and the end of the interval."
416  },
417  {
418    "reqid" : "CONST_INSTRUMENTATION_1_NO_BYPASS_P",
419    "parent_reqid" : "INSTRUMENTATION_1_BYPASS_P",

```

```

418     "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
419         → channel (this requirement does not allow bypass to turn on during normal
420         → operation)\n",
421     "fulltext" :"When !UI_Maintenance_1 & !Bypass_P_1 RTS shall, until UI_Maintenance_1 &
422         → UI_Bypass_P_1, satisfy\n!Bypass_P_1\n",
423     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
424         → first point in the interval if <b><i>(! UI_Maintenance_1 & ! Bypass_P_1)</i></b>
425         → is true and any point in the interval where <b><i>(! UI_Maintenance_1 &
426             → Bypass_P_1)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
427             → must remain true until (but not necessarily including) the point where the stop
428             → condition holds, or to the end of the interval. If the stop condition never
429             → occurs, RES must hold until the end of the scope, or forever. If the stop
430             → condition holds at the trigger, the requirement is satisfied."
431     },
432     {
433         "reqid" :"CONST_INSTRUMENTATION_1_BYPASS_P",
434         "parent_reqid" :"INSTRUMENTATION_1_BYPASS_P",
435         "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
436             → channel (this requirement does not allow bypass to turn off during normal
437             → operation)\n",
438         "fulltext" :"When !UI_Maintenance_1 & Bypass_P_1 RTS shall, until UI_Maintenance_1 & !
439             → UI_Bypass_P_1, satisfy\n Bypass_P_1\n",
440         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
441             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
442             → time points between (and including) the trigger and the end of the interval."
443     },
444     {
445         "reqid" :"INSTRUMENTATION_1_SETPOINT_T",
446         "parent_reqid" :"",
447         "rationale" :"RFP function 11",
448         "fulltext" :"RTS shall always satisfy T_1 = UI_T_1_Display",
449         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
450             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
451             → time points between (and including) the trigger and the end of the interval."
452     },
453     {
454         "reqid" :"INSTRUMENTATION_1_MANUAL_TRIP_T",
455         "parent_reqid" :"",
456         "rationale" :"RFP function 10",
457         "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_1 then Setpoint_T_1 =
458             → UI_Setpoint_T_1\n",
459         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
460             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
461             → time points between (and including) the trigger and the end of the interval."
462     },
463     {
464         "reqid" :"INSTRUMENTATION_1_P_1",
465         "parent_reqid" :"",
466         "rationale" :"RFP function 11",
467         "fulltext" :"RTS shall always satisfy P_1 = UI_P_1_Display",
468         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
469             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
470             → time points between (and including) the trigger and the end of the interval."

```

```

456 },
457 },
458 "reqid" :"INSTRUMENTATION_1_SETPOINT_P",
459 "parent_reqid" :"",
460 "rationale" :"RFP function 8",
461 "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_1 then Setpoint_P_1 =
    ↪ UI_Setpoint_P_1\n",
462 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
463 },
464 },
465 "reqid" :"INSTRUMENTATION_1_MANUAL_TRIP_P",
466 "parent_reqid" :"",
467 "rationale" :"RFP function 10",
468 "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_1 & UI_Manual_Trip_P_1 then
    ↪ Trip_P_1\n",
469 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
470 },
471 },
472 "reqid" :"INSTRUMENTATION_UI_S_1",
473 "parent_reqid" :"",
474 "rationale" :"RFP function 11",
475 "fulltext" :"RTS shall always satisfy S_1 = UI_S_1_Display",
476 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
477 },
478 },
479 "reqid" :"INSTRUMENTATION_1_SETPOINT_S",
480 "parent_reqid" :"",
481 "rationale" :"RFP function 8",
482 "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_1 then Setpoint_S_1 =
    ↪ UI_Setpoint_S_1\n",
483 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
484 },
485 },
486 "reqid" :"INSTRUMENTATION_1_MANUAL_TRIP_S",
487 "parent_reqid" :"",
488 "rationale" :"RFP function 10",
489 "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_1 & UI_Manual_Trip_S_1 then
    ↪ Trip_S_1\n",
490 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
491 },
492 },
493 "reqid" :"INSTRUMENTATION_2_BYPASS_T_Display",
494 "parent_reqid" :"",
495 "rationale" :"RFP function 13",
496 "fulltext" :"RTS shall always satisfy UI_Bypass_T_2_Display = Bypass_T_2\n",
497 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
498 },
499 },
500 "reqid" :"INSTRUMENTATION_2_BYPASS_T",
501 "parent_reqid" :"",
502 "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
    ↪ channel (this requirement sets the system value from the UI)\n",
503 "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_2\n then (UI_Bypass_T_2) =
    ↪ Bypass_T_2)\n",
504 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

```

```

      ↪ time points between (and including) the trigger and the end of the interval."
505 },
506 {
507   "reqid" : "CONST_INSTRUMENTATION_2_NO_BYPASS_T",
508   "parent_reqid" :"INSTRUMENTATION_2_BYPASS_T",
509   "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
      ↪ channel (this requirement does not allow bypass to turn on during normal
      ↪ operation)\n",
510   "fulltext" :"When !UI_Maintenance_2 & !Bypass_T_2 RTS shall, until UI_Maintenance_2 &
      ↪ UI_Bypass_T_2, satisfy\n!Bypass_T_2\n",
511   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      ↪ first point in the interval if <b><i>(! UI_Maintenance_2 & ! Bypass_T_2)</i></b>
      ↪ is true and any point in the interval where <b><i>(! UI_Maintenance_2 & !
      ↪ Bypass_T_2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
      ↪ must remain true until (but not necessarily including) the point where the stop
      ↪ condition holds, or to the end of the interval. If the stop condition never
      ↪ occurs, RES must hold until the end of the scope, or forever. If the stop
      ↪ condition holds at the trigger, the requirement is satisfied."
512 },
513 {
514   "reqid" : "CONST_INSTRUMENTATION_2_BYPASS_T",
515   "parent_reqid" :"INSTRUMENTATION_2_BYPASS_T",
516   "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
      ↪ channel (this requirement does not allow bypass to turn off during normal
      ↪ operation)\n",
517   "fulltext" :"When !UI_Maintenance_2 & Bypass_T_2 RTS shall, until UI_Maintenance_2 & !
      ↪ UI_Bypass_T_2, satisfy\nBypass_T_2\n",
518   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      ↪ first point in the interval if <b><i>(! UI_Maintenance_2 & Bypass_T_2)</i></b>
      ↪ is true and any point in the interval where <b><i>(! UI_Maintenance_2 &
      ↪ Bypass_T_2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
      ↪ must remain true until (but not necessarily including) the point where the stop
      ↪ condition holds, or to the end of the interval. If the stop condition never
      ↪ occurs, RES must hold until the end of the scope, or forever. If the stop
      ↪ condition holds at the trigger, the requirement is satisfied."
519 },
520 {
521   "reqid" : "INSTRUMENTATION_2_BYPASS_P_Display",
522   "parent_reqid" :"",
523   "rationale" :"RFP function 13",
524   "fulltext" :"RTS shall always satisfy UI_Bypass_P_2_Display = Bypass_P_2\n",
525   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
      ↪ time points between (and including) the trigger and the end of the interval."
526 },
527 {
528   "reqid" : "INSTRUMENTATION_2_BYPASS_P",
529   "parent_reqid" :"",
530   "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
      ↪ channel (this requirement sets the system value from the UI)\n",
531   "fulltext" :"RTS shall always satisfy\nif UI_Maintenance_2\nthen (UI_Bypass_P_2) =
      ↪ Bypass_P_2)\n",
532   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
      ↪ time points between (and including) the trigger and the end of the interval."
533 },
534 {
535   "reqid" : "CONST_INSTRUMENTATION_2_NO_BYPASS_P",
536   "parent_reqid" :"INSTRUMENTATION_2_BYPASS_P",
537   "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
      ↪ channel (this requirement does not allow bypass to turn on during normal
      ↪ operation)\n",
538   "fulltext" :"When !UI_Maintenance_2 & !Bypass_P_2 RTS shall, until UI_Maintenance_2 &
      ↪ UI_Bypass_P_2, satisfy\n!Bypass_P_2\n",
539   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      ↪ first point in the interval if <b><i>(! UI_Maintenance_2 & ! Bypass_P_2)</i></b>
      ↪ is true and any point in the interval where <b><i>(! UI_Maintenance_2 & !
      ↪ Bypass_P_2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES

```

```

    → must remain true until (but not necessarily including) the point where the stop
    → condition holds, or to the end of the interval. If the stop condition never
    → occurs, RES must hold until the end of the scope, or forever. If the stop
    → condition holds at the trigger, the requirement is satisfied."
540 },
541 {
542   "reqid" : "CONST_INSTRUMENTATION_2_BYPASS_P",
543   "parent_reqid" : "INSTRUMENTATION_2_BYPASS_P",
544   "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
      → channel (this requirement does not allow bypass to turn off during normal
      → operation)\n",
545   "fulltext" :"When UI_Maintenance_2 & Bypass_P_2 RTS shall, until UI_Maintenance_2 & !
      → UI_Bypass_P_2, satisfy\n Bypass_P_2\n",
546   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      → first point in the interval if <b><i>(! UI_Maintenance_2 & Bypass_P_2)</i></b>
      → is true and any point in the interval where <b><i>(! UI_Maintenance_2 &
      → Bypass_P_2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
      → must remain true until (but not necessarily including) the point where the stop
      → condition holds, or to the end of the interval. If the stop condition never
      → occurs, RES must hold until the end of the scope, or forever. If the stop
      → condition holds at the trigger, the requirement is satisfied."
547 },
548 {
549   "reqid" : "INSTRUMENTATION_UI_T_2",
550   "parent_reqid" : "",
551   "rationale" :"RFP function 11",
552   "fulltext" :"RTS shall always satisfy T_2 = UI_T_2_Display",
553   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
      → time points between (and including) the trigger and the end of the interval."
554 },
555 {
556   "reqid" : "INSTRUMENTATION_2_SETPOINT_T",
557   "parent_reqid" : "",
558   "rationale" :"RFP function 8",
559   "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_2 then Setpoint_T_2 =
      → UI_Setpoint_T_2\n",
560   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
      → time points between (and including) the trigger and the end of the interval."
561 },
562 {
563   "reqid" : "INSTRUMENTATION_2_MANUAL_TRIP_T",
564   "parent_reqid" : "",
565   "rationale" :"RFP function 10",
566   "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_2 & UI_Manual_Trip_T_2 then
      → Trip_T_2\n",
567   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
      → time points between (and including) the trigger and the end of the interval."
568 },
569 {
570   "reqid" : "INSTRUMENTATION_UI_P_2",
571   "parent_reqid" : "",
572   "rationale" :"RFP function 11",
573   "fulltext" :"RTS shall always satisfy P_2 = UI_P_2_Display",
574   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
      → time points between (and including) the trigger and the end of the interval."
575 },
576 {
577   "reqid" : "INSTRUMENTATION_2_SETPOINT_P",
578   "parent_reqid" : "",
579   "rationale" :"RFP function 8",
580   "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_2 then Setpoint_P_2 =
      → UI_Setpoint_P_2\n",
581   "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
      → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all

```

```

        ↪ time points between (and including) the trigger and the end of the interval."
582 },
583 {
584     "reqid" : "INSTRUMENTATION_2_MANUAL_TRIP_P",
585     "parent_reqid" : "",
586     "rationale" :"RFP function 10",
587     "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_2 & UI_Manual_Trip_P_2 then
        ↪ Trip_P_2\n",
588     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
        ↪ time points between (and including) the trigger and the end of the interval."
589 },
590 {
591     "reqid" : "INSTRUMENTATION_UI_S_2",
592     "parent_reqid" : "",
593     "rationale" :"RFP function 11",
594     "fulltext" :"RTS shall always satisfy S_2 = UI_S_2_Display",
595     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
        ↪ time points between (and including) the trigger and the end of the interval."
596 },
597 {
598     "reqid" : "INSTRUMENTATION_2_SETPOINT_S",
599     "parent_reqid" : "",
600     "rationale" :"RFP function 8",
601     "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_2 then Setpoint_S_2 =
        ↪ UI_Setpoint_S_2\n",
602     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
        ↪ time points between (and including) the trigger and the end of the interval."
603 },
604 {
605     "reqid" : "INSTRUMENTATION_2_MANUAL_TRIP_S",
606     "parent_reqid" : "",
607     "rationale" :"RFP function 10",
608     "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_2 & UI_Manual_Trip_S_2 then
        ↪ Trip_S_2\n",
609     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
        ↪ time points between (and including) the trigger and the end of the interval."
610 },
611 {
612     "reqid" : "INSTRUMENTATION_3_BYPASS_T_Display",
613     "parent_reqid" : "",
614     "rationale" :"RFP function 13",
615     "fulltext" :"RTS shall always satisfy UI_Bypass_T_3_Display = Bypass_T_3\n",
616     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
        ↪ time points between (and including) the trigger and the end of the interval."
617 },
618 {
619     "reqid" : "INSTRUMENTATION_3_BYPASS_T",
620     "parent_reqid" : "",
621     "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
        ↪ channel (this requirement sets the system value from the UI)\n",
622     "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_3\n then (UI_Bypass_T_3) =
        ↪ Bypass_T_3)\n",
623     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
        ↪ time points between (and including) the trigger and the end of the interval."
624 },
625 {
626     "reqid" : "CONST_INSTRUMENTATION_3_NO_BYPASS_T",
627     "parent_reqid" : "INSTRUMENTATION_3_BYPASS_T",
628     "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
        ↪ channel (this requirement does not allow bypass to turn on during normal
        ↪ operation)\n",

```

```

629   "fulltext" :"When !UI_Maintenance_3 & !Bypass_T_3 RTS shall, until UI_Maintenance_3 &
630     ↪ UI_Bypass_T_3, satisfy\n !Bypass_T_3\n",
631   },
632   {
633     "reqid" :"CONST_INSTRUMENTATION_3_BYPASS_T",
634     "parent_reqid" :"INSTRUMENTATION_3_BYPASS_T",
635     "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
636       ↪ channel (this requirement does not allow bypass to turn off during normal
637         ↪ operation)\n",
638   },
639   {
640     "reqid" :"INSTRUMENTATION_3_BYPASS_P_Display",
641     "parent_reqid" :"",
642     "rationale" :"RFP function 13",
643     "fulltext" :"RTS shall always satisfy UI_Bypass_P_3_Display = Bypass_P_3\n",
644     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
645       ↪ first point in the interval if <b><i>(! UI_Maintenance_3 & Bypass_T_3)</i></b>
646       ↪ is true and any point in the interval where <b><i>(! UI_Maintenance_3 &
647         ↪ Bypass_T_3)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
648       ↪ must remain true until (but not necessarily including) the point where the stop
649       ↪ condition holds, or to the end of the interval. If the stop condition never
650       ↪ occurs, RES must hold until the end of the scope, or forever. If the stop
651       ↪ condition holds at the trigger, the requirement is satisfied."
652   },
653   {
654     "reqid" :"INSTRUMENTATION_3_BYPASS_P",
655     "parent_reqid" :"",
656     "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
657       ↪ channel (this requirement sets the system value from the UI)\n",
658     "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_3\n then (UI_Bypass_P_3) =
659       ↪ Bypass_P_3)\n",
660     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
661       ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
662       ↪ time points between (and including) the trigger and the end of the interval."
663   },
664   {
665     "reqid" :"CONST_INSTRUMENTATION_3_NO_BYPASS_P",
666     "parent_reqid" :"INSTRUMENTATION_3_BYPASS_P",
667     "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
668       ↪ channel (this requirement does not allow bypass to turn on during normal
669         ↪ operation)\n",
670     "fulltext" :"When !UI_Maintenance_3 & !Bypass_P_3 RTS shall, until UI_Maintenance_3 &
671       ↪ UI_Bypass_P_3, satisfy\n !Bypass_P_3\n",
672     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
673       ↪ first point in the interval if <b><i>(! UI_Maintenance_3 & ! Bypass_P_3)</i></b>
674       ↪ is true and any point in the interval where <b><i>(! UI_Maintenance_3 &
675         ↪ Bypass_P_3)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
676       ↪ must remain true until (but not necessarily including) the point where the stop
677       ↪ condition holds, or to the end of the interval. If the stop condition never
678       ↪ occurs, RES must hold until the end of the scope, or forever. If the stop
679       ↪ condition holds at the trigger, the requirement is satisfied."
680   },
681   {
682     "reqid" :"CONST_INSTRUMENTATION_3_BYPASS_P",
683     "parent_reqid" :"INSTRUMENTATION_3_BYPASS_P",

```

```

663     "rationale" :"RFP function 9:configure in maintenance mode to bypass an instrument
664         → channel (this requirement does not allow bypass to turn off during normal
665         → operation)\n",
666     "fulltext" :"When !UI_Maintenance_3 & Bypass_P_3 RTS shall, until UI_Maintenance_3 & !
667         → UI_Bypass_P_3, satisfy\n Bypass_P_3\n",
668     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
669         → first point in the interval if <b><i>(! UI_Maintenance_3 & Bypass_P_3)</i></b>
670         → is true and any point in the interval where <b><i>(! UI_Maintenance_3 &
671             → Bypass_P_3)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES
672             → must remain true until (but not necessarily including) the point where the stop
673             → condition holds, or to the end of the interval. If the stop condition never
674             → occurs, RES must hold until the end of the scope, or forever. If the stop
675             → condition holds at the trigger, the requirement is satisfied."
676     },
677     {
678         "reqid" :"INSTRUMENTATION_UI_T_3",
679         "parent_reqid" :"",
680         "rationale" :"RFP function 11",
681         "fulltext" :"RTS shall always satisfy T_3 = UI_T_3_Display",
682         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
683             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
684             → time points between (and including) the trigger and the end of the interval."
685     },
686     {
687         "reqid" :"INSTRUMENTATION_3_SETPOINT_T",
688         "parent_reqid" :"",
689         "rationale" :"RFP function 8",
690         "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_3 then Setpoint_T_3 =
691             → UI_Setpoint_T_3\n",
692         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
693             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
694             → time points between (and including) the trigger and the end of the interval."
695     },
696     {
697         "reqid" :"INSTRUMENTATION_3_MANUAL_TRIP_T",
698         "parent_reqid" :"",
699         "rationale" :"RFP function 10",
700         "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_3 & UI_Manual_Trip_T_3 then
701             → Trip_T_3\n",
702         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
703             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
704             → time points between (and including) the trigger and the end of the interval."
705     },
706     {
707         "reqid" :"INSTRUMENTATION_3_SETPOINT_P",
708         "parent_reqid" :"",
709         "rationale" :"RFP function 8",
710         "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_3 then Setpoint_P_3 =
711             → UI_Setpoint_P_3\n",
712         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
713             → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
714             → time points between (and including) the trigger and the end of the interval."
715     },
716     {
717         "reqid" :"INSTRUMENTATION_3_MANUAL_TRIP_P",
718         "parent_reqid" :"",
719         "rationale" :"RFP function 10",
720         "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_3 & UI_Manual_Trip_P_3 then
721             → Trip_P_3\n",

```

```

707     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
708         ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
709         ↪ time points between (and including) the trigger and the end of the interval."
710     },
711     {
712         "reqid" :"INSTRUMENTATION_UI_S_3",
713         "parent_reqid" :"",
714         "rationale" :"RFP function 11",
715         "fulltext" :"RTS shall always satisfy S_3 = UI_S_3_Display",
716         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
717             ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
718             ↪ time points between (and including) the trigger and the end of the interval."
719     },
720     {
721         "reqid" :"INSTRUMENTATION_3_SETPOINT_S",
722         "parent_reqid" :"",
723         "rationale" :"RFP function 8",
724         "fulltext" :"RTS shall always satisfy\n if UI_Maintenance_3 then Setpoint_S_3 =
725             ↪ UI_Setpoint_S_3\n",
726         "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
727             ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
728             ↪ time points between (and including) the trigger and the end of the interval."
729     },
730 ]

```

---

Listing C.2: Requirements from FRET.

```

1 [
2 {
3     "reqid" :"INSTRUMENTATION_SET_MANUAL_TRIP_TEMPERATURE",
4     "parent_reqid" :"INSTRUMENTATION_TRIP_TEMPERATURE",
5     "rationale" :"RFP [10]",
6     "fulltext" :"Upon MAINTENANCE & TEMPERATURE_MODE = 2Instrumentation shall, until
6         ↪ MAINTENANCE & !(TEMPERATURE_MODE = 2), satisfy TRIP_TEMPERATURE",
7     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
7         ↪ first point in the interval if <b><i>(MAINTENANCE & TEMPERATURE_MODE = 2)</i></b>
7         ↪ > is true and any point in the interval where <b><i>(MAINTENANCE &
7         ↪ TEMPERATURE_MODE = 2)</i></b> becomes true (from false).\nREQUIRES: for every
7         ↪ trigger, RES must remain true until (but not necessarily including) the point
7         ↪ where the stop condition holds, or to the end of the interval. If the stop
7         ↪ condition never occurs, RES must hold until the end of the scope, or forever. If
7         ↪ the stop condition holds at the trigger, the requirement is satisfied."
8 },
9 {
10     "reqid" :"INSTRUMENTATION_SENSOR_TRIP_PRESSURE",
11     "parent_reqid" :"INSTRUMENTATION_TRIP_PRESSURE",
12     "rationale" :"RFP [11]",
13     "fulltext" :"Upon MAINTENANCE & PRESSURE_MODE = 1Instrumentation shall, until MAINTENANCE
13         ↪ & !(PRESSURE_MODE = 1), satisfy (if SENSOR_PRESSURE > SETPOINT_PRESSURE then
13             ↪ TRIP_PRESSURE) & (if TRIP_PRESSURE then SENSOR_PRESSURE > SETPOINT_PRESSURE)",
14     "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
14         ↪ first point in the interval if <b><i>(MAINTENANCE & PRESSURE_MODE = 1)</i></b>
14         ↪ is true and any point in the interval where <b><i>(MAINTENANCE & PRESSURE_MODE =
14         ↪ 1)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES must
14         ↪ remain true until (but not necessarily including) the point where the stop
14         ↪ condition holds, or to the end of the interval. If the stop condition never
14         ↪ occurs, RES must hold until the end of the scope, or forever. If the stop

```

```

        ↪ condition holds at the trigger, the requirement is satisfied."
15    },
16    {
17      "reqid" : "INSTRUMENTATION_SET_SETPOINT_PRESSURE",
18      "parent_reqid" :"INSTRUMENTATION_TRIP_PRESSURE",
19      "rationale" :"RFP [8]",
20      "fulltext" :"Upon (MAINTENANCE & SET_SETPOINT_PRESSURE) Instrumentation shall, until
        ↪ MAINTENANCE & SET_SETPOINT_PRESSURE, satisfy SETPOINT_PRESSURE =
        ↪ INPUT_SETPOINT_PRESSURE",
21      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval if <b><i>(( MAINTENANCE & SET_SETPOINT_PRESSURE ))</i></b>
        ↪ is true and any point in the interval where <b><i>(( MAINTENANCE &
        ↪ SET_SETPOINT_PRESSURE ))</i></b> becomes true (from false).\nREQUIRES: for every
        ↪ trigger, RES must remain true until (but not necessarily including) the point
        ↪ where the stop condition holds, or to the end of the interval. If the stop
        ↪ condition never occurs, RES must hold until the end of the scope, or forever. If
        ↪ the stop condition holds at the trigger, the requirement is satisfied."
22    },
23    {
24      "reqid" : "INSTRUMENTATION_SENSOR_TRIP_SATURATION",
25      "parent_reqid" :"INSTRUMENTATION_TRIP_SATURATION",
26      "rationale" :"RFP [3]",
27      "fulltext" :"Upon MAINTENANCE & SATURATION_MODE = 1Instrumentation shall, until
        ↪ MAINTENANCE & !(SATURATION_MODE = 1) satisfy (if SATURATION_FUNCTION_VALUE <
        ↪ SETPOINT_SATURATION then TRIP_SATURATION) & (if TRIP_SATURATION then
        ↪ SATURATION_FUNCTION_VALUE < SETPOINT_SATURATION)",
28      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval if <b><i>(MAINTENANCE & SATURATION_MODE = 1)</i></b>
        ↪ is true and any point in the interval where <b><i>(MAINTENANCE &
        ↪ SATURATION_MODE = 1)</i></b> becomes true (from false).\nREQUIRES: for every
        ↪ trigger, RES must remain true until (but not necessarily including) the point
        ↪ where the stop condition holds, or to the end of the interval. If the stop
        ↪ condition never occurs, RES must hold until the end of the scope, or forever. If
        ↪ the stop condition holds at the trigger, the requirement is satisfied."
29    },
30    {
31      "reqid" : "INSTRUMENTATION_SET_MANUAL_TRIP_PRESSURE",
32      "parent_reqid" :"INSTRUMENTATION_TRIP_PRESSURE",
33      "rationale" :"RFP [10]",
34      "fulltext" :"Upon MAINTENANCE & PRESSURE_MODE = 2Instrumentation shall, until MAINTENANCE
        ↪ & !(PRESSURE_MODE = 2), satisfy TRIP_PRESSURE",
35      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval if <b><i>(MAINTENANCE & PRESSURE_MODE = 2)</i></b>
        ↪ is true and any point in the interval where <b><i>(MAINTENANCE & PRESSURE_MODE =
        ↪ 2)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES must
        ↪ remain true until (but not necessarily including) the point where the stop
        ↪ condition holds, or to the end of the interval. If the stop condition never
        ↪ occurs, RES must hold until the end of the scope, or forever. If the stop
        ↪ condition holds at the trigger, the requirement is satisfied."
36    },
37    {
38      "reqid" : "INSTRUMENTATION_SET_BYPASS_SATURATION",
39      "parent_reqid" :"INSTRUMENTATION_TRIP_SATURATION",
40      "rationale" :"",
41      "fulltext" :"Upon MAINTENANCE & SATURATION_MODE = 0Instrumentation shall, until
        ↪ MAINTENANCE & !(SATURATION_MODE = 0), satisfy !TRIP_SATURATION",
42      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        ↪ first point in the interval if <b><i>(MAINTENANCE & SATURATION_MODE = 0)</i></b>
        ↪ is true and any point in the interval where <b><i>(MAINTENANCE &
        ↪ SATURATION_MODE = 0)</i></b> becomes true (from false).\nREQUIRES: for every
        ↪ trigger, RES must remain true until (but not necessarily including) the point
        ↪ where the stop condition holds, or to the end of the interval. If the stop
        ↪ condition never occurs, RES must hold until the end of the scope, or forever. If
        ↪ the stop condition holds at the trigger, the requirement is satisfied."
43    },
44    {
45      "reqid" : "ACTUATION_LOGIC_DEVICE_0",
46      "parent_reqid" :"",

```

```

47      "rationale" :"RFP [5,6]",  

48      "fulltext" :"Actuation_Logic shall always satisfy ((VOTE_ACTUATE_DEVICE_0 |  

49      ↳ MANUAL_ACTUATE_DEVICE_0) => ACTUATE_DEVICE_0) & (ACTUATE_DEVICE_0 => (  

49      ↳ VOTE_ACTUATE_DEVICE_0 | MANUAL_ACTUATE_DEVICE_0))",  

49      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

49      ↳ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all  

49      ↳ time points between (and including) the trigger and the end of the interval."  

50    },  

51  },  

52  {  

52      "reqid" :"INSTRUMENTATION_SET_SETPONT_SATURATION",  

53      "parent_reqid" :"INSTRUMENTATION_TRIP_SATURATION",  

54      "rationale" :"RFP [8]",  

55      "fulltext" :"Upon (MAINTENANCE & SET_SETPONT_SATURATION) Instrumentation shall, until  

55      ↳ MAINTENANCE & SET_SETPONT_SATURATION, satisfy SETPOINT_SATURATION =  

55      ↳ INPUT_SETPONT_SATURATION",  

56      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

56      ↳ first point in the interval if <b><i>(( MAINTENANCE & SET_SETPONT_SATURATION ))  

56      ↳ </i></b> is true and any point in the interval where <b><i>(( MAINTENANCE &  

56      ↳ SET_SETPONT_SATURATION ))</i></b> becomes true (from false).\nREQUIRES: for  

56      ↳ every trigger, RES must remain true until (but not necessarily including) the  

56      ↳ point where the stop condition holds, or to the end of the interval. If the stop  

56      ↳ condition never occurs, RES must hold until the end of the scope, or forever.  

56      ↳ If the stop condition holds at the trigger, the requirement is satisfied."  

57    },  

58  },  

59  {  

59      "reqid" :"INSTRUMENTATION_SET_BYPASS_PRESSURE",  

60      "parent_reqid" :"INSTRUMENTATION_TRIP_PRESSURE",  

61      "rationale" :"RFP [9]",  

62      "fulltext" :"Upon MAINTENANCE & PRESSURE_MODE = 0Instrumentation shall, until MAINTENANCE  

62      ↳ & !(PRESSURE_MODE = 0), satisfy !TRIP_PRESSURE",  

63      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

63      ↳ first point in the interval if <b><i>(MAINTENANCE & PRESSURE_MODE = 0)</i></b>  

63      ↳ is true and any point in the interval where <b><i>(MAINTENANCE & PRESSURE_MODE =  

63      ↳ 0)</i></b> becomes true (from false).\nREQUIRES: for every trigger, RES must  

63      ↳ remain true until (but not necessarily including) the point where the stop  

63      ↳ condition holds, or to the end of the interval. If the stop condition never  

63      ↳ occurs, RES must hold until the end of the scope, or forever. If the stop  

63      ↳ condition holds at the trigger, the requirement is satisfied."  

64    },  

65  },  

66  {  

66      "reqid" :"INSTRUMENTATION_SET_MANUAL_TRIP_SATURATION",  

67      "parent_reqid" :"INSTRUMENTATION_TRIP_SATURATION",  

68      "rationale" :"RFP [10]",  

69      "fulltext" :"Upon MAINTENANCE & SATURATION_MODE = 2Instrumentation shall, until  

69      ↳ MAINTENANCE & !(SATURATION_MODE = 2), satisfy TRIP_SATURATION",  

70      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

70      ↳ first point in the interval if <b><i>(MAINTENANCE & SATURATION_MODE = 2)</i></b>  

70      ↳ is true and any point in the interval where <b><i>(MAINTENANCE &  

70      ↳ SATURATION_MODE = 2)</i></b> becomes true (from false).\nREQUIRES: for every  

70      ↳ trigger, RES must remain true until (but not necessarily including) the point  

70      ↳ where the stop condition holds, or to the end of the interval. If the stop  

70      ↳ condition never occurs, RES must hold until the end of the scope, or forever. If  

70      ↳ the stop condition holds at the trigger, the requirement is satisfied."  

71    },  

72  },  

73  {  

73      "reqid" :"ACTUATION_LOGIC_VOTE_TEMPERATURE",  

74      "parent_reqid" :"ACTUATION_LOGIC_VOTE_DEVICE_0",  

75      "rationale" :"RFP Actuation Logic Architecture, [2,4]",  

76      "fulltext" :"Actuation_Logic shall always satisfy (((TRIP_TEMPERATURE_0 &  

76      ↳ TRIP_TEMPERATURE_1) | ((TRIP_TEMPERATURE_0 | TRIP_TEMPERATURE_1) & (  

76      ↳ TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3)) | (TRIP_TEMPERATURE_2 &  

76      ↳ TRIP_TEMPERATURE_3)) => VOTE_TRIP_TEMPERATURE) & (VOTE_TRIP_TEMPERATURE => ((  

76      ↳ TRIP_TEMPERATURE_0 & TRIP_TEMPERATURE_1) | ((TRIP_TEMPERATURE_0 |  

76      ↳ TRIP_TEMPERATURE_1) & (TRIP_TEMPERATURE_2 | TRIP_TEMPERATURE_3)) | (  

76      ↳ TRIP_TEMPERATURE_2 & TRIP_TEMPERATURE_3)))",  

77      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:  

77      ↳ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all  

77      ↳ time points between (and including) the trigger and the end of the interval."  


```

```

78 },
79 },
80 "reqid" :"ACTUATION_LOGIC_DEVICE_1",
81 "parent_reqid" :"",
82 "rationale" :"RFP [5,6]",
83 "fulltext" :"Actuation_Logic shall always satisfy (VOTE_ACTUATE_DEVICE_1 |
84     --> MANUAL_ACTUATE_DEVICE_1 => ACTUATE_DEVICE_1) & (ACTUATE_DEVICE_1 =>
85     --> VOTE_ACTUATE_DEVICE_1 | MANUAL_ACTUATE_DEVICE_1)",
86 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
87     --> first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
88     --> time points between (and including) the trigger and the end of the interval."
89 },
90 },
91 "reqid" :"ACTUATION_LOGIC_VOTE_PRESSURE",
92 "parent_reqid" :"ACTUATION_LOGIC_VOTE_DEVICE_0",
93 "rationale" :"RFP Actuation Logic Architecture, [1,4]",
94 "fulltext" :"Actuation_Logic shall always satisfy (IF ((TRIP_PRESSURE_0 & TRIP_PRESSURE_1
95     --> ) | (( TRIP_PRESSURE_0 | TRIP_PRESSURE_1) & (TRIP_PRESSURE_2 | TRIP_PRESSURE_3))
96     --> | (TRIP_PRESSURE_2 & TRIP_PRESSURE_3)) THEN VOTE_TRIP_PRESSURE) & (IF
97     --> VOTE_TRIP_PRESSURE THEN ((TRIP_PRESSURE_0 & TRIP_PRESSURE_1) | (( TRIP_PRESSURE_
98     --> 0 | TRIP_PRESSURE_1) & (TRIP_PRESSURE_2 | TRIP_PRESSURE_3)) | (TRIP_PRESSURE_2 &
99     --> TRIP_PRESSURE_3)))",
100 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
101     --> first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
102     --> time points between (and including) the trigger and the end of the interval."
103 },
104 },
105 "reqid" :"INSTRUMENTATION_TRIP_TEMPERATURE",
106 "parent_reqid" :"",
107 "rationale" :"RFP [3,10]",
108 "fulltext" :"Instrumentation shall always satisfy true",
109 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
110     --> first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
111     --> time points between (and including) the trigger and the end of the interval."
112 },
113 },
114 },
115 "reqid" :"INSTRUMENTATION_RESET",
116 "parent_reqid" :"",
117 "rationale" :"RFP [3,10]",
118 "fulltext" :"AFTER RESET Instrumentation shall immediately satisfy (MAINTENANCE &
119     --> PRESSURE_TRIP_MODE = 0& TEMPERATURE_TRIP_MODE = 0& SATURATION_TRIP_MODE = 0)",
120 "description" :"ENFORCED: in the interval (if defined) starting strictly after the first
121     --> <b><i>RESET</i></b> interval and spanning to the end of the execution.\nTRIGGER:
122     --> first point in the interval.\nREQUIRES: for every trigger, if trigger holds
123     --> then RES also holds at the same time point."
124 },
125 },
126 "reqid" :"INSTRUMENTATION_TRIP_SATURATION",
127 "parent_reqid" :"",
128 "rationale" :"RFP [2,10]",
129 "fulltext" :"Instrumentation shall always satisfy true",
130 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
131     --> first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
132     --> time points between (and including) the trigger and the end of the interval."
133 },
134 },
135 "reqid" :"CORE_UI_INSTRUMENTATION",
136 "parent_reqid" :"",
137 "rationale" :"RFP [11,12,13]",
138 "fulltext" :"Core shall always satisfy forAll_instr_i & INSTRUMENTATION_i_PRESSURE =
139     --> UI_i_PRESSURE & INSTRUMENTATION_i_TEMPERATURE = UI_i_TEMPERATURE &
140     --> INSTRUMENTATION_i_SATURATION = UI_i_SATURATION &
141     --> INSTRUMENTATION_i_BYPASS_PRESSURE = UI_i_BYPASS_PRESSURE &
142     --> INSTRUMENTATION_i_BYPASS_TEMPERATURE = UI_i_BYPASS_TEMPERATURE &
143     --> INSTRUMENTATION_i_TRIP_PRESSURE = UI_i_TRIP_PRESSURE &
144     --> INSTRUMENTATION_i_TRIP_TEMPERATURE = UI_i_TRIP_TEMPERATURE &
145     --> INSTRUMENTATION_i_TRIP_SATURATION = UI_i_TRIP_SATURATION",
146 "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:

```

```

        → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
        → time points between (and including) the trigger and the end of the interval."
120    },
121    {
122      "reqid" :"SELF_TEST",
123      "parent_reqid" :"",
124      "rationale" :"",
125      "fulltext" :"Upon TEST_FAIL Core shall always satisfy OUTPUT_TEST_FAIL",
126      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        → first point in the interval if <b><i>(TEST_FAIL)</i></b> is true and any point
        → in the interval where <b><i>(TEST_FAIL)</i></b> becomes true (from false).\n
        → nREQUIRES: for every trigger, RES must hold at all time points between (and
        → including) the trigger and the end of the interval."
127    },
128    {
129      "reqid" :"INSTRUMENTATION_SET_Maintenance",
130      "parent_reqid" :"",
131      "rationale" :"RFP [7]",
132      "fulltext" :"Upon SET_Maintenance Instrumentation shall, until UNSET_Maintenance, satisfy
        → MAINTENANCE",
133      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        → first point in the interval if <b><i>(SET_Maintenance)</i></b> is true and any
        → point in the interval where <b><i>(SET_Maintenance)</i></b> becomes true (from
        → false).\nREQUIRES: for every trigger, RES must remain true until (but not
        → necessarily including) the point where the stop condition holds, or to the end
        → of the interval. If the stop condition never occurs, RES must hold until the end
        → of the scope, or forever. If the stop condition holds at the trigger, the
        → requirement is satisfied."
134    },
135    {
136      "reqid" :"ACTUATION_LOGIC_MANUAL_DEVICE_0",
137      "parent_reqid" :"ACTUATION_LOGIC_DEVICE_0",
138      "rationale" :"RFP 6",
139      "fulltext" :"Upon SET_MANUAL_ACTUATE_DEVICE_0 Actuation_Logic shall, until
        → UNSET_MANUAL_ACTUATE_DEVICE_0, satisfy MANUAL_ACTUATE_DEVICE_0",
140      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        → first point in the interval if <b><i>(SET_MANUAL_ACTUATE_DEVICE_0)</i></b> is
        → true and any point in the interval where <b><i>(SET_MANUAL_ACTUATE_DEVICE_0)</i></b>
        → becomes true (from false).\nREQUIRES: for every trigger, RES must remain
        → true until (but not necessarily including) the point where the stop condition
        → holds, or to the end of the interval. If the stop condition never occurs, RES
        → must hold until the end of the scope, or forever. If the stop condition holds at
        → the trigger, the requirement is satisfied."
141    },
142    {
143      "reqid" :"ACTUATION_LOGIC_VOTE_SATURATION",
144      "parent_reqid" :"ACTUATION_LOGIC_VOTE_DEVICE_1",
145      "rationale" :"RFP Actuation Logic Architecture, [3,4]",
146      "fulltext" :"Actuation_Logic shall always satisfy (((TRIP_SATURATION_0 & TRIP_SATURATION_
        → 1) | ((TRIP_SATURATION_0 | TRIP_SATURATION_1) & (TRIP_SATURATION_2 |
        → TRIP_SATURATION_3)) | (TRIP_SATURATION_2 & TRIP_SATURATION_3)) =>
        → VOTE_TRIP_SATURATION) & (VOTE_TRIP_SATURATION => ((TRIP_SATURATION_0 &
        → TRIP_SATURATION_1) | ((TRIP_SATURATION_0 | TRIP_SATURATION_1) & (
        → TRIP_SATURATION_2 | TRIP_SATURATION_3)) | (TRIP_SATURATION_2 & TRIP_SATURATION_3
        → )))",
147      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        → first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
        → time points between (and including) the trigger and the end of the interval."
148    },
149    {
150      "reqid" :"ACTUATION_LOGIC_MANUAL_DEVICE_1",
151      "parent_reqid" :"ACTUATION_LOGIC_DEVICE_1",
152      "rationale" :"RFP 6",
153      "fulltext" :"Upon SET_MANUAL_ACTUATE_DEVICE_1 Actuation_Logic shall, until
        → UNSET_MANUAL_ACTUATE_DEVICE_1, satisfy MANUAL_ACTUATE_DEVICE_1",
154      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
        → first point in the interval if <b><i>(SET_MANUAL_ACTUATE_DEVICE_1)</i></b> is
        → true and any point in the interval where <b><i>(SET_MANUAL_ACTUATE_DEVICE_1)</i>
```

```

    ↪ ></b> becomes true (from false). \nREQUIRES: for every trigger, RES must remain
    ↪ true until (but not necessarily including) the point where the stop condition
    ↪ holds, or to the end of the interval. If the stop condition never occurs, RES
    ↪ must hold until the end of the scope, or forever. If the stop condition holds at
    ↪ the trigger, the requirement is satisfied."
155  },
156  {
157      "reqid" : "ACTUATION_LOGIC_VOTE_DEVICE_1",
158      "parent_reqid" : "ACTUATION_LOGIC_DEVICE_1",
159      "rationale" :"RFP 5",
160      "fulltext" :"Upon VOTE_TRIP_SATURATION Actuation_Lo
gic shall always satisfy
    ↪ VOTE_ACTUATE_DEVICE_1",
161      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval if <b><i>(VOTE_TRIP_SATURATION)</i></b> is true and
    ↪ any point in the interval where <b><i>(VOTE_TRIP_SATURATION)</i></b> becomes
    ↪ true (from false). \nREQUIRES: for every trigger, RES must hold at all time
    ↪ points between (and including) the trigger and the end of the interval."
162  },
163  {
164      "reqid" : "INSTRUMENTATION_SET_BYPASS_TEMPERATURE",
165      "parent_reqid" : "INSTRUMENTATION_TRIP_TEMPERATURE",
166      "rationale" :"RFP [9]",
167      "fulltext" :"Upon MAINTENANCE & TEMPERATURE_MODE = 0Instrumentation shall, until
    ↪ MAINTENANCE & !(TEMPERATURE_MODE = 0), satisfy !TRIP_TEMPERATURE",
168      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval if <b><i>(MAINTENANCE & TEMPERATURE_MODE = 0)</i></b>
    ↪ > is true and any point in the interval where <b><i>(MAINTENANCE &
    ↪ TEMPERATURE_MODE = 0)</i></b> becomes true (from false). \nREQUIRES: for every
    ↪ trigger, RES must remain true until (but not necessarily including) the point
    ↪ where the stop condition holds, or to the end of the interval. If the stop
    ↪ condition never occurs, RES must hold until the end of the scope, or forever. If
    ↪ the stop condition holds at the trigger, the requirement is satisfied."
169  },
170  {
171      "reqid" : "INSTRUMENTATION_TRIP_PRESSURE",
172      "parent_reqid" :"",
173      "rationale" :"RFP [1,10]",
174      "fulltext" :"Instrumentation shall always satisfy true",
175      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval.\nREQUIRES: for every trigger, RES must hold at all
    ↪ time points between (and including) the trigger and the end of the interval."
176  },
177  {
178      "reqid" : "ACTUATION_LOGIC_VOTE_DEVICE_0",
179      "parent_reqid" : "ACTUATION_LOGIC_DEVICE_0",
180      "rationale" :"RFP 5",
181      "fulltext" :"Upon VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION Actuation_Lo
gic shall
    ↪ always satisfy VOTE_ACTUATE_DEVICE_0",
182      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval if <b><i>(VOTE_TRIP_TEMPERATURE |
    ↪ VOTE_TRIP_SATURATION)</i></b> is true and any point in the interval where <b><i>
    ↪ >(VOTE_TRIP_TEMPERATURE | VOTE_TRIP_SATURATION)</i></b> becomes true (from false
    ↪ ). \nREQUIRES: for every trigger, RES must hold at all time points between (and
    ↪ including) the trigger and the end of the interval."
183  },
184  {
185      "reqid" : "INSTRUMENTATION_SENSOR_TRIP_TEMPERATURE",
186      "parent_reqid" : "INSTRUMENTATION_TRIP_TEMPERATURE",
187      "rationale" :"RFP [21]",
188      "fulltext" :"Upon MAINTENANCE & TEMPERATURE_MODE = 1Instrumentation shall, until
    ↪ MAINTENANCE & !(TEMPERATURE_MODE = 1), satisfy (if SENSOR_TEMPERATURE >
    ↪ SETPOINT_TEMPERATURE then TRIP_TEMPERATURE) & (if TRIP_TEMPERATURE then
    ↪ SENSOR_TEMPERATURE > SETPOINT_TEMPERATURE)",
189      "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval if <b><i>(MAINTENANCE & TEMPERATURE_MODE = 1)</i></b>
    ↪ > is true and any point in the interval where <b><i>(MAINTENANCE &
    ↪ TEMPERATURE_MODE = 1)</i></b> becomes true (from false). \nREQUIRES: for every
    ↪ trigger, RES must remain true until (but not necessarily including) the point

```

```

    ↪ where the stop condition holds, or to the end of the interval. If the stop
    ↪ condition never occurs, RES must hold until the end of the scope, or forever. If
    ↪ the stop condition holds at the trigger, the requirement is satisfied."
190  },
191  {
192  "reqid" : "INSTRUMENTATION_SET_Setpoint_Temperature",
193  "parent_reqid" : "INSTRUMENTATION_Trip_Temperature",
194  "rationale" : "RFP [8]",
195  "fulltext" :"Upon (MAINTENANCE & SET_Setpoint_Temperature) Instrumentation shall, until
    ↪ MAINTENANCE & SET_Setpoint_Temperature, satisfy Setpoint_Temperature =
    ↪ INPUT_Setpoint_Temperature",
196  "description" :"ENFORCED: in the interval defined by the entire execution.\nTRIGGER:
    ↪ first point in the interval if <b><i>(( MAINTENANCE & SET_Setpoint_Temperature )
    ↪ )</i></b> is true and any point in the interval where <b><i>(( MAINTENANCE &
    ↪ SET_Setpoint_Temperature ))</i></b> becomes true (from false).\nREQUIRES: for
    ↪ every trigger, RES must remain true until (but not necessarily including) the
    ↪ point where the stop condition holds, or to the end of the interval. If the stop
    ↪ condition never occurs, RES must hold until the end of the scope, or forever.
    ↪ If the stop condition holds at the trigger, the requirement is satisfied."
197  }
198 ]

```

---

# Appendix D

## SysMLv2 Model

### D.1 Top-level SysMLv2 Architecture Specification

Listing D.1: Listing SysML Model of HARDENS.

```
1  /*
2   * Reactor Trip System (RTS) High-assurance Demonstrator
3   * ## project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
4   * ## copyright (C) 2021 Galois
5   * ## author: Joe Kiniry <kiniry@galois.com>
6   */
7
8 /**
9  * The overall shape of the Reactor Trip System (RTS) is an archetypal
10 * *sense,compute,actuate* architecture. Sensors are in the 'Sensors'
11 * subsystem. They are read by the 'Instrumentation' subsystem, which
12 * contains four separate and independent 'Instrumentation'
13 * components. The "Compute" part of the architecture is spread across
14 * the 'Actuation Logic' subsystem, which contains the two 'Voting'
15 * components which perform the actuation logic itself, and the 'Root'
16 * subsystem which contains the core computation and I/O components, and
17 * the two separate and independent devices that drive actuators.
18 */
19 package id RTS 'Reactor Trip System' { (□ RTS (line 6 on page 85), RTS (line 94 on
20     page 87))
21     private import 'Semantic Properties'::*;
22     import 'Project Glossary'::*;
23     import 'RTS Viewpoints and Views'::*;
24     import 'RTS Architecture'::*;

25
26     package id Architecture 'RTS Architecture'; (□ Architecture (line 223 on page 96),
27         Architecture (line 17 on page 85))
28     alias Arch for Architecture;
29     package id Hardware 'RTS Hardware Artifacts'; (□ Hardware (line 37 on page 89), RTS
30         Hardware Artifacts (line 1 on page 98), Hardware (line 23 on page 85),
31         Hardware (line 30 on page 91))
32     alias HW for Hardware;
33     package id Artifacts 'RTS Implementation Artifacts'; (□ Implementation (line 27 on
34         page 85), Artifacts (line 1 on page 90))
35     package id Requirements 'RTS Requirements'; (□ Requirements (line 31 on page 85))
36     package id Properties 'RTS Properties'; (□ Properties (line 35 on page 86))
37     alias Props for Properties;
```

```

34 | package id Characteristics 'IEEE Std 603,2018 Characteristics';(□ Characteristics
35 |   (line 39 on page 86))
36 |   comment TopLevelPackages about Architecture, Hardware, Properties, Characteristics
37 |   /* These are the core top-level subsystems characterizing HARDEN work. */
37 |

```

## D.2 RTS Actions

Listing D.2: Listing SysML Model of RTS\_Actions.

```

1 /**
2 * The set of all atomic external or internal actions that the RTS
3 * system can take. Note that every scenario must be describable by
4 * a sequence of actions.
5 */
6 package id Actions 'RTS Actions' {
7   package id Internal 'RTS Internal Actions' {
8     action def id IA 'Internal Action' {
9       doc /* Actions internal to the RTS */
10    }
11    action id Trip 'Signal Trip' : IA {
12      in item division;
13      in item channel;
14    }
15    action id Vote 'Vote on Like Trips using Two,out,of,four Coincidence' : IA {((□ Vote on
16      Like Trips using Two-out-of-four Coincidence (line 57 on page 92))
17      in item divisions[2];
18      in item channel;
19    }
20    action id A 'Automatically Actuate Device' : IA {((□ Automatically Actuate Device
21      (line 60 on page 93))
22      in item device;
23    }
22    action id T 'Self,test of Safety Signal Path' : IA;((□ Self-test of Safety Signal Path
23      (line 63 on page 93))
24  }
24  package id External 'RTS External Actions' {
25    package 'UI Actions' {
26      action def id UIA 'UI Action' {
27        doc /* Actions exhibited by the RTS UI, either inbound or outbound. */
28      }
29      // @design kiniry These should both be specializations of UIA, but I
30      // don't know how to write that in SysML yet.
31      action def id UI_IA 'UI Input Action';
32      action def id UI_OA 'UI Output Action';
33
34      // Input actions.
35
36      action id A Actuate : UI_IA {
37        in item actuator;
38        in item on_off;
39      }
40      action id M 'Set Maintenance Mode' : UI_IA {
41        in item division;
42        in item on_off;
43      }
44      action id B 'Set Mode' : UI_IA {
45        in item division;
46        in item trip_mode;
47      }
48      action id S 'Set Setpoint' : UI_IA {
49        in item division;
50        in item channel;

```

```

51     in item value;
52   }
53   action id V 'Sensor Value' : UI_IA {
54     doc /* Simulate a sensor reading */
55     in item division;
56     in item channel;
57     in item value;
58   }
59   action id Q 'Quit' : UI_IA;
60
61   // Output actions.
62   action id 'Display Pressure' : UI_OA; (□ Display Pressure (line 29 on page 92))
63   action id 'Display Temperature' : UI_OA; (□ Display Temperature (line 32 on
64   page 92))
65   action id 'Display Saturation Margin' : UI_OA; (□ Display Saturation Margin (line 35
66   on page 92))
67   action id 'Display Trip Output Signal State' : UI_OA;
68   action id 'Display Indication Of Channel in Bypass' : UI_OA; (□ Display Indication of
69   Channel in Bypass (line 41 on page 92))
70   action id 'Display Actuation State' : UI_OA;
71 }
72 }

```

### D.3 RTS Characteristics

Listing D.3: Listing SysML Model of RTS\_Characteristics.

```

1 /**
2 * The IEEE 603,2018 requirements (known as "characteristics" in
3 * the standard) which the RTS demonstrator system must fulfill.
4 */
5 package id Characteristics 'IEEE Std 603,2018 Characteristics' { (□ Characteristics
6   (line 39 on page 86))
7   requirement def 'Requirements Consistency' { (□ Requirements Consistency (line 40 on
8   page 102))
9   doc /* Requirements must be shown to be consistent. */
10  }
11  requirement def 'Requirements Colloquial Completeness' { (□ Requirements Colloquial
12    Completeness (line 47 on page 102))
13  doc /* The system must be shown to fulfill all requirements. */
14  }
15  requirement def 'Requirements Formal Completeness' { (□ Requirements Formal Completeness
16    (line 52 on page 103))
17  doc /* Requirements must be shown to be formally complete. */
18  }
19  requirement def 'Instrumentation Independence' { (□ Instrumentation Independence
20    (line 58 on page 103))
21  doc /* Independence among the four divisions of instrumentation (inability
22    for the behavior of one division to interfere or adversely affect the
23    performance of another). */
24  }
25  requirement def 'Channel Independence' { (□ Channel Independence (line 66 on page 103))
26  doc /* Independence among the two instrumentation channels within a division
27    (inability for the behavior of one channel to interfere or adversely
28    affect the performance of another). */
29  }
30  requirement def 'Actuation Independence' { (□ Actuation Independence (line 74 on
page 103))
31  doc /* Independence among the two trains of actuation logic (inability for
the behavior of one train to interfere or adversely affect the
performance of another). */
32  }
33  requirement def 'Actuation Correctness' { (□ Actuation Correctness (line 82 on
page 103))

```

```

31     doc /* Completion of actuation whenever coincidence logic is satisfied or
32         manual actuation is initiated. */
33 }
34 requirement def 'Self,Test/Trip Independence' { (Self-Test/Trip Independence (line 89
35     on page 103))
36     doc /* Independence between periodic self,test functions and trip functions
37         (inability for the behavior of the self,testing to interfere or
38         adversely affect the trip functions). */
39 }

```

## D.4 RTS Contexts

Listing D.4: Listing SysML Model of RTS\_Contexts.

```

1 package 'RTS System Contexts' {
2     import 'RTS Architecture'::*;
3     import 'Kiniry RTS System Architecture Draft'::*;
4
5     // This specification is meant to frame the RTS in the larger context of
6     // deployment into a Nuclear Power Plant.
7
8     // Definitions of system contexts.
9
10    // Introduce the RTS context.
11    part def 'Reactor Trip System Context';
12    alias RTSC for 'Reactor Trip System Context';
13
14    // Introduce the NPP context.
15    part def 'Nuclear Power Plant Context';
16    alias NPPC for 'Nuclear Power Plant Context';
17
18    part def 'Nuclear Power Plant Operator';
19    part def 'Nuclear Power Plant Certifier';
20
21    // Definitions of relevant connections
22    connection def 'Digital Instrumentation and Control' {
23        end: RTSC[1];
24        end: NPPC[1];
25    }
26    alias DIandC for 'Digital Instrumentation and Control';
27
28    connection def 'NPP Operation' {
29        end: 'Nuclear Power Plant Operator'[*];
30        end: DIandC[1];
31    }
32
33    connection def 'NPP Certification Authority' {
34        end: 'NPPC'[1];
35        end: 'Nuclear Power Plant Certifier'[1..*];
36    }
37 }

```

## D.5 RTS Glossary

Listing D.5: Listing SysML Model of RTS\_Glossary.

```

1 /*

```

```

2  # Reactor Trip System (RTS) High-assurance Demonstrator
3  ## project: High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS)
4  ### copyright (C) 2021,2022 Galois
5  ### author: Joe Kiniry <jkiniry@galois.com>
6  */
7
8 // @see https://github.com/GaloisInc/HARDENS/issues/30
9
10 package id Glossary 'Project Glossary' { (□ Glossary (line 1 on page 93))
11   // @design Eliminate all redundancy with concepts in KerML or SysML domain
12   // libraries.
13   private import ScalarValues:::;
14   private import KerML:::;
15
16   // Original proposal glossary.
17   part def BlueCheck; (□ BlueCheck (line 10 on page 93))
18   /** A formal, state,based specification language that focuses on the
19     specification of the interfaces of discrete modules in a system, and
20     often times includes model,based specification constructs to improve
21     usability and expressivity. */
22   abstract item def BISL 'Behavioral Interface Specification Language'; (□ BISL (line 4 on
23     page 93))
24   abstract part def Computer;
25   abstract part def Coq; (□ Coq (line 15 on page 93))
26   abstract part def Cryptol; (□ Cryptol (line 25 on page 93))
27   abstract item def DevSecOps; (□ DevSecOps (line 35 on page 93))
28   abstract item def id DIANC 'Digital Instrumentation and Control Systems'; (□ DIANDC
29     (line 43 on page 93))
30   /** The NASA Formal Requirements Elicitation Tool is used to make writing,
31     understanding, and debugging formal requirements natural and
32     intuitive. */
33   part def id FRET 'Formal Requirements Elicitation Tool'; (□ FRET (line 54 on page 94))
34   /** An Instruction Set Architecture, or ISA for short, is the set of
35     instructions that a given kind of CPU can understand. Example ISAs
36     include x86, x64, MIPS, RISC, RISC,V, AVR, etc. */
37   attribute def id ISA 'Instruction Set Architecture';
38   /** A specification language integrated with support tools and an
39     automated theorem prover, developed at the Computer Science Laboratory
40     of SRI International. PVS is based on a kernel consisting of an
41     extension of Church's theory of types with dependent types, and is
42     fundamentally a classical typed higher,order logic. */
43   part def PVS; (□ PVS (line 59 on page 94))
44   /** RISC,V (pronounced "risk,five") is an open standard instruction set
45     architecture (ISA) based on established reduced instruction set
46     computer (RISC) principles. Unlike most other ISA designs, the RISC,V
47     ISA is provided under open source licenses that do not require fees to
48     use. A number of companies are offering or have announced RISC,V
49     hardware, open source operating systems with RISC,V support are
50     available and the instruction set is supported in several popular
51     software toolchains. */
52   attribute def RISC_V_ISA :> ISA;
53   /** A formal specification language that uses hierarchical finite state
54     machines to specify system requirements. */
55   part def id RSML 'Requirements State Modeling Language'; (□ RSML (line 76 on page 94))
56   /** The Boolean satisfiability problem (sometimes called propositional
57     satisfiability problem and abbreviated SAT) is the problem of
58     determining if there exists an interpretation that satisfies a given
59     Boolean formula. */
60   abstract item def SAT; (□ SAT (line 80 on page 94))
61   /** The proof script language is used to specify the assumptions and proof
62     goals of formal verifications to the SAW tool. */
63   part def SAWscript; (□ SAWscript (line 86 on page 94))
64   /** A CPU or SoC that is implemented in an HDL and synthesized to a
65     bitstream and loaded onto an FPGA. */
66   abstract item def 'Soft Core' {
67     // size: estimated number of gates
68     // complexity: measured complexity metric

```

```

67 // hds: which HDLs are used in the design
68 }
69 /** A formally defined computer programming language based on the Ada
70    programming language, intended for the development of high integrity
71    software used in systems where predictable and highly reliable
72    operation is essential. It facilitates the development of applications
73    that demand safety, security, or business integrity. */
74 part def SPARK;(□ SPARK (line 94 on page 94))
75 /** An integrated development environment for formally specifying and
76    rigorously analyzing requirements. */
77 part def SpeAR;(□ SpeAR (line 101 on page 94))
78 /** VCC is a program verification tool that proves correctness of
79    annotated concurrent C programs or finds problems in them. VCC extends
80    C with design by contract features, like pre-, and postcondition as
81    well as type invariants. Annotated programs are translated to logical
82    formulas using the Boogie tool, which passes them to an automated SMT
83    solver Z3 to check their validity. */
84 part def id VCC 'Verifier for Concurrent C';(□ VCC (line 105 on page 94))
85 /** A software toolchain that includes static analyzers to check
86    assertions about a C program; optimizing compilers to translate a C
87    program to machine language; and operating systems and libraries to
88    supply context for the C program. The Verified Software Toolchain
89    project assures with machine-checked proofs that the assertions
90    claimed at the top of the toolchain really hold in the
91    machine-language program, running in the operating-system context. */
92 part def id VST 'Verified Software Toolchain';(□ VST (line 113 on page 95))
93
94 // Mathematical modeling concepts in RDE.
95 abstract item def Refinement:> Relationship;(□ Refinement (line 122 on page 95))
96 abstract item def Property:> BooleanExpression;(□ Property (line 124 on page 95))
97 abstract item def 'Safety Property' :> Property;(□ Safety Property (line 126 on
98 | page 95))
99 abstract item def 'Correctness Property' :> Property;(□ Correctness Property (line 129
99 | on page 95))
100 abstract item def 'Security Property' :> Property;(□ Security Property (line 132 on
100 | page 95))
101 abstract item def Model;(□ Model (line 135 on page 95))
102 abstract item def 'Semi,Formal Model' :> Model;(□ Semi-Formal Model (line 137 on
102 | page 95))
103 abstract item def 'Formal Model' :> Model;(□ Formal Model (line 140 on page 95))
104 abstract item def Consistent :> Property;(□ Consistent (line 143 on page 95))
105 abstract item def Complete :> Property;(□ Complete (line 146 on page 95))
106 abstract item def 'Consistent Model' :> Consistent, Model;(□ Consistent Model (line 149
106 | on page 95))
107 abstract item def 'Complete Model' :> Complete, Model;(□ Complete Model (line 152 on
107 | page 95))
108 abstract item def 'Consistent and Complete Model' :> 'Consistent Model', 'Complete Model';
109 abstract item def Denotational;(□ Denotational (line 173 on page 95))
110 abstract item def Operational;(□ Operational (line 175 on page 95))
111 abstract item def Semantics;(□ Semantics (line 177 on page 95))
112 /** A specification that has a precise, unambiguous, formal semantics
113    grounded in real world formal foundations and systems engineering
114    artifacts, such as source code and hardware designs. */
115 abstract item def Rigorous;(□ Rigorous (line 187 on page 96))
116 abstract item def Deterministic;(□ Deterministic (line 208 on page 96))
117 abstract item def 'Non,deterministic';(□ Non-deterministic (line 210 on page 96))
118 abstract part def id FM 'Formal Method';(□ FM (line 232 on page 96))
119
120 // Systems modeling concepts in RDE.
121 // @design Probably in KerML or SysML domain libraries.
122 abstract item def Requirement;(□ Requirement (line 155 on page 95))
123 abstract item def Scenario;(□ Scenario (line 157 on page 95))
124 abstract item def Product;(□ Product (line 159 on page 95))
125 abstract item def 'Product Line';(□ Product Line (line 161 on page 95))
126 abstract item def Configure;(□ Configure (line 163 on page 95))
127 part def DOORS;(□ DOORS (line 165 on page 95))
128 part def Clafer;(□ Clafer (line 167 on page 95))
129 part def Lobot;(□ Lobot (line 169 on page 95))

```

```

129 | abstract item def id FSM 'Finite State Machine';(❑ FSM (line 206 on page 96))
130 | abstract item def id DFSM 'Deterministic Finite State Machine'(❑ DFSM (line 212 on
|     page 96))
131 |     :> FSM, Deterministic;
132 | abstract item def id NFSM 'Non,deterministic Finite State Machine'(❑ NFSM (line 215 on
|     page 96))
133 |     :> FSM, 'Non,deterministic';
134 | abstract item def id ASM 'Abstract State Machine';(❑ ASM (line 218 on page 96))
135 | abstract part def Design;(❑ Design (line 221 on page 96))
136 | abstract part def Architecture;(❑ Architecture (line 223 on page 96), Architecture
|     (line 17 on page 85))
137 | abstract part def Specification;(❑ Specification (line 225 on page 96))
138 | abstract part def 'Architecture Specification' :> Specification;(❑ Architecture
|     Specification (line 227 on page 96))
139 | abstract part def System;(❑ System (line 255 on page 97))
140 | abstract part def 'Distributed System' :> System;(❑ Distributed System (line 257 on
|     page 97))
141 | abstract part def 'Concurrent System' :> System;(❑ Concurrent System (line 260 on
|     page 97))
142 | abstract part def Algorithm;
143 | abstract part def Program;(❑ Program (line 290 on page 97))
144 |
145 // Concepts related to measurable abstractions of systems.
146 abstract item def Risk;(❑ Risk (line 179 on page 96))
147 abstract item def Power;(❑ Power (line 181 on page 96))
148 abstract item def Resource;(❑ Resource (line 183 on page 96))
149 abstract item def Reliability;(❑ Reliability (line 185 on page 96))
150 |
151 // Assurance concepts and technologies.
152 abstract item def id CDE 'Collaborative Development Environment';(❑ CDE (line 192 on
|     page 96))
153 abstract item def id CI 'Continuous Integration';(❑ CI (line 194 on page 96))
154 abstract item def id CV 'Continuous Verification';(❑ CV (line 22 on page 86), CV
|     (line 196 on page 96))
155 abstract item def Analyzer;(❑ Analyzer (line 198 on page 96))
156 abstract item def 'Static Analyzer' :> Analyzer;(❑ Static Analyzer (line 200 on
|     page 96))
157 abstract item def 'Dynamic Analyzer' :> Analyzer;(❑ Dynamic Analyzer (line 203 on
|     page 96))
158 abstract part def Solver;(❑ Solver (line 230 on page 96))
159 abstract part def id LF 'Logical Framework';(❑ LF (line 234 on page 96))
160 abstract item def 'High,Assurance';(❑ High-Assurance (line 308 on page 98))
161 |
162 // Concepts relevant to languages and protocols.
163 abstract part def Language;
164 abstract part def 'Specification Language' :> Language;(❑ Specification Language
|     (line 238 on page 96))
165 abstract part def Protocol;(❑ Protocol (line 240 on page 96))
166 abstract part def 'System Specification' :> Specification;(❑ System Specification
|     (line 242 on page 96))
167 abstract item def 'Hand,written'(❑ Hand-written (line 245 on page 97))
168 abstract item def 'Machine,generated';(❑ Machine-generated (line 247 on page 97))
169 abstract part def 'Source,level Specification Language'(❑ Source-level Specification
|     Language (line 249 on page 97))
170     :> 'Specification Language';
171 abstract part def 'Model,based Specification Language'(❑ Model-based Specification
|     Language (line 252 on page 97))
172     :> 'Specification Language';
173 abstract item def Cryptological;
174 abstract item def 'Cryptographic Protocol' :> Protocol, Cryptological;(❑ Cryptographic
|     Protocol (line 263 on page 97))
175 abstract item def 'Cryptographic Algorithm' :> Algorithm, Cryptological;(❑ Cryptographic
|     Algorithm (line 266 on page 97))
176 |
177 // Software engineering.
178 abstract item def id PL 'Programming Language' :> Language;(❑ PL (line 236 on page 96))
179 abstract item def 'Source Code';
180 abstract part def C :> 'PL';(❑ C (line 310 on page 98))
181 abstract part def C_Source :> C, 'Source Code';
182 abstract item def 'Object Code';

```

```

183 | abstract item def id IR 'Intermediate Representation';(❑ IR (line 66 on page 87))
184 | abstract item def id LLVM 'Low-Level Virtual Machine' :> IR;(❑ LLVM (line 70 on
185 |     page 87))
186 | abstract item def Compiler {(& Compiler (line 280 on page 97))
187 |     item input: Language[1...*];
188 |     item output: Language[1...*];
189 |
190 | // Hardware design.
191 | abstract item def Hardware;(❑ Hardware (line 37 on page 89),   Hardware (line 23 on
192 |     page 88),   Hardware (line 30 on page 91))
193 | abstract item def SWaP {(& SWaP (line 112 on page 88))
194 |     // attribute size:
195 |     // attribute weight:
196 |     // attribute power:
197 |
198 | abstract item def Hard :> SWaP;
199 | abstract item def 'Soft Core Hardware' :> Hardware, 'Soft Core';
200 | abstract item def 'Physical Hardware' :> Hardware, Hard;
201 | abstract part def Synthesizer :> Compiler;(& Synthesizer (line 282 on page 97))
202 | abstract item def id HDL 'Hardware Design Language';(& HDL (line 50 on page 87))
203 | abstract part def BluespecSystemVerilog :> HDL;
204 | abstract part def SystemVerilog :> HDL;(& SV (line 108 on page 88))
205 | abstract part def Verilog :> SystemVerilog;(& Verilog (line 134 on page 88))
206 | abstract part def Chisel :> HDL;
207 | abstract part def id CPU 'Central Processing Unit';(& CPU (line 38 on page 91),   CPU
208 |     (line 19 on page 86))
209 |
210 | // Hardware engineering concepts.
211 | abstract part def Component;
212 | abstract part def Switch :> Component;
213 | abstract part def Button :> Component;
214 | abstract part def Header :> Component;
215 | abstract part def Interface :> Component;
216 | abstract part def Connector :> Component;(& Connector (line 301 on page 97))
217 | abstract part def Memory :> Component;
218 | abstract part def ASIC :> Component;(& ASIC (line 13 on page 86))
219 | abstract item def id IO 'I/O';(& IO (line 268 on page 97))
220 | abstract part def id GPIO 'General Purpose I/O';(& GPIO (line 46 on page 87),   GPIO
221 |     (line 270 on page 97))
222 | abstract part def Sensor;(& Sensors (line 49 on page 89),   Sensor (line 273 on
223 |     page 97))
224 | abstract part def Temperature Sensor';(& Temperature Sensor 1 (line 51 on page 89),
225 |     Temperature Sensor (line 46 on page 99),   Temperature Sensor 2 (line 53 on
226 |     page 89),   TS1 (line 84 on page 99),   TS2 (line 87 on page 99))
227 | abstract part def Pressure Sensor';(& Pressure Sensor 2 (line 57 on page 89),
228 |     Pressure Sensor (line 50 on page 99),   PS2 (line 93 on page 100),   PS1
229 |     (line 90 on page 100),   Pressure Sensor 1 (line 55 on page 89))
230 | abstract part def Actuator;(& Actuator 2 (line 47 on page 89),   Actuator 1 (line 45
231 |     on page 89),   Actuator (line 275 on page 97),   Actuators (line 43 on page 89))
232 | abstract part def Solenoid :> Actuator;(& Solenoid (line 277 on page 97))
233 | abstract item def Bus;
234 | abstract part def id USB 'Universal Serial Bus' :> Bus;(& USB (line 124 on page 88),
235 |     USB (line 284 on page 97))
236 | abstract part def LED;(& LED (line 286 on page 97))
237 | abstract part def Cable;(& Cable (line 288 on page 97))
238 | abstract part def id FPGA 'Field-Programmable Gate Array' :> ASIC;(& FPGA (line 38 on
239 |     page 86),   FPGA (line 294 on page 97),   FPGA (line 39 on page 89))
240 | abstract part def 'ECP,5' :> FPGA;(& ECP-5 (line 296 on page 97))
241 | abstract part def id PCB 'Printed Circuit Board' {(& PCB (line 299 on page 97))
242 |     part components: Component[*];
243 |
244 | abstract part def 'USB Connector' :> USB, Connector;(& USB Connector (line 303 on
245 |     page 97))
246 | abstract part def id USB_Mini 'USB Mini Connector' :> 'USB Connector';(& USB-Mini
247 |     (line 305 on page 98))
248 | abstract part def PMOD;(& PMOD (line 312 on page 98))
249 | abstract part def JTAG :> Protocol;(& JTAG (line 314 on page 98))
250 | abstract part def Driver;(& Driver (line 316 on page 98))

```

```

238 |     port def USB_In {
239 |         in item 'USB Connector';
240 |     }
241 |     port def USB_Out {
242 |         out item 'USB Connector';
243 |     }
244 |     /** A normal USB cable. */
245 |     abstract part def 'USB Cable' :> USB, Cable { (USB Cable (line 5 on page 98), UCB
246 |         Cable (line 320 on page 98))
247 |         /** What kind of USB connector is on the start of the cable? */
248 |         port start_connector: USB_In;
249 |         /** What kind of USB connector is on the end of the cable? */
250 |         port end_connector: USB_Out;
251 |     }
252 |     port def 'Output LED' :> LED;
253 |
254 |     // Safety, critical concepts.
255 |     abstract item def Voting; (Voting (line 318 on page 98), Voting 2 (line 23 on
256 |         page 89), Voting 1 (line 21 on page 89))
257 |
258 |     // Artifacts specific to RDE.
259 |     abstract part def id CryptolSpec 'Cryptol System Specification' (CryptolSpec (line 3
260 |         on page 90))
261 |         :> Cryptol, 'System Specification' {
262 |             attribute literate: Boolean;
263 |         }
264 |     attribute def Languages {
265 |         attribute languages: String[*];
266 |     }
267 |     abstract part def id Impl 'Implementation' {
268 |         attribute languages: Languages[*];
269 |     }
270 |     abstract part def id Software 'Software Implementation' (Software (line 22 on
271 |         page 90))
272 |         :> Implementation;
273 |     abstract part def id SWImpl 'Hand,written Software Implementation' (SWImpl (line 32
274 |         on page 91), SWImpl (line 24 on page 90))
275 |         :> Software, 'Hand,written';
276 |     abstract part def id SynthSW 'Synthesized Software Implementation' (SynthSW (line 27
277 |         on page 90), SynthHW (line 35 on page 91))
278 |         :> Software, 'Machine,generated';
279 |     abstract part def 'Hardware Implementation'; (Hardware (line 30 on page 91))
280 |     abstract part def id HWImpl 'Hand,written Hardware Implementation'; (HWImpl (line 32
281 |         on page 91), SWImpl (line 24 on page 90))
282 |     abstract part def id SynthHW 'Synthesized Hardware Implementation'; (SynthSW (line 27
283 |         on page 90), SynthHW (line 35 on page 91))
284 |     abstract part def id Binary 'Software Binaries' { (Binaries (line 46 on page 91))
285 |         attribute verified_compilation: Boolean;
286 |         attribute secure_compilation: Boolean;
287 |         attribute isa: ISA;
288 |     }
289 |     part def RISCV_Binary :> Binary {
290 |         // :>> isa = RISC_V_ISA;
291 |     }
292 |     abstract part def id Bitstream 'FPGA Bitstream' { (Bitstream (line 50 on page 91),
293 |         Bitstream (line 292 on page 97))
294 |         attribute proprietary_flow: Boolean;
295 |     }
296 |
297 |     // NRC concepts.
298 |     abstract part def 'NRC Certification Regulations';
299 |

```

## D.6 RTS Hardware Artifacts

Listing D.6: Listing SysML Model of RTS\_Hardware\_Artifacts.

```

1 /**
2 * The physical hardware components that are a part of the HARDENS RTS
3 * demonstrator.
4 */
5 package 'RTS Hardware Artifacts' { (RTS Hardware Artifacts (line 1 on page 98),
6     Hardware (line 23 on page 85))
7     private import 'Project Glossary'::*;
8     //import Architecture::RTS_System_Arch::Hardware::*;
9     private import ScalarValues::*;
10
11    part def 'SERDES Test SMA Connector' :> Connector;(J9-J26 (line 12 on page 98))
12    part def 'Parallel Config Header' :> Header;(J38 (line 14 on page 98))
13    part def 'Versa Expansion Connector' :> Connector;(J39-J40 (line 16 on page 98))
14    part def 'SPI Flag Configuration Memory' :> Memory;(U4 (line 18 on page 98))
15    part def 'CFG Switch' :> Switch;
16    part def 'Input Switch' :> Switch;(SW5 (line 22 on page 98))
17    part def 'Output LED' :> LED;(D5-D12 (line 24 on page 98), Output LED (line 323
18        on page 98))
19    part def 'Input Push Button' :> Button;(SW2-SW4 (line 26 on page 98))
20    part def '12 V DC Power Input' :> Power;
21    part def 'GPIO Headers' :> Header, GPIO;(J32-J33 (line 30 on page 98))
22    part def 'PMOD/GPIO Header' :> Header, PMOD, GPIO;(J31 (line 32 on page 99))
23    part def 'Microphone Board/GPIO Header' :> Header;(J30 (line 34 on page 99))
24    part def 'ECP5,5G Device' :> FPGA;(U3 (line 38 on page 99))
25
26    part def 'JTAG Interface' :> JTAG, USB;(J1 (line 40 on page 99))
27    part def 'Mini USB Programming' :> USB;(J2 (line 42 on page 99))
28    part def id DevBoard 'Lattice ECP5 FPGA Development Board' :> PCB { (Lattice ECP5 FGPA
29        Development Board (line 41 on page 89), Board (line 44 on page 99))
30        part J9_J26 : 'SERDES Test SMA Connector'[16] subsets components;
31        part J38 : 'Parallel Config Header' subsets components;(J38 (line 14 on page 98))
32        part J39_J40 : 'Versa Expansion Connector'[2] subsets components;
33        part U4 : 'SPI Flag Configuration Memory' subsets components;(U4 (line 18 on
34            page 98))
35        part SW1 : 'CFG Switch' subsets components;(SW1 (line 20 on page 98))
36        part SW5 : 'Input Switch' subsets components;(SW5 (line 22 on page 98))
37        part D5_D12 : 'Output LED'[8] subsets components;
38        part SW2_SW4 : 'Input Push Button'[3] subsets components;
39        part J37 : '12 V DC Power Input' subsets components;
40        part J5_J8_J32_J33 : 'GPIO Headers'[4] subsets components;
41        part J31 : 'PMOD/GPIO Header' subsets components;(J31 (line 32 on page 99))
42        part J30 : 'Microphone Board/GPIO Header' subsets components;(J30 (line 34 on
43            page 99))
44        part 'Prototype Area';(Prototype Area (line 36 on page 99))
45        part U3 : 'ECP5,5G Device' subsets components;(U3 (line 38 on page 99))
46        part J1 : 'JTAG Interface' subsets components;(J1 (line 40 on page 99))
47        part J2 : 'Mini USB Programming' subsets components;(J2 (line 42 on page 99))
48    }
49
50    enum def SolenoidState {
51        OPEN;
52        CLOSED;
53    }
54    /** A solenoid actuator capable of being in an open or closed state. */
55    part def 'Solenoid Actuator' :> Actuator { (SA1 (line 96 on page 100), SA2
56        (line 99 on page 100), Solenoid Actuator (line 54 on page 99))
57        item actuator_state;
58        /** Open! */
59        port open;
60        /** Close! */
61        port close;
62    }
63}

```

## D.7 RTS Implementation Artifacts

Listing D.7: Listing SysML Model of RTS\_Implementation\_Artifacts.

```

1 package id Artifacts 'RTS Implementation Artifacts' {(
2     page 85), Artifacts (line 1 on page 90)}
3     private import ScalarValues::.*;
4     private import 'Project Glossary'::*;
5 
6 // @design Remove concepts in general Glossary that duplicate or
7 // overlap with these concepts. Move abstract items to Glossary.
8 part def id CryptoToC 'Cryptol Software Compiler' :> Compiler {(
9     line 27 on
10    page 90)
11     ref item input: CryptolSpec redefines input;
12     ref item output: C_Source redefines output;
13 }
14 part def id CryptoToSystemVerilog 'Cryptol Hardware Compiler' :> Compiler {(
15     line 17 on page 90)
16     ref item input: CryptolSpec redefines input;
17     ref item output: SystemVerilog redefines output;
18 }
19 part def id CPU 'COTS High Assurance RV32I RISC-V CPU' :> CPU, RISC_V_ISA;(
20     line 38 on page 91), CPU (line 19 on page 86))
21 part def id CompCert 'CompCert Compiler' :> Compiler {(
22     line 40 on page 91))
23     ref item input: C_Source redefines input;
24     ref item output: RISCV_Binary redefines output;
25 }
26 part def id BSC 'Bluespec Compiler' :> Compiler {(
27     line 42 on page 91))
28     ref item input: BluespecSystemVerilog redefines input;
29     ref item output: SystemVerilog redefines output;
30 }
31 part def id SymbiFlow 'SymbiFlow Synthesizer' :> Synthesizer {(
32     line 44 on
33     page 91))
34     ref item input: SystemVerilog redefines input;
35     ref item output: Bitstream redefines output;
36 }
37 part def id RTL 'Demonstrator Verilog';((
38     line 92 on page 87), RTL (line 48 on
page 91))
39 part def 'Demonstrator Bitstream' :> Bitstream;
40 package id Dataflow 'Dataflow of RTS Implementation Artifacts' {(
41     line 52 on
page 91))
42     private import 'RTS Implementation Artifacts'::*;
43 
44     part def 'HARDENS Cryptol System Specification' :> CryptolSpec {
45         // :>> literate = true;
46     }
47     // bind 'HARDENS Cryptol System Specification'.output = CryptoToC.input;
48 }
```

## D.8 RTS Physical Architecture

Listing D.8: Listing SysML Model of RTS\_Physical\_Architecture.

```

1 /**
2 package 'Physical Architecture' {(
3     line 63 on page 99))
4     import 'Project Glossary'::*;
5     import 'RTS Hardware Artifacts'::*;
6 
7 // /**
8 // ** A PCB developer board used to prototype hardware. */
9 // part 'HARDENS Demonstrator Board' : DevBoard;
10 // /**
11 // ** The USB cable used to communicate the ASCII UI to/from the board. */
12 //
```

```

9 // part id UI_C 'USB UI Cable' : 'USB Cable';
10 // /** The USB cable used to program the board with a bitstream. */
11 // part id Prog_C 'USB Programming Cable' : 'USB Cable';
12 // /** The USB cable used to interact with the board in a debugger. */
13 // part id Debug_C 'USB Debugging I/O Cable' : 'USB Cable';
14 // /// @trace #11 https://github.com/GaloisInc/HARDENS/issues/11
15
16 // part def id MPL3115A2 'SparkFun Altitude/Pressure Sensor Breakout' :>
17 // PCB, 'Pressure Sensor';
18 // /// 4x https://www.sparkfun.com/products/11084
19 // part def 'SparkFun MOSFET Power Control Kit' :> PCB, Power;
20 // /// 4x https://www.sparkfun.com/products/12959
21 // part def id TMP102 'SparkFun Digital Temperature Sensor Breakout' :>
22 // PCB, 'Temperature Sensor';
23 // /// 4x https://www.sparkfun.com/products/13314
24 // part def 'Small Push,Pull Solenoid ,12VDC' :> 'Solenoid Actuator';
25 // /// 4x https://www.adafruit.com/product/412
26 // part def '1N4001 Diode';
27 // /// 1x https://www.adafruit.com/product/755
28 // /** The first of two redundant temperature sensors. */
29 // part id TS1 'Temperature Sensor 1' : TMP102;
30 // /** The second of two redundant temperature sensors. */
31 // part id TS2 'Temperature Sensor 2' : TMP102;
32 // /** The first of two redundant pressure sensors. */
33 // part id PS1 'Pressure Sensor 1' : MPL3115A2;
34 // /** The second of two redundant pressure sensors. */
35 // part id PS2 'Pressure Sensor 2' : MPL3115A2;
36 // /** The first of two redundant solenoid actuators. */
37 // part id SA1 'Solenoid Actuator 1' : 'Small Push,Pull Solenoid ,12VDC';
38 // /** The second of two redundant solenoid actuators. */
39 // part id SA2 'Solenoid Actuator 2' : 'Small Push,Pull Solenoid ,12VDC';
40
41 //
42 // /** The computer used by a developer to interface with the demonstrator,
43 // typically for driving the demonstrator's UI and programming and
44 // debugging the board. */
45 // part def 'Developer Machine':> Computer;
46 //
47 // /** The fully assembled HARDENS demonstrator hardware with all component present. */
48 // part id Demonstrator 'HARDENS Demonstrator';
49 //
50 // connection def DevMachineToDevBoard {
51 // end: Computer;
52 // end: PCB;
53 // }
54 // connection: DevMachineToDevBoard connect 'Developer Machine' to Board;
55 }

```

## D.9 RTS Properties

Listing D.9: Listing SysML Model of RTS\_Properties.

```

1 /**
2 * All correctness and security properties of the RTS system are
3 * specified in this subsystem.
4 */
5 package id Properties 'RTS Properties' { (≡ Properties (line 35 on page 86))
6 }

```

## D.10 RTS Requirements

Listing D.10: Listing SysML Model of RTS\_Requirements.

```

1 /**
2  * All requirements that the RTS system must fulfill, as driven by the
3  * IEEE 603,2018 standards and the NRC RFP.
4 */
5 package id Requirements 'RTS Requirements' { ( Requirements (line 31 on page 85))
6   // Note that we do not specify documentation comments here as they
7   // are specified in the Lando specification. If we do not include
8   // additional specifications here on the refinement from the higher, level
9   // specification (in this case, SysML refines Lando), then the higher, level
10  // specification's comments/specifications refine too (an hence are
11  // just copied verbatim).
12  package id Requirements 'HARDENS Project High,level Requirements' { ( Requirements
13    (line 31 on page 85))
14    import 'Project Glossary'::*;
15    import 'RTS Stakeholders'::*;

16    requirement def 'Project Requirements' {
17      subject 'NRC staff' : 'NRC Customer';
18    }
19    requirement 'NRC Understanding' : 'Project Requirements'; ( NRC Understanding (line 7
19      on page 102))
20    requirement 'Identify Regulatory Gaps' : 'Project Requirements'; ( Identify Regulatory
20      Gaps (line 13 on page 102))
21    requirement Demonstrate : 'Project Requirements'; ( Demonstrate (line 18 on
21      page 102))
22    requirement 'Demonstrator Parts' : 'Project Requirements'; ( Demonstrator Parts
22      (line 24 on page 102))
23    requirement 'Demonstrator Groundwork' : 'Project Requirements'; ( Demonstrator
23      Groundwork (line 28 on page 102))
24  }

25
26  // those found in the Characteristics specification.
27 package id Characteristics 'NRC Characteristics' { ( Characteristics (line 39 on
27      page 86))
28   import 'Project Glossary'::*;
29   import 'RTS Stakeholders'::*;

30
31   requirement def 'NRC Characteristic' {
32     //subject expert: 'NRC Certification SME';
33     //subject regulation: 'NRC Certification Regulations';
34   }
35   requirement 'Requirements Consistency' : 'NRC Characteristic'; ( Requirements
35     Consistency (line 40 on page 102))
36   requirement 'Requirements Colloquial Completeness' : 'NRC Characteristic'; ( Requirements
36     Colloquial Completeness (line 47 on page 102))
37   requirement 'Requirements Formal Completeness' : 'NRC Characteristic'; ( Requirements
37     Formal Completeness (line 52 on page 103))
38   requirement 'Instrumentation Independence' : 'NRC Characteristic'; ( Instrumentation
38     Independence (line 58 on page 103))
39   requirement 'Channel Independence' : 'NRC Characteristic'; ( Channel Independence
39     (line 66 on page 103))
40   requirement 'Actuation Independence' : 'NRC Characteristic'; ( Actuation Independence
40     (line 74 on page 103))
41   requirement 'Actuation Correctness' : 'NRC Characteristic'; ( Actuation Correctness
41     (line 82 on page 103))
42   requirement 'Self,Test/Trip Independence' : 'NRC Characteristic'; ( Self-Test/Trip
42     Independence (line 89 on page 103))
43 }

44 // Note that formal requirements expressed externally must be traceable
45 // to this system model, but need not be repeated in whole here. Model
46 // elements that are expressed in both the SysML and FRET models must
47 // be in a refinement relationship with each other (e.g., in this case study,
48 // SysML ⊑ FRET.
49 package 'Formal Requirements' {
50   import 'Project Glossary'::*;

```

```

51 requirement def id FRET 'FRET Requirements' { (FRET (line 54 on page 94))
52   doc /* RTS requirements formalized in the FRET tool. */
53 }
54
55 requirement ACTUATION_ACTUATOR_0 : FRET;
56 }
57 }
```

## D.11 RTS Scenarios

Listing D.11: Listing SysML Model of RTS\_Scenarios.

```

1 /**
2 * The set of all scenarios that describe interesting end,to,end executions
3 * of the RTS system. The full set of scenarios must include all normal
4 * behavior (online and during self,test) and exceptional behavior.
5 */
6 package id Scenarios 'RTS Scenarios' {
7   package id Normal 'RTS Normal Behavior Scenarios' {
8     import 'RTS Architecture'::'RTS System Architecture'::RTS;
9
10    item def 'RTS User';
11    use case def id NB 'Normal Behavior' {
12      subject RTS;
13      actor user : 'RTS User';
14      objective {
15        doc /* @see test_scenarios.lando */
16      }
17    }
18    // @design kiniry Actually, ST should specialize NB. I don't know how
19    // to express that in SysML yet.
20    use case def id ST 'Normal Behavior Under Self,Test' {
21      subject RTS;
22      actor tester : 'RTS User';
23    }
24    package 'Self,test Scenarios' {
25      import Normal::ST;
26      use case '1a ,Trip on Mock High Pressure Reading from that Pressure Sensor' : NB;
27      use case '1b ,Trip on Environmental High Pressure Reading from that Pressure Sensor' :
28        ↪ NB;
29      use case '2a ,Trip on Mock High Temperature Reading from that Temperature Sensor' : NB;
30      use case '2a ,Trip on Environmental High Temperature Reading from that Temperature
31        ↪ Sensor' : NB;
32      use case '3a ,Trip on Mock Low Saturation Margin' : NB;
33      use case '3a ,Trip on Environmental Low Saturation Margin' : NB;
34      use case '4 ,Vote on Every Possible Like Trip' : NB;
35      use case '5a ,Automatically Actuate All Mock Devices in Sequence' : NB;
36      use case '5b ,Automatically Actuate All Mock Devices in Sequence' : NB;
37      use case '6 ,Manually Actuate Each Device in Sequence' : NB;
38      use case '7a ,Select Maintenance Operating Mode for each Division' : NB;
39      use case '7b ,Select Normal Operating Mode for each Division' : NB;
40      use case '8 ,Perform Each Kind of Setpoint Adjustment' : NB;
41      use case '9 ,Configure Bypass of Each Instrument Channel in Sequence' : NB;
42      use case '10 ,Configure Active Trip Output State of Each Instrument Channel in Sequence
43        ↪ ' : NB;
44      use case '11 ,Display Pressure, Temperature, and Saturation Margin' : NB;
45      use case '13 ,Display Indication of Every Channel in Bypass in Sequence' : NB;
46      use case '14 ,Demonstrate Periodic Continual Self,test of Safety Signal Path' : NB;
47      use case 'Full Self,Test' : NB;
    }
  package 'RTS Scenarios' {
```

```

48    }
49 }
50 package id Exceptional 'RTS Exceptional Behavior Scenarios' {
51   use case def id EB 'Exceptional Behavior' {
52     subject RTS;
53     objective {
54       doc /* @see test_scenarios.lando */
55     }
56   }
57   use case '1a ,Cause Actuator 1 to Fail' : EB;
58   use case '1b ,Cause Actuator 2 to Fail' : EB;
59   use case '1c ,Non,deterministically Cause an Actuator to Eventually Fail' : EB;
60   use case '2a ,Cause Temperature Sensor 1 to Fail' : EB;
61   use case '2b ,Cause Temperature Sensor 2 to Fail' : EB;
62   use case '2c ,Non,deterministically Cause a Temperature Sensor to Eventually Fail' : EB;
63   use case '3a ,Cause Pressure Sensor 1 to Fail' : EB;
64   use case '3b ,Cause Pressure Sensor 2 to Fail' : EB;
65   use case '3c ,Non,deterministically Cause a Pressure Sensor to Eventually Fail' : EB;
66   use case '4a ,Cause Instrumentation Unit 1 to Fail' : EB;
67   use case '4b ,Cause Instrumentation Unit 2 to Fail' : EB;
68   use case '4c ,Cause Instrumentation Unit 3 to Fail' : EB;
69   use case '4d ,Cause Instrumentation Unit 4 to Fail' : EB;
70   use case '4e ,Non,Deterministically Cause Instrumentation Unit to Eventually Fail' : EB;
71   // @review kiniry I actually don't know if we are fault tolerant to' : EB;
72   // failure in these components. Please review @abakst.
73   use case '5a ,Cause Temperature Demultiplexor 1 to Fail' : EB;
74   use case '5b ,Cause Temperature Demultiplexor 2 to Fail' : EB;
75   use case '5b ,Cause a Temperature Demultiplexor to Eventualy Fail' : EB;
76 }
77 }

```

## D.12 RTS Stakeholders

Listing D.12: Listing SysML Model of RTS\_Stakeholders.

```

1 package 'RTS Stakeholders'
2 {
3   // NRC Stakeholders
4   part def 'NRC Customer';
5   part def 'NRC Assurance SME' :> 'NRC Customer';
6   part def 'NRC Certification SME' :> 'NRC Customer';
7
8   // Galois Stakeholders
9   part def 'Galois Employee' {
10     attribute
11       name: ScalarValues::String;
12       email: ScalarValues::String;
13   }
14   part def 'Galois PI' :> 'Galois Employee';
15   part def 'Galois PL' :> 'Galois Employee';
16   part def 'Galois Research Engineer' :> 'Galois Employee';
17   part def 'Galois Software and Assurance Research Engineer'
18     :> 'Galois Research Engineer';
19   part def 'Galois Hardware Research Engineer' :> 'Galois Research Engineer';
20   part PI : 'Galois PI' {
21     attribute
22       redefines name = "Joe Kiniry";
23       redefines email = "kiniry@galois.com";
24   }
25
26   part PL : 'Galois PL' { (PL (line 236 on page 96))
27     attribute

```

```

28     redefines name = "Andrew Bivin";
29     redefines email = "abivin@galois.com";
30 }
31 part SARE : 'Galois Software and Assurance Research Engineer' {
32   attribute
33   redefines name = "Alex Bakst";
34   redefines email = "abakst@galois.com";
35 }
36 part HRE : 'Galois Hardware Research Engineer' {
37   attribute
38   redefines name = "Michal Podhradsky";
39   redefines email = "mpodhradsky@galois.com";
40 }
41
42 concern 'requirement traceability' {
43   doc /* Will all requirements be traceable from project requirement
44     * or NRC characteristic to assurance evidence demonstrated in a
45     * report? */
46   stakeholder 'Customer';
47   stakeholder 'Galois Employee';
48 }
49
50
51 // or from Galois or the Galois HARDENS team.
52 }
```

## D.13 RTS Static Architecture

Listing D.13: Listing SysML Model of RTS\_Static\_Architecture.

```

1 /**
2  * This RTS architecture specification includes all of the core
3  * concepts inherent to NPP Instrumentation and Control systems.
4  * A system architecture specification often includes a software,
5  * hardware, network, and data architecture specifications.
6 */
7 package id Architecture 'RTS Architecture' { (□ Architecture (line 223 on page 96),
8   Architecture (line 17 on page 85))
9   //import RTS::*;
10  //import 'Project Glossary'::*;
11  //import Artifacts::*;
12  //import 'RTS Hardware Artifacts'::*;
13
14  part def Base_RTS_System_Architecture_Context {
15    // overall RTS architecture shape from
16  }
17
18  /** Note that this is the *systems* architecture, which is different
19    than our software, hardware, or data architectures. */
20  package id RTS_System_Arch 'RTS System Architecture' { (□ RTS_System_Arch (line 3 on
21    page 88))
22    package Sensor { (□ Sensors (line 49 on page 89), Sensor (line 273 on page 97))
23      private import Quantities::*;
24
25      /** Generic sensor port */
26      port def SensorOutPort {
27        out value : ScalarQuantityValue;
28      }
29
30      /** Generic sensor */
31      part def GenericSensor {
32        attribute currentValue : ScalarQuantityValue;
```

```

32     attribute sensorAddress : ScalarValues::Integer;
33     port output: SensorOutPort;
34 }
35
36 /**
37 * A demultiplexer for sending one sensor signal to multiple
38 * outputs.
39 */
40 part def Demux {
41     port input: ~SensorOutPort;
42     // Using vector notation doesn't seem to work in connections
43     port output1: SensorOutPort;
44     port output2: SensorOutPort;
45 }
46
47 /**
48 * A generic temperature sensor. */
49 package TempSensor {
50     import Sensor::*;
51     import ISQThermodynamics::TemperatureValue;
52
53     /** Temperature port */
54     port def TemperatureOutPort :> SensorOutPort {
55         redefines value: TemperatureValue;
56     }
57
58     /** A sensor that is capable of measuring the temperature of its environment. */
59     part def 'Temperature Sensor' :> GenericSensor {(_ Temperature Sensor 1 (line 51 on
60         page 89), Temperature Sensor (line 46 on page 99), Temperature Sensor 2
61         (line 53 on page 89), TS1 (line 84 on page 99), TS2 (line 87 on page 99))
62         /** What is your temperature reading in Celsius (C)? */
63         redefines currentValue: TemperatureValue;
64         redefines output: TemperatureOutPort;
65     }
66
67     part def TempDemux :> Demux {
68         redefines input: ~TemperatureOutPort;
69         redefines output1: TemperatureOutPort;
70         redefines output2: TemperatureOutPort;
71     }
72
73     /** A generic pressure sensor. */
74     package PressureSensor {(_ Pressure Sensor 2 (line 57 on page 89), Pressure Sensor
75         (line 50 on page 99), PS2 (line 93 on page 100), PS1 (line 90 on page 100),
76         Pressure Sensor 1 (line 55 on page 89))
77         import Sensor::*;
78         import ISQMechanics::PressureValue;
79
80         /** Pressure port */
81         port def PressureOutPort :> SensorOutPort {
82             redefines value: PressureValue;
83         }
84
85         /** A sensor that is capable of measuring the air pressure of its environment. */
86         part def 'Pressure Sensor' :> GenericSensor {(_ Pressure Sensor 2 (line 57 on
87             page 89), Pressure Sensor (line 50 on page 99), PS2 (line 93 on
88             page 100), PS1 (line 90 on page 100), Pressure Sensor 1 (line 55 on
89             page 89))
90             /** What is your pressure reading in Pascal (P)? */
91             redefines currentValue: PressureValue;
92             redefines output: PressureOutPort;
93         }
94
95         part def PressureDemux :> Demux {
96             redefines input: ~PressureOutPort;
97             redefines output1: PressureOutPort;
98             redefines output2: PressureOutPort;

```

```

93    }
94
95
96 /**
97 * The Instrumentation subsystem contains all of the sensors for an
98 * NPP I&C system.
99 */
100 package Instrumentation {   Instrumentation 3 (line 65 on page 89),    Instrumentation
101   2 (line 63 on page 89),    Instrumentation 1 (line 61 on page 89),
102      Instrumentation (line 59 on page 89),    Instrumentation 4 (line 67 on
103   page 89))(   Instrumentation (?? on page ???))
104   private import ScalarValues::Real;
105   private import ScalarValues::Boolean;
106   private import TempSensor::.*;
107   private import PressureSensor::*;

108   port def TripPort {
109     out trip : Boolean;
110   }
111
112   port def BypassPort {
113     out trip : Boolean;
114   }
115
116   enum def TripMode {
117     enum Bypass;
118     enum Operate;
119     enum Manual;
120   }
121
122   enum def Channel {
123     enum Temperature;
124     enum Pressure;
125     enum Saturation;
126   }
127
128   attribute def TripModeCommand {
129     attribute mode: TripMode;
130     attribute channel: Channel;
131   }
132
133   port def TripModePort {
134     out mode: TripModeCommand;
135   }
136
137   part def InstrumentationUnit {
138     // setpoints
139     attribute tempSetpoint : TemperatureValue;
140     attribute pressureSetpoint : PressureValue;
141     attribute saturationLimit : Real;
142
143     // mode selectors
144     attribute maintenanceMode : Boolean;
145     attribute temperatureTripMode: TripMode;
146     attribute pressureTripMode: TripMode;
147     attribute saturationTripMode: TripMode;
148
149     // Inputs
150     port temperatureInput: ~TemperatureOutPort;
151     port pressureInput: ~PressureOutPort;
152     port tripMode: ~TripModePort;
153
154     // Outputs
155     port pressureTripOut:TripPort;
156     port temperatureTripOut:TripPort;
157     port saturationTripOut:TripPort;

```

```

157
158     port setMaintenanceMode: ~EventControl::MaintenancePort;
159
160     port newTemperatureSetpoint: ~TemperatureOutPort;
161     port newPressureSetpoint: ~PressureOutPort;
162     port newSaturationSetpoint : ~SensorOutPort;
163 }
164 }
165
166 package Actuation { (Actuation  (?? on page ??))
167   import Instrumentation::.*;
168
169   port def ActuationPort {
170     out actuate: ScalarValues::Boolean;
171   }
172
173   part def CoincidenceLogic {
174     port channel1: ~TripPort;
175     port channel2: ~TripPort;
176     port channel3: ~TripPort;
177     port channel4: ~TripPort;
178     port actuate: ActuationPort;
179   }
180   part def OrLogic {
181     port channel1: ~TripPort;
182     port channel2: ~TripPort;
183     port actuate: ActuationPort;
184   }
185
186   part def ActuationUnit {
187     part temperatureLogic : CoincidenceLogic;
188     part pressureLogic : CoincidenceLogic;
189     part saturationLogic : CoincidenceLogic;
190
191     part tempPressureTripOut : OrLogic;
192
193     connect temperatureLogic.actuate to tempPressureTripOut.channel1;
194     connect pressureLogic.actuate to tempPressureTripOut.channel2;
195   }
196   part def Actuator { (Actuator 2  (line 47 on page 89),  Actuator 1  (line 45 on
197   // page 89),  Actuator  (line 275 on page 97),  Actuators  (line 43 on page 89))
198   // Actuate if either of these are true
199   port input: ActuationPort;
200   port manualActuatorInput: ~ActuationPort;
201 }
202
203 package EventControl {
204   import ScalarValues::Boolean;
205
206   port def MaintenancePort {
207     out maintenance: Boolean;
208   }
209
210   part def ControlUnit {
211     // Maintenance mode select x 4 instrumentation units
212     port maintenanceMode: MaintenancePort[4];
213     // Trip mode select x 4 instrumentation units
214     port tripMode: Instrumentation::TripModePort[4];
215     // New setpoints x 4 instrumentation units
216     port newPressureSetpoint: PressureSensor::PressureOutPort[4];
217     port newTemperatureSetpoint: TempSensor::TemperatureOutPort[4];
218     port newSaturationSetpoint: PressureSensor::PressureOutPort[4];
219     // Toggle actuator x2 actuators
220     port manualActuatorInput: Actuation::ActuationPort[2];
221   }
222 }
```

```

223
224 part RTS { (RTS (line 6 on page 85), RTS (line 94 on page 87)) (RTS
225   (line 36 on page 163))
226   part eventControl : EventControl::ControlUnit;
227
228   import Instrumentation::*;
229   part instrumentationAndSensing {
230     part pressureSensor1 : PressureSensor::'Pressure Sensor';
231     part pressureSensor2 : PressureSensor::'Pressure Sensor';
232
233     part tempSensor1 : TempSensor::'Temperature Sensor';
234     part tempSensor2 : TempSensor::'Temperature Sensor';
235
236     part instrumentationUnit1 : InstrumentationUnit;
237     part instrumentationUnit2 : InstrumentationUnit;
238     part instrumentationUnit3 : InstrumentationUnit;
239     part instrumentationUnit4 : InstrumentationUnit;
240
241     part tempDemux1 : TempSensor::Demux;
242     part tempDemux2 : TempSensor::Demux;
243
244     part pressureDemux1 : PressureSensor::Demux;
245     part pressureDemux2 : PressureSensor::Demux;
246
247     // Temp sensor 1
248     connect tempSensor1.output to tempDemux1.input;
249     connect tempDemux1.output1 to instrumentationUnit1.temperatureInput;
250     connect tempDemux1.output2 to instrumentationUnit2.temperatureInput;
251
252     // Temp sensor 2
253     connect tempSensor2.output to tempDemux2.input;
254     connect tempDemux2.output1 to instrumentationUnit3.temperatureInput;
255     connect tempDemux2.output2 to instrumentationUnit4.temperatureInput;
256
257     // Pressure sensor 1
258     connect pressureSensor1.output to pressureDemux1.input;
259     connect pressureDemux1.output1 to instrumentationUnit1.pressureInput;
260     connect pressureDemux1.output2 to instrumentationUnit2.pressureInput;
261
262     // Pressure sensor 2
263     connect pressureSensor2.output to pressureDemux2.input;
264     connect pressureDemux1.output1 to instrumentationUnit3.pressureInput;
265     connect pressureDemux1.output2 to instrumentationUnit4.pressureInput;
266 }
267
268 import Actuation::*;
269 part actuation { (Actuation (?? on page ??))
270   part actuationUnit1 : ActuationUnit;
271   part actuationUnit2 : ActuationUnit;
272
273   part actuator1 : Actuator; (Actuators (line 43 on page 89), Actuator
274     (line 275 on page 97))
275   part actuator2 : Actuator; (Actuators (line 43 on page 89), Actuator
276     (line 275 on page 97))
277
278   part actuateActuator1 : OrLogic;
279   part actuateActuator2 : OrLogic;
280
281   // connect actuators
282   // Actuator 1 ,temp or pressure trip
283   connect actuationUnit1.tempPressureTripOut.actuate to actuateActuator1.channel1;
284   connect actuationUnit2.tempPressureTripOut.actuate to actuateActuator1.channel2;
285   connect actuateActuator1.actuate to actuator1.input;
286
287   // Actuator 2 ,Saturation
288   connect actuationUnit1.saturationLogic.actuate to actuateActuator2.channel1;
289   connect actuationUnit2.saturationLogic.actuate to actuateActuator2.channel2;

```

```

287     connect actuateActuator2.actuate to actuator2.input;
288 }
289
290 // connect Control units
291 // Actuators manual override
292 connect eventControl.manualActuatorInput[1] to actuation.actuator1.manualActuatorInput;
293 connect eventControl.manualActuatorInput[2] to actuation.actuator2.manualActuatorInput;
294
295 // Instrumentation mode select
296 connect eventControl.maintenanceMode[1] to instrumentationAndSensing.
297     ↪ instrumentationUnit1.setMaintenanceMode;
298 connect eventControl.maintenanceMode[2] to instrumentationAndSensing.
299     ↪ instrumentationUnit2.setMaintenanceMode;
300 connect eventControl.maintenanceMode[3] to instrumentationAndSensing.
301     ↪ instrumentationUnit3.setMaintenanceMode;
302 connect eventControl.maintenanceMode[4] to instrumentationAndSensing.
303     ↪ instrumentationUnit4.setMaintenanceMode;
304
305 // Instrumentation pressure setpoint
306 connect eventControl.newPressureSetpoint[1] to instrumentationAndSensing.
307     ↪ instrumentationUnit1.newPressureSetpoint;
308 connect eventControl.newPressureSetpoint[2] to instrumentationAndSensing.
309     ↪ instrumentationUnit2.newPressureSetpoint;
310 connect eventControl.newPressureSetpoint[3] to instrumentationAndSensing.
311     ↪ instrumentationUnit3.newPressureSetpoint;
312 connect eventControl.newPressureSetpoint[4] to instrumentationAndSensing.
313     ↪ instrumentationUnit4.newPressureSetpoint;
314
315 // Instrumentation temperature setpoint
316 connect eventControl.newTemperatureSetpoint[1] to instrumentationAndSensing.
317     ↪ instrumentationUnit1.newTemperatureSetpoint;
318 connect eventControl.newTemperatureSetpoint[2] to instrumentationAndSensing.
319     ↪ instrumentationUnit2.newTemperatureSetpoint;
320 connect eventControl.newTemperatureSetpoint[3] to instrumentationAndSensing.
321     ↪ instrumentationUnit3.newTemperatureSetpoint;
322 connect eventControl.newTemperatureSetpoint[4] to instrumentationAndSensing.
323     ↪ instrumentationUnit4.newTemperatureSetpoint;
324
325 // Instrumentation saturation setpoint
326 connect eventControl.newSaturationSetpoint[1] to instrumentationAndSensing.
327     ↪ instrumentationUnit1.newSaturationSetpoint;
328 connect eventControl.newSaturationSetpoint[2] to instrumentationAndSensing.
329     ↪ instrumentationUnit2.newSaturationSetpoint;
330 connect eventControl.newSaturationSetpoint[3] to instrumentationAndSensing.
331     ↪ instrumentationUnit3.newSaturationSetpoint;
332 connect eventControl.newSaturationSetpoint[4] to instrumentationAndSensing.
333     ↪ instrumentationUnit4.newSaturationSetpoint;
334
335 // Instrumentation trip mode
336 // Bypass temperature
337 connect eventControl.tripMode[1] to instrumentationAndSensing.instrumentationUnit1.
338     ↪ tripMode;
339 connect eventControl.tripMode[2] to instrumentationAndSensing.instrumentationUnit2.
340     ↪ tripMode;
341 connect eventControl.tripMode[3] to instrumentationAndSensing.instrumentationUnit3.
342     ↪ tripMode;
343 connect eventControl.tripMode[4] to instrumentationAndSensing.instrumentationUnit4.
344     ↪ tripMode;
345
346 // Trip on pressure above the setpoint
347 // Actuation unit 1
348 connect instrumentationAndSensing.instrumentationUnit1.pressureTripOut to actuation.
349     ↪ actuationUnit1.pressureLogic.channel1;
350 connect instrumentationAndSensing.instrumentationUnit2.pressureTripOut to actuation.
351     ↪ actuationUnit1.pressureLogic.channel2;
352 connect instrumentationAndSensing.instrumentationUnit3.pressureTripOut to actuation.
353     ↪ actuationUnit1.pressureLogic.channel3;

```

```

331   connect instrumentationAndSensing.instrumentationUnit4.pressureTripOut to actuation.
332     ↢ actuationUnit1.pressureLogic.channel4;
333 // Actuation unit 2
334   connect instrumentationAndSensing.instrumentationUnit1.pressureTripOut to actuation.
335     ↢ actuationUnit2.pressureLogic.channel1;
336   connect instrumentationAndSensing.instrumentationUnit2.pressureTripOut to actuation.
337     ↢ actuationUnit2.pressureLogic.channel2;
338   connect instrumentationAndSensing.instrumentationUnit3.pressureTripOut to actuation.
339     ↢ actuationUnit2.pressureLogic.channel13;
340   connect instrumentationAndSensing.instrumentationUnit4.pressureTripOut to actuation.
341     ↢ actuationUnit2.pressureLogic.channel4;
342
343 // Trip on temperature above the setpoint
344 // Actuation unit 1
345   connect instrumentationAndSensing.instrumentationUnit1.temperatureTripOut to actuation.
346     ↢ actuationUnit1.temperatureLogic.channel1;
347   connect instrumentationAndSensing.instrumentationUnit2.temperatureTripOut to actuation.
348     ↢ actuationUnit1.temperatureLogic.channel2;
349   connect instrumentationAndSensing.instrumentationUnit3.temperatureTripOut to actuation.
350     ↢ actuationUnit1.temperatureLogic.channel3;
351   connect instrumentationAndSensing.instrumentationUnit4.temperatureTripOut to actuation.
352     ↢ actuationUnit1.temperatureLogic.channel4;
353
354 // Trip on saturation above the setpoint
355 // Actuation unit 1
356   connect instrumentationAndSensing.instrumentationUnit1.saturationTripOut to actuation.
357     ↢ actuationUnit1.saturationLogic.channel1;
358   connect instrumentationAndSensing.instrumentationUnit2.saturationTripOut to actuation.
359     ↢ actuationUnit1.saturationLogic.channel2;
360   connect instrumentationAndSensing.instrumentationUnit3.saturationTripOut to actuation.
361     ↢ actuationUnit1.saturationLogic.channel3;
362   connect instrumentationAndSensing.instrumentationUnit4.saturationTripOut to actuation.
363     ↢ actuationUnit1.saturationLogic.channel4;
364
365 }
366 } // package id RTS_System_Arch 'RTS System Architecture'
367 } // package id Architecture 'RTS Architecture'

```

## D.14 RTS Viewpoints

Listing D.14: Listing SysML Model of RTS\_Viewpoints.

```

1 import Views::*;
2
3 package 'RTS Viewpoints and Views' {

```

```

4   import 'RTS Stakeholders'::*;
5
6   // Viewpoints and view definitions specify the different points of view
7   // that a system may be viewed from, and which parts of the system model
8   // attend to each view. We will specify viewpoints for a few kinds
9   // of NRC actors, various kinds of HARDENS performers, various kinds of
10  // other Galois employees who are interested in this project and its
11  // outcomes, and other government and industry parties interested in RDE.
12
13  viewpoint 'NRC General Customer Viewpoint' {}
14
15  view def 'NRC General Customer View Definition' {}
16
17  viewpoint 'NRC Assurance Customer Viewpoint' {}
18
19  view def 'NRC Assurance Customer View Definition' {}
20
21  viewpoint 'Galois Performer Viewpoint' {}
22
23  view def 'Galois Performer View Definition' {}
24
25  view 'Galois PI View' : 'Galois Performer View Definition' {}
26
27  view 'Galois PL View' : 'Galois Performer View Definition' {}
28
29  view 'Galois Software Engineer View' : 'Galois Performer View Definition' {}
30
31  view 'Galois Hardware Engineer View' : 'Galois Performer View Definition' {}
32
33  view 'Galois Assurance Engineer View' : 'Galois Performer View Definition' {}
34
35  viewpoint 'Galois Principal View' {}
36
37  viewpoint 'Galois Executive View' {}
38
39  viewpoint 'Galois Customer Specialist View' {}
40
41  viewpoint 'Galois Research Engineering View' {}
42
43  viewpoint 'General Party interested in Rigorous Digital Engineering' {}
44 }

```

## D.15 Semantic Properties

Listing D.15: SysMLv2 Model of Semantic Properties.

```

1  /** Semantic properties are annotation to model and system artifacts
2   * used to semantically markup those artifacts for documentation,
3   * traceability, and more. */
4 package 'Semantic Properties' {
5   doc /* Semantic Properties are used to document arbitrary
6       constructs in our specifications and implementations.
7       @see https://www.kindofsoftware.com/documents/whitepapers/code_standards/properties.
8           ↪ html
9   */
10  import ScalarValues::*;

11  attribute def id SP 'Semantic Property';
12  attribute def id SPD 'Semantic Property with Description' :>
13    'Semantic Property' {
14    attribute description: String;
15  }

```

```

16    attribute def Exception :> String;
17
18 package 'Meta,Information' {
19     attribute def Author :> SP {
20         author: String;
21     }
22     attribute def Lando :> SP {
23         summary: String;
24     }
25     attribute def Bug :> SPD;
26     attribute def Copyright :> SP {
27         copyright: String;
28     }
29     attribute def Description :> SPD;
30     attribute def History :> SPD;
31     attribute def License :> SP {
32         license: String;
33     }
34     attribute def Title :> SP {
35         title: String;
36     }
37 }
38
39 attribute def 'Author Description Scope Triple' :> SPD {
40     import 'Meta,Information'::*;
41     attribute author: Author;
42     attribute scope: Boolean;
43 }
44 package 'Pending Work' {
45     attribute def Idea :> 'Author Description Scope Triple' {
46         classifier: String;
47     }
48     attribute def Review :> 'Author Description Scope Triple';
49     attribute def Todo :> 'Author Description Scope Triple';
50 }
51
52 attribute def 'Rich Assertion' :> SPD {
53     attribute label: String;
54     attribute expression: Boolean;
55     attribute exception : Exception;
56 }
57
58 attribute def 'Expression Description Pair' :> SPD {
59     attribute expression: Boolean;
60 }
61
62 package 'Formal Specifications' {
63     import Collections::*;
64     enum def 'Modifies Frame' {
65         SINGLE_ASSIGNMENT;
66         QUERY;
67         EXPRESSION;
68     }
69     attribute def Ensures :> 'Rich Assertion';
70     attribute def Generate :> 'Expression Description Pair';
71     attribute def Invariant :> 'Expression Description Pair' {
72         exception: Exception;
73     }
74     attribute def Modify :> 'Expression Description Pair' {
75         enum kind: 'Modifies Frame';
76     }
77     attribute def requires :> 'Rich Assertion';
78 }
79
80 package 'Concurrency Control' {
81     import Collections::*;

```

```

82     attribute def Locks :> Set;
83     attribute def Timeout {
84         attribute timeout: Natural;
85         attribute exception: String;
86     }
87     attribute def 'Concurrency Semantic Property' :> 'Semantic Property' {
88         attribute locks: Locks;
89         attribute failure: Exception;
90         attribute atomic: Boolean;
91         attribute special: String;
92         attribute timeout: Timeout;
93     }
94     attribute def Concurrent :> 'Concurrency Semantic Property' {
95         attribute threadcountlimit: Positive;
96         attribute broken: Boolean;
97     }
98     attribute def Sequential :> 'Concurrency Semantic Property';
99     attribute def Guarded :> 'Concurrency Semantic Property' {
100         attribute semaphore_count: Positive;
101     }
102 }
103
104 package 'Usage Information' {
105     attribute def 'Parameter Spec' {
106         parameter_name: String;
107         precondition: Boolean;
108         description: String;
109     }
110     attribute def Return :> String;
111     attribute def Exception :> 'Expression Description Pair' {
112         exception: Exception;
113     }
114 }
115
116 package Versioning {
117     attribute def Version :> String;
118     attribute def Deprecated :> String;
119     attribute def Since :> String;
120 }
121
122 attribute def 'Feature Name Description Pair' {
123     feature_name: String;
124     description: String;
125 }
126
127 package Inheritance {
128     attribute def Hides :> 'Feature Name Description Pair';
129     attribute def Overrides :> 'Feature Name Description Pair';
130 }
131
132 package Documentation {
133     attribute def Design :> 'Author Description Scope Triple';
134     attribute def Equivalent :> String;
135     attribute def Example :> String;
136     attribute def See :> String;
137 }
138
139 package Dependencies {
140     import Collections::*;

141     attribute def References :> 'Expression Description Pair';
142     // Note that we rename 'use' to 'uses' to avoid SysML keyword conflict.
143     attribute def Uses :> 'Expression Description Pair';
144 }
145
146 package Miscellaneous {
147     attribute def Guard :> 'Expression Description Pair';
148     attribute def Values :> 'Expression Description Pair';

```

```
148     attribute def 'Time Complexity' :> 'Expression Description Pair';
149     attribute def 'Space Complexity' :> 'Expression Description Pair';
150   }
151 }
```

# Appendix E

# Cryptol Model

## E.1 Top-level RTS Cryptol model

Listing E.1: Listing Cryptol Model of RTS.

```
1 // HARDENS Reactor Trip System (RTS)
2 // A formal model of RTS behavior written in the Cryptol DSL.
3 //
4 // @author Alex Bakst <abakst@galois.com>
5 // @created November, 2021
6 // @refines HARDENS.sysml
7 // @refines RTS.lando
8 // @refines RTS_Requirements.json
9
10 module RTS where
11
12 import RTS::Utils
13 import RTS::InstrumentationUnit
14 import RTS::InstrumentationUnit as I
15 import RTS::ActuationUnit
16 import RTS::ActuationUnit as AU
17 import RTS::Actuator
18 import RTS::Actuator as A
19
20 type Device = [1](Device (?? on page ??))
21 type Division = [2]
22 type Logic = [1]
23
24 D0, D1: Device
25 D0 = 0
26 D1 = 1
27
28 type EventType = [2]
29 // Event Type Values
30 EVENT_MAINTENANCE, EVENT_TRIP_MODE, EVENT_SETPOINT, EVENT_ACTUATE : EventType
31 EVENT_MAINTENANCE = 0
32 EVENT_TRIP_MODE = 1
33 EVENT_SETPOINT = 2
34 EVENT_ACTUATE = 3
35
36 type RTS = (RTS (?? on page ??), RTS (?? on page ??), RTS (line 224 on
37     page 156))
38 { control: Control,
39   instrumentation: Instrumentation
```

```

39     , actuation: Actuation
40     , ui: UI
41   }
42
43 type UI =
44 { instrumentation_values: [4][NChannels][32]
45   , instrumentation_bypass: [4][NChannels]
46   , instrumentation_trip: [4][NChannels]
47 }
48
49 type Control =
50 { self_test: Bit // Are we running an end-to-end test?
51   , self_test_instrs: [2]Division // Which instrumentation units are we poking?
52   , self_test_channel: Channel // Which channel are we poking?
53   , self_test_logic: Logic // Which actuation logic unit are we observing?
54   , self_test_dev: Device // Which actuator are we observing?
55   , self_test_timer: [32]
56   , self_test_fail: Bit
57 }
58
59 type Actuation =
60 { units: [2]ActuationUnit
61   , actuators: [2]Actuator
62 }
63
64 type Instrumentation =
65 { units: [4]InstrumentationUnit }
66
67 type Event =
68 { event: EventType // The event tag
69   , ch: Channel // Which channel
70   , dev: Device // Which device
71   , unit: Division // Which Instrumentation unit
72   , setpoint: [32]
73   , mode: I::Mode
74   , on_off: Bit
75 }
76
77 // @refines ControlUnit
78 Event_Control: Event -> RTS -> RTS
79 Event_Control e rts =
80   if e.event == EVENT_MAINTENANCE then
81     on_instr_units rts (\units -> update units (e.unit) (Set_Maintenance e.on_off (units @ e.
82       → unit)))
83   else if (e.event == EVENT_TRIP_MODE) && (ch < 'NChannels) && (e.mode < 'NModes) then
84     on_instr_units rts (\units -> update units (e.unit) (Set_Mode ch e.mode (units @ e.unit))
85       → )
86   else if (e.event == EVENT_SETPOINT) && (ch < 'NChannels) then
87     on_instr_units rts (\units -> update units (e.unit) (Set_Setpoint ch e.setpoint (units @
88       → e.unit)))
89   else if (e.event == EVENT_ACTUATE) then
90     {rts| actuation =
91       {rts.actuation | actuators = update rts.actuation.actuators dev (SetManual e.on_off (
92         → rts.actuation.actuators @ dev))} }
93
94   else rts
95   where
96     ch : Channel
97     ch = e.ch
98     dev : Device
99     dev = e.dev
100
101   on_instr_units r f = {r|instrumentation = {units = f r.instrumentation.units }}

Sense_Actuate:
[4]I::Input ->
[4]I::Command ->

```

```

101    RTS ->
102    RTS
103 Sense_Actuate inputs icmds rts =
104   { rts | control = { rts.control | self_test_fail = test_fail }
105     , instrumentation = { units = instrumentation' }
106     , actuation = { units = actuation_logic', actuators = actuators' }
107   }
108 where
109   // The two instrumentation units under test
110   i0 = rts.control.self_test_instrs @ 0
111   i1 = rts.control.self_test_instrs @ 1
112   test_ch = rts.control.self_test_channel
113   test_dev = rts.control.self_test_dev
114   test_logic = rts.control.self_test_logic
115
116   // Each instrumentation unit runs
117   instrumentation' = [ I::Step input cmd i | i <- rts.instrumentation.units | input <-
118     → inputs | cmd <- icmds ]
119   output_trips: [3][4]TripPort
120   output_trips = [[ instr.output_trip @ ch | instr <- instrumentation' ] | ch <- [0..2]]
121
122   // Mask trips from the instrs under test at the channel under test. This is passed
123   // to the voting components _not_ under test (so that we do not count any test-generated
124   // → trips)
125   output_trips_masked, output_trips_test: [3][4]TripPort
126   output_trips_masked = MaskTripFrom (\i ch -> elem i [i0, i1] && (ch == test_ch))
127   output_trips_test = MaskTripFrom (\i ch -> ~ (elem i [i0, i1] && (ch == test_ch)))
128   → output_trips
129
130   // Now run the voting logic
131   actuation_logic': [2]ActuationUnit
132   actuation_logic' = [ AU::TripInput (Select_trips 1) logic | logic <- rts.actuation.units
133     → | 1 <- [0..1] ]
134
135   // Mask out the output of the voting unit we are *not* testing, and then use *this* value
136   // for testing device actuation
137   test_actuation_logic : [2]ActuationUnit
138   test_actuation_logic = [ { output = [ if (test_logic == 1) && (test_dev == d) then logic.
139     → output @ d else 0 | d <- [0..1] ]
140       | logic <- actuation_logic' | 1 <- [0..1]
141     ]
142
143   Select_trips 1 = if rts.control.self_test then
144     (if 1 == test_logic then output_trips_test else output_trips_masked)
145   else
146     output_trips
147
148   // This is the output to the devices
149   actuators' : [2]Actuator
150   actuators' = [ A::SetInput (A::ActuateActuator [ logic.output @ d | logic <-
151     → actuation_logic' ]) a | a <- rts.actuation.actuators | d <- [0...]
152
153   actuators_test : [2]Actuator
154   actuators_test = [ A::SetInput (A::ActuateActuator [ logic.output @ d | logic <-
155     → test_actuation_logic ]) a | a <- rts.actuation.actuators | d <- [0...]
156
157   old_vote = (rts.actuation.units @ test_logic).output @ test_dev
158   expect = (old_vote != 0) || ShouldActuate test_ch inputs rts.instrumentation.units [i0,i1
159     → ]
160   test_fail = expect != (actuators_test @ test_dev).input
161
162   // @review kiniry Shouldn't this/these be private?
163   MaskTripFrom: {idx} (Integral idx, Literal 0 idx) =>
164     (idx -> Channel -> Bit) -> [3][4][8] -> [3][4][8]
165   MaskTripFrom p trips =
166     [ [ if p j ch then 0 else ch_trip | ch_trip <- trip | j <- [0...]

```

```

159 |     | trip <- trips
160 |     | ch <- [0..2]
161 |
162
163 Test_Instrumentation : {n} (fin n) =>
164   [n](8), [2][32], Channel) -> [2] -> RTS -> RTS
165 Test_Instrumentation tests i rts = {rts | control = {rts.control|self_test_fail = ~ (all
166   ↪ Run_test tests)}}
167 where
168   Run_test: ([8],[2][32],Channel) -> Bit
169   Run_test (trip,vals,ch) = (rts.instrumentation.units @ i)
170     >>> Set_Maintenance True
171     >>> Set_Mode ch Operate
172     >>> Set_Maintenance False
173     >>> (\in -> I::Step vals I::NoCommand in)
174     >>> (\in -> trip == (in.output_trip @ ch))
175
176 Test_Voting: {n} (fin n) => [n](Bit, [1], AU::Input) -> [1] -> RTS -> RTS
177 Test_Voting tests l rts = {rts | control = {rts.control|self_test_fail = ~ (all Run_test
178   ↪ tests)}}
179 where
180   Run_test (on,d,trips) = (rts.actuation.units @ 1)
181     >>> AU::TripInput trips
182     >>> \a -> (a.output @ d) == on
183
184 SelfTestOracle: [4]I::Input -> [4][3][32] -> [2][2] -> [2]
185 SelfTestOracle inputs setpoints [i0,i1] = [(ts == 0b11) || (ps == 0b11), ss == 0b11]
186 where
187   ts,ps,ss:[2]
188   ts = [ValueShouldTrip T i s | i <- inputs @@ [i0,i1] | s <- setpoints @@ [i0,i1]]
189   ps = [ValueShouldTrip P i s | i <- inputs @@ [i0,i1] | s <- setpoints @@ [i0,i1]]
190   ss = [ValueShouldTrip S i s | i <- inputs @@ [i0,i1] | s <- setpoints @@ [i0,i1]]
191
192 // Helpful for testcase generation. The 'off' parameter is used
193 // to generate a second instrumentation division ID that's guaranteed
194 // to be different from the first one (i1)
195 SelfTestOracleHalf: [4][2][16] -> [4][3][16] -> [2] -> [2] -> [2]
196 SelfTestOracleHalf inputs setpoints i1 off =
197   SelfTestOracle (map (map extend) inputs) (map (map extend) setpoints) [i1, i2]
198 where
199   i2 = i1 + 1 + (off % 3)
200   extend v = zero # v
201
202 private
203   property sense_to_actuate_0 rts (sensors : [4][2][32]) cmd = {
204     ~rts.control.self_test ==> (
205       sum [ if Is_Tripped T i then 1 else 0 | i <- rts.instrumentation.units ] >= 2
206       ∨ sum [ if Is_Tripped P i then 1 else 0 | i <- rts.instrumentation.units ] >= 2
207       ∨ or [ a.output @ D0 | a <- rts.actuation.units ]
208       /* ----- */
209       (rts'.actuation.actuators @ D0).input
210     )
211   where
212     rts' = rts >>> Sense_Actuate sensors cmd
213
214   property sense_to_actuate_1 rts (sensors : [4][2][32]) cmd = {
215     ~rts.control.self_test ==> (
216       sum [ if Is_Tripped S i then 1 else 0 | i <- rts.instrumentation.units ] >= 2
217       ∨ or [ a.output @ D1 | a <- rts.actuation.units ]
218       /* ----- */
219       (rts'.actuation.actuators @ D1).input
220     )
221   where
222     rts' = rts >>> Sense_Actuate sensors cmd
223
224   property end_to_end_test (ch : [2]) rts i1 i2 vote sensors =

```

```

223   ( ~rts.control.self_test_fail
224     ^ (i1 != i2)
225     ^ and [ (a.output == 0) | a <- rts.actuation.units ]
226     ^ (ch < 3 /* not provable if ch == S */)// ^ (ch != S) // Add this to make it
227     → provable
228   /* ----- */
229   ~rts'.control.self_test_fail
230   where
231     rts' = RunEndToEnd rts i1 i2 ch vote (repeat sensors)
232
233   property end_to_end_test_non_interference (ch : [2]) rts (sensors: [4][2][32]) =
234     (~ rts.control.self_test_fail
235      // Start in a state where we haven't actuated
236      ^ and [ (a.output == 0) | a <- rts.actuation.units ]
237      ^ ch < 3
238      // Check if enough of the non-tested instrumentation (which may be all of them!) thinks
239      → we should
240      // actuate
241      ^ sum [ if (~rts.control.self_test || ~elem i [i1,i2]) && ChShouldTrip ch vs instr
242        → then 1 else 0
243        | vs <- sensors
244        | instr <- rts.instrumentation.units
245        | i <- [0...]
246        ] >= 2
247   /* ----- */
248   (rts'.actuation.actuators @ (if ch == S then D1 else D0)).input
249   where
250     i1 = rts.control.self_test_instrs@0
251     i2 = rts.control.self_test_instrs@1
252     rts' = rts >>> Sense_Actuate sensors (repeat I::NoCommand)
253
254   property test_instrumentation_ok i rts vs (ch : Channel) =
255     ~ (rts.control.self_test_fail) ==>
256       (ch < 3) ==
257       (~Test_Instrumentation [(pass, vs, ch)] i rts).control.self_test_fail)
258   where
259     pass: [8]
260     pass = if ChShouldTrip ch vs {(rts.instrumentation.units @ i) | mode = repeat Operate
261       → } then 1 else 0
262
263   property test_voting_ok d ts l rts =
264     (~rts.control.self_test_fail && and [ a.output == 0 | a <- rts.actuation.units ]) ==>
265     ~ ((Test_Voting [(expect, d, ts)] l rts).control.self_test_fail)
266   where
267     expect =
268       if d == DO then
269         (sum [ if (t != 0) then 1 else 0 | t <- ts @ T ] >= 2)
270         || (sum [ if (t != 0) then 1 else 0 | t <- ts @ P ] >= 2)
271       else
272         sum [ if (t != 0) then 1 else 0 | t <- ts @ S ] >= 2
273
274   I : ([4]InstrumentationUnit -> [4]InstrumentationUnit) -> RTS -> RTS
275   I f rts = {rts|instrumentation = { units = f rts.instrumentation.units }}
276
277   RunEndToEnd rts i1 i2 ch vote sensors = rts'
278   where
279     mkTestCore : [4]InstrumentationUnit -> Control
280     mkTestCore instrs = {rts.control| self_test = True,
281                           self_test_instrs = [i1, i2],
282                           self_test_channel = ch,
283                           self_test_logic = vote,
284                           self_test_dev = dev }
285     dev = if (ch == T) || (ch == P) then DO else D1
286     rts' = rts

```

```

284     >>> I (\instrs -> [ if (i == i1) || (i == i2) then Set_Maintenance True instr else
285         ↪ instr | instr <- instrs | i <- [0..3] ])
286     >>> I (\instrs -> [ if (i == i1) || (i == i2) then Set_Mode ch Operate instr else
287         ↪ instr | instr <- instrs | i <- [0..3] ])
288     >>> (\r -> {r | control = (mkTestCore r.instrumentation.units) })
289     >>> Sense_Actuate sensors cmds
290     cmds = repeat I::NoCommand
291
292 ShouldActuate: Channel -> [4][2][32] -> [4]InstrumentationUnit -> [2][2] -> Bit
293 ShouldActuate ch sensors instrumentation test_instrs =
294     numBits [ ChShouldTrip ch vs instr
295             | vs <- sensors @@ test_instrs | instr <- instrumentation @@ test_instrs ] >= 2
296
297 ChShouldTrip ch vs instr =
298     if In_Mode ch Operate instr then
299         ValueShouldTrip ch vs (instr.setpoints)
300     else
301         In_Mode ch Manual instr
302
303     ValueShouldTrip ch vs sp =
304         if (ch == T) || (ch == P)
305             then (sp @ ch) < (vs @ ch)
306         else (sp @ ch) >$ Saturation (vs @ T) (vs @ P)
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334

```

## E.2 Cryptol model of the Actuation Unit

Listing E.2: Listing Cryptol Model of ActuationUnit.

```

1 // HARDENS Reactor Trip System (RTS) Actuation Unit
2 // A formal model of RTS Actuation Unit behavior written in the
3 // Cryptol DSL.
4 //
5 // @author Alex Bakst <abakst@galois.com>
6 // @created November, 2021
7 // @refines HARDENS.sysml
8 // @refines RTS.lando
9 // @refines RTS_Requirements.json
10
11 module RTS::ActuationUnit where
12
13 import RTS::Utils
14 import RTS::InstrumentationUnit
15
16 type Input = [3][4]TripPort
17 type ActuationPort = Bit
18 type ActuationUnit = { output: [2]ActuationPort }
19 type CoincidenceLogic = [4]TripPort -> Bit
20 type OrLogic = [2] -> Bit
21
22 TripInput: [3][4]TripPort -> ActuationUnit -> ActuationUnit
23 TripInput trips actuationUnit =
24     { output = [ d0, d1 ] }
25     where
26         d0 = Actuate_D0 trips (actuationUnit.output @ 0)
27         d1 = Actuate_D1 trips (actuationUnit.output @ 1)
28
29 Actuate_D0: Input -> Bit -> Bit
30 Actuate_D0 trips old = d0 || old
31     where
32         d0 = TempPressureTripOut [TemperatureLogic temperatureTrips,
33                                     PressureLogic pressureTrips]
34         temperatureTrips = trips @ (0:[2])

```

```

35     pressureTrips = trips @ (1:[2])
36
37 Actuate_D1: Input -> Bit -> Bit
38 Actuate_D1 trips old = d1 || old
39   where
40     d1 = SaturationLogic saturationTrips
41     saturationTrips = trips @ (2:[2])
42
43 TemperatureLogic: [4]TripPort -> Bit
44 TemperatureLogic ts = Coincidence_2_4 ts
45
46 PressureLogic: [4]TripPort -> Bit
47 PressureLogic ts = Coincidence_2_4 ts
48
49 SaturationLogic: [4]TripPort -> Bit
50 SaturationLogic ts = Coincidence_2_4 ts
51
52 TempPressureTripOut: [2] -> Bit
53 TempPressureTripOut ts = (ts @ (0:[1])) || (ts @ (1:[1]))
54
55 private
56   Coincidence_2_4 : [4]TripPort -> Bit
57   Coincidence_2_4 x =
58     (a&&b) || ((a||b) && (c||d)) || (c&&d)
59   where
60     a = (x @ (0:[2])) != 0
61     b = (x @ (1:[2])) != 0
62     c = (x @ (2:[2])) != 0
63     d = (x @ (3:[2])) != 0
64
65   count : {n} (fin n, n >= 1) => [n] -> [width n]
66   count bs = sum [ if b then 1 else 0 | b <- bs ]
67
68 /** @requirements
69   ACTUATION_LOGIC_VOTE_TEMPERATURE
70 */
71 property actuation_logic_vote_temperature (inp: Input) =
72   (count [i != 0 | i <- (inp @ T)] >= 2) == TemperatureLogic (inp @ T)
73
74 /** @requirements
75   ACTUATION_LOGIC_VOTE_PRESSURE
76 */
77 property actuation_logic_vote_pressure (inp: Input) =
78   (count [i != 0 | i <- (inp @ P)] >= 2) == PressureLogic (inp @ P)
79
80 /** @requirements
81   ACTUATION_LOGIC_VOTE_SATURATION
82 */
83 property actuation_logic_vote_saturation (inp: Input) =
84   (count [i != 0 | i <- (inp @ S)] >= 2) == SaturationLogic (inp @ S)
85
86 /** @requirements
87   ACTUATION_LOGIC_DEVICE_0
88   ACTUATION_LOGIC_VOTE_DEVICE_0
89   ACTUATION_LOGIC_VOTE_MANUAL_DEVICE_0
90 */
91 property actuation_logic_device_0 (inp: Input) (act: ActuationUnit) =
92   act.output @ 0
93   ∨ TempPressureTripOut [TemperatureLogic (inp @ T), PressureLogic (inp @ P)]
94   == /* ----- */
95   act'.output @ 0
96   where act' = TripInput inp act
97
98 /** @requirements
99   ACTUATION_LOGIC_DEVICE_1
100  ACTUATION_LOGIC_VOTE_DEVICE_1

```

```

101      ACTUATION_LOGIC_VOTE_MANUAL_DEVICE_1
102      */
103      property actuation_logic_device_1 (inp: Input) (act: ActuationUnit) =
104          act.output @ 1
105          \vee SaturationLogic (inp @ S)
106          == /* ----- */
107          act'.output @ 1
108          where act' = TripInput inp act

```

### E.3 Cryptol model of the Actuator

Listing E.3: Listing Cryptol Model of Actuator.

```

1 // HARDENS Reactor Trip System (RTS) Actuator Unit
2 // A formal model of RTS Actuator behavior written in the Cryptol
3 // DSL.
4 //
5 // @author Alex Bakst <abakst@galois.com>
6 // @created November, 2021
7 // @refines HARDENS.sysml
8 // @refines RTS.lando
9 // @refines RTS_Requirements.json
10
11 module RTS::Actuator where
12
13 type Actuation = Bit
14 type Mode = Bit
15
16 /** @requirements
17     ACTUATION_LOGIC_MANUAL_DEVICE_{0,1} satisfied by definition
18 */
19 type Actuator =
20     { input: Actuation
21     , manualActuatorInput: Actuation
22     }
23
24 SetInput: Actuation -> Actuator -> Actuator
25 SetInput on actuator = {actuator | input = on}
26
27 SetManual: Actuation -> Actuator -> Actuator
28 SetManual on actuator = {actuator | manualActuatorInput = on}
29
30 ActuateActuator : [2]Actuation -> Actuation
31 ActuateActuator inputs = (inputs @ (0:[1])) || (inputs @ (1:[1]))

```

### E.4 Cryptol model of the Instrumentation Unit

Listing E.4: Listing Cryptol Model of InstrumentationUnit.

```

1 // HARDENS Reactor Trip System (RTS) Instrumentation Unit
2 // A formal model of RTS Instrumentation behavior written in the
3 // Cryptol DSL.
4 //
5 // @author Alex Bakst <abakst@galois.com>
6 // @created November, 2021
7 // @refines HARDENS.sysml
8 // @refines RTS.lando
9 // @refines RTS_Requirements.json

```

```

10
11 module RTS::InstrumentationUnit where
12
13 import RTS::Utils
14
15 type Input = [2][32]
16 type NChannels = 3
17 type Channel = [lg2 NChannels]
18 type TripPort = [8]
19 type NModes = 3
20 type Mode = [lg2 NModes]
21 type CommandType = [lg2 NCommands]
22 type NCommands = 4
23 type Command =
24   { command: CommandType
25   , channel: Channel
26   , mode: Mode
27   , setpoint: [32]
28   , on_off: Bit
29   }
30
31 Set_Mode_Cmd, Set_Maintenance_Cmd, Set_Setpoint_Cmd, Null_Cmd : CommandType
32 Set_Mode_Cmd = 0
33 Set_Maintenance_Cmd = 1
34 Set_Setpoint_Cmd = 2
35 Null_Cmd = 3
36
37 T,P,S : Channel
38 T = 0 // Temperature
39 P = 1 // Pressure
40 S = 2 // Saturation
41
42 Bypass,Operate,Manual: Mode
43 Bypass = 0 // Do not generate a "trip"
44 Operate = 1 // Generate "trip" on setpoint violation
45 Manual = 2 // Force "trip" generation
46
47 type InstrumentationUnit =
48   { setpoints: [NChannels][32]
49   , reading: [NChannels][32]
50   , mode: [NChannels]Mode
51   , sensor_trip: [NChannels]
52   , output_trip: [NChannels][8]
53   , maintenance: Bit
54   }
55
56 NoCommand: Command
57 NoCommand = { command= Null_Cmd, channel= zero, mode= zero, setpoint= zero, on_off= zero }
58
59 Initial: InstrumentationUnit
60 Initial =
61   { setpoints = zero
62   , reading = zero
63   , mode = zero
64   , sensor_trip = zero
65   , output_trip = repeat zero
66   , maintenance = "zero"
67   }
68
69 Step: Input -> Command -> InstrumentationUnit -> InstrumentationUnit
70 Step inp cmd instr =
71   Handle_Input inp instr
72   >>> Handle_Command cmd
73   >>> Step_Trip_Signals
74   >>> OutputTrips
75 where

```

```

76     OutputTrips state =
77     { state | output_trip = [ zero # [Is_Ch_Tripped (state.mode @ ch) (state.sensor_trip @
78     ↪ ch)] | ch <- [0..2] ] }
79 // @refines sensor input ports
80 Handle_Input: Input -> InstrumentationUnit -> InstrumentationUnit
81 Handle_Input sensors instr = { instr | reading = vals }
82   where
83     vals: [3][32]
84     // 0 and 1 should be T and P, but this causes problems for crymp
85     vals = [ sensors @ 0
86             , sensors @ 1
87             , Saturation (sensors @ 0) (sensors @ 1)
88           ]
89
90 // @refines mode, tripmode, setpoint input port attributes
91 Handle_Command: Command -> InstrumentationUnit -> InstrumentationUnit
92 Handle_Command cmd instr =
93   if (cmd.command == Set_Mode_Cmd) && (cmd.channel < 'NChannels) then
94     Set_Mode cmd.channel cmd.mode instr
95   else if cmd.command == Set_Maintenance_Cmd then
96     Set_Maintenance cmd.on_off instr
97   else if (cmd.command == Set_Setpoint_Cmd) && (cmd.channel < 'NChannels) then
98     Set_Setpoint cmd.channel cmd.setpoint instr
99   else
100    instr
101
102 /////////////////
103 // Queries, "Setters", "Getters", etc
104 ///////////////
105
106 Get_Reading: InstrumentationUnit -> [NChannels][32]
107 Get_Reading instr = instr.reading
108
109 In_Maintenance: InstrumentationUnit -> Bit
110 In_Maintenance instr = instr.maintenance
111
112 Set_Maintenance: Bit -> InstrumentationUnit -> InstrumentationUnit
113 Set_Maintenance on instr = { instr | maintenance = on }
114
115 Set_Mode: Channel -> Mode -> InstrumentationUnit -> InstrumentationUnit
116 Set_Mode ch mode i =
117   if In_Maintenance i && (mode <= 2) then
118     {i | mode = update i.mode ch mode}
119   else
120     i
121
122 In_Mode: Channel -> Mode -> InstrumentationUnit -> Bit
123 In_Mode ch mode instr = (instr.mode @ ch) == mode
124
125 Get_Setpoint: Channel -> InstrumentationUnit -> [32]
126 Get_Setpoint ch instr = instr.setpoints @ ch
127
128 Set_Setpoint: Channel -> [32] -> InstrumentationUnit -> InstrumentationUnit
129 Set_Setpoint ch val instr = { instr | setpoints = update instr.setpoints ch val }
130
131 Get_Tripped: InstrumentationUnit -> [NChannels][8]
132 Get_Tripped instr = [zero # [Is_Tripped T instr], zero # [Is_Tripped P instr], zero # [
133   ↪ Is_Tripped S instr]]
134
135 Is_Tripped: Channel -> InstrumentationUnit -> Bit
136 Is_Tripped ch instr = In_Mode ch Manual instr
137           || (In_Mode ch Operate instr && (instr.sensor_trip @ ch))
138
139 Is_Ch_Tripped : Mode -> Bit -> Bit
139 Is_Ch_Tripped mode sensor_tripped =

```

```

140 // @bug abakst Constants should be replaced, but this causes
141 // problems for crymp: 2 = Manual, 1 = Operate
142 (mode == 2) || ((mode == 1) && sensor_tripped)
143
144 Step_Trip_Signals:
145   InstrumentationUnit ->
146   InstrumentationUnit
147 Step_Trip_Signals state =
148   { state | sensor_trip = sensor_trips }
149   where
150     sensor_trips = Generate_Sensor_Trips state.reading state.setpoints
151
152 Saturation : [32] -> [32] -> [32]
153 Saturation t p = p - sat_pressure
154   where sat_pressure = PressureTable t
155
156 PressureTable : [32] -> [32]
157 PressureTable temp = sat_pressure
158   where
159     idx = if temp <$ 35 then 0 else (temp-35)/5
160     sat_pressure =
161       if idx < 52 then Table @ idx else Table @ (51 : [lg2 52])
162
163 // Table in 10^-5 lb/in^2
164 // https://mfathi.iut.ac.ir/sites/mfathi.iut.ac.ir/files/files_course/
165   ↪ table_of_saturation_vapor_0.pdf
166 Table: [52][32]
167 Table = [0009998,
168   0012163,
169   0014753,
170   0017796,
171   0021404,
172   0025611,
173   0030562,
174   0036292,
175   0042985,
176   0050683,
177   0059610,
178   0069813,
179   0081567,
180   0094924,
181   0110218,
182   0127500,
183   0147160,
184   0169270,
185   0194350,
186   0222300,
187   0253820,
188   0288920,
189   0328250,
190   0371840,
191   0420470,
192   0474140,
193   0533740,
194   0599260,
195   0671730,
196   0751100,
197   0838550,
198   0934000,
199   1038600,
200   1152600,
201   1277600,
202   1413200,
203   1469600,
204   1718600,
205   1892100,

```

```

205      2079100,
206      2280400,
207      2496800,
208      2731900,
209      2984000,
210      3253900,
211      3542700,
212      3854600,
213      4187500,
214      4542300,
215      4920000,
216      5325900,
217      5775200
218      ]
219
220 Generate_Sensor_Trips : [NChannels][32] -> [NChannels][32] -> [NChannels]
221 Generate_Sensor_Trips vals setpoints =
222   // @bug abakst '2' should be 'S', but this causes problems for crymp
223   // See 'Is_Ch_Tripped' above as well.
224   [ Trip vals setpoints 0, Trip vals setpoints 1, Trip vals setpoints 2 ]
225
226 Trip: [NChannels][32] -> [NChannels][32] -> Channel -> Bit
227 Trip vals setpoints ch = if ch == 2 then v <$ sp else sp < v
228   where v = vals @ ch
229   sp = setpoints @ ch
230
231 private
232   /** @requirements
233     INSTRUMENTATION_RESET
234   */
235   property instrumentation_reset =
236     In_Maintenance Initial
237     ^ In_Mode P Bypass Initial
238     ^ In_Mode T Bypass Initial
239     ^ In_Mode S Bypass Initial
240
241   /** @requirements
242     INSTRUMENTATION_TRIP_PRESSURE
243   */
244   property instrumentation_trip_pressure (inp: Input) (instr: InstrumentationUnit) =
245     In_Mode P Manual instr
246     ∨ (In_Mode P Operate instr ∧ inp @ P > Get_Setpoint P instr')
247     /* ----- */ ==
248     (Is_Tripped P instr')
249     where instr' = Handle_Input inp instr >>> Step_Trip_Signals
250
251   /** @requirements
252     INSTRUMENTATION_TRIP_TEMPERATURE
253   */
254   property instrumentation_trip_temperature (inp: Input) (instr: InstrumentationUnit) =
255     In_Mode T Manual instr
256     ∨ (In_Mode T Operate instr ∧ inp @ T > Get_Setpoint T instr')
257     /* ----- */ ==
258     (Is_Tripped T instr')
259     where instr' = Handle_Input inp instr >>> Step_Trip_Signals
260
261   /** @requirements
262     INSTRUMENTATION_TRIP_SATURATION
263   */
264   property instrumentation_trip_saturation (inp: Input) (instr: InstrumentationUnit) =
265     In_Mode S Manual instr
266     ∨ (In_Mode S Operate instr ∧ Saturation (inp @ T) (inp @ P) <$ Get_Setpoint S instr')
267     /* ----- */ ==
268     (Is_Tripped S instr')
269     where instr' = Handle_Input inp instr >>> Step_Trip_Signals
270

```

```

271  /** @requirements
272   * INSTRUMENTATION_SET_MANUAL_TRIP_TEMPERATURE
273   * INSTRUMENTATION_SET_MANUAL_TRIP_PRESSURE
274   * INSTRUMENTATION_SET_MANUAL_TRIP_SATURATION
275 */
276  property instrumentation_set_manual_trip (instr: InstrumentationUnit) =
277    In_Maintenance instr ==> (
278      (Is_Tripped T trippedT  $\vee$   $\sim$  (instr.sensor_trip @ T))
279       $\wedge$  (Is_Tripped P trippedP  $\vee$   $\sim$  (instr.sensor_trip @ P))
280       $\wedge$  (Is_Tripped S trippedS  $\vee$   $\sim$  (instr.sensor_trip @ S))
281    )
282  where
283    trippedT = Set_Mode T Manual instr
284    trippedP = Set_Mode P Manual instr
285    trippedS = Set_Mode S Manual instr
286
287  /** @requirements
288   * INSTRUMENTATION_SET_SETPOINT_TEMPERATURE
289   * INSTRUMENTATION_SET_SETPOINT_PRESSURE
290   * INSTRUMENTATION_SET_SETPOINT_SATURATION
291 */
292  property get_set_setpoint_correct (instr: InstrumentationUnit) (val: [32]) =
293    Get_Setpoint T (Set_Setpoint T val instr) == val
294     $\wedge$  Get_Setpoint P (Set_Setpoint P val instr) == val
295     $\wedge$  Get_Setpoint S (Set_Setpoint S val instr) == val
296
297  /** @requirements
298   * INSTRUMENTATION_SET_BYPASS_TEMPERATURE
299   * INSTRUMENTATION_SET_BYPASS_PRESSURE
300   * INSTRUMENTATION_SET_BYPASS_SATURATION
301 */
302  property set_bypass_correct (instr: InstrumentationUnit) =
303    In_Maintenance instr ==> (
304       $\sim$  Is_Tripped T (Set_Mode T Bypass instr)
305       $\wedge$   $\sim$  Is_Tripped P (Set_Mode P Bypass instr)
306       $\wedge$   $\sim$  Is_Tripped S (Set_Mode S Bypass instr)
307    )
308
309  property step_state_const (inp: Input) (instr: InstrumentationUnit) =
310    instr.mode == instr'.mode
311     $\wedge$  instr.setpoints == instr'.setpoints
312     $\wedge$  instr.maintenance == instr'.maintenance
313    where instr' = Handle_Input inp instr >>> Step_Trip_Signals
314
315  // Not connected to a high level requirement because this simply establishes
316  // the connection between 'Is_Tripped' and 'Is_Ch_Tripped' (which is more
317  // convenient for synthesis)
318  property is_ch_trip_correct instr =
319    Is_Tripped T instr == Is_Ch_Tripped (instr.mode @ T) (instr.sensor_trip @ T)
320     $\wedge$  Is_Tripped P instr == Is_Ch_Tripped (instr.mode @ P) (instr.sensor_trip @ P)
321     $\wedge$  Is_Tripped S instr == Is_Ch_Tripped (instr.mode @ S) (instr.sensor_trip @ S)

```

## E.5 Cryptol Utility Functions

Listing E.5: Listing Cryptol Model of Utils.

```

1  // HARDENS Reactor Trip System (RTS) Utility Functions
2  // In support of a formal model of RTS system behavior written in the
3  // Cryptol DSL.
4  //
5  // @author Alex Bakst <abakst@galois.com>
6  // @created November, 2021

```

```

7
8 module RTS::Utils where
9
10 infixl 5 >>>
11 (>>>) x f = f x
12
13 numBits: {n} (fin n) => [n] -> Integer
14 numBits lst = sum [ if b then 1 else 0 | b <- lst ]

```

## E.6 SAW Model

### E.6.1 SAWscript to test the Actuator

Listing E.6: Listing Saw Model of actuator.

```

1 include "common.saw";
2
3 cryptol_add_path "../models";
4
5 actuator_cryp <- cryptol_load "../models/RTS/Actuator.cry";
6 actuator_gen <- llvm_load_module "generated/actuator_impl.bc";
7
8 let actuate_actuator_ref = {{ actuator_cryp::ActuateActuator }};
9
10 let actuate_actuator_spec = do {
11   input <- llvm_fresh_var "inp" (llvm_int 8);
12   let expected = {{ (zero # [actuate_actuator_ref (take (reverse input))]) : [8] }};
13   llvm_execute_func [llvm_term input];
14   llvm_return (llvm_term expected);
15 };
16
17 llvm_verify actuator_gen "ActuateActuator" [] false actuate_actuator_spec z3;

```

### E.6.2 SAWscript to test the Actuation Unit

Listing E.7: Listing Saw Model of actuation\_unit.

```

1 include "common.saw";
2
3 cryptol_add_path "../models";
4
5 actuate_unit_cryp <- cryptol_load "../models/RTS/ActuationUnit.cry";
6 actuate_unit_gen <- llvm_load_module "generated/actuation_unit_impl.bc";
7
8 let actuate_d0_ref = {{ actuate_unit_cryp::Actuate_D0 }};
9 let actuate_d1_ref = {{ actuate_unit_cryp::Actuate_D1 }};
10
11 let actuate_d_spec f = do {
12   (trips, ptr_trips) <- ptr_to_fresh "trips" (llvm_array 3 (llvm_array 4 (llvm_int 8)));
13   old_trip <- llvm_fresh_var "old" (llvm_int 8);
14   llvm_precond {{ (old_trip == 0) || (old_trip == 1) }};
15   llvm_execute_func [ptr_trips, llvm_term old_trip];
16   let expected = {{ (zero # [f trips (0 != old_trip)]) : [8] }};
17   llvm_return (llvm_term expected);
18 };
19
20 let actuate_d0 = actuate_d_spec actuate_d0_ref;
21 let actuate_d1 = actuate_d_spec actuate_d1_ref;

```

```

22
23 llvm_verify actuate_unit_gen "Actuate_D0" [] false actuate_d0 z3;
24 llvm_verify actuate_unit_gen "Actuate_D1" [] false actuate_d1 z3;

```

### E.6.3 SAWscript to test the Instrumentation Unit

Listing E.8: Listing Saw Model of instrumentation.

```

1 include "common.saw";
2 enable_experimental;
3
4 cryptol_add_path "../models";
5
6 instrumentation_cryp <- cryptol_load "../models/RTS/InstrumentationUnit.cry";
7 instrumentation_gen <- llvm_load_module "generated/instrumentation_impl.bc";
8 instrumentation_hand <- llvm_load_module "handwritten/instrumentation_impl.bc";
9
10 let is_ch_tripped_ref = {{ instrumentation_cryp::Is_Ch_Tripped }};
11 write_verilog "Is_Ch_Tripped.v" is_ch_tripped_ref;
12
13 let generate_sensor_trips_ref = {{ instrumentation_cryp::Generate_Sensor_Trips }};
14 write_verilog "Generate_Sensor_Trips.v" generate_sensor_trips_ref;
15
16 let is_ch_tripped_spec = do {
17     mode <- llvm_fresh_var "mode" (llvm_int 8);
18     sensor_tripped <- llvm_fresh_var "sensor_tripped" (llvm_int 8);
19     llvm_precond {{ elem mode [0, 1, 2] }};
20     llvm_precond {{ elem sensor_tripped [0, 1] }};
21     llvm_execute_func [llvm_term mode, llvm_term sensor_tripped];
22     let expected = {{ (zero # [is_ch_tripped_ref (drop mode) (0 != sensor_tripped)]) : [8]
23                     → }};
24     llvm_return (llvm_term expected);
25 };
26
27 let generate_sensor_trips_spec = do {
28     (vals, ptr_vals) <- ptr_to_fresh "vals" (llvm_array 3 (llvm_int 32));
29     (setpoints, ptr_setpoints) <- ptr_to_fresh "setpoints" (llvm_array 3 (llvm_int 32));
30     llvm_precond {{ (vals @ instrumentation_cryp::S) < 0x80000000 }};
31     llvm_execute_func [ptr_vals, ptr_setpoints];
32     let reference_val = {{ generate_sensor_trips_ref vals setpoints }};
33     let expected = {{ (zero # reverse reference_val) : [8] }};
34     llvm_return (llvm_term expected);
35 };
36 llvm_verify instrumentation_gen "Is_Ch_Tripped" [] false is_ch_tripped_spec z3;
37 llvm_verify instrumentation_hand "Is_Ch_Tripped" [] false is_ch_tripped_spec z3;
38 llvm_verify instrumentation_gen "Generate_Sensor_Trips" [] false generate_sensor_trips_spec
39     ↪ z3;
40 llvm_verify instrumentation_hand "Generate_Sensor_Trips" [] false generate_sensor_trips_spec
41     ↪ z3;

```

### E.6.4 SAWscript to test the Saturation

Listing E.9: Listing Saw Model of saturation.

```

1 include "common.saw";
2 enable_experimental;
3
4 cryptol_add_path "../models";
5

```

```

6 instrumentation_cryp <- cryptol_load "../models/RTS/InstrumentationUnit.cry";
7 saturation_gen <- llvm_load_module "generated/saturation_impl.bc";
8
9 let saturation_ref = {{ instrumentation_cryp::Saturation }};
10
11 let saturation_spec = do {
12     t <- llvm_fresh_var "t" (llvm_int 32);
13     p <- llvm_fresh_var "p" (llvm_int 32);
14     llvm_execute_func [llvm_term t, llvm_term p];
15     llvm_return (llvm_term {{ saturation_ref t p }}));
16 };
17
18 llvm_verify saturation_gen "Saturation" [] false saturation_spec z3;

```

### E.6.5 SAWscript some standard definitions

Listing E.10: Listing Saw Model of common.

```

1 let alloc_init ty v = do {
2     p <- llvm_alloc ty;
3     llvm_points_to p v;
4     return p;
5 };
6
7 let ptr_to_fresh n ty = do {
8     x <- llvm_fresh_var n ty;
9     p <- alloc_init ty (llvm_term x);
10    return (x, p);
11};

```

## E.7 HDL Implementation

### E.7.1 HDL model of Instrumentation

Listing E.11: Listing Verilog Model of instrumentation\_impl.

```

1 module Is_Ch_Tripped
2     #(localparam Log2Modes = 2)
3     ( input logic [Log2Modes - 1:0] mode,
4         input logic sensor_tripped,
5         output logic out
6     );
7     assign out = (mode == 2) || ((mode == 1) & sensor_tripped);
8 endmodule
9
10 module Generate_Sensor_Trips
11     #(localparam NChannels = 3)
12     ( input logic [NChannels * 32 - 1:0] vals,
13         input logic [NChannels * 32 - 1:0] setpoints,
14         output logic [NChannels - 1:0] out
15     );
16     genvar ch;
17     for (ch = 0; ch < NChannels; ch = ch + 1) begin
18         localparam rev_ch = NChannels - ch - 1;
19         logic [31:0]v = vals[(rev_ch*32) + 31 -: 32];
20         logic [31:0]sp = setpoints[(rev_ch*32) + 31 -: 32];
21         // SAW caught a bug here, originally used
22         // 'rev_ch' in the conditional

```

```

23     if (ch == 2) begin
24         assign out[rev_ch] = $signed(v) < $signed(sp);
25     end else begin
26         assign out[rev_ch] = sp < v;
27     end
28 end
29 endmodule

```

### E.7.2 HDL model of Actuator

Listing E.12: Listing Verilog Model of actuator\_impl.

```

1 module ActuateActuator
2   ( input logic [1:0] inputs,
3     output logic out
4   );
5   // ../models/RTS/Actuator.cry:31:1--31:16
6   assign out = inputs[1] | inputs[0];
7 endmodule

```

### E.7.3 HDL model of Actuation Unit

Listing E.13: Listing Verilog Model of actuation\_unit\_impl.

```

1 module Coincidence_2_4
2   ( input logic [31:0] x,
3     output logic out
4   );
5   logic a;
6   logic b;
7   logic c;
8   logic d;
9   // ../models/RTS/ActuationUnit.cry:60:7--60:8
10  assign a = x[31:24] != 8'h0;
11  // ../models/RTS/ActuationUnit.cry:61:7--61:8
12  assign b = x[23:16] != 8'h0;
13  // ../models/RTS/ActuationUnit.cry:62:7--62:8
14  assign c = x[15:8] != 8'h0;
15  // ../models/RTS/ActuationUnit.cry:63:7--63:8
16  assign d = x[7:0] != 8'h0;
17  // ../models/RTS/ActuationUnit.cry:57:3--57:18
18  assign out = a & b | ((a | b) & (c | d) | c & d);
19 endmodule
20 module TemperatureLogic
21   ( input logic [31:0] ts,
22     output logic out
23   );
24   // ../models/RTS/ActuationUnit.cry:44:1--44:17
25   Coincidence_2_4 Coincidence_2_4_inst1 (.x(ts),
26                                         .out(out));
27 endmodule
28 module PressureLogic
29   ( input logic [31:0] ts,
30     output logic out
31   );
32   // ../models/RTS/ActuationUnit.cry:47:1--47:14
33   Coincidence_2_4 Coincidence_2_4_inst1 (.x(ts),
34                                         .out(out));
35 endmodule
36 module TempPressureTripOut

```

```

37   ( input logic [1:0] ts,
38     output logic out
39   );
40   // ../models/RTS/ActuationUnit.cry:53:1--53:20
41   assign out = ts[1] | ts[0];
42 endmodule
43 module Actuate_D0
44   ( input logic [95:0] trips,
45     input logic old,
46     output logic out
47   );
48   logic [31:0] temperatureTrips;
49   logic [31:0] pressureTrips;
50   logic d0;
51   // ../models/RTS/ActuationUnit.cry:34:5--34:21
52   assign temperatureTrips[31:0] = trips[95:64];
53   // ../models/RTS/ActuationUnit.cry:35:5--35:18
54   assign pressureTrips[31:0] = trips[63:32];
55   // ../models/RTS/ActuationUnit.cry:32:5--32:7
56   logic TemperatureLogic_out;
57   TemperatureLogic TemperatureLogic_inst1 (.ts(temperatureTrips),
58                                         .out(TemperatureLogic_out));
59   logic PressureLogic_out;
60   PressureLogic PressureLogic_inst1 (.ts(pressureTrips),
61                                     .out(PressureLogic_out));
62   TempPressureTripOut TempPressureTripOut_inst1 (.ts({TemperatureLogic_out,
63                                         ↗ PressureLogic_out}),
64                                         .out(d0));
65   // ../models/RTS/ActuationUnit.cry:30:1--30:11
66   assign out = d0 | old;
67 endmodule
68 module SaturationLogic
69   ( input logic [31:0] ts,
70     output logic out
71   );
72   // ../models/RTS/ActuationUnit.cry:50:1--50:16
73   Coincidence_2_4 Coincidence_2_4_inst1 (.x(ts),
74                                         .out(out));
75 endmodule
76 module Actuate_D1
77   ( input logic [95:0] trips,
78     input logic old,
79     output logic out
80   );
81   logic [31:0] saturationTrips;
82   logic d1;
83   // ../models/RTS/ActuationUnit.cry:41:5--41:20
84   assign saturationTrips[31:0] = trips[31:0];
85   // ../models/RTS/ActuationUnit.cry:40:5--40:7
86   SaturationLogic SaturationLogic_inst1 (.ts(saturationTrips),
87                                         .out(d1));
88   // ../models/RTS/ActuationUnit.cry:38:1--38:11
89   assign out = d1 | old;
endmodule

```

Listing E.14: Listing Verilog Model of nerv.

```

1  /*
2   * NERV -- Naive Educational RISC-V Processor
3   *
4   * Copyright (C) 2020 Claire Xenia Wolf <claire@yosyshq.com>
5   *
6   * Permission to use, copy, modify, and/or distribute this software for any
7   * purpose with or without fee is hereby granted, provided that the above
8   * copyright notice and this permission notice appear in all copies.
9   */

```

```

10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  *
18  */
19
20 module nerv #(
21     parameter [31:0] RESET_ADDR = 32'h 0000_0000,
22     parameter integer NUMREGS = 32
23 ) (
24     input clock,
25     input reset,
26     input stall,
27     output trap,
28
29 `ifdef NERV_RVFI
30     output reg rvfi_valid,
31     output reg [63:0] rvfi_order,
32     output reg [31:0] rvfi_insn,
33     output reg rvfi_trap,
34     output reg rvfi_halt,
35     output reg rvfi_intr,
36     output reg [1:0] rvfi_mode,
37     output reg [1:0] rvfi_ixl,
38     output reg [4:0] rvfi_rs1_addr,
39     output reg [4:0] rvfi_rs2_addr,
40     output reg [31:0] rvfi_rs1_rdata,
41     output reg [31:0] rvfi_rs2_rdata,
42     output reg [4:0] rvfi_rd_addr,
43     output reg [31:0] rvfi_rd_wdata,
44     output reg [31:0] rvfi_pc_rdata,
45     output reg [31:0] rvfi_pc_wdata,
46     output reg [31:0] rvfi_mem_addr,
47     output reg [3:0] rvfi_mem_rmask,
48     output reg [3:0] rvfi_mem_wmask,
49     output reg [31:0] rvfi_mem_rdata,
50     output reg [31:0] rvfi_mem_wdata,
51 `endif
52
53 // we have 2 external memories
54 // one is instruction memory
55 output [31:0] imem_addr,
56 input [31:0] imem_data,
57
58 // the other is data memory
59 output dmem_valid,
60 output [31:0] dmem_addr,
61 output [3:0] dmem_wstrb,
62 output [31:0] dmem_wdata,
63 input [31:0] dmem_rdata
64 );
65 reg mem_wr_enable;
66 reg [31:0] mem_wr_addr;
67 reg [31:0] mem_wr_data;
68 reg [3:0] mem_wr_strb;
69
70 reg mem_rd_enable;
71 reg [31:0] mem_rd_addr;
72 reg [4:0] mem_rd_reg;
73 reg [4:0] mem_rd_func;
74
75 reg mem_rd_enable_q;

```

```

76     reg [4:0] mem_rd_reg_q;
77     reg [4:0] mem_rd_func_q;
78
79 // delayed copies of mem_rd
80 always @(posedge clock) begin
81     if (!stall) begin
82         mem_rd_enable_q <= mem_rd_enable;
83         mem_rd_reg_q <= mem_rd_reg;
84         mem_rd_func_q <= mem_rd_func;
85     end
86     if (reset) begin
87         mem_rd_enable_q <= 0;
88     end
89 end
90
91 // memory signals
92 assign dmem_valid = mem_wr_enable || mem_rd_enable;
93 assign dmem_addr = mem_wr_enable ? mem_wr_addr : mem_rd_enable ? mem_rd_addr : 32'h x
94     ;
95 assign dmem_wstrb = mem_wr_enable ? mem_wr_strb : mem_rd_enable ? 4'h 0 : 4'h x;
96 assign dmem_wdata = mem_wr_enable ? mem_wr_data : 32'h x;
97
98 // registers, instruction reg, program counter, next pc
99 reg [31:0] regfile [0:NUMREGS-1];
100 wire [31:0] insn;
101 reg [31:0] npc;
102 reg [31:0] pc;
103
104 reg [31:0] imem_addr_q;
105
106 always @(posedge clock) begin
107     imem_addr_q <= imem_addr;
108 end
109
110 // instruction memory pointer
111 assign imem_addr = (stall || trap || mem_rd_enable_q) ? imem_addr_q : npc;
112 assign insn = imem_data;
113
114 // rs1 and rs2 are source for the instruction
115 wire [31:0] rs1_value = !insn_rs1 ? 0 : regfile[insn_rs1];
116 wire [31:0] rs2_value = !insn_rs2 ? 0 : regfile[insn_rs2];
117
118 // components of the instruction
119 wire [6:0] insn_funct7;
120 wire [4:0] insn_rs2;
121 wire [4:0] insn_rs1;
122 wire [2:0] insn_funct3;
123 wire [4:0] insn_rd;
124 wire [6:0] insn_opcode;
125
126 // split R-type instruction - see section 2.2 of RiscV spec
127 assign {insn_funct7, insn_rs2, insn_rs1, insn_funct3, insn_rd, insn_opcode} = insn;
128
129 // setup for I, S, B & J type instructions
130 // I - short immediates and loads
131 wire [11:0] imm_i;
132 assign imm_i = insn[31:20];
133
134 // S - stores
135 wire [11:0] imm_s;
136 assign imm_s[11:5] = insn_funct7, imm_s[4:0] = insn_rd;
137
138 // B - conditionals
139 wire [12:0] imm_b;
140 assign {imm_b[12], imm_b[10:5]} = insn_funct7, {imm_b[4:1], imm_b[11]} = insn_rd,
141     imm_b[0] = 1'b0;

```

```

140
141 // J - unconditional jumps
142 wire [20:0] imm_j;
143 assign {imm_j[20], imm_j[10:1], imm_j[11], imm_j[19:12], imm_j[0]} = {insn[31:12], 1'
144     ↪ b0};
145
146 wire [31:0] imm_i_sext = $signed(imm_i);
147 wire [31:0] imm_s_sext = $signed(imm_s);
148 wire [31:0] imm_b_sext = $signed(imm_b);
149 wire [31:0] imm_j_sext = $signed(imm_j);
150
151 // opcodes - see section 19 of RiscV spec
152 localparam OPCODE_LOAD = 7'b 00_000_11;
153 localparam OPCODE_STORE = 7'b 01_000_11;
154 localparam OPCODE_MADD = 7'b 10_000_11;
155 localparam OPCODE_BRANCH = 7'b 11_000_11;
156
157 localparam OPCODE_LOAD_FP = 7'b 00_001_11;
158 localparam OPCODE_STORE_FP = 7'b 01_001_11;
159 localparam OPCODE_MSUB = 7'b 10_001_11;
160 localparam OPCODE_JALR = 7'b 11_001_11;
161
162 localparam OPCODE_CUSTOM_0 = 7'b 00_010_11;
163 localparam OPCODE_CUSTOM_1 = 7'b 01_010_11;
164 localparam OPCODE_NMSUB = 7'b 10_010_11;
165 localparam OPCODE_RESERVED_0 = 7'b 11_010_11;
166
167 localparam OPCODE_MISC_MEM = 7'b 00_011_11;
168 localparam OPCODE_AMO = 7'b 01_011_11;
169 localparam OPCODE_NMADD = 7'b 10_011_11;
170 localparam OPCODE_JAL = 7'b 11_011_11;
171
172 localparam OPCODE_OP_IMM = 7'b 00_100_11;
173 localparam OPCODE_OP = 7'b 01_100_11;
174 localparam OPCODE_OP_FP = 7'b 10_100_11;
175 localparam OPCODE_SYSTEM = 7'b 11_100_11;
176
177 localparam OPCODE_AUIPC = 7'b 00_101_11;
178 localparam OPCODE_LUI = 7'b 01_101_11;
179 localparam OPCODE_RESERVED_1 = 7'b 10_101_11;
180 localparam OPCODE_RESERVED_2 = 7'b 11_101_11;
181
182 localparam OPCODE_OP_IMM_32 = 7'b 00_110_11;
183 localparam OPCODE_OP_32 = 7'b 01_110_11;
184 localparam OPCODE_CUSTOM_2 = 7'b 10_110_11;
185 localparam OPCODE_CUSTOM_3 = 7'b 11_110_11;
186
187 // next write, next destination (rd), illegal instruction registers
188 reg next_wr;
189 reg [31:0] next_rd;
190 reg illinsn;
191
192 reg trapped;
193 reg trapped_q;
194 assign trap = trapped;
195
196 always @* begin
197     // advance pc
198     npc = pc + 4;
199
200     // defaults for read, write
201     next_wr = 0;
202     next_rd = 0;
203     illinsn = 0;
204
205     mem_wr_enable = 0;

```

```

205     mem_wr_addr = 'hx;
206     mem_wr_data = 'hx;
207     mem_wr_strb = 'hx;
208
209     mem_rd_enable = 0;
210     mem_rd_addr = 'hx;
211     mem_rd_reg = 'hx;
212     mem_rd_func = 'hx;
213
214 // act on opcodes
215 case (insn_opcode)
216     // Load Upper Immediate
217     OPCODE_LUI: begin
218         next_wr = 1;
219         next_rd = insn[31:12] << 12;
220     end
221     // Add Upper Immediate to Program Counter
222     OPCODE_AUIPC: begin
223         next_wr = 1;
224         next_rd = (insn[31:12] << 12) + pc;
225     end
226     // Jump And Link (unconditional jump)
227     OPCODE_JAL: begin
228         next_wr = 1;
229         next_rd = npc;
230         npc = pc + imm_j_sext;
231         if (npc & 32'b 11) begin
232             illinsn = 1;
233             npc = npc & ~32'b 11;
234         end
235     end
236     // Jump And Link Register (indirect jump)
237     OPCODE_JALR: begin
238         case (insn_funct3)
239             3'b 000 /* JALR */: begin
240                 next_wr = 1;
241                 next_rd = npc;
242                 npc = (rs1_value + imm_i_sext) & ~32'b 1;
243             end
244             default: illinsn = 1;
245         endcase
246         if (npc & 32'b 11) begin
247             illinsn = 1;
248             npc = npc & ~32'b 11;
249         end
250     end
251     // branch instructions: Branch If Equal, Branch Not Equal, Branch Less
252     // Than, Branch Greater Than, Branch Less Than Unsigned, Branch
253     // Greater Than Unsigned
254     OPCODE_BRANCH: begin
255         case (insn_funct3)
256             3'b 000 /* BEQ */: begin if (rs1_value == rs2_value) npc
257                 ↪ = pc + imm_b_sext; end
258             3'b 001 /* BNE */: begin if (rs1_value != rs2_value) npc
259                 ↪ = pc + imm_b_sext; end
260             3'b 100 /* BLT */: begin if ($signed(rs1_value) <
261                 ↪ $signed(rs2_value)) npc = pc + imm_b_sext; end
262             3'b 101 /* BGE */: begin if ($signed(rs1_value) >=
263                 ↪ $signed(rs2_value)) npc = pc + imm_b_sext; end
264             3'b 110 /* BLTU */: begin if (rs1_value < rs2_value) npc
265                 ↪ = pc + imm_b_sext; end
266             3'b 111 /* BGEU */: begin if (rs1_value >= rs2_value)
267                 ↪ npc = pc + imm_b_sext; end
268             default: illinsn = 1;
269         endcase
270         if (npc & 32'b 11) begin
271             illinsn = 1;

```

```

264           npc = npc & ~32'b 11;
265       end
266   end
267 // load from memory into rd: Load Byte, Load Halfword, Load Word, Load
268 //      ↪ Byte Unsigned, Load Halfword Unsigned
269 OPCODE_LOAD: begin
270     mem_rd_addr = rs1_value + imm_i_sext;
271     casez ({insn_func3, mem_rd_addr[1:0]})
272         5'b 000_zz /* LB */,
273         5'b 001_z0 /* LH */,
274         5'b 010_00 /* LW */,
275         5'b 100_zz /* LBU */,
276         5'b 101_z0 /* LHU */: begin
277             mem_rd_enable = 1;
278             mem_rd_reg = insn_rd;
279             mem_rd_func = {mem_rd_addr[1:0], insn_func3};
280             mem_rd_addr = {mem_rd_addr[31:2], 2'b 00};
281         end
282         default: illinsn = 1;
283     endcase
284 end
285 // store to memory instructions: Store Byte, Store Halfword, Store Word
286 OPCODE_STORE: begin
287     mem_wr_addr = rs1_value + imm_s_sext;
288     casez ({insn_func3, mem_wr_addr[1:0]})
289         5'b 000_zz /* SB */,
290         5'b 001_z0 /* SH */,
291         5'b 010_00 /* SW */: begin
292             mem_wr_enable = 1;
293             mem_wr_data = rs2_value;
294             mem_wr_strb = 4'b 1111;
295             case (insn_func3)
296                 3'b 000 /* SB */: begin mem_wr_strb = 4'b
297                     ↪ 0001; end
298                 3'b 001 /* SH */: begin mem_wr_strb = 4'b
299                     ↪ 0011; end
300                 3'b 010 /* SW */: begin mem_wr_strb = 4'b
301                     ↪ 1111; end
302             endcase
303             mem_wr_data = mem_wr_data << (8*mem_wr_addr[1:0])
304             ↪ ;
305             mem_wr_strb = mem_wr_strb << mem_wr_addr[1:0];
306             mem_wr_addr = {mem_wr_addr[31:2], 2'b 00};
307         end
308         default: illinsn = 1;
309     endcase
310 end
311 // immediate ALU instructions: Add Immediate, Set Less Than Immediate,
312 //      ↪ Set Less Than Immediate Unsigned, XOR Immediate,
313 // OR Immediate, And Immediate, Shift Left Logical Immediate, Shift
314 //      ↪ Right Logical Immediate, Shift Right Arithmetic Immediate
315 OPCODE_OP_IMM: begin
316     casez ({insn_func7, insn_func3})
317         10'b zzzzzzz_000 /* ADDI */: begin next_wr = 1; next_rd
318             ↪ = rs1_value + imm_i_sext; end
319         10'b zzzzzzz_010 /* SLTI */: begin next_wr = 1; next_rd
320             ↪ = $signed(rs1_value) < $signed(imm_i_sext); end
321         10'b zzzzzzz_011 /* SLTIU */: begin next_wr = 1; next_rd
322             ↪ = rs1_value < imm_i_sext; end
323         10'b zzzzzzz_100 /* XORI */: begin next_wr = 1; next_rd
324             ↪ = rs1_value ^ imm_i_sext; end
325         10'b zzzzzzz_110 /* ORI */: begin next_wr = 1; next_rd =
326             ↪ rs1_value | imm_i_sext; end
327         10'b zzzzzzz_111 /* ANDI */: begin next_wr = 1; next_rd
328             ↪ = rs1_value & imm_i_sext; end
329         10'b 0000000_001 /* SLLI */: begin next_wr = 1; next_rd
330             ↪ = rs1_value << insn[24:20]; end

```

```

317          10'b 0000000_101 /* SRLI */: begin next_wr = 1; next_rd
318          ↪ = rs1_value >> insn[24:20]; end
319          10'b 0100000_101 /* SRAI */: begin next_wr = 1; next_rd
320          ↪ = $signed(rs1_value) >>> insn[24:20]; end
321          default: illinsn = 1;
322      endcase
323  OPCODE_OP: begin
324      // ALU instructions: Add, Subtract, Shift Left Logical, Set Left Than,
325      ↪ Set Less Than Unsigned, XOR, Shift Right Logical,
326      // Shift Right Arithmetic, OR, AND
327      case ({insn_funct7, insn_funct3})
328          10'b 0000000_000 /* ADD */: begin next_wr = 1; next_rd =
329          ↪ rs1_value + rs2_value; end
330          10'b 0100000_000 /* SUB */: begin next_wr = 1; next_rd =
331          ↪ rs1_value - rs2_value; end
332          10'b 0000000_001 /* SLL */: begin next_wr = 1; next_rd =
333          ↪ rs1_value << rs2_value[4:0]; end
334          10'b 0000000_010 /* SLT */: begin next_wr = 1; next_rd =
335          ↪ $signed(rs1_value) < $signed(rs2_value); end
336          10'b 0000000_011 /* SLTU */: begin next_wr = 1; next_rd =
337          ↪ rs1_value < rs2_value; end
338          10'b 0000000_100 /* XOR */: begin next_wr = 1; next_rd =
339          ↪ rs1_value ^ rs2_value; end
340          10'b 0000000_101 /* SRL */: begin next_wr = 1; next_rd =
341          ↪ rs1_value >> rs2_value[4:0]; end
342          10'b 0100000_101 /* SRA */: begin next_wr = 1; next_rd =
343          ↪ $signed(rs1_value) >>> rs2_value[4:0]; end
344          10'b 0000000_110 /* OR */: begin next_wr = 1; next_rd =
345          ↪ rs1_value | rs2_value; end
346          10'b 0000000_111 /* AND */: begin next_wr = 1; next_rd =
347          ↪ rs1_value & rs2_value; end
348          default: illinsn = 1;
349      endcase
350  end
351  default: illinsn = 1;
352 endcase
353
354 // if last cycle was a memory read, then this cycle is the 2nd part of it and
355 // ↪ imem_data will not be a valid instruction
356 if (mem_rd_enable_q) begin
357     npc = pc;
358     next_wr = 0;
359     illinsn = 0;
360     mem_rd_enable = 0;
361     mem_wr_enable = 0;
362
363 // reset
364 if (reset || reset_q) begin
365     npc = RESET_ADDR;
366     next_wr = 0;
367     illinsn = 0;
368     mem_rd_enable = 0;
369     mem_wr_enable = 0;
370
371     end
372
373     reg reset_q;
374     reg [31:0] mem_rdata;
375
376 'ifdef NERV_RVFI
377     reg rvfi_pre_valid;
378     reg [4:0] rvfi_pre_rd_addr;
379     reg [31:0] rvfi_pre_rd_wdata;
380
381 'endif
382
383 // mem read functions: Lower and Upper Bytes, signed and unsigned

```

```

370      always @* begin
371          mem_rdata = dmem_rdata >> (8*mem_rd_func_q[4:3]);
372          case (mem_rd_func_q[2:0])
373              3'b 000 /* LB */: begin mem_rdata = $signed(mem_rdata[7:0]); end
374              3'b 001 /* LH */: begin mem_rdata = $signed(mem_rdata[15:0]); end
375              3'b 100 /* LBU */: begin mem_rdata = mem_rdata[7:0]; end
376              3'b 101 /* LHU */: begin mem_rdata = mem_rdata[15:0]; end
377          endcase
378      end
379
380      // every cycle
381      always @(posedge clock) begin
382          reset_q <= reset;
383          trapped_q <= trapped;
384
385          // increment pc if possible
386          if (!trapped && !stall && !reset && !reset_q) begin
387              if (illinsn)
388                  trapped <= 1;
389              pc <= npc;
390      `ifdef NERV_RVFI
391          rvfi_pre_valid <= !mem_rd_enable_q;
392          rvfi_order <= rvfi_order + 1;
393          rvfi_insn <= insn;
394          rvfi_trap <= illinsn;
395          rvfi_halt <= illinsn;
396          rvfi_intr <= 0;
397          rvfi_mode <= 3;
398          rvfi_ixl <= 1;
399          rvfi_rs1_addr <= insn_rs1;
400          rvfi_rs2_addr <= insn_rs2;
401          rvfi_rs1_rdata <= rs1_value;
402          rvfi_rs2_rdata <= rs2_value;
403          rvfi_pre_rd_addr <= next_wr ? insn_rd : 0;
404          rvfi_pre_rd_wdata <= next_wr && insn_rd ? next_rd : 0;
405          rvfi_pc_rdata <= pc;
406          rvfi_pc_wdata <= npc;
407          if (dmem_valid) begin
408              rvfi_mem_addr <= dmem_addr;
409              case ({mem_rd_enable, insn_func3})
410                  4'b 1_000 /* LB */: begin rvfi_mem_rmask <= 4'b 0001 <<
411                                  ↪ mem_rd_func[4:3]; end
412                  4'b 1_001 /* LH */: begin rvfi_mem_rmask <= 4'b 0011 <<
413                                  ↪ mem_rd_func[4:3]; end
414                  4'b 1_010 /* LW */: begin rvfi_mem_rmask <= 4'b 1111 <<
415                                  ↪ mem_rd_func[4:3]; end
416                  4'b 1_100 /* LBU */: begin rvfi_mem_rmask <= 4'b 0001 <<
417                                  ↪ mem_rd_func[4:3]; end
418                  4'b 1_101 /* LHU */: begin rvfi_mem_rmask <= 4'b 0011 <<
419                                  ↪ mem_rd_func[4:3]; end
420                  default: rvfi_mem_rmask <= 0;
421          endcase
422          rvfi_mem_wmask <= dmem_wstrb;
423          rvfi_mem_wdata <= dmem_wdata;
424      end else begin
425          rvfi_mem_addr <= 0;
426          rvfi_mem_rmask <= 0;
427          rvfi_mem_wmask <= 0;
428          rvfi_mem_wdata <= 0;
429      end
430  `endif
431
432      // update registers from memory or rd (destination)
433      if (mem_rd_enable_q || next_wr)
434          regfile[mem_rd_enable_q ? mem_rd_reg_q : insn_rd] <=
435              ↪ mem_rd_enable_q ? mem_rdata : next_rd;
436  end

```

```

430
431          // reset
432          if (reset || reset_q) begin
433              pc <= RESET_ADDR - (reset ? 4 : 0);
434              trapped <= 0;
435      'ifdef NERV_RVFI
436          rvfi_pre_valid <= 0;
437          rvfi_order <= 0;
438      'endif
439          end
440      end
441
442 'ifdef NERV_RVFI
443     always @* begin
444         if (mem_rd_enable_q) begin
445             rvfi_rd_addr = mem_rd_reg_q;
446             rvfi_rd_wdata = mem_rd_reg_q ? mem_rdata : 0;
447         end else begin
448             rvfi_rd_addr = rvfi_pre_rd_addr;
449             rvfi_rd_wdata = rvfi_pre_rd_wdata;
450         end
451         rvfi_valid = rvfi_pre_valid && !stall && !reset && !reset_q && !trapped_q;
452         rvfi_mem_rdata = dmem_rdata;
453     end
454 'endif
455
456 'ifdef NERV_DBGREGS
457     wire [31:0] dbg_reg_x0 = 0;
458     wire [31:0] dbg_reg_x1 = regfile[1];
459     wire [31:0] dbg_reg_x2 = regfile[2];
460     wire [31:0] dbg_reg_x3 = regfile[3];
461     wire [31:0] dbg_reg_x4 = regfile[4];
462     wire [31:0] dbg_reg_x5 = regfile[5];
463     wire [31:0] dbg_reg_x6 = regfile[6];
464     wire [31:0] dbg_reg_x7 = regfile[7];
465     wire [31:0] dbg_reg_x8 = regfile[8];
466     wire [31:0] dbg_reg_x9 = regfile[9];
467     wire [31:0] dbg_reg_x10 = regfile[10];
468     wire [31:0] dbg_reg_x11 = regfile[11];
469     wire [31:0] dbg_reg_x12 = regfile[12];
470     wire [31:0] dbg_reg_x13 = regfile[13];
471     wire [31:0] dbg_reg_x14 = regfile[14];
472     wire [31:0] dbg_reg_x15 = regfile[15];
473     wire [31:0] dbg_reg_x16 = regfile[16];
474     wire [31:0] dbg_reg_x17 = regfile[17];
475     wire [31:0] dbg_reg_x18 = regfile[18];
476     wire [31:0] dbg_reg_x19 = regfile[19];
477     wire [31:0] dbg_reg_x20 = regfile[20];
478     wire [31:0] dbg_reg_x21 = regfile[21];
479     wire [31:0] dbg_reg_x22 = regfile[22];
480     wire [31:0] dbg_reg_x23 = regfile[23];
481     wire [31:0] dbg_reg_x24 = regfile[24];
482     wire [31:0] dbg_reg_x25 = regfile[25];
483     wire [31:0] dbg_reg_x26 = regfile[26];
484     wire [31:0] dbg_reg_x27 = regfile[27];
485     wire [31:0] dbg_reg_x28 = regfile[28];
486     wire [31:0] dbg_reg_x29 = regfile[29];
487     wire [31:0] dbg_reg_x30 = regfile[30];
488     wire [31:0] dbg_reg_x31 = regfile[31];
489 'endif
490 endmodule

```

Listing E.15: Listing Verilog Model of testbench.

```

1  /*
2   * NERV -- Naive Educational RISC-V Processor

```

```

3  *
4  * Copyright (C) 2020 N. Engelhardt <nak@yosyshq.com>
5  *
6  * Permission to use, copy, modify, and/or distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 *
18 */
19
20 module testbench;
21
22 localparam TIMEOUT = (1<<10);
23 reg clock;
24
25 wire LEDR_N, LEDG_N, LED1, LED2, LED3, LED4, LED5;
26
27 always #5 clock = clock === 1'b0;
28
29 top dut (
30     .CLK(clock),
31     .LEDR_N(LEDR_N),
32     .LEDG_N(LEDG_N),
33     .LED1(LED1),
34     .LED2(LED2),
35     .LED3(LED3),
36     .LED4(LED4),
37     .LED5(LED5)
38 );
39
40 initial begin
41     if ($test$plusargs("vcd")) begin
42         $dumpfile("testbench.vcd");
43         $dumpvars(0, testbench);
44     end
45 end
46
47 reg [31:0] cycles = 0;
48
49 always @ (posedge clock) begin
50     cycles <= cycles + 32'h1;
51     if (cycles >= TIMEOUT) begin
52         $display("Simulated %0d cycles", cycles);
53         $finish;
54     end
55 end
56
57 endmodule

```

Listing E.16: Listing Verilog Model of testbench.

```

1 /*
2  * NERV -- Naive Educational RISC-V Processor
3  *
4  * Copyright (C) 2020 N. Engelhardt <nak@yosyshq.com>
5  *
6  * Permission to use, copy, modify, and/or distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.

```

```

9  *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 *
18 */
19
20 module testbench;
21
22 localparam TIMEOUT = (1<<10);
23 reg clock;
24
25 wire LEDR_N, LEDG_N, LED1, LED2, LED3, LED4, LED5;
26
27 always #5 clock = clock === 1'b0;
28
29 top dut (
30     .CLK(clock),
31     .LEDR_N(LEDR_N),
32     .LEDG_N(LEDG_N),
33     .LED1(LED1),
34     .LED2(LED2),
35     .LED3(LED3),
36     .LED4(LED4),
37     .LED5(LED5)
38 );
39
40 initial begin
41     if ($test$plusargs("vcd")) begin
42         $dumpfile("testbench.vcd");
43         $dumpvars(0, testbench);
44     end
45 end
46
47 reg [31:0] cycles = 0;
48
49 always @(posedge clock) begin
50     cycles <= cycles + 32'h1;
51     if (cycles >= TIMEOUT) begin
52         $display("Simulated %0d cycles", cycles);
53         $finish;
54     end
55 end
56
57 endmodule

```

Listing E.17: Listing Verilog Model of wrapper.

```

1 /*
2  * NERV -- Naive Educational RISC-V Processor
3  *
4  * Copyright (C) 2020 Claire Xenia Wolf <claire@yosyshq.com>
5  *
6  * Permission to use, copy, modify, and/or distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

```

```

15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  *
18  */
19
20 module rvfi_wrapper (
21   input clock,
22   input reset,
23   'RVFI_OUTPUTS
24 );
25   (* keep *) 'rvformal_rand_reg stall;
26   (* keep *) 'rvformal_rand_reg [31:0] imem_data;
27   (* keep *) 'rvformal_rand_reg [31:0] dmem_rdata;
28
29   (* keep *) wire [31:0] imem_addr;
30
31   (* keep *) wire dmem_valid;
32   (* keep *) wire [31:0] dmem_addr;
33   (* keep *) wire [3:0] dmem_wstrb;
34   (* keep *) wire [31:0] dmem_wdata;
35
36   nerv uut (
37     .clock (clock ),
38     .reset (reset ),
39     .stall (stall ),
40
41     .imem_addr (imem_addr ),
42     .imem_data (imem_data ),
43
44     .dmem_valid (dmem_valid),
45     .dmem_addr (dmem_addr ),
46     .dmem_wstrb (dmem_wstrb),
47     .dmem_wdata (dmem_wdata),
48     .dmem_rdata (dmem_rdata),
49
50     'RVFI_CONN
51   );
52
53 `ifdef NERV_FAIRNESS
54   reg [2:0] stalled = 0;
55   always @ (posedge clock) begin
56     stalled <= {stalled, stall};
57     assume (~stalled);
58   end
59 `endif
60 endmodule

```

Listing E.18: Listing Verilog Model of instrumentation\_impl.

```

1 module Is_Ch_Tripped
2   #(localparam Log2Modes = 2)
3   ( input logic [Log2Modes - 1:0] mode,
4     input logic sensor_tripped,
5     output logic out
6   );
7   assign out = (mode == 2) || ((mode == 1) & sensor_tripped);
8 endmodule
9
10 module Generate_Sensor_Trips
11   #(localparam NChannels = 3)
12   ( input logic [NChannels * 32 - 1:0] vals,
13     input logic [NChannels * 32 - 1:0] setpoints,
14     output logic [NChannels - 1:0] out
15   );
16   genvar ch;
17   for (ch = 0; ch < NChannels; ch = ch + 1) begin

```

```

18    localparam rev_ch = NChannels - ch - 1;
19    logic [31:0]v = vals[(rev_ch*32) + 31 -: 32];
20    logic [31:0]sp = setpoints[(rev_ch*32) + 31 -: 32];
21    // SAW caught a bug here, originally used
22    // 'rev_ch' in the conditional
23    if (ch == 2) begin
24        assign out[rev_ch] = $signed(v) < $signed(sp);
25    end else begin
26        assign out[rev_ch] = sp < v;
27    end
28 end
29 endmodule

```

Listing E.19: Listing Verilog Model of testbench.

```

1  /*
2  * NERV -- Naive Educational RISC-V Processor
3  *
4  * Copyright (C) 2020 N. Engelhardt <nak@yosyshq.com>
5  *
6  * Permission to use, copy, modify, and/or distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 *
18 */
19
20 module testbench;
21
22 localparam TIMEOUT = (1<<10);
23 reg clock;
24
25 wire LEDR_N, LEDG_N, LED1, LED2, LED3, LED4, LED5;
26
27 always #5 clock = clock === 1'b0;
28
29 top dut (
30     .CLK(clock),
31     .LEDR_N(LEDR_N),
32     .LEDG_N(LEDG_N),
33     .LED1(LED1),
34     .LED2(LED2),
35     .LED3(LED3),
36     .LED4(LED4),
37     .LED5(LED5)
38 );
39
40 initial begin
41     if ($test$plusargs("vcd")) begin
42         $dumpfile("testbench.vcd");
43         $dumpvars(0, testbench);
44     end
45 end
46
47 reg [31:0] cycles = 0;
48
49 always @(posedge clock) begin
50     cycles <= cycles + 32'h1;
51     if (cycles >= TIMEOUT) begin

```

```

52           $display("Simulated %0d cycles", cycles);
53           $finish;
54       end
55   end
56 endmodule

```

Listing E.20: Listing Verilog Model of nervsoc.

```

/*
 * NERV -- Naive Educational RISC-V Processor
 *
 * Copyright (C) 2020 Claire Xenia Wolf <claire@yosyshq.com>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
module nervsoc (
    input clock,
    input reset,
    output reg [31:0] leds
);
    reg [31:0] imem [0:1023];
    reg [31:0] dmem [0:1023];

    wire stall = 0;
    wire trap;

    wire [31:0] imem_addr;
    reg [31:0] imem_data;

    wire dmem_valid;
    wire [31:0] dmem_addr;
    wire [3:0] dmem_wstrb;
    wire [31:0] dmem_wdata;
    reg [31:0] dmem_rdata;

initial begin
    $readmemh("firmware.hex", imem);
end

always @(posedge clock)
    imem_data <= imem[imem_addr[31:2]];

always @(posedge clock) begin
    if (dmem_valid) begin
        if (dmem_addr == 32'h 0100_0000) begin
            if (dmem_wstrb[0]) leds[ 7: 0] <= dmem_wdata[ 7: 0];
            if (dmem_wstrb[1]) leds[15: 8] <= dmem_wdata[15: 8];
            if (dmem_wstrb[2]) leds[23:16] <= dmem_wdata[23:16];
            if (dmem_wstrb[3]) leds[31:24] <= dmem_wdata[31:24];
        end else begin
            if (dmem_wstrb[0]) dmem[dmem_addr[31:2]][ 7: 0] <=

```

```

56           if (dmem_wstrb[1]) dmem[dmem_addr[31:2]][15: 8] <= dmem_wdata
57           ↪ [15: 8];
58           if (dmem_wstrb[2]) dmem[dmem_addr[31:2]][23:16] <= dmem_wdata
59           ↪ [23:16];
60           if (dmem_wstrb[3]) dmem[dmem_addr[31:2]][31:24] <= dmem_wdata
61           ↪ [31:24];
62       end
63   end
64
65   nerv cpu (
66     .clock (clock ),
67     .reset (reset ),
68     .stall (stall ),
69     .trap (trap ),
70
71     .imem_addr (imem_addr ),
72     .imem_data (imem_data ),
73
74     .dmem_valid(dmem_valid),
75     .dmem_addr (dmem_addr ),
76     .dmem_wstrb(dmem_wstrb),
77     .dmem_wdata(dmem_wdata),
78     .dmem_rdata(dmem_rdata)
79   );
endmodule

```

## E.8 BlueSpec Implementations

Listing E.21: Listing Verilog Model of FpgaTop.

```

1 import NervSoC :: *;
2
3 // IO
4 import I2C :: *;
5 import RS232 :: *;
6 import GetPut::*;
7
8 interface FpgaTop_IFC;
9   (* prefix = "" *)
10   interface RS232 rs232;
11   //(* prefix = "" *)
12   //interface I2C_Pins i2c;
13   (* always_ready *)
14   method Bit#(8) leds();
15 endinterface
16
17 (* synthesize *)
18 module mkFpgaTop_IFC(FpgaTop_IFC);
19   // Divisor of 10 for baudrate of 76800
20   UART #(4) uart <- mkUART(8, NONE, STOP_1, 10);
21   //I2CCController #(1) i2c_controller <- mkI2CCController();
22
23   NervSoC_IFC nerv_soc <- mkNervSoC;
24
25   rule uart_transmit;
26     let val <- nerv_soc.get_uart_tx_byte();
27     uart.rx.put(val);
28   endrule
29
30   Reg #(Bit #(12)) rg_console_in_poll <- mkReg (0);

```

```

31   rule uart_receive;
32     if (rg_console_in_poll == 0) begin
33       Bit #(8) ch <- uart.tx.get();
34       if (ch != 0) begin
35         nerv_soc.set_uart_rx_byte(ch);
36       end
37     end
38     rg_console_in_poll <= rg_console_in_poll + 1;
39   endrule
40
41
42
43   interface rs232 = uart.rs232;
44   // TODO: i2c interface
45   //interface I2C_Pins i2c = i2c_controller.i2c;
46   method leds = nerv_soc.gpio;
47 endmodule

```

Listing E.22: Listing Verilog Model of Actuation\_Generated\_BVI.

```

1 package Actuation_Generated_BVI;
2
3 import Clocks :: *;
4 import Actuation::*;
5
6 (* synthesize *)
7 module mkActuationGenerated(Actuation_IFC);
8   ActuationDO_IFC a0 <- mkActuationGeneratedDO();
9   ActuationD1_IFC a1 <- mkActuationGeneratedD1();
10
11   interface ActuationDO_IFC d0;
12     method actuate_d0 = a0.actuate_d0();
13   endinterface
14   interface ActuationD1_IFC d1;
15     method actuate_d1 = a1.actuate_d1();
16   endinterface
17 endmodule
18
19 import "BVI" Actuate_D0 =
20 module mkActuationGeneratedDO (ActuationDO_IFC);
21   default_clock ();
22   default_reset ();
23
24   method out actuate_d0 (trips, old);
25     schedule (actuate_d0) CF (actuate_d0);
26   endmodule
27
28 import "BVI" Actuate_D1 =
29 module mkActuationGeneratedD1 (ActuationD1_IFC);
30   default_clock ();
31   default_reset ();
32
33   method out actuate_d1 (trips, old);
34     schedule (actuate_d1) CF (actuate_d1);
35   endmodule
36
37 endpackage

```

Listing E.23: Listing Verilog Model of Nerv\_BVI.

```

1 // Copyright (c) 2022 Rishiyur S. Nikhil
2
3 package Nerv_BVI;
4

```

```

5 // =====
6 // Module mkNerv_BVI imports the SystemVerilog module nerv.sv so that
7 // it can be used in BSV.
8 // nerv.sv is from: https://github.com/YosysHQ/nerv
9
10 // =====
11 // Import from BSV library
12
13 import Clocks :: *;
14
15 // =====
16 // BSV "raw" interface for nerv.sv (nerv CPU)
17
18 interface Nerv_BVI_IFC;
19   (* always_ready, always_enabled *)
20   method Action m_stall (Bool b);
21   (* always_ready *)
22   method Bool m_trap;
23
24   (* always_ready *)
25   method Bit #(32) m_imem_addr;
26   (* always_ready, always_enabled *)
27   method Action m_imem_data (Bit #(32) xi);
28
29   (* always_ready *)
30   method Bool m_dmem_valid;
31   (* always_ready *)
32   method Bit #(32) m_dmem_addr;
33   (* always_ready *)
34   method Bit #(4) m_dmem_wstrb;
35   (* always_ready *)
36   method Bit #(32) m_dmem_wdata;
37   (* always_ready, always_enabled *)
38   method Action m_dmem_rdata (Bit #(32) xd);
39 endinterface
40
41 // =====
42
43 import "BVI" nerv =
44 module mkNerv_BVI (Nerv_BVI_IFC);
45   default_clock (clock);
46
47   // BSV's default reset (including this module's reset) is active low
48   // The imported nerv.sv's reset is active high.
49   default_reset (reset) <- invertCurrentReset;
50
51   method m_stall (stall) enable ((*inhigh*) EN0); // BSV -> Verilog
52   method trap m_trap; // BSV <- Verilog
53
54   method imem_addr m_imem_addr; // BSV <- Verilog
55   method m_imem_data (imem_data) enable ((*inhigh*) EN1); // BSV -> Verilog
56
57   method dmem_valid m_dmem_valid; // BSV <- Verilog
58   method dmem_addr m_dmem_addr; // BSV <- Verilog
59   method dmem_wstrb m_dmem_wstrb; // BSV <- Verilog
60   method dmem_wdata m_dmem_wdata; // BSV <- Verilog
61   method m_dmem_rdata (dmem_rdata) enable ((*inhigh*) EN2); // BSV -> Verilog
62
63   // Declaring each method conflict-free with each method.
64   // This is ok if everything is registered, but dicey if there are
65   // combinational paths weaving in and out of the module.
66   schedule
67     (m_stall,
68      m_trap,
69      m_imem_addr,
70      m_imem_data,

```

```

71     m_dmem_valid,
72     m_dmem_addr,
73     m_dmem_wstrb,
74     m_dmem_wdata,
75     m_dmem_rdata) CF (m_stall,
76                         m_trap,
77                         m_imem_addr,
78                         m_imem_data,
79                         m_dmem_valid,
80                         m_dmem_addr,
81                         m_dmem_wstrb,
82                         m_dmem_wdata,
83                         m_dmem_rdata);
84
85 endmodule
86 // =====
87
88 endpackage

```

Listing E.24: Listing Verilog Model of Nerv.

```

1 // Copyright (c) 2022 Rishiyur S. Nikhil
2
3 package Nerv;
4
5 // =====
6 // Module mkNerv is a thin wrapper around mkNerv_BVI to make DMem
7 // outputs (strobe and data) into a struct
8
9 // =====
10 // Import from BSV library
11
12 // None
13
14 // =====
15 // Local imports
16
17 import Nerv_BVI :: *;
18
19 // =====
20 // Interface for nerv as we might like to see it in BSV
21
22 typedef struct {
23   Bit #(4) wstrb;
24   Bit #(32) wdata;
25 }
26 DmemWrite
27 deriving (Bits, Eq, FShow);
28
29 interface Nerv_IFC;
30   (* always_ready, always_enabled *)
31   method Action m_stall (Bool b);
32   (* always_ready *)
33   method Bool m_trap;
34
35   (* always_ready *)
36   method Bit #(32) m_imem_addr;
37   (* always_ready, always_enabled *)
38   method Action m_imem_data (Bit #(32) xi);
39
40   method Bit #(32) m_dmem_addr;
41   method DmemWrite m_get_dmem;
42
43   (* always_ready, always_enabled *)
44   method Action m_dmem_rdata (Bit #(32) xd);
45

```

```

46     method Bool m_dmem_valid;
47 endinterface
48 // =====
49 (* synthesize *)
50 module mkNerv (Nerv_IFC);
51
52     Nerv_BVI_IFC nerv_BVI <- mkNerv_BVI;
53
54     method Action m_stall (Bool b) = nerv_BVI.m_stall (b);
55
56     method Bool m_trap = nerv_BVI.m_trap;
57     method Bool m_dmem_valid = nerv_BVI.m_dmem_valid;
58
59     method Bit #(32) m_imem_addr = nerv_BVI.m_imem_addr;
60     method Action m_imem_data (Bit #(32) xi) = nerv_BVI.m_imem_data (xi);
61
62     method Bit #(32) m_dmem_addr () if (nerv_BVI.m_dmem_valid);
63         return nerv_BVI.m_dmem_addr;
64     endmethod
65
66     method DmemWrite m_get_dmem () if (nerv_BVI.m_dmem_valid);
67         return DmemWrite {wstrb: nerv_BVI.m_dmem_wstrb,
68                           wdata: nerv_BVI.m_dmem_wdata};
69     endmethod
70
71     method Action m_dmem_rdata (Bit #(32) xd) = nerv_BVI.m_dmem_rdata (xd);
72 endmodule
73
74 // =====
75
76 (* synthesize *)
77 endpackage

```

Listing E.25: Listing Verilog Model of Instrumentation\_Handwritten\_BVI.

```

1 package Instrumentation_Handwritten_BVI;
2
3 import Clocks :: *;
4 import Instrumentation::*;
5
6 (* synthesize *)
7 module mkInstrumentationHandwritten(Instrumentation_IFC);
8     ChannelTripped_IFC i_channel <- mkInstrHandwrittenIsChannelTripped();
9     SensorTrips_IFC i_sensors <- mkInstrHandwrittenGenerateSensorTrips();
10
11     interface ChannelTripped_IFC channel;
12         method is_channel_tripped = i_channel.is_channel_tripped();
13     endinterface
14     interface SensorTrips_IFC sensors;
15         method generate_sensor_trips = i_sensors.generate_sensor_trips();
16     endinterface
17 endmodule
18
19 import "BVI" Is_Ch_Tripped_Handwritten =
20 module mkInstrHandwrittenIsChannelTripped (ChannelTripped_IFC);
21     default_clock ();
22     default_reset ();
23
24     method out is_channel_tripped (mode, sensor_tripped);
25         schedule (is_channel_tripped) CF (is_channel_tripped);
26     endmodule
27
28 import "BVI" Generate_Sensor_Trips_Handwritten =
29 module mkInstrHandwrittenGenerateSensorTrips (SensorTrips_IFC);
30     default_clock ();

```

```

31     default_reset ();
32
33     method out generate_sensor_trips (vals, setpoints);
34         schedule (generate_sensor_trips) CF (generate_sensor_trips);
35     endmodule
36
37 endpackage

```

Listing E.26: Listing Verilog Model of Instrumentation.

```

1 package Instrumentation;
2
3 import Vector :: *;
4
5 // Instrumentation interface
6 interface Instrumentation_IFC;
7     interface ChannelTripped_IFC channel;
8     interface SensorTrips_IFC sensors;
9 endinterface
10
11 // Sub-interface for each implemented function
12 interface ChannelTripped_IFC;
13     (* always_ready *)
14     method Bool is_channel_tripped (Bit#(2) mode,
15                                     Bool sensor_tripped);
16 endinterface
17
18 interface SensorTrips_IFC;
19     (* always_ready *)
20     method Bit#(3) generate_sensor_trips (Vector#(3, Bit#(32)) vals,
21                                         Vector#(3, Bit#(32)) setpoints);
22 endinterface
23
24 endpackage

```

Listing E.27: Listing Verilog Model of Top.

```

1 // Copyright (c) 2022 Rishiyur S. Nikhil
2
3 // =====
4 // Top-level module instantiates NervSoC and displays the LED outputs
5 // whenever they change.
6
7 // =====
8 // Import from BSV library
9
10 // None
11
12 // =====
13 // Local imports
14
15 import NervSoC :: *;
16
17 // IO
18 import I2C :: *;
19 import RS232 :: *;
20 import GetPut::*;
21
22 // =====
23 // Top
24
25 import "BDPI" function Action c_putchar (Bit #(8) c);
26 import "BDPI" function ActionValue #(Bit #(8)) c_trygetchar (Bit #(8) dummy);
27 import "BDPI" function ActionValue #(Bit #(8)) c_i2c_request (Bit #(8) addr,

```

```

28 |                                     Bit #(8) data);
29 |
30 | (* clock_prefix="CLK", reset_prefix="RST_N" *)
31 | (* synthesize *)
32 | module mkTop (Empty);
33 |
34 |     Reg #(Bit #(8)) rg_gpio <- mkReg (0);
35 |
36 |     NervSoC_IFC nerv_soc <- mkNervSoC;
37 |
38 |     // I/O peripherals
39 |     // @odhrmic TODO: check the prescalers
40 |     // and look into proper use of I2C module
41 |     I2CController #(1) i2c_controller <- mkI2CController();
42 |     UART #(4) uart <- mkUART(8, NONE, STOP_1, 16);
43 |     //uart.RS232.sout ?
44 |
45 |     // =====
46 |     // UART console I/O
47 |     // Based on https://github.com/bluespec/Piccolo/blob/master/src_Testbench/Top/Top_HW_Side.
48 |     //          ↳ bsv
49 |
50 |     // Poll terminal input and relay any chars into system console input.
51 |     // Note: rg_console_in_poll is used to poll only every N cycles, whenever it wraps around
52 |     //          ↳ to 0.
53 |     // Note: if the SoC starts dropping bytes, try increasing the register size
54 |     Reg #(Bit #(12)) rg_console_in_poll <- mkReg (0);
55 |
56 |     'ifdef SIMULATION
57 |         begin
58 |             rule uart_rx;
59 |                 if (rg_console_in_poll == 0) begin
60 |                     Bit #(8) ch <- c_trygetchar (?);
61 |                     if (ch != 0) begin
62 |                         nerv_soc.set_uart_rx_byte(ch);
63 |                     end
64 |                 end
65 |             endrule
66 |         end
67 |     'else
68 |         // FPGA
69 |         begin
70 |             rule uart_rx;
71 |                 if (rg_console_in_poll == 0) begin
72 |                     Bit #(8) ch <- uart.tx.get();
73 |                     if (ch != 0) begin
74 |                         nerv_soc.set_uart_rx_byte(ch);
75 |                     end
76 |                 end
77 |             endrule
78 |         end
79 |     'endif
80 |
81 |         rule uart_tx;
82 |             let val <- nerv_soc.get_uart_tx_byte();
83 |             'ifdef SIMULATION
84 |                 c_putchar(val);
85 |             'else
86 |                 uart.rx.put(val);
87 |             'endif
88 |             endrule
89 |
90 |             Reg #(Bit #(8)) rg_i2c_resp <- mkRegU();
91 |             Reg #(Bool) rg_i2c_complete <- mkReg(False);
92 |             rule i2c_request(!rg_i2c_complete);

```

```

92     let request <- nerv_soc.i2c_get_request();
93     let val <- c_i2c_request(request.address, request.data);
94     rg_i2c_resp <= val;
95     rg_i2c_complete <= True;
96   endrule
97
98   rule i2c_response(rg_i2c_complete);
99     let response = I2CResponse { data: rg_i2c_resp };
100    nerv_soc.i2c_give_response(response);
101    rg_i2c_complete <= False;
102  endrule
103
104  rule rl_leds;
105    let gpio = nerv_soc.gpio;
106    if (gpio != rg_gpio) $display ("GPIO: %032b", gpio);
107    rg_gpio <= gpio;
108  endrule
109
110 endmodule
111
112 // -----

```

Listing E.28: Listing Verilog Model of NervSoC.

```

1 // Copyright (c) 2022 Rishiyur S. Nikhil, Michal Podhradsky
2 package NervSoC;
3
4 // =====
5 // Module mkNervSoC is a BSV version of nervsoc.sv
6
7 // nervsoc.sv is from: https://github.com/YosysHQ/nerv
8
9 // =====
10 // Import from BSV library
11 import RegFile :: *;
12 import Vector :: *;
13 import I2C :: *;
14 import BRAM :: *;
15 import BRAMCore :: *;
16
17 // =====
18 // Local imports
19 import Nerv :: *;
20 import Instrumentation::*;
21 import Instrumentation_Handwritten_BVI::*;
22 import Instrumentation_Generated_BVI::*;
23 import Actuation::*;
24 import Actuation_Generated_BVI::*;
25 // =====
26 // A small NERV SoC
27
28 interface NervSoC_IFC;
29   // This sets the name of the result
30   method Bit #(8) gpio;
31   // TX -> a byte to be send
32   method ActionValue#(Bit #(8)) get_uart_tx_byte;
33   // RX -> a byte to be received
34   method Action set_uart_rx_byte(Bit #(8) rx);
35   // I2C methods
36   method ActionValue #(I2CRequest) i2c_get_request;
37   method Action i2c_give_response(I2CResponse r);
38 endinterface
39
40 // =====
41 typedef enum { REQ_I, PUSH_I, REQ_D, PUSH_D, STOP } State deriving(Bits,Eq);
42 (* synthesize *)

```

```

43 module mkNervSoC (NervSoC_IFC);
44 /**
45 * //////////////////////////////////////////////////////////////////
46 * Instantiate interfaces
47 * //////////////////////////////////////////////////////////////////
48 */
49 Nerv_IFC nerv <- mkNerv;
50 Instrumentation_IFC instr_hand <- mkInstrumentationHandwritten();
51 Instrumentation_IFC instr_gen <- mkInstrumentationGenerated();
52 Actuation_IFC actuation_gen <- mkActuationGenerated();
53
54 // For debugging only
55 Bool show_exec_trace = False;
56 Bool show_load_store = False;
57
58 /**
59 * //////////////////////////////////////////////////////////////////
60 * IO memory map
61 * //////////////////////////////////////////////////////////////////
62 */
63 Bit #(32) gpio_addr = 32'h 0100_0000;
64
65 Bit #(32) uart_reg_addr_tx = 32'h 0200_0000;
66 Bit #(32) uart_reg_addr_rx = 32'h 0200_0004;
67 Bit #(32) uart_reg_addr_dr = 32'h 0200_0008;
68
69 Bit #(32) i2c_reg_addr_base = 32'h 0300_0000;
70 Bit #(32) i2c_reg_addr_data = 32'h 0300_0004; // I2C fifo has up to 16 bytes (4 registers)
71 Bit #(32) i2c_reg_addr_stat = 32'h 0300_0008; // I2C status reg (transaction complete 1bit
    ↪ , transaction error 1bit, error type 2bits)
72
73 Bit #(32) clock_reg_adrr_lower = 32'h 0400_0000; // System ticks
74 Bit #(32) clock_reg_adrr_upper = 32'h 0400_0004;
75
76 Bit #(32) instr_reg_addr_hand_base = 32'h 0500_0000; // Handwritten Instrumentation base
    ↪ register
77 Bit #(32) instr_reg_addr_hand_instr_val_0 = 32'h 0500_0004;
78 Bit #(32) instr_reg_addr_hand_instr_val_1 = 32'h 0500_0008;
79 Bit #(32) instr_reg_addr_hand_instr_val_2 = 32'h 0500_000C;
80 Bit #(32) instr_reg_addr_hand_setpoint_val_0 = 32'h 0500_0010;
81 Bit #(32) instr_reg_addr_hand_setpoint_val_1 = 32'h 0500_0014;
82 Bit #(32) instr_reg_addr_hand_setpoint_val_2 = 32'h 0500_0018;
83 Bit #(32) instr_reg_addr_hand_res = 32'h 0500_001C;
84
85 Bit #(32) instr_reg_addr_gen_base = 32'h 0500_0020; // Generated Instrumentation base
    ↪ register
86 Bit #(32) instr_reg_addr_gen_instr_val_0 = 32'h 0500_0024;
87 Bit #(32) instr_reg_addr_gen_instr_val_1 = 32'h 0500_0028;
88 Bit #(32) instr_reg_addr_gen_instr_val_2 = 32'h 0500_002C;
89 Bit #(32) instr_reg_addr_gen_setpoint_val_0 = 32'h 0500_0030;
90 Bit #(32) instr_reg_addr_gen_setpoint_val_1 = 32'h 0500_0034;
91 Bit #(32) instr_reg_addr_gen_setpoint_val_2 = 32'h 0500_0038;
92 Bit #(32) instr_reg_addr_gen_res = 32'h 0500_003C;
93
94 Bit #(32) actuation_reg_addr_gen_base = 32'h 0500_0040; // Generated Actuation base
    ↪ register
95 Bit #(32) actuation_reg_addr_gen_trip_0 = 32'h 0500_0044;
96 Bit #(32) actuation_reg_addr_gen_trip_1 = 32'h 0500_0048;
97 Bit #(32) actuation_reg_addr_gen_trip_2 = 32'h 0500_004C;
98 Bit #(32) actuation_reg_addr_gen_res = 32'h 0500_0050;
99
100 Bit #(32) io_top_addr = 32'h 0500_0050;
101
102 /**
103 * //////////////////////////////////////////////////////////////////
104 * IO registers

```

```

105 * /////////////////////////////////
106 */
107 Reg #(Bit #(32)) rg_gpio <- mkReg(0);
108 Reg #(Bit #(8)) rg_uart_tx <- mkReg(0);
109 Reg #(Bit #(8)) rg_uart_rx <- mkReg(0);
110 Reg #(Bool) rg_uart_rx_data_ready <- mkReg(False);
111 Reg #(Bool) rg_uart_tx_data_ready <- mkReg(False);
112 Reg #(Bit #(8)) rg_i2c_addr <- mkReg(0);
113 Reg #(Bit #(32)) rg_i2c_data <- mkReg(0);
114 Reg #(Bit #(32)) rg_i2c_status <- mkReg(0);
115 Reg #(Bool) rg_i2c_transaction_ready <- mkReg(False);
116 Reg #(Bit #(32)) rg_i2c_transaction_complete <- mkReg(0);
117 Vector#(3, Reg#(Bit #(32))) instr_hand_vals <- replicateM( mkReg(0) );
118 Vector#(3, Reg#(Bit #(32))) instr_hand_setpoints <- replicateM( mkReg(0) );
119 Vector#(3, Reg#(Bit #(32))) instr_gen_vals <- replicateM( mkReg(0) );
120 Vector#(3, Reg#(Bit #(32))) instr_gen_setpoints <- replicateM( mkReg(0) );
121 Vector#(3, Reg#(Bit #(32))) actuation_trips <- replicateM( mkReg(0) );
122 Reg #(Bit #(32)) rg_actuation_res <- mkReg(0);
123 Reg #(Bit #(32)) rg_instr_hand_res <- mkReg(0);
124 Reg #(Bit #(32)) rg_instr_gen_res <- mkReg(0);
125
126 RWire#(Bit #(64)) rw_tick <- mkRWire();
127 Reg#(Bit#(30)) rg_dmem_addr <- mkReg(0);
128 Reg#(Bit#(32)) rg_dmem_put_data <- mkReg(0);
129
130 /**
131 * /////////////////////////////////
132 * Memory Definition
133 * /////////////////////////////////
134 */
135 // Memory size
136 Integer imemory_size = 'h07000;
137 Integer dmemory_size = 'h07000;
138
139 // Nerv has Harvard architecture (separate data and instruction memory),
140 // so in order to properly initialize global symbols, we need to load
141 // the hex file into *both* memories.
142 // NOTE: BRAM has size defined as 'reg [DATA_WIDTH-1:0] RAM[0:MEMSIZE-1];'
143 // while RegFileLoad was 'reg [data_width - 1 : 0] arr[lo:hi];'
144 // The size+1 is simply to make the current hex file fit.
145 BRAM_PORT#(Bit#(30), Bit#(32)) dmem_bram <- mkBRAMCore1Load(dmemory_size+1, False,
146   ↪ dmem_contents.memhex32', False);
147 BRAM_PORT#(Bit#(30), Bit#(32)) imem_bram <- mkBRAMCore1Load(imemory_size+1, False,
148   ↪ imem_contents.memhex32', False);
149
150 Reg #(Bit #(32)) rg_imem_addr <- mkReg (0);
151 Reg #(Bit #(32)) rg_imem_data <- mkRegU;
152 Reg #(Bit #(32)) rg_dmem_rdata <- mkRegU;
153 Reg #(Bool) rg_update_dmem <- mkReg(False);
154 Reg #(Bit #(64)) rg_tick <- mkReg (0);
155 Reg#(State) state <- mkReg(REQ_I);
156
157 /**
158 * /////////////////////////////////
159 * Function definitions
160 * /////////////////////////////////
161 */
162 function Bit #(8) strb2byte (Bit #(1) b) = signExtend (b);
163
164 // GPIO update
165 function ActionValue#(Bit#(32)) fn_gpio(Bit#(32) mask, Bit#(32) wdata)
166   = actionvalue
167     let gpio_val = ((rg_gpio & (~ mask)) | (wdata & mask));
168     rg_gpio <= gpio_val;
169     return gpio_val;
170   endactionvalue;

```

```

169
170    // UART
171    function ActionValue#(Bit#(32)) fn_uart(Bit#(32) addr, Bit#(32) wdata)
172        = actionvalue
173            case (addr)
174                // Write a byte to serial port
175                uart_reg_addr_tx:
176                    begin
177                        rg_uart_tx <= wdata[7:0];
178                        rg_uart_tx_data_ready <= True;
179                        return signExtend(wdata[7:0]);
180                    end
181                // Receive data from serial port
182                // Note: might be 0 or stale, check uart_reg_addr_dr first
183                uart_reg_addr_rx:
184                    begin
185                        rg_uart_rx_data_ready <= False;
186                        return signExtend(rg_uart_rx);
187                    end
188                uart_reg_addr_dr:
189                    begin
190                        if (rg_uart_rx_data_ready)
191                            return 1;
192                        else
193                            return 0;
194                    end
195                default:
196                    return 'hFFFF;
197            endcase
198        endactionvalue;
199
200    // I2C
201    function ActionValue#(Bit#(32)) fn_i2c(Bit#(32) addr, Bit#(32) mask, Bit#(32) wdata)
202        = actionvalue
203            case (addr)
204                i2c_reg_addr_base:
205                    begin
206                        // Only 8 bytes for the address, the rest is ignored
207                        rg_i2c_addr <= wdata[7:0];
208                        rg_i2c_transaction_ready <= True;
209                        return wdata;
210                    end
211                i2c_reg_addr_data:
212                    begin
213                        if (mask == 0)
214                            begin
215                                // Read rg_i2c_data
216                                return rg_i2c_data;
217                            end
218                        else
219                            begin
220                                // Write to rg_i2c_data
221                                rg_i2c_data <= wdata;
222                                return wdata;
223                            end
224                    end
225                i2c_reg_addr_stat:
226                    begin
227                        rg_i2c_transaction_complete <= 0;
228                        return rg_i2c_transaction_complete;
229                    end
230            endcase
231        endactionvalue;
232
233    // Clock
234    function Bit#(32) fn_clock(Bit#(32) addr);

```

```

235     if (addr == clock_reg_adrr_lower)
236         return rg_tick[31:0];
237     else
238         return rg_tick[63:32];
239     endfunction
240
241     // Instrumentation handwritten
242     function ActionValue#(Bit#(32)) fn_instrumentation_handwritten(Bit#(32) addr, Bit#(32)
243                                     ↪ mask, Bit#(32) wdata)
244     = actionvalue
245     let val = 0;
246     case (addr)
247         instr_reg_addr_hand_base:
248             begin
249                 // wdata[0] - fnc select ( 0 - is_channel_trippped / 1 - generate_sensor_trips)
250                 // wdata[2:1] - mode
251                 // wdata[3] - sensor_trippped
252                 // rg_instr_hand_res[2:0] - result
253                 // rg_instr_hand_res[31] - fnc select ( 0 - is_channel_trippped / 1 -
254                                     ↪ generate_sensor_trips)
255             if (wdata[0] == 0)
256                 begin
257                     // is_channel_trippped
258                     // method Bool is_channel_trippped (Bit #(2) mode, Bool sensor_trippped);
259                     let mode = wdata[2:1];
260                     let sensor_trippped = unpack(wdata[3]);
261                     rg_instr_hand_res <= signExtend( pack(instr_hand.channel.is_channel_trippped(
262                                         ↪ mode, sensor_trippped)) );
263                 end
264             else
265                 begin
266                     // generate_sensor_trips
267                     // NOTE: the values and setpoints are in reverse order.
268                     Vector#(3, Bit#(32)) vals = newVector;
269                     vals[2] = instr_hand_vals[0];
270                     vals[1] = instr_hand_vals[1];
271                     vals[0] = instr_hand_vals[2];
272
273                     Vector#(3, Bit#(32)) setpoints = newVector;
274                     setpoints[2] = instr_hand_setpoints[0];
275                     setpoints[1] = instr_hand_setpoints[1];
276                     setpoints[0] = instr_hand_setpoints[2];
277
278                     let res = signExtend(pack(
279                         instr_hand.sensors.generate_sensor_trips(vals, setpoints)
280                         ));
281                     res[31] = 1;
282                     rg_instr_hand_res <= res;
283                 end
284             end
285             instr_reg_addr_hand_instr_val_0:
286             begin
287                 instr_hand_vals[0] <= ((instr_hand_vals[0] & (~ mask)) | (wdata & mask));
288             end
289             instr_reg_addr_hand_instr_val_1:
290             begin
291                 instr_hand_vals[1] <= ((instr_hand_vals[1] & (~ mask)) | (wdata & mask));
292             end
293             instr_reg_addr_hand_instr_val_2:
294             begin
295                 instr_hand_vals[2] <= ((instr_hand_vals[2] & (~ mask)) | (wdata & mask));
296             end
297             instr_reg_addr_hand_setpoint_val_0:
298             begin
299                 instr_hand_setpoints[0] <= ((instr_hand_setpoints[0] & (~ mask)) | (wdata &
299                                     ↪ mask));

```

```

297     end
298     instr_reg_addr_hand_setpoint_val_1:
299     begin
300         instr_hand_setpoints[1] <= ((instr_hand_setpoints[1] & (~ mask)) | (wdata &
301             ↪ mask));
302     end
303     instr_reg_addr_hand_setpoint_val_2:
304     begin
305         instr_hand_setpoints[2] <= ((instr_hand_setpoints[2] & (~ mask)) | (wdata &
306             ↪ mask));
307     end
308     instr_reg_addr_hand_res:
309     begin
310         val = rg_instr_hand_res;
311     end
312     endcase
313     return val;
314     endactionvalue;
315
316 // Instrumentation generated
317 function ActionValue#(Bit#(32)) fn_instrumentation_generated(Bit#(32) addr, Bit#(32) mask,
318     ↪ Bit#(32) wdata)
319 = actionvalue
320     let val = 0;
321     case (addr)
322         instr_reg_addr_gen_base:
323             begin
324                 // wdata[0] - fnc select ( 0 - is_channel_tripped / 1 - generate_sensor_trips)
325                 // wdata[2:1] - mode
326                 // wdata[3] - sensor_tripped
327                 // rg_instr_gen_res[2:0] - result
328                 // rg_instr_gen_res[31] - fnc select ( 0 - is_channel_tripped / 1 -
329                     ↪ generate_sensor_trips)
330             if (wdata[0] == 0)
331                 begin
332                     // is_channel_tripped
333                     // method Bool is_channel_tripped (Bit #(2) mode, Bool sensor_tripped);
334                     let mode = wdata[2:1];
335                     let sensor_tripped = unpack(wdata[3]);
336                     rg_instr_gen_res <= zeroExtend(pack(
337                         instr_gen.channel.is_channel_tripped(mode, sensor_tripped)
338                         ));
339                 end
340             else
341                 begin
342                     // generate_sensor_trips
343                     // NOTE: the values and setpoints are in reverse order.
344                     Vector#(3, Bit#(32)) vals = newVector;
345                     vals[2] = instr_gen_vals[0];
346                     vals[1] = instr_gen_vals[1];
347                     vals[0] = instr_gen_vals[2];
348
349                     Vector#(3, Bit#(32)) setpoints = newVector;
350                     setpoints[2] = instr_gen_setpoints[0];
351                     setpoints[1] = instr_gen_setpoints[1];
352                     setpoints[0] = instr_gen_setpoints[2];
353                     let res = zeroExtend(pack(
354                         instr_gen.sensors.generate_sensor_trips(vals, setpoints)
355                         ));
356                     res[31] = 1;
357                     rg_instr_gen_res <= res;
358                 end
359             end
360             instr_reg_addr_gen_instr_val_0:
361             begin
362                 instr_gen_vals[0] <= ((instr_gen_vals[0] & (~ mask)) | (wdata & mask));

```

```

359     end
360   instr_reg_addr_gen_instr_val_1:
361     begin
362       instr_gen_vals[1] <= ((instr_gen_vals[1] & (~ mask)) | (wdata & mask));
363     end
364   instr_reg_addr_gen_instr_val_2:
365     begin
366       instr_gen_vals[2] <= ((instr_gen_vals[2] & (~ mask)) | (wdata & mask));
367     end
368   instr_reg_addr_gen_setpoint_val_0:
369     begin
370       instr_gen_setpoints[0] <= ((instr_gen_setpoints[0] & (~ mask)) | (wdata & mask)
371                                     ↪ );
372     end
373   instr_reg_addr_gen_setpoint_val_1:
374     begin
375       instr_gen_setpoints[1] <= ((instr_gen_setpoints[1] & (~ mask)) | (wdata & mask)
376                                     ↪ );
377     end
378   instr_reg_addr_gen_setpoint_val_2:
379     begin
380       instr_gen_setpoints[2] <= ((instr_gen_setpoints[2] & (~ mask)) | (wdata & mask)
381                                     ↪ );
382     end
383   instr_reg_addr_gen_res:
384     begin
385       val = rg_instr_gen_res;
386     end
387   endcase
388   return val;
389 endactionvalue;
390
391 // Actuation Generated
392 function ActionValue#(Bit#(32)) fn_actuation(Bit#(32) addr, Bit#(32) mask, Bit#(32) wdata)
393   = actionvalue
394   let val = 0;
395   case (addr)
396     actuation_reg_addr_gen_base:
397       begin
398         // base - trigger the actuation
399         Bool old = unpack(wdata[0]);
400         Vector#(3, Bit#(32)) trips = newVector;
401         trips[0] = actuation_trips[0];
402         trips[1] = actuation_trips[1];
403         trips[2] = actuation_trips[2];
404         // wdata[0] - value of 'old' argument
405         // wdata[1] - which actuator to actuate
406         if (wdata[1] == 0)
407           begin
408             // Actuate D0
409             rg_actuation_res <= zeroExtend( pack(actuation_gen.d0.actuate_d0(trips,
410                                               ↪ old)) );
411           end
412         else
413           begin
414             // Actuate D1
415             rg_actuation_res <= zeroExtend( pack(actuation_gen.d1.actuate_d1(trips,
416                                               ↪ old)) );
417           end
418       end
419   actuation_reg_addr_gen_trip_0:
420     begin
421       // Set value for trip value 0
422       actuation_trips[0] <= ((actuation_trips[0] & (~ mask)) | (wdata & mask));
423     end
424   actuation_reg_addr_gen_trip_1:

```

```

420
421     begin
422         // Set value for trip value 1
423         actuation_trips[1] <= ((actuation_trips[1] & (~ mask)) | (wdata & mask));
424     end
425     actuation_reg_addr_gen_trip_2:
426     begin
427         // Set value for trip value 2
428         actuation_trips[2] <= ((actuation_trips[2] & (~ mask)) | (wdata & mask));
429     end
430     actuation_reg_addr_gen_res:
431     begin
432         // Get actuation results
433         val = rg_actuation_res;
434     end
435 endcase
436 return val;
437 endactionvalue;
438 /**
439 * /////////////////////////////////
440 * State machine
441 * ///////////////////////////////
442 */
443 // default state: request a new instruction from m_imem_addr
444 rule stateReqI (state == REQ_I);
445     imem_bram.put(False, nerv.m_imem_addr [31:2], 0);
446     nerv.m_stall (True); // stall CPU until the fetch is done
447     rg_tick <= rg_tick + 1;
448     nerv.m_dmem_rdata (rg_dmem_rdata);
449     state <= PUSH_I;
450 endrule
451
452 // push the new instruction from the memory to the CPU
453 rule statePushI (state == PUSH_I);
454     nerv.m_imem_data (imem_bram.read());
455     if (nerv.m_dmem_valid)
456         state <= REQ_D;
457     else
458         state <= STOP;
459 endrule
460
461 // request data from a new data memory address
462 rule stateReqD (state == REQ_D);
463     dmem_bram.put(False, nerv.m_dmem_addr [31:2], 0);
464     state <= PUSH_D;
465 endrule
466
467 // push new data into the CPU
468 rule statePushD (state == PUSH_D);
469     let d_addr = nerv.m_dmem_addr;
470     let mem_data = dmem_bram.read();
471     let dmw = nerv.m_get_dmem;
472     let wstrb = dmw.wstrb;
473     let wdata = dmw.wdata;
474     let mask = {strb2byte (wstrb [3]),
475                 strb2byte (wstrb [2]),
476                 strb2byte (wstrb [1]),
477                 strb2byte (wstrb [0])};
478
479     let put_data = ((mem_data & (~ mask)) | (wdata & mask));
480     if (show_load_store)
481         $display ("DMem addr 0x%0h wstrb 0x%0h wdata 0x%0h mask 0x%0h put_data 0x%0h" ,
482                   d_addr[31:2], wstrb, wdata, mask, put_data);
483
484 // a priority encoder that takes the first arm whose condition is true.
485 case (True)

```

```

485 // GPIO update
486 (gpio_addr == d_addr):
487     put_data <- fn_gpio(mask, wdata);
488 // UART
489 (uart_reg_addr_tx <= d_addr && d_addr < i2c_reg_addr_base):
490     put_data <- fn_uart(d_addr, wdata);
491 // I2C
492 (i2c_reg_addr_base <= d_addr && d_addr < clock_reg_adrr_lower):
493     put_data <- fn_i2c(d_addr, mask, wdata);
494 // Clock
495 (clock_reg_addr_lower <= d_addr && d_addr < instr_reg_addr_hand_base):
496     put_data = fn_clock(d_addr);
497 // Instrumentation handwritten
498 (instr_reg_addr_hand_base <= d_addr && d_addr < instr_reg_addr_gen_base):
499     put_data <- fn_instrumentation_handwritten(d_addr, mask, wdata);
500 // Instrumentation generated
501 (instr_reg_addr_gen_base <= d_addr && d_addr < actuation_reg_addr_gen_base):
502     put_data <- fn_instrumentation_generated(d_addr, mask, wdata);
503 // Actuation Generated
504 (actuation_reg_addr_gen_base <= d_addr && d_addr <= io_top_addr):
505     put_data <- fn_actuation(d_addr, mask, wdata);
506 default:
507     // Regular memory read (no IO)
508     begin
509         dmem_bram.put(True, d_addr [31:2], put_data);
510     end
511 endcase
512 // RDATA are always updated
513 rg_dmem_rdata <= put_data;
514 state <= STOP;
515 endrule
516
517 rule stateStop (state == STOP);
518     nerv.m_dmem_rdata (rg_dmem_rdata);
519     nerv.m_stall (False); // un-stall the CPU
520     state <= REQ_I;
521 endrule
522
523 /**
524 * /////////////////////////////////
525 * Terminate if trapped
526 * /////////////////////////////////
527 */
528 rule trap;
529     if (nerv.m_trap)
530     begin
531         $display ("Trapped");
532         $finish(0);
533     end
534 endrule
535
536 /**
537 * /////////////////////////////////
538 * SOC Interface
539 * /////////////////////////////////
540 */
541 // set GPIO
542 method Bit #(8) gpio = rg_gpio[7:0];
543
544 // TX -> a byte to be send
545 method ActionValue#(Bit #(8)) get_uart_tx_byte () if (rg_uart_tx_data_ready);
546     begin
547         rg_uart_tx_data_ready <= False;
548         return rg_uart_tx;
549     end
550 endmethod

```

```

551
552 // Rx -> a byte to be received
553 method Action set_uart_rx_byte(Bit #(8) rx);
554 begin
555     rg_uart_rx_data_ready <= True;
556     rg_uart_rx <= rx;
557 end
558 endmethod
559
560 // I2C methods
561 method ActionValue #(I2CRequest) i2c_get_request () if (rg_i2c_transaction_ready);
562 begin
563     let r = I2CRequest {
564         write: unpack(rg_i2c_addr[0]),
565         address: rg_i2c_addr[7:0], // Unclear what this is for
566         slaveaddr: rg_i2c_addr[7:1],
567         data: rg_i2c_data[7:0]
568     };
569     rg_i2c_transaction_ready <= False;
570     return r;
571 end
572 endmethod
573
574 method Action i2c_give_response(I2CResponse r);
575 begin
576     rg_i2c_data <= signExtend(r.data);
577     rg_i2c_transaction_complete <= 1;
578 end
579 endmethod
580 endmodule
581
582 // =====
583
584 endpackage

```

Listing E.29: Listing Verilog Model of Actuation.

```

1 package Actuation;
2
3 import Vector :: *;
4
5 // Actuation interface
6 interface Actuation_IFC;
7     interface ActuationD0_IFC d0;
8     interface ActuationD1_IFC d1;
9 endinterface
10
11 interface ActuationD0_IFC;
12     (* always_ready *)
13     method Bool actuate_d0 (Vector#(3, Bit#(32)) trips,
14                             Bool old);
15 endinterface
16
17 interface ActuationD1_IFC;
18     (* always_ready *)
19     method Bool actuate_d1 (Vector#(3, Bit#(32)) trips,
20                             Bool old);
21 endinterface
22
23 endpackage

```

Listing E.30: Listing Verilog Model of Instrumentation\_Generated\_BVI.

```

1 package Instrumentation_Generated_BVI;

```

```

2
3 import Clocks :: *;
4 import Instrumentation::*;
5
6 (* synthesize *)
7 module mkInstrumentationGenerated(Instrumentation_IFC);
8     ChannelTripped_IFC i_channel <- mkInstrGeneratedIsChannelTripped();
9     SensorTrips_IFC i_sensors <- mkInstrGeneratedGenerateSensorTrips();
10
11     interface ChannelTripped_IFC channel;
12         method is_channel_tripped = i_channel.is_channel_tripped();
13     endinterface
14     interface SensorTrips_IFC sensors;
15         method generate_sensor_trips = i_sensors.generate_sensor_trips();
16     endinterface
17 endmodule
18
19 import "BVI" Is_Ch_Tripped_Generated =
20 module mkInstrGeneratedIsChannelTripped (ChannelTripped_IFC);
21     default_clock ();
22     default_reset ();
23
24     method out is_channel_tripped (mode, sensor_tripped);
25         schedule (is_channel_tripped) CF (is_channel_tripped);
26     endmodule
27
28 import "BVI" Generate_Sensor_Trips_Generated =
29 module mkInstrGeneratedGenerateSensorTrips (SensorTrips_IFC);
30     default_clock ();
31     default_reset ();
32
33     method out generate_sensor_trips (vals, setpoints);
34         schedule (generate_sensor_trips) CF (generate_sensor_trips);
35     endmodule
36
37 endpackage

```

## E.9 ACSL Model

### E.9.1 ACSL Model of the Actuation Unit

Listing E.31: Listing C Model of models.

```

1 #ifndef MODELS_ACSL_
2 #define MODELS_ACSL_
3 #include <stdint.h>
4
5 /* axiomatic Actuator {
6
7     // Refines RTS::Actuator::ActuateActuator
8     logic boolean ActuateActuator(uint8_t input) =
9         ((input & 0x1) != 0) || ((input & 0x2) != 0);
10    }
11
12    axiomatic ActuationUnit {
13
14        // Refines RTS::ActuationUnit::Coincidence_2_4
15        logic boolean Coincidence_2_4(uint8_t *trips) =
16            \let a = trips[0] != 0;
17            \let b = trips[1] != 0;
18            \let c = trips[2] != 0;
19            \let d = trips[3] != 0;

```

```

20     (a&&b) || ((a||b) && (c||d)) || (c&&d);
21
22 // Refines RTS::ActuationUnit::Actuate_D0
23 logic boolean Actuate_D0(uint8_t *tripsT, uint8_t *tripsP, uint8_t *tripsS, boolean old) =
24     Coincidence_2_4(tripsT) || Coincidence_2_4(tripsP) || old;
25
26 // Refines RTS::ActuationUnit::Actuate_D1
27 logic boolean Actuate_D1(uint8_t *tripsT, uint8_t *tripsP, uint8_t *tripsS, boolean old) =
28     Coincidence_2_4(tripsS) || old;
29
30 }
31
32
33 axiomatic Instrumentation {
34
35 // Refines RTS::InstrumentationUnit::Trip
36 logic boolean Trip(uint32_t *vals, uint32_t *setpoints, integer channel) =
37     channel == 2 ? ((int)vals[channel] < (int)setpoints[channel])
38         : (setpoints[channel] < vals[channel]);
39
40 // Refines RTS::InstrumentationUnit::Generate_Sensor_Trips
41 logic integer Generate_Sensor_Trips(uint32_t *vals, uint32_t *setpoints) =
42     \let t = Trip(vals, setpoints, T);
43     \let p = Trip(vals, setpoints, P);
44     \let s = Trip(vals, setpoints, S);
45     (t ? 1 : 0) + (p ? 2 : 0) + (s ? 4 : 0);
46
47 // Refines RTS::InstrumentationUnit::Is_Ch_Tripped
48 logic boolean Is_Ch_Tripped(integer mode, boolean tripped) =
49     (mode == 2) || ((mode == 1) && tripped);
50
51 }
52 */
53 #endif

```

Listing E.32: Various common definitions.

```

1 #ifndef COMMON_H_
2 #define COMMON_H_
3
4 #include <stdint.h>
5
6 /////////////////////////////////
7 // Constants derived from architecture and Cryptol model //
8 ///////////////////////////////
9
10 // Instrumentation
11 // Trip modes:
12 #define NINSTR 4
13 #define NMODES 3
14 #define BYPASS 0
15 #define OPERATE 1
16 #define TRIP 2
17
18 // Command Types
19 #define SET_MODE 0
20 #define SET_MAINTENANCE 1
21 #define SET_SETPOINT 2
22
23 // Channel/Trip signal IDs
24 #define NTRIP 3
25 #define T 0
26 #define P 1
27 #define S 2
28
29 // Actuation

```

```

30 #define NVOTE_LOGIC 2
31 #define NDEV 2
32
33 // Core
34 // Command Types
35 #define INSTRUMENTATION_COMMAND 0
36 #define ACTUATION_COMMAND 1
37
38 #define BIT(_test, _value) ((_test) ? (0x8 | (_value)) : _value)
39 #define VALID(_value) (!(_value & 0x8))
40 #define VAL(_value) (_value & 0x1)
41
42 #define NLINES 21
43 #define LINELENGTH 64
44 ///////////////////////////////////////////////////////////////////
45 // RTS Command Definitions //
46 ///////////////////////////////////////////////////////////////////
47
48 // Instrumentation
49 struct set_mode {
50     uint8_t channel;
51     uint8_t mode_val;
52 };
53 struct set_maintenance {
54     uint8_t on;
55 };
56 struct set_setpoint {
57     uint8_t channel;
58     uint32_t val;
59 };
60 struct instrumentation_command {
61     uint8_t type;
62     uint8_t valid;
63     union {
64         struct set_mode mode;
65         struct set_maintenance maintenance;
66         struct set_setpoint setpoint;
67     } cmd;
68 };
69
70 // Actuation
71 struct actuation_command {
72     uint8_t device;
73     uint8_t on;
74 };
75
76 // Root command structure
77 struct rts_command {
78     uint8_t type;
79     uint8_t instrumentation_division;
80     union {
81         struct instrumentation_command instrumentation;
82         struct actuation_command act;
83     } cmd;
84 };
85
86 // Redefine variable bit-width types:
87 #define _ExtInt_1 char
88 #define _ExtInt_2 char
89 #define _ExtInt_3 char
90 #define _ExtInt_4 char
91 #define _ExtInt_6 char
92 #define _ExtInt_8 char
93 #define _ExtInt_32 int
94 #define _ExtInt(w) _ExtInt_##w
95

```

```

96 // Generate names for implementation variants
97 #define VARIANT(source,lang,f) VARIANT_IMPL(source,lang,f)
98 #define VARIANT_IMPL(source,lang,f) f ## _ ## source ## _ ## lang
99 #define VARIANT_IMPL2(source,lang,f) source ## lang ## f
100 #endif // COMMON_H

```

Listing E.33: Various core definitions.

```

1 #ifndef CORE_H_
2 #define CORE_H_
3
4 #include "common.h"
5
6 #ifndef SELF_TEST_PERIOD_SEC
7 #define SELF_TEST_PERIOD_SEC 20
8 #endif
9
10 #define NDIVISIONS 4
11
12 #ifndef T_THRESHOLD // degrees F
13 #define T_THRESHOLD 3
14 #endif
15
16 #ifndef P_THRESHOLD // 10^-5 lb/in^2
17 #define P_THRESHOLD 100
18 #endif
19
20 struct ui_values {
21     uint32_t values[NDIVISIONS][NTRIP];
22     uint8_t bypass[NDIVISIONS][NTRIP];
23     uint8_t trip[NDIVISIONS][NTRIP];
24     uint8_t maintenance[NDIVISIONS];
25     char display[NLINES][LINELENGTH+1];
26
27     uint8_t actuators[2][NDEV];
28 };
29
30 struct test_state {
31     uint32_t test;
32     uint32_t test_timer_start;
33     uint8_t self_test_running;
34     uint8_t self_test_expect;
35     uint8_t failed;
36
37     uint8_t test_device_result[2];
38
39     uint8_t test_instrumentation[2];
40     uint8_t test_actuation_unit;
41     uint8_t test_device;
42
43     uint8_t test_instrumentation_done[4];
44     uint8_t test_actuation_unit_done[2];
45     uint8_t test_device_done[2];
46
47     uint32_t test_setpoints[4][3];
48     uint32_t test_inputs[4][2];
49
50     uint8_t actuation_old_vote;
51 };
52
53 struct core_state {
54     struct ui_values ui;
55     struct test_state test;
56     uint8_t error;
57 };

```

```

58
59     extern struct core_state core;
60
61     int set_display_line(struct ui_values *ui, uint8_t line_number, char *display, uint32_t size
62         ↵ );
63
64     void core_init(struct core_state *core);
65     int core_step(struct core_state *core);
66
67 #endif // CORE_H_

```

Listing E.34: The actuate interface.

```

1 #ifndef ACTUATE_H_
2 #define ACTUATE_H_
3
4 #include <stdint.h>
5 #include "models.acsl"
6
7 // Combine the votes from both actuate logic components
8 // and tell the hardware device to actuate (or unactuate)
9 int actuate_devices(void);
10
11 // Return whether or not a device with the provided votes should be actuated
12 // Bit i = vote by logic unit i
13 // This function is generated directly from the Cryptol model
14 /*@ assigns \nothing;
15     @ ensures \result == 0 || \result == 1;
16     @ ensures \result == 1 <==> ((vs & 0x01) || (vs & 0x02));
17     @ ensures ActuateActuator(vs) <==> \result == 1;
18 */
19 uint8_t ActuateActuator(uint8_t vs);
20
21 int actuate_devices_generated_C(void);
22
23 #endif // ACTUATE_H_

```

Listing E.35: Interface of the actuation logic.

```

1 #ifndef ACTUATION_H_
2 #define ACTUATION_H_
3
4 #include "stdint.h"
5 #include "common.h"
6 #include "instrumentation.h"
7 #include "core.h"
8 #include "models.acsl"
9
10 /*@requires \valid(&strips[0.. NINSTR - 1]);
11    @assigns \nothing;
12    @ensures (\result != 0) <==> Coincidence_2_4(trips);
13 */
14 uint8_t Coincidence_2_4(uint8_t trips[4]);
15
16 /*@requires \valid(&strips[0.. NTRIP - 1][0.. NINSTR - 1]);
17    @requires \valid(trips + (0.. NTRIP-1));
18    @assigns \nothing;
19    @ensures (\result != 0) <==> Actuate_D0(&strips[T][0], &strips[P][0], &strips[S][0], old != 0);
20 */
21 uint8_t Actuate_D0(uint8_t trips[3][4], uint8_t old);
22
23 /*@requires \valid(&strips[0.. NTRIP-1][0.. NINSTR-1]);
24    @requires \valid(trips + (0.. NTRIP-1));
25    @assigns \nothing;
26    @ensures (\result != 0) <==> Actuate_D1(&strips[T][0], &strips[P][0], &strips[S][0], old != 0);
27 */

```

```

28 uint8_t Actuate_D1(uint8_t trips[3][4], uint8_t old);
29
30 struct actuation_logic {
31     uint8_t vote_actuate[NDEV];
32     uint8_t manual_actuate[NDEV];
33 };
34
35 extern struct actuation_logic actuation_logic[2];
36
37 /* The main logic of the actuation unit */
38
39 /*@requires \valid(state);
40    @requires logic_no <= 1;
41    @assumes state->manual_actuate[0.. NDEV-1];
42    @assumes state->vote_actuate[0.. NDEV-1];
43    @assumes core.test.actuation_old_vote;
44    @assumes core.test.test_actuation_unit_done[logic_no];
45 */
46 int actuation_unit_step(uint8_t logic_no, struct actuation_logic *state);
47
48 #endif // ACTUATION_H

```

Listing E.36: Instrumentation definitions.

```

1 #ifndef INSTRUMENTATION_H_
2 #define INSTRUMENTATION_H_
3
4 #include "common.h"
5 #include "core.h"
6 #include "models.acsl"
7
8 #define ShouldTrip(_vals, _setpoints, _ch) \
9   (((_ch == T && _vals[T] > _setpoints[T]) \ 
10    || (_ch == P && _vals[P] > _setpoints[P]) \ 
11    || (_ch == S && (int)_vals[S] < (int)_setpoints[S]))
12
13 /*@ assigns \nothing; */
14 uint32_t Saturation(uint32_t x, uint32_t y);
15
16 /*@requires \valid(vals + (0.. NTRIP-1));
17    @requires \valid(setpoints + (0.. NTRIP-1));
18    @assumes \nothing;
19    @ensures \result == (uint8_t)Generate_Sensor_Trips(vals, setpoints);
20 */
21 uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3]);
22
23 /*@requires \valid(vals + (0.. NTRIP-1));
24    @requires \valid(setpoints + (0.. NTRIP-1));
25    @requires ch < NTRIP;
26    @assumes \nothing;
27    @ensures \result == 0 || \result == 1;
28    @ensures (\result == 1) <==> Trip(vals, setpoints, ch);
29 */
30 uint8_t Trip(uint32_t vals[3], uint32_t setpoints[3], uint8_t ch);
31
32 /*@requires mode < NMODES;
33    @requires trip <= 1;
34    @assumes \nothing;
35    @ensures (\result != 0) <==> Is_Ch_Tripped(mode, trip != 0);
36 */
37 uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip);
38
39 struct instrumentation_state {
40     uint32_t reading[NTRIP];
41     uint32_t test_reading[NTRIP];
42     uint32_t setpoints[NTRIP];

```

```

43     uint8_t sensor_trip[NTRIP];
44     uint8_t mode[NTRIP];
45     uint8_t maintenance;
46     uint8_t test_complete;
47 };
48
49 void instrumentation_init(struct instrumentation_state *state);
50
51 /*@requires \valid(state);
52  @requires \valid(state->reading + (0.. NTRIP-1));
53  @requires \valid(state->test_reading + (0.. NTRIP-1));
54  @requires \valid(state->setpoints + (0.. NTRIP-1));
55  @requires \valid(state->sensor_trip + (0.. NTRIP-1));
56  @requires state->mode[T] \in {BYPASS, OPERATE, TRIP};
57  @requires state->mode[P] \in {BYPASS, OPERATE, TRIP};
58  @requires state->mode[S] \in {BYPASS, OPERATE, TRIP};
59  @requires div < NTRIP;
60  @assigns state->reading[0.. NTRIP-1];
61  @assigns state->test_reading[0.. NTRIP-1];
62  @assigns state->setpoints[0.. NTRIP-1];
63  @assigns state->sensor_trip[0.. NTRIP-1];
64  @assigns state->maintenance;
65  @assigns state->mode[0.. NTRIP-1];
66  @assigns core.test.test_instrumentation_done[div];
67  @ensures state->mode[T] \in {BYPASS, OPERATE, TRIP};
68  @ensures state->mode[P] \in {BYPASS, OPERATE, TRIP};
69  @ensures state->mode[S] \in {BYPASS, OPERATE, TRIP};
70 */
71 int instrumentation_step(uint8_t div, struct instrumentation_state *state);
72
73 #endif // INSTRUMENTATION_H_

```

Listing E.37: Listing Interface Model of platform.

```

1 #ifndef PLATFORM_H_
2 #define PLATFORM_H_
3 #include <stdint.h>
4
5 #include "common.h"
6 #include "core.h"
7 #include "instrumentation.h"
8 #include "actuation_logic.h"
9
10 // channel -> sensor # -> val
11 extern uint32_t sensors[2][2];
12 // channel -> sensor # -> demux output # -> val
13 extern uint32_t sensors_demux[2][2][2];
14
15 extern uint8_t trip_signals[NTRIP][4];
16 extern struct instrumentation_command inst_command_buf[4];
17
18 extern uint8_t actuator_state[NDEV];
19 extern uint8_t device_actuation_logic[2][NDEV];
20 extern struct actuation_command *act_command_buf[2];
21
22 //EI mode:
23 // mode = 0 => no error
24 // mode = 1 => error
25 // mode = 2 => nondet error
26 extern uint8_t error_instrumentation_mode[NINSTR];
27 extern uint8_t error_instrumentation[NINSTR];
28 // ES ch mode:
29 // mode = 0 => no error
30 // mode = 1 => demux error (out 0)
31 // mode = 2 => demux error (out 1)
32 // mode = 3 => sensor error (error in both demux outs)

```

```

33 // mode = 4 => nondet sensor error
34 // mode = 5 => nondet demux error
35 extern uint8_t error_sensor_mode[2][2];
36 extern uint8_t error_sensor[2][2];
37 extern uint8_t error_sensor_demux[2][2][2];
38
39 #ifdef DEBUG
40 #define DEBUG_PRINTF(X) printf X
41 #else
42 #define DEBUG_PRINTF(X)
43 #endif
44
45 #ifdef PLATFORM_HOST
46 #include <assert.h>
47 #define ASSERT(x) assert(x)
48 #else
49 #define ASSERT(x)
50 #endif // PLATFORM_HOST
51
52 #if defined(PLATFORM_HOST) && defined(USE_PTHREADS)
53 #include <pthread.h>
54 extern pthread_mutex_t display_mutex;
55 extern pthread_mutex_t mem_mutex;
56 #define MUTEX_LOCK(x) pthread_mutex_lock(x)
57 #define MUTEX_UNLOCK(x) pthread_mutex_unlock(x)
58 #else
59 #define MUTEX_LOCK(x)
60 #define MUTEX_UNLOCK(x)
61 #endif // defined(PLATFORM_HOST) && defined(USE_PTHREADS)
62
63 ///////////////////////////////////////////////////////////////////
64 // Reading signals and values //
65 ///////////////////////////////////////////////////////////////////
66
67 /*@requires \valid(val);
68  * @requires div < NINSTR;
69  * @requires channel < NTRIP;
70  * @assigns *val;
71  * @ensures -1 <= \result <= 0;
72  * @ensures \result == 0 ==> *val <= 0x80000000;
73 */
74 int read_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val);
75
76 int get_instrumentation_value(uint8_t division, uint8_t ch, uint32_t *value);
77 int get_instrumentation_trip(uint8_t division, uint8_t ch, uint8_t *value);
78 int get_instrumentation_mode(uint8_t division, uint8_t ch, uint8_t *value);
79 int get_instrumentation_maintenance(uint8_t division, uint8_t *value);
80
81 // Reading actuation signals
82 /*@ requires i <= 1;
83  * @ requires device < NDEV;
84  * @ requires \valid(value);
85  * @ assigns *value;
86  * @ ensures (\result == 0) ==> (*value == 0 || *value == 1);
87  * @ ensures (\result != 0) ==> (*value == \old(*value));
88 */
89 int get_actuation_state(uint8_t i, uint8_t device, uint8_t *value);
90
91 /*@requires \valid(&arr[0.. NTRIP-1][0.. NINSTR-1]);
92  * @assigns *(arr[0.. NTRIP-1]+(0.. NINSTR-1));
93 */
94 int read_instrumentation_trip_signals(uint8_t arr[3][4]);
95
96 ///////////////////////////////////////////////////////////////////
97 // Setting output signals //
98 ///////////////////////////////////////////////////////////////////

```

```

99
100 int reset_actuation_logic(uint8_t logic_no, uint8_t device_no, uint8_t reset_val);
101
102 /*@requires logic_no < NVOTE_LOGIC;
103   @requires device_no < NDEV;
104   @assigns \nothing; // Not entirely true, but we'll never mention that state
105   @ensures -1 <= \result <= 0;
106 */
107 int set_output_actuation_logic(uint8_t logic_no, uint8_t device_no, uint8_t on);
108
109 /*@requires division < NINSTR;
110   @requires channel < NTRIP;
111   @assigns \nothing; // Not entirely true, but we'll never mention that state
112 */
113 int set_output_instrumentation_trip(uint8_t division, uint8_t channel, uint8_t val);
114
115 /*@ requires device_no <= 1;
116   @ assigns \nothing;
117 */
118 int set_actuate_device(uint8_t device_no, uint8_t on);
119
120 ///////////////////////////////////////////////////////////////////
121 // Sending commands between components //
122 ///////////////////////////////////////////////////////////////////
123 /**
124 * Read RTS command from the user
125 * Platform specific
126 */
127 int read_rts_command(struct rts_command *cmd);
128
129 /* Communicate with instrumentation division */
130
131 /*@requires division < NINSTR;
132   @requires \valid(cmd);
133   @assigns cmd->type, cmd->cmd;
134   @ensures -1 <= \result <= 1;
135 */
136 int read_instrumentation_command(uint8_t division, struct instrumentation_command *cmd);
137
138 /*@requires division < NINSTR;
139   @requires \valid(cmd);
140   @assigns \nothing; // not entirely true, but we'll never mention that state
141   @ensures -1 <= \result <= 0;
142 */
143 int send_instrumentation_command(uint8_t division, struct instrumentation_command *cmd);
144
145 /**
146 * Read external command, setting *cmd. Does not block.
147 * Platform specific
148 */
149 /*@requires \valid(cmd);
150   @assigns cmd->on;
151   @assigns cmd->device;
152   @ensures -1 <= \result <= 1;
153 */
154 int read_actuation_command(uint8_t id, struct actuation_command *cmd);
155
156 /**
157 * Physically set actuator to a new value
158 * Platform specific
159 */
160 int send_actuation_command(uint8_t actuator,
161                           struct actuation_command *cmd);
162
163 ///////////////////////////////////////////////////////////////////
164

```

```

165 // Self Test state //
166 ///////////////////////////////////////////////////////////////////
167
168 /*@ assigns \nothing; */
169 uint8_t is_test_running(void);
170
171 /*@ assigns \nothing; */
172 void set_test_running(int val);
173
174 /*@ assigns \nothing;
175   @ ensures \result < NDEV;
176 */
177 uint8_t get_test_device(void);
178
179 /*@ requires \valid(id) && \valid(&id[1]);
180   @ assigns id[0], id[1];
181   @ ensures id[0] < NINSTR;
182   @ ensures id[1] < NINSTR;
183 */
184 void get_test_instrumentation(uint8_t *id);
185
186 /*@ requires \valid(setpoints + (0.. NTRIP-1));
187   @ requires id < NINSTR;
188   @ assigns setpoints[0.. NTRIP-1];
189   @ ensures -1 <= \result <= 0;
190 */
191 int get_instrumentation_test_setpoints(uint8_t id, uint32_t *setpoints);
192
193 /*@ requires div < NINSTR;
194   @ assigns core.test.test_instrumentation_done[div];
195   @ ensures core.test.test_instrumentation_done[div] == v;
196 */
197 void set_instrumentation_test_complete(uint8_t div, int v);
198
199 /*@ requires id < NINSTR;
200   @ assigns \nothing;
201 */
202 int is_instrumentation_test_complete(uint8_t id);
203
204 /*@ requires div < NINSTR;
205   @ requires channel < NTRIP;
206   @ requires \valid(val);
207   @ assigns *val;
208   @ ensures -1 <= \result <= 0;
209 */
210 int read_test_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val);
211
212 /*@ assigns \nothing;
213   @ ensures \result < NVOTE_LOGIC;
214 */
215 uint8_t get_test_actuation_unit(void);
216
217 // NOTE: this is actually never used (only in 'bottom.c')
218 int is_actuation_unit_under_test(uint8_t id);
219
220 /*@ requires div < NVOTE_LOGIC;
221   @ assigns core.test.test_actuation_unit_done[div];
222   @ ensures core.test.test_actuation_unit_done[div] == v;
223 */
224 void set_actuation_unit_test_complete(uint8_t div, int v);
225
226 /*@ requires id < NVOTE_LOGIC;
227   @ assigns core.test.actuation_old_vote;
228   @ ensures core.test.actuation_old_vote == v;
229 */
230 void set_actuation_unit_test_input_vote(uint8_t id, int v);

```

```

231 /*@ requires id < NVOTE_LOGIC;
232  * @ assigns \nothing;
233  */
234 int is_actuation_unit_test_complete(uint8_t id);
235
236 /*@ requires dev < NDEV;
237  * @ assigns core.test.test_device_result[dev];
238  * @ ensures core.test.test_device_result[dev] == result;
239  */
240 void set_actuate_test_result(uint8_t dev, uint8_t result);
241
242 /*@ requires dev < NDEV;
243  * @ assigns core.test.test_device_done[dev];
244  * @ ensures core.test.test_device_done[dev] == v;
245  */
246 void set_actuate_test_complete(uint8_t dev, int v);
247
248 /*@ requires dev < NDEV;
249  * @ assigns \nothing;
250  */
251 int is_actuate_test_complete(uint8_t dev);
252
253 ///////////////////////////////////////////////////////////////////
254 // General Utilities //
255 ///////////////////////////////////////////////////////////////////
256
257 /**
258  * Return uptime in seconds
259  * Platform specific
260  */
261 uint32_t time_in_s(void);
262
263 /**
264  * Update user display
265  * Platform specific
266  */
267 void update_display(void);
268
269 /**
270  * Poll sensors for new values
271  * Platform specific
272  */
273 void update_sensors(void);
274
275 #endif // PLATFORM_H_

```

Listing E.38: Listing Interface of RTS.

```

1 #ifndef RTS_H_
2 #define RTS_H_
3 #include <stdint.h>
4
5 #include "instrumentation.h"
6 #include "actuation_logic.h"
7 #include "actuate.h"
8
9 typedef uint32_t sensor_reading_t;
10
11 #endif // RTS_H_

```

Listing E.39: Listing Interface Model of sense\_actuate.

```

1 #ifndef SENSE_ACTUATE_H_

```

```

2 #define SENSE_ACTUATE_H_
3
4 #include "common.h"
5 #include "instrumentation.h"
6 #include "actuation_logic.h"
7
8 /* Initialize state for core 'core_id'.
9  * requires instrumentation is an array of NINSTRUMENTATION/NCORE_ID instrumentation structs
10 * requires actuation_logic is an array of NACTUATION_LOGIC/NCORE_ID actuation_logic structs
11 * returns < 0 on error
12 */
13 int sense_actuate_init(int core_id,
14     struct instrumentation_state *instrumentation,
15     struct actuation_logic *actuation);
16
17 /* Advance state for core 'core_id'.
18  * requires instrumentation is an array of NINSTRUMENTATION/NCORE_ID instrumentation structs
19  * requires actuation_logic is an array of NACTUATION_LOGIC/NCORE_ID actuation_logic structs
20 * returns < 0 on error
21 */
22 int sense_actuate_step_0(struct instrumentation_state *instrumentation,
23     struct actuation_logic *actuation);
24 int sense_actuate_step_1(struct instrumentation_state *instrumentation,
25     struct actuation_logic *actuation);
26
27 #endif // SENSE_ACTUATE_H_

```

## Appendix F

# Software Implementation

Listing F.1: C implementation of rv32\_main.

```
1  /**
2  * Main program entry for RTS
3  */
4 // System includes
5 #include <stdint.h>
6 #include <stdlib.h>
7 #include <string.h>
8
9 // Board includes
10 #include "bsp.h"
11 #include "printf.h"
12
13 // RTS includes
14 #include "common.h"
15 #include "core.h"
16 #include "instrumentation.h"
17 #include "actuation_logic.h"
18 #include "sense_actuate.h"
19 #include "platform.h"
20 #include "actuation_logic.h"
21
22 extern struct instrumentation_state instrumentation[4];
23
24 void update_display()
25 {
26 #if CLEAR_SCREEN
27     // This starts printing from the top of the screen
28     printf("\e[s\e[1;1H");//\e[2J");
29 #endif
30     for (int line = 0; line < NLINES; ++line) {
31 #if CLEAR_SCREEN
32     printf("\e[OK");
33 #endif
34     printf("%s%s", core.ui.display[line], line == NLINES-1 ? "" : "\n");
35     }
36 #if CLEAR_SCREEN
37     printf("\e[u");
38 #endif
39 }
40
41 int read_rts_command(struct rts_command *cmd)
42 {
```

```

43     int ok = 0;
44 #ifndef ENABLE_SELF_TEST
45     const char delimiter[2] = " ";
46     char line[254] = {0};
47     char *token = NULL;
48     int linelen = 0;
49
50     printf("\nEnter command and press enter:\n");
51     memset(line, 0, sizeof(line));
52     for (unsigned int i = 0; i < sizeof(line); i++) {
53         line[i] = soc_getchar();
54         linelen = i;
55         if (line[i] == 0 || line[i] == '\n') {
56             break;
57         }
58     }
59     printf(">>>%s<<<[%d]\n", line, linelen);
60
61 #if CLEAR_SCREEN
62     printf("\e[%d;1H\e[2K", NLINES+1);
63 #endif
64
65     if (linelen < 4) {
66         // Too short to be a valid command. "A 1\n" is the shortest command
67         return ok;
68     }
69
70     /* get the first token */
71     printf("About to call strtok\n");
72     token = strtok(line, delimiter);
73     printf("strtok called\n");
74
75     if (token != NULL) {
76         printf("Command = %s\n", token);
77         switch (token[0]) {
78             case 'A':
79                 cmd->type = ACTUATION_COMMAND;
80                 // "A %hd %hd", &device, &on
81                 token = strtok(NULL, delimiter);
82                 if (token != NULL) {
83                     printf("cmd->cmd.act.device = %s\n", token);
84                     cmd->cmd.act.device = (uint8_t)atoi(token);
85                     token = strtok(NULL, delimiter);
86                     if (token != NULL) {
87                         printf("cmd->cmd.act.on = %s\n", token);
88                         cmd->cmd.act.on = (uint8_t)atoi(token);
89                         printf("ACTUATION_COMMAND dev=%u on=%u\n",
90                                cmd->cmd.act.device, cmd->cmd.act.on);
91                         ok = 1;
92                     }
93                 }
94                 break;
95             case 'M':
96                 cmd->type = INSTRUMENTATION_COMMAND;
97                 cmd->cmd.instrumentation.type = SET_MAINTENANCE;
98                 // "M %hd %hd", &div, &on
99                 token = strtok(NULL, delimiter);
100                if (token != NULL) {
101                    printf("cmd->instrumentation_division = %s\n", token);
102                    cmd->instrumentation_division = (uint8_t)atoi(token);
103                    token = strtok(NULL, delimiter);
104                    if (token != NULL) {
105                        printf("cmd->cmd.instrumentation.cmd.maintenance.on = %s\n", token);
106                        cmd->cmd.instrumentation.cmd.maintenance.on = (uint8_t)atoi(token);
107                        printf("INSTRUMENTATION_COMMAND MAINTENANCE div=%u on=%u\n",
108                               cmd->instrumentation_division,

```

```

109         cmd->cmd.instrumentation.cmd.maintenance.on);
110     ok = 1;
111 }
112 }
113 break;
114 case 'B':
115     cmd->type = INSTRUMENTATION_COMMAND;
116     cmd->cmd.instrumentation.type = SET_MODE;
117 // "B %hd %hd %hd", &div, &ch, &mode
118     token = strtok(NULL, delimiter);
119     if (token != NULL) {
120         printf("cmd->instrumentation.division = %s\n",token);
121         cmd->instrumentation.division = (uint8_t)atoi(token);
122         token = strtok(NULL, delimiter);
123         if (token != NULL) {
124             printf("cmd->cmd.instrumentation.cmd.mode.channel = %s\n",token);
125             cmd->cmd.instrumentation.cmd.mode.channel = (uint8_t)atoi(token);
126             token = strtok(NULL, delimiter);
127             if (token != NULL) {
128                 printf("cmd->cmd.instrumentation.cmd.mode.mode_val = %s\n",token);
129                 cmd->cmd.instrumentation.cmd.mode.mode_val = (uint8_t)atoi(token);
130                 printf("INSTRUMENTATION_COMMAND MODE div=%u channel=%u mode=%u\n",
131                         cmd->instrumentation.division,
132                         cmd->cmd.instrumentation.cmd.mode.channel,
133                         cmd->cmd.instrumentation.cmd.mode.mode_val);
134             ok = 1;
135         }
136     }
137 }
138 break;
139 case 'S':
140     cmd->type = INSTRUMENTATION_COMMAND;
141     cmd->cmd.instrumentation.type = SET_SETPOINT;
142 // "S %hd %hd %d", &div, &ch, &val
143     token = strtok(NULL, delimiter);
144     if ((token != NULL) && (token[0] != '\n')) {
145         printf("cmd->instrumentation.division = %s\n",token);
146         cmd->instrumentation.division = (uint8_t)atoi(token);
147         token = strtok(NULL, delimiter);
148         if ((token != NULL) && (token[0] != '\n')) {
149             printf("cmd->cmd.instrumentation.cmd.setpoint.channel = %s\n",token);
150             cmd->cmd.instrumentation.cmd.setpoint.channel = (uint8_t)atoi(token);
151             token = strtok(NULL, delimiter);
152             if ((token != NULL) && (token[0] != '\n')) {
153                 printf("cmd->cmd.instrumentation.cmd.setpoint.val = %s\n",token);
154                 cmd->cmd.instrumentation.cmd.setpoint.val = (uint32_t)atoi(token);
155                 printf("INSTRUMENTATION_COMMAND SETPOINT div=%u channel=%u val=%u\n",
156                         cmd->instrumentation.division,
157                         cmd->cmd.instrumentation.cmd.setpoint.channel,
158                         cmd->cmd.instrumentation.cmd.setpoint.val);
159             ok = 1;
160         }
161     }
162 }
163 break;
164 default:
165     break;
166 }
167 }
168 #endif /* #ifndef ENABLE_SELF_TEST */
169     return ok;
170 }
171
172 uint32_t get_sensor_data(uint8_t sensor_addr)
173 {
174     uint32_t data = 0;

```

```

175     uint32_t addr = 0;
176     uint32_t result = 0;
177     uint8_t intermidiate = 0;
178
179     // run 4 times to get all 32bits of uint32_t value
180     for (uint8_t i = 0; i < 4; i++)
181     {
182         data = i;
183         // Set data pointer reg
184         write_reg(I2C_REG_DATA, data);
185         // Set write addr
186         addr = (sensor_addr << 1) | 0x1;
187         write_reg(I2C_REG_ADDR, addr);
188         // Wait for transaction to finish
189         while (read_reg(I2C_REG_STATUS) != 1) {
190             ;;
191         }
192         // Set read addr
193         addr = (sensor_addr << 1);
194         write_reg(I2C_REG_ADDR, addr);
195         // Wait for transaction to finish
196         while (read_reg(I2C_REG_STATUS) != 1) {
197             ;;
198         }
199         // Update the result
200         intermidiate = read_reg(I2C_REG_DATA);
201         result = result | ( intermidiate << i*8);
202     }
203     return result;
204 }
205
206 void update_sensors(void)
207 {
208     uint32_t val0, val1;
209     val0 = get_sensor_data(TEMP_0_I2C_ADDR);
210     val1 = get_sensor_data(TEMP_1_I2C_ADDR);
211     sensors_demux[0][T][0] = val0;
212     sensors_demux[0][T][1] = val1;
213     sensors_demux[1][T][0] = val0;
214     sensors_demux[1][T][1] = val1;
215
216     val0 = get_sensor_data(PRESSURE_0_I2C_ADDR);
217     val1 = get_sensor_data(PRESSURE_1_I2C_ADDR);
218     sensors_demux[0][P][0] = val0;
219     sensors_demux[0][P][1] = val1;
220     sensors_demux[1][P][0] = val0;
221     sensors_demux[1][P][1] = val1;
222 }
223
224 /**
225 * Read external command, setting *cmd. Does not block.
226 * Platform specific
227 */
228 int read_actuation_command(uint8_t id, struct actuation_command *cmd) {
229     cmd->device = id;
230     cmd->on = (uint8_t) (read_reg(GPIO_REG) & (id+1));
231     DEBUG_PRINTF("<main.c> read_actuation_command: cmd->device=%u, cmd->on=%u\n", cmd->device,
232                  cmd->on);
233     return 1;
234 }
235
236 /**
237 * Physically set actuator to a new value
238 * Platform specific
239 */
239 int send_actuation_command(uint8_t id, struct actuation_command *cmd)

```

```

240 {
241     DEBUG_PRINTF(("<main.c> send_actuation_command, id=%u, cmd->device=%u, cmd->on=%u\n",id,
242             → cmd->device,cmd->on));
243     if ((id < 2) && (cmd->on < 2) ) {
244         uint32_t gpio_val = read_reg(GPIO_REG);
245         if (id == 0) {
246             // Set the actuator bit to zero
247             gpio_val = gpio_val & 0xFFFFFFFF;
248             // Set the actuator bit to cmd->on value
249             gpio_val = gpio_val | cmd->on;
250         }
251         else {
252             // id == 1
253             // Set the actuator bit to zero
254             gpio_val = gpio_val & 0xFFFFFFF;
255             // Set the actuator bit to cmd->on value
256             // Bit shift by one left
257             gpio_val = gpio_val | (cmd->on << 1);
258         }
259         write_reg(GPIO_REG, gpio_val);
260         return 0;
261     }
262     return -1;
263 }
264 int main(void)
265 {
266 #if CLEAR_SCREEN
267     // Prep the screen
268     printf("\e[1;1H\e[2J");
269     printf("\e[%d;3H\e[2K> ", NLINES+1);
270 #endif
271
272 //struct rts_command cmd;// = (struct rts_command *)malloc(sizeof(*cmd));
273 core_init(&core);
274 sense_actuate_init(0, &instrumentation[0], &actuation_logic[0]);
275 sense_actuate_init(1, &instrumentation[0], &actuation_logic[0]);
276
277 char line[256];
278 while (1)
279 {
280     //read_rts_command(&cmd);
281
282     update_sensors();
283     sprintf(line, "HW ACTUATORS 0x%X", read_reg(GPIO_REG));
284     set_display_line(&core.ui, 8, line, 0);
285     int retval = core_step(&core);
286     DEBUG_PRINTF(("<main.c> core_step= 0x%X\n",retval));
287     char line[256];
288     sprintf(line, "Uptime: [%u]s\n",time_in_s());
289     set_display_line(&core.ui, 9, line, 0);
290     update_display();
291     sense_actuate_step_0(&instrumentation[0], &actuation_logic[0]);
292     sense_actuate_step_1(&instrumentation[2], &actuation_logic[1]);
293 }
294
295 return 0;
296 }
```

Listing F.2: C implementation of common.

```

1 #include <stddef.h>
2 #include <stdint.h>
3 #include <stdlib.h>
4
5 #include "platform.h"
```

```

6  #include "common.h"
7  #include "core.h"
8  #include "instrumentation.h"
9  #include "actuation_logic.h"
10 #include "sense_actuate.h"
11
12 #ifdef PLATFORM_HOST
13 #include <stdio.h>
14 #else
15 #include "printf.h"
16 #endif
17
18 struct core_state core = {0};
19 struct instrumentation_state instrumentation[4];
20 struct actuation_logic actuation_logic[2];
21
22 // channel -> sensor # -> val
23 uint32_t sensors[2][2];
24 // channel -> sensor # -> demux output # -> val
25 uint32_t sensors_demux[2][2][2];
26
27 uint8_t trip_signals[NTRIP][4];
28 struct instrumentation_command inst_command_buf[4];
29
30 uint8_t actuator_state[NDEV];
31 uint8_t device_actuation_logic[2][NDEV];
32
33 //EI mode:
34 // mode = 0 => no error
35 // mode = 1 => error
36 // mode = 2 => nondet error
37 uint8_t error_instrumentation_mode[NINSTR];
38 uint8_t error_instrumentation[NINSTR];
39 // ES ch mode:
40 // mode = 0 => no error
41 // mode = 1 => demux error (out 0)
42 // mode = 2 => demux error (out 1)
43 // mode = 3 => sensor error (error in both demux outs)
44 // mode = 4 => nondet sensor error
45 // mode = 5 => nondet demux error
46 uint8_t error_sensor_mode[2][2];
47 uint8_t error_sensor[2][2];
48 uint8_t error_sensor_demux[2][2][2];
49
50 int read_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val) {
51     MUTEX_LOCK(&mem_mutex);
52     int sensor = div/2;
53     int demux_out = div%2;
54     *val = sensors_demux[channel][sensor][demux_out];
55     MUTEX_UNLOCK(&mem_mutex);
56     DEBUG_PRINTF("<common.c> read_instrumentation_channel: div=%u,channel=%u,val=%u\n",div,
57     ↪ channel,*val));
58     return 0;
59 }
60
61 int get_instrumentation_value(uint8_t division, uint8_t ch, uint32_t *value) {
62     MUTEX_LOCK(&mem_mutex);
63     if (!error_instrumentation[division])
64         *value = instrumentation[division].reading[ch];
65     MUTEX_UNLOCK(&mem_mutex);
66     DEBUG_PRINTF("<common.c> get_instrumentation_value: error=%u, division=%u,ch=%u,val=%u\n",
67     ↪ ,error_instrumentation[division], division,ch,*value));
68     return 0;
69 }
70
71 int get_instrumentation_trip(uint8_t division, uint8_t ch, uint8_t *value) {

```

```

70     MUTEX_LOCK(&mem_mutex);
71     if (!error_instrumentation[division])
72         *value = instrumentation[division].sensor_trip[ch];
73     MUTEX_UNLOCK(&mem_mutex);
74     DEBUG_PRINTF(("<common.c> get_instrumentation_trip: error=%u, division=%u,ch=%u,val=%u\n",
75                 ↪ error_instrumentation[division], division,ch,*value));
76     return 0;
77 }
78 int get_instrumentation_mode(uint8_t division, uint8_t ch, uint8_t *value) {
79     MUTEX_LOCK(&mem_mutex);
80     if (!error_instrumentation[division])
81         *value = instrumentation[division].mode[ch];
82     MUTEX_UNLOCK(&mem_mutex);
83     DEBUG_PRINTF(("<common.c> get_instrumentation_mode: error=%u, division=%u,ch=%u,val=%u\n",
84                 ↪ error_instrumentation[division], division,ch,*value));
85     return 0;
86 }
87 int get_instrumentation_maintenance(uint8_t division, uint8_t *value) {
88     MUTEX_LOCK(&mem_mutex);
89     if (!error_instrumentation[division])
90         *value = instrumentation[division].maintenance;
91     MUTEX_UNLOCK(&mem_mutex);
92     DEBUG_PRINTF(("<common.c> get_instrumentation_maintenance: error=%u, division=%u,val=%u\n",
93                 ↪ ,error_instrumentation[division],division,*value));
94     return 0;
95 }
96 int get_actuation_state(uint8_t i, uint8_t device, uint8_t *value) {
97     MUTEX_LOCK(&mem_mutex);
98     *value = device_actuation_logic[i][device];
99     MUTEX_UNLOCK(&mem_mutex);
100    DEBUG_PRINTF(("<common.c> get_actuation_state: i=%u,device=%u,val=%u\n",i,device,*value));
101    return 0;
102 }
103 int read_instrumentation_trip_signals(uint8_t arr[3][4]) {
104     DEBUG_PRINTF(("<common.c> read_instrumentation_trip_signals: []"));
105     for (int i = 0; i < NTRIP; ++i) {
106         DEBUG_PRINTF("[");
107         for (int div = 0; div < 4; ++div) {
108             MUTEX_LOCK(&mem_mutex);
109             arr[i][div] = trip_signals[i][div];
110             DEBUG_PRINTF("%u",trip_signals[i][div]);
111             MUTEX_UNLOCK(&mem_mutex);
112         }
113         DEBUG_PRINTF("],");
114     }
115     DEBUG_PRINTF("]\n");
116     return 0;
117 }
118 }
119 int reset_actuation_logic(uint8_t logic_no, uint8_t device_no, uint8_t reset_val) {
120     MUTEX_LOCK(&mem_mutex);
121     actuation_logic[logic_no].vote_actuate[device_no] = reset_val;
122     MUTEX_UNLOCK(&mem_mutex);
123     DEBUG_PRINTF(("<common.c> reset_actuation_logic: logic_no=%u,device=%u,reset_val=%u\n",
124                 ↪ logic_no,device_no,reset_val));
125     return 0;
126 }
127 int set_output_actuation_logic(uint8_t logic_no, uint8_t device_no, uint8_t on) {
128     ASSERT(logic_no < 2);
129     ASSERT(device_no < 2);
130
131 }
```

```

132     MUTEX_LOCK(&mem_mutex);
133     device_actuation_logic[logic_no][device_no] = on;
134     MUTEX_UNLOCK(&mem_mutex);
135     DEBUG_PRINTF("<common.c> set_output_actuation_logic: logic_no=%u,device=%u,on=%u\n",
136     ↪ logic_no,device_no,on);
137     return 0;
138 }
139 int set_output_instrumentation_trip(uint8_t div, uint8_t channel, uint8_t val) {
140     MUTEX_LOCK(&mem_mutex);
141     if (!error_instrumentation[div])
142         trip_signals[channel][div] = val;
143     MUTEX_UNLOCK(&mem_mutex);
144     DEBUG_PRINTF("<common.c> set_output_instrumentation_trip: error=%u,div=%u,channel=%u,val
145     ↪=%u\n",error_instrumentation[div], div, channel, val);
146     return 0;
147 }
148 int set_actuate_device(uint8_t device_no, uint8_t on)
149 {
150     MUTEX_LOCK(&mem_mutex);
151     actuator_state[device_no] = on;
152     MUTEX_UNLOCK(&mem_mutex);
153     DEBUG_PRINTF("<common.c> set_actuate_device: dev %u, on %u\n",device_no, on));
154     return 0;
155 }
156
157 int read_instrumentation_command(uint8_t div,
158                                     struct instrumentation_command *cmd) {
159     DEBUG_PRINTF("<common.c> read_instrumentation_command\n");
160     if ((div < 4) && (inst_command_buf[div].valid == 1)) {
161         cmd->type = inst_command_buf[div].type;
162         cmd->cmd = inst_command_buf[div].cmd;
163         inst_command_buf[div].valid = 0;
164         return 1;
165     }
166     return 0;
167 }
168
169 int send_instrumentation_command(uint8_t div,
170                                     struct instrumentation_command *cmd) {
171     DEBUG_PRINTF("<common.c> send_instrumentation_command\n");
172     if (div < 4) {
173         inst_command_buf[div].type = cmd->type;
174         inst_command_buf[div].cmd = cmd->cmd;
175         inst_command_buf[div].valid = 1;
176         return 0;
177     }
178     return -1;
179 }
180
181 uint8_t is_test_running()
182 {
183     MUTEX_LOCK(&mem_mutex);
184     uint8_t ret = core.test.self_test_running;
185     MUTEX_UNLOCK(&mem_mutex);
186     DEBUG_PRINTF("<common.c> is_test_running? %u\n",ret));
187     return ret;
188 }
189
190 void set_test_running(int val)
191 {
192     MUTEX_LOCK(&mem_mutex);
193     core.test.self_test_running = val;
194     MUTEX_UNLOCK(&mem_mutex);
195     DEBUG_PRINTF("<common.c> set_test_running: %i\n",core.test.self_test_running));

```

```

196 }
197
198 uint8_t get_test_device()
199 {
200     DEBUG_PRINTF("<common.c> get_test_device: %u\n",core.test.test_device));
201     return core.test.test_device;
202 }
203
204 void get_test_instrumentation(uint8_t *id)
205 {
206     id[0] = core.test.test_instrumentation[0];
207     id[1] = core.test.test_instrumentation[1];
208     DEBUG_PRINTF("<common.c> get_test_instrumentation\n"));
209 }
210
211 int get_instrumentation_test_setpoints(uint8_t id, uint32_t *setpoints)
212 {
213     setpoints[0] = core.test.test_setpoints[id][0];
214     setpoints[1] = core.test.test_setpoints[id][1];
215     setpoints[2] = core.test.test_setpoints[id][2];
216     DEBUG_PRINTF("<common.c> get_instrumentation_test_setpoints\n"));
217     return 0;
218 }
219
220 void set_instrumentation_test_complete(uint8_t div, int v)
221 {
222     MUXEX_LOCK(&mem_mutex);
223     core.test.test_instrumentation_done[div] = v;
224     MUXEX_UNLOCK(&mem_mutex);
225     DEBUG_PRINTF("<common.c> set_instrumentation_test_complete: div=%u,v=%i\n",div,v));
226 }
227
228 int is_instrumentation_test_complete(uint8_t id)
229 {
230     MUXEX_LOCK(&mem_mutex);
231     int ret = core.test.test_instrumentation_done[id];
232     MUXEX_UNLOCK(&mem_mutex);
233     DEBUG_PRINTF("<common.c> is_instrumentation_test_complete: id=%u,ret=%i\n",id,ret));
234     return ret;
235 }
236
237 int read_test_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val)
238 {
239     MUXEX_LOCK(&mem_mutex);
240     *val = core.test.test_inputs[div][channel];
241     MUXEX_UNLOCK(&mem_mutex);
242     DEBUG_PRINTF("<common.c> read_test_instrumentation_channel: div=%u,channel=%u,val=%u\n",
243     ↪ div,channel,*val));
244     return 0;
245 }
246
247 uint8_t get_test_actuation_unit()
248 {
249     MUXEX_LOCK(&mem_mutex);
250     uint8_t ret = core.test.test_actuation_unit;
251     MUXEX_UNLOCK(&mem_mutex);
252     DEBUG_PRINTF("<common.c> get_test_actuation_unit: %u\n",ret));
253     return ret;
254 }
255
256 void set_actuation_unit_test_complete(uint8_t div, int v)
257 {
258     MUXEX_LOCK(&mem_mutex);
259     core.test.test_actuation_unit_done[div] = v;
260     MUXEX_UNLOCK(&mem_mutex);
261     DEBUG_PRINTF("<common.c> set_actuation_unit_test_complete: div %u, v=%i\n",div,v));

```

```

261 }
262
263 void set_actuation_unit_test_input_vote(uint8_t id, int v)
264 {
265     MUTEX_LOCK(&mem_mutex);
266     core.test.actuation_old_vote = v != 0;
267     MUTEX_UNLOCK(&mem_mutex);
268     DEBUG_PRINTF("<common.c> set_actuation_unit_test_input_vote: id %u, v=%i\n", id, v);
269 }
270
271 int is_actuation_unit_test_complete(uint8_t id)
272 {
273     MUTEX_LOCK(&mem_mutex);
274     int ret = core.test.test_actuation_unit_done[id];
275     MUTEX_UNLOCK(&mem_mutex);
276     DEBUG_PRINTF("<common.c> is_actuation_unit_test_complete: %i\n", ret);
277     return ret;
278 }
279
280 void set_actuate_test_result(uint8_t dev, uint8_t result)
281 {
282     MUTEX_LOCK(&mem_mutex);
283     core.test.test_device_result[dev] = result;
284     MUTEX_UNLOCK(&mem_mutex);
285     DEBUG_PRINTF("<common.c> set_actuate_test_result: dev %u, result=%u\n", dev, result));
286 }
287
288 void set_actuate_test_complete(uint8_t dev, int v)
289 {
290     MUTEX_LOCK(&mem_mutex);
291     core.test.test_device_done[dev] = v;
292     MUTEX_UNLOCK(&mem_mutex);
293     DEBUG_PRINTF("<common.c> set_actuate_test_complete: dev %u, v=%i\n", dev, v));
294 }
295
296 int is_actuate_test_complete(uint8_t dev)
297 {
298     MUTEX_LOCK(&mem_mutex);
299     int ret = core.test.test_device_done[dev];
300     MUTEX_UNLOCK(&mem_mutex);
301     DEBUG_PRINTF("<common.c> is_actuate_test_complete: %i\n", ret);
302     return ret;
303 }

```

Listing F.3: C implementation of posix\_main.

```

1 #include "common.h"
2 #include "core.h"
3 #include "instrumentation.h"
4 #include "actuation_logic.h"
5 #include "sense_actuate.h"
6 #include "platform.h"
7
8 #include <poll.h>
9 #include <fcntl.h>
10 #include <stdio.h>
11 #include <termios.h>
12 #include <unistd.h>
13 #include <stddef.h>
14 #include <stdint.h>
15 #include <stdio.h>
16 #include <stdlib.h>
17 #include <string.h>
18 #include <sys/select.h>
19 #include <time.h>
20

```

```

21 extern struct instrumentation_state instrumentation[4];
22 struct actuation_command *act_command_buf[2];
23
24 #define min(_a, _b) ((_a) < (_b) ? (_a) : (_b))
25 #define max(_a, _b) ((_a) > (_b) ? (_a) : (_b))
26
27 #include <pthread.h>
28 pthread_mutex_t display_mutex = PTHREAD_MUTEX_INITIALIZER;
29 pthread_mutex_t mem_mutex = PTHREAD_MUTEX_INITIALIZER;
30
31 #ifndef TO
32 #define TO 200
33#endif
34
35 #ifndef PO
36 #define PO 1152600
37#endif
38
39 // Bias to simulated sensor readings in degrees F
40 #ifndef T_BIAS
41 #define T_BIAS 0
42#endif
43
44 // Bias to simulated sensor readings in 10^-5 lb/in^2
45 #ifndef P_BIAS
46 #define P_BIAS 0
47#endif
48
49 #ifndef SENSOR_UPDATE_MS
50 #define SENSOR_UPDATE_MS 500
51#endif
52
53 int clear_screen() {
54     return (isatty(fileno(stdin)) && (NULL == getenv("RTS_NOCLEAR")));
55 }
56
57 void update_display() {
58     if (clear_screen()) {
59         printf("\e[s\e[1;1H");//\e[2J");
60     }
61     for (int line = 0; line < NLINES; ++line) {
62         printf("\e[OK");
63         printf("%s%s", core.ui.display[line], line == NLINES-1 ? "" : "\n");
64     }
65     if (clear_screen()) {
66         printf("\e[u");
67     }
68 }
69
70 int read_rts_command(struct rts_command *cmd) {
71     int ok = 0;
72     uint8_t device, on, div, ch, mode, sensor;
73     uint32_t val;
74     char *line = NULL;
75     size_t linecap = 0;
76     ssize_t linelen;
77
78     /* if (isatty(fileno(stdin))) { */
79     /* set_display_line(&ui, 9, (char *)"> ", 0); */
80     /* } */
81     struct pollfd fds;
82     fds.fd = STDIN_FILENO;
83     fds.events = POLLIN;
84     fds.revents = POLLIN;
85     if(poll(&fds, 1, 100) < 1) {
86         return 0;

```

```

87 }
88 linelen = getline(&line, &linecap, stdin);
89
90 if (linelen == EOF)
91     exit(0);
92
93 if (linelen < 0)
94     return 0;
95
96 MUTEX_LOCK(&display_mutex);
97
98 if (clear_screen()) {
99     printf("\e[%d;1H\ue[2K ", NLINES+1);
100 }
101
102 MUTEX_UNLOCK(&display_mutex);
103
104 if (2 == (ok = sscanf(line, "A %hhhd %hhhd", &device, &on))) {
105     cmd->type = ACTUATION_COMMAND;
106     cmd->cmd.act.device = device;
107     cmd->cmd.act.on = on;
108     DEBUG_PRINTF("<main.c> read_rts_command ACTUATION_COMMAND dev=%u on=%u\n",
109                 cmd->cmd.act.device, cmd->cmd.act.on));
110     ok = 1;
111 } else if (2 == (ok = sscanf(line, "M %hhhd %hhhd", &div, &on))) {
112     cmd->type = INSTRUMENTATION_COMMAND;
113     cmd->instrumentation_division = div;
114     cmd->cmd.instrumentation.type = SET_Maintenance;
115     cmd->cmd.instrumentation.cmd.maintenance.on = on;
116     DEBUG_PRINTF("<main.c> read_rts_command INSTRUMENTATION_COMMAND MAINTENANCE div=%u on=%u
117             \r, type=%u\n",
118             cmd->instrumentation_division,
119             cmd->cmd.instrumentation.cmd.maintenance.on,
120             cmd->cmd.instrumentation.type));
121     ASSERT(on == 0 || on == 1);
122     ok = 1;
123 } else if (3 == (ok = sscanf(line, "B %hhhd %hhhd %hhhd", &div, &ch, &mode))) {
124     cmd->type = INSTRUMENTATION_COMMAND;
125     cmd->instrumentation_division = div;
126     cmd->cmd.instrumentation.type = SET_MODE;
127     cmd->cmd.instrumentation.cmd.mode.channel = ch;
128     cmd->cmd.instrumentation.cmd.mode.mode_val = mode;
129     DEBUG_PRINTF("<main.c> read_rts_command INSTRUMENTATION_COMMAND MODE div=%u channel=%u
130             \r mode=%u type=%u\n",
131             cmd->instrumentation_division,
132             cmd->cmd.instrumentation.cmd.mode.channel,
133             cmd->cmd.instrumentation.cmd.mode.mode_val,
134             cmd->cmd.instrumentation.type));
135     ok = 1;
136 } else if (3 == (ok = sscanf(line, "S %hhhd %hhhd %d", &div, &ch, &val))) {
137     cmd->type = INSTRUMENTATION_COMMAND;
138     cmd->instrumentation_division = div;
139     cmd->cmd.instrumentation.type = SET_SetPOINT;
140     cmd->cmd.instrumentation.cmd.setpoint.channel = ch;
141     cmd->cmd.instrumentation.cmd.setpoint.val = val;
142     DEBUG_PRINTF("<main.c> read_rts_command INSTRUMENTATION_COMMAND SETPOINT div=%u channel
143             \r =%u val=%u\n",
144             cmd->instrumentation_division,
145             cmd->cmd.instrumentation.cmd.setpoint.channel,
146             cmd->cmd.instrumentation.cmd.setpoint.val));
147     ok = 1;
148 #ifndef SIMULATE_SENSORS
149 } else if (3 == (ok = sscanf(line, "V %hhhd %hhhd %d", &sensor, &ch, &val))) {
150     if (sensor < 2 && ch < 2)
151         sensors[ch][sensor] = val;
152     DEBUG_PRINTF("<main.c> read_rts_command UPDATE SENSORS sensor=%d, ch=%d, val=%d\n",

```

```

150         sensor,ch,val));
151 #endif
152 } else if (line[0] == 'Q') {
153     // printf("<main.c> read_rts_command QUIT\n");
154     exit(0);
155 } else if (line[0] == 'D') {
156     DEBUG_PRINTF("<main.c> read_rts_command UPDATE DISPLAY\n");
157     update_display();
158 } else if (3 == (ok = sscanf(line, "ES %hhd %hhd %hhd", &sensor, &ch, &mode))) {
159     error_sensor_mode[ch][sensor] = mode;
160     DEBUG_PRINTF("<main.c> read_rts_command ERROR SENSOR sensor=%d, ch=%d, mode=%d\n",
161                 sensor,ch,mode);
162 } else if (2 == (ok = sscanf(line, "EI %hhd %hhd", &div, &mode))) {
163     error_instrumentation_mode[div] = mode;
164     DEBUG_PRINTF("<main.c> read_rts_command ERROR INSTRUMENTATION div=%d, mode=%d\n",
165                 div,mode));
166 }
167
168 if (line)
169     free(line);
170
171 return ok;
172 }
173
174 void update_instrumentation_errors(void) {
175     for (int i = 0; i < NINSTR; ++i) {
176         if(error_instrumentation_mode[i] == 2) {
177             error_instrumentation[i] |= rand() % 2;
178         } else {
179             error_instrumentation[i] = error_instrumentation_mode[i];
180         }
181     }
182 }
183
184 void update_sensor_errors(void) {
185     for (int c = 0; c < 2; ++c) {
186         for (int s = 0; s < 2; ++s) {
187             switch (error_sensor_mode[c][s]) {
188                 case 0:
189                     error_sensor[c][s] = 0;
190                     error_sensor_demux[c][s][0] = 0;
191                     error_sensor_demux[c][s][1] = 0;
192                     break;
193                 case 1:
194                     error_sensor[c][s] = 0;
195                     error_sensor_demux[c][s][0] = 1;
196                     error_sensor_demux[c][s][1] = 0;
197                     break;
198                 case 2:
199                     error_sensor[c][s] = 0;
200                     error_sensor_demux[c][s][0] = 0;
201                     error_sensor_demux[c][s][1] = 1;
202                     break;
203                 case 3:
204                     error_sensor[c][s] = 1;
205                     error_sensor_demux[c][s][0] = 0;
206                     error_sensor_demux[c][s][1] = 0;
207                     break;
208                 case 4:
209                 {
210                     int fail = rand() % 2;
211                     error_sensor[c][s] |= fail;
212                     error_sensor_demux[c][s][0] = 0;
213                     error_sensor_demux[c][s][1] = 0;
214                 }
215             break;

```

```

216     case 5:
217     {
218         error_sensor[c][s] = 0;
219         error_sensor_demux[c][s][0] |= (rand() % 2);
220         error_sensor_demux[c][s][1] |= (rand() % 2);
221     }
222     break;
223     default:
224         ASSERT("Invalid sensor fail mode" && 0);
225     }
226 }
227 }
228 }
229 }

230 int update_sensor_simulation(void) {
231     static int initialized = 0;
232     static uint32_t last_update = 0;
233     static uint32_t last[2][2] = {0};
234
235     struct timespec tp;
236     clock_gettime(CLOCK_REALTIME, &tp);
237     uint32_t t0 = last_update;
238     uint32_t t = tp.tv_sec*1000 + tp.tv_nsec/1000000;
239
240     if (!initialized) {
241         last_update = t;
242         last[0][T] = T0;
243         last[1][T] = T0;
244         last[0][P] = P0;
245         last[1][P] = P0;
246         initialized = 1;
247     } else if (t - t0 > SENSOR_UPDATE_MS) {
248         for (int s = 0; s < 2; ++s) {
249             last[s][T] += (rand() % 7) - 3 + T_BIAS;
250             // Don't stray too far from our steam table
251             last[s][T] = min(last[s][T], 300);
252             last[s][T] = max(last[s][T], 25);
253
254             last[s][P] += (rand() % 7) - 3 + P_BIAS;
255             // Don't stray too far from our steam table
256             last[s][P] = min(last[s][P], 5775200);
257             last[s][P] = max(last[s][P], 8000);
258         }
259         last_update = t;
260     }
261     sensors[T][0] = last[T][0];
262     sensors[T][1] = last[T][1];
263     sensors[P][0] = last[P][0];
264     sensors[P][1] = last[P][1];
265
266     return 0;
267 }
268
269 void update_sensors(void) {
270     update_sensor_errors();
271 #ifdef SIMULATE_SENSORS
272     update_sensor_simulation();
273 #endif
274     for (int c = 0; c < 2; ++c) {
275         for (int s = 0; s < 2; ++s) {
276             if (error_sensor[c][s]) {
277                 sensors[c][s] = rand();
278             }
279
280             MUXEX_LOCK(&mem_mutex);
281             sensors_demux[c][s][0] = sensors[c][s];

```

```

282     MUTEX_UNLOCK(&mem_mutex);
283
284     MUTEX_LOCK(&mem_mutex);
285     sensors_demux[c][s][1] = sensors[c][s];
286     MUTEX_UNLOCK(&mem_mutex);
287
288     for (int d = 0; d < 2; ++d) {
289         if(error_sensor_demux[c][s][d]) {
290             MUTEX_LOCK(&mem_mutex);
291             sensors_demux[c][s][d] = rand();
292             MUTEX_UNLOCK(&mem_mutex);
293         }
294     }
295 }
296
297 }
298
299 int read_actuation_command(uint8_t id, struct actuation_command *cmd) {
300     struct actuation_command *c = act_command_buf[id];
301     if (c) {
302         cmd->device = c->device;
303         cmd->on = c->on;
304         free(c);
305         act_command_buf[id] = NULL;
306         return 1;
307     }
308     return 0;
309 }
310
311 int send_actuation_command(uint8_t id, struct actuation_command *cmd) {
312     if (id < 2) {
313         act_command_buf[id] = (struct actuation_command *)malloc(sizeof(*act_command_buf[id]));
314         act_command_buf[id]->device = cmd->device;
315         act_command_buf[id]->on = cmd->on;
316         return 0;
317     }
318     return -1;
319 }
320
321 void* start0(void *arg) {
322     while(1) {
323         sense_actuate_step_0(&instrumentation[0], &actuation_logic[0]);
324     }
325 }
326 void* start1(void *arg) {
327     while(1) {
328         sense_actuate_step_1(&instrumentation[2], &actuation_logic[1]);
329     }
330 }
331
332 uint32_t time_in_s()
333 {
334     static time_t start_time = 0;
335     struct timespec tp;
336     clock_gettime(CLOCK_REALTIME, &tp);
337     if (start_time == 0) {
338         start_time = tp.tv_sec;
339     }
340     time_t total = tp.tv_sec - start_time;
341     char line[256];
342     sprintf(line, "Uptime: [%u]s\n", (uint32_t)total);
343     set_display_line(&core.ui, 9, line, 0);
344     return (uint32_t)total;
345 }
346
347 int main(int argc, char **argv) {

```

```

348 struct rts_command *cmd = (struct rts_command *)malloc(sizeof(*cmd));
349
350 core_init(&core);
351 sense_actuate_init(0, &instrumentation[0], &actuation_logic[0]);
352 sense_actuate_init(1, &instrumentation[2], &actuation_logic[1]);
353
354 if (isatty(fileno(stdin))) printf("\e[1;1H\e[2J");
355 if (isatty(fileno(stdin))) printf("\e[%d;3H\e[2K> ", NLINES+1);
356
357 #ifdef USE_PTHREADS
358 pthead_attr_t attr;
359 pthead_t sense_actuate_0, sense_actuate_1;
360 pthead_attr_init(&attr);
361 pthead_create(&sense_actuate_0, &attr, start0, NULL);
362 pthead_create(&sense_actuate_1, &attr, start1, NULL);
363 #endif
364
365 while (1) {
366     char line[256];
367     fflush(stdout);
368     MUTEX_LOCK(&display_mutex);
369     sprintf(line, "HW ACTUATORS %s %s", actuator_state[0] ? "ON" : "OFF", actuator_state[1]?
370             "ON" : "OFF");
371     set_display_line(&core.ui, 8, line, 0);
372     MUTEX_UNLOCK(&display_mutex);
373     update_instrumentation_errors();
374     update_sensors();
375     core_step(&core);
376     #ifndef USE_PTHREADS
377         sense_actuate_step_0(&instrumentation[0], &actuation_logic[0]);
378         sense_actuate_step_1(&instrumentation[2], &actuation_logic[1]);
379     #endif
380     update_display();
381     sleep(1);
382 }
383
384 return 0;
}

```

Listing F.4: C implementation of instrumentation\_common.

```

1 #include "instrumentation.h"
2
3 void instrumentation_init(struct instrumentation_state *state) {
4     state->maintenance = 1;
5     for (int i = 0; i < NTRIP; ++i) {
6         state->mode[i] = 0;
7         state->reading[i] = 0;
8         state->sensor_trip[i] = 0;
9         state->setpoints[i] = 0;
10    }
11 }

```

Listing F.5: C implementation of syscalls.

```

1 #include <errno.h>
2 #include <sys/stat.h>
3 #include <sys/times.h>
4 #include <sys/time.h>
5 #include "syscalls.h"
6 #include "bsp.h"
7
8 void _exit(int n) {
9     (void)n;
10    while(1){

```

```

11     ;;
12 }
13 }
14
15 void *_sbrk(int nbytes)
16 {
17     (void)nbytes;
18     errno = ENOMEM;
19     return (void *)-1;
20 }
21
22 int _write(int file, char *ptr, int len)
23 {
24     volatile uint32_t *uart_tx = (void*) UART_REG_TX;
25     (void)file;
26     for (int i=0;i<len;i++) {
27         *uart_tx = ptr[i];
28         uint32_t count = MIN_PRINT_DELAY_TICKS;
29         while(count-->0) {
30             __asm__ volatile ("nop");
31         }
32     }
33     return len;
34 }
35
36 int _close(int fd)
37 {
38     (void)fd;
39     errno = EBADF;
40     return -1;
41 }
42
43 long _lseek(int fd, long offset, int origin)
44 {
45     (void)fd;
46     (void)offset;
47     (void)origin;
48     errno = EBADF;
49     return -1;
50 }
51
52 int _read(int fd, void *buffer, unsigned int count)
53 {
54     (void)fd;
55     (void)buffer;
56     (void)count;
57     errno = EBADF;
58     return -1;
59 }
60
61 int _fstat(int fd, void *buffer)
62 {
63     (void)fd;
64     (void)buffer;
65     errno = EBADF;
66     return -1;
67 }
68
69 int _isatty(int fd)
70 {
71     (void)fd;
72     errno = EBADF;
73     return 0;
74 }
75
76 int _kill(int pid, int sig)

```

```

77 {
78     (void)pid;
79     (void)sig;
80     errno = EBADF;
81     return -1;
82 }
83
84 int _getpid(int n)
85 {
86     (void)n;
87     return 1;
88 }

```

Listing F.6: C implementation of printf.

```

1 // File from: https://github.com/mpaland/printf
2 //////////////////////////////////////////////////////////////////
3 // \author (c) Marco Paland (info@paland.com)
4 // 2014-2019, PALANDesign Hannover, Germany
5 //
6 // \license The MIT License (MIT)
7 //
8 // Permission is hereby granted, free of charge, to any person obtaining a copy
9 // of this software and associated documentation files (the "Software"), to deal
10 // in the Software without restriction, including without limitation the rights
11 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 // copies of the Software, and to permit persons to whom the Software is
13 // furnished to do so, subject to the following conditions:
14 //
15 // The above copyright notice and this permission notice shall be included in
16 // all copies or substantial portions of the Software.
17 //
18 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24 // THE SOFTWARE.
25 //
26 // \brief Tiny printf, sprintf and (v)snprintf implementation, optimized for speed on
27 // embedded systems with a very limited resources. These routines are thread
28 // safe and reentrant!
29 // Use this instead of the bloated standard/newlib printf cause these use
30 // malloc for printf (and may not be thread safe).
31 //
32 //////////////////////////////////////////////////////////////////
33
34 #include <stdbool.h>
35 #include <stdint.h>
36
37 #include "printf.h"
38 #include "syscalls.h"
39
40 // define this globally (e.g. gcc -DPRINTF_INCLUDE_CONFIG_H ...) to include the
41 // printf_config.h header file
42 // default: undefined
43 #ifdef PRINTF_INCLUDE_CONFIG_H
44 #include "printf_config.h"
45 #endif
46
47 // 'ntoa' conversion buffer size, this must be big enough to hold one converted
48 // numeric number including padded zeros (dynamically created on stack)
49 // default: 32 byte
50 #ifndef PRINTF_NTOA_BUFFER_SIZE
51 #define PRINTF_NTOA_BUFFER_SIZE 32U

```

```

52 #endif
53
54 // 'ftoa' conversion buffer size, this must be big enough to hold one converted
55 // float number including padded zeros (dynamically created on stack)
56 // default: 32 byte
57 #ifndef PRINTF_FTOA_BUFFER_SIZE
58 #define PRINTF_FTOA_BUFFER_SIZE 32U
59 #endif
60
61 // support for the floating point type (%f)
62 // default: activated
63 #ifndef PRINTF_DISABLE_SUPPORT_FLOAT
64 #define PRINTF_SUPPORT_FLOAT
65 #endif
66
67 // support for exponential floating point notation (%e/%g)
68 // default: activated
69 #ifndef PRINTF_DISABLE_SUPPORT_EXPONENTIAL
70 #define PRINTF_SUPPORT_EXPONENTIAL
71 #endif
72
73 // define the default floating point precision
74 // default: 6 digits
75 #ifndef PRINTF_DEFAULT_FLOAT_PRECISION
76 #define PRINTF_DEFAULT_FLOAT_PRECISION 6U
77 #endif
78
79 // define the largest float suitable to print with %f
80 // default: 1e9
81 #ifndef PRINTF_MAX_FLOAT
82 #define PRINTF_MAX_FLOAT 1e9
83 #endif
84
85 // support for the long long types (%llu or %p)
86 // default: activated
87 #ifndef PRINTF_DISABLE_SUPPORT_LONG_LONG
88 #define PRINTF_SUPPORT_LONG_LONG
89 #endif
90
91 // support for the ptrdiff_t type (%t)
92 // ptrdiff_t is normally defined in <stddef.h> as long or long long type
93 // default: activated
94 #ifndef PRINTF_DISABLE_SUPPORT_PTRDIFF_T
95 #define PRINTF_SUPPORT_PTRDIFF_T
96 #endif
97
98 ///////////////////////////////////////////////////////////////////
99
100 // internal flag definitions
101 #define FLAGS_ZEROPAD (1U << 0U)
102 #define FLAGS_LEFT (1U << 1U)
103 #define FLAGS_PLUS (1U << 2U)
104 #define FLAGS_SPACE (1U << 3U)
105 #define FLAGS_HASH (1U << 4U)
106 #define FLAGS_UPPERCASE (1U << 5U)
107 #define FLAGS_CHAR (1U << 6U)
108 #define FLAGS_SHORT (1U << 7U)
109 #define FLAGS_LONG (1U << 8U)
110 #define FLAGS_LONG_LONG (1U << 9U)
111 #define FLAGS_PRECISION (1U << 10U)
112 #define FLAGS_ADAPT_EXP (1U << 11U)
113
114 // import float.h for DBL_MAX
115 #if defined(PRINTF_SUPPORT_FLOAT)
116 #include <float.h>
117 #endif

```

```

118 // output function type
119 typedef void (*out_fct_type)(char character, void* buffer, size_t idx, size_t maxlen);
120
121 // wrapper (used as buffer) for output function type
122 typedef struct {
123     void (*fct)(char character, void* arg);
124     void* arg;
125 } out_fct_wrap_type;
126
127 // internal buffer output
128 static inline void _out_buffer(char character, void* buffer, size_t idx, size_t maxlen)
129 {
130     if (idx < maxlen) {
131         ((char*)buffer)[idx] = character;
132     }
133 }
134
135 // internal null output
136 static inline void _out_null(char character, void* buffer, size_t idx, size_t maxlen)
137 {
138     (void)character; (void)buffer; (void)idx; (void)maxlen;
139 }
140
141 // internal _putchar wrapper
142 static inline void _out_char(char character, void* buffer, size_t idx, size_t maxlen)
143 {
144     (void)buffer; (void)idx; (void)maxlen;
145     if (character) {
146         _write(0, &character, 1);
147     }
148 }
149
150 // internal output function wrapper
151 static inline void _out_fct(char character, void* buffer, size_t idx, size_t maxlen)
152 {
153     (void)idx; (void)maxlen;
154     if (character) {
155         // buffer is the output fct pointer
156         ((out_fct_wrap_type*)buffer)->fct(character, ((out_fct_wrap_type*)buffer)->arg);
157     }
158 }
159
160 // internal secure strlen
161 // \return The length of the string (excluding the terminating 0) limited by 'maxsize'
162 static inline unsigned int _strnlen_s(const char* str, size_t maxsize)
163 {
164     const char* s;
165     for (s = str; *s && maxsize--; ++s);
166     return (unsigned int)(s - str);
167 }
168
169 // internal test if char is a digit (0-9)
170 // \return true if char is a digit
171 static inline bool _is_digit(char ch)
172 {
173     return (ch >= '0') && (ch <= '9');
174 }
175
176 // internal ASCII string to unsigned int conversion
177 static unsigned int _atoi(const char** str)
178 {
179     unsigned int i = 0U;
180     while (_is_digit(**str)) {
181         i = i * 10U + (unsigned int)(*(*str)++ - '0');
182     }
183 }
```

```

184     return i;
185 }
186
187 // output the specified string in reverse, taking care of any zero-padding
188 static size_t _out_rev(out_fct_type out, char* buffer, size_t idx, size_t maxlen, const char
189   ↪ * buf, size_t len, unsigned int width, unsigned int flags)
190 {
191     const size_t start_idx = idx;
192
193     // pad spaces up to given width
194     if (!(flags & FLAGS_LEFT) && !(flags & FLAGS_ZEROPAD)) {
195         for (size_t i = len; i < width; i++) {
196             out(' ', buffer, idx++, maxlen);
197         }
198     }
199
200     // reverse string
201     while (len) {
202         out(buf[--len], buffer, idx++, maxlen);
203     }
204
205     // append pad spaces up to given width
206     if (flags & FLAGS_LEFT) {
207         while (idx - start_idx < width) {
208             out(' ', buffer, idx++, maxlen);
209         }
210     }
211
212     return idx;
213 }
214
215 // internal itoa format
216 static size_t _ntoa_format(out_fct_type out, char* buffer, size_t idx, size_t maxlen, char*
217   ↪ buf, size_t len, bool negative, unsigned int base, unsigned int prec, unsigned int
218   ↪ width, unsigned int flags)
219 {
220     // pad leading zeros
221     if (!(flags & FLAGS_LEFT)) {
222         if (width && (flags & FLAGS_ZEROPAD) && (negative || (flags & (FLAGS_PLUS | FLAGS_SPACE)))
223           ↪ )) {
224             width--;
225         }
226         while ((len < prec) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
227             buf[len++] = '0';
228         }
229     }
230
231     // handle hash
232     if (flags & FLAGS_HASH) {
233         if (!(flags & FLAGS_PRECISION) && len && ((len == prec) || (len == width))) {
234             len--;
235             if (len && (base == 16U)) {
236                 len--;
237             }
238             if ((base == 16U) && !(flags & FLAGS_UPPERCASE) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
239                 buf[len++] = 'x';
240             }
241             else if ((base == 16U) && (flags & FLAGS_UPPERCASE) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
242                 buf[len++] = 'X';
243             }
244             else if ((base == 2U) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
245                 buf[len++] = 'b';
246             }
247         }
248     }

```

```

246     }
247     if (len < PRINTF_NTOA_BUFFER_SIZE) {
248         buf[len++] = '0';
249     }
250 }
251
252 if (len < PRINTF_NTOA_BUFFER_SIZE) {
253     if (negative) {
254         buf[len++] = '-';
255     }
256     else if (flags & FLAGS_PLUS) {
257         buf[len++] = '+'; // ignore the space if the '+' exists
258     }
259     else if (flags & FLAGS_SPACE) {
260         buf[len++] = ' ';
261     }
262 }
263
264 return _out_rev(out, buffer, idx, maxlen, buf, len, width, flags);
265
266
267 // internal itoa for 'long' type
268 static size_t _ntoa_long(out_fct_type out, char* buffer, size_t idx, size_t maxlen, unsigned
269                         ↪ long value, bool negative, unsigned long base, unsigned int prec, unsigned int
270                         ↪ width, unsigned int flags)
271 {
272     char buf[PRINTF_NTOA_BUFFER_SIZE];
273     size_t len = 0U;
274
275     // no hash for 0 values
276     if (!value) {
277         flags &= ~FLAGS_HASH;
278     }
279
280     // write if precision != 0 and value is != 0
281     if (!(flags & FLAGS_PRECISION) || value) {
282         do {
283             const char digit = (char)(value % base);
284             buf[len++] = digit < 10 ? '0' + digit : (flags & FLAGS_UPPERCASE ? 'A' : 'a') + digit -
285             ↪ 10;
286             value /= base;
287         } while (value && (len < PRINTF_NTOA_BUFFER_SIZE));
288     }
289
290     return _ntoa_format(out, buffer, idx, maxlen, buf, len, negative, (unsigned int)base, prec
291                         ↪ , width, flags);
292 }
293
294 // internal itoa for 'long long' type
295 #if defined(PRINTF_SUPPORT_LONG_LONG)
296 static size_t _ntoa_long_long(out_fct_type out, char* buffer, size_t idx, size_t maxlen,
297                             ↪ unsigned long long value, bool negative, unsigned long long base, unsigned int prec,
298                             ↪ unsigned int width, unsigned int flags)
299 {
300     char buf[PRINTF_NTOA_BUFFER_SIZE];
301     size_t len = 0U;
302
303     // no hash for 0 values
304     if (!value) {
305         flags &= ~FLAGS_HASH;
306     }
307
308     // write if precision != 0 and value is != 0
309     if (!(flags & FLAGS_PRECISION) || value) {
310         do {
311             const char digit = (char)(value % base);

```

```

306     buf[len++] = digit < 10 ? '0' + digit : (flags & FLAGS_UPPERCASE ? 'A' : 'a') + digit -
307         ↪ 10;
308     value /= base;
309     } while (value && (len < PRINTF_NTOA_BUFFER_SIZE));
310 }
311 return _ntoa_format(out, buffer, idx, maxlen, buf, len, negative, (unsigned int)base, prec
312     ↪ , width, flags);
313 #endif // PRINTF_SUPPORT_LONG_LONG
314
315 #if defined(PRINTF_SUPPORT_FLOAT)
316
317 #if defined(PRINTF_SUPPORT_EXPONENTIAL)
318 // forward declaration so that _ftoa can switch to exp notation for values > PRINTF_MAX_FLOAT
319 static size_t _ftoa(out_fct_type out, char* buffer, size_t idx, size_t maxlen, double value,
320     ↪ unsigned int prec, unsigned int width, unsigned int flags);
321 #endif
322 // internal ftoa for fixed decimal floating point
323 static size_t _ftoa(out_fct_type out, char* buffer, size_t idx, size_t maxlen, double value,
324     ↪ unsigned int prec, unsigned int width, unsigned int flags)
325 {
326     char buf[PRINTF_FTOA_BUFFER_SIZE];
327     size_t len = OU;
328     double diff = 0.0;
329
330     // powers of 10
331     static const double pow10[] = { 1, 10, 100, 1000, 10000, 100000, 1000000, 10000000,
332         ↪ 100000000, 1000000000 };
333
334     // test for special values
335     if (value != value)
336         return _out_rev(out, buffer, idx, maxlen, "nan", 3, width, flags);
337     if (value < -DBL_MAX)
338         return _out_rev(out, buffer, idx, maxlen, "fni-", 4, width, flags);
339     if (value > DBL_MAX)
340         return _out_rev(out, buffer, idx, maxlen, (flags & FLAGS_PLUS) ? "fni+" : "fni", (flags &
341             ↪ FLAGS_PLUS) ? 4U : 3U, width, flags);
342
343     // test for very large values
344     // standard printf behavior is to print EVERY whole number digit -- which could be 100s of
345         ↪ characters overflowing your buffers == bad
346     if ((value > PRINTF_MAX_FLOAT) || (value < -PRINTF_MAX_FLOAT)) {
347 #if defined(PRINTF_SUPPORT_EXPONENTIAL)
348         return _ftoa(out, buffer, idx, maxlen, value, prec, width, flags);
349 #else
350         return OU;
351 #endif
352     }
353
354     // test for negative
355     bool negative = false;
356     if (value < 0) {
357         negative = true;
358         value = 0 - value;
359     }
360
361     // set default precision, if not set explicitly
362     if (!(flags & FLAGS_PRECISION)) {
363         prec = PRINTF_DEFAULT_FLOAT_PRECISION;
364     }
365
366     // limit precision to 9, cause a prec >= 10 can lead to overflow errors
367     while ((len < PRINTF_FTOA_BUFFER_SIZE) && (prec > 9U)) {
368         buf[len++] = '0';
369         prec--;
370     }

```

```

366
367     int whole = (int)value;
368     double tmp = (value - whole) * pow10[prec];
369     unsigned long frac = (unsigned long)tmp;
370     diff = tmp - frac;
371
372     if (diff > 0.5) {
373         ++frac;
374         // handle rollover, e.g. case 0.99 with prec 1 is 1.0
375         if (frac >= pow10[prec]) {
376             frac = 0;
377             ++whole;
378         }
379     }
380     else if (diff < 0.5) {
381     }
382     else if ((frac == 0U) || (frac & 1U)) {
383         // if halfway, round up if odd OR if last digit is 0
384         ++frac;
385     }
386
387     if (prec == 0U) {
388         diff = value - (double)whole;
389         if (!(diff < 0.5) || (diff > 0.5)) && (whole & 1)) {
390             // exactly 0.5 and ODD, then round up
391             // 1.5 -> 2, but 2.5 -> 2
392             ++whole;
393         }
394     }
395     else {
396         unsigned int count = prec;
397         // now do fractional part, as an unsigned number
398         while (len < PRINTF_FTOA_BUFFER_SIZE) {
399             --count;
400             buf[len++] = (char)(48U + (frac % 10U));
401             if (!(frac /= 10U)) {
402                 break;
403             }
404         }
405         // add extra 0s
406         while ((len < PRINTF_FTOA_BUFFER_SIZE) && (count-- > 0U)) {
407             buf[len++] = '0';
408         }
409         if (len < PRINTF_FTOA_BUFFER_SIZE) {
410             // add decimal
411             buf[len++] = '.';
412         }
413     }
414
415     // do whole part, number is reversed
416     while (len < PRINTF_FTOA_BUFFER_SIZE) {
417         buf[len++] = (char)(48 + (whole % 10));
418         if (!(whole /= 10)) {
419             break;
420         }
421     }
422
423     // pad leading zeros
424     if (!(flags & FLAGS_LEFT) && (flags & FLAGS_ZEROPAD)) {
425         if (width && (negative || (flags & (FLAGS_PLUS | FLAGS_SPACE)))) {
426             width--;
427         }
428         while ((len < width) && (len < PRINTF_FTOA_BUFFER_SIZE)) {
429             buf[len++] = '0';
430         }
431     }

```

```

432
433     if (len < PRINTF_FTOA_BUFFER_SIZE) {
434         if (negative) {
435             buf[len++] = '-';
436         }
437         else if (flags & FLAGS_PLUS) {
438             buf[len++] = '+'; // ignore the space if the '+' exists
439         }
440         else if (flags & FLAGS_SPACE) {
441             buf[len++] = ' ';
442         }
443     }
444
445     return _out_rev(out, buffer, idx, maxlen, buf, len, width, flags);
446 }
447
448 #if defined(PRINTF_SUPPORT_EXPONENTIAL)
449 // internal ftoa variant for exponential floating-point type, contributed by Martijn Jaspers
450 //   <m.jasperse@gmail.com>
451 static size_t _etoa(out_fct_type out, char* buffer, size_t idx, size_t maxlen, double value,
452                     //   unsigned int prec, unsigned int width, unsigned int flags)
453 {
454     // check for NaN and special values
455     if ((value != value) || (value > DBL_MAX) || (value < -DBL_MAX)) {
456         return _ftoa(out, buffer, idx, maxlen, value, prec, width, flags);
457     }
458
459     // determine the sign
460     const bool negative = value < 0;
461     if (negative) {
462         value = -value;
463     }
464
465     // default precision
466     if (!(flags & FLAGS_PRECISION)) {
467         prec = PRINTF_DEFAULT_FLOAT_PRECISION;
468     }
469
470     // determine the decimal exponent
471     // based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)
472     union {
473         uint64_t U;
474         double F;
475     } conv;
476
477     conv.F = value;
478     int exp2 = (int)((conv.U >> 52U) & 0x07FFU) - 1023; // effectively log2
479     conv.U = (conv.U & ((1ULL << 52U) - 1U)) | (1023ULL << 52U); // drop the exponent so conv.F
480     // now we want to compute 10^expval but we want to be sure it won't overflow
481     exp2 = (int)(expval * 3.321928094887362 + 0.5);
482     const double z = expval * 2.302585092994046 - exp2 * 0.6931471805599453;
483     const double z2 = z * z;
484     conv.U = (uint64_t)(exp2 + 1023) << 52U;
485     // compute exp(z) using continued fractions, see https://en.wikipedia.org/wiki/Exponential\_function#Continued\_fractions\_for\_ex
486     conv.F *= 1 + 2 * z / (2 - z + (z2 / (6 + (z2 / (10 + z2 / 14)))));
487     // correct for rounding errors
488     if (value < conv.F) {
489         expval--;
490         conv.F /= 10;
491     }
492 }
```

```

493 // the exponent format is "%+03d" and largest value is "307", so set aside 4-5 characters
494 unsigned int minwidth = ((expval < 100) && (expval > -100)) ? 4U : 5U;
495
496 // in "%g" mode, "prec" is the number of *significant figures* not decimals
497 if (flags & FLAGS_ADAPT_EXP) {
498     // do we want to fall-back to "%f" mode?
499     if ((value >= 1e-4) && (value < 1e6)) {
500         if ((int)prec > expval) {
501             prec = (unsigned)((int)prec - expval - 1);
502         }
503         else {
504             prec = 0;
505         }
506         flags |= FLAGS_PRECISION; // make sure _ftoa respects precision
507         // no characters in exponent
508         minwidth = 0U;
509         expval = 0;
510     }
511     else {
512         // we use one sigfig for the whole part
513         if ((prec > 0) && (flags & FLAGS_PRECISION)) {
514             --prec;
515         }
516     }
517 }
518
519 // will everything fit?
520 unsigned int fwidth = width;
521 if (width > minwidth) {
522     // we didn't fall-back so subtract the characters required for the exponent
523     fwidth -= minwidth;
524 } else {
525     // not enough characters, so go back to default sizing
526     fwidth = 0U;
527 }
528 if ((flags & FLAGS_LEFT) && minwidth) {
529     // if we're padding on the right, DON'T pad the floating part
530     fwidth = 0U;
531 }
532
533 // rescale the float value
534 if (expval) {
535     value /= conv.F;
536 }
537
538 // output the floating part
539 const size_t start_idx = idx;
540 idx = _ftoa(out, buffer, idx, maxlen, negative ? -value : value, prec, fwidth, flags & ~
541             → FLAGS_ADAPT_EXP);
542
543 // output the exponent part
544 if (minwidth) {
545     // output the exponential symbol
546     out((flags & FLAGS_UPPERCASE) ? 'E' : 'e', buffer, idx++, maxlen);
547     // output the exponent value
548     idx = _ntoa_long(out, buffer, idx, maxlen, (expval < 0) ? -expval : expval, expval < 0,
549                     → 10, 0, minwidth-1, FLAGS_ZEROPAD | FLAGS_PLUS);
550     // might need to right-pad spaces
551     if (flags & FLAGS_LEFT) {
552         while (idx - start_idx < width) out(' ', buffer, idx++, maxlen);
553     }
554 }
555
556 #endif // PRINTF_SUPPORT_EXPONENTIAL
557 #endif // PRINTF_SUPPORT_FLOAT

```

```

557 // internal vsnprintf
558 static int _vsnprintf(out_fct_type out, char* buffer, const size_t maxlen, const char*
559   ↪ format, va_list va)
560 {
561     unsigned int flags, width, precision, n;
562     size_t idx = 0U;
563
564     if (!buffer) {
565         // use null output function
566         out = _out_null;
567     }
568
569     while (*format)
570     {
571         // format specifier? %[flags][width].[precision][length]
572         if (*format != '%') {
573             // no
574             out(*format, buffer, idx++, maxlen);
575             format++;
576             continue;
577         }
578         else {
579             // yes, evaluate it
580             format++;
581         }
582
583         // evaluate flags
584         flags = 0U;
585         do {
586             switch (*format) {
587                 case '0': flags |= FLAGS_ZEROPAD; format++; n = 1U; break;
588                 case '-': flags |= FLAGS_LEFT; format++; n = 1U; break;
589                 case '+': flags |= FLAGS_PLUS; format++; n = 1U; break;
590                 case ' ': flags |= FLAGS_SPACE; format++; n = 1U; break;
591                 case '#': flags |= FLAGS_HASH; format++; n = 1U; break;
592                 default : n = 0U; break;
593             }
594         } while (n);
595
596         // evaluate width field
597         width = 0U;
598         if (_is_digit(*format)) {
599             width = _atoi(&format);
600         }
601         else if (*format == '*') {
602             const int w = va_arg(va, int);
603             if (w < 0) {
604                 flags |= FLAGS_LEFT; // reverse padding
605                 width = (unsigned int)-w;
606             }
607             else {
608                 width = (unsigned int)w;
609             }
610             format++;
611         }
612
613         // evaluate precision field
614         precision = 0U;
615         if (*format == '.') {
616             flags |= FLAGS_PRECISION;
617             format++;
618             if (_is_digit(*format)) {
619                 precision = _atoi(&format);
620             }
621         }
622         else if (*format == '*') {

```

```

622     const int prec = (int)va_arg(va, int);
623     precision = prec > 0 ? (unsigned int)prec : 0U;
624     format++;
625   }
626 }
627
628 // evaluate length field
629 switch (*format) {
630   case 'l' :
631     flags |= FLAGS_LONG;
632     format++;
633     if (*format == 'l') {
634       flags |= FLAGS_LONG_LONG;
635       format++;
636     }
637     break;
638   case 'h' :
639     flags |= FLAGS_SHORT;
640     format++;
641     if (*format == 'h') {
642       flags |= FLAGS_CHAR;
643       format++;
644     }
645     break;
646 #if defined(PRINTF_SUPPORT_PTRDIFF_T)
647   case 't' :
648     flags |= (sizeof(ptrdiff_t) == sizeof(long) ? FLAGS_LONG : FLAGS_LONG_LONG);
649     format++;
650     break;
651#endif
652   case 'j' :
653     flags |= (sizeof(intmax_t) == sizeof(long) ? FLAGS_LONG : FLAGS_LONG_LONG);
654     format++;
655     break;
656   case 'z' :
657     flags |= (sizeof(size_t) == sizeof(long) ? FLAGS_LONG : FLAGS_LONG_LONG);
658     format++;
659     break;
660   default :
661     break;
662 }
663
664 // evaluate specifier
665 switch (*format) {
666   case 'd' :
667   case 'i' :
668   case 'u' :
669   case 'x' :
670   case 'X' :
671   case 'o' :
672   case 'b' : {
673     // set the base
674     unsigned int base;
675     if (*format == 'x' || *format == 'X') {
676       base = 16U;
677     }
678     else if (*format == 'o') {
679       base = 8U;
680     }
681     else if (*format == 'b') {
682       base = 2U;
683     }
684     else {
685       base = 10U;
686       flags &= ~FLAGS_HASH; // no hash for dec format
687     }

```

```

688 // uppercase
689 if (*format == 'X') {
690     flags |= FLAGS_UPPERCASE;
691 }
692
693 // no plus or space flag for u, x, X, o, b
694 if ((*format != 'i') && (*format != 'd')) {
695     flags &= ~(FLAGS_PLUS | FLAGS_SPACE);
696 }
697
698 // ignore '0' flag when precision is given
699 if (flags & FLAGS_PRECISION) {
700     flags &= ~FLAGS_ZEROPAD;
701 }
702
703 // convert the integer
704 if ((*format == 'i') || (*format == 'd')) {
705     // signed
706     if (flags & FLAGS_LONG_LONG) {
707 #if defined(PRINTF_SUPPORT_LONG_LONG)
708         const long long value = va_arg(va, long long);
709         idx = _ntoa_long_long(out, buffer, idx, maxlen, (unsigned long long)(value > 0 ?
710             value : 0 - value), value < 0, base, precision, width, flags);
711     }
712     else if (flags & FLAGS_LONG) {
713         const long value = va_arg(va, long);
714         idx = _ntoa_long(out, buffer, idx, maxlen, (unsigned long)(value > 0 ? value : 0 -
715             value), value < 0, base, precision, width, flags);
716     }
717     else {
718         const int value = (flags & FLAGS_CHAR) ? (char)va_arg(va, int) : (flags &
719             &gt; FLAGS_SHORT) ? (short int)va_arg(va, int) : va_arg(va, int);
720         idx = _ntoa_long(out, buffer, idx, maxlen, (unsigned int)(value > 0 ? value : 0 -
721             value), value < 0, base, precision, width, flags);
722     }
723     else {
724         // unsigned
725         if (flags & FLAGS_LONG_LONG) {
726 #if defined(PRINTF_SUPPORT_LONG_LONG)
727             idx = _ntoa_long_long(out, buffer, idx, maxlen, va_arg(va, unsigned long long),
728                 false, base, precision, width, flags);
729         }
730         else if (flags & FLAGS_LONG) {
731             idx = _ntoa_long(out, buffer, idx, maxlen, va_arg(va, unsigned long), false, base
732                 &gt;, precision, width, flags);
733         }
734     }
735 }
736     format++;
737     break;
738 }
739 #if defined(PRINTF_SUPPORT_FLOAT)
740     case 'f' :
741     case 'F' :
742         if (*format == 'F') flags |= FLAGS_UPPERCASE;
743         idx = _ftoa(out, buffer, idx, maxlen, va_arg(va, double), precision, width, flags);
744         format++;
745         break;

```

```

746 #if defined(PRINTF_SUPPORT_EXPONENTIAL)
747     case 'e':
748     case 'E':
749     case 'g':
750     case 'G':
751         if ((*format == 'g')|>(*format == 'G')) flags |= FLAGS_ADAPT_EXP;
752         if ((*format == 'E')|>(*format == 'G')) flags |= FLAGS_UPPERCASE;
753         idx = _etoa(out, buffer, idx, maxlen, va_arg(va, double), precision, width, flags);
754         format++;
755         break;
756 #endif // PRINTF_SUPPORT_EXPONENTIAL
757 #endif // PRINTF_SUPPORT_FLOAT
758     case 'c' : {
759         unsigned int l = 1U;
760         // pre padding
761         if (!(flags & FLAGS_LEFT)) {
762             while (l++ < width) {
763                 out(' ', buffer, idx++, maxlen);
764             }
765         }
766         // char output
767         out((char)va_arg(va, int), buffer, idx++, maxlen);
768         // post padding
769         if (flags & FLAGS_LEFT) {
770             while (l++ < width) {
771                 out(' ', buffer, idx++, maxlen);
772             }
773         }
774         format++;
775         break;
776     }
777
778     case 's' : {
779         const char* p = va_arg(va, char*);
780         unsigned int l = _strnlen_s(p, precision ? precision : (size_t)-1);
781         // pre padding
782         if (flags & FLAGS_PRECISION) {
783             l = (l < precision ? l : precision);
784         }
785         if (!(flags & FLAGS_LEFT)) {
786             while (l++ < width) {
787                 out(' ', buffer, idx++, maxlen);
788             }
789         }
790         // string output
791         while ((*p != 0) && !(flags & FLAGS_PRECISION) || precision-- ) {
792             out(*(p++), buffer, idx++, maxlen);
793         }
794         // post padding
795         if (flags & FLAGS_LEFT) {
796             while (l++ < width) {
797                 out(' ', buffer, idx++, maxlen);
798             }
799         }
800         format++;
801         break;
802     }
803
804     case 'p' : {
805         width = sizeof(void*) * 2U;
806         flags |= FLAGS_ZEROPAD | FLAGS_UPPERCASE;
807 #if defined(PRINTF_SUPPORT_LONG_LONG)
808         const bool is_ll = sizeof(uintptr_t) == sizeof(long long);
809         if (is_ll) {
810             idx = _ntoa_long_long(out, buffer, idx, maxlen, (uintptr_t)va_arg(va, void*),
811             ↪ , 16U, precision, width, flags);

```

```

811     }
812     else {
813 #endif
814         idx = _ntoa_long(out, buffer, idx, maxlen, (unsigned long)((uintptr_t)va_arg(va,
815                         ↪ void*)), false, 16U, precision, width, flags);
816 #if defined(PRINTF_SUPPORT_LONG_LONG)
817     }
818 #endif
819     format++;
820     break;
821 }
822
823 case '%':
824     out('%', buffer, idx++, maxlen);
825     format++;
826     break;
827 default:
828     out(*format, buffer, idx++, maxlen);
829     format++;
830     break;
831 }
832 }
833
834 // termination
835 out((char)0, buffer, idx < maxlen ? idx : maxlen - 1U, maxlen);
836
837 // return written chars without terminating \0
838 return (int)idx;
839 }
840
841 /////////////////////////////////////////////////
842
843 int printf_(const char* format, ...)
844 {
845     va_list va;
846     va_start(va, format);
847     char buffer[1];
848     const int ret = _vsnprintf(_out_char, buffer, (size_t)-1, format, va);
849     va_end(va);
850     return ret;
851 }
852
853 int sprintf_(char* buffer, const char* format, ...)
854 {
855     va_list va;
856     va_start(va, format);
857     const int ret = _vsnprintf(_out_buffer, buffer, (size_t)-1, format, va);
858     va_end(va);
859     return ret;
860 }
861
862 int snprintf_(char* buffer, size_t count, const char* format, ...)
863 {
864     va_list va;
865     va_start(va, format);
866     const int ret = _vsnprintf(_out_buffer, buffer, count, format, va);
867     va_end(va);
868     return ret;
869 }
870
871 int vprintf_(const char* format, va_list va)
872 {
873     char buffer[1];
874     return _vsnprintf(_out_char, buffer, (size_t)-1, format, va);
875 }

```

```

876
877 int vsnprintf_(char* buffer, size_t count, const char* format, va_list va)
878 {
879     return _vsnprintf(_out_buffer, buffer, count, format, va);
880 }
881
882 int fctprintf(void (*out)(char character, void* arg), void* arg, const char* format, ...)
883 {
884     va_list va;
885     va_start(va, format);
886     const out_fct_wrap_type out_fct_wrap = { out, arg };
887     const int ret = _vsnprintf(_out_fct, (char*)(uintptr_t)&out_fct_wrap, (size_t)-1, format,
888                                ↪ va);
888     va_end(va);
889     return ret;
890 }
```

Listing F.7: C implementation of actuation\_unit\_impl.

```

1 #include "common.h"
2 #include "actuation_logic.h"
3 #include "../generated/C/actuation_unit_impl.c"
```

Listing F.8: C implementation of C\_Imported\_Functions.

```

1 // Copyright (c) 2013-2019 Bluespec, Inc. All Rights Reserved
2 // https://github.com/bluespec/Piccolo/blob/master/src_Testbench/Top/C_Imported_Functions.c
3 // Modified by @podhrmic
4
5 // =====
6 // These are functions imported into BSV during Bluesim or Verilog simulation.
7 // See C_Imports.bsv for the corresponding 'import BDPI' declarations.
8
9 // There are several independent groups of functions below; the
10 // groups are separated by heavy dividers ('// *****')
11
12 // Below, 'dummy' args are not used, and are present only to appease
13 // some Verilog simulators that are finicky about 0-arg functions.
14
15 // =====
16 // Includes from C library
17
18 // General
19 #include <unistd.h>
20 #include <stdlib.h>
21 #include <stdio.h>
22 #include <stdint.h>
23 #include <stdbool.h>
24 #include <inttypes.h>
25 #include <string.h>
26 #include <errno.h>
27 #include <time.h>
28 #include <termios.h>
29 #include <unistd.h>
30 #include <sys/types.h>
31 #include <poll.h>
32 #include <sched.h>
33
34 // =====
35 // Includes for this project
36
37 #include "C_Imported_Functions.h"
38
39 // ****
40 // ****
```

```

41 // ****
42 // Functions for console I/O
43 //
44 // =====
45 // c_trygetchar()
46 // Returns next input character (ASCII code) from the console.
47 // Returns 0 if no input is available.
48 //
49 // NOTE: Not needed right now
50 void print_tty(char* name, FILE * f) {
51     printf("%s (fileno %d): ", name, fileno(f));
52     if (isatty(fileno(f))) printf("TTY %s\n", ttyname(fileno(f)));
53     else printf("not a TTY\n");
54 }
55
56
57 // TODO: set_to 1 to try avoid line buffering
58 #define INIT_TERMIOS 0
59 uint8_t c_trygetchar (uint8_t dummy)
60 {
61     uint8_t ch;
62     ssize_t n;
63     struct pollfd x_pollfd;
64     const int fd_stdin = 0;
65
66 #if INIT_TERMIOS
67     static bool init = false;
68     if (!init) {
69         print_tty("stdin ", stdin);
70         print_tty("stdout", stdout);
71         print_tty("stderr", stderr);
72
73         struct termios tconf;
74
75         // get original cooked/canonical mode values
76         tcgetattr(fd_stdin,&tconf);
77
78         // set options for raw mode
79         tconf.c_lflag &= ~(ECHO | ICANON); /* no echo or edit */
80         tconf.c_cc[VMIN] = 0;
81         tconf.c_cc[VTIME] = 0;
82
83         // put unit into raw mode ...
84         tcsetattr(fd_stdin,TCSANOW,&tconf);
85         printf("Terminal set to ~(ECHO | ICANON) mode\n");
86         init = true;
87     }
88 #endif
89
90     // -----
91     // Poll for input
92     x_pollfd.fd = fd_stdin;
93     x_pollfd.events = POLLRDNORM;
94     x_pollfd.revents = 0;
95     poll (& x_pollfd, 1, 1);
96
97     //printf ("INFO: c_trygetchar: Polling for input\n");
98     if ((x_pollfd.revents & POLLRDNORM) == 0) {
99         //printf ("INFO: No input\n");
100        return 0;
101    }
102
103    // -----
104    // Input is available
105
106    n = read (fd_stdin, & ch, 1);

```

```

107     if (n == 1) {
108         //printf ("INFO: got %c\n",ch);
109         return ch;
110     }
111     else {
112         if (n == 0)
113             printf ("c_trygetchar: end of file\n");
114         return 0xFF;
115     }
116 }
117
118 // =====
119 // c_putchar()
120 // Writes character to stdout
121 void c_putchar (uint8_t ch)
122 {
123     printf("%c",ch);
124 }
125
126 /**
127 * Assume that both sensors have 12 bit resolution
128 * and two data registers
129 *
130 * Pressure sensor: https://cdn.sparkfun.com/datasheets/Sensors/Pressure/MPL3115A2.pdf#
131     ↪ G1007342
132 *
133 * TODO: simplify
134 */
135 // channel -> sensor # -> val
136 uint32_t sensors[2][2];
137 uint8_t c_i2c_request (uint8_t slaveaddr, uint8_t data) {
138     static uint8_t data_reg = 0;
139     static uint8_t pointer_reg = 1;
140     static int initialized = 0;
141     static uint32_t last_update = 0;
142     static uint32_t last[2][2] = {0};
143
144     struct timespec tp;
145     clock_gettime(CLOCK_REALTIME, &tp);
146     uint32_t t = tp.tv_sec*1000 + tp.tv_nsec/1000000;
147
148 #ifdef SIMULATE_SENSORS
149     if (!initialized) {
150         last_update = t;
151         last[0][T] = T0;
152         last[1][T] = T0;
153         last[0][P] = P0;
154         last[1][P] = P0;
155         sensors[0][T] = last[0][T];
156         sensors[1][T] = last[1][T];
157         sensors[0][P] = last[0][P];
158         sensors[1][P] = last[1][P];
159         initialized = 1;
160     } else if (t - last_update > SENSOR_UPDATE_MS) {
161         for (int s = 0; s < 2; ++s) {
162             last[s][T] += (rand() % 3) - 1;
163             // TODO: Temp sensor resolution is -25..85C
164             // Don't stray too far from our steam table
165             last[s][T] = min(last[s][T], 300);
166             last[s][T] = max(last[s][T], 25);
167
168             last[s][P] += (rand() % 3) - 1 + P_BIAS;
169             // Don't stray too far from our steam table
170             last[s][P] = min(last[s][P], 5775200);
171             last[s][P] = max(last[s][P], 8000);

```

```

172     }
173     last_update = t;
174 }
175 // Smooth the transitions
176 sensors[0][T] = last[0][T];
177 sensors[1][T] = last[1][T];
178 sensors[0][P] = last[0][P];
179 sensors[1][P] = last[1][P];
180 #endif
181
182 if (slaveaddr & 0x1) {
183     // Write request
184     pointer_reg = data % 4;
185     data_reg = pointer_reg;
186 } else {
187     // Read request, use 7bit addressing
188     uint8_t dev_addr = slaveaddr >> 1;
189     switch (dev_addr) {
190         case TEMP_0_I2C_ADDR:
191             data_reg = (uint8_t)(sensors[0][T] >> pointer_reg*8);
192             break;
193         case TEMP_1_I2C_ADDR:
194             data_reg = (uint8_t)(sensors[1][T] >> pointer_reg*8);
195             break;
196         case PRESSURE_0_I2C_ADDR:
197             data_reg = (uint8_t)(sensors[0][P] >> pointer_reg*8);
198             break;
199         case PRESSURE_1_I2C_ADDR:
200             data_reg = (uint8_t)(sensors[1][P] >> pointer_reg*8);
201             break;
202         default:
203             data_reg = 0xAA;
204             break;
205     }
206 }
207
208 return data_reg;
209 }
```

Listing F.9: C implementation of actuation\_unit.

```

1 #include "common.h"
2 #include "platform.h"
3 #include "actuation_logic.h"
4
5 #ifdef PLATFORM_HOST
6 #include <stdio.h>
7 #else
8 #include "printf.h"
9 #endif
10
11 #define VOTE_I(_v, _i) (((_v) >> (_i)) & 0x1)
12
13 /*@requires \valid(&trip[0..2][0..3]);
14  * @requires \valid(&trip_test[0..2][0..3]);
15  * @assumes (trip[0..2][0..3]);
16  * @assumes (trip_test[0..2][0..3]);
17 */
18 static int
19 actuation_logic_collect_trips(uint8_t logic_no, int do_test, uint8_t trip[3][4], uint8_t
20                                     trip_test[3][4])
21 {
22     int err = 0;
23     uint8_t test_div[2];
24     get_test_instrumentation(test_div);
```

```

25     err |= read_instrumentation_trip_signals(trip);
26
27     /*@ loop invariant 0 <= i <= NINSTR;
28     @ loop assigns i;
29     @ loop assigns trip[0..2][0..3];
30     @ loop assigns trip_test[0..2][0..3];
31     */
32     for (int i = 0; i < NINSTR; ++i) {
33         /*@ loop invariant 0 <= c <= NTRIP;
34         @ loop assigns c;
35         @ loop assigns trip[0..2][i];
36         @ loop assigns trip_test[0..2][i];
37         */
38         for(int c = 0; c < NTRIP; ++c) {
39             uint8_t test_signal = (i == test_div[0] || i == test_div[1]);
40             if (do_test) {
41                 trip_test[c][i] = (trip[c][i] & test_signal) != 0;
42                 trip[c][i] &= !test_signal;
43             } else if (!VALID(trip[c][i])) {
44                 trip[c][i] = 0;
45             }
46         }
47     }
48
49     return err;
50 }
51
52 /*@ requires \valid(@trips[0..2][0..3]);
53  @ requires \valid(trips + (0..2));
54  @ assigns \nothing;
55  */
56 static uint8_t
57 actuate_device(uint8_t device, uint8_t trips[3][4], int old)
58 {
59     uint8_t res = 0;
60     if (device == 0) {
61         res = Actuate_D0(trips, old);
62     } else {
63         res = Actuate_D1(trips, old);
64     }
65     DEBUG_PRINTF((<actuation_unit.c> actuate_device: device=0x%X, old=0x%X, out=0x%X, trips
66                  ↗ =[n", device, old, res));
67     /*@ loop assigns i; */
68     for (int i = 0; i < 3; ++i) {
69         DEBUG_PRINTF("[");
70         /*@ loop assigns div; */
71         for (int div = 0; div < 4; ++div) {
72             DEBUG_PRINTF("%u,", trips[i][div]));
73         }
74         DEBUG_PRINTF("],"));
75     }
76     DEBUG_PRINTF("]\n");
77     return res;
78 }
79 /*@requires \valid(state);
80  @requires logic_no < NVOTE_LOGIC;
81  @requires device < NDEV;
82  @requires \valid(trip + (0..2));
83  @requires \valid(trip_test + (0..2));
84  @requires \valid(@trip[0..2][0..3]);
85  @requires \valid(@trip_test[0..2][0..3]);
86  @assigns state->vote_actuate[device];
87  @assigns core.test.actuation_old_vote;
88  @assigns core.test.test_actuation_unit_done[logic_no];
89 */

```

```

90 static void
91 actuation_logic_vote_trips(uint8_t logic_no, int do_test, uint8_t device, uint8_t trip
92     ↪ [3][4], uint8_t trip_test[3][4], struct actuation_logic *state)
93 {
94     if (do_test && get_test_device() == device) {
95         if (!is_actuation_unit_test_complete(logic_no)) {
96             set_actuation_unit_test_input_vote(logic_no, state->vote_actuate[device] != 0);
97             state->vote_actuate[device] = actuate_device(device, trip_test, state-
98                 ↪ vote_actuate[device] != 0);
99         }
100    }
101 }
102
103 /*@ requires logic_no < NVOTE_LOGIC;
104  @ requires \valid(state);
105  @ assigns state->vote_actuate[0..1];
106
107  @ assigns core.test.actuation_old_vote;
108  @ assigns core.test.test_actuation_unit_done[logic_no];
109 */
110 static int
111 actuation_logic_vote(uint8_t logic_no, int do_test, struct actuation_logic *state)
112 {
113     int err = 0;
114     uint8_t trip[3][4];
115     uint8_t trip_test[3][4];
116
117     err = actuation_logic_collect_trips(logic_no, do_test, trip, trip_test);
118
119     actuation_logic_vote_trips(logic_no, do_test, 0, trip, trip_test, state);
120     actuation_logic_vote_trips(logic_no, do_test, 1, trip, trip_test, state);
121
122     return err;
123 }
124
125 /*@requires \valid(cmd);
126  @requires \valid(state);
127  @assigns state->manual_actuate[0..1];
128  @ensures -1 <= \result <= 0;
129 */
130 static int
131 actuation_handle_command(uint8_t logic_no, struct actuation_command *cmd, struct
132     ↪ actuation_logic *state)
133 {
134     if (cmd->device <= 1)
135         state->manual_actuate[cmd->device] = cmd->on;
136
137     return 0;
138
139 /*@requires \valid(state);
140  @requires logic_no < NVOTE_LOGIC;
141  @assigns state->vote_actuate[0..1];
142  @assigns core.test.test_actuation_unit_done[logic_no];
143  @ensures -1 <= \result <= 0;
144 */
145 static int
146 output_actuation_signals(uint8_t logic_no, int do_test, struct actuation_logic *state)
147 {
148     int err = 0;
149
150     /*@ loop invariant 0 <= d <= NDEV;
151      @ loop invariant -1 <= err <= 0;
152      @ loop assigns d, err;

```

```

152    */
153    for (int d = 0; d < NDEV; ++d) {
154        uint8_t on = state->vote_actuate[d] || state->manual_actuate[d];
155        if (!do_test || !is_actuation_unit_test_complete(logic_no)) {
156            err |= set_output_actuation_logic(logic_no, d, BIT(do_test, on));
157        }
158    }
159    if (do_test && !is_actuation_unit_test_complete(logic_no)) {
160        // Reset internal state
161        state->vote_actuate[0] = 0;
162        state->vote_actuate[1] = 0;
163        set_actuation_unit_test_complete(logic_no, 1);
164    }
165
166    return err;
167}
168
169 int actuation_unit_step(uint8_t logic_no, struct actuation_logic *state)
170{
171    int err = 0;
172    uint8_t test_div[2];
173
174    get_test_instrumentation(test_div);
175    int do_test = logic_no == get_test_actuation_unit() &&
176                is_instrumentation_test_complete(test_div[0]) &&
177                is_instrumentation_test_complete(test_div[1]) &&
178                is_test_running();
179
180    if (do_test && is_actuation_unit_test_complete(logic_no))
181        return 0;
182
183    if (!do_test && is_actuation_unit_test_complete(logic_no)) {
184        set_output_actuation_logic(logic_no, get_test_device(), 0);
185        set_actuation_unit_test_complete(logic_no, 0);
186        return 0;
187    }
188
189    /* Read trip signals & vote */
190    err |= actuation_logic_vote(logic_no, do_test, state);
191
192    /* Handle any external commands */
193    struct actuation_command cmd;
194    int read_cmd = read_actuation_command(logic_no, &cmd);
195    if (read_cmd > 0) {
196        err |= actuation_handle_command(logic_no, &cmd, state);
197    } else if (read_cmd < 0) {
198        err |= -read_cmd;
199    }
200
201    /* Actuate devices based on voting and commands */
202    err |= output_actuation_signals(logic_no, do_test, state);
203
204}

```

Listing F.10: C implementation of actuator\_impl.

```

1 typedef unsigned _ExtInt(1) w1;
2 typedef unsigned _ExtInt(2) w2;
3 w1 static rotl1(w1 x, w1 shf)
4 {
5     w1 offset = 1;
6     return x << shf | x >> offset - shf;
7 }
8 w1 static rotr1(w1 x, w1 shf)
9 {
10    w1 offset = 1;

```

```

11     return x >> shf | x << offset - shf;
12 }
13 w2 static rotl2(w2 x, w2 shf)
14 {
15     w2 offset = 2;
16     return x << shf | x >> offset - shf;
17 }
18 w2 static rotr2(w2 x, w2 shf)
19 {
20     w2 offset = 2;
21     return x >> shf | x << offset - shf;
22 }
23 w1 ActuateActuator(w2 inputs4683)
24 {
25     w1 app_4097;
26     w1 return_4096;
27     return_4096 = 0;
28     app_4097 = inputs4683 >> (w1) 0 & 1 | inputs4683 >> (w1) 1 & 1;
29     return_4096 = app_4097;
30     return return_4096;
31 }
```

Listing F.11: C implementation of firmware.

```

1 #include <stdint.h>
2 #include "bsp.h"
3 #include "printf.h"
4 //
5 // int main(void)
6 // {
7 // volatile uint32_t *gpio = (void*) GPIO_REG;
8 // uint32_t cnt = 0;
9 // char line[256] = {0};
10 // printf("Hello world\n");
11 // while(1) {
12 // //printf("%u milliseconds passed, GPIO=0x%X\n", time_in_ms(), *gpio);
13 // //printf("%d seconds passed...and a sensor reads 0x%X\n", time_in_s(), i2c_read(0x64, 0x0B))
14 // // NOTE this is still line buffered
15 // //uint8_t c = soc_getchar();
16 // //printf(">>%c<<\n", c);
17 // // for (unsigned int i = 0; i < sizeof(line); i++) {
18 // // line[i] = soc_getchar();
19 // // if (line[i] == 0 || line[i] == '\n') {
20 // // break;
21 // // }
22 // // }
23 // // }
24 // // printf(">>%s<<\n", line);
25 // *gpio = cnt;
26 // cnt++;
27 // cnt = cnt % 256;
28 // //delay_ms(1000);
29 // delay(100000);
30 // }
31 // return 0;
32 // }
33
34 int main()
35 {
36     volatile uint32_t *gpio = (void*)GPIO_REG;
37     *gpio = 0;
38     uint32_t cnt = 0;
39     while(1)
40     {
41 }
```

```

42         delay_ms(1000);
43     if (cnt == 1) {
44         cnt = 0;
45     } else {
46         cnt = 1;
47     }
48     *gpio = cnt;
49     printf("%u milliseconds passed, GPIO=0x%X\n", time_in_ms(), *gpio);
50 }
51 return 0;
52 }
```

Listing F.12: C implementation of actuator.

```

1 #include "platform.h"
2 #include "actuate.h"
3 #include "actuation_logic.h"
4
5 #ifdef PLATFORM_HOST
6 #include <stdio.h>
7 #else
8 #include "printf.h"
9 #endif
10
11 #define w1 uint8_t
12 #define w2 uint8_t
13
14 /*@ requires \true;
15  @ assigns core.test.test_device_done[0..2];
16  @ assigns core.test.test_device_result[0..2];
17  @ ensures \true;
18 */
19 int actuate_devices(void)
20 {
21     int err = 0;
22     int do_test = is_test_running() && is_actuation_unit_test_complete(get_test_actuation_unit
23     ↪ ());
24     DEBUG_PRINTF("<actuator.c> actuate_devices, do_test = %i\n", do_test);
25
26     if (!do_test) {
27         DEBUG_PRINTF("<actuator.c> actuate_devices: set actuate test complete to FALSE\n");
28         set_actuate_test_complete(0, 0);
29         set_actuate_test_complete(1, 0);
30     }
31     /*@ loop invariant 0 <= d && d <= NDEV;
32      @ loop assigns d, err, core.test.test_device_done[0..2], core.test.test_device_result
33      ↪ [0..2];
34 */
35     for (int d = 0; d < NDEV; ++d) {
36         uint8_t votes = 0;
37         uint8_t test_votes = 0;
38
39         /*@ loop invariant 0 <= l && l <= NVOTE_LOGIC;
40          @ loop assigns l, err, test_votes, votes;
41 */
42         for (int l = 0; l < NVOTE_LOGIC; ++l) {
43             uint8_t this_vote = 0;
44             err |= get_actuation_state(l, d, &this_vote);
45             if (do_test && l == get_test_actuation_unit())
46                 test_votes |= ((this_vote & 0x1) << d);
47             else if (VALID(this_vote))
48                 votes |= (this_vote << d);
49         }
50     if (do_test && d == get_test_device()) {
```

```

51     if (!is_actuate_test_complete(get_test_device())) {
52         DEBUG_PRINTF("<actuator.c> actuate_devices: set_actuate_test_result(0x%X,
53                         ↪ ActuateActuator(0x%X))\n",
54                         d, test_votes));
55         set_actuate_test_result(d, ActuateActuator(test_votes));
56         set_actuate_test_complete(d, 1);
57     }
58
59     // Call out to actuation policy
60     DEBUG_PRINTF("<actuator.c> actuate_devices: Call out to actuation policy,
61                         ↪ set_actuate_device(0x%X, ActuateActuator(0x%X))\n",
62                         d, votes));
63     err |= set_actuate_device(d, ActuateActuator(votes));
64
65     return err;
66 }
```

Listing F.13: C implementation of instrumentation-generated\_SystemVerilog.

```

1 #ifdef PLATFORM_HOST
2 #include "../generated/SystemVerilog/verilator/generate_sensor_trips/VGenerate_Sensor_Trips.
3     ↪ h"
4 #include "../generated/SystemVerilog/verilator/is_ch_tripped/VIs_Ch_Tripped.h"
5 #include <stdio.h>
6 #else
7 #include "printf.h"
8 #endif
9 #define Generate_Sensor_Trips Generate_Sensor_Trips_generated_SystemVerilog
10 #define Is_Ch_Tripped Is_Ch_Tripped_generated_SystemVerilog
11 #define instrumentation_step instrumentation_step_generated_SystemVerilog
12 #include "../components/instrumentation.c"
13
14 static uint8_t lookup[8] = { 0x0, 0b100, 0b010, 0b110, 0b001, 0b101, 0b011, 0b111 };
15
16 #ifdef PLATFORM_HOST
17 static VIs_Ch_Tripped is_tripped;
18 static VGenerate_Sensor_Trips gen_trips;
19
20 uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip)
21 {
22     is_tripped.mode = mode;
23     is_tripped.sensor_tripped = trip;
24     is_tripped.eval();
25     uint32_t val = (trip & 0x1) << 3 | (mode & 0x3) << 1 | 0x0;
26     DEBUG_PRINTF("<instrumentation_generated_SystemVerilog.c> Is_Ch_Tripped: mode=0x%X, trip
27                         ↪ =0x%X, base=0x%X, res=0x%X\n",
28     mode, trip, val, is_tripped.out);
29     return is_tripped.out;
30 }
31
32 uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
33 {
34     gen_trips.vals[0] = vals[2];
35     gen_trips.vals[1] = vals[1];
36     gen_trips.vals[2] = vals[0];
37     gen_trips.setpoints[0] = setpoints[2];
38     gen_trips.setpoints[1] = setpoints[1];
39     gen_trips.setpoints[2] = setpoints[0];
40     gen_trips.eval();
41     uint8_t out = gen_trips.out;
42     DEBUG_PRINTF("<instrumentation_generated_SystemVerilog.c> Generate_Sensor_Trips: vals=[%
43                         ↪ u,%u,%u], setpoints=[%u,%u,%u], lookup[%d]=0x%X\n",
44     vals[0], vals[1], vals[2], setpoints[0], setpoints[1], setpoints[2], out, lookup[out]));
45 }
```

```

43     return lookup[out];
44 }
45 #else
46 #include "bsp.h"
47 #include "platform.h"
48
49 uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip)
50 {
51     // wdata[0] - fnc select ( 0 - is_channel_tripped / 1 - generate_sensor_trips)
52     // wdata[2:1] - mode
53     // wdata[3] - sensor_tripped
54     // rg_instr_hand_res[2:0] - result
55     // rg_instr_hand_res[31] - fnc select ( 0 - is_channel_tripped / 1 - generate_sensor_trips
56     //                                     → )
57     uint32_t val = (trip & 0x1) << 3 | (mode & 0x3) << 1 | 0x0;
58     write_reg(INSTRUMENTATION_GENERATED_REG_BASE, val);
59     uint8_t res = (uint8_t) (read_reg(INSTRUMENTATION_GENERATED_REG_RESULT) & 0x1);
60     DEBUG_PRINTF(("<instrumentation_generated_SystemVerilog.c> Is_Ch_Tripped: mode=0x%X, trip
61     //                                     → =0x%X, base=0x%X, res=0x%X\n",
62     mode, trip, val,res));
63     return res;
64 }
65
66 uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
67 {
68     // Set value for setpoints
69     write_reg(INSTRUMENTATION_GENERATED_REG_SETPOINT_VAL_0, setpoints[0]);
70     write_reg(INSTRUMENTATION_GENERATED_REG_SETPOINT_VAL_1, setpoints[1]);
71     write_reg(INSTRUMENTATION_GENERATED_REG_SETPOINT_VAL_2, setpoints[2]);
72     write_reg(INSTRUMENTATION_GENERATED_REG_INSTR_VAL_0, vals[0]);
73     write_reg(INSTRUMENTATION_GENERATED_REG_INSTR_VAL_1, vals[1]);
74     write_reg(INSTRUMENTATION_GENERATED_REG_INSTR_VAL_2, vals[2]);
75     write_reg(INSTRUMENTATION_GENERATED_REG_BASE, 0x1);
76     uint8_t out = (uint8_t) (read_reg(INSTRUMENTATION_GENERATED_REG_RESULT) & 0x7);
77     DEBUG_PRINTF(("<instrumentation_generated_SystemVerilog.c> Generate_Sensor_Trips: vals=[%
78     //                                     → u,%u,%u], setpoints=[%u,%u,%u], lookup[%d]=0x%X\n",
79     vals[0],vals[1],vals[2],setpoints[0],setpoints[1],setpoints[2],out,lookup[out]));
80     return lookup[out];
81 }
82 #endif

```

Listing F.14: C implementation of core.

```

1 #include "core.h"
2 #include "platform.h"
3 #include "actuate.h"
4 #include "rts.h"
5 #include <string.h>
6
7 #ifdef PLATFORM_HOST
8 #include <stdio.h>
9 #else
10 #include "printf.h"
11 #endif
12
13 #define INST_OFFSET 0
14 #define ACT_OFFSET 5
15 char INSTR_LINE_FMT[] = "#I %d (%c): T[%10d %c %d] P[%10d %c %d] S[%10d %c %d]";
16 char ACT_LINE_FMT[] = "#A %d [%d %d]";
17
18 const char self_test_running[] = "SELF TEST: RUNNING";
19 const char self_test_not_running[] = "SELF TEST: NOT RUNNING";
20 const char pass[] = "LAST TEST: PASS";
21 const char fail[] = "LAST TEST: FAIL";
22
23 char sensor_warning[] = "WARNING: LARGE SENSOR DIFFERENTIAL";

```

```

24 char sensor_ok[] = "SENSORS OK";
25
26 #ifdef ENABLE_SELF_TEST
27 struct testcase {
28     uint32_t input[4][2];
29     uint32_t setpoints[4][3];
30     uint8_t instrumentation[2];
31     uint8_t actuation_unit;
32     uint8_t device;
33     uint8_t expect;
34 } tests[] = {
35 // Test data generated from Cryptol RTS::SelfTestOracleHalf
36 #include "self_test_data/tests.inc.c"
37 };
38#endif
39
40 char mode_char(uint8_t mode) {
41     switch (mode) {
42         case BYPASS:
43             return 'B';
44         case OPERATE:
45             return 'O';
46         case TRIP:
47             return 'T';
48         default:
49             return '?';
50     }
51 }
52
53 char maint_char(uint8_t mode) {
54     if (mode)
55         return 'M';
56     else
57         return '_';
58 }
59
60 int update_ui_instr(struct ui_values *ui) {
61     int err = 0;
62     int sensor_differential = 0;
63
64     char line[256];
65
66     for (uint8_t i = 0; i < NDIVISIONS; ++i) {
67         for (uint8_t ch = 0; ch < NTRIP; ++ch) {
68             if ((err = get_instrumentation_value(i, ch, &ui->values[i][ch])) < 0)
69                 return err;
70             if ((err = get_instrumentation_mode(i, ch, &ui->bypass[i][ch])) < 0)
71                 return err;
72             if ((err = get_instrumentation_trip(i, ch, &ui->trip[i][ch])) < 0)
73                 return err;
74         }
75         if ((err = get_instrumentation_maintenance(i, &ui->maintenance[i])) < 0)
76             return err;
77
78         snprintf(line, sizeof(line), INST_LINE_FMT, INST_OFFSET + i,
79                  maint_char(ui->maintenance[i]), ui->values[i][T],
80                  mode_char(ui->bypass[i][T]), 0 != ui->trip[i][T], ui->values[i][P],
81                  mode_char(ui->bypass[i][P]), 0 != ui->trip[i][P], ui->values[i][S],
82                  mode_char(ui->bypass[i][S]), 0 != ui->trip[i][S]);
83
84         set_display_line(ui, i, line, sizeof(line));
85     }
86
87 // Flag any sensor differences that exceed thresholds
88 for (uint8_t i = 0; i < NDIVISIONS; ++i) {
89

```

```

90     if (ui->maintenance[i])
91         continue;
92
93     for (uint8_t j = 0; j < NDIVISIONS; ++j) {
94         if (ui->maintenance[j])
95             continue;
96
97         sensor_differential |=
98             (ui->values[i][T] > ui->values[j][T] &&
99              ui->values[i][T] - ui->values[j][T] > T_THRESHOLD);
100        sensor_differential |=
101            (ui->values[i][P] > ui->values[j][P] &&
102              ui->values[i][P] - ui->values[j][P] > P_THRESHOLD);
103    }
104
105
106    if (sensor_differential)
107        set_display_line(ui, 14, sensor_warning, sizeof(sensor_warning));
108    else
109        set_display_line(ui, 14, sensor_ok, sizeof(sensor_ok));
110
111    return err;
112}
113
114 int update_ui_actuation(struct ui_values *ui) {
115     int err = 0;
116     for (int i = 0; i < 2; ++i) {
117         char line[256];
118         for (int d = 0; d < 2; ++d) {
119             uint8_t val;
120             err |= get_actuation_state(i, d, &val);
121             ui->actuators[i][d] = val;
122         }
123         sprintf(line, sizeof(line), ACT_LINE_FMT, i, ui->actuators[i][0],
124                 ui->actuators[i][1]);
125         set_display_line(ui, ACT_OFFSET + i, line, sizeof(line));
126     }
127
128     return err;
129 }
130
131 int update_ui(struct ui_values *ui) {
132     DEBUG_PRINTF("<core.c> update_ui\n");
133     int err = 0;
134     err |= update_ui_instr(ui);
135     err |= update_ui_actuation(ui);
136
137     return err;
138 }
139
140 int set_display_line(struct ui_values *ui, uint8_t line_number, char *display, uint32_t size
141     ↪ ) {
142     memset(ui->display[line_number], ' ', LINELENGTH);
143     strncpy(ui->display[line_number], (const char*)display, LINELENGTH);
144     return 0;
145 }
146
147 #ifdef ENABLE_SELF_TEST
148 int end_test(struct test_state *test, struct ui_values *ui) {
149     static int cnt = 0;
150     int passed =
151         test->test_device_result[test->test_device]
152         == (test->self_test_expect || test->actuation_old_vote);
153     test->failed = !passed;
154     DEBUG_PRINTF("<core.c> end_test %#d: test->test_device_result[%u]=0x%X\n",
155                 ↪ test_device, test->test_device_result[test->test_device]));

```

```

154     DEBUG_PRINTF("<core.c> end_test #%"PRIu32": (test->self_test_expect || test->actuation_old_vote
155         ↪ )=0x%X\n", cnt, (test->self_test_expect || test->actuation_old_vote));
156
157 // Reset state
158 set_test_running(0);
159
160 if (passed) {
161     set_display_line(ui, 16, (char*)pass, 0);
162     test->test++;
163     if (test->test >= sizeof(tests)/sizeof(struct testcase)) {
164         test->test = 0;
165         test->test_timer_start = time_in_s();
166     }
167 } else {
168     set_display_line(ui, 16, (char*)fail, 0);
169     set_display_line(ui, 20, (char*)"A TEST FAILED", 0);
170 }
171 DEBUG_PRINTF("<core.c> end_test #%"PRIu32": Passed: %d\n", cnt, passed));
172 cnt++;
173 return passed;
174 }
175
176 int components_ready() {
177     return !is_instrumentation_test_complete(0)
178         && !is_instrumentation_test_complete(1)
179         && !is_instrumentation_test_complete(2)
180         && !is_instrumentation_test_complete(3)
181         && !is_actuation_unit_test_complete(0)
182         && !is_actuation_unit_test_complete(1)
183         && !is_actuate_test_complete(0)
184         && !is_actuate_test_complete(1);
185 }
186
187 int self_test_timer_expired(struct test_state *test) {
188     uint32_t t = time_in_s();
189     uint32_t diff = t - test->test_timer_start;
190     return SELF_TEST_PERIOD_SEC < diff;
191 }
192
193 int should_start_self_test(struct test_state *test) {
194     int retval = (!is_test_running()) && (self_test_timer_expired(test) || (test->test != 0));
195     return retval;
196 }
197
198 int test_step(struct test_state *test, struct ui_values *ui) {
199     DEBUG_PRINTF("<core.c> test_step: Has test failed? %u\n", test->failed);
200     int err = 0;
201
202     if(!test->failed && should_start_self_test(test)) {
203         if (components_ready())
204         {
205             struct testcase *next = &tests[test->test];
206             test->self_test_expect = next->expect;
207             test->test_device = next->device;
208             test->test_actuation_unit = next->actuation_unit;
209             DEBUG_PRINTF("<core.c> test_step: starting new test. test->self_test_expect=%u,test->
210                 ↪ test_device=%u, test->test_actuation_unit=%u\n",
211                 test->self_test_expect,test->test_device,test->test_actuation_unit));
212             memcpy(test->test_instrumentation, next->instrumentation, 2);
213             memcpy(test->test_inputs, next->input, 2*4*sizeof(uint32_t));
214             memcpy(test->test_setpoints, next->setpoints, 3*4*sizeof(uint32_t));
215
216             set_test_running(1);
217             set_display_line(ui, 15, (char *)self_test_running, 0);
218         }
219     } else if (is_test_running() && test->test_device_done[test->test_device]) {

```

```

218     DEBUG_PRINTF("<core.c> test_step: Ending test\n");
219     int passed = end_test(test, ui);
220     if(!passed) err = -1;
221 } else if (!is_test_running()) {
222     DEBUG_PRINTF("<core.c> test_step:Continuing test\n");
223     set_display_line(ui, 15, (char *)self_test_not_running, 0);
224 } else {
225     DEBUG_PRINTF("<core.c> test_step:Catchall\n");
226 }
227
228     return err;
229 }
230 #endif
231
232 void core_init(struct core_state *c) {
233     c->test.test_timer_start = time_in_s();
234     c->test.failed = 0;
235 }
236
237 int core_step(struct core_state *c) {
238     int err = 0;
239     struct rts_command rts;
240 #ifndef ENABLE_SELF_TEST
241     time_in_s();
242 #endif
243
244     if (!c->error) {
245         // Actuate devices if necessary
246         int retval = actuate_devices_generated_C();
247         DEBUG_PRINTF("<core.c> actuate_devices_generated_C: 0x%X\n", retval);
248     }
249
250     // Let's allow command processing even if an error is detected.
251     // In a real system, we would probably want to disconnect the device
252     // and perform maintenance.
253     int read_cmd = read_rts_command(&rts);
254     if (read_cmd < 0) {
255         err |= -read_cmd;
256     } else if (read_cmd > 0) {
257         switch (rts.type) {
258             case INSTRUMENTATION_COMMAND:
259                 err |= send_instrumentation_command(rts.instrumentation_division,
260                                                     &(rts.cmd.instrumentation));
261                 break;
262
263             case ACTUATION_COMMAND:
264                 err |= send_actuation_command(0, &rts.cmd.act);
265                 err |= send_actuation_command(1, &rts.cmd.act);
266                 break;
267
268             default:
269                 break;
270         }
271     }
272
273 #ifdef ENABLE_SELF_TEST
274     err |= test_step(&c->test, &c->ui);
275 #endif
276     err |= update_ui(&c->ui);
277
278     c->error = err;
279     return err;
280 }

```

Listing F.15: C implementation of instrumentation.impl.

```

1 #include <stdint.h>
2
3 // Identified by SAW: vals[2] and setpoints[2] must be less than 0x80000000
4 uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
5 {
6     uint8_t trips_out = 0;
7     trips_out |= Trip(vals, setpoints, 0);
8     /*@ assert trips_out <= 0x1;
9     trips_out |= (Trip(vals, setpoints, 1) << 1);
10    /*@ assert trips_out <= 0x3;
11    trips_out |= (Trip(vals, setpoints, 2) << 2);
12
13    return trips_out;
14 }
15
16 uint8_t Trip(uint32_t vals[3], uint32_t setpoints[3], uint8_t ch)
17 {
18     if (ch <= 1) {
19         return (setpoints[ch] < vals[ch]);
20     } else {
21         return ((int32_t)vals[ch] < (int32_t)setpoints[ch]);
22     }
23 }
24
25 uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t sensor_tripped)
26 {
27     return (mode == 2) || ((mode == 1) && sensor_tripped);
28 }
```

Listing F.16: C implementation of instrumentation\_handwritten\_C.

```

1 #define Generate_Sensor_Trips Generate_Sensor_Trips_handwritten_C
2 #define Is_Ch_Tripped Is_Ch_Tripped_handwritten_C
3 #define Trip Trip_handwritten_C
4 #define instrumentation_step instrumentation_step_handwritten_C
5 #include "../components/instrumentation.c"
6 #include "../handwritten/C/instrumentation_impl.c"
```

Listing F.17: C implementation of instrumentation.

```

1 #include "instrumentation.h"
2 #include "platform.h"
3 #include "common.h"
4 #include "core.h"
5 #include <string.h>
6
7 #define TRIP_I(_v, _i) (((_v) >> (_i)) & 0x1)
8
9 /*@requires div < NINSTR;
10  @requires \valid(state);
11  @requires \valid(state->reading + (0.. NTRIP-1));
12  @requires \valid(state->test_reading + (0.. NTRIP-1));
13  @requires \valid(state->setpoints + (0.. NTRIP-1));
14  @requires \valid(state->sensor_trip + (0.. NTRIP-1));
15  @assumes state->reading[0.. NTRIP-1];
16  @assumes state->test_reading[0.. NTRIP-1];
17  @assumes state->sensor_trip[0.. NTRIP-1];
18  @ensures -1 <= \result <= 0;
19 */
20 static int instrumentation_step_trip(uint8_t div,
21                                     int do_test,
22                                     struct instrumentation_state *state) {
23     int err = 0;
```

```

25     if (do_test) {
26         err |= read_test_instrumentation_channel(div, T, &state->test_reading[T]);
27         err |= read_test_instrumentation_channel(div, P, &state->test_reading[P]);
28         state->test_reading[S] = Saturation(state->test_reading[T], state->test_reading[P]);
29     } else {
30         err |= read_instrumentation_channel(div, T, &state->reading[T]);
31         err |= read_instrumentation_channel(div, P, &state->reading[P]);
32         state->reading[S] = Saturation(state->reading[T], state->reading[P]);
33     }
34
35     uint8_t new_trips = 0;
36
37     if (do_test) {
38         uint32_t setpoints[3];
39         err |= get_instrumentation_test_setpoints(div, &setpoints[0]);
40         new_trips = Generate_Sensor_Trips(state->test_reading, setpoints);
41     } else {
42         new_trips = Generate_Sensor_Trips(state->reading, state->setpoints);
43     }
44
45     /*@loop invariant 0 <= i && i <= NTRIP;
46     @loop assigns i;
47     @loop assigns state->sensor_trip[0.. NTRIP-1];
48 */
49     for (int i = 0; i < NTRIP; ++i) {
50         state->sensor_trip[i] = TRIP_I(new_trips, i);
51     }
52
53     return err;
54 }
55
56 /*@requires \valid(i_cmd);
57  @requires \valid(state);
58  @requires state->mode[0] \in {0,1,2};
59  @requires state->mode[1] \in {0,1,2};
60  @requires state->mode[2] \in {0,1,2};
61  @assigns state->maintenance, state->mode[0..2], state->setpoints[0..2];
62  @ensures -1 <= \result <= 0;
63  @ensures state->mode[0] \in {0,1,2};
64  @ensures state->mode[1] \in {0,1,2};
65  @ensures state->mode[2] \in {0,1,2};
66 */
67 static int instrumentation_handle_command(uint8_t div,
68                                         struct instrumentation_command *i_cmd,
69                                         struct instrumentation_state *state) {
70     struct set_maintenance set_maint;
71     struct set_mode set_mode;
72     struct set_setpoint set_setpoint;
73
74     switch (i_cmd->type) {
75     case SET_MAINTENANCE:
76         set_maint = i_cmd->cmd.maintenance;
77         state->maintenance = set_maint.on;
78         break;
79
80     case SET_MODE:
81         set_mode = i_cmd->cmd.mode;
82         if (state->maintenance && set_mode.channel < NTRIP &&
83             set_mode.mode_val < NMODES) {
84             state->mode[set_mode.channel] = set_mode.mode_val;
85         }
86         break;
87
88     case SET_SETPOINT:
89         set_setpoint = i_cmd->cmd.setpoint;
90         if (state->maintenance && set_setpoint.channel < NTRIP) {

```

```

91     state->setpoints[set_setpoint.channel] = set_setpoint.val;
92   }
93   break;
94 
95 default:
96   return -1;
97 }
98 
99 return 0;
100}
101 /*@ requires div < NINSTR;
102  @ requires \valid(state);
103  @ requires state->mode[0] \in {0,1,2};
104  @ requires state->mode[1] \in {0,1,2};
105  @ requires state->mode[2] \in {0,1,2};
106  @ assigns core.test.test_instrumentation_done[div];
107  @ ensures \result <= 0;
108 */
109 static int instrumentation_set_output_trips(uint8_t div,
110                                             int do_test,
111                                             struct instrumentation_state *state)
112 {
113   /*@ loop invariant 0 <= i <= NTRIP;
114    @ loop assigns i;
115   */
116   for (int i = 0; i < NTRIP; ++i) {
117     uint8_t mode = do_test ? 1 : state->mode[i];
118     set_output_instrumentation_trip(div, i, BIT(do_test, Is_Ch_Tripped(mode, 0 != state->
119       ↳ sensor_trip[i])));
120   }
121 
122   if (do_test) {
123     set_instrumentation_test_complete(div, 1);
124   }
125 
126   return 0;
127 }
128 
129 int instrumentation_step(uint8_t div, struct instrumentation_state *state) {
130   int err = 0;
131 
132   uint8_t test_div[2];
133   get_test_instrumentation(test_div);
134   int do_test = (div == test_div[0] || div == test_div[1]) && is_test_running();
135 
136   if (do_test && is_instrumentation_test_complete(div))
137     return 0;
138 
139   if (!do_test && is_instrumentation_test_complete(div)) {
140     set_instrumentation_test_complete(div, 0);
141   }
142 
143   /* Read trip signals & vote */
144   err |= instrumentation_step_trip(div, do_test, state);
145 
146   /* Handle any external commands */
147   struct instrumentation_command i_cmd;
148   int read_cmd = read_instrumentation_command(div, &i_cmd);
149   if (read_cmd > 0) {
150     err |= instrumentation_handle_command(div, &i_cmd, state);
151   } else if (read_cmd < 0) {
152     err |= -read_cmd;
153   }
154 
155   /* Actuate devices based on voting and commands */

```

```

156     err |= instrumentation_set_output_trips(div, do_test, state);
157     return err;
158 }
```

Listing F.18: C implementation of actuation\_unit\_generated\_C.

```

1 #define Actuate_D0 Actuate_D0_generated_C
2 #define Actuate_D1 Actuate_D1_generated_C
3 #define Coincidence_2_4 Coincidence_2_4_generated_C
4 #define actuation_unit_step actuation_unit_step_generated_C
5 #include "../components/actuation_unit.c"
6 #include "../generated/C/actuation_unit_impl.c"
```

Listing F.19: C implementation of actuator\_impl.

```

1 typedef unsigned _ExtInt(1) w1;
2 typedef unsigned _ExtInt(2) w2;
3 w1 static rotl1(w1 x, w1 shf)
4 {
5     w1 offset = 1;
6     return x << shf | x >> offset - shf;
7 }
8 w1 static rotr1(w1 x, w1 shf)
9 {
10    w1 offset = 1;
11    return x >> shf | x << offset - shf;
12 }
13 w2 static rotl2(w2 x, w2 shf)
14 {
15    w2 offset = 2;
16    return x << shf | x >> offset - shf;
17 }
18 w2 static rotr2(w2 x, w2 shf)
19 {
20    w2 offset = 2;
21    return x >> shf | x << offset - shf;
22 }
23 w1 ActuateActuator(w2 inputs4683)
24 {
25     w1 app_4097;
26     w1 return_4096;
27     return_4096 = 0;
28     app_4097 = inputs4683 >> (w1) 0 & 1 | inputs4683 >> (w1) 1 & 1;
29     return_4096 = app_4097;
30     return return_4096;
31 }
```

Listing F.20: C implementation of sense\_actuate.

```

1 #include "common.h"
2 #include "platform.h"
3 #include "instrumentation.h"
4 #include "actuation_logic.h"
5 #include "sense_actuate.h"
6
7 #ifdef PLATFORM_HOST
8 #include <stdio.h>
9#else
10 #include "printf.h"
11#endif
12
13 int instrumentation_step_generated_C(uint8_t div, struct instrumentation_state *state);
14 int instrumentation_step_handwritten_C(uint8_t div, struct instrumentation_state *state);
```

```

15 int instrumentation_step_generated_SystemVerilog(uint8_t div, struct instrumentation_state *
16   ↪ state);
16 int instrumentation_step_handwritten_SystemVerilog(uint8_t div, struct instrumentation_state
17   ↪ *state);
17 int actuation_unit_step_generated_C(uint8_t logic_no, struct actuation_logic *state);
18 int actuation_unit_step_generated_SystemVerilog(uint8_t logic_no, struct actuation_logic *
19   ↪ state);
20
20 int sense_actuate_init(int core_id,
21   ↪ struct instrumentation_state *instrumentation,
22   ↪ struct actuation_logic *actuation)
23 {
24   DEBUG_PRINTF(("<sense_actuate.c> sense_actuate_init\n"));
25   instrumentation_init(&instrumentation[0]);
26   instrumentation_init(&instrumentation[1]);
27   actuation->vote_actuate[0] = 0;
28   actuation->vote_actuate[1] = 0;
29   return 0;
30 }
31
32 int sense_actuate_step_0(struct instrumentation_state *instrumentation,
33   ↪ struct actuation_logic *actuation)
34 {
35   int err = 0;
36   err |= instrumentation_step_generated_C(0,&instrumentation[0]);
37   err |= instrumentation_step_handwritten_C(1,&instrumentation[1]);
38   // Do we think the devices should be actuated?
39   err |= actuation_unit_step_generated_C(0,actuation);
40   DEBUG_PRINTF(("<sense_actuate.c> sense_actuate_step_0, err=0x%X\n",err));
41   return err;
42 }
43
44 int sense_actuate_step_1(struct instrumentation_state *instrumentation,
45   ↪ struct actuation_logic *actuation)
46 {
47   int err = 0;
48   err |= instrumentation_step_handwritten_SystemVerilog(2,&instrumentation[0]);
49   err |= instrumentation_step_generated_SystemVerilog(3,&instrumentation[1]);
50   // Do we think the devices should be actuated?
51   err |= actuation_unit_step_generated_SystemVerilog(1,actuation);
52   DEBUG_PRINTF(("<sense_actuate.c> sense_actuate_step_1, err=0x%X\n",err));
53   return err;
54 }
```

Listing F.21: C implementation of instrumentation\_generated\_C.

```

1 #define Generate_Sensor_Trips Generate_Sensor_Trips_generated_C
2 #define Is_Ch_Tripped Is_Ch_Tripped_generated_C
3 #define Trip Trip_generated_C
4 #define instrumentation_step instrumentation_step_generated_C
5 #include "../components/instrumentation.c"
6 #include "../generated/C/instrumentation_impl.c"
```

Listing F.22: C implementation of instrumentation\_impl.

```

1 #include <stdint.h>
2
3 // Identified by SAW: vals[2] and setpoints[2] must be less than 0x80000000
4 uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
5 {
6   uint8_t trips_out = 0;
7   trips_out |= Trip(vals, setpoints, 0);
8   /* assert trips_out <= 0x1;
9   trips_out |= (Trip(vals, setpoints, 1) << 1);
10  /* assert trips_out <= 0x3;
```

```

11     trips_out |= (Trip(vals, setpoints, 2) << 2);
12
13     return trips_out;
14 }
15
16 uint8_t Trip(uint32_t vals[3], uint32_t setpoints[3], uint8_t ch)
17 {
18     if (ch <= 1) {
19         return (setpoints[ch] < vals[ch]);
20     } else {
21         return ((int32_t)vals[ch] < (int32_t)setpoints[ch]);
22     }
23 }
24
25 uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t sensor_tripped)
26 {
27     return (mode == 2) || ((mode == 1) && sensor_tripped);
28 }
```

Listing F.23: C implementation of instrumentation\_impl.

```

1 #include <stdint.h>
2
3 // Identified by SAW: vals[2] and setpoints[2] must be less than 0x80000000
4 uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
5 {
6     uint8_t trips_out = 0;
7     trips_out |= Trip(vals, setpoints, 0);
8     //assert trips_out <= 0x1;
9     trips_out |= (Trip(vals, setpoints, 1) << 1);
10    //assert trips_out <= 0x3;
11    trips_out |= (Trip(vals, setpoints, 2) << 2);
12
13    return trips_out;
14 }
15
16 uint8_t Trip(uint32_t vals[3], uint32_t setpoints[3], uint8_t ch)
17 {
18     if (ch <= 1) {
19         return (setpoints[ch] < vals[ch]);
20     } else {
21         return ((int32_t)vals[ch] < (int32_t)setpoints[ch]);
22     }
23 }
24
25 uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t sensor_tripped)
26 {
27     return (mode == 2) || ((mode == 1) && sensor_tripped);
28 }
```

Listing F.24: C implementation of bsp.

```

1 #include "bsp.h"
2 #include "printf.h"
3
4 uint32_t i2c_read(uint8_t addr, uint32_t data_tx)
5 {
6     volatile uint32_t *i2c_addr = (void*) I2C_REG_ADDR;
7     volatile uint32_t *i2c_data = (void*) I2C_REG_DATA;
8     volatile uint32_t *i2c_status = (void*) I2C_REG_STATUS;
9
10    // First set data
11    *i2c_data = data_tx;
12    // Second set address
```

```

13     *i2c_addr = addr;
14     // Now the transaction is initialized, so wait for completion
15     delay(100);
16     while (1) {
17         uint32_t status = *i2c_status;
18         if (status) {
19             // Return the acquired data
20             uint32_t data = *i2c_data;
21             return data;
22         }
23         delay(1000);
24     }
25 }
26
27 uint32_t time_in_s(void)
28 {
29     uint32_t t_s = time_in_ms()/1000;
30     return t_s;
31 }
32
33 uint32_t time_in_ms(void)
34 {
35     volatile uint32_t *tick_reg_low = (void*) TICK_REG_LOW;
36     volatile uint32_t *tick_reg_high = (void*) TICK_REG_HIGH;
37     uint64_t ticks = (uint64_t) (*tick_reg_high << 31 | *tick_reg_low);
38     return (uint32_t)((ticks*1000)/(CORE_FREQ*TICKS_TO_MS_MULTIPLIER));
39 }
40
41 void delay_ms(uint32_t ms)
42 {
43     uint32_t ticks = ms*CORE_FREQ/1000;
44     delay(ticks);
45 }
46
47 void delay(uint32_t count)
48 {
49     while(count-->0) {
50         __asm__ volatile ("nop");
51     }
52 }
53
54 uint8_t soc_getchar(void)
55 {
56     volatile uint32_t *data_rdy = (void*) UART_REG_DATA_READY;
57     volatile uint32_t *rx_data = (void*) UART_REG_RX;
58     int starttime = time_in_ms();
59     int delay_ms = 0;
60     // Wait 1s for each character
61     while ((delay_ms < 2000)) {
62         if (*data_rdy){
63             return (uint8_t)(*rx_data);
64         }
65         delay_ms = time_in_ms() - starttime;
66     }
67     return 0;
68 }
69
70 // Read from a register
71 uint32_t read_reg(uint32_t reg)
72 {
73     uint32_t *p = (void*)reg;
74     return *p;
75 }
76
77 // Write 'val' to 'reg'
78 void write_reg(uint32_t reg, uint32_t val)

```

```

79 {
80     uint32_t *p = (void*)reg;
81     *p = val;
82 }

```

Listing F.25: C implementation of instrumentation\_impl.

```

1 #include <stdint.h>
2
3 // Identified by SAW: vals[2] and setpoints[2] must be less than 0x80000000
4 uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
5 {
6     uint8_t trips_out = 0;
7     trips_out |= Trip(vals, setpoints, 0);
8     /* assert trips_out <= 0x1;
9     trips_out |= (Trip(vals, setpoints, 1) << 1);
10    /* assert trips_out <= 0x3;
11    trips_out |= (Trip(vals, setpoints, 2) << 2);
12
13    return trips_out;
14 }
15
16 uint8_t Trip(uint32_t vals[3], uint32_t setpoints[3], uint8_t ch)
17 {
18     if (ch <= 1) {
19         return (setpoints[ch] < vals[ch]);
20     } else {
21         return ((int32_t)vals[ch] < (int32_t)setpoints[ch]);
22     }
23 }
24
25 uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t sensor_tripped)
26 {
27     return (mode == 2) || ((mode == 1) && sensor_tripped);
28 }

```

Listing F.26: C implementation of firmware.

```

1 #include <stdint.h>
2 #include "bsp.h"
3 #include "printf.h"
4 //
5 // int main(void)
6 // {
7 // volatile uint32_t *gpio = (void*) GPIO_REG;
8 // uint32_t cnt = 0;
9 // char line[256] = {0};
10 // printf("Hello world\n");
11 // while(1) {
12 // printf("%u milliseconds passed, GPIO=0x%X\n", time_in_ms(), *gpio);
13 // printf("%d seconds passed...and a sensor reads 0x%X\n", time_in_s(), i2c_read(0x64, 0x0B))
14 //     ;
15 // // NOTE this is still line buffered
16 // uint8_t c = soc_getchar();
17 // printf(">>>%c<<\n", c);
18 // // for (unsigned int i = 0; i < sizeof(line); i++) {
19 // // line[i] = soc_getchar();
20 // // if (line[i] == 0 || line[i] == '\n') {
21 // // break;
22 // // }
23 // // }
24 // // printf(">>>%s<<\n", line);
25 // *gpio = cnt;
26 // cnt++;

```

```

27 // cnt = cnt % 256;
28 // //delay_ms(1000);
29 // delay(100000);
30 // }
31
32 // return 0;
33 // }
34
35 int main()
{
36     volatile uint32_t *gpio = (void*)GPIO_REG;
37     *gpio = 0;
38     uint32_t cnt = 0;
39     while(1)
40     {
41         delay_ms(1000);
42         if (cnt == 1) {
43             cnt = 0;
44         } else {
45             cnt = 1;
46         }
47         *gpio = cnt;
48         printf("%u miliseconds passed, GPIO=0x%X\n", time_in_ms(), *gpio);
49     }
50     return 0;
51 }

```

Listing F.27: C implementation of saturation\_impl.

```

1 typedef unsigned _ExtInt(1) w1;
2 typedef unsigned _ExtInt(32) w32;
3 w1 static rotl1(w1 x, w1 shf)
4 {
5     w1 offset = 1;
6     return x << shf | x >> offset - shf;
7 }
8 w1 static rotr1(w1 x, w1 shf)
9 {
10    w1 offset = 1;
11    return x >> shf | x << offset - shf;
12 }
13 w32 static rotl32(w32 x, w32 shf)
14 {
15     w32 offset = 32;
16     return x << shf | x >> offset - shf;
17 }
18 w32 static rotr32(w32 x, w32 shf)
19 {
20     w32 offset = 32;
21     return x >> shf | x << offset - shf;
22 }
23 w32 Saturation(w32 t4762, w32 p4763)
24 {
25     w32 app_4100;
26     w32 app_4101;
27     w1 app_4157;
28     w1 app_4158;
29     w1 app_4159;
30     w32 app_4160;
31     w32 ifv_4099;
32     w32 ifv_4156;
33     w32 return_4097;
34     w32 table_4102[52];
35     w32 v4804_4103;
36     w32 v4805_4104;
37     w32 v4806_4105;

```

```

38     w32 v4807_4106;
39     w32 v4808_4107;
40     w32 v4809_4108;
41     w32 v4810_4109;
42     w32 v4811_4110;
43     w32 v4812_4111;
44     w32 v4813_4112;
45     w32 v4814_4113;
46     w32 v4815_4114;
47     w32 v4816_4115;
48     w32 v4817_4116;
49     w32 v4818_4117;
50     w32 v4819_4118;
51     w32 v4820_4119;
52     w32 v4821_4120;
53     w32 v4822_4121;
54     w32 v4823_4122;
55     w32 v4824_4123;
56     w32 v4825_4124;
57     w32 v4826_4125;
58     w32 v4827_4126;
59     w32 v4828_4127;
60     w32 v4829_4128;
61     w32 v4830_4129;
62     w32 v4831_4130;
63     w32 v4832_4131;
64     w32 v4833_4132;
65     w32 v4834_4133;
66     w32 v4835_4134;
67     w32 v4836_4135;
68     w32 v4837_4136;
69     w32 v4838_4137;
70     w32 v4839_4138;
71     w32 v4840_4139;
72     w32 v4841_4140;
73     w32 v4842_4141;
74     w32 v4843_4142;
75     w32 v4844_4143;
76     w32 v4845_4144;
77     w32 v4846_4145;
78     w32 v4847_4146;
79     w32 v4848_4147;
80     w32 v4849_4148;
81     w32 v4850_4149;
82     w32 v4851_4150;
83     w32 v4852_4151;
84     w32 v4853_4152;
85     w32 v4854_4153;
86     w32 v4855_4154;
87     return_4097 = 0;
88     app_4158 = (signed _ExtInt(32)) t4762 < (signed _ExtInt(32)) (w32) 35;
89     if (app_4158)
90     {
91         ifv_4099 = (w32) 0;
92     }
93     else
94     {
95         app_4100 = t4762 - (w32) 35;
96         app_4101 = app_4100 / (w32) 5;
97         ifv_4099 = app_4101;
98     }
99     app_4159 = ifv_4099 < (w32) 52;
100    if (app_4159)
101    {
102        app_4157 = (signed _ExtInt(32)) t4762 < (signed _ExtInt(32)) (w32) 35;
103        if (app_4157)

```

```

104 {
105     ifv_4099 = (w32) 0;
106 }
107 else
108 {
109     app_4100 = t4762 - (w32) 35;
110     app_4101 = app_4100 / (w32) 5;
111     ifv_4099 = app_4101;
112 }
113 v4804_4103 = (w32) 9998;
114 v4805_4104 = (w32) 12163;
115 v4806_4105 = (w32) 14753;
116 v4807_4106 = (w32) 17796;
117 v4808_4107 = (w32) 21404;
118 v4809_4108 = (w32) 25611;
119 v4810_4109 = (w32) 30562;
120 v4811_4110 = (w32) 36292;
121 v4812_4111 = (w32) 42985;
122 v4813_4112 = (w32) 50683;
123 v4814_4113 = (w32) 59610;
124 v4815_4114 = (w32) 69813;
125 v4816_4115 = (w32) 81567;
126 v4817_4116 = (w32) 94924;
127 v4818_4117 = (w32) 110218;
128 v4819_4118 = (w32) 127500;
129 v4820_4119 = (w32) 147160;
130 v4821_4120 = (w32) 169270;
131 v4822_4121 = (w32) 194350;
132 v4823_4122 = (w32) 222300;
133 v4824_4123 = (w32) 253820;
134 v4825_4124 = (w32) 288920;
135 v4826_4125 = (w32) 328250;
136 v4827_4126 = (w32) 371840;
137 v4828_4127 = (w32) 420470;
138 v4829_4128 = (w32) 474140;
139 v4830_4129 = (w32) 533740;
140 v4831_4130 = (w32) 599260;
141 v4832_4131 = (w32) 671730;
142 v4833_4132 = (w32) 751100;
143 v4834_4133 = (w32) 838550;
144 v4835_4134 = (w32) 934000;
145 v4836_4135 = (w32) 1038600;
146 v4837_4136 = (w32) 1152600;
147 v4838_4137 = (w32) 1277600;
148 v4839_4138 = (w32) 1413200;
149 v4840_4139 = (w32) 1469600;
150 v4841_4140 = (w32) 1718600;
151 v4842_4141 = (w32) 1892100;
152 v4843_4142 = (w32) 2079100;
153 v4844_4143 = (w32) 2280400;
154 v4845_4144 = (w32) 2496800;
155 v4846_4145 = (w32) 2731900;
156 v4847_4146 = (w32) 2984000;
157 v4848_4147 = (w32) 3253900;
158 v4849_4148 = (w32) 3542700;
159 v4850_4149 = (w32) 3854600;
160 v4851_4150 = (w32) 4187500;
161 v4852_4151 = (w32) 4542300;
162 v4853_4152 = (w32) 4920000;
163 v4854_4153 = (w32) 5325900;
164 v4855_4154 = (w32) 5775200;
165 table_4102[0] = v4804_4103;
166 table_4102[1] = v4805_4104;
167 table_4102[2] = v4806_4105;
168 table_4102[3] = v4807_4106;
169 table_4102[4] = v4808_4107;

```

```

170     table_4102[5] = v4809_4108;
171     table_4102[6] = v4810_4109;
172     table_4102[7] = v4811_4110;
173     table_4102[8] = v4812_4111;
174     table_4102[9] = v4813_4112;
175     table_4102[10] = v4814_4113;
176     table_4102[11] = v4815_4114;
177     table_4102[12] = v4816_4115;
178     table_4102[13] = v4817_4116;
179     table_4102[14] = v4818_4117;
180     table_4102[15] = v4819_4118;
181     table_4102[16] = v4820_4119;
182     table_4102[17] = v4821_4120;
183     table_4102[18] = v4822_4121;
184     table_4102[19] = v4823_4122;
185     table_4102[20] = v4824_4123;
186     table_4102[21] = v4825_4124;
187     table_4102[22] = v4826_4125;
188     table_4102[23] = v4827_4126;
189     table_4102[24] = v4828_4127;
190     table_4102[25] = v4829_4128;
191     table_4102[26] = v4830_4129;
192     table_4102[27] = v4831_4130;
193     table_4102[28] = v4832_4131;
194     table_4102[29] = v4833_4132;
195     table_4102[30] = v4834_4133;
196     table_4102[31] = v4835_4134;
197     table_4102[32] = v4836_4135;
198     table_4102[33] = v4837_4136;
199     table_4102[34] = v4838_4137;
200     table_4102[35] = v4839_4138;
201     table_4102[36] = v4840_4139;
202     table_4102[37] = v4841_4140;
203     table_4102[38] = v4842_4141;
204     table_4102[39] = v4843_4142;
205     table_4102[40] = v4844_4143;
206     table_4102[41] = v4845_4144;
207     table_4102[42] = v4846_4145;
208     table_4102[43] = v4847_4146;
209     table_4102[44] = v4848_4147;
210     table_4102[45] = v4849_4148;
211     table_4102[46] = v4850_4149;
212     table_4102[47] = v4851_4150;
213     table_4102[48] = v4852_4151;
214     table_4102[49] = v4853_4152;
215     table_4102[50] = v4854_4153;
216     table_4102[51] = v4855_4154;
217     ifv_4156 = table_4102[ifv_4099];
218 }
219 else
220 {
221     ifv_4156 = (w32) 5775200;
222 }
223 app_4160 = p4763 - ifv_4156;
224 return_4097 = app_4160;
225 return return_4097;
226 }
```

Listing F.28: C implementation of instrumentation\_handwritten\_SystemVerilog.

```

1 #ifdef PLATFORM_HOST
2 #include "../handwritten/SystemVerilog/verilator/generate_sensor_trips/
3     ↪ VGenerate_Sensor_Trips.h"
4 #include "../handwritten/SystemVerilog/verilator/is_ch_tripped/VIs_Ch_Tripped.h"
5 #include <stdio.h>
6 #else
```

```

6  #include "printf.h"
7  #endiff
8
9  #define Generate_Sensor_Trips Generate_Sensor_Trips_handwritten_SystemVerilog
10 #define Is_Ch_Tripped Is_Ch_Tripped_handwritten_SystemVerilog
11 #define instrumentation_step instrumentation_step_handwritten_SystemVerilog
12 #include "../components/instrumentation.c"
13
14 static uint8_t lookup[8] = { 0x0, 0b100, 0b010, 0b110, 0b001, 0b101, 0b011, 0b111 };
15
16 #ifdef PLATFORM_HOST
17 static VIs_Ch_Tripped is_tripped;
18 static VGenerate_Sensor_Trips gen_trips;
19
20 uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip)
21 {
22     is_tripped.mode = mode;
23     is_tripped.sensor_tripped = trip;
24     is_tripped.eval();
25     uint32_t val = (trip & 0x1) << 3 | (mode & 0x3) << 1 | 0x0;
26     DEBUG_PRINTF("<instrumentation_handwritten_SystemVerilog.c> Is_Ch_Tripped: mode=0x%X,
27             → trip=0x%X, base=0x%X, res=0x%X\n",
28             mode, trip, val,is_tripped.out);
29     return is_tripped.out;
30 }
31
32 uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
33 {
34     gen_trips.vals[0] = vals[2];
35     gen_trips.vals[1] = vals[1];
36     gen_trips.vals[2] = vals[0];
37     gen_trips.setpoints[0] = setpoints[2];
38     gen_trips.setpoints[1] = setpoints[1];
39     gen_trips.setpoints[2] = setpoints[0];
40     gen_trips.eval();
41     uint8_t out = gen_trips.out;
42     DEBUG_PRINTF("<instrumentation_handwritten_SystemVerilog.c> Generate_Sensor_Trips: vals
43             → =[%u,%u,%u], setpoints=[%u,%u,%u], lookup[%d]=0x%X\n",
44             vals[0],vals[1],vals[2],setpoints[0],setpoints[1],setpoints[2],out,lookup[out]));
45     return lookup[out];
46 }
47 #else
48 #include "bsp.h"
49 #include "platform.h"
50
51 uint8_t Is_Ch_Tripped(uint8_t mode, uint8_t trip)
52 {
53     // wdata[0] - fnc select ( 0 - is_channel_tripped / 1 - generate_sensor_trips)
54     // wdata[2:1] - mode
55     // wdata[3] - sensor_tripped
56     // rg_instr_hand_res[2:0] - result
57     // rg_instr_hand_res[31] - fnc select ( 0 - is_channel_tripped / 1 - generate_sensor_trips
58     // → )
59     uint32_t val = (trip & 0x1) << 3 | (mode & 0x3) << 1 | 0x0;
60     write_reg(INSTRUMENTATION_HANDWRITTEN_REG_BASE, val);
61     uint8_t res = (uint8_t)(read_reg(INSTRUMENTATION_HANDWRITTEN_REG_RESULT) & 0x1);
62     DEBUG_PRINTF("<instrumentation_handwritten_SystemVerilog.c> Is_Ch_Tripped: mode=0x%X,
63             → trip=0x%X, base=0x%X, res=0x%X\n",
64             mode, trip, val,res));
65     return res;
66 }
67
68 uint8_t Generate_Sensor_Trips(uint32_t vals[3], uint32_t setpoints[3])
69 {
70     // Set value for setpoints
71     write_reg(INSTRUMENTATION_HANDWRITTEN_REG_SETPOINT_VAL_0, setpoints[0]);

```

```

68     write_reg(INSTRUMENTATION_HANDWRITTEN_REG_SETPOINT_VAL_1, setpoints[1]);
69     write_reg(INSTRUMENTATION_HANDWRITTEN_REG_SETPOINT_VAL_2, setpoints[2]);
70     write_reg(INSTRUMENTATION_HANDWRITTEN_REG_INSTR_VAL_0, vals[0]);
71     write_reg(INSTRUMENTATION_HANDWRITTEN_REG_INSTR_VAL_1, vals[1]);
72     write_reg(INSTRUMENTATION_HANDWRITTEN_REG_INSTR_VAL_2, vals[2]);
73     write_reg(INSTRUMENTATION_HANDWRITTEN_REG_BASE, 0x1);
74     uint8_t out = (uint8_t)(read_reg(INSTRUMENTATION_HANDWRITTEN_REG_RESULT) & 0x7);
75     DEBUG_PRINTF(("instrumentation_handwritten_SystemVerilog.c> Generate_Sensor_Trips: vals
76      → =[%u,%u,%u], setpoints=[%u,%u,%u], lookup[%d]=0x%X\n"
77 ,vals[0],vals[1],vals[2],setpoints[0],setpoints[1],setpoints[2],out,lookup[out]));
78     return lookup[out];
79 }
80 #endif

```

Listing F.29: C implementation of bottom.

```

1 #include "actuate.h"
2 #include "actuation_logic.h"
3 #include "common.h"
4 #include "core.h"
5 #include "instrumentation.h"
6 #include "platform.h"
7 #include "sense_actuate.h"
8
9 #include <assert.h>
10
11 int actuate_devices(void) {
12     assert(0);
13     return 0;
14 }
15
16 uint8_t ActuateActuator(uint8_t vs) {
17     assert(0);
18     return 0;
19 }
20
21 uint8_t Coincidence_2_4(uint8_t trips[4]) {
22     assert(0);
23     return 0;
24 }
25
26 uint8_t Actuate_D0(uint8_t trips[3][4], uint8_t old) {
27     assert(0);
28     return 0;
29 }
30
31 uint8_t Actuate_D1(uint8_t trips[3][4], uint8_t old) {
32     assert(0);
33     return 0;
34 }
35
36 int actuation_unit_step(uint8_t logic_no, struct actuation_logic *state) {
37     assert(0);
38     return 0;
39 }
40
41 int sense_actuate_init(int core_id,
42                         struct instrumentation_state *instrumentation,
43                         struct actuation_logic *actuation) {
44     assert(0);
45     return 0;
46 }
47
48 int sense_actuate_step_0(struct instrumentation_state *instrumentation,
49                         struct actuation_logic *actuation)

```

```

50
51 {
52     assert(0);
53     return 0;
54 }
55
56 int sense_actuate_step_1(struct instrumentation_state *instrumentation,
57                         struct actuation_logic *actuation) {
58     assert(0);
59     return 0;
60 }
61
62 void core_init(struct core_state *core) { assert(0); }
63
64 int core_step(struct core_state *core) {
65     assert(0);
66     return 0;
67 }
68
69 void instrumentation_init(struct instrumentation_state *state) { assert(0); }
70
71 int instrumentation_step(uint8_t div, struct instrumentation_state *state) {
72     assert(0);
73     return 0;
74 }
75 int read_instrumentation_channel(uint8_t div, uint8_t channel, uint32_t *val) {
76     assert(0);
77     return 0;
78 }
79
80 int get_instrumentation_value(uint8_t division, uint8_t ch, uint32_t *value) {
81     assert(0);
82     return 0;
83 }
84
85 int get_instrumentation_trip(uint8_t division, uint8_t ch, uint8_t *value) {
86     assert(0);
87     return 0;
88 }
89
90 int get_instrumentation_mode(uint8_t division, uint8_t ch, uint8_t *value) {
91     assert(0);
92     return 0;
93 }
94
95 int get_instrumentation_maintenance(uint8_t division, uint8_t *value) {
96     assert(0);
97     return 0;
98 }
99
100 int get_actuation_state(uint8_t i, uint8_t device, uint8_t *value) {
101    assert(0);
102    return 0;
103 }
104
105 int read_instrumentation_trip_signals(uint8_t arr[3][4]) {
106    assert(0);
107    return 0;
108 }
109
110 int set_output_actuation_logic(uint8_t logic_no, uint8_t device_no,
111                               uint8_t on) {
112    assert(0);
113    return 0;
114 }
115

```

```

116 int set_output_instrumentation_trip(uint8_t division, uint8_t channel,
117                                     uint8_t val) {
118     assert(0);
119     return 0;
120 }
121
122 int set_actuate_device(uint8_t device_no, uint8_t on) {
123     assert(0);
124     return 0;
125 }
126
127 int read_rts_command(struct rts_command *cmd) {
128     assert(0);
129     return 0;
130 }
131
132 int read_instrumentation_command(uint8_t division,
133                                  struct instrumentation_command *cmd) {
134     assert(0);
135     return 0;
136 }
137
138 int send_instrumentation_command(uint8_t division,
139                                 struct instrumentation_command *cmd) {
140     assert(0);
141     return 0;
142 }
143
144 int read_actuation_command(uint8_t id, struct actuation_command *cmd) {
145     assert(0);
146     return 0;
147 }
148
149 int send_actuation_command(uint8_t actuator, struct actuation_command *cmd) {
150     assert(0);
151     return 0;
152 }
153
154 int set_display_line(uint8_t line_number, const char *display, uint32_t size) {
155     assert(0);
156     return 0;
157 }
158
159 uint8_t is_test_running() {
160     assert(0);
161     return 0;
162 }
163
164 void set_test_running(int val) { assert(0); }
165
166 uint8_t get_test_device() {
167     assert(0);
168     return 0;
169 }
170
171 void get_test_instrumentation(uint8_t *id) { assert(0); }
172
173 int get_instrumentation_test_setpoints(uint8_t id, uint32_t *setpoints) {
174     assert(0);
175     return 0;
176 }
177 void set_instrumentation_test_complete(uint8_t div, int v) { assert(0); }
178 int is_instrumentation_test_complete(uint8_t id) {
179     assert(0);
180     return 0;
181 }

```

```

182 int read_test_instrumentation_channel(uint8_t div, uint8_t channel,
183                                     uint32_t *val) {
184     assert(0);
185     return 0;
186 }
187
188 uint8_t get_test_actuation_unit() {
189     assert(0);
190     return 0;
191 }
192 int is_actuation_unit_under_test(uint8_t id) {
193     assert(0);
194     return 0;
195 }
196 void set_actuation_unit_test_complete(uint8_t div, int v) { assert(0); }
197 void set_actuation_unit_test_input_vote(uint8_t id, int v) { assert(0); }
198 int is_actuation_unit_test_complete(uint8_t id) {
199     assert(0);
200     return 0;
201 }
202
203 void set_actuate_test_result(uint8_t dev, uint8_t result) { assert(0); }
204 void set_actuate_test_complete(uint8_t dev, int v) { assert(0); }
205 int is_actuate_test_complete(uint8_t dev) {
206     assert(0);
207     return 0;
208 }
209
210 int main(int argc, char **argv) {
211     assert(0);
212     return 0;
213 }

```

Listing F.30: C implementation of saturation\_impl.

```

1 typedef unsigned _ExtInt(1) w1;
2 typedef unsigned _ExtInt(32) w32;
3 w1 static rotl1(w1 x, w1 shf)
4 {
5     w1 offset = 1;
6     return x << shf | x >> offset - shf;
7 }
8 w1 static rotr1(w1 x, w1 shf)
9 {
10    w1 offset = 1;
11    return x >> shf | x << offset - shf;
12 }
13 w32 static rotl32(w32 x, w32 shf)
14 {
15     w32 offset = 32;
16     return x << shf | x >> offset - shf;
17 }
18 w32 static rotr32(w32 x, w32 shf)
19 {
20     w32 offset = 32;
21     return x >> shf | x << offset - shf;
22 }
23 w32 Saturation(w32 t4762, w32 p4763)
24 {
25     w32 app_4100;
26     w32 app_4101;
27     w1 app_4157;
28     w1 app_4158;
29     w1 app_4159;
30     w32 app_4160;
31     w32 ifv_4099;

```

```

32     w32 ifv_4156;
33     w32 return_4097;
34     w32 table_4102[52];
35     w32 v4804_4103;
36     w32 v4805_4104;
37     w32 v4806_4105;
38     w32 v4807_4106;
39     w32 v4808_4107;
40     w32 v4809_4108;
41     w32 v4810_4109;
42     w32 v4811_4110;
43     w32 v4812_4111;
44     w32 v4813_4112;
45     w32 v4814_4113;
46     w32 v4815_4114;
47     w32 v4816_4115;
48     w32 v4817_4116;
49     w32 v4818_4117;
50     w32 v4819_4118;
51     w32 v4820_4119;
52     w32 v4821_4120;
53     w32 v4822_4121;
54     w32 v4823_4122;
55     w32 v4824_4123;
56     w32 v4825_4124;
57     w32 v4826_4125;
58     w32 v4827_4126;
59     w32 v4828_4127;
60     w32 v4829_4128;
61     w32 v4830_4129;
62     w32 v4831_4130;
63     w32 v4832_4131;
64     w32 v4833_4132;
65     w32 v4834_4133;
66     w32 v4835_4134;
67     w32 v4836_4135;
68     w32 v4837_4136;
69     w32 v4838_4137;
70     w32 v4839_4138;
71     w32 v4840_4139;
72     w32 v4841_4140;
73     w32 v4842_4141;
74     w32 v4843_4142;
75     w32 v4844_4143;
76     w32 v4845_4144;
77     w32 v4846_4145;
78     w32 v4847_4146;
79     w32 v4848_4147;
80     w32 v4849_4148;
81     w32 v4850_4149;
82     w32 v4851_4150;
83     w32 v4852_4151;
84     w32 v4853_4152;
85     w32 v4854_4153;
86     w32 v4855_4154;
87     return_4097 = 0;
88     app_4158 = (signed _ExtInt(32)) t4762 < (signed _ExtInt(32)) (w32) 35;
89     if (app_4158)
90     {
91         ifv_4099 = (w32) 0;
92     }
93     else
94     {
95         app_4100 = t4762 - (w32) 35;
96         app_4101 = app_4100 / (w32) 5;
97         ifv_4099 = app_4101;

```

```

98 }
99 app_4159 = ifv_4099 < (w32) 52;
100 if (app_4159)
101 {
102     app_4157 = (signed _ExtInt(32)) t4762 < (signed _ExtInt(32)) (w32) 35;
103     if (app_4157)
104     {
105         ifv_4099 = (w32) 0;
106     }
107     else
108     {
109         app_4100 = t4762 - (w32) 35;
110         app_4101 = app_4100 / (w32) 5;
111         ifv_4099 = app_4101;
112     }
113     v4804_4103 = (w32) 9998;
114     v4805_4104 = (w32) 12163;
115     v4806_4105 = (w32) 14753;
116     v4807_4106 = (w32) 17796;
117     v4808_4107 = (w32) 21404;
118     v4809_4108 = (w32) 25611;
119     v4810_4109 = (w32) 30562;
120     v4811_4110 = (w32) 36292;
121     v4812_4111 = (w32) 42985;
122     v4813_4112 = (w32) 50683;
123     v4814_4113 = (w32) 59610;
124     v4815_4114 = (w32) 69813;
125     v4816_4115 = (w32) 81567;
126     v4817_4116 = (w32) 94924;
127     v4818_4117 = (w32) 110218;
128     v4819_4118 = (w32) 127500;
129     v4820_4119 = (w32) 147160;
130     v4821_4120 = (w32) 169270;
131     v4822_4121 = (w32) 194350;
132     v4823_4122 = (w32) 222300;
133     v4824_4123 = (w32) 253820;
134     v4825_4124 = (w32) 288920;
135     v4826_4125 = (w32) 328250;
136     v4827_4126 = (w32) 371840;
137     v4828_4127 = (w32) 420470;
138     v4829_4128 = (w32) 474140;
139     v4830_4129 = (w32) 533740;
140     v4831_4130 = (w32) 599260;
141     v4832_4131 = (w32) 671730;
142     v4833_4132 = (w32) 751100;
143     v4834_4133 = (w32) 838550;
144     v4835_4134 = (w32) 934000;
145     v4836_4135 = (w32) 1038600;
146     v4837_4136 = (w32) 1152600;
147     v4838_4137 = (w32) 1277600;
148     v4839_4138 = (w32) 1413200;
149     v4840_4139 = (w32) 1469600;
150     v4841_4140 = (w32) 1718600;
151     v4842_4141 = (w32) 1892100;
152     v4843_4142 = (w32) 2079100;
153     v4844_4143 = (w32) 2280400;
154     v4845_4144 = (w32) 2496800;
155     v4846_4145 = (w32) 2731900;
156     v4847_4146 = (w32) 2984000;
157     v4848_4147 = (w32) 3253900;
158     v4849_4148 = (w32) 3542700;
159     v4850_4149 = (w32) 3854600;
160     v4851_4150 = (w32) 4187500;
161     v4852_4151 = (w32) 4542300;
162     v4853_4152 = (w32) 4920000;
163     v4854_4153 = (w32) 5325900;

```

```

164     v4855_4154 = (w32) 5775200;
165     table_4102[0] = v4804_4103;
166     table_4102[1] = v4805_4104;
167     table_4102[2] = v4806_4105;
168     table_4102[3] = v4807_4106;
169     table_4102[4] = v4808_4107;
170     table_4102[5] = v4809_4108;
171     table_4102[6] = v4810_4109;
172     table_4102[7] = v4811_4110;
173     table_4102[8] = v4812_4111;
174     table_4102[9] = v4813_4112;
175     table_4102[10] = v4814_4113;
176     table_4102[11] = v4815_4114;
177     table_4102[12] = v4816_4115;
178     table_4102[13] = v4817_4116;
179     table_4102[14] = v4818_4117;
180     table_4102[15] = v4819_4118;
181     table_4102[16] = v4820_4119;
182     table_4102[17] = v4821_4120;
183     table_4102[18] = v4822_4121;
184     table_4102[19] = v4823_4122;
185     table_4102[20] = v4824_4123;
186     table_4102[21] = v4825_4124;
187     table_4102[22] = v4826_4125;
188     table_4102[23] = v4827_4126;
189     table_4102[24] = v4828_4127;
190     table_4102[25] = v4829_4128;
191     table_4102[26] = v4830_4129;
192     table_4102[27] = v4831_4130;
193     table_4102[28] = v4832_4131;
194     table_4102[29] = v4833_4132;
195     table_4102[30] = v4834_4133;
196     table_4102[31] = v4835_4134;
197     table_4102[32] = v4836_4135;
198     table_4102[33] = v4837_4136;
199     table_4102[34] = v4838_4137;
200     table_4102[35] = v4839_4138;
201     table_4102[36] = v4840_4139;
202     table_4102[37] = v4841_4140;
203     table_4102[38] = v4842_4141;
204     table_4102[39] = v4843_4142;
205     table_4102[40] = v4844_4143;
206     table_4102[41] = v4845_4144;
207     table_4102[42] = v4846_4145;
208     table_4102[43] = v4847_4146;
209     table_4102[44] = v4848_4147;
210     table_4102[45] = v4849_4148;
211     table_4102[46] = v4850_4149;
212     table_4102[47] = v4851_4150;
213     table_4102[48] = v4852_4151;
214     table_4102[49] = v4853_4152;
215     table_4102[50] = v4854_4153;
216     table_4102[51] = v4855_4154;
217     ifv_4156 = table_4102[ifv_4099];
218 }
219 else
220 {
221     ifv_4156 = (w32) 5775200;
222 }
223 app_4160 = p4763 - ifv_4156;
224 return_4097 = app_4160;
225 return return_4097;
226 }

```

Listing F.31: C implementation of actuation\_unit\_impl.

```

1 #include "common.h"
2 #include "actuation_logic.h"
3 #include "../generated/C/actuation_unit_impl.c"

```

Listing F.32: C implementation of actuator\_generated\_C.

```

1 #define ActuateActuator ActuateActuator_generated_C
2 #define actuate_devices actuate_devices_generated_C
3 #include "../components/actuator.c"
4 #include "../generated/C/actuator_impl.c"

```

Listing F.33: C implementation of saturation\_generated\_C.

```

1 #include "common.h"
2 #include "../generated/C/saturation_impl.c"

```

Listing F.34: C implementation of actuation\_unit\_generated\_SystemVerilog.

```

1 #ifdef PLATFORM_HOST
2 #include "../generated/SystemVerilog/verilator/actuate_d0/VActuate_D0.h"
3 #include "../generated/SystemVerilog/verilator/actuate_d1/VActuate_D1.h"
4 #include <stdio.h>
5 #else
6 #include "printf.h"
7 #endif
8
9 #define Actuate_D0 Actuate_D0_generated_SystemVerilog
10 #define Actuate_D1 Actuate_D1_generated_SystemVerilog
11 #define actuation_unit_step actuation_unit_step_generated_SystemVerilog
12 #include "../components/actuation_unit.c"
13
14 #ifdef PLATFORM_HOST
15 static VActuate_D0 actuate_d0;
16 static VActuate_D1 actuate_d1;
17 uint8_t Actuate_D0(uint8_t* trips[3][4], uint8_t old) {
18     actuate_d0.old = old;
19     for(int b = 0; b < 12; ++b) {
20         memcpy((uint8_t*)actuate_d0.trips + b, (uint8_t*)trips + (11 - b), 1);
21     }
22     actuate_d0.eval();
23     DEBUG_PRINTF("<actuation_unit_generated_SystemVerilog.c> actuate_base: device=0x0, old=%
24             x%X, out=0x%X, trips=[",
25             old, actuate_d0.out));
26     for (int i = 0; i < 3; ++i) {
27         DEBUG_PRINTF("[");
28         for (int div = 0; div < 4; ++div) {
29             DEBUG_PRINTF("%u,", trips[i][div]));
30         }
31         DEBUG_PRINTF("],"));
32     }
33     DEBUG_PRINTF("]\n");
34     return actuate_d0.out;
35 }
36 uint8_t Actuate_D1(uint8_t* trips[3][4], uint8_t old) {
37     actuate_d1.old = old;
38     for(int b = 0; b < 12; ++b) {
39         memcpy((uint8_t*)actuate_d1.trips + b, (uint8_t*)trips + (11 - b), 1);
40     }
41     actuate_d1.eval();
42     DEBUG_PRINTF("<actuation_unit_generated_SystemVerilog.c> actuate_base: device=0x1, old=%
43             x%X, out=0x%X, trips=[",
44             old, actuate_d1.out));

```

```

44     for (int i = 0; i < 3; ++i) {
45         DEBUG_PRINTF("[");
46         for (int div = 0; div < 4; ++div) {
47             DEBUG_PRINTF("%u,", trips[i][div]));
48         }
49         DEBUG_PRINTF("],"));
50     }
51     DEBUG_PRINTF("]\n");
52     return actuate_d1.out;
53 }
54 #else
55 #include "bsp.h"
56 #include "platform.h"
57
58 uint8_t actuate_base(uint8_t trips[3][4], uint8_t old, uint8_t id);
59
60 uint8_t actuate_base(uint8_t trips[3][4], uint8_t old, uint8_t id)
61 {
62     // NOTE: reverse ordering: 2->1->0 goes to 0->1->2
63     // Set value for trip value 0
64     size_t idx = 0;
65     write_reg(ACTUATION_REG_GENERATED_TRIP_2, (uint32_t) (trips[idx][3] << 24| trips[idx][2]
66     // → << 16 | trips[idx][1] << 8 | trips[idx][0]));
67     idx++;
68     write_reg(ACTUATION_REG_GENERATED_TRIP_1, (uint32_t) (trips[idx][3] << 24| trips[idx][2]
69     // → << 16 | trips[idx][1] << 8 | trips[idx][0]));
70     idx++;
71     write_reg(ACTUATION_REG_GENERATED_TRIP_0,(uint32_t) (trips[idx][3] << 24| trips[idx][2]
72     // → << 16 | trips[idx][1] << 8 | trips[idx][0]));
73
74     // trigger the actuation
75     // wdata[0] - value of 'old' argument
76     // wdata[1] - which actuator to actuate
77     write_reg(ACTUATION_REG_GENERATED_BASE, (uint32_t)( id << 1 | old));
78
79     // Get actuation results (only the last bit is pertinent for True/false)
80     uint8_t res = (uint8_t) (read_reg(ACTUATION_REG_GENERATED_RESULT) & 0x1);
81
82     DEBUG_PRINTF("<actuation_unit_generated_SystemVerilog.c> actuate_base: device=0x%X, old
83     // → =0x%X, out=0x%X, trips=[", id, old, res));
84     for (int i = 0; i < 3; ++i) {
85         DEBUG_PRINTF("[");
86         for (int div = 0; div < 4; ++div) {
87             DEBUG_PRINTF("%u,", trips[i][div]));
88         }
89         DEBUG_PRINTF("],"));
90     }
91     DEBUG_PRINTF("]\n");
92     return res;
93 }
94
95 uint8_t Actuate_D0(uint8_t trips[3][4], uint8_t old)
96 {
97     return actuate_base(trips, old, 0);
98 }
99
100 #endif

```