



---

# VVML: Specifying Workflows for V&V Methods

## – *Formalisation* –

---

VALU3S Summer School 2023, Genoa, Italy

---

José Proença (ISEP)

19 July 2023



This project has received funding from the ECSEL Joint Undertaking (JU) under grant agreement No 876852. The JU receives support from the European Union's Horizon 2020 research and innovation programme and Austria, Czech Republic, Germany, Ireland, Italy, Portugal, Spain, Sweden, Turkey. Disclaimer: The ECSEL JU and the European Commission are not responsible for the content on this presentation or any use that may be made of the information it contains.

Photo (of the Iberian Ibex) by Arturo de Frías. This work is financed by National Funds through FCT - Fundação para a Ciência e a Tecnologia, I.P. (Portuguese Foundation for Science and Technology) within the project IBEX, with reference PTDC/CCI-COM/4280/2021.

# Who am I

- José Proença
- Polytechnic of Porto, Portugal
  - CISTER – Real-Time & embedded computing systems
- Ph.D. since 2011 from Leiden University, the Netherlands
- Research Interests
  - Formal methods/verification
  - Distributed and concurrent systems
  - Programming languages



<https://jose.proenca.org>



Ibex

|             | Tuesday - 18th                                | Wednesday - 19th                                       | Thursday - 20th                                            |
|-------------|-----------------------------------------------|--------------------------------------------------------|------------------------------------------------------------|
| 9h00-10h30  | Introduction to V&V of dependable CPS         | VVML: Specifying Workflows for V&V Methods             | Symbolic Model Checking of Hybrid Systems                  |
| 10h30-11h00 | Break                                         | Break                                                  | Break                                                      |
| 11h00-12h30 | An overview to testing of safety-critical CPS | Formal requirements engineering                        | Deductive Verification in a Nutshell                       |
| 12h30-14h00 | Lunch & Poster Presentation                   | Lunch & Poster Presentation                            | Lunch & Poster Presentation                                |
| 14h00-15h30 | Software-implemented fault injection          | Introduction to Model Checking                         | An overview of relevant safety and cybersecurity standards |
| 15h30-16h00 | Break                                         | Break                                                  | Break                                                      |
| 16h00-17h30 | Simulation-based fault injection              | A V&V framework for storing elements of V&V activities | An overview of relevant safety and cybersecurity standards |



Ibex

# VVML's goal

Users +  
Development  
team



Verification  
team



Ibex

# (Informal) Guidelines for correct workflows

## Structure



- Exactly 1 **start** & 1 **stop**
- Mandatory: input/output sequence flow
- Mandatory: >1 output artifact
- ...

## Behaviour

- **Act** is executed when any previous **Act'** is finished
- Nested calls are **atomic**
- ...



Ibex

# (Informal) Guidelines for correct workflows



VALU3S

Ibex

# More behavioural guidelines



- Fork to start parallel
- Join to merge parallel



- Copy artefacts
- Do NOT join artefacts



# More behavioural guidelines



- Start alternative flows
- Join alternative flows



Ibex

# Is it correct? 1/10



Ibex

# Is it correct? 1/10



Ibex

Is it correct? 2/10



Ibex

# Is it correct? 2/10



Ibex

Is it correct? 3/10



Ibex

Is it correct? 4/10



Ibex

Is it correct? 5/10



Ibex

Is it correct? 6/10



Ibex

# Continue online...

[https://  
cister-labs.github.io/  
coreVVML/  
?#6](https://cister-labs.github.io/coreVVML/?#6)



# Correct VVML workflow?

- **(good structure)**
- **never blocks** before reaching the stopping node
- never reaches the **stopping** node while some activity **is still running**
- can **always** reach the **stopping** node
- never **re-enters** a **running** activity
- is able to **start all** of its activities



Ibex

# Correct VVML workflow?

- (good structure)
  - never blocks
  - never reaches some activity while another is still running
  - can always reach the stopping node
  - never re-enters a running activity
  - is able to start all of its activities
- What does it mean  
PRECISELY  
to RUN?



Ibex

# Core VVML – Syntax



Ibex

# Core VVML – Syntax

$$\langle A, I, \downarrow, F, Sr, Sk, \rightarrow, \dashrightarrow, \alpha, \gamma \rangle$$


$$A = \{a_3, a_4\}$$

$$F = \{f_1, f_2\}$$

$$\rightarrow = \{\langle f_1, a_3 \rangle, \langle f_1, a_4 \rangle,$$

$$I = \{f_1\}$$

$$Sr = \{mi_2, ao_3\}$$

$$\langle a_3, f_2 \rangle, \langle a_4, f_2 \rangle\}$$

$$\downarrow = \{f_2\}$$

$$Sk = \{ai_3, mo_2\}$$

$$\dashrightarrow = \{\langle mi_2, ai_3 \rangle, \langle ao_3, mo_2 \rangle\}$$

$$\alpha = \{ai_3 \mapsto a_3, ao_3 \mapsto a_3\}$$

$$\gamma = \{\}$$



Ibex

# Core VVML – Semantics (without artefacts)

## Method State

$\langle AS, FS \rangle$

$a_3 \mapsto \text{Idle}$      $f_1 \mapsto 1$

$a_4 \mapsto \text{Idle}$      $f_2 \mapsto 0$



Idle

Activity  
State

Ready  
Run  
Done



Ibex

# Core VVML – Semantics (without artefacts)

$$\frac{}{\langle AS[a \mapsto \text{Ready}], FS \rangle \longrightarrow \langle AS[a \mapsto \text{Run}], FS \rangle} \quad (\text{start})$$

$$\frac{\gamma(a) = \perp}{\langle AS[a \mapsto \text{Run}], FS \rangle \longrightarrow \langle AS[a \mapsto \text{Done}], FS \rangle} \quad (\text{end})$$

$$\frac{\gamma(a) = m_2 \quad m_2 \text{ executes}}{\langle AS[a \mapsto \text{Run}], FS \rangle \longrightarrow \langle AS[a \mapsto \text{Done}], FS \rangle} \quad (\text{call})$$

$$AS = \{a \mapsto \text{Ready} \mid a \in m.I \cap m.A\}$$

$$FS = \{f \mapsto 1 \mid f \in m.I \cap m.F\}$$

$$\langle AS, FS \rangle \implies \langle \_, \_ \rangle$$

$m$  executes

(init)



Ibex

# Core VVML – Semantics (WITH artefacts)

## Method State

$\langle AS, FS, PT \rangle$

$a_3 \mapsto \text{Idle}$      $f_1 \mapsto 1$

$a_4 \mapsto \text{Idle}$      $f_2 \mapsto 0$

$ai_3 \mapsto t_{\perp}$   
 $ao_3 \mapsto t_{a_3}$



## Activity State

Idle

Ready

Run( $PT$ )

Done



Ibex

# Core VVML – Semantics (WITH artefacts)

$$\frac{\overline{\langle AS[a \mapsto \text{Ready}], FS, PT \rangle} \rightarrow \langle AS[a \mapsto \text{Run}(PT(\text{inputs}(a)))], FS, PT \rangle}{\gamma(a) = \perp \quad PT_a \subseteq \{p \mapsto t_a \mid p \in \text{output}(a)\}} \quad (\text{start})$$
$$\frac{\langle AS[a \mapsto \text{Run}(\_)], FS, PT \rangle \rightarrow \langle AS[a \mapsto \text{Done}], FS, PT[PT_a] \rangle}{\gamma(a) = m_2 \quad \langle m_2, PT \rangle \rightsquigarrow PT_2 \quad PT_a = \{p \mapsto t \mid (p \mapsto t) \in PT_2, p \in \text{outputs}(a)\}} \quad (\text{end})$$
$$\frac{\langle AS[a \mapsto \text{Run}(\_)], FS, PT \rangle \rightarrow \langle AS[a \mapsto \text{Done}], FS, PT[PT_a] \rangle}{PT_a = \{p \mapsto t \mid (p \mapsto t) \in PT_2, p \in \text{outputs}(a)\}} \quad (\text{call})$$



Ibex

# Core VVML Tools

<https://cister-labs.github.io/coreVVML/>

Simulate &  
Automatically check:

- **Structure**  
(well-formed)
- **Behaviour**  
(well-behaved)

No artefacts yet:

- Not useful yet
- Need contracts

Core VVML analyser

Core VVML

```
1 method "M1" {
2   start act a1
3   stop act more = "more?": no
4   stop act a2 = call M2
5   a1 -> more
6   more -> a2:yes
7   mi1=>a1.ai1  a1.ao1 => mo1
8   mi1=>a2.mi2  a2.mo2 => mo1
9 }
10 method "M2" {
11   start fork f1
12   stop fork f2
13   f1->a3  a3->f2
14   f1->a4  a4->f2 a3->a4
15   mi2=>a3.ai3  a3.ao3=>mo2
16 }
```

Diagram

Diagram (just data)

Run (no data)

Trace: start-M1/a1, run-M1/a1, end-M1/a1→more, run-M1/more

undo

Enabled transitions:

- end-M1/more→a2
- stop-M1/more

Examples

Well-formed

Activity `a4` has no output pins [@ M2].

Well-behaved (no data)

Trying to enter "M2/a4" but state was not idle



# VALU3S

*Verification and Validation of Automated  
Systems' Safety and Security*

[www.valu3s.eu](http://www.valu3s.eu)



This project has received funding from the ECSEL Joint Undertaking (JU) under grant agreement No 876852. The JU receives support from the European Union's Horizon 2020 research and innovation programme and Austria, Czech Republic, Germany, Ireland, Italy, Portugal, Spain, Sweden, Turkey. Disclaimer: The ECSEL JU and the European Commission are not responsible for the content on this presentation or any use that may be made of the information it contains.



# Ibex

*Quantitative methods for  
cyber-physical programming*

[lmf.di.uminho.pt/Ibex](http://lmf.di.uminho.pt/Ibex)



Fundação  
para a Ciência  
e a Tecnologia



Photo (of the Iberian Ibex) by Arturo de Frías. This work is financed by National Funds through FCT - Fundação para a Ciência e a Tecnologia, I.P. (Portuguese Foundation for Science and Technology) within the project IBEX, with reference PTDC/CCI-COM/4280/2021.