Verified simulation for robotics

Abstract: Simulation is a favoured technique for analysis of robotic systems. Currently, however, simulations are programmed in an ad hoc way, for specific simulators, using either proprietary languages or general languages like C or C++. Even when a higher-level language is used, no clear relation between the simulation and a design model is established. We describe a tool-independent notation called RoboSim, designed specifically for modelling of (verified) simulations. We describe the syntax, well-formedness conditio… Show more

“…Refusals are not included at the end of these traces, but set (5) does include corresponding traces with refusals that are subsets of Σ for any traces with strictly fewer than two tock events. Set ( 5) thus contributes the trace on line (9), which corresponds to the trace on line (7). There is no trace in set ( 5) corresponding to the trace on line (8), since it contains exactly two tock events.…”

“…In addition, using tock-CSP, deadlines can be specified via timestops, that is, by refusing tock, and models can be decomposed into timed and untimed processes, facilitating abstraction and modularity. Extensive use of tock-CSP has been reported, including, for example, in the verification of security properties [11], the design of general-purpose I/O controllers [19], the study of railways [17], the verification of distributed adaptive systems [14], and more recently, in the verification of simulations for robotics [7].…”

“…Most case studies in the literature using tock-CSP focus on safety [11,14,19], rather than liveness [7,17]. Although useful, safety only is a weak notion of conformance.…”

Sound reasoning in tock-CSP

“…Refusals are not included at the end of these traces, but set (5) does include corresponding traces with refusals that are subsets of Σ for any traces with strictly fewer than two tock events. Set ( 5) thus contributes the trace on line (9), which corresponds to the trace on line (7). There is no trace in set ( 5) corresponding to the trace on line (8), since it contains exactly two tock events.…”

“…In addition, using tock-CSP, deadlines can be specified via timestops, that is, by refusing tock, and models can be decomposed into timed and untimed processes, facilitating abstraction and modularity. Extensive use of tock-CSP has been reported, including, for example, in the verification of security properties [11], the design of general-purpose I/O controllers [19], the study of railways [17], the verification of distributed adaptive systems [14], and more recently, in the verification of simulations for robotics [7].…”

“…Most case studies in the literature using tock-CSP focus on safety [11,14,19], rather than liveness [7,17]. Although useful, safety only is a weak notion of conformance.…”

Sound reasoning in tock-CSP

“…The simulation models are also given a formal semantics, making it possible to automatically analyse or reason about them. A formal semantics for RoboSim [5] is given by mapping a RoboSim model to a variant of CSP, called tock-CSP [20,Chapter 14]. One of the benefits of this approach is that we can analyse the semantics of a RoboSim model using formal tools and methodologies available for CSP.…”

“…In this paper we present an implementation relation for timed systems where time is discrete, we are interested in using refusals while testing and do not assume that SUTs are input-enabled. Essentially, this is the framework underlying the LTSs generated by the operational semantics of tock-CSP [20] which, in turn, is the formal language to which RoboSim descriptions are translated [5]. We consider an LTS corresponding to tock-CSP rather than just RoboSim in order to aid generality.…”

An Implementation Relation for Cyclic Systems with Refusals and Discrete Time

Testing Robots Using CSP