Formalizing and Operationalizing Industrial Standards
Dominik Dietrich, Lutz Schröder, Ewaryst Schulz
DFKI Bremen, [email protected]
International Conference on Fundamental Approaches to Software Engineering
Saarbrücken, Germany, March 30, 2011
Formalizing Industrial Standards, D. Dietrich, L. Schröder, E. Schulz
German Research Center for Artificial Intelligence
Overview
The problem
- Assure proper functioning of safety-critical systems
- Required functional properties of mechanical sub-components must be satisfied
Our solution
- Use engineering calculation methods
- Formal language for engineering calculations
- Architecture allowing efficient execution and formal verification
Outline
1 Motivation
2 The Industrial Standard EN 1591
3 The engineering calculation language EnCL
4 Formal verification of calculations
5 Integration into the Hets framework
6 Conclusion
Reliable Mechanical Engineering
Principal motivation
- Assure proper functioning of a system, e.g., the pipeline of a chemical plant
- Verification of functional properties of sub-components, e.g., a flange connection withstands some given pressure
Some possible approaches
- Formulating properties from first principles (mechanics, geometry) → level of abstraction not adequate
- Instead: relying on established practice in engineering → industrial standards, engineering calculations, e.g., the standard for flange connections EN 1591
The Industrial Standard EN 1591
- A standard for gasketed circular flange connections
- Consists of applicability, nomenclature and calculation method
- Assures impermeability and mechanical strength of the system
Calculation Method Parameters
The input parameters to the calculation method
- Flange data, e.g., dimensions and material constants
- Data for operating states such as pressure and temperature
Calculation Method Control Flow
- Explicit back-jumps require conditional loops
- Evaluation order determined by dependencies in definitions
- Piecewise function definitions require conditionals
Calculation Method Analyzed
The standard involves calculations using
- Real arithmetic with real functions, e.g., cos, ⁿ√ (n-th root)
- Special functions such as maximization
Requirements for formalizing the calculation method
- Specify dependencies in arbitrary order (subject to well-formedness requirements)
- Imperative control flow
- Schematic expressions
Observation: little control flow but a lot of dependencies → division into a program part and a dependency store
The Engineering Calculation Language EnCL
The main building blocks
- Terms over a {bool, real}-sorted signature Σ with predefined part Σpre = {π, cos, ...} and user-defined part Σuser = {c1, c2, ...}
- Special term constructions
  - Predefined binders, e.g., solve(t = s, x)
  - Convergence predicate in loop conditions: convergence(0.001, c)
- Dependency stores are sets of dependencies c(x1, ..., xn) = t
- Program constructs
  - Assignment: c(x1, ..., xn) := t
  - Sequence: p1; ...; pn
  - Loop: repeat p until b
  - Conditional: case b : p
EnCL and Computer Algebra Systems
Running EnCL program p with dependency store 𝒟𝒮
- CAS provides many predefined functions
- CAS supports dependency stores
- CAS interface
  - evaluate terms
  - assign terms to constants
- Send dependencies to the CAS
- Run program p
- The interpreter maintains the dependency store (in parallel to the CAS)
Interaction between interpreter and CAS (sequence diagram, rendered as text):
Interpreter → CAS: start session
Interpreter → CAS: send(𝒟𝒮)
Run program:
  Interpreter → CAS: assign(c, t); CAS → Interpreter: t′
  Interpreter → CAS: eval(u); CAS → Interpreter: u′
  ...
A Small Example
Calculating a root of cos in EnCL using Newton's method
The EnCL specification
x = 10 %(A)%
y = cos(x) %(B)%
z = sin(x) %(C)%
------------------------
repeat
x := x + y/z %(D)%
until convergence(0.001, x)
Dependency graph (figure): nodes x, y, z with definitions A (x), B (y, uses x), C (z, uses x) and the assignment D (uses x, y, z)
Behaves like
A; B; C; repeat x′ := x; D; B; C until reldistLe(x, x′, 0.001)
EnCL Semantics
- Σ-algebras with standard interpretation for the predefined part Σpre
- [[t]]σ ∈ ℝ is the interpretation of t in the Σ-algebra σ
- [[t]]𝒟𝒮 is the term t′ after full substitution of t w.r.t. 𝒟𝒮
- If σ is a model of 𝒟𝒮 then [[[[t]]𝒟𝒮]]σ = [[t]]σ
- [[c(x1, ..., xn) := t]]𝒟𝒮 = 𝒟𝒮[c(x1, ..., xn) = [[t]]𝒟𝒮]
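The small Newton example and the semantics just stated, run by an added Python interpreter that is not the authors' Hets implementation: Python's math library stands in for the CAS, terms are Python callables, and reldistLe is assumed to mean |x − x′| ≤ 0.001·|x′|.

```python
import math

def evaluate(term, ds):
    """[[t]]_DS: full substitution of t w.r.t. the dependency store DS.
    A term is a callable taking a lookup; a constant is resolved by evaluating
    its current definition every time, so y = cos(x) follows changes of x."""
    return term(lambda c: evaluate(ds[c], ds))

def assign(ds, c, term):
    """[[c := t]]_DS = DS[c = [[t]]_DS]: the fully evaluated term is stored."""
    value = evaluate(term, ds)
    ds[c] = lambda _lookup: value

def run_repeat(ds, body, eps, c, max_iter=100):
    """repeat body until convergence(eps, c); as the slide notes, this behaves
    like  repeat c' := c; body until reldistLe(c, c', eps).
    reldistLe is assumed here to mean |c - c'| <= eps * |c'|."""
    for _ in range(max_iter):
        before = evaluate(ds[c], ds)            # c' := c
        for (name, term) in body:               # D (re-reads B and C)
            assign(ds, name, term)
        after = evaluate(ds[c], ds)
        if abs(after - before) <= eps * abs(before):
            return after
    # A calculation that never converges must not hang the session.
    raise RuntimeError("loop did not converge within %d iterations" % max_iter)

def newton_cos_root(x0=10.0, eps=0.001):
    """The slide's specification: x = x0 (A), y = cos(x) (B), z = sin(x) (C);
    repeat x := x + y/z (D) until convergence(eps, x)."""
    ds = {
        "x": lambda _lk: x0,                     # (A)
        "y": lambda lk: math.cos(lk("x")),       # (B)
        "z": lambda lk: math.sin(lk("x")),       # (C)
    }
    body = [("x", lambda lk: lk("x") + lk("y") / lk("z"))]  # (D)
    return run_repeat(ds, body, eps, "x")

if __name__ == "__main__":
    print(newton_cos_root())   # root of cos near 10: 7*pi/2, about 10.9956
```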
Formal Verification
Correctness of calculations is crucial for safety-critical applications
- The CAS cannot be fully trusted
- However, results of the CAS can be formally verified
  - Mark selected subterms as verification points
  - Produce verification conditions
  - Use Hets to prove verification conditions
- EnCL term semantics defined in HO-CASL, i.e., axiomatization of Σpre
- Checking solutions is easier than finding them
Verification Conditions: Example
EnCL program (with dependency store 𝒟𝒮)
...
y := solve(t = s, x)
...
- Insert a verification point at solve
- CAS computes solve(t = s, x) in context 𝒟𝒮 and returns r
- Verification condition: ⋀𝒟𝒮 ⇒ solve(t = s, x) = r
- Semantics of solve in HO-CASL
- Translate to HO-CASL for proving
Integration of EnCL into Hets
Architecture (figure): the EnCL specification language, the interpreter and the CAS interface, together with HO-CASL (higher-order logic), inside the Hets framework
Conclusion
- Formal verification of functional properties of mechanical systems
- Formal executable language for engineering calculations: EnCL
- Integration into the institution framework
- Implementation based on the Hets framework
- Generic CAS interface in Hets instantiated for Mathematica, Maple and Reduce
- Support for uncertain numerical values
- EnCL formalization of the calculation method from EN 1591
- Future work
  - Statement and proof of properties of the calculation method
  - Partial instantiations of the standard and the ensuing simplification
  - Structuring of multiple calculation methods
Thank you for your attention.
Uncertainty
Some situations require dealing with uncertain numeric values
- Input parameters are known only up to an error value, e.g., 1.53 ± 0.01
- The CAS returns only an approximation
- Requires tracking of uncertainty throughout the CAS session → Mathematica's numerical-precision tracking (NPT)
- Adapt verification condition generation → replace numbers by intervals
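An added Python checker, serving both the verification-condition example for solve and this slide's interval idea; it is not the paper's HO-CASL/Hets machinery. The bisection "CAS", the equation x·x + b = a and the values a = 3 ± 0.01, b = 1 are constructed stand-ins, and the check is the interval residual test, not a proof.

```python
class Interval:
    """Closed interval [lo, hi]; a plain number v is [v, v]."""
    def __init__(self, lo, hi=None):
        self.lo, self.hi = lo, (lo if hi is None else hi)
    @staticmethod
    def pm(centre, err):                   # 1.53 ± 0.01 -> [1.52, 1.54]
        return Interval(centre - err, centre + err)
    @staticmethod
    def of(v):
        return v if isinstance(v, Interval) else Interval(v)
    def __add__(self, o):
        o = Interval.of(o)
        return Interval(self.lo + o.lo, self.hi + o.hi)
    def __sub__(self, o):
        o = Interval.of(o)
        return Interval(self.lo - o.hi, self.hi - o.lo)
    def __mul__(self, o):
        o = Interval.of(o)
        ps = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(ps), max(ps))
    __radd__, __rmul__ = __add__, __mul__
    def contains_zero(self):
        return self.lo <= 0 <= self.hi

def untrusted_cas_solve(t, s, ds, lo, hi, steps=60):
    """Plays the CAS: bisection on the midpoints of DS finds x in [lo, hi]
    with t(x) = s(x); its answer r is the value that must be verified."""
    mid = {c: (v.lo + v.hi) / 2 for c, v in ds.items()}
    f = lambda x: t(x, mid) - s(x, mid)
    for _ in range(steps):
        m = (lo + hi) / 2
        if (f(lo) <= 0) == (f(m) <= 0):
            lo = m
        else:
            hi = m
    return (lo + hi) / 2

def check_vc(t, s, r, ds, r_err=0.0):
    """Verification point at solve(t = s, x): the condition  DS => t(r) = s(r)
    is checked with numbers replaced by intervals. It is refuted when the
    residual t(r) - s(r), with r ± r_err, cannot contain 0."""
    x = Interval.pm(r, r_err)
    return (t(x, ds) - s(x, ds)).contains_zero()

# Constructed instance: solve(x*x + b = a, x) with a = 3 ± 0.01 and b = 1 exact.
DS = {"a": Interval.pm(3.0, 0.01), "b": Interval(1.0)}
t = lambda x, env: x * x + env["b"]
s = lambda x, env: env["a"]
```

A result that the CAS got wrong (say r = 1.5) fails check_vc, while the bisection result passes because its residual lies inside the ±0.01 band of a.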