In industrial-sized cyber-physical systems, ensuring fulfillment of requirements gets increasingly more costly as the number of components increases. To make the task feasible, compositional verification has been suggested as a scalable solution. Such techniques allow verification by divide-and-conquer, often using assume-guarantee contracts. Although previous research has focused mostly on the non-probabilistic setting, in the real world, probabilities often arise due to random hardware failures, stochastic communication delays, sensor ghost objects, machine learning components, rounding errors caused by finite-precision arithmetic, human behavior, and probabilistic algorithms. Therefore, for contract theories to be practically relevant to cyber-physical systems, there is a need to support probabilistic reasoning, for instance regarding safety and reliability. To this end, we propose a completely trace-based probabilistic contract theory, supporting general probability measures, continuous time, and continuous state spaces. To verify decompositions of such contracts, we also present a deductive system, which is illustrated on an industrially inspired automatic emergency braking example.

We evaluate the feasibility of generating formally verified C code that adheres to both functional and non-functional requirements using Large Language Models (LLMs) for three real industrial, automotive safety-critical software modules. We explore the capabilities of ten LLMs and four prompting techniques — Zero-Shot, Zero-Shot Chain-of-Thought, One-Shot, and One-Shot Chainof-Thought — to generate C programs for the three modules. Functional correctness of generated programs is assessed through functional verification, and adherence to non-functional requirements is evaluated using an industrial static analyzer, along with human evaluation. The results demonstrate that it is feasible for LLMs to generate functionally correct code, with success rates of 540/800, 59/800, and 46/800 for the three modules. Additionally, the generated programs frequently adhere to the defined non-functional requirements. In the cases where the LLM-generated programs did not adhere to the non-functional requirements, deviations typically involve violations of single-read and single-write access patterns or minimal variable scope constraints. These findings highlight the promise and limitations of using LLMs to generate industrial safety-critical C programs, providing insight into improving automated LLM-based program generation in the automotive safety-critical domain.

We evaluate the feasibility of generating formally verified C code that adheres to both functional and non-functional requirements using Large Language Models (LLMs) for three real industrial, automotive safety-critical software modules. We explore the capabilities of ten LLMs and four prompting techniques - Zero-Shot, Zero-Shot Chain-of-Thought, One-Shot, and One-Shot Chain-of-Thought - to generate C programs for the three modules. Functional correctness of generated programs is assessed through functional verification, and adherence to non-functional requirements is evaluated using an industrial static analyzer, along with human evaluation. The results demonstrate that it is feasible for LLMs to generate functionally correct code, with success rates of 540/800, 59/800, and 46/800 for the three modules. Additionally, the generated programs frequently adhere to the defined non-functional requirements. In the cases where the LLM-generated programs did not adhere to the non-functional requirements, deviations typically involve violations of single-read and single-write access patterns or minimal variable scope constraints. These findings highlight the promise and limitations of using LLMs to generate industrial safety-critical C programs, providing insight into improving automated LLM-based program generation in the automotive safety-critical domain.

Large language models have demonstrated impressive capabilities in generating code, yet they often produce programs with flaws or deviations from intended behavior, limiting their suitability for safety-critical applications. To address this limitation, this paper introduces VeCoGen, a novel tool that combines large language models with formal verification to automate the generation of formally verified C programs. VeCoGen takes a formal specification in ANSI/ISO C Specification Language, a natural language specification, and a set of test cases to attempt to generate a verified program. This program-generation process consists of two steps. First, VeCoGen generates an initial set of candidate programs. Secondly, the tool iteratively improves on previously generated candidates. If a candidate program meets the formal specification, then we are sure the program is correct. We evaluate VeCoGen on 15 problems presented in Codeforces competitions. On these problems, VeCoGen solves 13 problems. This work shows the potential of combining large language models with formal verification to automate program generation.

According to the principles of compositional verification, verifying that lower-level components satisfy their specification ensures that the whole system satisfies its top-level specification. The key step is to ensure that the lower-level specifications constitute a correct decomposition of the top-level specification. In a non-stochastic context, such decomposition can be analyzed using techniques of theorem proving. In industrial applications, especially in safety-critical systems, specifications are often of stochastic nature, for example, giving a bound on the probability that a system failure will occur before a given time. A decomposition of such a specification requires techniques beyond traditional theorem proving. The first contribution of the paper is a theoretical framework that allows the representation of, and reasoning about, stochastic and timed behavior of systems as well as specifications for such behavior. The framework is based on traces that describe the continuous-time evolution of a system, and specifications are formulated using timed automata combined with probabilistic acceptance conditions. The second contribution is a novel approach to verifying decompositions of such specifications by reducing the problem to checking emptiness of the solution space for a system of linear inequalities.

Safety analysis on the level of a complete road vehicle can be an intricate task. Several methods and tools for safety analysis have been developed by the research community. One such tool developed to bridge the gap between research and industry is Semi-Markov Process (SMP) Tool. In this paper, two approaches for safety analysis utilizing SMP Tool are presented. The holistic approach starts out with a quantitative safety target on a vehicle level to then finally argue whether a proposed system design is safe enough. In the segmented approach, the idea is to follow the development steps of industrial standards, while utilizing SMP Tool for specific tasks within the standard. Specifically the standard ISO 26262 will be under most consideration. Both approaches are applied to a case study of a battery management system for an electrified truck. The segmented approach can avoid some difficulties arising when following ISO 26262 conventionally while keeping the advantage that the standard is utilized to find what qualitative tasks should be performed. The holistic approach has an advantage in that it considers the safety from a vehicle perspective. Moreover, all ambiguity issues in ISO 26262 are avoided.

Compositional verification allows a system to be verified indirectly by verifying the individual components of the system. The keystep is to ensure that the decomposition of the system specification intocomponent specifications is correct. That is, it needs to be verified thatthe composition of the component specifications refines the system specification. In many cyber-physical systems, specifications are probabilisticin nature. For instance, a specification might state that the probabilityof reaching an unsafe state within 10.000 hours shall be less than 0.05.Verifying refinement under such assumptions requires techniques beyondtraditional theorem proving. This paper presents a solution where specifications are built up by probabilistic contracts based upon timed automata. In particular, the main contribution is an algorithm for verifyingrefinement between such specifications. The algorithm utilizes a reduction to the language emptiness problem, making the algorithm terminateafter a finite number of computations

Compositional verification allows a system to be verified indirectly by verifying the individual components of the system. The key step is to ensure that the decomposition of the system specification into component specifications is correct. That is, it needs to be verified that the composition of the component specifications refines the system specification. In many cyber-physical systems, specifications are probabilistic in nature. For instance, a specification might state that the probability of reaching an unsafe state within 10.000 h shall be less than 0.05. Verifying refinement under such assumptions requires techniques beyond traditional theorem proving. This paper presents a solution where specifications are built up by probabilistic contracts based upon timed automata. In particular, the main contribution is an algorithm for verifying refinement between such specifications. The algorithm utilizes a reduction to the language emptiness problem, making the algorithm terminate after a finite number of computations.

Although commonly used in industry, a major drawback of Stateflow is that it lacks support for stochastic properties; properties that are often needed to build accurate models of real-world systems. In order to solve this problem, as the first contribution, Stochastic Stateflow (SSF) is presented as a stochastic extension of a subset of Stateflow models. As the second contribution, the tool SMP-tool is updated with support for SSF models specified in Stateflow. Finally, as the third contribution, an industrial case study is presented.