Closed-loop verification of a compensating group drive model using synthesized formal plant model

Polina Ovsiannikova, Daniil Chivilikhin, Vladimir Ulyantsev, Anatoly Shalyto
Computer Technologies Laboratory, ITMO University, Saint Petersburg, Russia
Email: polina.ovsyannikova@corp.ifmo.ru, chivdan@rain.ifmo.ru, ulyantsev@rain.ifmo.ru, shalyto@mail.ifmo.ru

Abstract

Cyber-physical systems are spread among multiple domains of human activity. Their behavior should be strictly validated, as most of them are critical. One promising direction for ensuring system correctness is verification using model checking. A new method for closed-loop model checking of cyber-physical systems has recently been introduced that involves automatic formal plant model synthesis followed by verification of temporal properties. The formal model is inferred from traces gathered from the simulation model. Then, verification of temporal properties for the whole closed-loop system can be performed using the NuSMV tool. The main purpose of this paper is to investigate the applicability of the aforementioned method by performing a case study on the example of a compensating group drive simulation model provided by our industrial partners.

I. INTRODUCTION

There is hardly any field where cyber-physical systems (CPS) are not applied, as they have become an integral part of the modern world. In many cases they play a critical role and their behavior is required to be correct. There are several approaches for checking whether the developed CPS follows its specification, among which are testing and formal verification. Standard testing does not consider the whole range of possible system states, so it cannot prove that the system is correct. Moreover, in some domains a CPS with wrong behavior can cause irreparable harm to the environment or people, so the better alternative for ensuring system correctness is formal verification.
In particular, in the presented paper we will discuss the model checking method [1], [2] for formal verification.

Before using model checking for CPS verification, the desired strategy of this methodology should be chosen. There are two main approaches to model checking: open-loop and closed-loop [3], [4] verification. In the first approach, the plant model is not taken into consideration; only the controller model is tested. As a result, the controller may receive any inputs, including ones that the plant can never produce, which leads to the state explosion problem. However, this approach can be useful in systems of limited complexity. In the second approach, both plant and controller formal models are required. Having a formal plant model, plant output stubs in the controller can be replaced by actual model outputs. Thereby, the loop between the controller and the plant is closed. Unlike the open-loop strategy, here the problem of state explosion hardly occurs, as the state space is reduced. Therefore, in most cases, even complicated systems can be verified.

In this paper closed-loop model checking will be discussed. To make this method applicable, first the formal CPS model should be available. A formal model normally consists of two components: a formal model of the plant itself (plant model), which is independent and can act in any way allowed by its physical constraints, and a formal controller model (controller) that receives output signals from the plant model and generates inputs to the plant model based on them. The problem is that the plant model is almost never provided, due to various reasons such as developing it separately from the system itself and then the necessity to maintain it with every change of the real system. Generally, resources spent on this kind of work may never be paid off. Hence, there should be a technique for formal plant model inference.

978-1-5090-6505-9/17/$31.00 ©2017 IEEE
For example, [5] considers creating modular formal models from elementary automata. In [6], [7] methods for obtaining a formal plant model from 3D CAD models are proposed. The aforementioned methods have such disadvantages as the requirement that the simulation model must be in a specific format, and semiautomatic formal model creation. In [8], [9] and [10] methods for automatic formal model inference using simulation model execution traces have been introduced. They impose no restrictions on the source simulation model format and do not require human assistance during formal model creation. As they use traces for model generation, it is necessary to select the traces so that the resulting formal model is precise enough. Research in this area was performed in [11], where an approach to gathering traces for inferring models satisfying this condition was suggested.

The formal model can be inferred using two main approaches [8], [9], [10]. One of them is the explicit-state method. It implies creating an automaton with states produced from outputs and transitions made of the inputs between consecutive outputs encountered in traces. Since traces sometimes do not cover the whole system behavior, the first issue is deadlocks caused by so-called unsupported transitions. To resolve it, such transitions should be created in advance. All this makes the approach close to unrealistic for real-world application. This is due to the fact that, to make the system adequate, all possible system states need to be covered by traces and, consequently, by automaton states, which can and
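The explicit-state inference step described above, as an added illustration (this is not the paper's code and not the tool of [8], [9], [10]): states are taken from distinct plant output vectors, transitions are labelled with the controller input applied between two consecutive outputs, and every (state, input) pair that no trace exercises is reported as an unsupported transition. The inferred automaton is emitted as a NuSMV module whose TRANS relation is the disjunction of observed transitions, so an unsupported pair has no successor and the closed-loop model deadlocks there; "creating such transitions in advance" is shown here as a self-loop completion, which is one possible choice and an assumption of this example. The drive signals (start, stop, running, alarm) and the traces are constructed for the example.

```python
"""Explicit-state plant model inference from simulation traces (added example).

Each trace step is (inputs, outputs): the boolean input vector the controller
applied to the plant and the boolean output vector the plant showed at that
step.  The transition (out_k, inp_k) -> out_{k+1} is recorded for every pair of
consecutive steps.  Signal names, traces and the self-loop completion policy are
constructed assumptions of this example, not the paper's data or method.
"""
from itertools import product
from typing import Dict, List, Set, Tuple

Vec = Tuple[bool, ...]          # a boolean input or output vector
Trans = Dict[Tuple[Vec, Vec], Set[Vec]]   # (state, input) -> possible next states


def infer_plant(traces: List[List[Tuple[Vec, Vec]]]) -> Tuple[Set[Vec], Trans]:
    """Build the explicit-state automaton: states = outputs, edges = inputs."""
    states: Set[Vec] = set()
    trans: Trans = {}
    for trace in traces:
        for (inp, out), (_, nxt) in zip(trace, trace[1:]):
            states.update((out, nxt))
            # several traces may disagree on the successor: keep all (nondeterminism)
            trans.setdefault((out, inp), set()).add(nxt)
    return states, trans


def unsupported(states: Set[Vec], trans: Trans, n_in: int) -> List[Tuple[Vec, Vec]]:
    """(state, input) pairs no trace exercises: deadlocks in the strict model."""
    return sorted((s, i) for s in states
                  for i in product((False, True), repeat=n_in) if (s, i) not in trans)


def complete_with_self_loops(states: Set[Vec], trans: Trans, n_in: int) -> Trans:
    """Create unsupported transitions in advance; here the plant keeps its output."""
    done: Trans = {k: set(v) for k, v in trans.items()}
    for s, i in unsupported(states, trans, n_in):
        done[(s, i)] = {s}
    return done


def _conj(names: Tuple[str, ...], vec: Vec, nxt: bool = False) -> str:
    """Boolean conjunction over named signals, optionally on next-state values."""
    return " & ".join(("" if v else "!") + (f"next({n})" if nxt else n)
                      for n, v in zip(names, vec))


def to_nusmv(in_names: Tuple[str, ...], out_names: Tuple[str, ...],
             trans: Trans, init: Vec) -> str:
    """Emit a NuSMV module whose TRANS is the disjunction of observed transitions."""
    lines = [f"MODULE plant({', '.join(in_names)})", "VAR"]
    lines += [f"  {n} : boolean;" for n in out_names]
    lines += ["INIT", "  " + _conj(out_names, init), "TRANS"]
    branches = []
    for (s, i), nxts in sorted(trans.items()):
        succ = " | ".join("(" + _conj(out_names, n, nxt=True) + ")" for n in sorted(nxts))
        branches.append(f"  ({_conj(out_names, s)} & {_conj(in_names, i)} & ({succ}))")
    lines.append(" |\n".join(branches))
    return "\n".join(lines)


# Constructed toy traces: inputs (start, stop), outputs (running, alarm).
IN_NAMES = ("start", "stop")
OUT_NAMES = ("running", "alarm")
OFF, ON, ALARM = (False, False), (True, False), (False, True)
TRACES = [
    [((True, False), OFF), ((False, False), ON), ((False, True), ON), ((False, False), OFF)],
    [((True, False), OFF), ((False, False), ON), ((False, False), ALARM), ((False, False), ALARM)],
    [((False, False), OFF), ((False, False), OFF)],
]

if __name__ == "__main__":
    states, trans = infer_plant(TRACES)
    print("unsupported (state, input) pairs:", len(unsupported(states, trans, len(IN_NAMES))))
    print(to_nusmv(IN_NAMES, OUT_NAMES, complete_with_self_loops(states, trans, len(IN_NAMES)), OFF))
```

Running the script shows that three constructed traces leave 7 of the 12 (state, input) pairs unsupported, which is the coverage problem the paragraph describes: the strict model is only as complete as the traces, and every gap must either be closed by more traces or filled in by a policy such as the self-loops above before `check_fsm` in NuSMV stops reporting deadlock states.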