
From Software Verification to Everyware Verification

Final Report Summary - VERIWARE (From Software Verification to Everyware Verification)

“It is the start of school term and Amy is getting her daughter Ariel ready for school. She checks her smartwatch, which advises her to reduce stress and exercise more. Ariel has chronotropic deficiency and does not tolerate exercise, but she has been much better since she was fitted with a new personalised rate-adaptive pacemaker. They can hear the sound of dishes downstairs; Bo, the robotic assistant, is setting out the breakfast table in the kitchen and making tea. As the sun is higher now, the window blinds lower slightly to maintain a constant ambient temperature in the house. Outside a drone arrives, delivering milk ordered by the fridge. Amy checks her smartphone to see if there are any messages from school. She uses an app to signal to her car to drive itself out of the garage and wait on the driveway, warming up. She read somewhere that soon she will be able to hail an autonomous taxi to take her daughter to school...”

The scene just described is nothing other than ubiquitous computing, a vision of computing in which the computer disappears from view and becomes embedded in our environment, in the equipment we use, in our clothes, and even in our body. In this vision, predicted as early as 1993, a multitude of sensor-enabled computing devices – called ‘everyware’ by Adam Greenfield and now more commonly known as the Internet of Things – are operating, silently supporting our daily activities and autonomously making decisions on our behalf. These smart objects are capable of sensing what is around them, adapting to new situations, communicating with humans and other devices, and organising into online communities. The fast pace of technological progress has not only turned the vision of ubiquitous computing into reality, but has also greatly increased our expectations. Smartphones are used for banking, wearables for biometric authentication, and self-driving cars are being tested on roads. Future potential developments are endless, with molecular-scale devices capable of sensing particular molecules and delivering drugs upon detection already envisaged.

But are we safe? In each of these ‘everyware’ devices there is an embedded processor running a complex program, and bugs in computer programs are quite common, as everyone who has experienced a blue screen knows all too well. But a blue screen in self-driving software? Or an illegal operation performed by a pacemaker? The consequences would be unimaginable but, as the recent Tesla Autopilot incident and FDA recalls of pacemakers demonstrate, all too real.

A promising approach is to employ rigorous software engineering methodologies that help to ensure safety, reliability, performability and resource efficiency of embedded software. Model-based design and automated verification offer an attractive solution: they enable fully automatic methods such as model checking and controller synthesis, and can greatly reduce the development effort through code generation. Quantitative verification technologies, as implemented, for example, in the probabilistic model checker PRISM, provide means to automatically and systematically analyse models to check for properties such as “the smartphone will never execute an illegal operation” (reliability), “the probability of failure to raise alarm if the levels of airborne pollutant are unacceptably high is tolerably low” (safety), and “the maximum expected time to retrieve location information is within the specified range” (performability).

However, ubiquitous computing poses unique challenges for quantitative verification. The VERIWARE project aimed to reduce the chance of faults in ‘everyware’ by extending quantitative verification towards automated quantitative synthesis and focusing on the following aspects: (i) we need to consider communities of ‘everyware’, acting autonomously, and verify their cooperative and competitive behaviour with respect to possibly conflicting, quantitative goals; (ii) we also need to enable quantitative verification for sensor-enabled devices that control continuous physical processes, such as the electrical signal in the heart or concentration of glucose in the blood, which may be non-linear; and (iii) since ‘everyware’ continuously interact with and react to the environment, we must be able to handle adaptive behaviours. More concretely, the project targeted properties such as: “the expected energy usage will remain in the specified range, irrespective of demand by other users” (competitive); “the blood glucose level will return to normal in at most 3 hours, assuming wireless communication failure rate is within the specified range” (continuous and stochastic dynamics), and “the expected time to make a collective decision by a group of potentially faulty mobile sensors falls within a specified interval of time, even allowing for some sensors to move out of reach of the signal” (adaptation).

The VERIWARE project has fully met its objectives, delivering major advances in theoretical foundations, developing novel software tools, and pioneering the techniques in new application domains. For (i), an extensive game-theoretic framework was developed that supports verification and strategy synthesis for a variety of single- and multi-objective quantitative properties, including novel compositional assume-guarantee strategy synthesis and Pareto trade-off visualisation. The techniques were implemented as an extension of PRISM, called PRISM-games, and evaluated on a number of real-world case studies drawn from sensor networks, energy smart grids and autonomous systems. Regarding (ii), focusing on model-based design for cardiac pacemaker software and with the support of the Proof of Concept grant VERIPACE, a framework based on Simulink, called HeartVerify, was developed alongside a collection of heart models. The framework supports closed-loop verification against personalised heart models, and not only allows verification against safety properties, but also automatic synthesis of timing delays to optimise a quantitative objective, such as energy usage or cardiac output, without jeopardising safety. For (iii), a general framework for quantitative verification at runtime was developed and implemented in PRISM (www.prismmodelchecker.org), which employs incremental model construction and verification to improve the performance of re-verification following each adaptation step; realises a novel concept of permissive controllers to improve robustness; and incorporates machine learning in controller synthesis to improve scalability. Looking to the future of ubiquitous computing, and specifically beyond Moore’s law, we have also studied fundamental problems in the scientific understanding and rational design of computational devices and circuits made from DNA.

The outcomes of the VERIWARE project, including links to publications, case studies and software downloads, can be found at the project website www.veriware.org and the PRISM website www.prismmodelchecker.org. The exciting and fruitful research directions initiated by VERIWARE are continuing as part of the Mobile Autonomy and AFFECTIVA projects.