Formal Evidence Generation for Assurance Cases for Robotic Software Models

Robotics and Autonomous Systems are increasingly deployed in safety-critical domains, so that demonstrating their safety is essential. Assurance Cases (ACs) provide structured arguments supported by evidence, but generating and maintaining this evidence is labour-intensive, error-prone, and difficult to keep consistent as systems evolve. We present a model-based approach to systematically generating AC evidence by embedding formal verification into the assurance workflow. The approach addresses three challenges: systematically deriving formal assertions from natural language requirements using templates, orchestrating multiple formal verification tools to handle diverse property types, and integrating formal evidence production into the workflow. Leveraging RoboChart, a domain-specific modelling language with formal semantics, we combine model checking and theorem proving in our approach. Structured requirements are automatically transformed into formal assertions using predefined templates, and verification results are automatically integrated as evidence. Case studies demonstrate the effectiveness of our approach.

💡 Research Summary

The paper addresses the growing need for rigorous safety assurance in robotics and autonomous systems (RAS) by proposing a fully automated, model‑based pipeline that generates and integrates formal verification evidence into Assurance Cases (ACs). The authors identify three core challenges: (1) translating natural‑language requirements into formal, tool‑ready assertions, (2) coordinating multiple verification engines that each handle different property classes (safety, real‑time, probabilistic), and (3) automatically feeding verification results back into the AC argument structure while preserving traceability.

To solve these problems, the authors build on RoboChart, a domain‑specific modeling language with formal semantics, and on a suite of verification tools: FDR for CSP model checking, PRISM for probabilistic model checking, and Isabelle/HOL for theorem proving. The pipeline consists of four main components. First, a requirement capture stage uses Kapture together with a set of controlled‑natural‑language templates. These templates classify requirements into safety, real‑time, or probabilistic categories and enforce a consistent syntactic structure, reducing reliance on expert manual formalisation. Second, an assertion generator automatically maps the structured requirements to RoboChart‑specific assertion templates, producing LTL, timed‑CSP, or PCTL specifications as appropriate. Third, a verification orchestrator selects the appropriate backend tool based on the assertion type, invokes the tool, and collects the results. The orchestrator also manages tool‑specific parameters and logs any failures for later analysis. Fourth, an evidence integrator transforms verification outcomes into SACM‑compliant “Solution” nodes (or GSN “Evidence” nodes), attaching metadata such as model version, parameter values, verification time, and success/failure status. This ensures that the AC remains a living document that can be automatically updated when the underlying model evolves.

The authors validate their approach with four case studies: (a) an unscrewing robot that adapts its behaviour when encountering new screw types (probabilistic property verified with PRISM), (b) a safety monitor for an autonomous underwater vehicle that must react within strict timing bounds (real‑time property verified with FDR), (c) a mail delivery robot powered by a rechargeable battery where mission completion probability is analysed (PRISM), and (d) a high‑voltage controller where a critical safety invariant is proved using Isabelle. In each case, the end‑to‑end process—from requirement entry to evidence insertion—takes only a few minutes, compared to several days of manual effort in traditional workflows. Moreover, when a requirement changes, the pipeline automatically re‑executes the relevant verification, updates the evidence nodes, and preserves consistency between the AC and the model.

The paper also discusses limitations. The template‑based natural language processing still requires domain experts to define and maintain the templates; complex properties that fall outside the predefined classes may need manual intervention. The theorem‑proving stage remains the least automated, as Isabelle often requires user‑guided proof scripts. The authors propose future work that leverages large language models to expand and refine requirement templates, and to generate initial Isabelle proof sketches, thereby moving toward a fully hands‑off pipeline.

In summary, this work demonstrates that embedding formal verification into the AC development lifecycle is feasible and beneficial. By unifying requirement structuring, assertion generation, multi‑tool orchestration, and evidence integration, the approach dramatically reduces the labor and error‑proneness of evidence management, supports continuous system evolution, and provides a repeatable, traceable foundation for safety cases in safety‑critical robotic applications.