A model-based approach to automation of formal verification of ROS 2-based systems

Dust, Lukas; Gu, Rong; Mubeen, Saad; Ekström, Mikael; Seceleanu, Cristina

doi:10.3389/frobt.2025.1592523

ORIGINAL RESEARCH article

Front. Robot. AI, 16 July 2025

Sec. Computational Intelligence in Robotics

Volume 12 - 2025 | https://doi.org/10.3389/frobt.2025.1592523

This article is part of the Research TopicRobotics Software EngineeringView all 11 articles

A model-based approach to automation of formal verification of ROS 2-based systems

Lukas Dust*

Rong Gu

Saad Mubeen

Mikael Ekström

Cristina Seceleanu

School of Innovation, Design, and Technology, Mälardalen University, Västerås, Sweden

Formal verification of robotic applications, particularly those based on ROS 2, is desirable for ensuring correctness and safety. However, the complexity of formal methods and the manual effort required for model creation and parameter extraction often hinder their adoption. This paper addresses these challenges by proposing a model-based methodology that automates the formal verification process using model-driven engineering techniques. We introduce a methodology which can be applied as a toolchain that automates the initialization of formal model templates in UPPAAL using system parameters derived from ROS 2 execution traces generated by the ROS2_tracing tool. The toolchain employs four model representations based on custom Eclipse Ecore metamodels to capture both structural and verification aspects of ROS 2 systems. The methodology supports both implemented and conceptual systems and enables iterative verification of timing and scheduling parameters through model-to-model and model-to-text transformations. A proof-of-concept implementation demonstrates the feasibility of the proposed approach. The designed toolchain supports verification using two types of UPPAAL models: one for individual node verification (e.g., callback latency and buffer overflow) and another for end-to-end latency analysis of ROS 2 processing chains. Experiments conducted on two implemented and one conceptual ROS 2 systems validate the correctness and adaptability of the toolchain. The results show that the toolchain can automate parameter extraction and model generation. The proposed methodology modularizes the verification process, allowing domain experts to focus on their areas of expertise. It targets to enhances traceability and reusability across different verification scenarios and formal models. The approach aims to make formal verification more accessible and practical to robotics developers.

1 Introduction

Ensuring that a robotic system’s design and implementation meet the requirements specification is crucial for guaranteeing the system’s desired behavior. Various verification methods are employed to achieve this, with formal methods, e.g., model checking, being particularly effective due to their rigorous mathematical approach to analyzing complex system models during the design phase (Carvalho et al., 2020). Model checking involves an exhaustive exploration of the system’s model state space to verify that the system meets its specification, uncovering potential errors that might be missed by traditional trial-and-error methods such as simulation and experimentation (Dust et al., 2023a).

Despite its advantages, the application of formal model-based approaches in distributed and complex systems poses significant challenges. The steep learning curve associated with the mathematical syntax and semantics of formal modeling languages can be a barrier for robotic developers. Consequently, the high initial effort required for model checking often deters its use in industry, leading developers to rely on less rigorous, trial-and-error methods (Rajkumar et al., 2010).

The Robot Operating System (ROS) (OpenRobotics, 2023b; OpenRobotics, 2023a) is an open-source middleware that facilitates rapid prototyping and deployment of robotic systems. ROS-based systems, particularly those with safety-critical applications, have stringent timing requirements that necessitate real-time capabilities in the middleware. These capabilities are influenced by various system components, including communication, task scheduling, and execution. To address the limitations of ROS in real-time applications, ROS 2 was developed, incorporating real-time communication through the Data Distribution Service (DDS) C. S. V. (Gutiéerrez et al., 2018). While DDS provides a robust framework for real-time communication, the task scheduling in ROS 2 still requires extensive analysis to ensure deterministic timing behavior (Casini et al., 2019; Blaß et al., 2021).

Tools like ROS2_tracing (Bédard et al., 2022) and Autoware_perf (Li et al., 2022) have been developed to trace system execution and analyze performance based on execution traces. However, these tools primarily offer experimental analysis, which may not be exhaustive and could miss potential system errors. In contrast, model checking offers a comprehensive verification approach capable of identifying all potential bugs in the model. Despite this, the manual application of formal methods to ROS 2 systems remains error-prone and time-consuming, requiring significant background knowledge.

In our previous work (Dust et al., 2023a), we utilize the UPPAAL model checker (Alur and Dill, 1994) to create reusable templates for verifying timing behavior and buffer overflow in ROS 2 systems. These templates simplify the modeling process by allowing systems to be instantiated from pre-defined templates rather than constructed from scratch. However, this approach still requires detailed knowledge of static and runtime system parameters, as well as of the modeling language itself, to represent verification properties accurately. The manual nature of this process makes it susceptible to errors, as parameters are often determined through source-code analysis and runtime evaluation.

1.1 Problem definition and paper contributions

In our previous work (Dust et al., 2023b; Dust et al., 2024), we identified scheduling-related timing issues in ROS 2 and developed formal model templates to address such issues (Dust et al., 2023a). The proposed template-based verification facilitates formal verification, but initializing the formal model templates requires extended knowledge and analysis of static and runtime parameters. Furthermore, due to the manual process of initializing the formal models, extended knowledge about the modeling language is needed. Additionally, manual source code and runtime analysis make the proposed verification vulnerable to errors. In this paper, we aim to simplify the formal verification process by proposing a model-based methodology that automates parameter determination and model initialization using the existing formal model templates. This methodology is designed for robotics developers, with the goal of making formal verification more accessible and less error-prone. In this article, we extend our work (Dust et al., 2024), automating model-based formal verification using model-driven engineering techniques.

Based on the problem definition, we develop the three research questions. The research questions are presented in the following paragraphs.

As the first goal of this paper, we aim to identify an approach that can be used to automate the application of formal verification. By proposing an approach, we aim to reduce the complexity for practitioners when applying formal methods through the facilitation of automation. To achieve the stated goal, we design a methodology and implement a proof of concept of a toolchain that enables the application of such methodology. Hence, we contribute a bridging approach utilizing ROS 2 traces, modeling, and formal methods that automate formal verification through automated transformations.

As the second goal of this paper, we aim to modularize the process of formal verification. The modularization targets to decouple components of the verification process to enable actors to focus on their domain of expertise in the creation and adaptation of the verification process. In this paper, we modularize the process of formal verification through the design and modeling of a methodology that we apply in a novel toolchain implemented in this paper. Hence, we propose a layered and modular methodology that can be applied through the implemented toolchain.

As the third goal of the paper, we aim to propose a methodology that allows verification of different formal models, focusing on different properties to verify. The proposed methodology aims to separate the concerns in terms of the type of properties to verify. We demonstrate the ability of the methodology to allow verification of different formal models by implementation of a toolchain and experimental evaluation. As a result of the design, implementation, and evaluation, we develop a novel validated UPPAAL model for end-to-end (E2E) latency to enable comparison to formal models proposed in the literature. Furthermore, we develop a proof of concept that covers multiple verification goal-oriented UPPAAL models.

Summarizing, the following research questions are tackled in this paper:

RQ1: What approach can be employed to automate the application of formal verification of ROS 2-based applications?

RQ2: How can the formal verification process be modularized to enable domain experts to concentrate on their specific areas of expertise without requiring deep formal methods knowledge?

RQ3: How can a methodology incorporate verification using different formal models?

The contributions of this paper are summarized as follows:

1. A novel methodology for model-based verification of ROS 2 systems, featuring a toolchain that includes UPPAAL, Eclipse, and ROS2_tracing.

2. UPPAAL models for verification of end-to-end latencies in ROS 2 processing chains in a single executor.

3. Ecore metamodels to capture system structure and support verification activities.

4. Automated and conceptual model-to-model transformations from ROS 2 execution traces to Ecore models, and from Ecore models to UPPAAL models.

5. Demonstration of the proposed toolchain’s workflow through a proof of concept implementation, covering key aspects of the toolchain architecture.

The remainder of this paper is organized as follows. Section 2 provides an overview of model checking, ROS 2, and model-driven engineering using Eclipse. Section 3 details the proposed methodology and toolchain architecture, along with the potential workflow. Section 4 presents the proof of concept implementation, followed by a discussion of related work in Section 6. The paper concludes with final remarks, and prospective future work in Section 7.

2 Background

In this section, we provide an overview of the essential concepts and tools relevant to our work, including model checking, ROS 2, model-driven engineering using Eclipse, and end-to-end timing analysis.

2.1 Model checking and UPPAAL

Model checking is a formal verification technique that offers a rigorous, mathematical approach to the analysis of complex systems during the design phase (Carvalho et al., 2020). It involves an exhaustive exploration of the system’s model state space to ensure that the system meets its specification. UPPAAL is a widely used model checker for the modeling, simulation, and verification of real-time systems described as timed automata (Alur and Dill, 1994). It supports the creation of reusable templates to verify timing behavior and buffer overflow, making the application of formal verification more accessible.

Below, we provide a brief, informal overview of timed automata (TA). For detailed and precise definitions of TA and their application in UPPAAL, we refer the reader to the literature (Alur and Dill, 1994; Hendriks et al., 2006).

A timed automaton (TA) (Alur and Dill, 1994) consists of a finite set of locations, including an initial location, which are connected by edges, as well as a finite set of non-negative real-valued variables, known as clocks, which measure the elapse of time and progress simultaneously at rate 1. The edges are decorated with a finite set of actions, and guards, which are conjunctive Boolean formulas of clock constraints that need to evaluate to true for the edge to be traversed. Clocks can be reset over the edges, and a partial function assigns invariants to locations, which constrain the time allowed to elapse in a particular location. The semantics of TA is defined as a labeled transition system with delay and action transitions.

UPPAAL (Hendriks et al., 2006) is a tool used for modeling, simulation, and model checking of an extended version of timed automata called UPPAAL Timed Automata (UTA). In UPPAAL, UTA are organized as templates (see Figure 1) that can be instantiated. UTA enhances the capabilities of TA by adding features such as data variables, synchronization channels (Boolean variables decorated by “!” for sending, and by “?” for receiving), urgent and committed locations, and more. Furthermore, UPPAAL allows the composition of UTA in parallel as a network of UTA (NUTA), synchronized via channels.

Figure 1

Figure 1. Examples of UTA in UPPAAL. (a) UTA template TA1. (b) UTA template TA2.

Figures 1a,b show two NUTA implemented in UPPAAL. In these figures, blue circles represent locations connected by directional edges. Double-circled locations are the initial locations (e.g., L0). Locations marked with an encircled ”u” are urgent (e.g., L3), and those with an encircled ”c” are committed (e.g., L4). UTA imposes constraints that prevent time from progressing in urgent and committed locations. Committed locations have stricter rules: the next edge traversal must start from one of them.

Edges allow for assignments such as resetting clocks (e.g., c1≔0), updating data variables (e.g., v1≔para1), guards (e.g., c1>=10), and synchronization channels (e.g., a! and a?). At location L1, an invariant c1<=15 ensures that clock c1 does not exceed 15 time units in that location. In UPPAAL, UTA templates can include parameters (e.g., para1 in TA1) that are assigned values upon instantiation.

2.2 ROS 2

The Robot Operating System 2 (ROS 2) (OpenRobotics, 2023a) is an open-source middleware designed to facilitate the rapid development and prototyping of robotic systems. Unlike what its name suggests, ROS 2 is not a standalone operating system but rather runs on top of an existing host OS, predominantly Linux.

ROS 2 was developed to meet industrial requirements such as fault tolerance and real-time performance. To achieve real-time capabilities, ROS 2 introduced the Data Distribution Service (DDS) Group (2022) as its communication protocol. DDS, created by the Object Management Group (OMG) Group (2022), enables efficient communication between distributed applications. While DDS is the default communication protocol, other protocols such as Zenoh can be utilized.

The fundamental building blocks of ROS 2 systems are nodes, which communicate through designated channels using DDS. ROS 2 supports two primary communication paradigms (Birman and Joseph, 1987): Publisher-Subscriber and Service-Client. In the Publisher-Subscriber model, nodes can either publish messages to a specific topic or subscribe to receive messages from that topic. All nodes subscribed to a topic receive the published messages. Conversely, the Service-Client model involves directed communication, where a client node requests a service from a server node, which then processes the request and sends back a response.

Figure 2 illustrates an example of a ROS 2 system with two nodes communicating over four channels. In addition to communication channels, system timers can be used to trigger functions within a node at specified intervals.

Figure 2

Figure 2. An example ROS 2 system showing the concepts of Node, Timer, Topic, Publisher, Subscriber, Service, and Client.

Nodes in ROS 2 are executable entities within the host OS and consist of several functions known as callbacks, which are the atomic schedulable units in ROS 2. Callbacks are triggered by events such as the arrival of data in an input buffer or a timer event. There are four types of callbacks: timer, subscriber, service, and client.

Each node also includes an executor, which is responsible for scheduling and executing callbacks (Casini et al., 2019; Blaß et al., 2021). The executor can operate with single or multiple threads, depending on the configuration chosen. However, the latest versions of ROS 2 do not provide options to set callback priorities, making the execution susceptible to blocking. This can lead to issues such as buffer overflow and missed callback instances in worst-case scenarios (Dust et al., 2023b; Dust et al., 2023a).

2.3 ROS2_tracing

ROS2_tracing (Bédard et al., 2022) is a low-overhead framework based on the Linux Trace Toolkit next-generation (LTTng). It is included in the ROS 2 installation and allows for the generation of execution traces. These traces provide valuable insights into the system’s behavior, including callback execution times, message passing instances, and system initialization events. The ROS2_tracing toolbox includes a Python library called tracetools_analysis, which transforms LTTng traces into a defined ROS 2 data model, represented as pandas Python objects (Bédard et al., 2022).

2.4 Autoware real Time reference system

The Autoware Reference System (ROS Realtime Working Group, 2025b) is part of the ROS 2 (Robot Operating System) ecosystem, specifically designed to provide a standardized and repeatable benchmarking environment for evaluating the performance of various executors and configurations within the ROS 2 framework (ROS Realtime Working Group, 2025a). This real-time reference system simulates the Autoware. Auto (Autoware Foundation, 2025) LiDAR data pipeline, to measure and compare the performance of different executor implementations. The reference system is defined by a fixed number of nodes, each with specific publishers, subscribers, processing times, and publishing rates. It uses a fixed message type and size for consistency. The system can run on various platforms, including different hardware and operating systems, ensuring that the benchmarks are portable and replicable.

2.5 Pattern-based verification of ROS 2 timing

In our previous work (Dust et al., 2023a), we proposed a pattern-based verification approach for analyzing the execution behavior of ROS 2 systems using UPPAAL. This approach focuses on verifying two key properties: callback latency and input buffer sizes.

Callback Latency: This is defined as the maximum time between the release of a callback instance and the completion of its execution. Ensuring low callback latency is crucial for maintaining the responsiveness of the system.

Input Buffer Size: This property verifies that the input buffer is large enough to handle incoming data for a given system configuration. Adequate buffer sizes prevent data loss and ensure smooth data flow within the system.

To facilitate the verification process, we create three types of UPPAAL templates to represent ROS 2 nodes:

$•$ Wall-Time-Callbacks: These are callbacks that are released at specific times.

$•$ Periodic Callbacks: These are callbacks that are released periodically.

$•$ Executors: These represent different versions of the ROS 2 executor, which schedules and executes callbacks.

These templates can be composed to model a ROS 2 system, allowing for exhaustive verification of timing properties. Listing 1 illustrates an example of UPPAAL system initialization:

Listing 1

Listing 1. Example of UPPAAL System Initialization.

The listing above shows an example of how a ROS 2 system can be initialized using UPPAAL templates. In this example:

$•$ An array is created to hold the release times for a Wall-Time-Callback. In this case, the callback is released four times at 43 m intervals.

$•$ An executor is initialized with a defined stop time, which describes the interval for which the verification will be conducted.

$•$ The Wall-Time-Callback template is instantiated with parameters such as the callback ID, execution time, number of releases, release time array, callback type, and buffer size.

$•$ The system is defined as a composition of the executor and the callback.

This initialization process allows for the simulation and verification of the system’s timing behavior using UPPAAL. By modeling the system in this way, we can conduct exhaustive verification to ensure that the system meets its timing requirements and identify any potential issues related to callback latency and buffer sizes. The actual verification of such properties happens in the UPPAAL verifier through checking the states of defined variables.

The pattern-based verification approach provides a structured and systematic method for analyzing the timing behavior of ROS 2 systems, making it easier for developers to ensure the correctness and reliability of their systems.

2.6 Eclipse modeling framework (EMF)

The Eclipse Modeling Framework (EMF) (Steinberg et al., 2008) is a widely used tool for model-driven engineering (MDE). EMF provides a framework for defining metamodels and generating code from models. It supports model-to-model and model-to-text transformations, enabling the automation of various development tasks. In our work, we utilize EMF to create metamodels that represent different abstractions of ROS 2 systems, facilitating the automation of formal verification. EMF allows the definition of metamodels that are instances of the Ecore metamodel, which can be used to create models representing system components and their interactions.

2.7 End-to-end timing analysis

End-to-end timing analysis is crucial for ensuring the correct functionality and safety of autonomous systems, particularly in real-time applications. It involves analyzing the timing behavior of cause-effect chains, which represent sequences of reactions from a cause (e.g., sensing) to an effect (e.g., actuation). Two key metrics in end-to-end timing analysis are the maximum reaction time (the maximum time for the system to react to an external input) and the maximum data age (the maximum time between sampling and the output being based on that sample) (Teper et al., 2022).

In ROS 2 systems, end-to-end timing analysis can be challenging due to the combination of time-triggered and event-triggered components. Existing methods for periodic and sporadic task systems are not directly applicable to ROS 2. Therefore, we propose new UPPAAL templates that resemble the end-to-end timing analysis presented in (Teper et al., 2022). These templates are used to model and verify the timing behavior of ROS 2 systems, to ensure that they meet the required timing constraints.

3 Proposed methodology

In this section, we present a methodology designed to automate the formal verification of ROS 2-based systems. The methodology integrates execution traces generated at runtime, model-driven development, and the composition of formal model declarations and verification. This methodology aims to decouple the process of formal modeling from system development while ensuring traceability, enabling users to apply formal verification without requiring extensive domain expertise.

3.1 Definition of users

The primary goal of this methodology is to simplify the verification process for robotic systems. The intended end users are robotics developers who may have limited knowledge of modeling and formal verification. Hence, the aim is to allow robotics engineers to perform formal verification with limited learning effort.

Practically, the methodology is designed to enable the design of an extensible toolchain, where domain experts, such as formal verification specialists and modeling engineers focus on the aspects where they can contribute most. Once such a toolchain following the developed methodology is developed, implemented, and set up, robotics engineers should be able to operate it with limited learning effort. The definition of users and maintainers of the toolchain is essential to analyze potential modularization, as stated in RQ2.

3.2 Architectural overview

The toolchain comprises four main architectural components.

1. System Implementation Layer

2. Tracing Layer

3. Modeling Layer

4. Verification Layer

Figure 3 provides an overview of the methodology, showing the included layers and their connections. Each layer is marked in a different color. It can be seen that with Start A and Start B, there are two starting points for the potential application of the methodology. They refer to the two possible application approaches, namely, the verification of already implemented, executable systems, and the verification of conceptual system design. A more detailed overview of the components of each layer can be found in Figure 4. In the figures, MM stands for Meta-Model, M stands for Model, and T stands for Transformation. In Figure 4, boxes stand for artifacts and system components such as models and traces, while ellipses stand for actions such as transformations. The subsequent sections explain the layers in more detail.

Figure 3

Figure 3. Architectural overview of the proposed methodology for automating verification of ROS 2-based systems. The architecture includes layers for system implementation, tracing, modeling, and verification.

Figure 4

Figure 4. Detailed overview of the elements in the component layers. (1) System Implementation Layer. (2) Tracing Layer. (3) EMF Modeling Layer. (4) Verification Layer. (a) Overview of the ROS 2 system implementation, highlighting the static and dynamic information captured during system execution. (b) Tracing layer overview, showing the process of generating and analyzing execution traces to create the ROS 2 Data Model. (c) Modeling Layer overview, illustrating the different metamodels and transformations used to automate the verification process. M2M stands for model-to-model transformation. (d) Verification Layer overview, showing the generation of UPPAAL artifacts from EMF models for formal verification.

3.2.1 System Implementation Layer

The ROS 2 Layer 0 (light blue) represents the ROS 2 system implementation, encompassing both static information (Figure 4a) (dark blue) and dynamic information (white). Static information includes system components such as nodes, timers, subscriptions, publishers, services, and clients. Dynamic information involves runtime data such as callback execution times, timer release times, and message passing instances that describe the system behavior during execution.

3.2.2 Tracing layer

The Tracing Layer 1 (green) utilizes tracing to generate execution traces from the running system. An overview of the elements in this layer is presented in Figure 4b. Generated traces contain both static and dynamic information, and are then transformed into a human-readable ROS 2 Data Model representation (M0). Additionally, customized analysis can be performed during the initial analysis of the traces, such as message flow analysis, as proposed in (Bédard et al., 2023). Based on the generated traces and analysis, a detailed visualization of system components and their interactions is possible. The traces are an important part to answer RQ1, as they enable automated determination of system parameters.

3.2.3 Modeling layer

The Modeling Layer 2 (light yellow) shown in Figure 4c involves the use of a modeling framework to create and utilize different metamodels and transformations. The metamodels allow the definition of models to model the system from different perspectives. The following exemplary types of metamodels allow representation of various abstractions of the ROS 2 system:

$•$ MM1 Metamodel: Input Metamodel: Maps the ROS 2 Data Model to an model for use in a model editor, allowing detailed analysis and traceability.

$•$ MM2 Metamodel 2: System Model: Allows modeling of the system from a perspective towards the formal model. Parameters not needed for verification might be excluded, and component links might be made using a different approach. This model is used to decouple the formal modeling further from the tracing and parsing. Hence, if a different formal model is introduced, MM2 has to be exchanged. Nevertheless, there can be multiple different implementations of MM2 to allow the generation of different formal model representations.

While it is possible to generate the verification code from the traces directly, it is beneficial to include different metamodels during the generation steps. This allows traceability throughout the generation process, which might lead to a better understanding of parameters. Furthermore, this allows for the testing of different parameters without the need to adapt and rerun the system. Additionally, the introduction of incremental steps is essential to achieve modularization as stated in RQ2. Note that in a modeling environment, there might be multiple different implementations of MM2 to allow the application of different formal models.

To simplify the transformation between the different model representations, three types of transformations can be employed:

$•$ Model Parsing (T1): Transforms textual model descriptions into model representations specific to the chosen modeling environment, ensuring compatibility with the metamodel definitions.

$•$ Model to Model Transformation (T2): Converts one model representation to another, facilitating different sets of features and abstractions.

$•$ Code Generation (T3): Translates models into executable code, enabling the generation of formal model declarations and verification queries.

The shown transformations can be automated using designated tools. Such automation potential is important to answer RQ1.

3.2.4 Verification layer

The Verification Layer 3 (violet) shown in Figure 4d contains three main elements. First of all, there are the formal model templates, which are created by a verification expert; the templates capture the behavior of the system components, formally. The templates can be composed into a system, in the system declaration. Using the toolchain, the system declaration can be produced through model-to-text transformations. Verification queries can be executed in the verifier. The verifier allows verification of the properties of a system specified by such queries. They can be predefined as templates and adapted to the chosen notation and naming during the model-to-text transformations. When applying the methodology following the architectural overview in Figure 3, upon creation of the formal model and queries in form of a compatible file (3.1), the outcome of the verification is given as potential execution traces and the query results (3.2). In the proposed methodology, multiple different implementations of Templates, Systems Declarations, and Verification Queries can be employed. This is essential to answer RQ3.

3.2.5 Relation of components and modularization

In the previous subsections, we divided the methodology into four layers. Each of the layers consists of multiple components.

While the metamodels proposed in the Tracing Layer and the Modeling Layer are not strictly needed to enable automation, in this paper, they are introduced to enable modularization and decoupling of domain knowledge in the verification processes.

Generally, the boxes shown in Figures 4b–d show artifacts that result from specific actions shown as ellipses.

Two consecutive artifacts in the methodology are related by the fact that the set of attributes of the first artifact is an extension of the attributes of the second artifact. Hence, a transformation reduces the set of parameters while changing the structure of the model. As an example, one can transform an instance of the class Trace to an instance of the class ROS 2 Data Model by using Trace_analysis library functions. The classes are substitutable by any other class that obeys the extends mechanism. However, the transformation needs to be adapted, provided that the inherited attributes of the substituted class change. In the Modeling Layer, multiple, different instances of the two metamodels might be created. Any instance of MM1 can be transformed in any instance of MM2, as long as the extends mechanism for the parameters is true. Hence, in case a preceding model is adapted or exchanged, the transformation only needs to be adapted when the inherited attributes change.

The layered approach with the different artifacts allows for reducing complexity and shifting the goal of the models in defined steps through an adaptation of the modeled system architectures incrementally. While the MM1 reflects more the architecture of a ROS 2 system, the MM2 reflects closer the architecture of the proposed formal model. Each parameter reduction and architectural model change is conducted incrementally, reducing the need for complex domain knowledge while allowing traceability. This reflection is essential as an informal proof of modularization to tackle RQ2.

3.3 Application of the methodology

To apply the methodology, a toolchain is needed that implements the required components, such as metamodels and transformations. Once the necessary metamodels and transformations are established, the end user (robotics developer) can perform the verification by following the outlined approach. The general flow of applying the methodology is shown in Figure 3, and the workflow can start from two points: verifying legacy systems (Start A) or conceptual systems (Start B).

3.3.1 Verification of legacy systems

Starting with a ROS 2 system implementation (Start A), tracing is used to generate runtime execution traces. These traces are transformed into the ROS 2 Data Model using analysis tools. A parser then converts the ROS 2 Data Model into a model. Multiple model-to-model transformations can be applied within the EMF environment to generate a formal model based on predefined templates. The generated formal model definition is used for formal verification, and the results can guide parameter adjustments in the model or the real system. This iterative process allows for thorough testing before implementing changes in the actual system.

3.3.2 Verification of new systems

For new system designs (Start B), the system can be modeled directly using the created metamodels. This approach allows for system definition without existing source code. By modeling a system using a modeling environment, only the necessary parameters for verification need to be determined, and the code generation can automatically produce the formal model declaration. Iterative verification of system parameters can then be conducted using the models and formal modeling tool, ensuring a robust design before implementation.

3.4 Toolchain setup, development, and extension

As described in the previous section, a toolchain is needed to enable the application of the methodology following Figure 3 to verify ROS 2-based applications. The design and implementation of such toolchain is done in a different order than the actual verification process shown in Figure 3. The modularity of components in the methodology allows domain experts to focus on their area of expertise when implementing the toolchain. Each domain expert is responsible for the implementation of specific components and only interacts with other domain experts to implement the connectors, such as transformations. Below, we give an overview of the implementation process of a toolchain that involves several steps, each requiring specific expertise:

Step 1: Development of Formal Models (Formal Methods Expert): In a first step, the formal model component templates need to be defined, created, and tested in the formal modeling tool.

Step 2: Determination and setting of Parameters (Formal Methods Expert/Robotics Expert): Next, the needed input parameters for the formal verification, and how they can be obtained (e.g., through ROS2_tracing), need to be identified. If they cannot be obtained through the mainline analysis tools, additional analysis methods may be required.

Step 3: Development or Adaptation of Tracing Tools (Robotics Expert): In a following step, the tracing needs to be adapted to capture the parameters as required.

Step 4: Development or Adaptation of Metamodels (Software Engineering/Modeling Expert): The next step incorporates an update of the ROS 2 data model and creation of the metamodels needed to cover the components needed for formal verification.

Step 5: Development or Adaptation of Transformations (Software Engineering/Modeling Expert): Implementation of the parsing, the model-to-model, and model-to-text transformations. Create verification models in the formal verification environment and corresponding metamodels.

When creating a toolchain, we assume the goal is the verification using one specific formal model representation. Nevertheless, in case different formal model approaches are to be used, the toolchain can be extended by extending the second and third layer. While the first metamodel in the layer is for a seamless parsing of a trace output to a model in the model environment, the second metamodel enables the transformation towards the formal model representation. Hence, when adding a formal model representation, a further implementation of the second metamodel has to be introduced to adapt to the new formal model. The first metamodel and the parsing can be reused. The possibility of domain experts focusing on defined steps with defined connectors with inputs and outputs in between different layers, is evidence of modularization and helps answering RQ2.

4 Toolchain implementation and application

In this section, we apply and evaluate the proposed methodology through the design, implementation, and application of a toolchain. In the first step, we design and implement a toolchain following the process explained in Section 3.4.

4.1 Toolchain design

Following the four layers of the proposed methodology, the designed toolchain comprises four main architectural components: three tools (ROS2_tracing, Eclipse/EMF, and UPPAAL) and the actual system implementation.

An overview of the Tracing Layer, the EMF Modeling Layer and the Verification Layer of the toolchain created in this evaluation is given in Figure 5.

Figure 5

Figure 5. Overview of the proposed toolchain and its components. Note that Layer 0 (ROS 2 Layer) is omitted for space reasons.

To show the extensibility of the approach, in this paper we implement formal verification based on two approaches of formal modeling. The first approach is verifying callback latency (CBL). The second approach focuses on verification of end to end delays (E2E). Hence, the verification layer comprises of two different UPPAAL models. Each UPPAAL model consists of the UPPAAL timed automata templates, the UPPAAL systems definition and the verification queries.

The parsing layer consists of the tool ROS2_tracing and generated outputs created by the python libraries of tracetools_analysis, such as custom graph visualization.

The modeling layer contains the EMF Data MM, which allows direct parsing of the ROS 2 data model to a model in Eclipse. The model can be reused for the generation of both formal models. Next, the specialized model representation has to be designed for each of the verification approaches individually. Hence, the EMF Modeling Layer contains one metamodel for the CBL and one metamodel for the E2E. Besides the metamodels, the EMF modeling layer contains model transformations.

We implement the transformations,T1,T2.1 and T31 to an extent to be conducted automatically using the chosen tools. Transformations T2.2and T2.3are conducted by hand. Nevertheless, if a feature is contained in the preceding model, it can be contained in the next model after the transformation. Furthermore, some features that are not directly contained can be calculated during the transformation from the parameters that are contained.

In the following, we explain the implementation of the toolchain and the order in which it is designed. Furthermore, we explain the parameters and features that are contained in each element in Figure 5.

4.2 Toolchain implementation

In the next sections, we follow the workflow for creation of a toolchain following the methodology presented in Section 3.4.

4.2.1 Step 1: Formal models in UPPAAL

To demonstrate the methodology and toolchain we utilize two different kinds of UPPAAL models for verification. The first kind of UPPAAL models has been created previously (Dust et al., 2023a), and are explained in Section 2. The model focuses on the verification of latency and callback size of a single callback in a ROS 2 system.

The second kind of UPPAAL models (E2E) used for evaluation in this paper are created during the implementation of the toolchain. The models aim to allow verification of end-to-end (E2E) latency as proposed in the literature (Teper et al., 2022). Generally, our modeling approach is to create a chain that contains all the components of the original chain and adds delays during the execution that are equally long as the maximum latency for each component. Hence, when executing the model, at the end of the simulation of the last component, the system time will be according to the maximum latency of the chain. In related work (Teper et al., 2022), the authors define six types that can describe a callback based on the function in a processing chain: Sensor, Filter, Timer Fusion, Subscription Fusion, Timer Actuator, and Subscription Actuator. For each of the types of callbacks, we propose UPPAAL templates that can be used to model the end-to-end delays and are shown in Figure 6. In what follows, we give an overview of the proposed templates, where the details, such as included parameters, are explained in Section 4.2.2.

Figure 6

Figure 6. UPPAAL templates for the callbacks.

Sensor: A sensor node is the start of a chain and sends a message periodically. According to (Teper et al., 2022) the maximum latency is defined as the period minus the maximum execution time plus two times the execution time of all callbacks in the executor. To model the callback in UPPAAL, the callback starts in a location where it waits for the time to elapse until the maximum latency to finish its execution. When the execution of the sensor callback has ended, a following callback is triggered. This is modeled through a synchronized channel to the following callback that is initiated by the sensor.

Filter: The subscription actuator can be modeled like a filter, as the maximum latency is equal to two times the sum of all callback execution times (Teper et al., 2022). The callback is modeled by triggering the execution through the synchronized channel through the preceding callback. Upon triggering of the execution, the callbacks stay in the execution location until the maximum blocking time has elapsed. Upon finishing the execution, the next callback is triggered through a synchronized channel.

Timer fusion: Timer fusion in a chain basically consists of two relevant callbacks. The first callback receiving a message from the preceding node can be modeled as a filter. The second callback is a timer callback that has the same latency as a sensor (Teper et al., 2022). Hence, we model the callback as a sensor, but with the difference that the callback is triggered by another callback and upon execution triggers another following callback.

Subscription Fusion: When modeling a subscription fusion, there are two different paths possible for a chain. If the subscription that triggers the following node of a fusion lies within the same chain (is triggered by a callback in the chain that is modeled). In this case, the callback can be modeled as a filter node.

If the callback that outputs the fusion result is not contained in the same chain, a second chain has to be introduced to determine the maximum latency. As each chain starts with a sensor node, we model the start of that chain as a sensor that is triggered by another node. Following, each element of the same chain including the fusion callback has to be included separately as a fusion callback.

Timer actuator: The timer actuator actually consists of two callbacks that have to be modeled accordingly in our UPPAAL representation. The first callback is triggered by the preceding node in the system and resembles a subscription node. In our example, the callback has to be modeled as a filter. The final callback is a timer callback that executes the actuator. This callback has the same latency as a sensor callback (Teper et al., 2022). Hence, we model the callback as a sensor, but with the difference that the execution is triggered by a preceding callback. Upon finishing the execution, the callback passes through an End location that is used for the verification query.

Subscription actuator: The subscription actuator can be modeled like a filter, as the maximum latency is equal to two times the sum of all callback execution times (Teper et al., 2022). The only difference is the actuator being the end of the chain. Hence it does not need to trigger another execution of a following callback.

The shown templates are sufficient to model processing chains of callbacks and determine the upper bound for the latency by checking the global system time while the Actuator callback passes through the End location.

4.2.2 Step 2: Determining parameters, features, and formal model declaration

In this step, we identify the parameters required to instantiate the UPPAAL templates for model verification. These parameters are essential for accurately modeling the system’s behavior and ensuring the correctness of the verification process.

4.2.2.1 Buffer overflow UPPAAL templates

The legacy UPPAAL model includes three types of templates: BufferOverflow, Executor, and Callbacks. Each template requires specific parameters to be instantiated, as follows.

4.2.2.1.1 Executor template

$•$ stoptime: The time at which the executor stops executing. This parameter defines the duration for which the verification is conducted.

4.2.2.1.2 PeriodicCallback template

$•$ id: A unique identifier for the callback.

$•$ execution time (Ci): The time required to execute the callback.

$•$ period (Ti): The interval at which the callback is triggered.

$•$ type: The type of callback (e.g., timer, subscriber).

$•$ buffer size: The size of the buffer associated with the callback.

4.2.2.1.3 SporadicCallback template

$•$ id: A unique identifier for the callback.

$•$ execution time (Ci): The time required to execute the callback.

$•$ amount of releases: The number of times the callback is released.

$•$ release array: An array specifying the release times of the callback.

$•$ type: The type of callback (e.g., timer, subscriber).

$•$ buffer size: The size of the buffer associated with the callback.

4.2.2.2 End-to-end (E2E) timing analysis templates

For end-to-end timing analysis, we use several templates to model different components of the system. Each template requires specific parameters to capture the timing behavior accurately.