Model-driven assurance for robotic controllers: a subterranean tunnel inspection case study

Autonomous inspection robots operate in hazardous and safety critical environments where assurance must extend beyond conventional testing. This paper presents an end-to-end, model-driven assurance workflow for the Subterranean Tunnel Autonomous Inspection Robot (ST_AIR), demonstrated through a substantial case study that integrates hazard analysis, formal modelling, and compositional verification within formally verified design models. Behavioural requirements derived from hazard analysis are expressed as formally specified properties and automatically verified using an established toolchain. The workflow validates mission and safety supervisory control logic in isolation and then confirms their synchronised behaviour through integrated harness verification, producing traceable, machine-checked assurance evidence. The verified models capture 29 hazard- and mission-driven behaviours covering gas exposure, water ingress, slope instability, corrosion, and visibility degradation. The results demonstrate how the disciplined integration of existing formal methods can be used to construct reusable, certification-oriented assurance artefacts for safety-critical autonomous robotic systems.