- The paper introduces FORGE, a pipeline that integrates LLM-driven vibe coding with MDE and multi-verifier feedback to generate certification-ready safety-critical software.
- It leverages three complementary verifiers—Dafny, FDR4, and Isabelle/HOL—to ensure rigorous formal verification, achieving convergence in a median of two iterations.
- The approach bridges rapid code generation and industrial safety standards (e.g., DO-178C, IEC 61508, ISO 26262) by extracting formal models from mainstream Java.
Introduction
This paper proposes FORGE (Formal method Oriented Refinement loop for GEnerated code), a comprehensive pipeline for channeling LLM-driven "vibe coding" workflows into certification-relevant, formally verified deliverables for safety-critical domains. The approach leverages established Model-Driven Engineering (MDE) infrastructure to bridge the gap between rapid, intent-driven code generation and stringent requirements imposed by standards like DO-178C, IEC 61508, and ISO 26262. The pipeline positions mainstream Java as the lingua franca for both LLMs and industrial practice, systematically extracting formal models for verification via deductive, algebraic, and theorem-proving paradigms.
Unguided vibe coding, which accepts LLM-generated source with minimal review, fails to meet the requirements for safety-critical systems due to the absence of formal correctness guarantees. Existing approaches either direct LLMs to niche verification-aware languages (Dafny, Verus, Lean) or implement post-hoc verification filters. The former suffers from limited training data, low compositional verification rates, and incompatibility with industrial toolchains; the latter treats verification as a filter without providing iterative guidance. FORGE circumvents these challenges by integrating LLMs as generators within an MDE-guided feedback loop, allowing verification to be performed on models extracted from mainstream languages, thereby maintaining compatibility with both LLM training corpora and industrial practices.
Pipeline Architecture
FORGE comprises a seven-phase pipeline—organised into requirements/generation, extraction, and verification/feedback families:
- Requirements and Generation: Elicitation of structured requirements and iterative Java code generation via LLMs, partitioned into architectural, skeleton, operational, controller, and review prompts. Strong structural constraints ensure code extraction-tractability, mirroring safety-critical subsetting traditions (MISRA, Ravenscar, Safety-Critical Java).
- Extraction: Text-to-model transformation (T2M) employs a Spoon-to-EMF bridge, yielding EMF-native Java models with Java 17+ support. Model-to-model transformation (M2M) maps Java EMF models to RoboChart state machines, supporting timed and reactive controller semantics. Model-to-text transformations (M2T) emit three formal artefacts—Dafny, CSP-M, and Z-Machine (Isabelle/HOL).
- Verification and Feedback: Three complementary verifiers—Dafny (deductive method contracts via Z3), FDR4 (CSP refinement), Isabelle/HOL (symbolic transition relation, deadlock/invariant proofs)—are applied. Verification failures generate structured correction prompts mapped to source code via traceability models. A vacuity audit ensures non-trivial obligation discharge.
Empirical Evaluation
Three externally authored case studies of increasing structural complexity—SRanger (ground robot), Last Response Engine (AUV safety governor), and Chemical Detector (multi-controller robot)—demonstrate FORGE's generality, defect detection, necessity, convergence, and attribution:
- Across five runs per study (15 total), all runs converge to formally verified code in two to three iterations (median 2).
- No cold, single-pass generation achieves convergence (0/30).
- Compile-only ablation (discounting verifier feedback) leaves all runs verification-failing, establishing the necessity of formal feedback.
- Each verifier targets unique defect classes: Dafny detects contract violations; FDR4 identifies behavioral deadlocks/divergences; Isabelle catches structural deadlocks and invariant faults. No single verifier suffices alone.
- Pipeline demonstrates monotonic convergence; structural defects are localised, and iteration costs are dominated by Isabelle proofs.
- Feedback is essential; generic codegen guidance alone cannot preempt all defects.
Numerical Results
- For the SRanger, LRE, and Chemical Detector case studies, verifier results: Dafny verified all transitions with zero errors, FDR4 established deadlock/divergence freedom, Isabelle proved all deadlock/invariant lemmas.
- Median convergence iterations: 2 per study, case complexity did not predict iteration count.
- Ablation (compile-only): 15/15 runs failed at least one verifier, often Dafny or Isabelle individually, confirming necessity of multi-verifier feedback.
Design Rationale and Implications
FORGE assumes formal verification should operate outside the LLM, not as an intrinsic capability nor as a post-hoc filter. The pipeline separates domain knowledge from infrastructure, ensuring extensibility and generalisation across studies. Restrictions on Java code generation are justified by extraction-tractability, aligning with industry safety profile traditions. The pipeline additionally provides full traceability from requirements through code and models to formal artefacts, facilitating integration with structured assurance cases (GSN, SACM).
The approach enables:
- Certification-oriented evidence production—deductive, algebraic, and theorem-proving artefacts compatible with standards.
- Industry adoption by avoiding niche languages, retaining Java-centric toolchains.
- Grounding of verification in model-driven extraction, supporting extensibility to C/C++, Rust, Python with analogous T2M bridges.
Theoretical and Practical Implications
FORGE substantially closes the verification gap between LLM-driven development and industrial certification requirements. The complementary nature of the three verifiers ensures holistic property coverage—function-level, behavioral, and structural. The pipeline evidences that iterative feedback, not codegen guidance alone, is indispensable for conformant artefacts. Restrictions imposed on Java are a trade-off between expressiveness and extraction faithfulness, actionable for automated refactoring research.
Implications for AI and Future Directions:
- Extending T2M bridges to additional languages will enhance domain coverage and industrial adoption of LLM-guided formal methods.
- Integrating outputs into structured assurance cases will streamline external review and certification processes.
- Developing LLM-assisted extraction-tractable refactoring will mitigate upfront syntactic restrictions, increasing developer flexibility.
- Exploring compliance and effectiveness across multiple LLM families (GPT-4, Gemini, DeepSeek, Llama, etc.) is an open avenue, critical for generality.
Limitations and Threats to Validity
- Convergence and feedback effectiveness demonstrated only in the RoboStar/RoboChart domain; wider system types (hybrid, probabilistic) remain untested.
- Stochasticity is confined to the LLM; deterministic transformation phases support reproducibility.
- Semantic preservation of model transformations and qualified tool-chain assurance is not fully established; evidence produced is actionable by human assurance engineers but not strictly certifiable.
Conclusion
FORGE demonstrates a closed-feedback loop for guiding LLM-generated Java code toward standards-recognised formal verification. The pipeline's architecture, combining MDE infrastructure with three distinct verifiers, substantiates the position that assurance should be realised through iterative draft-and-discriminate workflows rather than relying on LLMs for intrinsic verification. Empirically, convergence is rapid and feedback-driven, each verifier indispensable. FORGE thus offers a scalable, generalisable approach for producing certification-relevant evidence from AI-driven software development in safety-critical settings, and sets the agenda for broadening formal verification's reach through MDE-guided AI workflows.
Citation: "Formal-Method-Guided Vibe Coding: Closing the Verification Loop on AI-Generated Safety-Critical Software Through Model-Driven Engineering" (2606.22413)