Creation and Evaluation of Formal Specifications for System-of-Systems Development
2005 IEEE International Conference on Systems, Man and Cybernetics, Waikoloa, Hawaii, October 10-12, 2005

Creation and Evaluation of Formal Specifications for System-of-Systems Development

Doron Drusinsky
Computer Science Department, Naval Postgraduate School, Monterey, CA, USA

Man-Tak Shing
Computer Science Department, Naval Postgraduate School, Monterey, CA, USA
shing@nps.edu

Abstract - Studies have suggested that formal specifications and lightweight formal methods help improve the clarity and precision of the specification. This paper describes a process that augments the current informal approaches to system-of-systems development by introducing temporal assertions to capture the safety-critical and mission-essential system requirements, and runtime model checking to evaluate the system designs and implementation. The process allows users to develop and validate temporal assertions iteratively via simulation with multiple scenarios, and to use the assertions to automate the testing of the system-of-systems under development as well as to armor-plate the target system against unexpected behaviors at runtime.

Keywords: Formal specification, temporal assertion, prototyping, run-time execution monitoring.

1 Introduction

We define a system-of-systems (SoS) as a federation of existing systems and developing systems that provides an enhanced capability greater than that of any of the individual systems within it. The individual systems making up a system-of-systems are often developed for a different context and subjected to a different set of constraints than those of the system-of-systems. The development of complex systems-of-systems poses many challenges [1,2]. These systems are very complex (often distributed, heterogeneous, network-centric, and software intensive) and yet have to be highly dependable. Feasible timing and safety requirements for these systems are difficult to understand, formulate and satisfy.

There is a growing interest in using object-oriented analysis and design methods in conjunction with the Unified Modeling Language (UML) to develop complex systems-of-systems [3]. These methods usually start with Use Case analysis to identify user needs. Functional and non-functional requirements obtained from the Use Case analysis are often written in natural language, resulting in ambiguous and contradictory specifications whose errors are only discovered late in the development process.

Run-time Execution Monitoring of formal specification assertions (REM) is a class of methods for tracking the temporal behavior of an underlying application, often against formal specification assertions. REM methods range from simple print-statement logging to run-time tracking of complex formal specifications (e.g., written in temporal logic) for verification purposes. NASA used REM for the verification of flight code for the Deep Impact project [4]. In [5], we showed that the use of run-time monitoring and verification of temporal assertions, in tandem with rapid prototyping, helps debug the requirements and identify errors earlier in the design process. Recently, REM has been adopted by the U.S. Ballistic Missile Defense System project as the primary verification method for the new ballistic missile battle manager because of its ability to scale and its support for temporal assertions that include real-time and time-series constraints [6]. Formal specifications and lightweight formal methods help improve the clarity and precision of the specification [7]. The process of specifying formally enables developers to gain a deeper understanding of the system being specified, and to uncover flaws, inconsistencies, ambiguities and incompletenesses [8].
Unfortunately, users of formal methods often discover, late in the development process, that their formal specifications are incorrect, greatly reducing the effectiveness of the formal method approach. This paper is concerned with the early development of correct formal specifications. The artifacts resulting from this process can be formally analyzed to check for inconsistencies, or used to derive other properties of the specified system. The formal specifications also provide the basis for test automation as well as runtime fault detection and exception handling [9].

The process described in this paper augments the current informal approaches to system-of-systems development by introducing temporal assertions to capture the safety-critical and mission-essential system requirements, and runtime model checking to evaluate the system designs and implementation (Figure 1). The process starts with requirements expressed in natural language for a specific set of scenarios. Selected safety-critical and mission-essential requirements are translated into formal temporal assertions, which are evaluated for correctness against the scenarios using the DBRover temporal logic simulator [10] or the StateRover/JUnit statechart assertion simulator [11]. Correct assertions are input to the DBRover or StateRover code generator to generate executable timing specifications, which are then used to instrument the prototype system or target system for runtime monitoring and model checking.

Figure 1. Assertion use in system-of-systems development (stages: Use Case Analysis; Assertion Development; Assertion Evaluation via scenario simulation; System Architecture Development; Simulation Development; Simulation Analysis in tandem with Runtime Model Checking; Components Development via Design by Contract; System Testing with Runtime Model Checking; Target System Execution with Runtime Model Checking. Artifacts: informal requirements and scenarios, temporal assertions, validated temporal assertions, UML-RT OO architectural models with temporal assertions, executable architecture with runtime monitoring code, OMNeT++ simulation with runtime monitoring code, target system with executable assertions and runtime monitoring code. Feedback loops: scenario changes, architecture changes, component changes, assertion refinement, architecture refinement.)

The rest of the paper is organized as follows. Section 2 provides an introduction to formal specifications in temporal logic and TLCharts. Section 3 presents an example that illustrates the creation and evaluation process for temporal assertions using the DBRover system. Section 4 presents a discussion of the approach and draws some conclusions.

2 Temporal Logic and TLCharts

Published REM methods typically use temporal logic as a specification language [12,13].
Temporal Logic is a special branch of modal logic that investigates the notions of time and order. This paper focuses on the use of temporal logic for specifying desired properties of discrete systems. Readers can refer to [14] for a variant of temporal logic for specifying properties of continuous systems. Linear-time Temporal Logic (LTL) is an extension of propositional logic where, in addition to the well-known propositional logic operators, there are four future-time operators (◇ Eventually, □ Always, U Until, O Next) and four dual past-time operators. Pnueli [15] suggested using LTL for reasoning about concurrent programs. Since then, several researchers have used LTL to state and measure the correctness of concurrent programs, protocols, and hardware (e.g., [16]). Metric Temporal Logic (MTL) was suggested by Chang, Pnueli, and Manna as a vehicle for the verification of real-time systems [17]. MTL extends LTL by supporting the specification of relative-time and real-time constraints. With MTL, all four LTL future-time operators can be characterized by relative-time and real-time constraints specifying the duration of the temporal operator. Temporal Logic with Time Series constraints (MTLS) was suggested by Drusinsky as an extension of MTL which enables temporal specifications to provide assertions about time-series properties such as stability, monotonicity, and min-max values [12].
For example, the following automotive cruise control code contains a stability assertion (using embedded TemporalRover syntax [10]) requiring speed to be 5% stable while cruise is set and not changed:

    void cruise(boolean cruiseset, boolean cruisechange, boolean cruiseoff,
                boolean cruiseincr, int speed) {
        /* Cruise Controller functionality */
        /* TRBegin
           TRAssert{
             Always ({cruiseset} =>
               ({speed*0.95 < speed' && speed' < speed*1.05}
                  Until $speed$ {cruisechange || cruiseoff}))
           } => { }   // user actions
           TREnd */
    }

In the example, speed is a temporal data variable associated with the Until temporal operator. This association implies that every time the Until operator begins its evaluation, possibly in multiple instances (due to non-determinism), the speed value is sampled and preserved in the speed variable of this instance of the Until; this value is referred to as the pivot value for this Until node instance. Future speed values used by this particular evaluation of the Until statement are referred to using the prime notation, i.e., as speed'. Hence, if the speed value was 100 km/h when cruiseset is true, then the pivot value for speed is 100, while every subsequent speed is referred to as speed' and must be within 5% of the pivot speed value. Note how speed is declared using the $speed$ notation to be a temporal data variable associated with the Until operator. This declaration indicates to the Temporal Rover that it should sample a pivot value from the environment in the first cycle of the Until operator's lifecycle, and refer to all subsequent samples of speed as speed'.

Drusinsky recently suggested TLCharts as a hybrid of Harel Statecharts and temporal logic [18,19]. TLCharts visually and intuitively resemble Harel Statecharts while enabling non-determinism, negation and temporal-logic conditioned transitions. This is useful for specifying abstract non-deterministic temporal properties inside a statechart specification.
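As an added illustration, not code from the paper or from the TemporalRover tool, the following Python monitor applies the same pivot-and-prime semantics to a sampled trace: whenever cruiseset holds, a new Until instance starts, samples the pivot speed, and checks that every later sample stays within 5% of that pivot until cruisechange or cruiseoff is seen. The Sample record, the CRUISE_TRACE data and the verdict labels are assumptions of the example. As in the temporal-logic Until, the cycle in which the release event occurs is not itself checked for stability, and an instance whose release never arrives before the trace ends is reported as pending rather than as a failure, which is the distinction a runtime monitor has to make on an unfinished execution.

```python
"""Runtime check of a time-series stability assertion over a sampled trace.

Added example, not TemporalRover code.  It mirrors the intent of the
cruise-control assertion in the text:

  Always ({cruiseset} => ({speed*0.95 < speed' && speed' < speed*1.05}
                           Until $speed$ {cruisechange || cruiseoff}))

The pivot value of `speed` is sampled in the cycle where an Until instance
starts (a cycle in which cruiseset holds); every later sample (speed') must
stay within 5% of the pivot until cruisechange or cruiseoff is observed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (start cycle, "success" | "failure" | "pending", cycle that decided it)
Verdict = Tuple[int, str, int]


@dataclass(frozen=True)
class Sample:
    """One monitoring cycle: the environment inputs and the sampled speed (assumed layout)."""
    cruiseset: bool
    cruisechange: bool
    cruiseoff: bool
    speed: int


def stable(pivot: int, current: int, tolerance_pct: int = 5) -> bool:
    """Body of the Until: pivot*0.95 < speed' < pivot*1.05, with strict bounds
    as in the assertion.  Integer arithmetic avoids floating-point edge cases."""
    return pivot * (100 - tolerance_pct) < current * 100 < pivot * (100 + tolerance_pct)


def check_until_instance(trace: List[Sample], start: int, tolerance_pct: int = 5) -> Tuple[str, int]:
    """Evaluate one Until instance that begins at cycle `start`.

    The pivot is the speed sampled at `start`.  Scanning forward:
      - the first cycle where cruisechange or cruiseoff holds resolves the
        instance as a success (that cycle's speed is not checked, matching
        'a Until b' semantics, where b releases the obligation on a);
      - a cycle whose speed leaves the +/-5% band before release is a failure;
      - running out of trace before either is 'pending' (not yet decidable).
    """
    pivot = trace[start].speed
    for cycle in range(start, len(trace)):
        s = trace[cycle]
        if s.cruisechange or s.cruiseoff:
            return ("success", cycle)
        if not stable(pivot, s.speed, tolerance_pct):
            return ("failure", cycle)
    return ("pending", len(trace) - 1)


def monitor(trace: List[Sample], tolerance_pct: int = 5) -> List[Verdict]:
    """Apply the outer Always: every cycle in which cruiseset holds opens a
    fresh Until instance with its own pivot, so instances may overlap."""
    verdicts: List[Verdict] = []
    for cycle, s in enumerate(trace):
        if s.cruiseset:
            status, at = check_until_instance(trace, cycle, tolerance_pct)
            verdicts.append((cycle, status, at))
    return verdicts


def first_failure(trace: List[Sample]) -> Optional[Verdict]:
    """The earliest-deciding failed instance, if any (what a runtime monitor would raise first)."""
    failures = [v for v in monitor(trace) if v[1] == "failure"]
    return min(failures, key=lambda v: v[2]) if failures else None


# Constructed trace (an assumption of the example), one row per cycle:
#   cycles 2-3 set cruise at 100 and 102 km/h, speed stays in band, a change at 6 releases both
#   cycle 8 sets cruise at 80 km/h; 85 at cycle 10 exceeds 84 (80 * 1.05), so that instance fails
CRUISE_TRACE: List[Sample] = [
    Sample(False, False, False, 90),   # 0
    Sample(False, False, False, 95),   # 1
    Sample(True,  False, False, 100),  # 2  pivot 100 -> band (95, 105)
    Sample(True,  False, False, 102),  # 3  pivot 102 -> band (96.9, 107.1)
    Sample(False, False, False, 98),   # 4
    Sample(False, False, False, 104),  # 5
    Sample(False, True,  False, 120),  # 6  cruisechange releases both open instances
    Sample(False, False, False, 80),   # 7
    Sample(True,  False, False, 80),   # 8  pivot 80 -> band (76, 84)
    Sample(False, False, False, 82),   # 9
    Sample(False, False, False, 85),   # 10 out of band -> failure
    Sample(False, False, True,  70),   # 11
]

if __name__ == "__main__":
    for start, status, at in monitor(CRUISE_TRACE):
        print(f"Until instance from cycle {start}: {status} at cycle {at}")
```

Two instances opened at cycles 2 and 3 carry different pivots (100 and 102) and are both discharged by the cruisechange at cycle 6; the instance opened at cycle 8 fails at cycle 10. The pending verdict is what distinguishes an online monitor from an after-the-fact check: with the trace still running, absence of a release event is not evidence of a violation.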
Figure 2. The TLChart specification for the infusion pump control software (states: Init, Wait-For-KeyPress with entry action "reset timer", Alarm-Necessary, Done with priority 1, and Error with priority 2; transition conditions shown include [infusionbegin], [tm(2min)], [tm(10sec)], [keypressed], [alarm], [{alarm Until keypressed}] and [{infusionend Until infusionbegin}]).

For example, Figure 2 shows the TLChart specification of the following behavior of an infusion pump control software: between every infusionbegin and an End-condition session, a keypressed must be repeatedly sensed within any two-minute interval, or else an alarm must sound within 10 seconds and stay on until keypressed is sensed. Also, once the alarm sounds, the assertion has succeeded and no more alarms are permitted. The End-condition is defined as infusionend being sensed until infusionbegin is sensed. This can be formally written in MTL as:

Always ( infusionbegin implies ( (infusionbegin keypressed implies ( (Always alarm ( (Next Eventually 120 keypressed ( keypressed Until [120,130] (alarm Until (keypressed Always alarm Until (infusionend Until (infusionbegin infusionend

TLCharts provide a coherent, uniform formalism for a hybrid of statecharts and temporal logic. A TLChart input string represents a sequence of combinations of stimuli and corresponding system responses; for example, a sequence may contain keypressed, generated by the environment, as well as alarm, a system-generated response. The TLChart in Figure 2 describes legal (accepted) and illegal (rejected) sequences. From a verification standpoint, a rejected string means that the system's behavior does not comply with the specification, typically due to an incorrect system reaction to the input stimuli. This application of diagrams for specification rather than programming and design explains the existence of a sink state (the Error state), which does not typically exist in a design-phase statechart. TLChart's flavor of nondeterminism incorporates the specification of both good and bad computations, with ambiguities resolved via a priority-based resolution scheme. Hence, a sequence of input events that ends up in both the Done state and the Error state in Figure 2 is a legal sequence because the Done state has higher priority than the Error state.

In [11] Drusinsky described the application of specification assertions to monitor and armor-plate statechart models. Using statechart assertions rather than temporal logic assertions to capture temporal requirements is most useful when the SoS, or some of its constituent subsystems, is modeled using UML statecharts.

3 Temporal Assertion Development

Typically, formal specification assertions are created from a conceptual requirement as understood by the primary modeler. This requirement is often a derivative of the main scenario resulting from the Use Case analysis. When such an assertion is deployed it is often incorrect and does not work as intended. Possible reasons for an incorrect assertion are:

1. Incorrect cognitive understanding of the requirement. This situation typically occurs when the requirement was derived from the use case's main success scenario, with insufficient investigation of other scenarios.
2. Incorrect translation of the requirement, as understood by the modeler, to natural language.
3. Incorrect translation of the natural language specification to a formal specification.

Consequently, we propose the following iterative process for assertion development (Figure 3).
Figure 3. Iterative process for assertion development

3.1 From Natural Language to MTL

Regardless of what formal notations or formal methods are used, UML modelers always start their discovery process from some scenarios involving the system and its environment, and express their understanding of the expected behavior or properties of the system informally, in natural language. For example, the modeler may come across a scenario where there is a need for the Missile Defense System Command and Control software to handle emergency requests. He expresses the requirement in English as follows:

When a request is active, then within one minute an acknowledgement should be generated and should be contiguously active until the request subsides.

To translate the requirement into a formal assertion, the modeler first introduces one predicate for each important concept (events/responses/guarded conditions) in the above English statement:

Request = a request is active
Ack = an acknowledgement is generated and active

Next, he uses timing diagrams to analyze the temporal properties of the requirement (Figure 4). Then, he expresses the conditions in MTL with the help of the DBRover syntax-directed rule editor (Figure 5).

Figure 4. Timing diagram (annotations: "Request causes Ack", "1 min", "Ack should remain false forever")

Figure 5. DBRover Rule Editor

3.2 Validating the assertion via simulated scenarios

The effectiveness of lightweight formal methods in system-of-systems development depends heavily on the modeler's ability to understand the requirements and to express them correctly as a formal specification. Past studies [20,21] showed that incorrect specifications are the primary cause of major software faults. Hence, it is crucial for engineers to validate the correctness of the formal specifications as early as possible in the system-of-systems development process.

In the proposed process, engineers can test their assertions against different scenarios (expressed as timing diagrams) using the standalone DBRover temporal rule simulator without writing any simulation code. For example, assume that the English statement in Section 3.1 is formally written as:

Always ( Request implies Eventually 1 min ( Ack Until Not Request ) )

Figure 6 shows the DBRover temporal rule simulator set up for the first scenario. In this scenario, the Request predicate is set to true 1 minute into the simulation and remains true for the next 90 seconds, and the Ack predicate is set to true less than one minute after Request becomes true, remains true for 30 seconds, and then turns false before Request becomes false. The modeler expects the assertion to fail because Ack becomes false before Request subsides. After setting the simulation parameters, the modeler presses the Simulate button (not shown in Figure 6) and a simulation takes place, displaying the output sequence in the output zone. The output shows that the assertion results in a permanent failure at the 10th cycle because Ack does not remain active until Request becomes false, which matches the intent of the natural language statement.

Figure 6. DBRover Temporal Rule Simulator

To test the correctness of the assertion, the modeler proceeds to create three more scenarios, shown in Figures 7-9. The second scenario (Figure 7) represents the typical case where Ack remains true until Request becomes false. The third scenario (Figure 8) represents the case consisting of multiple Requests. The assertion results in a permanent failure at the 18th cycle because Ack fails to become active within 1 minute after Request becomes true the second time. The fourth scenario (Figure 9) represents the case with an unusually short Request interval. Since Request remains true for less than a minute, the condition Eventually 1 min ( Ack Until Not Request ) becomes true once Request subsides in the 11th cycle, even though the rule is temporarily violated, due to the absence of an Ack, in the 10th cycle. This phenomenon is due to the semantics of the temporal logic Until operator, where a Until b succeeds in the very first cycle in which b becomes true: Not Request is true on cycle 11, and therefore Ack Until Not Request is true on cycle 11.

Figure 7. The second scenario
Figure 8. The third scenario (annotation: "too late")
Figure 9. The fourth scenario

The fourth scenario is clearly an example of a scenario not considered by the modeler when the requirement was conceived. It is possible that the cognitive expectation for this scenario is to see the assertion fail, as it does in all scenarios in which Ack subsides before Request. In this case, the formal specification needs to be adjusted accordingly. A possible new formal specification is therefore:

Always ( Request implies ( ( Eventually 1 min Ack ) ( Always 1 min ( Ack implies ( Ack Until Not Request ) ) ) ) )

Figure 10 contains the simulation of this new assertion under the fourth scenario. Clearly, it fails on the 10th cycle.

Figure 10. The revised assertion behavior
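To make the Until subtlety concrete, the following is an added Python evaluator, not DBRover code and not the authors' own, that checks both assertions over four constructed timing-diagram scenarios modeled on the ones described above. It assumes a fixed sampling period of 10 s, so the one-minute bound spans six cycles, and its reported cycle numbers therefore differ from those in the figures. The operators follow standard finite-trace semantics: Always checks every cycle, the bounded Eventually and Always look at most MINUTE cycles ahead (clipped at the end of the trace), and Until holds as soon as its right operand is true, which is exactly what lets the original assertion accept the short-request scenario. The revised assertion is read with a conjunction between its two parts; that connective is an assumption, as are all the names, scenario data and the 24-cycle trace length.

```python
"""Finite-trace evaluation of the Request/Ack assertions from Section 3.2.

Added example, not DBRover code.  A scenario is a timing diagram: one list
of booleans per predicate, one entry per cycle.  Formulas are closures
evaluated at a cycle index, so the temporal operators compose directly.
"""
from typing import Callable, Dict, List, Optional, Tuple

Trace = Dict[str, List[bool]]
Formula = Callable[[Trace, int], bool]

MINUTE = 6  # assumption: one cycle = 10 s, so "within 1 min" = 6 cycles ahead


def length(tr: Trace) -> int:
    return len(next(iter(tr.values())))


def atom(name: str) -> Formula:
    return lambda tr, i: tr[name][i]


def not_(f: Formula) -> Formula:
    return lambda tr, i: not f(tr, i)


def and_(f: Formula, g: Formula) -> Formula:
    return lambda tr, i: f(tr, i) and g(tr, i)


def implies(f: Formula, g: Formula) -> Formula:
    return lambda tr, i: (not f(tr, i)) or g(tr, i)


def until(f: Formula, g: Formula) -> Formula:
    """f Until g at cycle i: g holds at some j >= i and f holds at every cycle in [i, j).
    g is checked first, so the Until is satisfied in the very cycle in which g
    becomes true, whatever f says there.  On a finite trace g must actually occur."""
    def ev(tr: Trace, i: int) -> bool:
        for j in range(i, length(tr)):
            if g(tr, j):
                return True
            if not f(tr, j):
                return False
        return False
    return ev


def window(tr: Trace, i: int, k: int) -> range:
    """Cycles i .. i+k, clipped to the end of the trace."""
    return range(i, min(i + k, length(tr) - 1) + 1)


def eventually_within(k: int, f: Formula) -> Formula:
    return lambda tr, i: any(f(tr, j) for j in window(tr, i, k))


def always_within(k: int, f: Formula) -> Formula:
    return lambda tr, i: all(f(tr, j) for j in window(tr, i, k))


def first_violation(body: Formula, tr: Trace) -> Optional[int]:
    """Always(body) over the whole trace: the first cycle where body fails, or None if it holds."""
    for i in range(length(tr)):
        if not body(tr, i):
            return i
    return None


Request, Ack = atom("Request"), atom("Ack")

# Original: Always (Request implies Eventually<=1min (Ack Until Not Request))
ORIGINAL = implies(Request, eventually_within(MINUTE, until(Ack, not_(Request))))

# Revised (conjunction assumed): Always (Request implies
#   ((Eventually<=1min Ack) and (Always<=1min (Ack implies (Ack Until Not Request)))))
REVISED = implies(Request, and_(
    eventually_within(MINUTE, Ack),
    always_within(MINUTE, implies(Ack, until(Ack, not_(Request)))),
))


def signal(n: int, *high: Tuple[int, int]) -> List[bool]:
    """A timing-diagram signal of n cycles, true on the inclusive [lo, hi] intervals given."""
    s = [False] * n
    for lo, hi in high:
        for c in range(lo, hi + 1):
            s[c] = True
    return s


N = 24  # constructed scenarios, 24 cycles each (assumption)
SCENARIOS: Dict[str, Trace] = {
    "s1": {"Request": signal(N, (6, 14)), "Ack": signal(N, (8, 10))},          # Ack drops before Request ends
    "s2": {"Request": signal(N, (6, 14)), "Ack": signal(N, (8, 14))},          # Ack held until Request ends
    "s3": {"Request": signal(N, (2, 6), (10, 19)), "Ack": signal(N, (3, 6))},  # second Request never acked
    "s4": {"Request": signal(N, (6, 9)), "Ack": signal(N)},                     # short Request, no Ack at all
}


def evaluate_all() -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """(first violation of ORIGINAL, first violation of REVISED) per scenario; None means it passes."""
    return {name: (first_violation(ORIGINAL, tr), first_violation(REVISED, tr))
            for name, tr in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (orig, rev) in evaluate_all().items():
        print(f"{name}: original -> {orig}, revised -> {rev}")
```

Scenarios s1 and s3 fail under both formulas, s2 passes both, and s4 is the one that separates them: the original accepts it because Ack Until Not Request is satisfied outright at the cycle where Request drops, inside the one-minute window, even though Ack was never generated, whereas the revised formula's separate Eventually Ack obligation rejects it at the first Request cycle. Reading the evaluator's verdict as "the assertion is wrong" rather than "the system is wrong" is the judgement the iterative process of Section 3 is built around.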
4 Discussion and Conclusion

The use of formal specifications and lightweight formal methods can increase the level of dependability of complex systems-of-systems. However, the effectiveness of such an approach hinges on the ability to understand the system requirements correctly and to translate them into formal specifications accurately. We have shown a process for the early development and validation of formal specifications. The proposed process helps ensure the correctness of formal requirements, per the modeler's expectations, under a wide variety of scenarios. It is crucial to complete this phase early in the design process, to avoid a situation where incorrect formal specification assertions are deployed and used in later design phases, thereby slowing the overall development process.

The proposed process is made feasible with the help of the DBRover Temporal Rule Validation System. The DBRover temporal logic simulator allows modelers to set up scenarios as simple timing diagrams. Modelers can use the DBRover GUI to specify the simulation length (counted in cycles) and the mapping of cycles to real time (as real-time segments, where each segment has its own real-time unit and number of such units). DBRover also supports time-series specifications within the temporal rules by allowing the modelers to assign integer values to the temporal data variables. Simulation inputs and outputs for the current scenario are saved with their rules in the rule-set file, and simulation scenarios can be saved and loaded (exported and imported to and from files) using the Edit menu of the DBRover GUI.
Acknowledgement

The authors would like to thank the anonymous reviewers for their very helpful comments. The research reported in this article was funded in part by a grant from the U.S. Missile Defense Agency. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright annotations thereon.

References

[1] D.S. Caffall, Conceptual Framework Approach for System-of-Systems Software Developments, Master's thesis, Naval Postgraduate School, Monterey, California, Mar.
[2] D.S. Caffall and J.B. Michael, A New Paradigm for Requirements Specification and Analysis of System-of-Systems, Lecture Notes in Computer Science 2941 (Proc. Monterey Workshop 2002: Radical Innovations of Software and System Engineering in the Future), Berlin: Springer-Verlag.
[3] B. Bruegge, Object-Oriented Software Engineering: Using UML, Patterns and Java (2nd ed.), Prentice Hall, Upper Saddle River, New Jersey.
[4] D. Drusinsky and G. Watney, Applying run-time monitoring to the Deep-Impact Fault Protection Engine, Proc. 28th NASA Goddard Software Engineering Workshop, IEEE, Dec.
[5] D. Drusinsky and M. Shing, Verification of Timing Properties in Rapid System Prototyping, Proc. 14th IEEE International Workshop on Rapid Systems Prototyping, 9-11 June.
[6] D. Caffall, T. Cook, D. Drusinsky, B. Michael, M. Shing and N. Sklavounos, Formal Specification and Runtime Monitoring within the Ballistic Missile Defense Project, Tech. Report NPS-CS, Naval Postgraduate School, Monterey, California, June.
[7] S. Easterbrook, R. Lutz, R. Covington, J. Kelly, Y. Ampo and D. Hamilton, Experiences using lightweight formal methods for requirements modeling, IEEE Transactions on Software Engineering, 24(1), pp. 4-11, Jan.
[8] E. Clarke, J. Wing, et al., Formal Methods: State of the Art and Future Directions, ACM Computing Surveys, Vol. 28, No. 4, December.
[9] D. Drusinsky, M. Shing and K. Demir, Test-time, Run-time, and Simulation-time Assertions for RSP, Proc. 16th IEEE International Workshop on Rapid Systems Prototyping, Montreal, Canada, 8-10 June.
[10] D. Drusinsky, The Temporal Rover and ATG Rover, Lecture Notes in Computer Science (Proc. SPIN 2000 Workshop), Berlin: Springer-Verlag.
[11] D. Drusinsky, Using Deterministic and Nondeterministic Statechart Specification Assertions for Monitoring and Armor-plating Statechart Designs, submitted for publication.
[12] D. Drusinsky, Monitoring Temporal Rules Combined with Time Series, Proc. Computer Aided Verification Conference (CAV 2003), 8-12 July.
[13] K. Havelund and G. Rosu, Monitoring Programs using Rewriting, Proc. 16th Annual Int. Conf. on Automated Software Engineering, IEEE, San Diego, Calif., Nov.
[14] O. Maler and D. Nickovic, Monitoring temporal properties of continuous signals, Lecture Notes in Computer Science 3253 (Proc. Formal Techniques, Modeling and Analysis of Timed and Fault-tolerant Systems), Berlin: Springer-Verlag.
[15] A. Pnueli, The Temporal Logic of Programs, Proc. 18th IEEE Symp. on Foundations of Computer Science.
[16] Z. Manna and A. Pnueli, Verification of Concurrent Programs: Temporal Proof Principles, Lecture Notes in Computer Science 131 (Proc. Workshop on Logics of Programs), Berlin: Springer.
[17] E. Chang, A. Pnueli and Z. Manna, Compositional Verification of Real-Time Systems, Proc. 9th IEEE Symp. on Logic in Computer Science.
[18] D. Drusinsky, Visual Formal Specification using (N)TLCharts: Statechart Automata with Temporal Logic and Natural Language Conditioned Transitions, Proc. International Workshop on Parallel and Distributed Systems: Testing and Debugging (PADTAD), invited paper.
[19] D. Drusinsky, Semantics and Runtime Monitoring of TLCharts: Statechart Automata with Temporal Logic Conditioned Transitions, Proc. 4th Runtime Verification Workshop (RV'04), 2004, invited paper.
[20] R. Lutz, Targeting safety-related errors during software requirements analysis, Proc. 1st ACM SIGSOFT Symposium on Foundations of Software Engineering, ACM, Redondo Beach, Calif., Dec.
[21] D.R. Wallace and D.R. Kuhn, Lessons from 342 medical device failures, Proc. 4th Int. Symposium on High Assurance Systems Engineering, IEEE, Washington, D.C., Nov.
More informationSpecification Centered Testing
Specification Centered Testing Mats P. E. Heimdahl University of Minnesota 4-192 EE/CS Building Minneapolis, Minnesota 55455 heimdahl@cs.umn.edu Sanjai Rayadurgam University of Minnesota 4-192 EE/CS Building
More informationRegression Verification - a practical way to verify programs
Regression Verification - a practical way to verify programs Ofer Strichman Benny Godlin Technion, Haifa, Israel. Email: ofers@ie.technion.ac.il bgodlin@cs.technion.ac.il 1 Introduction When considering
More informationTESTING MULTI-AGENT SYSTEMS FOR DEADLOCK DETECTION BASED ON UML MODELS
TESTING MULTI-AGENT SYSTEMS FOR DEADLOCK DETECTION BASED ON UML MODELS Nariman Mani Vahid Garousi Behrouz H. Far Department of Electrical and Computer Engineering Schulich School of Engineering, University
More informationObject Oriented Program Correctness with OOSimL
Kennesaw State University DigitalCommons@Kennesaw State University Faculty Publications 12-2009 Object Oriented Program Correctness with OOSimL José M. Garrido Kennesaw State University, jgarrido@kennesaw.edu
More informationSystem of Systems Architecture Generation and Evaluation using Evolutionary Algorithms
SysCon 2008 IEEE International Systems Conference Montreal, Canada, April 7 10, 2008 System of Systems Architecture Generation and Evaluation using Evolutionary Algorithms Joseph J. Simpson 1, Dr. Cihan
More informationStatic Safety Analysis of UML Action Semantics for Critical Systems Development
Static Safety Analysis of UML Action Semantics for Critical Systems Development Zsigmond Pap, Dániel Varró Dept. of Measurement and Information Systems Budapest University of Technology and Economics H-1521
More informationMonitoring Interfaces for Faults
Monitoring Interfaces for Faults Aleksandr Zaks RV 05 - Fifth Workshop on Runtime Verification Joint work with: Amir Pnueli, Lenore Zuck Motivation Motivation Consider two components interacting with each
More informationFormal Methods in Software Engineering. Lecture 07
Formal Methods in Software Engineering Lecture 07 What is Temporal Logic? Objective: We describe temporal aspects of formal methods to model and specify concurrent systems and verify their correctness
More informationLesson 06. Requirement Engineering Processes
Lesson 06 Requirement Engineering Processes W.C.Uduwela Department of Mathematics and Computer Science Objectives To describe the principal requirements engineering activities and their relationships To
More informationComputer Aided Prototyping System (CAPS) for Heterogeneous Systems Development and Integration *
Computer Aided Prototyping System (CAPS) for Heterogeneous Systems Development and Integration * Luqi, V. Berzins, M. Shing, N. Nada and C. Eagle Computer Science Department Naval Postgraduate School Monterey,
More informationRepresenting Product Designs Using a Description Graph Extension to OWL 2
Representing Product Designs Using a Description Graph Extension to OWL 2 Henson Graves Lockheed Martin Aeronautics Company Fort Worth Texas, USA henson.graves@lmco.com Abstract. Product development requires
More information! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !
What Are Formal Methods? David S. Rosenblum ICS 221 Winter 2001! Use of formal notations! first-order logic, state machines, etc.! in software system descriptions! system models, constraints, specifications,
More informationReading 1 : Introduction
CS/Math 240: Introduction to Discrete Mathematics Fall 2015 Instructors: Beck Hasti and Gautam Prakriya Reading 1 : Introduction Welcome to CS 240, an introduction to discrete mathematics. This reading
More informationThe SPIN Model Checker
The SPIN Model Checker Metodi di Verifica del Software Andrea Corradini Lezione 1 2013 Slides liberamente adattate da Logic Model Checking, per gentile concessione di Gerard J. Holzmann http://spinroot.com/spin/doc/course/
More informationDesignMinders: A Design Knowledge Collaboration Approach
DesignMinders: A Design Knowledge Collaboration Approach Gerald Bortis and André van der Hoek University of California, Irvine Department of Informatics Irvine, CA 92697-3440 {gbortis, andre}@ics.uci.edu
More informationCompositional Model Based Software Development
Compositional Model Based Software Development Prof. Dr. Bernhard Rumpe http://www.se-rwth.de/ Seite 2 Our Working Groups and Topics Automotive / Robotics Autonomous driving Functional architecture Variability
More informationApplying Real-Time Scheduling Techniques to Software Processes: A Position Paper
To Appear in Proc. of the 8th European Workshop on Software Process Technology.19-21 June 2001. Witten, Germany. Applying Real-Time Scheduling Techniques to Software Processes: A Position Paper Aaron G.
More informationRIGOROUSLY AUTOMATING TRANSFORMATIONS OF UML BEHAVIOR MODELS
RIGOROUSLY AUTOMATING TRANSFORMATIONS OF UML BEHAVIOR MODELS Jon Whittle 1, João Araújo 2, Ambrosio Toval 3, and Jose Luis Fernández Alemán 3 1 QSS / NASA Ames Research Center, M/S 269-2, Moffett Field,
More informationNAVAL POSTGRADUATE SCHOOL
NPS-CS-14-001 NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA COMPUTER-AIDED DISCOVERY OF FORMAL SPECIFICATION BEHAVIORAL REQUIREMENTS AND REQUIREMENT TO IMPLEMENTATION MAPPINGS by Doron Drusinsky January
More informationLiveness and Fairness Properties in Multi-Agent Systems
Liveness and Fairness Properties in Multi-Agent Systems Hans-Dieter Burkhard FB Informatik Humboldt-University Berlin PF 1297, 1086 Berlin, Germany e-mail: hdb@informatik.hu-berlin.de Abstract Problems
More informationLecture 5 Safety Analysis FHA, HAZOP
Lecture 5 Safety Analysis FHA, HAZOP Introduction While designing a safety-critical system usually several safety analysis techniques are applied The idea is to achieve completeness of safety requirements,
More informationSimulation of LET Models in Simulink and Ptolemy
Simulation of LET Models in Simulink and Ptolemy P. Derler, A. Naderlinger, W. Pree, S. Resmerita, J. Templ Monterey Workshop 2008, Budapest, Sept. 24-26, 2008 C. Doppler Laboratory Embedded Software Systems
More informationVICTORY VALIDATION AN INTRODUCTION AND TECHNICAL OVERVIEW
2012 NDIA GROUND VEHICLE SYSTEMS ENGINEERING AND TECHNOLOGY SYMPOSIUM VEHICLE ELECTRONICS AND ARCHITECTURE (VEA) MINI-SYMPOSIUM AUGUST 14-16 TROY, MICHIGAN VICTORY VALIDATION AN INTRODUCTION AND TECHNICAL
More informationAutomatic synthesis of switching controllers for linear hybrid systems: Reachability control
Automatic synthesis of switching controllers for linear hybrid systems: Reachability control Massimo Benerecetti and Marco Faella Università di Napoli Federico II, Italy Abstract. We consider the problem
More informationAn Eclipse Plug-in for Model Checking
An Eclipse Plug-in for Model Checking Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala Electrical Engineering and Computer Sciences University of California, Berkeley, USA Rupak Majumdar Computer Science
More informationSoftware Engineering: Integration Requirements
Software Engineering: Integration Requirements AYAZ ISAZADEH Department of Computer Science Tabriz University Tabriz, IRAN Abstract: - This paper presents a discussion of software integration requirements,
More informationFormal Methods in Describing Architectures
Presented at the 1995 Monterey Workshop on Formal Methods and Architecture Introduction Formal Methods in Describing Architectures Dr. Paul C. Clements Software Engineering Institute 1 Carnegie Mellon
More informationTest-Case Generation and Coverage Analysis for Nondeterministic Systems Using Model-Checkers
Test-Case Generation and Coverage Analysis for Nondeterministic Systems Using Model-Checkers Gordon Fraser and Franz Wotawa Institute for Software Technology Graz University of Technology Inffeldgasse
More informationPrototyping Navigation in Web-Based Information Systems Using WebML
Prototyping Navigation in Web-Based Information Systems Using WebML Jaroslav KURUC 1, Peter DOLOG 2 and Mária BIELIKOVÁ 1 1 Institute of Informatics and Software Engineering, Faculty of Informatics and
More informationSemantic Specifications for Domain-Specific Modeling Languages
Semantic Specifications for Domain-Specific Modeling Languages Gabor Simko Institute for Software Integrated Systems Vanderbilt University Nashville, TN Abstract. While there is a generic agreement that
More informationAn Integrated Test Framework to Reduce Embedded Software Lifecycle Costs
White Paper An Integrated Test Framework to Reduce Embedded Software Lifecycle Costs Version 1.0: August 23, 2012 Presented by: Chris Domin, Business Dev. Mgr. Engineering Services, sales@danlawinc.com
More informationIntroduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL
Introduction to Linear-Time Temporal Logic CSE 814 Introduction to LTL 1 Outline Motivation for TL in general Types of properties to be expressed in TL Structures on which LTL formulas are evaluated Syntax
More informationCRI: Symbolic Debugger for MCAPI Applications
CRI: Symbolic Debugger for MCAPI Applications Mohamed Elwakil 1, Zijiang Yang 1, and Liqiang Wang 2 1 Department of Computer Science, Western Michigan University, Kalamazoo, MI 49008 2 Department of Computer
More informationHow useful is the UML profile SPT without Semantics? 1
How useful is the UML profile SPT without Semantics? 1 Susanne Graf, Ileana Ober VERIMAG 2, avenue de Vignate - F-38610 Gières - France e-mail:{susanne.graf, Ileana.Ober}@imag.fr http://www-verimag.imag.fr/~{graf,iober}
More informationISO compliant verification of functional requirements in the model-based software development process
requirements in the model-based software development process Hans J. Holberg SVP Marketing & Sales, BTC Embedded Systems AG An der Schmiede 4, 26135 Oldenburg, Germany hans.j.holberg@btc-es.de Dr. Udo
More informationQ Body of techniques supported by. R precise mathematics. R powerful analysis tools. Q Rigorous, effective mechanisms for system.
Introduction to Formal Methods 1 Introduction to Formal Methods 2 Formal Specification Requirements specification R notational statement of system services Software specification R formal abstract depiction
More informationLearning-Based Assume-Guarantee Verification (Tool Paper)
-Based Assume-Guarantee Verification (Tool Paper) Dimitra Giannakopoulou and Corina S. Păsăreanu NASA Ames Research Center, Moffett Field, CA 94035-1000, USA 1 Introduction Despite significant advances
More informationExtracting the Range of cps from Affine Typing
Extracting the Range of cps from Affine Typing Extended Abstract Josh Berdine, Peter W. O Hearn Queen Mary, University of London {berdine, ohearn}@dcs.qmul.ac.uk Hayo Thielecke The University of Birmingham
More informationPROPAGATION-BASED CONSTRAINT SOLVER IN IMS Igor Ol. Blynov Kherson State University
Інформаційні технології в освіті UDC 0044:37 PROPAGATION-BASED CONSTRAINT SOLVER IN IMS Igor Ol Blynov Kherson State University Abstracts Article compiling the main ideas of creating propagation-based
More informationjunit RV Adding Runtime Verification to junit
junit RV Adding Runtime Verification to junit Normann Decker, Martin Leucker, and Daniel Thoma Institute for Software Engineering and Programming Languages Universität zu Lübeck, Germany {decker, leucker,
More informationFORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY
FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY Pamela Zave AT&T Laboratories Research Florham Park, New Jersey, USA
More informationAn Information Model for High-Integrity Real Time Systems
An Information Model for High-Integrity Real Time Systems Alek Radjenovic, Richard Paige, Philippa Conmy, Malcolm Wallace, and John McDermid High-Integrity Systems Group, Department of Computer Science,
More informationSpemmet - A Tool for Modeling Software Processes with SPEM
Spemmet - A Tool for Modeling Software Processes with SPEM Tuomas Mäkilä tuomas.makila@it.utu.fi Antero Järvi antero.jarvi@it.utu.fi Abstract: The software development process has many unique attributes
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Copyright 2014 Carnegie Mellon University This material
More informationVerification of Concurrent Programs, Part I: The Temporal Framework
June 1981 Report. No. ~ 1 AN-U-81-836 Verification of Concurrent Programs, Part I: The Temporal Framework by Zohar MilnIla Amir Ynucli Office of Navitl Rcscarch Department of Computer Science Stanford
More informationCOST ESTIMATION FOR DISTRIBUTED SYSTEMS USING USE CASE DIAGRAM
S. V. Pingale et al. : Cost Estimation for Distributed Systems using Use Case Diagram Journal of Advances in Engineering Science 41 Section C (3), July - December 2010, PP 41-48 COST ESTIMATION FOR DISTRIBUTED
More informationMetamodeling for Business Model Design
Metamodeling for Business Model Design Facilitating development and communication of Business Model Canvas (BMC) models with an OMG standards-based metamodel. Hilmar Hauksson 1 and Paul Johannesson 2 1
More informationThe Contract Pattern. Design by contract
The Contract Pattern Copyright 1997, Michel de Champlain Permission granted to copy for PLoP 97 Conference. All other rights reserved. Michel de Champlain Department of Computer Science University of Canterbury,
More informationVerification and Test with Model-Based Design
Verification and Test with Model-Based Design Flight Software Workshop 2015 Jay Abraham 2015 The MathWorks, Inc. 1 The software development process Develop, iterate and specify requirements Create high
More informationModeling Crisis Management System With the Restricted Use Case Modeling Approach
Modeling Crisis Management System With the Restricted Use Case Modeling Approach Gong Zhang 1, Tao Yue 2, and Shaukat Ali 3 1 School of Computer Science and Engineering, Beihang University, Beijing, China
More informationEnhancing validation with Prototypes out of Requirements Model
Enhancing validation with Prototypes out of Requirements Model Michael Deynet, Sabine Niebuhr, Björn Schindler Software Systems Engineering, Clausthal University of Technology, 38678 Clausthal-Zellerfeld,
More informationThis project has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No
This project has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No 643921. TOOLS INTEGRATION UnCoVerCPS toolchain Goran Frehse, UGA Xavier
More informationAn Automatic Test Case Generator for Testing Safety-Critical Software Systems
An Automatic Test Case Generator for Testing Safety-Critical Software Systems Mehdi Malekzadeh Faculty of Computer Science and IT University of Malaya Kuala Lumpur, Malaysia mehdi_malekzadeh@perdana.um.edu.my
More informationUtilizing Static Analysis for Programmable Logic Controllers
Sébastien Bornot Ralf Huuck Ben Lukoschus Lehrstuhl für Softwaretechnologie Universität Kiel Preußerstraße 1 9, D-24105 Kiel, Germany seb rhu bls @informatik.uni-kiel.de Yassine Lakhnech Verimag Centre
More informationCombining Different Business Rules Technologies:A Rationalization
A research and education initiative at the MIT Sloan School of Management Combining Different Business Rules Technologies:A Rationalization Paper 116 Benjamin Grosof Isabelle Rouvellou Lou Degenaro Hoi
More informationIntroduction & Formal Methods
Introduction & Formal Methods http://d3s.mff.cuni.cz Jan Kofroň CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Introduction to dependable systems NSWE 002 What you learn: Dependable systems
More informationSOME OPERATIONS ON INTUITIONISTIC FUZZY SETS
IJMMS, Vol. 8, No. 1, (June 2012) : 103-107 Serials Publications ISSN: 0973-3329 SOME OPERTIONS ON INTUITIONISTIC FUZZY SETS Hakimuddin Khan bstract In This paper, uthor Discuss about some operations on
More informationVerification Framework for Detecting Safety Violations in UML State chart Models of Reactive Systems C.M. Prashanth
Verification Framework for Detecting Safety Violations in UML State chart Models of Reactive Systems C.M. Prashanth Dept. of Computer Engineering N.I.T.K, Surathkal INDIA-575 025 +91 9448185670 prashanth_bcs@yahoo.co.in
More informationModel Checking: Back and Forth Between Hardware and Software
Model Checking: Back and Forth Between Hardware and Software Edmund Clarke 1, Anubhav Gupta 1, Himanshu Jain 1, and Helmut Veith 2 1 School of Computer Science, Carnegie Mellon University {emc, anubhav,
More informationJava-MOP: A Monitoring Oriented Programming Environment for Java
Java-MOP: A Monitoring Oriented Programming Environment for Java Feng Chen and Grigore Roşu Department of Computer Science University of Illinois at Urbana - Champaign, USA {fengchen,grosu@uiuc.edu Abstract.
More informationFORMALIZED SOFTWARE DEVELOPMENT IN AN INDUSTRIAL ENVIRONMENT
FORMALIZED SOFTWARE DEVELOPMENT IN AN INDUSTRIAL ENVIRONMENT Otthein Herzog IBM Germany, Dept. 3100 P.O.Box 80 0880 D-7000 STUTTGART, F. R. G. ABSTRACT tn the IBM Boeblingen Laboratory some software was
More informationIntroducing MESSIA: A Methodology of Developing Software Architectures Supporting Implementation Independence
Introducing MESSIA: A Methodology of Developing Software Architectures Supporting Implementation Independence Ratko Orlandic Department of Computer Science and Applied Math Illinois Institute of Technology
More informationFormal Foundations of Software Engineering
Formal Foundations of Software Engineering http://d3s.mff.cuni.cz Martin Nečaský Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Goals of the course Show methods and tools
More informationModelling and verification of BPEL business processes
Modelling and verification of BPEL business processes Marina Mongiello Dipartimento di Elettronica ed Elettrotecnica Politecnico di Bari, Italy mongiello@poliba.it Daniela Castelluccia Dipartimento di
More informationSPECIFYING AND MODELING MULTICAST COMMUNICATION IN CBCAST PROTOCOL
THE PUBLISHING HOUSE PROCEEDINGS OF THE ROMANIAN ACADEMY, Series A, OF THE ROMANIAN ACADEMY Volume 13, Number 3/2012, pp. 261 268 SPECIFYING AND MODELING MULTICAST COMMUNICATION IN CBCAST PROTOCOL Seyed
More informationOn the Role of Formal Methods in Software Certification: An Experience Report
Electronic Notes in Theoretical Computer Science 238 (2009) 3 9 www.elsevier.com/locate/entcs On the Role of Formal Methods in Software Certification: An Experience Report Constance L. Heitmeyer 1,2 Naval
More informationFrom Event-B Models to Dafny Code Contracts
From Event-B Models to Dafny Code Contracts Mohammadsadegh Dalvandi, Michael Butler, Abdolbaghi Rezazadeh Electronic and Computer Science School, University of Southampton Southampton, United Kingdom {md5g11,mjb,ra3}@ecs.soton.ac.uk
More information