ABSTRACT Formal methods help in quantifying the functional and nonfunctional requirements that are later used in the verification process for safety assurance in real-time systems. System formalism is a crucial step in terms of exploring system's behavior and listing the non-functional requirements. In the context of real-time systems, the non-functional requirements refer to the verification properties of the system. Formalism in software development life cycle refines every process, starting from the formalization of system's requirements, analysis of system's behavior and exploring its properties, implementation of the problem's solution under consideration, and verification of safety critical properties. Rule-based expert system helps in inferring unknown on the basis of some known input, that is, knowledge and rule set. Knowledge is comprised of something known by an individual called an expert of that domain. It requires an expert skill set in order to model and verify some system in model checkers like UPPAAL. This research contribution has explored a variation of traffic light system's case study, modeled the system in UPPAAL model checker, and later verified the safety critical properties of the generated system like safety, liveness, fairness, reachability, and deadlock freeness to cross-check the validity of transformation rule set. This research is focused on providing the rule-based expert system for inferring timed automata (input of UPPAAL model checker) on the basis of fact cum input, that is, C++ code. Structural facts are used along with the transformation rule set to get the timed automata that verify safety properties of selected case studies-multiple variations of a traffic light system. INDEX TERMS UPPAAL model checker, verification properties, automaton, formalism, rule-based expert system, knowledge base, inference engine.
I. INTRODUCTION
In Software Engineering (SE), computation and automation techniques help in delivering the quality product. SE is fundamentally opted to minimize human error in real-time processes. There are some generic phases in Software Development Life Cycle (SDLC) like Software Requirement Engineering (SRE), Software Design and Architecture (SDA), Software Implementation (SI), Software Testing (ST) and Maintenance. Software Project Management (SPM) and Software Quality Engineering (SQE) are the umbrella activities for the SDLC. This research contribution focuses on the automation of some of the SDLC phases so that the artifacts are processed in an efficient and optimized way.
With a focus on traffic light systems, this research presents how the mentioned goal is accomplished by the core contribution of this dissertation i.e., holistic method for the automation of formalism in SDLC for the validation and verification of the real-time systems and its application in satisfying the verification properties associated with the critical section of complex systems.
Formal methods help in quantifying the functional and nonfunctional requirements that are later used in the verification process for safety assurance in real-time systems. System formalism is a crucial step in terms of exploring system's behavior and listing the non-functional requirements. In the context of real-time systems, the non-functional requirements refer to the verification properties of the system. Formalism in software development life cycle refines every process, starting from the formalization of system's requirements, analysis of system's behavior and exploring its properties, implementation of the problem's solution under consideration and verification of safety critical properties [2] .
II. LITERATURE SURVEY
Computational sciences work for the automation from one artifact to another [1] . Earlier when the computational machines were introduced, big promises of the error free systems were made by the developers [2] . In software development life cycle, there are five core processes which are software requirement engineering (SRE), software design and architecture (SDA), implementation, Testing (Verification and Validation V&V) and maintenance.
As per research [10] , it is found that most of the errors are introduced in the SRE phase and captured later in the testing phase. The formalism of the requirements helps in parsing the requirements systematically so that to explore errors as soon as possible. Error pruning is highly critical in real-time systems [16] . In case the system is not formally crosschecked against the safety critical properties, there is a very high probability of loss of life, reputation, time and money [13] . Model checkers like UPPAAL, SPIN, DiVine, Hytech etc help in formalizing the system in terms of its modeling, simulation, and verification [24] .
III. CASE STUDY IMPLEMENTATION
The research contribution is focused on implementing two case studies provided in the literature [20] and [32] . Systems are modeled and verified in UPPAAL model checker. Experimental results are recorded by executing the verification properties in BFS, DFS, and Random DFS search order.
This section presents the brief description of both systems along with modeling and verification of the safety critical properties.
A. FIRST CASE STUDY -HIGHWAY FARM TRAFFIC LIGHT SYSTEM Fig.1 shows the Highway Farm Traffic Light (HFTL) system where there are two highway and farm road, and both facilitate 2-way traffic. The cross section in the center is the safety critical area and traffic light system is deployed to control the access of this shared resource. Software modeling and verification of this system is done in UPPAAL model checker and presented in the following sections:
1) MODELING OF HFTL SYSTEM
HFTL system is a composition of these sub-systems i.e., Light, Timer, and Controller models. In Fig. 2 , the Light subsystem is modeled in UPPAAL. Y1 and Y2 are yellow Light Model has four states i.e., yellow and green for highway and farm road whereas red1 and red2 Booleans are modeled as guard conditions. Fig. 3 Initially, the Light model is in Y2 state and timer model is in Ticking state and Highway traffic is in hy state. When it receives green1? Signal from the controller model, the farm road traffic starts utilizing the cross section and highway traffic waits.
2) VERIFICATION OF HFTL SYSTEM
In order to crosscheck the validity of modeled automaton, its mandatory to verify the model's simulation and verification properties. Some basic real-time properties are verified in CTL as follows:
The system is in safe when the green signal of farm road and a red signal of highway is on.
i.e., A[](Light1.G1 == true imply red2 == true)
The system is in a safe state when highway traffic is moving and farm road traffic is waiting. HSTL system is a composition of these sub-systems i.e., Lamp, Timer, and Controller models. As shown in Fig. 6 , Lamp Model has three states i.e., Green, Yellow, and Red. There are three boolean indicators i.e., green_on, yellow_on, and red_on that are used in guard conditions. Initially, the Controller is in Highway_Green state where start1 is true with stop1 equals false. After traversing Highway_Yellow, Highway_Red, Street_Green, Street_Yellow and Street_Red states, the control is transferred to Highway_Green with start2 equals false and turning on stop2.
2) VERIFICATION OF HSTL SYSTEM
In order to crosscheck the validity of modeled automaton, it's mandatory to verify the model's simulation and verification properties. Some basic real-time properties are verified in CTL as follows:
Safety property states that if the traffic is flowing through the highway road then the street traffic should be in waiting state. 
IV. EXPERIMENTAL RESULTS OF IMPLEMENTED CASE STUDY
The verification properties executed in Section III for HFTL and HSTL systems are analyzed in the result section. The automaton can be expanded into the tree where the initial state is the root node and the next nodes after successful transitions are the child nodes. The search operation is performed while verifying the safety properties. In UPPAAL, there are three search options i.e., BFS, DFS, and Random DFS. Verification properties of both HFTL and HSTL systems are executed for all three search orders. with BFS where Verification, Kernel and Elapsed time used (in seconds) is recorded for all five verification properties.
As per experiment, verification and kernel time is almost negligible whereas elapsed time is the key distinguishing factor. Fig. 9 shows the graphical representation of the time used in the way to properties execution of HSTL with BFS. Fig. 9 highlights the curve in the center of the graph for all three types of times used while execution. Verification time used by the UPPAAL model checker is worth mentioning for Safety and Deadlock freeness properties. Kernel responded all properties in no time but the deadlock property took 0.01 seconds. Elapsed time is the one that responded uniquely for all of the verified properties. Safety property took maximum elapsed time i.e., 0.02 seconds and with fractional change deadlock freeness property has 0.018 seconds of elapsed time used whereas milliseconds were taken by the execution of reachability, liveness and fairness properties. As per experiment, verification and kernel time is almost negligible whereas elapsed time is the key distinguishing factor. Fig. 10 shows the graphical representation of the time used in the way to properties execution of HSTL with DFS. Table 3 . Shows the HSTL with Random DFS where Verification, Kernel and Elapsed time used (in seconds) is recorded for all five verification properties.
As per experiment, verification and kernel time is almost negligible whereas elapsed time is the key distinguishing factor. Fig. 11 shows the graphical representation of the time used in the way to properties execution of HSTL with Random DFS. Fig. 11 highlights the curve for the kernel elapsed time whereas Verification time used is non-zero only for safety property.
Analyzing the results from different search order shows that BFS took more elapsed time as compared to DFS and Random DFS.
For BFS, only safety property took non-zero verification time whereas in DFS and Random DFS properties which were using 'for all (A)' path quantifier are taking more time as compared to the properties where the path quantifier is 'there exists (E)'. Reasons for this variation are discussed in Section V for Discussion and Analysis.
The search operation is performed for HFTL as well while verifying the safety properties. Verification properties of HFTL system are executed for all three search orders. As per experiment, verification and kernel time is exactly zero for all six verification properties whereas elapsed time is the key distinguishing factor for all properties except Reachability and Utility. As mentioned above, these are the only properties where the path quantifier is 'there exists (E)'.
Results from Table 4 shows that the only time used by some of the properties is in milliseconds thus the complexity of the system contributes to the time and space efficiency. Fig. 12 shows the graphical representation of the time used in the way to properties execution of HFTL with BFS. Fig. 12 only mentions the curve for the elapsed time whereas Verification and Kernel time used are non-zero only for each and every verification property. Table 5 . Shows the HFTL with DFS where Verification, Kernel and Elapsed time used (in seconds) is recorded for all six verification properties.
As per experiment, verification time is exactly zero for all six verification properties whereas kernel is 0.01 for deadlock freeness only. Elapsed time is the key distinguishing factor for all properties except Utility. Comparing the results from Table 4 and 5 for BFS and DFS time efficiency of HFTL system shows that BFS took more elapsed time as compared to DFS. Verification and Kernel time is exactly zero for all properties in BFS but in DFS deadlock freeness took 0.01s of kernel time to check the nonprogressing states deep inside the search space. Fig. 13 shows the graphical representation of HFTL with DFS. Table 6 shows the HFTL with Random DFS where time used (in seconds) is recorded for all six verification properties. 
V. DISCUSSION AND ANALYSIS OF THE EXPERIMENT
This section provides a brief discussion and analysis of the results with respect to different case studies, search options, and verification properties. One quick observation is that the properties which were using 'for all (A)' path quantifier are taking more time as compared to the properties where the path quantifier 'there exists (E)' is used. A brief explanation of 'for all (A)' and 'there exists (E)' path quantifier is provided before comparing the results on the basis of variation in the system, a search option and type of verification property. Fig. 15 graphically represents the 'For All (A)' path quantifier. Yellow indicates that these nodes have satisfied any particular property so the property is true for all paths as in every path we have the yellow node. One counter-example is enough to nullify the properties represented with 'A'. Fig. 16 graphically represents the 'There Exists (E)' path quantifier. Yellow indicates that this particular node has satisfied some property so the property is true for this specific path only. One correct example is enough to prove that the property specified with 'E' is true.
Dimensional analysis of the experimental results as per verification, kernel and elapsed time used, is as follows:
A. VARIATION IN SYSTEM
In HFTL system, there is no change after varying the search option and nature of the property and it is observed that the verification time used is exactly zero for complete HFTL system. Deadlock freeness property is the only case where the kernel time used is non-zero whereas it's exactly zero for 17 instances. Elapsed time used is the either zero or in milliseconds for complete HFTL system.
As far as HSTL system is concerned, verification time is 0.01 in some cases for safety and deadlock freeness only. Kernel time is occasionally 0.01 for safety, deadlock freeness, and fairness properties. Elapsed time is the one that responded uniquely for all of the verified properties. Safety property took maximum elapsed time (i.e., 0.02, 0.012 and 0.014 seconds) and with fractional change deadlock freeness property (i.e., 0.018, 0.013 and 0.009 approx 0.01 seconds) has second largest elapsed time whereas milliseconds were taken in the execution of reachability, liveness and fairness properties.
As HFTL is relatively less complex as compared to HSTL system, so it took zero verification and kernel time. Also elapsed time is always in milliseconds as compared to greater time used by HSTL system in verifying properties.
B. VARIATION IN SEARCH OPTION
BFS for HSTL took relatively more elapsed time for verifying safety and deadlock freeness properties while DFS VOLUME 5, 2017 and Random DFS took milliseconds for satisfying the properties.
C. VARIATION IN VERIFICATION PROPERTIES
Safety and Deadlock freeness took more as compared to all other properties in every search option and system's variation. If the system is safe and is progressing (deadlock free), then the system is said to be in the feasible state.
VI. COMPUTATIONAL CONVERSION VIA TRANSFORMATION RULES
As in the Object Oriented Programming, there are attributes and methods inside a class and in automata, there are nodes and edges. Nodes represent the static or stable behavior of the system and edges are the transitions. Thus edges show the dynamicity and depict the variability factor of the automata in terms of processing the triggered event and modifying the state [30] . C++ code will be provided as an input, after applying some transformation rules the automaton will be generated which will be used later in UPPAAL and verification properties will be ensured. cout<<"State is not defined"; break; } } As per the transformation rules proposed in this research, the attributes of the class are translated as a state of automata and methods of the class define the transition mechanism.
Translation Rule # 1: Class name is the system name in UPPAAL model checker i.e., [system_name] is TrafficLight for the case study under observation.
Rule # 1 -Set System Name If <variable_name comes after the keyword 'Class'> Then <use that variable name as the System name in UPPAAL> Translation Rule # 2: s11, s12, . . . , s1M are the states of subsystem1 defined in attribute section of the class.
Translation Rule # 3: In the constructor, the initial state of all the subsystems is defined e.g., the initial state of subsystem1 is s11 which is marked as a double circle in UPPAAL's automaton. Translation Rule # 4: After defining all states and marking the initial state, the edges handle in the automaton. In the private section of class declarations, state variables are defined for all subsystems and in the transition function, it is the same state variable which keeps the information of the current state. States switch among s11, s12, and s1M in subsystem1 so the switch construct of C++ is translated. For example, if the current state is s11, then the controller checks if the cond1 is true and in case it is true then the state control variable value is switched from s11 to s12. Same happens for all switch cases. In an expert system or knowledge-based intelligent agent, knowledge is represented as a rule set. The reasoning is either probabilistic or logical. Inference engine, knowledge base, and facts are the basic components of an expert system. In the case of a rule-based expert system, knowledge is the composition of the rule set. Facts are the data elements that derive the inference engine. Inference engine uses the rule set and the facts to infer the conclusion.
After applying the above three transformation rules on subsystem1 following automaton of Fig. 17 is the Traffic Light system for Highway and Street road is provided in [21] and for this research, it is implemented in C++. The case study illustrates the working of highway and street road; the crossing section of both roads is the critical region and traffic light system is to be deployed there to ensure the flow of either highway or street traffic at a time but not both (XOR operator).
A. CASE STUDY
There is the main class of TrafficLight having attributes of all subsystems' states and methods for all transitions. Enumeration is used for listing all states of a specific subsystem. Lamp, Timer (Highway and Street) and Controller are the subsystems of TrafficLight class.
All transition functions are declared public for Lamp 
B. SUB-SYSTEM1: LAMP
Lamp of the TrafficLight system shows the light status i.e., GREEN, YELLOW and RED as per the status of guard conditions. State control variable for Lamp is l_state and it is being used in switch construct of C++ code to switch over the states on the basis of conditional cases. cout<<"State is not defined"; break; } } Initially the Lamp is in GREEN state as defined by the constructor. If the boolean value for green_on is true, yellow_on is false and red_on is false then the system switches to the Yellow_Lamp state. l_state is equal to YELLOW. Fig. 18 shows the Lamp Automaton generated from the code transformation.
When the system is in YELLOW state and controller transmits a change in state signal than on the basis of green_on is equal to false, yellow_on is true and red_on is false, control is transferred from YELLOW to RED state. The same pattern of customized conditions will be followed by RED to GREEN state transfer.
C. SUB-SYSTEM2: TIMER
The timer of the TrafficLight system will manage the time required for staying in the state and condition for transiting to the successor state. As Highway traffic flows for more time as compared to street traffic, so two different transitions code are there for both cases i.e., HighwayTimerTransitions and StreetTimerTransitions respectively but the time controlled variables like T1, T2, T3, T4, T5, and T6 synchronize both automatons. HighwayTimer and StreetTimer automatons work in synchronization. When the Highway_Green OR Highway_Yellow is turned on, then Street_Red is also active. Similarly when Street_Green or Street_Yellow is turned on then Highway_Red is also active. Fig. 19 shows the Highway and Street Timer Automaton generated from the code transformation. Initially, the Controller is in the Highway_Green state where start1 is true with stop1 equals false. After traversing Highway_Yellow, Highway_Red, Street_Green, Street_Yellow and Street_Red states, the control is transferred to Highway_Green after equating start2 with false and turning on stop2. The translated automaton satisfies all of the six basic verification properties as shown in Fig. 21 .
VII. CONCLUSION
This research is focused on providing the transformation rule set for the automation of C++ code into an UPPAAL's automaton and vice versa. The framework is proposed that takes the object oriented code of the system's class. System's static and dynamic behavior is declared in the attribute and method section of the class respectively. As the real-time system is a composition of modules, components, and subsystems so enumeration construct is used for listing all states of every subsystem accordingly. For every subsystem, transition cases are defined which are later translated for the edges i.e., guard conditions.
TrafficLight system with Timer (Highway and Street), Lamp and Controller is coded in C++ and after applying the transformation rules, automatons are generated for all subsystems. In order to verify the correctness of the rule set, the transformed automatons are cross-checked across the critical properties and finally, the correctness is ensured once all properties are satisfied.
UPPAAL model checker provides enriched features to model timed automaton. This research is the starting contribution of a series of automation and transformation rules where time factor, urgent state, reset operation; committed state and time invariant are the remaining items in the research continuation to be automaton from C++ code to UPPAAL automaton. As this contribution is just a beginning, hence states and guards are extracted from C++ code and verified in the model checker.
This research aims to provide the rule-based expert system for inferring UPPAAL's automata on the basis of C++ code. The system is proposed that takes the object oriented code of the system's class. System's static and dynamic behavior is declared in the attribute and method section of the class respectively. As real-time system is a composition of modules, components and subsystems so enumeration construct is used for listing all states of every subsystem accordingly. For every subsystem, transition cases are defined which are later translated for the edges i.e., guard conditions. TrafficLight system with subsystem Lamp is coded in C++ and after applying the transformation rules, automatons are generated for the subsystems. In order to verify the correctness of the rule set, the transformed automaton is crosschecked across the critical properties and finally, the correctness is ensured once all properties are satisfied.
