Verifiable Fault-Tolerant Transformation of a Real-Time Legacy System by Owen DJ & Ezhilchelvan PD
Verifiable Fault-Tolerant Transformation of a
Real-Time Legacy System
Dan J. Owen
 
and Paul D. Ezhilchelvan
School of Computing Science, University of Newcastle, NE1 7RU
{d.j.owen, paul.ezhilchelvan}@ncl.ac.uk
Abstract
Transforming a non-fault-tolerant legacy system into a fault-tolerant one re-
quires, among other things, a convincing proof or argument that the transformed
system is functionally equivalent. In addition, one should be able to assess
whether the new system is capable of meeting the timeliness guarantees of the
original system, since the fault-tolerance support activities typically impose a
performance overhead. This paper describes the approach and methods we have
adopted to transform an industrial-strength real-time system specified in a low-
level language called the real-time network specification language (RTN-SL). We
have addressed two issues: (i) expressing the low-level design specification in a
suitably abstract form that simplifies fault-tolerant transformations, and (ii) for-
mulation of rules for incorporating known fault-tolerant techniques in a machine-
verifiable manner. The former is achieved by the use of a context-sensitive graph
grammar and the verification of transformation by utilising the IFAD VDM-SL
Toolbox. Our experience in applying these fault-tolerant transformation on an
industrial-strength legacy system exposes a general problem encountered, mer-
its of utilizing existing industrial tools, and the kinds of tools that need to be
developed.
Keywords: Real-Time, Formal Specification, Fault-Tolerant techniques, Graph Grammars, Test Oracles.
1 Introduction
Despite the wide-spread awareness of the importance of fault-tolerance and depend-
ability, many industrial-strength, real-time systems had stopped short of exploiting

Work was supported in part by BAE SYSTEMS as part of the DCSC project.
1
even well-known fault-tolerance techniques. Missile systems fall into this category of
systems in so far as the UK defence industries are concerned. The primary reason for
this situation is the consequence of the constraints that are normally placed on missile
systems. These constraints, as we understand, are mainly two-fold.
First comes the space constraint which discourages the deployment of redundant pro-
cessors or power supply; any extra space is likely to be used up by processors with
software that can provide highly sophisticated functions. Non-redundant power sup-
ply also mitigates against processor replication since a chain can only be as strong
as its weakest link. Secondly, there is the timeliness constraint. Missile systems are
basically control systems. This means that there are hard deadlines within which the
targets have to be identified and their co-ordinates correctly estimated based on the
radar data.
Despite these constraints, efforts are being made to incorporate fault-tolerance in mis-
sile systems due mainly to the growing importance placed on the UK MoD regulations
on ordinance safety and reliability. Decreasing size and cost of hardware components
and the increasing power and speed of such devices also motivate such efforts. The
work reported here is a part of the on-going work being carried out to make the legacy
missile systems of the BAE SYSTEMS, UK, more fault-tolerant without violating the
timeliness constraints.
Using design templates to record fault-tolerant techniques and applying the templates
on an existing design by means of a design transformation technique have been sug-
gested earlier [1]. Taking this approach for a legacy system throws up a challenging
problem. The specification of a legacy system design is often preserved only in a lan-
guage that the production engineers use. Such a language is usually very low-level,
allows the design to be described in minute details, and therefore remains production-
engineer-friendly. In case of BAE SYSTEMS, the design specifications are available
in a language called the Real-Time Network Specification language (RTN-SL) [2]. An
RTN-SL design is not amenable to modifications that can be systematically verified,
which is necessary to gain confidence in the modified design.
The problem therefore is to identify or develop techniques and tool support to perform
verifiable, fault-tolerant transformation of legacy design in large scale, when the legacy
design is specified in a low-level language (RTN-SL, in our case). We have solved this
problem for a small control system which is a component of the BAE missile system.
More specifically, we have developed techniques and incorporated fault-tolerance into
a small legacy system using passive and active replication techniques. We also verified
our fault-tolerant design transformation. We identify the tool support that need to be
developed for large scale design transformations, which will be our future work. The
paper is organised as follows.
The next section presents our approach and the rationale behind our choice. It is di-
vided into three subsections. The first sub-section highlights the low-level characteris-
tics of RTN-SL and argues that an RTN-SL design, for verifiable transformation, needs
to be represented in a more concrete syntax which in our case is the graph grammar.
The second sub-section provides the back-ground to graph grammar which is essential
to understand design transformation; it also describes the 24-rule grammar we have
derived to generate graph representations of RTN-SL designs. The last subsection
2
presents the essentials of VDM-SL and our strategy for transformation verification.
Section 3 describes the templates that record passive and active replication techniques,
and the steps involved in the fault-tolerant design transformation. Section 4 describes
how the transformation is verified and section 5 identifies the tool support for large-
scale, automated design transformations. Section 6 concludes the paper.
2 Background, Approach and Rationale
2.1 Real-Time Networks
Real-Time Networks (RTNs) are graphical expressions of Real-Time system designs,
used extensively by engineers in the British Defence Industry [3] such as BAE SYS-
TEMS, at the design and production level. The RTN-Specification Language (RTN-
SL) is a formal notation for (i) defining flat RTNs, and (ii) specifying the real-time and
functional behaviour of activities in a given RTN. An RTN activity generally refers to
the actions carried out by a single threaded process in computing systems. An activity
is specified in RTN-SL as a sequential state machine, and the interaction between two
activities is captured via the semantics of explicit communications protocols, called
the inter-communication data areas (IDAs) [4], between the two state machines. A
state machine makes state transitions, and the states reached can be either static or
dynamic. Static states are wait states in which either an input or passage of time is
awaited. They have no computational operation specified on them. A dynamic state,
on the other hand, has exactly one operation specified on it. The specification includes
explicit recording of ports between which the data can flow. It is this explicit data
flow description which makes it feasible to perform the fault-tolerant transformations
we seek. We illustrate this feasibility, and the difficulties involved, through a simple
fault-tolerant transformation of a RTN.
Figure 1: Watch-dog Example
Figure 1(a) shows an activity A in RTN-SL. It is supposed that A receives a signal (in-
dicated by ) at port p1, performs a computation (e.g., radar image manipulation)
and writes the output into a pool ( ) using port p2. Figure 1(b) indicates a sim-
ple transformational step in which the original system is augmented with a watch-dog
timer sub-system. The latter produces an output if A does not produce its output within
a certain time interval after a signal is input. In a primitive sense, this transformation
3
step is fault-tolerant, as the added sub-system can detect the timing failure of A. The
sub-system itself is made up of three activities: the watch-dog itself (W), the Multi-
caster (M) which multicasts the input signals to both A and W, and a Filter (F) which
outputs the earliest of the outputs produced by A and W and suppresses the later one.
Observe that the transformation preserves the original neighbourhood interface of A.
Figure 2: (a) State Machine of activity F and (b) the RTN-SL Specification of state C
To expose the low-level characteristics of RTN-SL, we express the graphical design of
activity F in Figure 2(a) and the specification of one of F’s dynamic states, C in Figure
2(b). Referring to Figure 2(a), the graphical presentation of an activity state-machine
(ASM) specification is illustrated. In an ASM, a static state (e.g. D and E) is repre-
sented by an oval and a dynamic state (e.g. B and C) by a rectangle. The data-flows
to and from an activity are referenced by ’port-names’ and specified in the ASM at the
corners of dynamic states particular to the associated computation which consumes or
produces the result. Activity F starts in state A, the initial state, indicated by an arc
with no source. It remains in this wait state until either a signal stim_p10 on port p10,
or data rd_p9, on port, p9 is received, following which activity F enters either dynamic
state B or C respectively. Should the transition be to state C, then the operation cor-
responding to state C is executed and writes the result, as specified in Figure 2(b), to
p2. As p2 has an associated channel protocol, which is write blocking, state C must
transition to wait state E which can only be left once the write is complete (this cap-
tures the behaviour that a write in not instantaneous, critical in real-time systems). The
RTN-SL specification of state C is provided in Figure 2(b). Here the concrete syntax
is illustrated for just one dynamic state, state C, in activity F. The RTN-SL defines
the functionality of a dynamic state via pre- and post-conditions and imposes that an
operation have one input parameter, and one result. Values of such parameters are ob-
tained from the read of an input port and a result written to the output port mentioned
in the state definition. For C, these ports are p_10 and p2 respectively. A minimum
of three time bounds can be specified of a dynamic state: a best-case execution time
(BCET); a worse-case execution time (WCET); a worse-case response time (WCRT)
- enumerated as l1, wcet1 & u1 in Figure 2(b) respectively. These define the tem-
poral requirements that an implementation of a state must satisfy. On completion of
the associated computation, a transition based on a boolean condition is taken. When
more than one condition is true, a non-deterministic choice is taken. The above, par-
tial specification of F in RTN-SL also serves to indicate the tight coupling between the
graphical form and textual specification. This aspect, though very useful at the produc-
tion level, makes it tedious to pursue our objective of variable design transformations
4
in a larger scale. We therefore require a more abstract technology to represent system
design and make it fault-tolerant.
Our chosen technology is graph grammars for three principal reasons (i) it is possible
to represent a well-formed RTN design in an equivalent graph grammar design; (ii)
production rules inherent in graph grammars allow one graph to be embedded into
another (host) graph in a specified manner; and (iii) certain properties (e.g., flatness)
desired of an RTN design can be verified effectively in the equivalent graph grammar
representation. For instance, Paynter used a graph grammar to verify properties desired
from a low-level design specification [5].
2.2 Graph Grammars
There are many graph grammars in the literature [6][7]. We have chosen the NCE
context-sensitive graph grammar (NCE-CSG) [6]. We present below some terminol-
ogy and rules of this grammar which would be later used in our discussions.
Definition 1 - graph:
Let ∑ be an alphabet of node labels and let   be an alphabet of edge labels. A graph
over ∑ and   is a 3-tuple D=(V,E,λ  , where:
(1) V is a finite nonempty set of nodes,
(2) 
	ffflfiffi  !  #" is a set of edges,
(3) λ  : %$ ∑ is a node labelling function
The components of a graph H are denoted by '& , (& , and λ ) respectively.
Given two graphs, H and G, we say H is a subgraph of G (or H is induced of G) if
VH  VG and *,+-./&10(23+546.8790;:
<>= _ ?A@CB
?ff	D(&+E ffi :
<>= _ ?A@CB
?ff	DF78+
4
 where
:G<H= _ ?I@JB
? : ?A@JBff? _ =J?LKNMO+6PJ@G?Q$ ?I@JB
? _ =J?LK gives the set of edges whose source or
target is the node in graph.
Definition 2 - Directed Edge Neighbourhood-Controlled Embedding (edNCE) Gram-
mar
The edNCE graph gramma [6] is a 6-tuple R ffi 	 ∑ S  ∑ T    S    T UV5W# , where ∑ S and
∑ T are sets of non-terminal and terminal node labels respectively,   S and   T are
sets of non-terminal and terminal edge labels respectively. Z is the initial graph
and P is a set of production rules for transforming Z. A rule XYflW has the form
	DZ#\[1 : : ffiffi^] C_ where A, X and Y are graphs, A is a subgraph of Z, X a
subgraph of A, and C is the embedding relation for p. It defines how X can be
replaced by Y in the context of A, as specified by C.
Figure 3 shows an example of applying a production rule p, depicted in Figure 3(ii),
and transforming the Host graph H (Figure 3(i)) into the Result graph ` --a (Figure 3(iii)).
5
The first element of C states that where there exists in H an edge that is between nodes
a and x1,   1  [ , and labelled β, there should exist in ` --a an edge that is between a and
y1,  1  ] , and labelled γ; the field in indicates the edge under consideration must be
an incoming one incident on x1.
Figure 3: (i) Host graph; (ii) production rule p; (iii) Result Graph ` --a
We remark here that the graphs X and Y in a production rule X ffi 		DZ#\[1 : : ffiffi
	
]
C_V are often termed as the mother and the daughter graphs respectively; the
context graph A may be omitted in which case A is X. For p to be applied over a host
graph H, A must be a subgraph of H. When all nodes and edges of X are removed from
H, the remaining graph is referred as the rest graph.
2.3 Grammar Representation for RTN-SL
Based on the semantics of the edNCE graph grammar, we have developed a 24-rule
graph grammar which allows us to represent an RTN design in terms of a more abstract
syntax. These rules can be used, in appropriate permutations, to represent any well-
formed RTN design. All design representations are derived from the Initial Graph
which is shown in Figure 4.
IDA
01
A_IDA
re
a
d
02
Figure 4: The Initial Graph
The 24-rule grammar is a 6-tuple R ffi 	 ∑ S  ∑ T    S    T UV5W# , where ∑ S ffi 1Z _ Z
.Z _
	 Z  _ 	 _ 	
"
and ∑ T ffi  :JK

@ : @ _ =HK%= _ =HK-X PHKff
"
are sets of non-terminal and terminal node la-
bels respectively.  
S
ffi
A?A: @fi 

K\?fl Kffi ?fl"!L:# =J?fl
"
and  
T
ffi

A?A: @$

K\?%Kffi ?&'!L:# =J?&
"
are sets of non-terminal and terminal edge
labels respectively. Z is the Initial Graph shown in Figure 4, and P the set of produc-
tion rules. Note that more than one node can have the same label drawn from the finite
6
set and nodes are uniquely identified by integer tokens “01” or “02” as in Figure 4.
The 24-rules of our grammar are grouped into ’families’ based on the context in which
they can be applied. The reader is referred to Appendix B for a complete presentation
of the grammar. Here we present an example of a family of rules in Figure 5.
A_IDA
02
A_IDA
re
ad

03
A_IDA :=
01
ACT
04
IDA
w
rit
e
05
IDA
06
A_IDA
re
ad
07
Figure 5: A_IDA node based ’family’ production rules
The family of three rules shown in Figure 5 specifies how the non-terminal node la-
belled A_IDA can be transformed into networks. An A_IDA always consume data via
activities and produces an output for an IDA. The first rule shows how a new A_IDA
can be instantiated into a network. The second rule specifies the basic decomposition
of an A_IDA into a pair of ACT and IDA nodes to represent an activity (ACT) writing
to an IDA e.g., pool or channel. Rule 3 indicates how data from a new data source can
be instantiated into an existing area of a network.
2.4 Use of VDM-SL and Verification
Being able to represent (by hand) a given RTN design in a graphical form using our
24-rule grammar, we enumerate the design representation in the concrete syntax of
the VDM-SL (Vienna data model - specification language). The purpose of this en-
coding is two-fold (i) verify whether the production rules have been correctly applied
during the representation process; and (ii) verify the correctness of design transforma-
tion we intend to apply on the graphical representation. This encoding in VDM-SL is
necessary for two reasons. First, there is only a limited support to verify the graphi-
cal design representation directly and also the transformations we seek. Secondly, the
existing tool support for VDM-SL, namely the IFAD VDM-SL toolbox, allows auto-
mated verification of the representation and the transformation. However, there is no
tool-support for enumerating a graph in the VDM-SL syntax, which we had to do by
hand. Note that the enumerating a graph requires the 24-rule grammar to be encoded as
well, for verification. The 24-rule grammar is represented as values of basic and com-
posite VDM-SL data types, together with invariants which record the constraints and
well-formedness rules associated with a graph. Figure 6 shows the VDM-SL encoding
of graph H of Figure 3(i).
7
 : 	
 mk- 	  mk-token  "01"  A 
mk-token  "02"  B 
mk-token  "03"  C 
mk-token  "04"  D 
mk-token  "05"  X1 
mk-token  "06"  X2 
 mk-  mk-token  "01"  mk-token  "02"  ff ALPHA 
mk-  mk-token  "01"  mk-token  "03"  ff ALPHA 
mk-  mk-token  "01"  mk-token  "05"  ff BETA 
mk-  mk-token  "03"  mk-token  "05"  ff ALPHA 
mk-  mk-token  "03"  mk-token  "06"  ff BETA 
mk-  mk-token  "05"  mk-token  "04"  ff ALPHA 
mk-  mk-token  "06"  mk-token  "04"  ff BETA fi
Figure 6: VDM-SL concrete syntax representation of graph H
The first part of Figure 6 maps the token which uniquely identify nodes to labels. In
the second part, edges are similarly mapped to their labels. Figure 7 shows the data
type invariant for a graph. Lines .1 - .2 specify that the start and end nodes of every
edge must be in the set of nodes that define the graph; the next two lines state that if
there is edge from a start node s to an end node e, then there cannot exist another edge
from e to s (A well-formedness rule).
8.0 	 : : flffiff : !fl"ffi#ff%$&fl"ffifl(')fi*,+ fl"- - fl"ffi#ff#/.-0!fl"ffi#ff - - 1fi-$fl"ffifl')fifi*2+ fl"- - fl"ffi#ff - - 1fi- 
.1 )ff : ff .-3 - - 1fi-
.2 inv 
4
.3  5%76 dom ff8  79
.4  :8  fi'&fi';ffi#ff8 fifl;ffi#ff#"< dom ff8 fl"ffi#ff "=
.5 mk- 8 fifl;ffi#ff8  '&fi';ffi#ff	>6 dom 	8 ff  #=
.6 ?(@ - fiAff-   ff ;
Figure 7: Graph invariant
The specification of a graph and the enumeration of the 24-rule grammar comprise to
form a VDM-SL state-based model (The latter is presented in full in Appendix A.).
The size of the VDM-SL model is large even for a small graph. Therefore, formal
verification through mathematical proof was not considered as an option. An equally
effective approach is to use simulations on the model using the IFAD VDM Tools.
This allows us to verify not just the correctness of transformations but also the model
against the informal specification of graph grammars. Simulations however require
that the entire model be executable. Executable specifications allow one to demon-
strate the behaviour of a model well before implementation, in that specifications are
constructive, i.e. they not only demand the existence of a solution, but they actually
construct it [8]. They dilute the distinct advantages of specification being separable to
the objective of prototyping [9]. Given the lack of tool support [10] to verify trans-
formations in the graphical form itself and based on our experiences with executable
8
specifications [11], we opted to orientate the model as a Test Oracle. Our use of a Test
Oracle for transformation verification is discussed in section 4.
3 Design Transformation
The design transformation is carried out in the following manner. The fault-tolerant
techniques have been recorded as graph templates. A given RTN-SL design is repre-
sented as a graph (net1) by applying the 24-rule grammar mentioned in Section 2.2
to the Initial Graph (init). We then identify critical components which need to be
made fault-tolerant and the technique to be used for each component identified. The
appropriate graph templates are instantiated to net1 to derive the transformed design
representation net1’. These steps are depicted in Figure 8 which are illustrated here as
an example. The graph templates we have developed are presented first.
init net1
net1'
Figure 8: Transformation Steps
3.1 Fault-Tolerant Templates
Figure 9 shows two fault-tolerant templates: (i) passive state replication and (ii) active
activity replication, respectively. Since neither technique is context dependent in their
application, no context graph (A) is shown, leaving Z  [ and the syntax of P to be
simply [ : : ffi#ffi ] (meaning that X can be replaced by Y).
ACT :=
01
ACT
02
IDA
04
IDA
05
IDA
03
ACT
07
ACT
08
ACT
06
IDA
10
IDA
11
IDA
09
ACT
12
D_ST :=
01
D_ST
03
D_ST
02
D_ST
04 (i) (ii)
Figure 9: Fault-tolerant template examples
Figure 9(i) shows a dynamic state (D_ST) can be replaced by a specific arrangement
of three replicas. The arrangement states that should the first dynamic state, with an
associated operation, fail to produce a result within some given interval (WCRT), then
a failure transition to the second replica is taken, which similarly has an upper bound
to produce a result. Should this replica fail, then a further failure transition is followed
to a third and final state. The embedding relation, C1 of Figure 11 additionally speci-
fies the successful transitions from each replica: if a replica produces the result within
9
interval WCRT, a transition to the successor of X should occur. The fault-tolerant
property of this configuration is crash tolerance. Figure 9(ii) illustrates the arrange-
ment of the replicas and support activities required for a triple module redundancy
(TMR) system. The data flows to the mother graph, X are connected to the multicaster
(node “02” in Y), which multicasts this input to each of the replicas (nodes “06”, “07”,
“08”) via IDAs. The results of the replicas are written to the majority voter (node
“12”), again via IDAs. In this technique, replicas compute results in parallel providing
value tolerance. The embedding relation, C2 of Figure 11 states that incoming edges
to X connect to the multicaster, and similarly the outgoing edges of X originate from
the majority voter. We remark here that the edge labels and node ids are not shown in
Figure 9 and Figure 10 purely for presentational reasons, but their presence is essential
as per the graph grammar and for assigning the meaning to an RTN-SL design.
3.2 Fault Tolerant Transformation
Figure 10 shows the host graph taken from [5]. This graph represents the RTN-SL
design of an image processing system that receives real-time data from radars. The
dynamic state (D_ST) of Figure 10 is required to process the image-data received
via the port within some given interval. It is a critical component performing a real-
time task. The objective of processing by D_ST is to convert and trim the raw data
input from a radar into a form acceptable to the activity ACT which identifies a target
from the supplied data and computes the co-ordinates of the target. The co-ordinates
calculated are critical to the dependability of the missile delivery process. So, we
decided to apply template #2 to this activity and template #1 to the dynamic state.
IDA PORTtrue
S_ST
D_ST
tr
u
e
re
ad

S_ST
tr
u
e

PORT true IDA read
w
 rit
e
write IDAACT
=> #1
=> #2
Figure 10: Host Graph net11
The embedding relations for each template (#1 - Figure 9(i) and #2 - Figure 9(ii))
are shown in Figure 11 respectively, where C1 and C2 define the possible new edges
between the rest graph and mother graph.
10
{
   (ida, 01, read, 02, read, in),
   (a_ida, 01, true, 02, read, in),
   (ida, 01, write, 12, write, in),
   (a_ida, 01, write, 12, write, in),
}
C2 =
{
   (sm, 01, true, 02, true, in),
   (s_st, 01, true, 02, true, in),
   (d_st, 01, true, 02, true, in),
   (sm, 01, true, 02, true, out), (sm, 01, true, 03, true, out), (sm, 01, true, 04, true, out),
   (s_st, 01, true, 02, true, out), (s_st, 01, true, 03, true, out), (s_st, 01, true, 04, true, out),
   (d_st, 01, true, 02, true, out), (d_st, 01, true, 03, true, out), (d_st, 01, true, 04, true, out),
}
C1 =
Figure 11: Embedding relations for template #1 & #2 respectively
The result graph net1’ obtained after applying the two templates is given in Figure
12. Given the transformations of Figure 12, it can be seen that crashes are tolerated in
pre-processing the raw data and at most one value fault are masked in identifying the
target.
59
IDA
51
PORTtrue
52
S_ST
53
D_ST
re
 a
d
60
S_ST
55
PORT
56
true IDA
57wr
i te

IDAACT
63
IDA
65
IDA
66
IDA
64
D_ST
61
D_ST
62
tru
 e
tru
 e
tru
 e
read
w
r it
e
write
w
r ite
ACT
68
ACT
69
ACT
67
IDA
71
IDA
72
IDA
70
read
read
read
write
write
write
ACT
73
r ead
read
re
 ad

true
Figure 12: Result graph net1’
It would be a task by hand to translate net1’ back into an RTN-SL design that is more
fault-tolerant than the original design. The consistency and the timeliness properties
of the fault-tolerant design can be verified using the Netspec tool [12]. It must be
noted here that the Netspec-based verification only reports whether the new design is
consistent or not; it or any other known tool provides no support for debugging the
transformed design. Therefore, it is absolutely vital that the transformation to net1’ is
verified before timeliness analysis is done.
4 Verification of transformations
The approach to verification we have taken falls into the category of lightweight formal
methods [13]. In this approach, formal methods are used only where appropriate and
to seek immediate results. Our use of the formal methods is limited to using VDM-SL
in specifying the 24-rule grammar and the application of the production rules. The
verification itself is done through simulations of the test oracle generated. To this end,
the following two preliminary steps have been carried out.
11
A. The 24-rule grammar, used to represent an RTN-SL design in a graphical
form, has been enumerated in VDM-SL (as mentioned in section 2.4).
B. A predicate, called checkProd(), to verify the validity of transformations
is formally specified. Specifically, when a host graph ` --
a
, is transformed
into a resulting graph H by applying P, checkProd() evaluates a Boolean
predicate over ` --a , H and verifies the transformation. The formal specifi-
cation of checkProd() is given in Appendix A, line 18.
The outcomes of steps A and B are combined to produce a VDM-SL model which be-
comes the Test Oracle. The role of the Test Oracle in the verification process is shown
in Figure 13. The Oracle is simulated using the IFAD VDM-SL toolbox, taking the
host graph, result graph, and templates (all enumerated in VDM-SL syntax) as inputs.
It returns true (or false respectively) if the result graph is (is not) a valid transformation
of the host graph according to checkProd(). We have verified the transformation to the
result graph net1’, shown in Figure 12, to be valid.
VDM-SL Test
Oracle
IFAD
Toolbox
Host Graph
gragra VDM-SL
Transformation
Tool
Result Graph
gragra VDM-SL
Templates
gragra VDM-SL
Figure 13: Role of the Test Oracle
5 Further Work
We plan to automate the process of enumerating the graphical representation in VDM-
SL syntax. This will lead to a tool that will be of generic use and not be specific
to RTN-SL. Once a legacy design specified in any low-level language has been rep-
resented as a graph, the tool to be developed will support the automated verification
using the IFAD VDM-SL toolbox. The tool development is expected to involve a good
deal of programming, and our chosen language is ADA95. We are in the process of
developing tool support to represent RTN-SL designs in graph forms. We take ad-
vantage of the parse tree constructed by the Netspec tool when an RTN-SL design is
being verified for consistency and timeliness. To this end, we are developing a tech-
nique to interact with the Netspec tool at run time. The development of tool support
for enumeration in VDM-SL and graph representation of RTN-SL designs, together
with the method for applying transformations discussed here, will permit large-scale
design transformation of legacy systems. Our experience in using the 24-rule grammar
has interested us in hierarchical graphs, in which a node itself can be a graph. This
aspect would allow more detailed templates of fault-tolerant techniques to be applied
at different levels of abstraction.
12
6 Conclusions
To our knowledge, no serious work has been reported to have been carried out on the
topic of incorporating fault-tolerance into legacy systems. Design of such systems
are specified in low-level languages. We have derived a graph grammar to represent
such designs in a more abstract form that permits design transformations that can be
verified. To simplify design transformations, we recorded fault-tolerant techniques
suitable for real-time systems as templates and described a method to apply these tem-
plates, leading to a fault-tolerant design that is functionally equivalent to the original
design. We have taken a small real-time system and demonstrated the effectiveness
of our approach by replacing the critical components of the system with their fault-
tolerant equivalents. The design transformations were verified using the IFAD VDM-
SL Toolbox by generating a Test Oracle and running simulations. The test oracle will
also serve to verify the correctness of the tool support we intend to develop. These
tools will help automate design transformations and transformation verification, thus
simplifying the process of making legacy system design fault-tolerant on a large scale.
Acknowledgements
We would like to thank Stephen Paynter of BAE SYSTEMS for discussions and sup-
port in developing these techniques and John Fitzgerald of Transitive Technologies
Limited, UK, for the feedback given on the structure of the paper.
References
[1] B. Born, “Patterns for safety-critical systems,” Master’s thesis, Univeristy of
York, 1998.
[2] S. Paynter, “Rtn-sl: The real-time network specification language,” Tech. Rep.
DR 20656 - Issue 2, MBDA Technical Report, 2002.
[3] G. Woodward, “Rapier 2000 software development programme,” Software Engi-
neering Journal, vol. 11, no. 2, 1996.
[4] H. Simpson, “Protocols for process interaction: Part 1 (rationale and specifica-
tion), 2 (application), 3 (realisation),” Submitted to IEE Proceedings on Software,
1999.
[5] S. Paynter, “Structuring the semantic definitions of graphical design notations,”
IEE Software Engineering Journal, May 1995.
[6] K. S. T. K. Adachi, Y. and T. Yaku, “An nce context-sensitive graph grammar for
visual design languages,” in IEEE Symposium on Visual Languages, 1999.
13
[7] G. Rozenberg, “An introduction to the nlc way of rewriting graphs,” in Proceed-
ings of Graph Grammars and Their Application to Computer Science (G. R.
H. Ehrig, M. Nagl and A. Rosenfeld, eds.), vol. 291 of Lecture Notes in Computer
Science, pp. 55–66, 1987.
[8] N. Fuchs, “Specifications are (preferably) executable,” Software Engineering
Journal, p. 323, September 1992.
[9] I. Hayes and C. Jones, “Specifications are not (necessarily) executable,” Software
Engineering Journal, 1989.
[10] G. Tool. http://infosun.fmi.uni-passau.de/Graphlet/, Novemeber 2002.
[11] D. Owen, “Towards the formal analysis of a group communication protocol,” in
Proceedings of DSN2001, 2001.
[12] S. Paynter, November 2001.
[13] D. Jackson and J. Wing, “Lightweight formal methods,” in IEEE Computer,
vol. 29, IEEE, 1996.
14
Appendix A
Presented here is the full VDM-SL specification of the test oracle developed to support
the verification of the transformations.
types
1.0 fl"ffi#ff 
 token;
2.0 fl"ffifl')fifi*2+ fl"- - fl"ffi#ff7
 token;
3.0 fl"ffi#ff - - 1fi-:
 A_IDA $ ACT $ IDA $ PORT $ S_ST $ D_ST $ SINGLE_ACT $ SM $ END $ STATE ;
4.0 fl"ffifl')fifi*2+ fl"- - fl"ffi#ff - - 1fi-:
 A_IDA $ ACT $ IDA $ PORT;
5.0  - - 1fi-ff
 TRUE $ FALSE $ READ $ WRITE;
6.0  : :  fi'&fi';ffi#ff : flffiff
.1 fifl;ffi#ff : fl"ffi#ff
.2 inv 
4
8  fi'&fi'; ffiff%>
 8 fl";ffi#ff ;
7.0 1fi - )ff : :  fi'&fi'; ffiff : fl"ffi#ff - - 1fi-($)fl"ffifl')fifi*2+ fl- - flffiff - - 1fifi-
.1 fl"; ffiff : fl"ffi#ff - - 1fi-$flffifl(')fi*,+ fl"- - fl"ffi#ff - - 1fi-
.2 - 1fi- : )ff - - 1fifi-
8.0 	 : : flffiff : !fl"ffi#ff%$&fl"ffifl(')fi*,+ fl"- - fl"ffi#ff# .-0!fl"ffi#ff - - 1fi-$fl"ffifl')fifi*2+ fl"- - fl"ffi#ff - - 1fi- 
.1 )ff : ff .-3 - - 1fi-
.2 inv 
4
.3  5%76 dom ff8  79
.4  :8  fi'&fi';ffi#ff8 fifl;ffi#ff#"< dom ff8 fl"ffi#ff "=
.5 mk- 8 fifl;ffi#ff8  '&fi';ffi#ff	>6 dom 	8 ff  #=
.6 ?(@ - fiAff-   ff ;
9.0 fi- '+ffifl : :  fi ; ffiff : fl"ffi#ff - - 1fi-
.1 ffi- ;ffi#ff : flffiff
.2 +  fi'+ fl	   :  - - 1fi-
.3 fl ?   :  - - 1fi-
.4 '!; ffiff : fl"ffi#ff
.5 +  fi'+ffifl : IN $ OUT
10.0 ffi#A '+ ffifl : : -  -  :  	 
.1 -  - 	 : 	
.2  : 	
.3 * 1
%- : fi- '+ ffifl -set
.4 inv 
4
5//6 "8 * 1
%-#9
.5 :8 ffi- ;ffi#ff6 dom 8 -  - 	 8 fl"ffi#ff =
.6 :8 '&;ffi#ff6 dom "8  8 fl"ffi#ff ;
11.0 *,*  : : + fl(+ ' 	 : 	
.1  fi+ *  - ; : fl"ffifl')fifi*2+ fl"- - fl"ffi#ff -set
.2  fi+ *  -  : flffiff -set
.3 '&A - ; :  - - 1fi- -set
.4 '&A -  : ff - - 1fi- -set
.5 
 : ffi#A '+ ffifl -set
12.0 state  of
.1 * 	 : 	
.2 * *,*  : *,* 
.3 end
15
functions
13.0 fi)ff fi  #ffi : 	  flffiff  fl"ffi#ff -set
.1 fi)ff fi  #ffi " ff!fl"
4
.2 :8  fi'&fi';ffi#ff$/6 dom ff8 )ff 9fi8 fl"; ffiff7
 fl" ;
14.0  fiA  fi  #ffi : 	  flffiff7 fl"ffi#ff -set
.1  fiA  fi  #ffi " ff!fl"
4
.2 :8 fifl;ffi#ff%$fi 6 dom ff8  "98  fi'&fi'; ffiff7
 fl" ;
15.0 ?(@ - fiAff-  : 	 
.1 ?(@ - fiAff-   ff
4
.2 :8  fi'&fi'; ffiff8 fl";ffi#ff# $/6 dom ff8 )ff 7
 dom ff8 fl"ffi#ff =
.3    6 dom ff8  79!ff8 flffiff )8  fi'&fi'; ffiff#
 ff8 flffiff )8 fl"; ffiff# =
.4  5/fl 6 dom 	8 fl"ffi#ff "9
.5    6 dom ff8  98 fl";ffi#ff 
 fl 
	
.6 ff8 flffiff fl"ff
 IDA =
.7  5/fl 6 dom 	8 fl"ffi#ff "9
.8    6 dom ff8  98  fi'&fi'; ffiff7
 fl"
	
.9 ff8 flffiff fl"ff
 IDA =
.10  5/fl 6 dom 	8 fl"ffi#ff "9
.11 ff   ffi " ff!fl 
 fi
.12 "fl6 dom ff8 fl"ffi#ff 79!fl:6 fi)ff fi  #ffi " ff!fl"#=
.13 ff   ffi " ff!fl  
 fifi =
.14  5/fl 6 dom 	8 fl"ffi#ff "9
.15  A  fi  #ffi " ff!fl ff
 fi
.16 "fl  6 dom ff8 fl"ffi#ff 79!fl  6  fiA  fi  #ffi "ff!fl"#=
.17  A  fi  #ffi " ff!fl 
 fifi =
.18  5%6 dom 	8 ff 9
.19 &8 fifl;ffi#ff 
   8 fl"; ffiff(=
.20 	8 fl"ffi#ff 8 fl"; ffiff#
 IDA 
	
.21 
 #=
.22  5%6 dom 	8 ff 9
.23 &8 fifl;ffi#ff 
   8  fi'&fi'; ffiff(=
.24 	8 fl"ffi#ff 8 fl"; ffiff#
 IDA 
	
.25 
 # ;
16.0 + flA  : 	  	  
.1 + flA     
4
.2 let fl"ffi' -  : flffiff -set 

.3 #fl $)fl,6 dom  8 fl"ffi#ff "9  8 fl"ffi#ff (fl ">6 rng 8 flffiff  in
.4 let  : 	 

.5 mk- 	fl"ffi' -   8 fl"ffi#ff 
.6 :%$ 6 dom  8  "9
.7 8  fi'&fi'; ffiff 6 fl"ffi' - 
.8 8 fl";ffi#ff 6fl"ffi' -  
.9  8 )ff  in
.10 5/fl 6 dom 8 flffiff "9
.11  fl  6 dom   8 flffiff "9
.12 : - 1 #($fi 6 dom  8 ff "9
.13 8  fi'&fi'; ffiff 
 fl
28 fifl;ffi#ff 
 fl" <
.14 : - 1      ($  6 dom   8  79
.15   8  fi'&fi'; ffiff 
 fl  ,  8 fl"; ffiff 
 fl   ;
17.0  - 1 : 	   31 - 
.1  - 1 (ff#
4
.2 mk- 1 - ff( ff8 flffiff 8  fi'&fi'; ffiff#
.3 ff8 fl"ffi#ff 8 fifl;ffi#ff#
.4 ff8  ( 
16
operations
18.0  fi(   /ffi   : ffi#A '+ ffifl7  : flffiff -set 
.1 ext wr *  	 : 	
.2 rd *  *,*  : *2* 
.3 pre  6*  *2* :8 
,=
.4   6 8 * 1
%fi-9
.5 :8  fi ; ffiff 6 rng *  	(8 fl"ffi#ff =
.6 :8 ffi- ;ffi#ff6 dom "8 -  - 	 8 flffiff =
.7 :8 +  fi'+ fl	  6 rng * 	8  =
.8 :8 '!; ffiff 6 dom "8  8 flffiff =
.9  56 9
.10  +6 dom "8 -  - 	 8 flffiff "9
.11 8 -  - 	 8 fl"ffi#ff (+
 * 	8 flffiff  : =
.12 + flA fi * 	 8 -  -  
.13 post  56 9
.14 "+6 dom *  	(8 fl"ffi#ff "9
.15 +
:=
.16  56 9
.17   6 dom * 	8  "9
.18 8  fi'&fi';ffi#ff7
 28 fifl;ffi#ff 
:=
.19  let ' 1 
 #fl $fl,6 dom *  	8 fl"ffi#ff "9
.20  /6 "8 fi* 1 
%-9
.21  * 	8 flffiff fl"
 :8  fi fi;ffi#ff=
.22  let ffi-  
 @Afffl   !*  	( "8 -  - 	  (!:8 ffi- ;ffi#ff in
.23 mk- !fl7)ffi- 	ff6 dom *  	(8  ##=
.24 :8  fi ; ffiff/6 rng * 	8 fl"ffi#ff ##=
.25 :8 +  fi'+ffifl,
 IN    in
.26 5/fl 6' 1 9
.27  6 8 * 1
%fi-9
.28 mk- (fl7!:8 '&;ffi#ff#ff6 dom *  	8  =
.29 * 	8 )ff ( mk- ff(fl !:8 '!; ffiff# ff
 :8 fl"fi?  ff#=
.30  let ' 1 
 #fl $fl,6 dom *  	8 fl"ffi#ff "9
.31  /6 "8 fi* 1 
%-9
.32  * 	8 flffiff fl"
 :8  fi fi;ffi#ff=
.33  let ffi-  
 @Afffl   !*  	( "8 -  - 	  (!:8 ffi- ;ffi#ff in
.34 mk- )ffi- !fl ff6 dom *  	(8  ##=
.35 :8  fi ; ffiff/6 rng * 	8 fl"ffi#ff ##=
.36 :8 +  fi'+ffifl,
 OUT    in
.37 5/fl 6' 1 9
.38  6 8 * 1
%fi-9
.39 mk- (:8 '!; ffiff!fl"ff6 dom *  	8  =
.40 * 	8 )ff ( mk- ff(:8 '!;ffi#ff!fl" ff
 :8 fl"fi?  ff#
functions
19.0 @Afffl   : 	  	  flffiff -set   fl"ffi#ff  flffiff
.1 @Afffl   *  	(!-  - 	  !fl 1 
4
.2 let  6  be st *  	8 fl"ffi#ff (ff
 -  - 	 8 fl"ffi#ff fl 1  in
.3 
17
Appendix B
Below we present the full 24-rules of our grammar presented in graphical form.
B.1 net_p1
A_IDA
02
A_IDA
re
a
d
03
A_IDA ::==
01
ACT
04
IDA
w
ri
te

05
IDA
06
A_IDA
re
ad
07
  
 
 +	 01 ! 02 !!+ fl"
! _ +	 01 !'fiA 02 !'fiA(!+ fl"
&  ' 01 !'fiA 03 !'fiA()ffiAff'
! _ +	 01 !'fiA 04 !'fiA(!+ fl"
 +	 01 ! 04 !!+ fl"
& _ +	 01 !'fiA 05 !'fiA()ffiAff'
&  fi' 01 ! 05 !)ffiAff'
! _ +	 01 !'fiA 07 !'fiA(!+ fl"
& _ + 	 01 !'fiA( 07 !'fiA()ffiAff'

Figure 14: A_IDA based production rulesand embedding relations
B.2 net_p2
PORT
02
PORT
04
IDA ::==
01
IDA
05
A_IDA
re
a
d
06
IDA
08
IDA
07
ida
03
tr
u
e

tr
u
e

FT_IDA
09
  
 
&  fi' 01 !?/fi+ ') 02 !? fi+ ')!+ fl" ! _ +	 01 !? fi+ ') 02 !?/fi+ ')!+ fl 
&  fi' 01 !fi) 04 !fi)ffiAff' ! _ +	 01 ! 04 !)ffiAff'
&  fi' 01 !?/fi+ ') 05 !? fi+ ')!+ fl" & _ + 	 01 !?/fi+ ') 05 !? fi+ ')!+ fl"
&  fi' 01 !'fiA( 06 !'fiA)ffiAff' ! _ +	 01 !'fiA( 06 !'fiA()ffiA	' 
&  fi' 01 !?/fi+ ') 07 !? fi+ ')!+ fl" !  ' 01 !? fi+ ') 08 !?/fi+ ')!+ fl 
& _ + 	 01 !?/fi+ ') 07 !?/fi+ ')!+ fl" ! _ +	 01 !? fi+ ') 08 !?/fi+ ')!+ fl  
&  fi' 01 !fi) 07 !fi)ffiAff' !  ' 01 ! 08 !)ffiAff'
& _ +ff 01 !fi) 07 !fi)ffiAff' ! _ +	 01 ! 08 !)ffiAff'
&  fi' 01 !?/fi+ ') 09 !? fi+ ')!+ fl" ! _ +	 01 !? fi+ ') 09 !?/fi+ ')!+ fl 
&  fi' 01 !fi) 09 !fi)ffiAff' ! _ +	 01 ! 09 !)ffiAff'

Figure 15: IDA based production rules and embedding relations
18
B.3 net_p3
ACT ::==
01
ACT
03
IDAw
ri
te

04
IDA
06
ACT
05
single_
act
02
FT_ACT
10
w
rite
w
r
ite
 write
read
IDA
09
A_IDA
07
w
rit
e
write
read
A_IDA
08
w
r
ite

 7
 
& _ + 	 01 ! 02 !!+ fl" +ff 01 !fi) 02 !fi!+ fl  
! _ +	 01 !'fiA( 02 !'fiA()ffiA	'  +ff 01 !?/fi+ ') 02 !?/fi+ '))ffiA	' 
! _ +	 01 !'fiA( 03 !'fiA(!+ fl" +ff 01 !fi) 03 !fi!+ fl  
! _ +	 01 !'fiA( 03 !'fiA()ffiA	'  +ff 01 !?/fi+ ') 03 !?/fi+ '))ffiA	' 
! _ +	 01 !'fiA( 05 !'fiA(!+ fl" +ff 01 !fi) 05 !fi!+ fl  
! _ +	 01 !'fiA( 05 !'fiA()ffiA	'  +ff 01 !?/fi+ ') 05 !?/fi+ '))ffiA	' 
! _ +	 01 !'fiA( 07 !'fiA(!+ fl" +ff 01 !fi) 07 !fi!+ fl  
! _ +	 01 !'fiA( 07 !'fiA()ffiA	'  +ff 01 !?/fi+ ') 08 !?/fi+ '))ffiA	' 
& _ + 	 01 !'fiA( 10 !'fiA!+ fl  +ff 01 !fi) 10 !fi!+ fl  
! _ +	 01 !'fiA( 10 !'fiA()ffiA	'  +ff 01 !?/fi+ ') 10 !?/fi+ '))ffiA	'

Figure 16: ACT based prodcution rules and embedding relations
B.4 net_p4
SM
02
END
tru
e

03
single_
act ::==
01
FT_ACT
04
 7
 
& _ + 	 01 ! 02 !!+ fl" +ff 01 !fi) 02 !fi!+ fl  
! _ +	 01 !'fiA( 02 !'fiA()ffiA	'  +ff 01 !?/fi+ ') 02 !?/fi+ '))ffiA	' 
& _ + 	 01 !'fiA( 04 !'fiA!+ fl  +ff 01 !fi) 04 !fi!+ fl  
! _ +	 01 !'fiA( 04 !'fiA()ffiA	'  +ff 01 !?/fi+ ') 04 !?/fi+ '))ffiA	'

Figure 17: single activity based prodcutions rules and embedding relations
19
B.5 net_p5
state
02
SM
tr
u
e

03
SM ::==
01
SM
06
SM
05
D_ST
04
SM
07
SMD_ST
08
tr
u
e
 true
true
c1

tr u
e
c2
tr ue 09
SM
10
c
2
c1
  
 
  fi*  01    02   !+ fl"   fi' _  fi' 01    02   !+ fl  & _  fi' 01    02 !+ fl 
  fi*  01    03   )ffiAff'   fi' _  fi' 01    03   )ffiAff' ! _  fi' 01    02 )ffiAff'
  fi*  01    04   !+ fl"   fi' _  fi' 01    04   !+ fl  & _  fi' 01    04 !+ fl 
  fi*  01    07   )ffiAff'   fi' _  fi' 01    07   )ffiAff'& _ fi' 01    04 )ffiAff'
  fi*  01    08   !+ fl"   fi' _  fi' 01    08   !+ fl  & _  fi' 01    08 !+ fl 
  fi*  01    08   )ffiAff'   fi' _  fi' 01    08   )ffiAff'& _ fi' 01    08 )ffiAff'
  fi*  01    10   !+ fl"   fi' _  fi' 01    10   !+ fl  & _  fi' 01    10 !+ fl 
  fi*  01    10   )ffiAff'   fi' _  fi' 01    10   )ffiAff'& _ fi' 01    10 )ffiAff'

Figure 18: State-machined (SM) based production rules and embedding relations
B.6 net_p6
STATE ::==
01
st_st
02
D_ST
03
 7
 
& _  fi' 01    02   !+ fl  
& _  fi' 01    02   )ffiAff'
  fi' _  fi' 01    03   !+ fl"& _ fi' 01    03   !+ fl  
  fi' _  fi' 01    03   )ffiA	'  & _  fi' 01    03   )ffiAff'

Figure 19: Single state based prodcution rules and embedding productions rules
20
B.7 net_p7
D_ST ::==
01
02
ft_dy_st
03
A
pX pY
l u
  
 
 +	 01 ! 02 !!+ fl"
! _ +	 01 !'fiA 02 !'fiA(!+ fl"
&  ' 01 !'fiA 03 !'fiA()ffiAff'
! _ +	 01 !'fiA 04 !'fiA(!+ fl"
 +	 01 ! 04 !!+ fl"
& _ +	 01 !'fiA 05 !'fiA()ffiAff'
&  fi' 01 ! 05 !)ffiAff'
! _ +	 01 !'fiA 07 !'fiA(!+ fl"
& _ + 	 01 !'fiA( 07 !'fiA()ffiAff'

Figure 20: Terminal Dynamic state based production rules and embedding relations
B.8 net_p8
FT_ACT ::==
01
ACT
02
IDA
04
IDA
05
IDA
03
ACT
07
ACT
08
ACT
06
IDA
10
IDA
11
IDA
09
ACT
12
  
 
 +	 01 ! 02 !!+ fl"
& _ + 	 01 !'fiA( 02 !fi!+ fl  
+ff 01 !?/fi+ ') 02 !?/fi+ ')!+ fl"
& _ +ff 01 !?/fi+ ') 02 !?/fi+ '))ffiA	' 

Figure 21: Template #1 - TMR Activity
21
B.9 net_p9
FT_D_ST ::==
01
D_ST
03
D_ST
02
D_ST
04
  
 
  fi*  01 !'fiA( 02 !'fiA!+ fl 
  _  fi' 01 !'fiA( 02 !'fiA(!+ fl"
& _  fi' 01 !'fiA 02 !'fiA(!+ fl"
  fi*  01 !'fiA( 02 !'fiA)ffiAff'   *  01 !'fiA( 03 !'fiA()ffiA	'    fi*  01 !'fiA( 04 !'fiA)ffiAff'
  _  fi' 01 !'fiA( 02 !'fiA()ffiA	'    _  fi' 01 !'fiA( 03 !'fiA()ffiA	'    _  fi' 01 !'fiA 04 !'fiA()ffiAff'
& _  ' 01 !'fiA( 02 !'fiA()ffiAff' & _  fi' 01 !'fiA( 03 !'fiA()ffiAff' ! _  fi' 01 !'fiA( 04 !'fiA)ffiAff'

Figure 22: Template #2 - Passive state replication
22
