A unified modelling language (UML) based formal verification methodology that can be easily integrated into an embedded system software development life cycle is suggested. The approach augments UML diagrams with formal models through an interfacing domain and adds semantics to these diagrams. The suggested methodology; commences from functional specification and use case modelling, selects the most critical behaviour where formal verification can add value to the development cycle, analyses the selected behaviour using UML state transition diagram, derives a state chart matrix from the same, and a high level language software translates the state chart matrix to a labelled transition system. Safety properties are derived from system specifications and are expressed as computation tree logic (CTL) formulae. CTL model-checking algorithm from the literature is used for modelchecking. The applicability of the suggested approach is established using a safety critical embedded controller used for deployment and recovery of sensor structures from an airborne platform.
INTRODUCTION
Verifying safety-critical embedded systems with unyielding timeliness requirements is challenging. Apart from mundane factors -size, design-complexity, unforeseen environmental interactions, hardware-restrictions etc., there are constraints for functional verification, particularly in sea-faring defence systems. Simulation-based verification is insufficient and sometimes impractical in these cases 1 . Even though formal methods are best suited for better understanding and verification of complex software requirements, the usage of formal methods in model-based software development is minimal. Majority of visual modelling community are reluctant to adopt these methods, however complex and critical the software being developed. It is broadly agreed that practice of formal methods in software engineering is essential, while there are several systems ascertaining the applicability of formal methods in industrial applications presenting very good results. But, embedded designers are still reluctant to adopt formal methods, either due to the complex nature of formal notations or the lack of awareness of the quality attributes they provide in delivering robust systems.
The paper proposes a model-checking based comprehensive system-level design methodology, facilitating the use of the formal models in the development process, adding confidence for realising correct and reliable systems.
It integrates formal methods into unified modelling language (UML) such that the embedded system specification expressed in natural language becomes mathematically verifiable, early in the development cycle.
An airborne sensor array management system (SAMS) is considered as a characteristic system for methodology demonstration. SAMS is a safety-critical multidisciplinary system carried on-board aircrafts and deployed at interest marine locations. It enables smooth and safe sensor structure deployment and retrieval in definite time-limits. The diverse interface requirements and complex behavioural requirements reveal the limitation of simulation-based testing and calls for formal model generation and verification semantics thereafter.
RELATED WORK
Unified modelling language is the standard visual modelling tool used for modelling complex software systems 23 . Verification and validation of such systems' UML diagrams advance error detection to early development phases, resulting in fail-safe and reliable operation. Integration of formal methods with UML diagrams adds semantics to UML diagrams, enabling formal verification and validation during software development life cycle.
Existing literature focusses on integrating formalism in UML diagrams. They mainly focus on UML class diagrams, sequence diagrams, activity diagrams 2 etc. and translate these to formal specification language compatible with an existing model-checking tool. Object constraint language (OCL) is established as the formal language for specification of properties of object structures in UML models 1 . IBM and OMg provide tool support, for verification of class diagrams and state-chart diagrams. Research has been published in integrating communicating sequential processes (CSp) into UML state-charts, class and sequence diagrams, used in safety-critical system-design. prototype verification system (pVS) is the specification and verification language for UML class diagrams and OCL constraints 3 , including usecase diagrams 24 . pROMELA, SpIN, UppAAL, rCOS etc. are used in model-checking of various UML diagrams 25 . Consistency issues across modelling phases or abstraction levels are studied only by a few, therefore inconsistency problems across modelling phases are considered promising 8 . The research here, focusses on evolving a practitioner-friendly, but powerfull modelling methodology that can be easily integrated with existing methods.
PROPOSED MODELLING METHODOLOGY 3.1 Lightweight Formalism Integrated Model
Checking Approach UML is a semi formal modelling language with graphical notations for expressing different views of the system from different viewpoints. The modelling power of UML's modelling artefacts is augmented with formal semantics 5 . The approach integrates UML-based visual abstraction models with formal method based finite automata. It smoothly couples UML visual models and formal methods, synergising the benefits of visual modelling and formal techniques.
The method is named light weight as it suggests application in areas where formal specification accomplishes specific quality objectives and skips areas where they aren't appropriate. The sequence of actions involved in the proposed integrated model-checking approach is as shown in Fig. 1 . There are three distinct domains, UML domain, Interface and Formal domain. The inventive part of the proposal lies in the Interface, domain with which the UML and formal domains are coupled.
The phases involved in the proposed methodology are shown as major blocks in the diagram. It commences with system specification in natural language and proceeds through Use case modelling and state chart transitions. The interfacing software links visual domain to formal model. The model checking algorithm runs the model through various runs and decides the entailment of property specification in the model. The steps in the proposed methodology are as follows.
Requirement Analysis of the Real-time System
The approach begins with a use case model depicting the functional capabilities of the embedded system 26, 28 . In subsequent modelling abstractions, these capabilities manifest themselves as the behaviour of the system or interactions among the system and the environment 7 .
Generation of Detailed Specification of the use Case using State Chart Diagram
This phase ensures the behavioural abstraction of the use case scenarios using UML state chart diagrams 26, 28 . The tabulation of these transitions is done manually by the modeller, and is repeated until all transition paths are covered.
Generation of State Transition Matrix and Conversion into Labelled Transition System

(ii) Auto conversion of the State Transition Matrix to Labelled
Transition System-A high level language program is developed to generate the labelled transition system (LTS) from STM. The program accepts STM as input and generates the formal model, LTS. LTS can be defined by the tuple, 
LTS = (S, Actn, →, I, AP, Labl)
where S is the set of states, Actn is a set of actions, → ⊆ S × Actn× S is a transition relation, I ⊆ S is a set of initial states, AP is a set of atomic propositions, Labl is a labelling function.
here there is direct relationship between the UML model and the generated formal model. The events in the state-charts are mapped to transitions in LTS and the actions in the states in state-chart diagram appear as labels in resulting LTS states. This mapping ensures consistency between the two modelling domains. The commonality of expressions in these diagrams, gives a feel of UML modelling, even when the user is in the formal modelling realm.
Formal Property Specification
Real time systems are designed to function continuously and the perception of time-ordering of events is essential in modelling them. pnueli put forward the idea of temporal logics in 1970s, describing the temporal ordering of events for modelling concurrent and real time systems. Temporal logics 27 describe the temporal ordering of events without explicitly mentioning time.
There are two popular temporal logics, liner temporal logic (LTL) and computational tree logic (CTL). LTL is based on sequential time lines and every instant has a unique possible successor. CTL is reasoned over a branching timeline and each time instant can get into many possible successors [27] [28] [29] [30] . LTL models system behaviour as an infinite sequence of states and each state has a unique successor, based on a lineartime perspective. LTL abstracts time as a discrete entity and is characterised by distinct points 12 . But, there could be system behaviours, which splits into sub behaviours based on events and conditions. For modelling such behaviours, properties that state the existence of a path have to be specified. LTL provides only global quantifiers, and is inadequate while dealing with properties that mix existential and universal path quantifiers. CTL addresses the above problems by introducing path quantifiers. The path quantifiers indicate whether a given formula applies to all possible paths from a given state or only some possible paths, using:
A -for every path E -there exists a path Most safety-critical systems are real time in nature and interact asynchronously with the surrounding medium and sensors. The behaviour of these systems will be decisive in nature. Under such circumstances, branching time logic is appropriate for the behavioural specification. The method suggested here makes use of CTL formulae for property specification.
Formal Verification
The CTL model-checking algorithm is used for formal verification. The LTS model M generated by the high level language translator software is checked for the entailment of CTL property specification.
Model-checking is a widely accepted tool for automatic verification of both hardware and software systems. It's a procedure that checks whether a given structure M is a model of the logic formula ɸ 24, 25 . M is an automata-like structure representing the system and ɸ, a temporal logic formula expressing the system's desirable properties. The model checker verifies whether M satisfies the property during execution 13 . here the advantage is that the checking is exhaustive compared to system-testing using multiple scenarios. Moreover modelchecking is carried out, well before system implementation and thus streamlines system debugging and regression testing.
The inputs to a model checker are the system description expressed as a finite state system and a few performance specifications, i.e. property specifications, expressed as temporal logic formulae [18] [19] . The model checker runs an algorithm and verifies that either the properties hold during model execution, or confirms with a counter example that the property is violated during the model-run. The counter example generated provides insight into design errors overlooked at this stage.
CASE STUDY
The proposed methodology is substantiated by applying the same in modelling, an embedded controller used in a safety critical military system.
System Description
A sensor array management system (SAMS) for military applications is chosen as the typical case for modelling and verification purpose. SAMS is used in the context of dunking sensor systems for acoustic data acquisition and processing onboard military platforms. It operates as an airborne sensor array deployment/retrieval mechanism, using which sensor structures can be deployed from naval platforms. The major subsystems of SAMS are as shown in Fig. 2 .
There is a user interface and an embedded sensor deployment controller (SDC) in the system which initiates commands for positioning the wet end sensor array to desired sea depth. SDC shall read the lower command from the operator, initiated through the user interface. It shall also read various winch sensors periodically, and using these values it generates safety interlocks for ensuring the safety of the Winch Figure 2 . Sensor array management system. and sensor array during operation. The major performance requirements of SAMS are as follows • The deployment and retrieval shall take minimum time • It shall have the facility to monitor the various mechanical sensors (speed, cable tension, cable drift) • Jerks shall be avoided during deploying/hoisting • There should be redundancy/exception handling for retrieving the sensor, in case of any failure. Undesired behaviour of SDC is to be avoided by design itself, mainly because operational failures result in loss/damage of SA, along with instigation of unsafe hovering positions of aircraft, endangering lives of on-board crew.
Light Weight Formalism Integrated Model Checking Approach 4.2.1 Analysis of the Real-time System Modelling
Operational Requirements The major operational capabilities drawn from the above system requirements are secure lowering and hoisting of the sensor array. Lowering operation encompasses four use cases, as shown in Fig. 3. 
Formal Model Generation -Translation of UML State Chart to Labelled Transition System
The major difficulty in generating the formal model of a UML based visual model is the translation of the UML diagram to a formal notation comprehensible by the model-checking algorithm. The research work provides a hands-on method for this translation.
Step1: UML State-chart to STM translation Step2: STM to LTS translation
The state-chart in Fig. 5 is mapped into STM as shown in Table 2 . 
Generate a Detailed Specification of the use
Case using State Chart Diagram There are four different parallel sequence of actions take place in the lowering mode of operation (Fig. 4) . They are:
-WinchMotorhandling -WichSensorhandling -ArraySensorDatahandling -AutopilotDatahandling Amongst these, WinchSensorhandling sub behaviour alone is considered for demonstration purpose. The independent sequences of processing that take place upon reception of various events are as shown in Fig. 5 .
Secondly, the STM is converted into LTS, using high level language translator (hLLT) software and is the most inventive step in the approach. hLLT scans the input STM and generates the corresponding LTS. hLLT facilitates the automatic generation of the formal model and serves as the interface for linking UML domain and formal domain, smoothly. The output of the program appears as shown in Fig. 6 . 
Formal Property Specification
CTL is used for formalising the property to be verified in the above model. The arithmetic propositions involved are: Ap = {I 1 > Angle, I 2 > Limit, I 3 Status = OFF, STOp, ERROR)
The safety specification states that whenever I 1 sensor values are beyond limits, lowering shall be suspended and error be indicated to the operator. This is treated as the safety property of the system, as it is a bad behaviour which shall never be exhibited during operation. Thus, the system's informal performance requirement is translated into formal CTL formula, using the above set of arithmetic propositions.
SafetyProperty1 (ɸ 1 ) If the I 1 sensor value> Angle defined, eventually Lowering is suspended and Error is indicated to the Operator. 
Formal Verification
The formal model is generated and the property specification is available in formal language. The next objective is to verify that the model generated satisfies the safety properties during various runs of the system.
Model-checking
In this particular case-study, the LTS generated from the UML state diagram is the formal model M and ɸ 1 , ɸ 2 form the formal property specification. The prevalent CTL modelchecking algorithm is used as the model checker. It verifies if model executions of the initial states s of M satisfy the CTL formula (M |= ɸ). 
Model-checking Algorithm
CONSISTENCY ACROSS MODELLING PHASES
A continuous symbols trace exists throughout the modelling phases, in this approach. It starts from the use case names in the use case model. Secondly, these names label the state-chart diagram. The same are used in generating STM. The hLLT software uses this matrix as input and generates a formal model in terms of the same symbols and expressions appearing in STM. The performance requirements of the system expressed in natural language is the basis for generating the safety properties. The arithmetic expressions generated from these are mapped into CTL property specifications.
BENEFITS
The approach's major gains are as follows i. Consistent abstraction across modelling phases:
Direct mapping exists between the UML model and the generated formal model, by way of events( instate-charts) to transitions (in LTS) and actions (in state-charts) to labels (in LTS).
ii. Smooth progression from informal to formal domain:
This transition phase is made automatic for the modeller, he is freed from acquiring knowledge and skill in formal modelling.
iii. Easy blending with model driven development process:
Easily integrated into a UML based model driven development process. iv. Modular and flexible abstraction of complex embedded system behaviour: Allows selection of critical behaviour for abstraction and modelling. Modeller can adopt it for modelling complex behaviours wherein he can exhaustively analyse the various system states under different input conditions. This built-in modularity addresses the tediousness in handling compound systems with numerous states.
LIMITATIONS
The entire approach is dependent on STM generated from UML state-charts. If the modeller makes mistakes, or omits states during this phase, the subsequent steps will be incorrect.
CONCLUSIONS AND FUTURE WORK
UML is an accepted visual modelling language with precise notations and expressive power to handle complex software systems. The methodology illustrated, integrates formalism into UML diagrams, by way of STM. This is simple and comprehensive for adoption in embedded software development life cycle. generation of exhaustive STM is significant in this approach and is a modeller driven activity. This could be an overhead, but is simple and straight forward as compared to existing formal methods.
The state transition diagrams, in the behavioural abstraction phase, translated into a tree like structure can be traversed for reachability. If a path exists from the root to destined nodes, its treated as a valid trace/run and leads to behavioural property verification during model-checking. This is a proposal with research potential.
