TBFV-M : Testing-Based Formal Verification for SysML Activity Diagrams by Yin Yufei
TBFV-M : Testing-Based Formal Verification for
SysML Activity Diagrams
著者 Yin Yufei
出版者 法政大学大学院情報科学研究科
journal or
publication title
法政大学大学院紀要. 情報科学研究科編
volume 14
page range 1-6
year 2019-03-31
URL http://doi.org/10.15002/00021922
TBFV-M: Testing-Based Formal Verification for 
SysML Activity Diagrams 
Yufei Yin  
Graduate School of Computer and Information Sciences 
Hosei University 
Tokyo 184-8584, Japan  
yufei.yin.59@stu.hosei.ac.jp 
 
 
Abstract—SysML activity diagrams are often used as models 
for software systems and its correctness is likely to significantly 
affect the reliability of the implementation. However, how to 
effectively verify the correctness of SysML diagrams still remains 
a challenge. In this paper, we propose a testing-based formal 
verification (TBFV) approach to the verification of SysML 
diagrams, called TBFV-M, by creatively applying the existing 
TBFV approach for code verification. We describe the principle of 
TBFV-M and present a case study to demonstrate its feasibility 
and usability. Finally, we conclude the paper and point out future 
research directions. 
Keywords—SysML activity diagrams; TBFV; test path 
generation; formal verification of SysML diagram; 
I.  INTRODUCTION  
Model-Based Systems Engineering (MBSE) [1] is often 
applied to develop large scale software systems in order to 
effectively ensure their reliability and to reduce the cost for 
testing and verification. The systems modelling language 
SysML [2, 3] can support effective use of MBSE due to its well-
designed mechanism for creating object-oriented models that 
incorporate not only software, but also people, material and 
other physical resources. In MBSE, SysML models are often 
used as the design for code. Therefore, its correctness in terms 
of meeting the users’ requirements becomes critical to ensure the 
high reliability of the code. Unfortunately, to the best of our 
knowledge from the literature, there are few tools to support the 
verification of SysML models [4, 5] in particular rigorous ways 
of verification. 
Testing-Based Formal Verification (TBFV) proposed by Liu 
[6-8] shows a rigorous, systematic, and effective technique for 
the verification and validation of code. Its primary characteristic 
is the integration of the specification-based testing approach and 
Hoare logic for correctness proof of code to guarantee the 
correctness of all the traversed program paths during testing. The 
advantage of TBFV is its potential and capability of achieving 
full automation for verification through testing. However, the 
current TBFV is mainly designed for sequential code in which 
all of the details are formally expressed, and there is no research 
on applying it to verify SysML models yet. In this paper, we 
discuss how the existing TBFV can be applied to SysML models 
for their verification and we use TBFV-M (testing-based formal 
verification for models) to represent the newly developed 
approach. Since SysML Activity Diagrams can model the 
systems dynamic behavior and describe complex control and 
parallel activities, which are similar to code but with additional 
constructs such as parallel execution, our discussion in this paper 
focuses on the activity diagrams. 
The essential idea of TBFV-M is as follows. All of the 
functional scenarios are first extracted from a given formal 
specification defining the users’ requirements where each 
functional scenario defines a meaningful functional behavior of 
the system. Meanwhile, test paths are generated from 
corresponding SysML Activity Diagrams waiting to be verified. 
Then, test paths are matched with functional scenarios by 
comparing the collection of decision condition of each test path 
and the guard condition of the functional scenario. After this, the 
pre-condition of the test path is automatically derived by 
applying the assignment axiom in Hoare logic based on the 
functional scenario. Finally, the implication of the pre-condition 
of the specification in conjunction with the guard condition of 
the functional scenario to the derived pre-condition of the path 
is verified through automatic proof or testing to determine 
whether the path contains bugs. The details of this approach will 
be discussed from Section 5. 
The remainder of the article will detail the TBFV-M method. 
Section 2 presents related work we have referenced. Section 3 
introduces the Testing-Based Formal Verification technique for 
the verification and validation of code. Section 4 mainly details 
the whole development process of using Model-Based Systems 
Engineering and the application scenarios of TBFV-M method. 
Section 5 describes the principle of TBFV-M, showing the core 
technology of TBFV-M. Section 6 uses one case study to present 
the key point of TBFV-M. Finally. The details of the 
implementation of the algorithm are presented in Section 7. 
Section 8 characterizes the evaluation part. Section 9 concludes 
the paper. 
II. RELATED WORK 
In this section, we briefly review the existing work related to 
our study. For the sake of space, we focus on those we have 
referenced during our research. We divide the related work into 
four different parts, including testing-based verification, 
requirements verification, verification using Hoare Logic and 
test case generation. 
Considering the shortcoming of formal verification based on 
Hoare logic being hard to automate, Liu proposed the TBFV 
(Testing-Based Formal Verification) method by combining 
specification-based testing with formal verification [6]. This 
 method not only take the advantage of full automation for testing, 
but also the efficiency of error detection with formal verification. 
Liu also designed a group of algorithms [9] for test cases 
generation from formal specification written in SOFL [10]. A 
supporting tool [8] is also developed. These efforts have 
significantly improved the applicability of formal verification in 
industrial settings. 
Franco Raimondi [11] addressed the problem of verifying 
planning domains written in the Planning Domain Definition 
Language (PDDL). First, he translated test cases into planning 
goals, then verified planning domains using the planner. A tool 
PDVer is also generated. In this paper, testing is also used during 
verification and the effectiveness and the usability is improved. 
Stefano Marrone [12,13] designed a Model-Driven 
Engineering approach, in which formal models are constructed 
and test cases are generated from UML model, utilizing UML 
profiles and model transformation algorithms, automatically. As 
they claimed, formal models can be used for quantitative 
analysis of non-functional properties, while test cases can be 
used for model checking. A railway signaling example is shown 
to introduce its integration, usability and reduction of manual 
activities. 
Feng Liang [14] proposed a vVDR (Virtual Verification of 
Designs against Requirements) approach for verifying a system 
with its requirement. In his research, the system is modeled in 
Modelica, and requirement verification scenarios are specified 
in ModelicaML, an UML profile and a language extension for 
Modelica. vVDR approach guarantees that all requirements can 
be verified by running this scenario automatically. However, the 
deficiency appears when the number of requirements and 
scenarios increase. 
Inspired by Liu’s work, we apply and extend the TBFV 
approach to models and propose the TBFV-M. A model is more 
intuitive than a formal specification because it requires less 
relevant background knowledge and is easier to communicate 
with customers. TBFV approach shows the treatment of code, 
while TBFV-M approach deals with SysML Activity Diagrams. 
And different with Feng Liang’s work, TBFV-M approach do 
not use other supporting tools, like Modelica, we merely use 
Hoare Logic to do the verification. Referring to test case 
generation, TBFV- M approach can deal with unstructured 
diagrams, which may have stronger processing power than 
existing approaches. 
III. INTRODUCTION OF TBFV FOR CODE 
TBFV is a novel technique that makes good use of Hoare 
logic to strengthen testing. The essential idea is first to use 
specification-based testing to discover all traversed program 
paths and then to use Hoare logic to prove their correctness. 
During the proof process, all errors on the paths can be detected. 
TBFV is a specific specification-based testing approach that 
takes both the precondition and post-condition into account in 
test case generation [15]. To precisely describe this strategy, we 
first need to introduce functional scenario. Spre and Spost denote 
the pre- and post-conditions of operation S. Let: 
Spost = (G1 ∧ D1) ∨ (G2 ∧  D2) ∨  … ∨ (Gn ∧ Dn)      (1) 
Gi and Di (i=1,…, n) are two predicates, called guard 
condition and defining condition, respectively. The definition of 
functional scenarios and FSF (functional scenario form) are list 
below: 
Functional Scenario =  Spre ∧ Gi ∧  Di              (2) 
In the definition of functional scenario, Spre ∧ Gi ∧  Di is 
treated as a scenario: when Spre ∧ Gi is satisfied by the initial 
state (or intuitively by the input variables), the final state (or the 
output variables) is defined by the defining condition Di.  
FSF =  (Spre ∧  G1 ∧  D1)  ∨  (Spre ∧  G2 ∧  D2)  
∨  …          ∨  (Spre ∧  Gn ∧ Dn)                 (3) 
A systematic transformation procedure, algorithm, and 
software tool support for deriving an FSF from a pre-post style 
specification written in SOFL have been developed in our 
previous work [16]. First, generate test cases from specification. 
Second, form path triple and the definition are below:  
{Spre ∧  Gi}  P { Di}                             (4) 
P is called a program segment, which consists of decision 
(i.e., a predicate), an assignment, a return statement, or a printing 
statement.  
Finally, repeatedly apply the axiom for assignment to derive 
a pre-assertion, denoted by Ppre. The correctness of the specific 
path is transformed into the implication Spre ∧ Gi → Ppre. If the 
implication can be proved, it means that no error exists on the 
path; otherwise, it indicates the existence of some error on the 
path. 
IV. TBFV-M IN MBSE 
Model-Based Systems Engineering (MBSE) combines 
process and analysis with architecture. In the development 
process using MBSE, as shown below, the users’ requirements 
are obtained first and the requirement document is usually 
written in natural language.  
 
Fig. 1. TBFV-M usage scenario 
To obtain requirements without ambiguities, we may 
generate a SysML Model. During the model-driven 
development process, we use the SysML Model Diagram to 
communicate with the user, because it does not contain many 
mathematical symbols and syntax.  
During the Model-Driven process, model is an important 
medium for the Model based system engineering development. 
 The TBFV-M method is mainly used to verify whether SysML 
Activity Diagram model meets the user's requirements written in 
SOFL (Structured-Object-oriented-Formal Language). 
V. PROCEDURE OF TBFV-M 
The TBFV-M method takes the specification describing the 
users’ requirements and the SysML Activity Diagram model as 
input and verifies the correctness of the SysML model with 
respect to the specification. The procedure of TBFV-M is 
illustrated in Fig.2. 
 
 
 
Fig. 2. TBFV-M usage scenario 
From this figure, we find that functional scenarios are 
derived from the specification, while test paths are generated 
from the Activity Diagram and the data constraints can be 
extracted from each test path. Then, the extracted data 
constraints are used to match with functional scenarios. A 
matching algorithm is defined by us. We will verify the 
successful matched the test path according to the requirements 
represented in specification.  
The verification part can be separated into three parts: first, 
create a path triple, and then use the axiom of Hoare Logic to 
derive pre-assertion for each test path. Finally, prove the 
implication of the pre-condition in the specification and pre-
assertion. If we can prove all the implication of pre-assertion of 
all the test paths of the model and the matching pre-condition, 
then the model is to meet the requirements. 
A. Unified Formal Expression 
Using a unified formal expression can reduce the ambiguity 
between communications, we establish the unified formal 
expression and we chose SOFL to describe formal specification. 
An example specification written in SOFL is given below. It 
describes that if a person is smaller than 6, he will be free; 
otherwise, he should buy the normal price for $10. 
 
 
B. Functional Scenarios Derivation 
The overall goal of functional scenario derivation is to extract 
all functional scenarios completely in "Spre ∧ Gi ∧Di" form 
(FSF), as mentioned above in TBFV section. Because this part 
is not our main topic and has been researched before. In our 
work, we assume that an FSF of the specification has been 
available somehow. The below segment of the process buy 
ticket, mentioned previously, shows the FSF generated from the 
specification described in the last one. 
 
 
C. Test Path Generation 
A test path auto-generation tool based on the SysML Activity 
Diagram model takes the model as input and generates test 
cases as outputs automatically. First, we use transformation 
algorithm to compress the input Activity Diagram, which may 
contain unstructured module. The transformation is a cyclic 
process, dealing with loop module, concurrent module and the 
problem of multiple starting nodes separately. After 
compressing, we transform this unstructured activity diagram 
into an intermediate representation form Intermediate Black 
box Model (IBM). IBM consists of one basic module and a map 
from black box to the corresponding original actions. The third 
phase of our approach is test path generation based on IBM. 
Details of automated test paths generation algorithm and 
implementation of unstructured SysML Activity Diagram has 
been developed in our previous work [19]. 
The Loop module in the SysML activity diagram can be 
considered as a node collection, and these nodes in the 
collection can be cycled multiple times, as shown in Fig.3. 
 
 
Fig. 3. Classification of loop modules 
The first step in the transformation algorithm of the Loop 
module is to identify the loop module, the second step is to 
compress it into a black box node loop, and finally reinsert it 
into the original SysML activity diagram. Fig.4 shows the 
process. 
  
Fig. 4. The transformation of loop module 
In the SysML activity diagram, the most common form of a 
concurrent module is a pair of fork node and join node and all 
actions between these two nodes, as shown in Fig.5 (a). The 
logical representation is AND. However, the synchronization 
stream can also be the logical relationship OR, as shown in 
Fig.5 (b). Depending on how many concurrent streams can be 
synchronized by the join node, the parallel modules can be 
divided into partJoin concurrent and noJoin concurrent, as 
shown in Fig.5 (c) and (d) below, respectively. 
On the test path generation algorithm for concurrent modules, 
the first step is to identify the concurrency module, the second 
step is to compress it into a black box node FJ (Fork-Join), and 
finally reinsert it into the original SysML activity diagram, as 
shown in the following Fig.6. 
 
Fig. 5. Classification of concurrent modules 
For concurrent modules, we can use the Concurrent module 
path generation algorithm and generate the test path 
automatically. For the compressed basic path, the test path 
generation algorithm of the basic module can be applied. Once 
the basic path is generated, replace the FJ black box with the 
test path generated from the concurrency module. 
 
 
Fig. 6. The process of transformation of concurrent modules 
The test case generation with IBM needs to deal with three 
types of modules, which are basic modules, concurrent modules 
and loop modules. For basic module, without considering the 
concurrent module and the loop module, we can transform the 
SysML activity diagram model into a directed acyclic graph, 
using the idea of DFS (Depth First Search) algorithm. While for 
unconstructed module, we can use corresponding generation 
algorithm and generate the test path automatically. After the 
basic path is created, the black box can be replaced with the test 
path generated by the unconstructed module. 
D. Matching Algorithm 
Matching the test path with functional scenario is very 
important for verification. In order to verify the correctness of 
one path in Activity Diagram, we need to match it with 
corresponding functional scenario. The constraints of test path 
can be extracted from edges of each path, which are used to 
compare with Spre ∧ Gi part of functional scenario. If unmatched 
test paths or functional scenarios appears, it means some errors 
may be existed in this model. And the model needs to be 
modified. The matching algorithm is given below. 
 
 
 
After completing the initialization step, find a matching 
functinal scenario for each element in edge list. The specific 
operation is: the edge after the integration compares with Spre  
Gi in the functional scenario, if exactly the same, then we find 
the edge with the matched functional scenario. If there is no 
exact matched functional scenario, then there is an inaccurate 
modeling problem and needs to be refined. Therefore, 
immediately terminate the program, the problem of the edge 
will also be returned. After traversing all the edge_list, we also 
need to check whether each in FS_list has been visited. If there 
is an unvisited functional scenario, then it means that there is a 
requirement that the model fails to be represented in the 
specification, and the model needs to be refined. 
E. Path Triple Establishment 
Establish Path Triple and apply each node with the axiom in 
Hoare Logic. “(Spre ∧ Gi ∧ Di) (i = 2, …, n)” denote one 
functional scenario and P = [node1; node2; …; nodem] be a 
program path in which each nodej(i = 2, … , n) is called a 
functional node, which is a DecisionNode, ActionNode, or 
others.  
To verify the correctness of P with respect to the functional 
scenario, we need to construct Path Triple: {Spre} P {Gi ∧ Di}. 
 Each node has different processing approach, and the details are 
listed in the form below. 
TABLE I.  PROCESSING APPROACH OF AD NODE 
Node Type Approach 
ActionNode(assignment) The axiom for assignment 
ActionNode(input/output) SKIP 
Others node SKIP 
F. Implication 
Prove the implication. Finally, the correctness of one path 
whether it meets the corresponding requirement is changed into 
the proof of the implication “Spre ∧  Gi →  Spre” . If the 
implication can be proved, it means that the path can model one 
part of the requirement; otherwise, it indicates the existence of 
some error on the path. 
Formally proving the implication “Spre ∧ Gi → Spre” may 
not be done automatically, even with the help of a theorem 
prover such as PVS, depending on the complexity of Spre and 
Ppre. Our strategy is as follows: if the complexity of data 
structure is not high, we will transform the problem into solver, 
which can achieve full automation. Otherwise, if achieving a 
full automation is regarded as the highest priority, as taken in 
our approach, the formal proof of this implication can be 
"replaced" by a test. That is, we first generate sample values for 
variables in Spre and Ppre, and then evaluate both of them to see 
whether Ppre is false when Spre is true. If this is true, it tells that 
the path under examination contains an error. 
VI. SUPPORTING TOOL  
We have developed a prototype software tool to support the 
TBFV-M method. Specifically, it provides five major functions, 
which are functional scenario generation, test path generation, 
matching function scenarios to test paths, pre-condition 
derivation, verification of test paths, and output of verification 
result. The tool interface is shown in Fig.7. 
 
 
Fig. 7. The process of transformation of concurrent modules 
VII. CASE STUDY  
Now we show a motivation example to detail the process of 
MBSE and TBFV-M method described in the article above. 
First, we will get a requirement from the user, which consists of 
inform the description. 
 
 
According to the specification, we can construct a set of 
SysML model and the Activity Diagram is shown below. 
 
Fig. 8. Activity Diagram 
We can find the expression is described with SOLF. After 
getting ready with all the input, specification and Activity 
Diagram, we will start the TBFV-M method process. First, 
derive Functional Scenarios from specification and generate 
test paths from Activity Diagram. The result is shown as below. 
 
 
 
 
 
At the same time, we can extract data constraints from each 
test scenario, which is used for matching with functional 
scenario. Then, the matching process is shown below. If it does 
not exist a matched functional scenario, then it means that it 
exists a problem in the model, exactly in this unmatched test 
path. This path is not established accurately according to the 
requirements described in specification in the activity diagram 
model. If the match succeeds, it indicates that the test path is 
designed for the matched test scenario. 
 
 
 We will do the verification of test scenario according to the 
successfully matched functional scenario. First, we establish 
Path Triple and then apply the axiom of Hoare Logic to derive 
Ppre, pre-assertion of one path for the corresponding test path. 
The blow figure chose the forth path and matched the first 
functional scenario as an example and shows the substitution 
process, from bottom to up. So, the top one “~c b AND c =~c 
AND b-r =~b-r" is the Ppre. 
 
 
 
Finally, we turn this verification problem into proving 
whether the pre-condition of specification can imply Ppre. If it 
can be proved, means that the path satisfies the requirement. If 
not, there is a problem existing in the model, exactly in this 
unmatched test path. If the matched pre-condition can imply the 
corresponding Ppre of all the test paths in the model, then the 
model is satisfied with the user’s requirements. 
From the above segment, we can see the implication (~c > 0 
AND b ≥ 0 AND ~p = FALSE AND ~c ≤ ~b) → (~c ≤~ b 
AND c =~c AND b - r =~b - r) is true. This it means that the 
test path is satisfied with the corresponding functional scenario. 
We have proved all the test paths, due to the space limit, we 
omit further details.  
VIII. EVALUATION 
After finishing the supporting tool, we established 20 
example cases to test our system. These test cases include 5 
correct ones and the others include errors. All the incorrect 
Activity Diagrams fail to express the needs fully and correctly, 
such as missing some logic branch or having mistaken on some 
logic branch.  
And the result is that the supporting tool has the ability to 
figure out these mistakes, as our expectation. 
IX. CONCLUSION 
 We have presented an approach, known as TBFV-M 
(Testing-Based Formal Verification for Model), for requirement 
design error detection in SysML Activity Diagrams by 
integrating test cases generation and Hoare Logic. The principle 
underlying TBFV-M is first to derive functional scenarios from 
specifications and generate test scenarios from Activity 
Diagrams. Then match them and verify each test scenario 
according to the corresponding functional scenario. Hoare logic 
is used during the verification process. TBFV-M method solve 
the limitation of TBFV, not concerning about models and solved 
the problem of inconsistent, incomplete, and inaccurate models. 
It has advantage in reducing the probability of system error and 
shortening the developing time. 
X.  ACKNOWLEDGEMENTS 
 This work was supported by JSPS KAKENHI Grant Number 
26240008, and Defense Industrial Technology Development 
Program JCKY 2016212B004-2. 
REFERENCES 
[1] A. W. Wymore, Model-based systems engineering: an introduction to the 
mathematical theory of discrete systems and to the tricotyledon theory of 
system design. CRC Press, 1993. 
[2] S. Friedenthal, A. Moore, and R. Steiner, “A practical guide to sysml,” 
San Francisco Jung Institute Library Journal, vol. 17, no. 1, pp. 41-46, 
2012. 
[3] T. Weilkiens,”Systems engineering with sysml/uml,” Computer, no. 6, p. 
83, 2006. 
[4] M. Shah, L. Chrpa, F. Jimoh, D. Kitchin, T. Mccluskey, S. Parkinson, and 
M. Vallati, “Knowledge engineering tools in planning: State-of-the-art 
and future challenges,” Computer, 01 2013. 
[5] T. S. Vaquero, J. R. Silva, and C. J. Beck, \A brief review of tools and 
methods for knowledge engineering for planning scheduling," Computer, 
pp. 7-14, 2011. 
[6] S. Liu, “Utilizing hoare logic to strengthen testing for error detection in 
programs,” Computer, vol. 50, no. 6, pp. 1-5, 2014. 
[7] S. Liu and S. Nakajima, Combining Specification-Based Testing, 
Correctness Proof, and Inspection for Program Verification in Practice. 
Springer International Publishing, 2013. 
[8] S. Liu, “A tool supported testing method for reducing cost and improving 
quality,” in IEEE International Conference on Software Quality, 
Reliability and Security, 2016, pp. 448-455. 
[9] S. Liu, Testing-Based Formal Verification for Theorems and Its 
Application in Software Specification Verification. Springer International 
Publishing, 2016. 
[10] S. Liu, A. J. Ofiutt, C. Hostuart, Y. Sun, and M. Ohba, “So: A formal 
engineering methodology for industrial applications,” IEEE Transactions 
on Software Engineering, vol. 24, no. 1,pp. 24-45, 1998. 
[11] F. Raimondi, C. Pecheur, and G. Brat, “Pdver, a tool to verify pddl 
planning domains,” Computer, 2009. 
[12] S. Marrone, F. Flammini, N. Mazzocca, R. Nardone, and V. Vittorini, 
“Towards model-driven v&v assessment of railway control systems,” 
International Journal on Software Tools for Technology Transfer, vol. 16, 
no. 6, pp. 669-683, 2014. 
[13] F. Flammini, S. Marrone, N. Mazzocca, R. Nardone, and V. Vittorini, 
“Model-driven v&v processes for computer-based control systems: A 
unifying perspective," Computer, vol. 7610, pp. 190-204, 2012. 
[14] F. Liang, W. Schamai, O. Rogovchenko, S. Sadeghi, M. Nyberg, and P. 
Fritzson, “Model-based requirement veri_cation : A case study,” in 
International Modelica Conference, Munich,Germany, 2012. 
[15] S. Liu and S. Nakajima, “A decompositional approach to automatic test 
case generation based on formal specifications,” in International 
Conference on Secure Software Integration Reliability Improvement, 
2010, pp. 147-155. 
[16] S. Liu, T. Hayashi, K. Takahashi, K. Kimura, T. Nakayama, and S. 
Nakajima, “Automatic transformation from formal specifications to 
functional scenario forms for automatic test case generation," in New 
Trends in Software Methodologies, TOOLS and Techniques Proceedings 
of the Somet 10, September 29 October 1, 2010, Yokohama City, Japan, 
2010, pp. 383-397. 
[17] Kent and Stuart, Model Driven Engineering. Springer Berlin Heidelberg, 
2002. 
[18] M. Broy, K. Havelund, R. Kumar, and B. Steffen, Towards a Unified 
View of Modelling and Programming (Track Summary). Springer 
International Publishing, 2016. 
[19] Y. Yin, Y. Xu, W. Miao, and Y. Chen, \An automated test case generation 
approach based on activity diagrams of sysml," International Journal of 
Performability Engineering, vol. 13, no. 6, pp. 922-936, 2017. 
 
