
    From AADL to Timed Abstract State Machines: A Verified Model Transformation

    Architecture Analysis and Design Language (AADL) is an architecture description language standard for embedded real-time systems widely used in the avionics and aerospace industry to model safety-critical applications. To verify and analyze the AADL models, model transformation technologies are often used to automatically extract a formal specification suitable for analysis and verification. In this process, it remains a challenge to prove that the model transformation preserves the semantics of the initial AADL model or, at least, some of the specific properties or requirements it needs to satisfy. This paper presents a machine-checked semantics-preserving transformation of a subset of AADL (including periodic threads, data port communications, mode changes, and the AADL behavior annex) into Timed Abstract State Machines (TASM). The AADL standard itself lacks at present a formal semantics to make this translation validation possible. Our contribution is to bridge this gap by providing two formal semantics for the subset of AADL. The execution semantics provided by the AADL standard is formalized as Timed Transition Systems (TTS). This formalization gives a reference expression of AADL semantics which can be compared with the TASM-based translation (for verification purposes). Finally, the verified transformation is mechanized in the theorem prover Coq.

    Exploring AADL verification tool through model transformation

    Architecture Analysis and Design Language (AADL) is often used to model safety-critical real-time systems. Model transformation is widely used to extract a formal specification so that AADL models can be verified and analyzed by existing tools. Timed Abstract State Machine (TASM) is a formalism able to specify not only behavior and communication but also the timing and resource aspects of the system. To verify functional and non-functional properties of AADL models, this paper presents a methodology for translating AADL to TASM. Our main contribution is to formally define the translation rules from an adequate subset of AADL (including thread components, port communication, the behavior annex and mode changes) into TASM. Based on these rules, a tool called AADL2TASM is implemented using the Atlas Transformation Language (ATL). Finally, a case study from an actual data processing unit of a satellite is provided to validate the transformation and illustrate the practicality of the approach.

    The observer-based technique for requirements validation in embedded real-time systems


    A formal framework for specification-based embedded real-time system engineering

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics, 2008. Includes bibliographical references (v. 2, p. 517-545). The increasing size and complexity of modern software-intensive systems present novel challenges when engineering high-integrity artifacts within aggressive budgetary constraints. Among these challenges, ensuring confidence in the engineered system, through validation and verification activities, represents the high-cost item on many projects. The expensive nature of engineering high-integrity systems using traditional approaches can be partly attributed to the lack of analysis facilities during the early phases of the lifecycle, causing the validation and verification activities to begin too late in the engineering lifecycle. Other challenges include the management of complexity, opportunities for reuse without compromising confidence, and the ability to trace system features across lifecycle phases. The use of models as a specification mechanism provides an approach to mitigate complexity through abstraction. Furthermore, if the specification approach has formal underpinnings, the use of models can be leveraged to automate engineering activities such as formal analysis and test case generation. The research presented in this thesis proposes an engineering framework which addresses the high cost of validation and verification activities through specification-based system engineering. More specifically, the framework provides an integrated approach to embedded real-time system engineering which incorporates specification, simulation, formal verification, and test-case generation. The framework aggregates the state of the art in individual software engineering disciplines to provide an end-to-end approach to embedded real-time system engineering.
    The key aspects of the framework include:
    * A novel specification language, the Timed Abstract State Machine (TASM) language, which extends the theory of Abstract State Machines (ASM). The TASM language is a literate formal specification language which can be applied at multiple levels of abstraction and which can express the three key aspects of embedded real-time systems - function, time, and resources.
    * Automated verification capabilities achieved through the integration of mature analysis engines, namely the UPPAAL tool suite and the SAT4J SAT solver. The verification capabilities provided by the framework include completeness and consistency verification, model checking, execution time analysis, and resource consumption analysis.
    * Bi-directional traceability of model features across levels of abstraction and lifecycle phases. Traceability is achieved syntactically through archetypical refinement types; each refinement type provides correctness criteria which, if met, guarantee semantic integrity through the refinement.
    * Automated test case generation capabilities for unit testing, integration testing, and regression testing. Unit test cases are generated to achieve TASM specification coverage through the rule coverage criterion. Integration test case generation is achieved through the hierarchical composition of unit test cases. Regression test case generation is achieved by leveraging the bi-directional traceability of model features.
    The framework is implemented in an integrated tool suite, the TASM toolset, which incorporates the UPPAAL tool suite and the SAT4J SAT solver. The toolset and framework are evaluated through experimentation on three industrial case studies - an automated manufacturing system, a "drive-by-wire" system used at a major automotive manufacturer, and a scripting environment used on the International Space Station. by Martin Ouimet. Ph.D.

    A programming language view to model-driven engineering

    MDE provides an appealing framework for supporting engineering activities, from early design phases to acceptance tests, going through refinement, architectural and functional design down to code generation and V&V efforts. Yet, separation of concerns between system engineers, architects and embedded domain experts may interact badly, for lack of exchange mechanisms at both the syntactic and semantic levels. Pivot meta-models have also demonstrated their limits. In this talk, I'll illustrate on various projects how the use of a text-based modeling notation, combined with a strong semantics inherited from typical object-oriented languages, can support seamless integration of most concerns of a traditional V cycle, thus solving many issues in MDE approaches. I'll base my presentation on current discussions within the AADL standardization committee to enrich the Architecture Description Language with a Constraint language. The objective is to increase the coupling between modeling and verification. By making the verification part of the extended semantic rules of an ADL, we control the patterns used to describe the system, ensuring designers respect requirements, but also integrate V&V as part of the modeling effort.

    A method for mapping between ASMs and implementation language

    Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics, 2010. Cataloged from PDF version of thesis. Includes bibliographical references (p. 193-196). One of the challenges of model-based engineering is traceability: the ability to relate the set of models developed during the design stages to the implemented system. This thesis develops a language-specific method for creating bidirectional traceability, a mapping between model and implementation, suitable for tracing requirements from model through implementation and vice versa. The mapping is created as a byproduct of code generation and reverse engineering, and can be used to subsequently synchronize changes between the model and implementation. The creation of the mapping is specifically demonstrated through generating Java code from an abstract state machine (ASM) based modeling language, called the Timed Abstract State Machine (TASM) language. This code generation process involves a series of three transformations. The first transformation creates a specialised System Dependency Graph (SDG) called a TASM SDG from a TASM specification. The second uses Triple Graph Grammars to transform the TASM SDG to a Java SDG (JSDG). The applied grammars are saved as the mapping information. The third transformation procedurally generates Java code. In order to make this methodology possible, this thesis introduces the TASM SDG, as well as a novel algorithm, generally applicable to ASM languages, that explicates state transitions. The approach presented extends the bidirectional traceability capabilities inherent in the TASM language to Java. The code generation technique is demonstrated using an industrial case study from the automotive domain, an Electronic Throttle Controller (ETC). by David Cheng-Ping Wang. S.M.

    Developing a framework for Total Apron Safety Management

    The Air Traffic Management (ATM) system is a complex socio-technical system that ensures safe, efficient and cost-effective air traffic movements on the ground and in the air. The current ATM system is saturated as a result of an everlasting growth in air travel demand, leading to delays and potential negative safety impacts. In order to meet future demand, current ATM modernisation initiatives in the European Union and the USA are developing a new concept of operations based on strategic holistic system optimisation. On the airport surface, this is achieved by optimising operations not only during the take-off, landing and taxiing phases, but also during the turnaround process on the apron. This requires the boundary of the ATM system to expand to include new elements, namely the apron. A key deficiency in current initiatives is that, while they focus on capacity, punctuality and cost-effectiveness of the apron, they do not address safety. This has potential negative impacts in terms of setting and prioritising safety targets. Unlike the rest of the aviation domain, which is aircraft-centric, the concept of apron safety is much wider and in addition to aircraft safety, it also includes occupational health and safety. Recent aviation safety statistics show that aircraft accidents attributed to ground handling operations are six times more frequent than those attributed to the ATM. Additionally, the UK Health and Safety Executive (HSE) statistics show worse safety records on the apron when compared to the construction and agricultural industries. Considering the change in the ATM system boundary and the low aviation and occupational health and safety records, the airport apron has been identified in this thesis as a new safety-critical area of the future ATM system. 
    Therefore, a key focus of this thesis is to address current deficiencies with respect to safety management on the apron, by developing a better understanding of the processes carried out on the apron and a new framework for safety assessment, as well as recommending enhancements to existing safety management practices. In contrast to existing safety management practices that are based on a dated understanding of safety (referred to as Safety-I), which is predominantly reactive, the framework proposed in this thesis, for the first time, adopts a state-of-the-art proactive and predictive understanding of safety (referred to as Safety-II) for the apron. The thesis demonstrates for the first time that the existing linear component-based models traditionally used for modelling apron safety do not account for the system complexity. Therefore, the proposed framework develops a state-of-the-art systemic functional Total Apron Safety Management (TASM) model and a corresponding taxonomy of factors that characterise different sources of variability of ground handling services, capable of accounting for dependencies and dynamic interactions between different layers of the apron system (i.e. technological, human and organisational). The proposed functional model and taxonomy have been applied to three case studies in retrospective, prospective and system design analysis, demonstrating the multi-purpose nature of the framework, particularly important under existing financial pressures. In retrospective analysis the proposed functional model and taxonomy have been shown to identify systemic factors previously not found during the occurrence investigation. In prospective analysis, a new protocol for systemic and systematic hazard analysis in complex socio-technical systems (including the apron) was developed.
    Furthermore, a novel conceptual framework for a safety trend analysis based on the TASM framework was developed, offering a quick, simple, cost-effective analysis of large datasets. A key advantage of the TASM framework is that it is transferable to all ground handling services carried out by Ground Service Providers (GSP), airlines and/or airports.

    A formal approach to AADL model-based software engineering

    Formal methods have become a recommended practice in safety-critical software engineering. To be formally verified, a system should be specified with a specific formalism such as Petri nets, automata or process algebras, which requires formal expertise and may become complex, especially with large systems. In this paper, we report our experience in the formal verification of safety-critical real-time systems. We propose a formal mapping for a real-time task model using the LNT language, and we describe how it is used for the integration of a formal verification phase in an AADL model-based development process. We focus on real-time systems with event-driven tasks, asynchronous communication and preemptive fixed-priority scheduling. We provide a complete tool-chain for the automatic model transformation and formal verification of AADL models. Experimentation illustrates our results with the Flight control system and Line follower robot case studies.