56 research outputs found
Integrating formal methods into medical software development : the ASM approach
Medical devices are safety-critical systems since their malfunctions can seriously compromise human safety. Correct operation of a medical device depends upon the controlling software, whose development should adhere to certification standards. However, these standards provide general descriptions of common software engineering activities without any indication regarding particular methods and techniques to assure safety and reliability. This paper discusses how to integrate the use of a formal approach into the current normative for the medical software development. The rigorous process is based on the Abstract State Machine (ASM) formal method, its refinement principle, and model analysis approaches the method supports. The hemodialysis machine case study is used to show how the ASM-based design process covers most of the engineering activities required by the related standards, and provides rigorous approaches for medical software validation and verification
Foundations of the B method
B is a method for specifying, designing and coding software systems. It is based on Zermelo-Fraenkel set theory with the axiom of choice, the concept of generalized substitution and on structuring mechanisms (machine, refinement, implementation). The concept of refinement is the key notion for developing B models of (software) systems in an incremental way. B models are accompanied by mathematical proofs that justify them. Proofs of B models convince the user (designer or specifier) that the (software) system is effectively correct. We provide a survey of the underlying logic of the B method and the semantic concepts related to the B method; we detail the B development process partially supported by the mechanical engine of the prover
On the Extensibility of Formal Methods Tools
Modern software systems often have long lifespans over which they must continually evolve to meet new, and sometimes unforeseen, requirements. One way to effectively deal with this is by developing the system as a series of extensions. As requirements change, the system evolves through the addition of new extensions and, potentially, the removal of existing extensions. In order for this kind of development process to thrive, it is necessary that the system have a high level of extensibility. Extensibility is the capability of a system to support the gradual addition of new, unplanned functionalities. This dissertation investigates extensibility of software systems and focuses on a particular class of software: formal methods tools. The approach is broad in scope. Extensibility of systems is addressed in terms of design, analysis and improvement, which are carried out in terms of source code and software architecture. For additional perspective, extensibility is also considered in the context of formal modelling. The work carried out in this dissertation led to the development of various extensions to the Overture tool supporting the Vienna Development Method, including a new proof obligation generator and integration with theorem provers. Additionally, the extensibility of Overture itself was also improved and it now better supports the development and integration of various kinds of extensions. Finally, extensibility techniques have been applied to formal modelling, leading to an extensible architectural style for formal models
What is the Natural Abstraction Level of an Algorithm?
acceptedVersio
A Comprehensive Study of Declarative Modelling Languages
Declarative behavioural modelling is a powerful modelling paradigm
that enables users to model system functionality abstractly and
formally. An abstract model is a concise and compact representation
of key characteristics of a system, and enables the stakeholders to
reason about the correctness of the system in the early stages of
development.
There are many different declarative languages and they have greatly
varying constructs for representing a transition system, and they
sometimes differ in rather subtle ways. In this thesis, we compare
seven formal declarative modelling languages B, Event-B, Alloy, Dash,
TLA+, PlusCal, and AsmetaL on several criteria. We classify these
criteria under three main categories: structuring transition systems
(control modelling), data descriptions in transition systems (data
modelling), and modularity aspects of modelling. We developed this
comparison by completing a set of case studies across the data-
vs. control-oriented spectrum in all of the above languages.
Structurally, a transition system is comprised of a snapshot
declaration and snapshot space, initialization, and a transition
relation, which is potentially composed of individual transitions. We
meticulously outline the differences between the languages with
respect to how the modeller would express each of the above components
of a transition system in each language, and include discussions
regarding stuttering and inconsistencies in the transition relation.
Data-related aspects of a formal model include use of basic and
composite datatypes, well-formedness and typechecking, and separation
of name spaces with respect to global and local variables. Modularity
criteria includes subtransition systems and data decomposition. We
employ a series of small and concise exemplars we have devised to
highlight these differences in each language. To help modellers
answer the important question of which declarative modelling language
may be most suited for modelling their system, we present
recommendations based on our observations about the differentiating
characteristics of each of these languages
Transitive-closure-based model checking (TCMC) in Alloy
This is a post-peer-review, pre-copyedit version of an article published in Software and Systems Modeling. The final authenticated version is available online at: https://doi.org/10.1007/s10270-019-00763-8We present transitive-closure-based model checking (TCMC): a symbolic representation of the semantics of computational tree logic with fairness constraints (CTLFC) for finite models in first-order logic with transitive closure (FOLTC). TCMC is an expression of the complete model checking problem for CTLFC as a set of constraints in FOLTC without induction, iteration, or invariants. We implement TCMC in the Alloy Analyzer, showing how a transition system can be expressed declaratively and concisely in the Alloy language. Since the total state space is rarely representable due to the state-space explosion problem, we present scoped TCMC where the property is checked for state spaces of a size smaller than the total state space. We address the problem of spurious instances and carefully describe the meaning of results from scoped TCMC with respect to the complete model checking problem. Using case studies, we demonstrate scoped TCMC and compare it with bounded model checking, highlighting how TCMC can check infinite paths
BmcMT: Bounded Model Checking of TLA + Specifications with SMT
International audienceWe present the development version of BmcMT—a symbolic model checker for TLA+. It finds, whether a TLA+ specification satisfies an invariant candidate by checking satisfiability of an SMT formula that encodes: (1) an execution of bounded length, and (2) preservation of the invariant candidate in every state of the execution. Our tool is still in the experimental phase, due to a number of challenges posed by TLA+ semantics to SMT solvers. We will discuss these challenges and our current approach to them in the talk. Our preliminary experiments show that BmcMT scales better than the standard TLA+ model checker TLC for large parameter values, e.g., when a TLA+ specification models a system of 10 processes, though TLC is more efficient for tiny parameters, e.g., when the system has 3 processes.We believe that early feedback from the TLA+ community will help us to focus on the most important language features and improve our tool
TLA+ Model Checking Made Symbolic
International audienceTLA + is a language for formal specification of all kinds of computer systems. System designers use this language to specify concurrent, distributed, and fault-tolerant protocols, which are traditionally presented in pseudo-code. TLA + is extremely concise yet expressive: The language primitives include Booleans, integers, functions, tuples, records, sequences, and sets thereof, which can be also nested. This is probably why the only model checker for TLA + (called TLC) relies on explicit enumeration of values and states. In this paper, we present APALACHE-a first symbolic model checker for TLA +. Like TLC, it assumes that all specification parameters are fixed and all states are finite structures. Unlike TLC, APALACHE translates the underlying transition relation into quantifier-free SMT constraints, which allows us to exploit the power of SMT solvers. Designing this translation is the central challenge that we address in this paper. Our experiments show that APALACHE outperforms TLC on examples with large state spaces
Rigorous development process of a safety-critical system: from ASM models to Java code
The paper presents an approach for rigorous development of safety-critical systems based on the Abstract State Machine formal method. The development process starts from a high level formal view of the system and, through refinement, derives more detailed models till the desired level of specification. Along the process, different validation and verification activities are available, as simulation, model review, and model checking. Moreover, each refinement step can be proved correct using an SMT-based approach. As last step of the refinement process, a Java implementation can be developed and linked to the formal specification. The correctness of the implementation w.r.t. its formal specification can be proved by means of model-based testing and runtime verification. The process is exemplified by using a Landing Gear System as case study
- …