Software engineering : redundancy is key

Software engineers are humans and so they make lots of mistakes. Typically 1 out of 10 to 100 tasks go wrong. The only way to avoid these mistakes is to introduce redundancy in the software engineering process. This article is a plea to consciously introduce several levels of redundancy for each programming task. Depending on the required level of correctness, expressed in a residual error probability (typically 10-3 to 10-10), each programming task must be carried out redundantly 4 to 8 times. This number is hardly influenced by the size of a programming endeavour. Training software engineers does have some effect as non trained software engineers require a double amount of redundant tasks to deliver software of a desired quality. More compact programming, for instance by using domain specific languages, only reduces the number of redundant tasks by a small constant

Soundness-preserving refinements of service compositions

Soundness is one of the well-studied properties of processes; it denotes that a final state can be reached from every state that is reachable from the initial state. Soundness-preserving refinements are important for enabling the compositional design of systems. In this paper we concentrate on refinements of service compositions. We model service compositions using Petri nets, and consider specific pairs of places that belong to different services. Starting from a sound service composition, we show how to check whether such a pair of places can be refined by another sound service composition, so that soundness is preserved through the refinement

Evaluating the effect of formal techniques in industry

In this paper we evaluate the effectiveness of applying a formal component-based approach called Analytical Software Design (ASD) to the development of control software of an industrial project at Philips Healthcare. We analyze the performance of the ASD related tasks carried out during the development processes and report about the main issues encountered. Furthermore, we investigate whether introducing these formal techniques to industry could actually improve the quality and the productivity of the developed code compared to software developed by more traditional development methods

Incorporating formal techniques into industrial practice

We report about experiences with component-based development supported by formal techniques at Philips Healthcare. The formal Analytical Software Design (ASD) approach of the company Verum has been incorporated into the industrial workflow. The commercial tool ASD:Suite supports both compositional verification and code generation for control components. For other components test-driven development has been used. We discuss the results of these combined techniques in a project which developed the power control service of an interventional X-ray system

Prefix orders as a general model of dynamics

In this report we formalize and study the notion of prex order on the executions of general dynamical systems and use basic category theory to show that appropriate structure preserving maps between such orders lead to the well-known notions of bisimulation, renement, product, and union of behavior, without relying on a notion of 'next state'. Thus these notions are generalized to apply to arbitrary dynamical systems, including continuous and hybrid systems

Modelling and verifying IEEE Std 11073-20601 session setup using mCRL2

In this paper we advocate that formal verification should be a part of the development of a communication standard; in a short period of time issues are uncovered that have been in the standard for a number of years, and all subtleties in the correctness of the protocol are understood. We model and verify the session setup protocol that is part of the IEEE 11073-20601:2008 standard for communication between personal health devices. We identify a number of issues present in the standards document. Discussion with a member of the standards committee unveiled that most, but not all, of the identified issues are fixed in the IEEE 11073-20601:2010 version of the standard. In addition, the correctness of the protocol, including the fixes, is assessed. For this, properties of the session setup protocol are formulated, and using the model checker mCRL2 it is verified whether the model satisfies these properties. We show that the session setup protocol is flawed, and propose a straightforward way to fix this issue

Abstraction in parameterised Boolean equation systems

We present a general theory of abstraction for a variety of verification problems. Our theory is set in the framework of parameterized Boolean equation systems. The power of our abstraction theory is compared to that of generalised Kripke modal transition systems (GTSs). We show that for model checking the modal µ-calculus, our abstractions can be exponentially more succinct than GTSs and our theory is as complete as the GTS framework for abstraction. Furthermore, we investigate the completeness of our theory for verification problems other than the modal µ-calculus. We illustrate the potential of our theory through case studies using the first-order modal µ-calculus and a real-time extension thereof, conducted using a prototype implementation of a new syntactic transformation for equation systems

Checking property preservation of refining transformations for model-driven development

In Model-Driven Software Development, a software product is created through iteratively refined modelling. It is crucial that this process preserves certain desirable properties of the initial model. However, checking this is increasingly difficult as the models are increasingly more refined. We propose an incremental model checking technique to determine the preservation of safety and liveness properties in models of concurrent systems with respect to changes applied on individual processes, formalised as transformations of Labelled Transition Systems. The preservation check involves checking bisimilarity between transformed and new behaviour, and never involves reexploring unchanged behaviour. We prove its correctness and demonstrate its applicability

Decomposability in formal conformance testing

We study the problem of deriving a specification for a third-party component, based on the specification of the system and the environment in which the component is supposed to reside. Particularly, we are interested in using component specifications for conformance testing of black-box components, using the theory of input-output conformance (ioco) testing. We propose and prove sufficient criteria for decompositionality, i.e., that components conforming to the derived specification will always compose to produce a correct system with respect to the system specification. We also study the criteria for strong decomposability, by which we can ensure that only those components conforming to the derived specification can lead to a correct system

Resource-aware life cycle models for service-oriented applications managed by a component framework

In this report we present a series of formal models that describe dynamically reconfigurable applications at various stages of their life cycle. It is our intention that these models capture the essential concepts of such applications and the platforms on which they are deployed, and that they indicate the essential activities required to accomplish an application’s transition from one stage of its life cycle to the next. These models aim to support a life cycle in which applications are designed as a combination of services and realized by predefined components that are deployed in a framework specially tailored to the resource management needs of these applications