11 research outputs found

    Enterprise model verification and validation : an approach

    This article presents a verification and validation approach intended to complete the classical toolbox that an industrial user may draw on in the enterprise modelling and integration domain. The approach, which has been defined independently of any application domain, is based on several formal concepts and tools presented in the paper: property concepts, a property reference matrix, property graphs, an enterprise-modelling domain ontology, conceptual graphs, and formal reasoning mechanisms.

    Combining "model checking" and "proof checking" in the analysis of real-time systems (original title: Combinando "model checking" y "proof checking" en el análisis de sistemas de tiempo real)

    Applications in which time plays an important role are becoming ever more frequent: for example, communication protocols; controllers for robots, aircraft commands, railway level crossings, automated industrial processes and electronic (or electromechanical) devices; multimedia and internet applications; among others. In general these are critical applications, in which a failure or malfunction can have serious consequences, such as putting human lives and/or large economic investments at risk. The behaviour of these systems, called real-time systems, is not determined solely by the sequence of actions that are executed, but also by the moment at which they occur and are processed. Execution time is "the" fundamental parameter in the behaviour of this class of systems, and a large part, perhaps the most important part, of their requirements are temporal: "such-and-such an action must execute within a given time span", "the time elapsed between two events or signals must be bounded by a constant value", etc. Track: Distributed and real-time systems. Red de Universidades con Carreras en Informática (RedUNCI).

    Hazard elimination using backwards reachability techniques in discrete and hybrid models

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics, February 2002. Includes bibliographical references (leaves 173-181). One of the most important steps in hazard analysis is determining whether a particular design can reach a hazardous state and, if it can, how to change the design to ensure that it does not. In most cases this is done through testing, simulation or even less rigorous processes, none of which provide much confidence for complex systems. Because state spaces for software can be enormous (which is why testing is not an effective way to accomplish the goal), the innovative Hazard Automaton Reduction Algorithm (HARA) starts at a hypothetical unsafe state and uses backwards reachability techniques to obtain enough information to determine how to design so that the state cannot be reached. State machine models are very powerful, but they also present greater challenges in terms of reachability, including the backwards reachability needed to implement the Hazard Automaton Reduction Algorithm. The key to solving the backwards reachability problem lies in converting the state machine model into a controls state-space formulation and creating a state transition matrix. Each successive step backward from the hazardous state then involves only one n by n matrix manipulation. Therefore only a finite number of matrix manipulations is necessary to determine whether or not a state is reachable from another state, providing the same information that could be obtained from a complete backwards reachability graph of the state machine model. Unlike model checking, the computational cost does not increase as greatly with the number of backward states that must be visited to obtain the information necessary to ensure that the design is safe or to redesign it to be safe. The functionality and optimality of this approach is proved in both the discrete and the hybrid case. The new approach of the Hazard Automaton Reduction Algorithm combined with backwards reachability controls techniques was demonstrated on a black-box model of a real aircraft altitude switch. The algorithm is being implemented in a commercial specification language (SpecTRM-RL), and SpecTRM-RL is formally extended to include continuous and hybrid models. An analysis of the safety of a medium-term conflict detection algorithm (MTCD) for aircraft, which is being developed and tested by Eurocontrol for use in European Air Traffic Control, is performed. Attempts to validate such conflict detection algorithms are currently challenging researchers worldwide. Model checking is unsatisfactory in general for this problem because backwards reachability using model checking lacks a termination guarantee; the new state-space controls approach does not encounter this problem. By Natasha Anita Neogi. Ph.D.

    Specification and analysis of real-time systems in type theory. Case study: the railroad crossing example (original title: Especificación y análisis de sistemas de tiempo real en teoría de tipos. Caso de estudio: the railroad crossing example)

    For the analysis of reactive and real-time systems, two important formal approaches stand out: model checking, and deductive analysis based on proof assistants. The first is characterised by automation but has difficulty with systems that involve a large number of states or that have variable, unbounded parameters. The second can handle arbitrary systems but requires user interaction. This work explores a working methodology that reconciles the use of a model checker such as Kronos with the proof assistant Coq in the analysis of real-time systems. To that end we formalise timed graphs (automata) and the logic TCTL (and CTL) in Coq's calculus of inductive and co-inductive constructions, so as to have specification and analysis languages common to both tools. The graphs are used to describe the systems, while the logic is used to specify the temporal requirements. An important part of the work is devoted to studying how to reason deductively in Coq about this class of systems (the usefulness of inductive types and the need for co-inductive types), initially assuming a discrete-time model. Special emphasis is placed on the analysis of a case study regarded as a benchmark in several works: the control of a railway level crossing ("the railroad crossing example"). This problem is used to evaluate and validate some of the proposed formalisations.

    Verification of real-time systems : improving tool support

    We address a number of limitations of Timed Automata and real-time model-checkers which undermine the reliability of formal verification. In particular, we focus on the model-checker Uppaal as a representative of this technology. Timelocks and Zeno runs represent anomalous behaviours in a timed automaton and may invalidate the verification of safety and liveness properties. Currently, model-checkers do not offer adequate support to prevent or detect such behaviours. In response, we develop new methods to guarantee timelock-freedom and absence of Zeno runs, which improve and complement the existing support. We implement these methods in a tool to check Uppaal specifications. The requirements language of model-checkers is not well suited to expressing sequence and iteration of events, or past computations. As a result, validation problems may arise during verification (i.e., the property that we verify may not accurately reflect the intended requirement). We study the logic PITL, a rich propositional subset of Interval Temporal Logic, in which these requirements can be expressed more intuitively than in model-checkers. However, PITL has a decision procedure with worst-case non-elementary complexity, which has hampered the development of efficient tool support. To address this problem, we propose (and implement) a translation from PITL to the second-order logic WS1S, for which an efficient decision procedure is provided by the tool MONA. Thanks to the many optimisations included in MONA, we obtain an efficient decision procedure for PITL despite its non-elementary complexity. Data variables in model-checkers are restricted to bounded domains in order to obtain fully automatic verification. However, this may be too restrictive for certain kinds of specifications (e.g., when we need to reason about unbounded buffers). In response, we develop the theory of Discrete Timed Automata as an alternative formalism for real-time systems. In Discrete Timed Automata, WS1S is used as the assertion language, which enables MONA to assist invariance proofs. Furthermore, the semantics of urgency and synchronisation adopted in Discrete Timed Automata guarantee, by construction, that specifications are free from a large class of timelocks. Thus, we argue that well-timed specifications are easier to obtain in Discrete Timed Automata than in Timed Automata and most other notations for real-time systems. EThOS - Electronic Theses Online Service, GB, United Kingdom.

    Use of synchronous concurrent algorithms in the development of safety related software.

    This thesis investigates the use of Synchronous Concurrent Algorithms (SCAs) in the development of safety-related software, where stricter adherence to mathematical correctness is required. The original model of SCAs is extended to produce abstract and concrete dynamic SCAs (dSCAs), which allow dynamic but predictable SCAs to be produced whose wiring may differ at different values of a program counter. A relaxed implementation of the Generalised Railroad Crossing Problem is used to demonstrate each of the SCA models. SCAs were originally defined by Tucker and Thompson and were restricted to unit delays between modules. Hobley investigated the introduction of non-unit-delay SCAs and how they may be represented as unit-delay SCAs. Poole, Tucker and Thompson introduced the concept of hierarchies of Spatially Expanded Systems, of which SCAs are a form. All of these tools are used and expanded upon in this thesis to provide a mechanism that enables an SCA representation of an algorithm to be transformed into an SCA representation of a computing device implementing that algorithm, and that allows correctness to be demonstrated. As each SCA model can be represented algebraically, this thesis provides the transformations as meta-algebras, i.e. algebras that transform one algebra into another algebra.

    Deductive Verification of Real-time Systems Using STeP

    We present a modular framework for proving temporal properties of real-time systems, based on clocked transition systems and linear-time temporal logic. We show how deductive verification rules, verification diagrams and automatic invariant generation can be used to establish properties of real-time systems in this framework. As an example, we present the mechanical verification of the generalized railroad crossing case study using the Stanford Temporal Prover, STeP.