119 research outputs found
証明責務の構造に基づくEvent-Bモデルの設計および証明支援手法
形式手法Event-B では,証明対象の仕様をモデル記述し,モデルから作成される証明責務を証明することで仕様の正しさを示せる.しかし記述したモデルに矛盾や不備がある場合は,証明責務を証明できない.その場合,その証明責務を満たすようにモデルを修正する.しかし,モデルを修正することにより,既に実施済みの証明が無効化され,証明の手戻りが発生する可能性がある.本研究では,上記証明の手戻りを防止可能なモデル修正手法を提案する.さらに,提案手法の適用可能性および有効性を確認するため,ファイル転送プロトコルを対象とする適用例とその評価結果を示す.また,上記提案手法の前提となるモデル全体像を策定する工程に対しても,分割戦略木と呼ぶ記法に基づく手法を整備する.電気通信大学201
Symbolic Reachability Analysis of B through ProB and LTSmin
We present a symbolic reachability analysis approach for B that can provide a
significant speedup over traditional explicit state model checking. The
symbolic analysis is implemented by linking ProB to LTSmin, a high-performance
language independent model checker. The link is achieved via LTSmin's PINS
interface, allowing ProB to benefit from LTSmin's analysis algorithms, while
only writing a few hundred lines of glue-code, along with a bridge between ProB
and C using ZeroMQ. ProB supports model checking of several formal
specification languages such as B, Event-B, Z and TLA. Our experiments are
based on a wide variety of B-Method and Event-B models to demonstrate the
efficiency of the new link. Among the tested categories are state space
generation and deadlock detection; but action detection and invariant checking
are also feasible in principle. In many cases we observe speedups of several
orders of magnitude. We also compare the results with other approaches for
improving model checking, such as partial order reduction or symmetry
reduction. We thus provide a new scalable, symbolic analysis algorithm for the
B-Method and Event-B, along with a platform to integrate other model checking
improvements via LTSmin in the future
Core Hybrid Event-B I: Single Hybrid Event-B machines
Faced with the increasing need for correctly designed hybrid and cyber-physical systems today, the problem of including provision for continuously varying behaviour as well as the usual discrete changes of state is considered in the context of Event-B. An extension of Event-B called Hybrid Event-B is presented, that accommodates continuous behaviours (called pliant events) in between familiar discrete transitions (called mode events in this context). The continuous state change can be specified by a combination of indirect specification via ordinary differential equations, or direct specification via assignment of variables to values that depend on time, or indirect specification by demanding that behaviour obeys a time dependent predicate. The syntactic elements of the extension are discussed, and the semantics is described in terms of the properties of time dependent valuations of variables. Refinement is examined in detail, with reference to the notion of refinement inherited from discrete Event-B. A full suite of proof obligations is presented, covering all aspects of the new framework. A selection of examples and case studies is presented. A particular challenge - bearing in mind the desirability of conforming to existing intuitions about discrete Event-B, and the impact on tool support (as embodied in tools for discrete Event-B like Rodin) - is to design the whole framework so as to disturb as little as possible the existing structures for handling discrete Event-B
Circus Models for Safety-Critical Java Programs
Safety-critical Java (SCJ) is a restriction of the real-time specification for Java to support the development and certification of safety-critical applications. The SCJ technology specification is the result of an international effort from industry and academia. In this paper, we present a formalization of the SCJ Level 1 execution model, formalize a translation strategy from SCJ into a refinement notation and describe a tool that largely automates the generation of the formal models. Our modelling language is part of the Circus family; at the core, we have Z, communicating sequential processes and Morgan’s calculus, but we also use object-oriented and timed constructs from the OhCircus and Circus Time variants. Our work is an essential ingredient for the development of refinement-based reasoning techniques for SCJ
A Formal Methodology for Engineering Heterogeneous Railway Signalling Systems
Ph. D. Thesis.Over the last few decades, the safety assurance of cyber-physical systems has become one of the
biggest challenges in the field of model-based system engineering. The challenge arises from an
immense complexity of cyber-physical systems which have deeply intertwined physical, software
and network system aspects.
With significant improvements in a wireless communication and microprocessor technologies,
the railway domain has become one of the frontiers for deploying cyber-physical signalling
systems. However, because of the safety-critical nature of railway signalling systems, the
highest level of safety assurance is essential. This study attempts to address the challenge of
guaranteeing the safety of cyber-physical railway signalling systems by proposing a development
methodology based on formal methods. In particular, this study is concerned with the safety
assurance of heterogeneous cyber-physical railway signalling systems, which have emerged by
gradually replacing outdated signalling systems and integrating mainline with urban signalling
systems. The main contribution of this work is a formal development methodology of railway
signalling systems. The methodology is based on the Event-B modelling language, which
provides an expressive modelling language, a stepwise model development and a proof-based
model verification. At the core of the methodology is a generic communication-based railway
signalling Event-B model, which can be further refined to capture specific heterogeneous or
homogeneous railway signalling configurations. In order to make signalling modelling more
systematic we developed communication and hybrid railway signalling modelling patterns.
The proposed methodology and modelling patterns have been evaluated on two case studies.
The evaluation shows that the methodology does provide a system-level railway signalling
modelling and verification method. This is crucial for verifying the safety of cyber-physical
systems, as safety is dependent on interactions between different subsystems. However, the study
has also shown that automatic formal verification of hybrid systems is still a major challenge and
must be addressed in the future work in order to make this methodology more practical.(EPSRC and Siemens
Rail Automation
- …