Towards Realizability Checking of Contracts using Theories

Virtual integration techniques focus on building architectural models of systems that can be analyzed early in the design cycle to try to lower cost, reduce risk, and improve quality of complex embedded systems. Given appropriate architectural descriptions and compositional reasoning rules, these techniques can be used to prove important safety properties about the architecture prior to system construction. Such proofs build from "leaf-level" assume/guarantee component contracts through architectural layers towards top-level safety properties. The proofs are built upon the premise that each leaf-level component contract is realizable; i.e., it is possible to construct a component such that for any input allowed by the contract assumptions, there is some output value that the component can produce that satisfies the contract guarantees. Without engineering support it is all too easy to write leaf-level components that can't be realized. Realizability checking for propositional contracts has been well-studied for many years, both for component synthesis and checking correctness of temporal logic requirements. However, checking realizability for contracts involving infinite theories is still an open problem. In this paper, we describe a new approach for checking realizability of contracts involving theories and demonstrate its usefulness on several examples.Comment: 15 pages, to appear in NASA Formal Methods (NFM) 201

CBR and MBR techniques: review for an application in the emergencies domain

The purpose of this document is to provide an in-depth analysis of current reasoning engine practice and the integration strategies of Case Based Reasoning and Model Based Reasoning that will be used in the design and development of the RIMSAT system. RIMSAT (Remote Intelligent Management Support and Training) is a European Commission funded project designed to: a.. Provide an innovative, 'intelligent', knowledge based solution aimed at improving the quality of critical decisions b.. Enhance the competencies and responsiveness of individuals and organisations involved in highly complex, safety critical incidents - irrespective of their location. In other words, RIMSAT aims to design and implement a decision support system that using Case Base Reasoning as well as Model Base Reasoning technology is applied in the management of emergency situations. This document is part of a deliverable for RIMSAT project, and although it has been done in close contact with the requirements of the project, it provides an overview wide enough for providing a state of the art in integration strategies between CBR and MBR technologies.Postprint (published version

Specifying Reusable Components

Reusable software components need expressive specifications. This paper outlines a rigorous foundation to model-based contracts, a method to equip classes with strong contracts that support accurate design, implementation, and formal verification of reusable components. Model-based contracts conservatively extend the classic Design by Contract with a notion of model, which underpins the precise definitions of such concepts as abstract equivalence and specification completeness. Experiments applying model-based contracts to libraries of data structures suggest that the method enables accurate specification of practical software

How Sample Completeness Affects Gamma-Ray Burst Classification

Unsupervised pattern recognition algorithms support the existence of three gamma-ray burst classes; Class I (long, large fluence bursts of intermediate spectral hardness), Class II (short, small fluence, hard bursts), and Class III (soft bursts of intermediate durations and fluences). The algorithms surprisingly assign larger membership to Class III than to either of the other two classes. A known systematic bias has been previously used to explain the existence of Class III in terms of Class I; this bias allows the fluences and durations of some bursts to be underestimated (Hakkila et al., ApJ 538, 165, 2000). We show that this bias primarily affects only the longest bursts and cannot explain the bulk of the Class III properties. We resolve the question of Class III existence by demonstrating how samples obtained using standard trigger mechanisms fail to preserve the duration characteristics of small peak flux bursts. Sample incompleteness is thus primarily responsible for the existence of Class III. In order to avoid this incompleteness, we show how a new dual timescale peak flux can be defined in terms of peak flux and fluence. The dual timescale peak flux preserves the duration distribution of faint bursts and correlates better with spectral hardness (and presumably redshift) than either peak flux or fluence. The techniques presented here are generic and have applicability to the studies of other transient events. The results also indicate that pattern recognition algorithms are sensitive to sample completeness; this can influence the study of large astronomical databases such as those found in a Virtual Observatory.Comment: 29 pages, 6 figures, 3 tables, Accepted for publication in The Astrophysical Journa

Seismicity rate immediately before and after mainshock rupture from high-frequency waveforms in Japan

International audienceWe analyze seismicity rate immediately before and after 82 mainshocks with the magnitudes ranging from 3 to 5 using waveforms recorded by the Hi-net borehole array in Japan. By scrutinizing high-frequency signals, we detect ~5 times as many aftershocks in the first 200 s as in the Japan Meteorological Agency catalogue. After correcting for the changing completeness level immediately after the mainshock, the aftershock rate shows a crossover from a slower decay with an Omori's law exponent p = 0.58±0.08 between 20 and 900 s after the mainshock, to a faster decay with p = 0.92±0.04 after 900 s. The foreshock seismicity rate follows an inverse Omori's law with p = 0.73±0.07 from several tens of days up to several hundred seconds before the mainshock. The seismicity rate in the 200 s immediately before the mainshock appears steady with p = 0.36±0.45. These observations can be explained by the epidemic-type aftershock sequence (ETAS) model, and the rate-and-state model for a heterogeneous stress field on the mainshock rupture plane. Alternatively, non-seismic stress changes near the source region, such as episodic aseismic slip, or pore fluid pressure fluctuations, may be invoked to explain the observation of small p values immediately before and after the mainshock