Construction of formal models and verifying property specifications through an example of railway interlocking systems

Abstract The use of formal modeling has seen an increasing interest in the development of safety-critical, embedded microcomputer-controlled railway interlocking systems, due to its ability to specify the behavior of the systems using mathematically precise rules. The research goal is to prepare a specification-verification environment, which supports the developer of the railway interlocking systems in the creation of a formally-proven correct design and at the same time hides the inherent mathematical-computer since related background knowledge. The case study is presented with the aim to summarize the process of formalizing a domain specification, and to show further application possibilities (e.g. verification methods)

Reactive system verification case study: Fault-tolerant transputer communication

A reactive program is one which engages in an ongoing interaction with its environment. A system which is controlled by an embedded reactive program is called a reactive system. Examples of reactive systems are aircraft flight management systems, bank automatic teller machine (ATM) networks, airline reservation systems, and computer operating systems. Reactive systems are often naturally modeled (for logical design purposes) as a composition of autonomous processes which progress concurrently and which communicate to share information and/or to coordinate activities. Formal (i.e., mathematical) frameworks for system verification are tools used to increase the users' confidence that a system design satisfies its specification. A framework for reactive system verification includes formal languages for system modeling and for behavior specification and decision procedures and/or proof-systems for verifying that the system model satisfies the system specifications. Using the Ostroff framework for reactive system verification, an approach to achieving fault-tolerant communication between transputers was shown to be effective. The key components of the design, the decoupler processes, may be viewed as discrete-event-controllers introduced to constrain system behavior such that system specifications are satisfied. The Ostroff framework was also effective. The expressiveness of the modeling language permitted construction of a faithful model of the transputer network. The relevant specifications were readily expressed in the specification language. The set of decision procedures provided was adequate to verify the specifications of interest. The need for improved support for system behavior visualization is emphasized

Decentralized control using compositional analysis techniques

Decentralized control strategies aim at achieving a global control target by means of distributed local controllers acting on individual subsystems of the overall plant. In this sense, decentralized control is a dual problem to compositional analysis where a global verification task is decomposed into several local tasks involving components of the overall system. In this paper we apply recently developed compositional reasoning techniques to decentralized control problems for linear systems. We assume the global plant and global specification to be both given as series of feedback interconnections. In this setting compositional and assume-guarantee reasoning schemes can be shown to be valid. Provided the local controllers are such that the locally controlled subsystems of the plant satisfy their respective sub-specifications the network of locally controlled plants is then guaranteed to satisfy the global specification

Specification and verification of distributed technical systems with central control

This paper presents an algebraic approach to the specification and verification of distributed technical systems, which are controlled by a central control program. The approach is demonstrated by its application to the case study "production cell". The approach uses first-order specifications to describe the possible behaviour of the system. Specifications are structured according to the physical structure of the system. A PASCAL-like program is used to enforce intended behaviour. The whole case study, including specification as well as verification of lifeness and safety conditions, is carried out using the KIV system. This research was sponsored by the BMFT project KORSO

What is the method in applying formal methods to PLC applications?

The question we investigate is how to obtain PLC applications with confidence in their proper functioning. Especially, we are interested in the contribution that formal methods can provide for their development. Our maxim is that the place of a particular formal method in the total picture of system development should be made very clear. Developers and customers ought to understand very well what they can rely on or not, and we see our task in trying to make this explicit. Therefore, for us the answer to the question above leads to the following questions: Which parts of the system can be treated formally? What formal methods and tools can be applied? What does their successful application tell (or does not) about the proper functioning of the whole system