A DSS For Reservoirs Operation Based On The Execution Of Formal Models

Controlling the evolution of a reservoir in a flood episode can be critical, especially in Mediterranean basins where the concentration time is very short. In this situation, an automatic software tool can help the reservoir manager to make a quick decision. In this paper we present a DSS based on the execution of formal models by means of model checking. This technique exhaustively explores the different execution branches of a model of the system. The DSS addresses two flood control tasks. First, the DSS simulates the evolution of the reservoir (the water stored and released) when applying a predefined flood control strategy. Second, and probably the most important task, the DSS generates, in a short time, new flood control strategies based on a prediction of the water inflow and the goals and constraints imposed by the dam manager. This task is associated with the concept of risk in its technical sense; that is, the probability of occurrence of an extreme event and the damage cost associated. The DSS returns a set of maneuvers over the dam gates that control the evolution of the dam level following the goals and constrains imposed by the dam manager. Currently, the DSS includes hybrid model of a specific dam located in the city of Marbella. This model describes the continuous discharge curves and the discrete opening degrees of the dam gates. Other models of Andalusian dams will be included soon. In addition, there are discrete models of two flood control strategies (Dordogne and MEV) that can be applied. Moreover in order to generate new strategies, the DSS uses a non-deterministic model that simulates the dam manager. We present some case studies where we evaluate the performance of the tool and the suitability of the control strategies generated for different historical flood episodes

Formal Methods: From Academia to Industrial Practice. A Travel Guide

For many decades, formal methods are considered to be the way forward to help the software industry to make more reliable and trustworthy software. However, despite this strong belief and many individual success stories, no real change in industrial software development seems to be occurring. In fact, the software industry itself is moving forward rapidly, and the gap between what formal methods can achieve and the daily software-development practice does not appear to be getting smaller (and might even be growing). In the past, many recommendations have already been made on how to develop formal-methods research in order to close this gap. This paper investigates why the gap nevertheless still exists and provides its own recommendations on what can be done by the formal-methods-research community to bridge it. Our recommendations do not focus on open research questions. In fact, formal-methods tools and techniques are already of high quality and can address many non-trivial problems; we do give some technical recommendations on how tools and techniques can be made more accessible. To a greater extent, we focus on the human aspect: how to achieve impact, how to change the way of thinking of the various stakeholders about this issue, and in particular, as a research community, how to alter our behaviour, and instead of competing, collaborate to address this issue.Comment: 22 pages, 0 figure

Using Agent JPF to Build Models for Other Model Checkers

Abstract. We describe an extension to the AJPF agent program modelchecker so that it may be used to generate models for input into other, non-agent, model-checkers. We motivate this adaptation, arguing that it improves the efficiency of the model-checking process and provides access to richer property specification languages. We illustrate the approach by describing the export of AJPF program models to Spin and Prism. In the case of Spin we also investigate, experimentally, the effect the process has on the overall efficiency of modelchecking.

A comparison of two different model checking techniques

Thesis (MSc)--University of Stellenbosch, 2003.ENGLISH ABSTRACT: Model checking is a computer-aided verification technique that is used to verify properties about the formal description of a system automatically. This technique has been applied successfully to detect subtle errors in reactive systems. Such errors are extremely difficult to detect by using traditional testing techniques. The conventional method of applying model checking is to construct a model manually either before or after the implementation of a system. Constructing such a model requires time, skill and experience. An alternative method is to derive a model from an implementation automatically. In this thesis two techniques of applying model checking to reactive systems are compared, both of which have problems as well as advantages. Two specific strategies are compared in the area of protocol development: 1. Structuring a protocol as a transition system, modelling the system, and then deriving an implementation from the model. 2. Automatically translating implementation code to a verifiable model. Structuring a reactive system as a transition system makes it possible to verify the control flow of the system at implementation level-as opposed to verifying the control flow at abstract level. The result is a closer correspondence between implementation and specification (model). At the same time testing, which is restricted to small, independent code fragments that manipulate data, is simplified significantly. The construction of a model often takes too long; therefore, verification results may no longer be applicable when they become available. To address this problem, the technique of automated model extraction was suggested. This technique aims to reduce the time required to construct a model by minimising manual input during model construction. A transition system is a low-level formalism and direct execution through interpretation is feasible. However, the overhead of interpretation is the major disadvantage of this technique. With automated model extraction there are disadvantages too. For example, differences between the implementation and specification languages-such as constructs present in the implementation language that cannot be expressed in the modelling language-make the development of an automated model extraction tool extremely difficult. In conclusion, the two techniques are compared against a set of software development considerations. Since a specific technique is not always preferable, guidelines are proposed to help select the best approach in different circumstances.AFRIKAANSE OPSOMMING: Modeltoetsing is 'n rekenaargebaseerde verifikasietegniek wat gebruik word om eienskappe rakende 'n formele spesifikasie van 'n stelsel te verifieer. Die tegniek is al suksesvol toegepas om subtiele foute in reaktiewe stelsels op te spoor. Sulke foute word uiters moeilik opgespoor as tradisionele toetsings tegnieke gebruik word. Tradisioneel word modeltoetsing toegepas deur 'n model te bou voor of na die implementasie van 'n stelsel. Om'n model te bou verg tyd, vernuf en ervaring. 'n Alternatiewe metode is om outomaties 'n model van 'n implementasie af te lei. In hierdie tesis word twee toepassingstegnieke van modeltoetsing vergelyk, waar beide tegnieke beskik oor voordele sowel as nadele. Twee strategieë word vergelyk in die gebied van protokol ontwikkeling: 1. Om 'n protokol as 'n oorgangsstelsel te struktureer, dit te moduleer en dan 'n implementasie van die model af te lei. 2. Om outomaties 'n verifieerbare model van 'n implementasie af te lei. Om 'n reaktiewe stelsel as 'n oorgangsstelsel te struktureer maak dit moontlik om die kontrolevloei op implementasie vlak te verifieer-in teenstelling met verifikasie van kontrolevloei op 'n abstrakte vlak. Die resultaat is 'n nouer band wat bestaan tussen die implementasie en die spesifikasie. Terselfdetyd word toetsing, wat beperk word tot klein, onafhanklike kodesegmente wat data manupileer, beduidend vereenvoudig. Die konstruksie van 'n model neem soms te lank; gevolglik, wanneer die verifikasieresultate beskikbaar word, is dit dalk nie meer toepaslik op die huidige weergawe van 'n implementasie nie. Om die probleem aan te spreek is 'n tegniek om modelle outomaties van implementasies af te lei, voorgestel. Die doel van die tegniek is om die tyd wat dit neem om 'n model te bou te verminder deur handtoevoer tot 'n minimum te beperk. 'n Oorgangsstelsel is 'n laevlak formalisme en direkte uitvoering deur interpretasie is wesenlik. Die oorhoofse koste van die interpreteerder is egter die grootste nadeel van die tegniek. Daar is ook nadele wat oorweeg moet word rakende die tegniek om outomaties modelle van implementasies af te lei. Byvoorbeeld, verskille tussen die implementasietaal en spesifikasietaal=-soos byvoorbleed konstrukte wat in die implementasietaal gebruik word wat nie in die modeleringstaal voorgestel kan word nie-vrnaak die ontwikkeling van 'n modelafieier uiters moeilik. As gevolg word die twee tegnieke vergelyk teen 'n stel van programatuurontwikkelingsoorwegings. Omdat 'n spesifieke tegniek nie altyd voorkeur kan geniet nie, word riglyne voorgestel om te help met die keuse om die beste tegniek te kies in verskillende omstandighede

Simulation and statistical model-checking of logic-based multi-agent system models

This thesis presents SALMA (Simulation and Analysis of Logic-Based Multi- Agent Models), a new approach for simulation and statistical model checking of multi-agent system models. Statistical model checking is a relatively new branch of model-based approximative verification methods that help to overcome the well-known scalability problems of exact model checking. In contrast to existing solutions, SALMA specifies the mechanisms of the simulated system by means of logical axioms based upon the well-established situation calculus. Leveraging the resulting first-order logic structure of the system model, the simulation is coupled with a statistical model-checker that uses a first-order variant of time-bounded linear temporal logic (LTL) for describing properties. This is combined with a procedural and process-based language for describing agent behavior. Together, these parts create a very expressive framework for modeling and verification that allows direct fine-grained reasoning about the agents’ interaction with each other and with their (physical) environment. SALMA extends the classical situation calculus and linear temporal logic (LTL) with means to address the specific requirements of multi-agent simulation models. In particular, cyber-physical domains are considered where the agents interact with their physical environment. Among other things, the thesis describes a generic situation calculus axiomatization that encompasses sensing and information transfer in multi agent systems, for instance sensor measurements or inter-agent messages. The proposed model explicitly accounts for real-time constraints and stochastic effects that are inevitable in cyber-physical systems. In order to make SALMA’s statistical model checking facilities usable also for more complex problems, a mechanism for the efficient on-the-fly evaluation of first-order LTL properties was developed. In particular, the presented algorithm uses an interval-based representation of the formula evaluation state together with several other optimization techniques to avoid unnecessary computation. Altogether, the goal of this thesis was to create an approach for simulation and statistical model checking of multi-agent systems that builds upon well-proven logical and statistical foundations, but at the same time takes a pragmatic software engineering perspective that considers factors like usability, scalability, and extensibility. In fact, experience gained during several small to mid-sized experiments that are presented in this thesis suggest that the SALMA approach seems to be able to live up to these expectations.In dieser Dissertation wird SALMA (Simulation and Analysis of Logic-Based Multi-Agent Models) vorgestellt, ein im Rahmen dieser Arbeit entwickelter Ansatz für die Simulation und die statistische Modellprüfung (Model Checking) von Multiagentensystemen. Der Begriff „Statistisches Model Checking” beschreibt modellbasierte approximative Verifikationsmethoden, die insbesondere dazu eingesetzt werden können, um den unvermeidlichen Skalierbarkeitsproblemen von exakten Methoden zu entgehen. Im Gegensatz zu bisherigen Ansätzen werden in SALMA die Mechanismen des simulierten Systems mithilfe logischer Axiome beschrieben, die auf dem etablierten Situationskalkül aufbauen. Die dadurch entstehende prädikatenlogische Struktur des Systemmodells wird ausgenutzt um ein Model Checking Modul zu integrieren, das seinerseits eine prädikatenlogische Variante der linearen temporalen Logik (LTL) verwendet. In Kombination mit einer prozeduralen und prozessorientierten Sprache für die Beschreibung von Agentenverhalten entsteht eine ausdrucksstarke und flexible Plattform für die Modellierung und Verifikation von Multiagentensystemen. Sie ermöglicht eine direkte und feingranulare Beschreibung der Interaktionen sowohl zwischen Agenten als auch von Agenten mit ihrer (physischen) Umgebung. SALMA erweitert den klassischen Situationskalkül und die lineare temporale Logik (LTL) um Elemente und Konzepte, die auf die spezifischen Anforderungen bei der Simulation und Modellierung von Multiagentensystemen ausgelegt sind. Insbesondere werden cyber-physische Systeme (CPS) unterstützt, in denen Agenten mit ihrer physischen Umgebung interagieren. Unter anderem wird eine generische, auf dem Situationskalkül basierende, Axiomatisierung von Prozessen beschrieben, in denen Informationen innerhalb von Multiagentensystemen transferiert werden – beispielsweise in Form von Sensor- Messwerten oder Netzwerkpaketen. Dabei werden ausdrücklich die unvermeidbaren stochastischen Effekte und Echtzeitanforderungen in cyber-physischen Systemen berücksichtigt. Um statistisches Model Checking mit SALMA auch für komplexere Problemstellungen zu ermöglichen, wurde ein Mechanismus für die effiziente Auswertung von prädikatenlogischen LTL-Formeln entwickelt. Insbesondere beinhaltet der vorgestellte Algorithmus eine Intervall-basierte Repräsentation des Auswertungszustands, sowie einige andere Optimierungsansätze zur Vermeidung von unnötigen Berechnungsschritten. Insgesamt war es das Ziel dieser Dissertation, eine Lösung für Simulation und statistisches Model Checking zu schaffen, die einerseits auf fundierten logischen und statistischen Grundlagen aufbaut, auf der anderen Seite jedoch auch pragmatischen Gesichtspunkten wie Benutzbarkeit oder Erweiterbarkeit genügt. Tatsächlich legen erste Ergebnisse und Erfahrungen aus mehreren kleinen bis mittelgroßen Experimenten nahe, dass SALMA diesen Zielen gerecht wird

Model checking techniques for runtime testing and QoS analysis

Los sistemas software y hardware se encuentran cada vez más presentes en nuestras vidas, en multitud de campos de aplicación y de cualquier tamaño. El análisis de estos sistemas es una tarea dura pero necesaria para garantizar que cumplan con sus requisitos. Estos requisitos pueden ser de varios tipos, como evitar comportamientos erróneos u ofrecer un rendimiento satisfactorio. Existen muchas técnicas y herramientas diseñadas para atacar este problema. Por lo general, se aplican distintas técnicas dependiendo del tipo de sistema, fase de desarrollo o tipo de análisis. El model checking es una de estas técnicas de análisis. Un model checker analiza el espacio de estados de un sistema para comprobar si el sistema cumple una propiedad dada. Sin embargo, según aumenta la complejidad del sistema a analizar, su espacio de estados crece rápidamente, hasta llegar a un punto en el que no es factible analizarlo. En esta tesis proponemos una solución integrada basada en model checking para analizar sistemas cuyo comportamiento pueda ser observado en forma de trazas de ejecución. Hemos llamado a esta solución OptySim. Nuestra solución permite acceder a sistemas externos de una forma uniforme, permitiendo realizar distintos tipos de análisis sobre diferentes tipos de sistemas de una forma más homogénea. OptySim trata con un conjunto de trazas de ejecución, que representan un subconjunto del espacio de estados completo del sistema. Para obtener dichas trazas el sistema se ejecuta repetidas veces, posiblemente variando parámetros del sistema de acuerdo a las instrucciones del usuario, generándose una traza por cada ejecución. El contenido de las trazas depende de cada sistema, y además puede variar dependiendo de las necesidades del análisis. Para ello se pueden aplicar una de las proyecciones que se han definido, y que transforman trazas completas en trazas abstractas con una menor, pero suficiente para los propósitos del análisis, cantidad de información. El análisis está guiado por uno o más objetivos establecidos por el usuario, tales como asertos o fórmulas de lógica temporal (LTL), y que le dan al análisis el significado pretendido por el usuario. Los objetivos pueden indicar tanto propiedades deseables del sistema, por ejemplo una meta de rendimiento, como propiedades que no deben ocurrir, por ejemplo una condición de error. OptySim se ha aplicado a varios casos de estudio en varias áreas y con distintos propósitos, para demostrar su utilidad. En primer lugar se ha integrado con el simulador de redes ns-2, para análisis de fiabilidad y rendimiento, optimización de parámetros, y validación y ajuste de modelos. Para el segundo grupo de casos de estudio, se ha integrado con una máquina virtual de Java para analizar programas escritos en dicho lenguaje de programación. En esta ocasión, todos los casos de estudio están enfocados a la depuración de programas

Formal analysis of communication protocols for wireless sensor systems

Sensor technology is an increasingly popular area of research due to the prevalent use of sensor devices. With the need for accurate, detailed data sensors are increasingly often used together in sensor networks. As the size of these sensor networks grows, so does the importance of efficient methods for their analysis for the prevention of system errors and discovery of design flaws. The increasing number of sensor devices leads to an exponential increase is the state space of the associated model. As such models of realistic systems are decreasingly often small enough for their verification to be feasible. Symmetry reduction techniques developed over the last 30 years, have been shown to be effective in reducing the state space explosion problem, particularly in the case of heterogeneous sensor systems, which contain many identical sensor devices. In this thesis we present our approach to verifying Ctrl-MAC, a novel wireless network protocol that supports bidirectional communication of multiple simultaneous physical properties. We explore the extent to which symmetry reduction can aid the model checking process for a sensor network communication protocol. We present our results, and suggest statistical approaches based on our observations of the protocol. We investigate the use of automated tools for the application of symmetry reduction, in particular GRIP, which is well suited for symmetry reduction of wireless sensor network systems. Models of communication protocols often require the use of synchronisation to model the interaction between devices. We present GRIP 3.0, a new version of the tool, which provides support for the use of synchronised transition statements. We provide results from practical work, coupled together with a discussion of drawbacks and future improvements