Formal Verification of Real-Time Function Blocks Using PVS

A critical step towards certifying safety-critical systems is to check their conformance to hard real-time requirements. A promising way to achieve this is by building the systems from pre-verified components and verifying their correctness in a compositional manner. We previously reported a formal approach to verifying function blocks (FBs) using tabular expressions and the PVS proof assistant. By applying our approach to the IEC 61131-3 standard of Programmable Logic Controllers (PLCs), we constructed a repository of precise specification and reusable (proven) theorems of feasibility and correctness for FBs. However, we previously did not apply our approach to verify FBs against timing requirements, since IEC 61131-3 does not define composite FBs built from timers. In this paper, based on our experience in the nuclear domain, we conduct two realistic case studies, consisting of the software requirements and the proposed FB implementations for two subsystems of an industrial control system. The implementations are built from IEC 61131-3 FBs, including the on-delay timer. We find issues during the verification process and suggest solutions.Comment: In Proceedings ESSS 2015, arXiv:1506.0325

Abstract State Machines 1988-1998: Commented ASM Bibliography

An annotated bibliography of papers which deal with or use Abstract State Machines (ASMs), as of January 1998.Comment: Also maintained as a BibTeX file at http://www.eecs.umich.edu/gasm

Specification languages for embedded systems : a survey

Requirements specification is an important part of the software development process. Use of well developed techniques, tools, and languages during requirements specification is especially crucial for complex embedded software systems. Four langauges appropriate for the specification of software requirements for complex embedded systems (RSL, PAISLey, Statecharts, and SCR) are reviewed in detail here. In addition, other representation languages with features relevant to the embedded software systems domain are mentioned. Conclusions about the current status of embedded systems requirements specification and indications of further research are given

Computing refactorings of state machines

For behavior models expressed in statechart-like formalisms, we show how to compute semantically equivalent yet structurally different models. These refactorings are defined by user-provided logical predicates that partition the system's state space and that characterize coherent parts - modes or control states-of the behavior. We embed the refactorings into an incremental development process that uses a combination of both tables and graphically represented state machines for describing system

Un modelo para documentar la elicitación de requisitos

Context: This work proposes a model to document the elicitation of requirements in the field of Requirements Engineering. Method: A systematic review of the literature was conducted to determine the validity and effectiveness of the existing models for documenting requirements elicitation. Results: By analyzing the results of this review, it was concluded that it is possible – and that is required – to take the best documented practices and add principles from logic, abstraction, and formal methods to them in order to structure a semi-formal model for documenting elicitation. Those currently proposed focus on techniques to collect information and pay little attention to documentation. In addition, these models are mainly based on natural language, which makes their interpretation difficult, and they generate re-processing in later stages of the life cycle due to ambiguities. Conclusions: This article describes a structured model, as well as its application and validation, by comparing it against five models found in the review.Contexto: En este trabajo se propone un modelo para documentar la elicitación de requisitos en el área de Ingeniería de Requisitos. Método: Se realizó una revisión sistemática de la literatura para determinar la validez y efectividad de los modelos que existen para documentar la elicitación de requisitos. Resultados: Analizando los resultados de esta revisión, se concluyó que es posible –y así se requiere– tomar las mejores prácticas documentadas y agregarles principios de lógica, abstracción y métodos formales para estructurar un modelo semiformal para documentar la elicitación. Los que se proponen actualmente se centran en las técnicas de recogida de información y prestan poca atención a la documentación. Además, estos modelos se basan principalmente en el lenguaje natural, por lo cual es difícil su interpretación, y generan reprocesos para las etapas posteriores del ciclo de vida debido a las ambigüedades. Conclusiones: En este artículo se describe un modelo estructurado, así como su aplicación y validación mediante la comparación con cinco modelos encontrados en la revisión

Using Indexed and Synchronous Events to Model and Validate Cyber-Physical Systems

Timed Transition Models (TTMs) are event-based descriptions for modelling, specifying, and verifying discrete real-time systems. An event can be spontaneous, fair, or timed with specified bounds. TTMs have a textual syntax, an operational semantics, and an automated tool supporting linear-time temporal logic. We extend TTMs and its tool with two novel modelling features for writing high-level specifications: indexed events and synchronous events. Indexed events allow for concise description of behaviour common to a set of actors. The indexing construct allows us to select a specific actor and to specify a temporal property for that actor. We use indexed events to validate the requirements of a train control system. Synchronous events allow developers to decompose simultaneous state updates into actions of separate events. To specify the intended data flow among synchronized actions, we use primed variables to reference the post-state (i.e., one resulted from taking the synchronized actions). The TTM tool automatically infers the data flow from synchronous events, and reports errors on inconsistencies due to circular data flow. We use synchronous events to validate part of the requirements of a nuclear shutdown system. In both case studies, we show how the new notation facilitates the formal validation of system requirements, and use the TTM tool to verify safety, liveness, and real-time properties.Comment: In Proceedings ESSS 2015, arXiv:1506.0325

Toward a Formalism for Conservative Claims about the Dependability of Software-Based Systems

In recent work, we have argued for a formal treatment of confidence about the claims made in dependability cases for software-based systems. The key idea underlying this work is "the inevitability of uncertainty": It is rarely possible to assert that a claim about safety or reliability is true with certainty. Much of this uncertainty is epistemic in nature, so it seems inevitable that expert judgment will continue to play an important role in dependability cases. Here, we consider a simple case where an expert makes a claim about the probability of failure on demand (pfd) of a subsystem of a wider system and is able to express his confidence about that claim probabilistically. An important, but difficult, problem then is how such subsystem (claim, confidence) pairs can be propagated through a dependability case for a wider system, of which the subsystems are components. An informal way forward is to justify, at high confidence, a strong claim, and then, conservatively, only claim something much weaker: "I'm 99 percent confident that the pfd is less than 10-5, so it's reasonable to be 100 percent confident that it is less than 10-3." These conservative pfds of subsystems can then be propagated simply through the dependability case of the wider system. In this paper, we provide formal support for such reasoning