
    Experiences with formal engineering: model-based specification, implementation and testing of a software bus at Neopost

    We report on the actual industrial use of formal methods during the development of a software bus. During an internship at Neopost Inc., of 14 weeks, we developed the server component of a software bus, called the XBus, using formal methods during the design, validation and testing phase: we modeled our design of the XBus in the process algebra mCRL2, validated the design using the mCRL2-simulator, and fully automatically tested our implementation with the model-based test tool JTorX. This resulted in a well-tested software bus with a maintainable architecture. Writing the model (mdev), simulating it, and testing the implementation with JTorX only took 17% of the total development time. Moreover, the errors found with model-based testing would have been hard to find with conventional test methods. Thus, we show that formal engineering can be feasible, beneficial and cost-effective.

    The findings above, reported earlier by us in (Sijtema et al., 2011) [1], were well-received, also in industrially oriented conferences (Ferreira and Romanenko, 2010) [2] and [3]. In this paper, we look back on the case study, and carefully analyze its merits and shortcomings. We reflect on (1) the added benefits of model checking, (2) model completeness and (3) the quality and performance of the test process.

    Thus, in a second phase, after the internship, we model checked the XBus protocol—this was not done in [1] since the Neopost business process required a working implementation after 14 weeks. We used the CADP tool evaluator4 to check the behavioral requirements obtained during the development. Model checking did not uncover errors in model mdev, but revealed that model mdev was neither complete nor optimized: in particular, requirements to the so-called bad weather behavior (exceptions, unexpected inputs, etc.) were missing. Therefore, we created several improved models, checked that we could validate them, and used them to analyze quality and performance of the test process. Model checking was expensive: it took us approx. 4 weeks in total, compared to 3 weeks for the entire model-based testing approach during the internship.

    In the second phase, we analyzed the quality and performance of the test process, where we looked at both code and model coverage. We found that high code coverage (almost 100%) is in most cases obtained within 1000 test steps and 2 minutes, which matches the fact that the faults in the XBus were discovered within a few minutes.

    Summarizing, we firmly believe that the formal engineering approach is cost-effective, and produces high quality software products. Model checking does yield significantly better models, but is also costly. Thus, system developers should trade off higher model quality against higher costs.

    The ASSERT Virtual Machine Kernel: Support for preservation of temporal properties.

    The ASSERT Project is aimed at defining new software engineering methods and tools for the development of critical embedded real-time systems in the aerospace domain. One of its main achievements is a new model-driven software process, which is based on the concept of property-preserving model transformations. Functional models developed with appropriate tools for the application domain are embedded in containers defining component interfaces and non-functional (e.g. timing) properties in a platform-independent set of notations. The resulting model is then automatically transformed to a platform-specific model using deployment information on target computer nodes, communication channels, and software platforms. Finally, source code for each computer node is automatically generated from the platform-specific model. The key element of the ASSERT process is that non-functional properties must be preserved during all phases of model transformations. In order to ensure that properties are preserved in model transformations and that the different views of each model are consistent with each other, a common meta-model has been defined which provides a formal basis to the whole process. This meta-model is called the Ravenscar Computational Model (RCM).

    Extending and automating a systems-theoretic hazard analysis for requirements generation and analysis

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Engineering Systems Division, 2013. Cataloged from PDF version of thesis. Includes bibliographical references (p. 223-232).

    Systems Theoretic Process Analysis (STPA) is a powerful new hazard analysis method designed to go beyond traditional safety techniques, such as Fault Tree Analysis (FTA), that overlook important causes of accidents like flawed requirements, dysfunctional component interactions, and software errors. Although traditional techniques have been effective at analyzing and reducing accidents caused by component failures, modern complex systems have introduced new problems that can be much more difficult to anticipate, analyze, and prevent. In addition, a new class of accidents, component interaction accidents, has become increasingly prevalent in today's complex systems and can occur even when systems operate exactly as designed and without any component failures. While STPA has proven to be effective at addressing these problems, its application thus far has been ad-hoc with no rigorous procedures or model-based design tools to guide the analysis. In addition, although no formal structure has yet been defined for STPA, the process is based on a control-theoretic framework that could be formalized and adapted to facilitate development of automated methods that assist in analyzing complex systems. This dissertation defines a formal mathematical structure underlying STPA and introduces a procedure for systematically performing an STPA analysis based on that structure. A method for using the results of the hazard analysis to generate formal safety-critical, model-based system and software requirements is also presented. Techniques to automate both the STPA analysis and the requirements generation are introduced, as well as a method to detect conflicts between safety requirements and other functional model-based requirements during early development of the system.

    by John P. Thomas IV. Ph.D.

    An object-oriented component-based approach to building real-time software systems

    A project report submitted to the Faculty of Engineering, University of Witwatersrand, Johannesburg, in partial fulfilment of the requirements for the degree of Master of Science in Engineering. Johannesburg, 1993.

    This Project Report reports on the study of an approach to building integrated real-time software systems based on re-usable object-oriented components. The basis of the approach is the development of a 3-layered structure of components, where each layer is built on the underlying layer of components. The lower layer of components consists of generic re-usable building blocks that may be re-used for building and integrating other real-time applications. The middle layer consists of components that are generic to the application domain, and the top layer consists of components that are specific to each application of that application domain. The Report includes researching and developing methods of communicating between these building blocks using an OSI/CMIP-conformant 'software highway', and in this regard particular attention is given to the formal and de facto industry standards. With this approach, it is argued that the application engineer can effectively build new applications using the re-usable components. This is demonstrated by reporting on the implementation of a large real-world Telecommunications Network Management application. The Project Report contains a critical analysis of the technical, organisational and project management issues of this object-oriented component approach as compared to the traditional development approach. The Report concludes that despite certain technical and organisational concerns, the object-oriented approach does indeed yield several worthwhile benefits for developing real-time software systems. These benefits include genuine re-usability, and improved productivity, testability and maintainability.

    Hardware-based text-to-braille translation

    Braille, as a special written method of communication for the blind, has been globally accepted for years. It gives blind people another chance to learn and communicate more efficiently with the rest of the world. It also makes possible the translation of printed languages into a written language which is recognisable for blind people. Recently, Braille is experiencing a decreasing popularity due to the use of alternative technologies, like speech synthesis. However, as a form of literacy, Braille is still playing a significant role in the education of people with visual impairments. With the development of electronic technology, Braille turned out to be well suited to computer-aided production because of its coded forms. Software based text-to-Braille translation has been proved to be a successful solution in Assistive Technology (AT). However, the feasibility and advantages of the algorithm reconfiguration based on hardware implementation have rarely been substantially discussed. A hardware-based translation system with algorithm reconfiguration is able to supply greater throughput than a software-based system. Further, it is also expected as a single component integrated in a multi-functional Braille system on a chip.

    Therefore, this thesis presents the development of a system for text-to-Braille translation implemented in hardware. Differing from most commercial methods, this translator is able to carry out the translation in hardware instead of using software. To find a particular translation algorithm which is suitable for a hardware-based solution, the history of, and previous contributions to, Braille translation are introduced and discussed. It is concluded that Markov systems, a formal language theory, were highly suitable for application to hardware based Braille translation. Furthermore, the text-to-Braille algorithm is reconfigured to achieve parallel processing to accelerate the translation speed. Characteristics and advantages of Field Programmable Gate Arrays (FPGAs), and application of Very High Speed Integrated Circuit Hardware Description Language (VHDL) are introduced to explain how the translating algorithm can be transformed to hardware. Using a Xilinx hardware development platform, the algorithm for text-to-Braille translation is implemented and the structure of the translator is described hierarchically.