    Formal Methods for Systems Engineering Behavior Models

    Safety analysis in Systems Engineering (SE) processes, as usually implemented, rarely relies on formal methods such as model checking, since such techniques, however powerful and mature, are deemed too complex for efficient use. This paper thus aims at improving the verification practice in SE design: considering the widely-used model of EFFBDs (Enhanced Function Flow Block Diagrams), it formally establishes its syntax and behavioral semantics. It also proposes a structural translation of EFFBDs to transition time Petri nets (TPNs); this translation is then proved to preserve the behavioral semantics (i.e. timed bisimilarity). After proving results on the boundedness of the resulting TPNs, it was possible to extend a number of fundamental properties (such as the decidability of liveness, state-access, etc.) from bounded TPNs to so-called bounded EFFBDs. Finally, these results led to the implementation and integration of an operational formal verification tool within a development platform used in systems design for defense applications, where the underlying complexity is totally concealed from the end-user.

    Structural Translation of Time Petri Nets into Timed Automata

    In this paper, we consider Time Petri Nets (TPN) where time is associated with transitions. We give a formal semantics for TPNs in terms of Timed Transition Systems. Then, we propose a translation from TPNs to Timed Automata (TA) that preserves the behavioural semantics (timed bisimilarity) of the TPNs. For the theory of TPNs this result is two-fold: i) reachability problems and more generally TCTL model-checking are decidable for bounded TPNs; ii) allowing strict time constraints on transitions for TPNs preserves the results described in i). The practical applications of the translation are: i) one can specify a system using both TPNs and Timed Automata, and a precise semantics is given to the composition; ii) one can use existing tools for analysing timed automata (like KRONOS, UPPAAL or CMC) to analyse TPNs.

    On the compared expressiveness of arc, place and transition time Petri nets

    In this paper, we consider safe Time Petri Nets where time intervals (strict and large) are associated with places (TPPN), arcs (TAPN) or transitions (TTPN). We give the formal strong and weak semantics of these models in terms of Timed Transition Systems. We compare the expressiveness of the six models w.r.t. (weak) timed bisimilarity (behavioral semantics). The main results of the paper are: (i) with strong semantics, TAPN is strictly more expressive than TPPN and TTPN; (ii) with strong semantics, TPPN and TTPN are incomparable; (iii) TTPN with strong semantics and TTPN with weak semantics are incomparable. Moreover, we give a complete classification by a set of 9 relations explained in a figure.

    Formal Verification of Real-time Systems with Preemptive Scheduling

    In this paper, we propose a method for the verification of timed properties for real-time systems featuring a preemptive scheduling policy: the system, modeled as a scheduling time Petri net, is first translated into a linear hybrid automaton to which it is time-bisimilar. Timed properties can then be verified using HyTech. The efficiency of this approach rests on two major points: first, the translation minimizes the number of variables (clocks) of the resulting automaton, which is a critical parameter for the efficiency of the ensuing verification. Second, the translation is performed by an over-approximating algorithm, based on Difference Bound Matrices and therefore efficient, that nonetheless produces a time-bisimilar automaton despite the over-approximation. The proposed modeling and verification method is generic enough to account for many scheduling policies. In this paper, we specifically show how to deal with Fixed Priority and Earliest Deadline First policies, with the possibility of using Round-Robin for tasks with the same priority. We have implemented the method and give some experimental results illustrating its efficiency.

    Structural translation from time Petri nets to timed automata

    In this paper, we consider Time Petri Nets (TPN) where time is associated with transitions. We give a formal semantics for TPNs in terms of Timed Transition Systems. Then, we propose a translation from TPNs to Timed Automata (TA) that preserves the behavioral semantics (timed bisimilarity) of the TPNs. For the theory of TPNs this result is two-fold: i) reachability problems and more generally TCTL model-checking are decidable for bounded TPNs; ii) allowing strict time constraints on transitions for TPNs preserves the results described in i). The practical applications of the translation are: i) one can specify a system using both TPNs and Timed Automata, and a precise semantics is given to the composition; ii) one can use existing tools for analyzing timed automata (like Kronos, Uppaal or Cmc) to analyze TPNs. In this paper we describe the new feature of the tool Romeo that implements our translation of TPNs into the Uppaal input format. We also report on experiments carried out on various examples and compare the results of our method with those of a state-of-the-art tool for analyzing TPNs.

    A T-time Petri net extension for real time-task scheduling modeling

    In order to analyze whether the timing requirements of a real-time application are met, we propose an extension of the T-time Petri net model which takes into account the scheduling of the software tasks distributed over a multi-processor hardware architecture. The paper is concerned with static-priority preemptive scheduling. This extension consists in mapping into the Petri net model the way the different schedulers of the system activate or suspend the tasks. This relies on the introduction of two new attributes for the places (allocation and priority). First we give the formal semantics of this extended model as a timed transition system (TTS). Then we propose a method for its analysis consisting in the computation of the state class graph. The verification of timing properties can thus be conducted (possibly together with an observer) and amounts to analyzing the resulting state class graph.

    TCTL model checking of Time Petri Nets

    In this paper, we consider subscript TCTL for Time Petri Nets (TPN-TCTL), for which temporal operators are extended with a time interval specifying a time constraint on the firing sequences. We prove that the model-checking of a TPN-TCTL formula on a bounded TPN is decidable and is a PSPACE-complete problem. We propose a zone-based state space abstraction that preserves marking reachability and traces of the TPN. As for Timed Automata (TA), the abstraction may use an over-approximation operator on zones to enforce termination. A coarser (and efficient) abstraction is then provided and proved exact w.r.t. marking reachability and traces (LTL properties). Finally, we consider a subset of TPN-TCTL properties for which it is possible to propose efficient on-the-fly model-checking algorithms. Our approach consists in computing and exploring the zone-based state space abstraction.

    Comparison of Different Semantics for Time Petri Nets

    In this paper we study the model of Time Petri Nets (TPNs) where a time interval is associated with the firing of a transition, but we extend it by considering general intervals rather than closed ones. A key feature of timed models is the memory policy, i.e. which timing information is kept when a transition is fired. The original model selects an intermediate semantics where the transitions disabled after consuming the tokens, as well as the firing transition, are reinitialised. However, this semantics is not appropriate for some applications. So we consider here two alternative semantics: the atomic and the persistent atomic ones. First we present relevant patterns of discrete event systems which show the relevance of these semantics. Then we compare the expressiveness of the three semantics w.r.t. weak timed bisimilarity, establishing inclusion results in the general case. Furthermore, we show that some inclusions are strict with unrestricted intervals even when nets are bounded. Then we focus on bounded TPNs with upper-closed intervals and we prove that the semantics are equivalent. Finally, taking into account both the practical and the theoretical issues, we conclude that persistent atomic semantics should be preferred.

    Risk factors for Coronavirus disease 2019 (Covid-19) death in a population cohort study from the Western Cape province, South Africa

    Risk factors for coronavirus disease 2019 (COVID-19) death in sub-Saharan Africa and the effects of human immunodeficiency virus (HIV) and tuberculosis on COVID-19 outcomes are unknown. We conducted a population cohort study using linked data from adults attending public-sector health facilities in the Western Cape, South Africa. We used Cox proportional hazards models, adjusted for age, sex, location, and comorbidities, to examine the associations between HIV, tuberculosis, and COVID-19 death from 1 March to 9 June 2020 among (1) public-sector “active patients” (≥1 visit in the 3 years before March 2020); (2) laboratory-diagnosed COVID-19 cases; and (3) hospitalized COVID-19 cases. We calculated the standardized mortality ratio (SMR) for COVID-19, comparing adults living with and without HIV using modeled population estimates. Among 3 460 932 patients (16% living with HIV), 22 308 were diagnosed with COVID-19, of whom 625 died. COVID-19 death was associated with male sex, increasing age, diabetes, hypertension, and chronic kidney disease. HIV was associated with COVID-19 mortality (adjusted hazard ratio [aHR], 2.14; 95% confidence interval [CI], 1.70–2.70), with similar risks across strata of viral loads and immunosuppression. Current and previous diagnoses of tuberculosis were associated with COVID-19 death (aHR, 2.70 [95% CI, 1.81–4.04] and 1.51 [95% CI, 1.18–1.93], respectively). The SMR for COVID-19 death associated with HIV was 2.39 (95% CI, 1.96–2.86); population attributable fraction 8.5% (95% CI, 6.1–11.1).

    Extracorporeal Membrane Oxygenation for Severe Acute Respiratory Distress Syndrome associated with COVID-19: An Emulated Target Trial Analysis.

    RATIONALE: Whether COVID-19 patients may benefit from extracorporeal membrane oxygenation (ECMO) compared with conventional invasive mechanical ventilation (IMV) remains unknown. OBJECTIVES: To estimate the effect of ECMO on 90-day mortality vs IMV only. METHODS: Among 4,244 critically ill adult patients with COVID-19 included in a multicenter cohort study, we emulated a target trial comparing the treatment strategies of initiating ECMO vs. no ECMO within 7 days of IMV in patients with severe acute respiratory distress syndrome (PaO2/FiO2 <80 or PaCO2 ≥60 mmHg). We controlled for confounding using a multivariable Cox model based on predefined variables. MAIN RESULTS: 1,235 patients met the full eligibility criteria for the emulated trial, among whom 164 patients initiated ECMO. The ECMO strategy had a higher survival probability at Day 7 from the onset of eligibility criteria (87% vs 83%, risk difference: 4%, 95% CI 0; 9%), which decreased during follow-up (survival at Day 90: 63% vs 65%, risk difference: -2%, 95% CI -10; 5%). However, ECMO was associated with higher survival when performed in high-volume ECMO centers or in regions where a specific ECMO network organization was set up to handle high demand, and when initiated within the first 4 days of MV and in profoundly hypoxemic patients. CONCLUSIONS: In an emulated trial based on a nationwide COVID-19 cohort, we found differential survival over time of an ECMO strategy compared with a no-ECMO strategy. However, ECMO was consistently associated with better outcomes when performed in high-volume centers and in regions with ECMO capacities specifically organized to handle high demand. This article is open access and distributed under the terms of the Creative Commons Attribution Non-Commercial No Derivatives License 4.0 (http://creativecommons.org/licenses/by-nc-nd/4.0/).