
    Supporting Abstraction when Model Checking ASM

    Model checking, as a method of automatic tool support for verification, strongly attracts industry's interest. It is limited, however, with respect to the size of a system's state space. In earlier work we developed an interface between the ASM Workbench and the SMV model checker that allows model checking of finite ASM models. In this work we add a means of abstraction for the case where the model to be checked is infinite and therefore not amenable to model checking. We extend the ASM specification language (ASM-SL) with a notion of abstract types and introduce an interface between ASM-SL and Multiway Decision Graphs (MDGs). MDGs can represent transition systems with abstract types and functions and provide the functionality necessary for symbolic model checking. Our interface maps abstract ASM models into MDGs in a semantics-preserving way. It provides a very simple means of generating abstract models that are infinite but can be checked by an MDG-based model checker.

    Model Checking Railway Interlocking Systems

    To support the analysis of railway interlocking systems in the early stages of their design, we propose the use of model checking. We investigate the use of the formal modelling language CSP and the corresponding model checker FDR. In this paper we describe the basics of this formalism and introduce our formal model of a railway interlocking system. Checking this model against the given safety requirements, the signalling principles, yields useful counter-examples that help to debug the given interlocking design. This work provides a successful example of how formal methods can support the industrial development process.
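    As an added illustration (not the paper's CSP model, and written in Python rather than CSP/FDR): a small explicit-state check of one single-line section between two stations. The track layout, the event names and the two signalling rules are assumptions made for this example. The naive rule clears a signal whenever the section is free; the locking rule additionally requires the opposing signal to be at danger. A breadth-first search over the reachable states returns the shortest event trace to a collision, which is the kind of counter-example FDR reports for a failed refinement check, or None when the rule keeps every reachable state safe.

```python
from collections import deque

# Constructed model (an assumption for this example, not the paper's CSP model):
# one bidirectional single-line section between a home station and a far station.
# Train A runs HOME -> SECTION -> FAR, train B runs FAR -> SECTION -> HOME.
HOME, SECTION, FAR = 0, 1, 2
DANGER, CLEAR = False, True

# State = (pos_a, pos_b, sig_a, sig_b); sig_a protects A's entry, sig_b protects B's.
INITIAL = (HOME, FAR, DANGER, DANGER)


def section_free(state):
    pos_a, pos_b, _, _ = state
    return pos_a != SECTION and pos_b != SECTION


def naive_interlocking(state, signal):
    """Signalling rule that clears a signal whenever its train is waiting and the section is free."""
    pos_a, pos_b, _, _ = state
    waiting = pos_a == HOME if signal == "a" else pos_b == FAR
    return waiting and section_free(state)


def locking_interlocking(state, signal):
    """Same rule, but the opposing signal must be at danger first (the route is locked)."""
    _, _, sig_a, sig_b = state
    opposing_at_danger = sig_b == DANGER if signal == "a" else sig_a == DANGER
    return naive_interlocking(state, signal) and opposing_at_danger


def successors(state, may_clear):
    """Enabled events and the states they lead to; a train passing a signal puts it back to danger."""
    pos_a, pos_b, sig_a, sig_b = state
    if may_clear(state, "a"):
        yield "clear_sigA", (pos_a, pos_b, CLEAR, sig_b)
    if may_clear(state, "b"):
        yield "clear_sigB", (pos_a, pos_b, sig_a, CLEAR)
    if pos_a == HOME and sig_a == CLEAR:
        yield "enter_A", (SECTION, pos_b, DANGER, sig_b)
    if pos_b == FAR and sig_b == CLEAR:
        yield "enter_B", (pos_a, SECTION, sig_a, DANGER)
    if pos_a == SECTION:
        yield "leave_A", (FAR, pos_b, sig_a, sig_b)
    if pos_b == SECTION:
        yield "leave_B", (pos_a, HOME, sig_a, sig_b)


def collision(state):
    """The safety requirement: never two trains in the single-line section."""
    return state[0] == SECTION and state[1] == SECTION


def check(may_clear):
    """Breadth-first exploration of the reachable states.

    Returns the shortest event trace from INITIAL to a collision, or None if the
    signalling rule keeps every reachable state safe.
    """
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        if collision(state):
            trace = []
            while parent[state] is not None:
                state, event = parent[state]
                trace.append(event)
            return trace[::-1]
        for event, nxt in successors(state, may_clear):
            if nxt not in parent:
                parent[nxt] = (state, event)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("naive rule  :", check(naive_interlocking))
    print("locking rule:", check(locking_interlocking))
```

    For the naive rule the search returns the trace clear_sigA, clear_sigB, enter_A, enter_B: both signals were cleared while the section was free, so each train was authorised into it. The locking rule yields None. In FDR terms the safety requirement would be the specification process and the interlocking the implementation; the search here plays the role of the refinement check.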

    Simulation Machines for Checking Action System Refinements

    Action systems provide a formal approach to modelling parallel and reactive systems. They have a well-established theory of refinement supported by simulation-based proof rules. This paper introduces an automatic approach to verifying action system refinements using standard CTL model checking. To do this, we encode each of the simulation conditions as a simulation machine, a Kripke structure on which the proof obligation can be discharged by checking that an associated CTL property holds. This procedure transforms each simulation condition into a model checking problem. Each simulation condition can then be model checked in isolation or, if desired, together with the other simulation conditions by combining the simulation machines and the CTL properties.
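    An added worked example in the spirit of the paper's simulation machines (not the paper's own code; the two action systems, the retrieve relation and the injected defect are assumptions): the matching condition of forward simulation, R(a, c) and c -> c' implies some a -> a' with R(a', c'), is encoded as a Kripke structure whose states alternate between "the concrete system chooses a step" and "the abstract system must answer with a step of the same label", and is discharged as the CTL property AG((phase0 and R) -> AX EX (phase0 and R)). Only this one condition is encoded; initialisation and applicability conditions are left out.

```python
from collections import deque

# Constructed systems for this example (assumptions, not the paper's case study).
# Abstract action system: a buffer that only counts its items, capacity 2.
A_INIT = 0


def abstract_steps(a):
    if a < 2:
        yield "put", a + 1
    if a > 0:
        yield "get", a - 1


# Concrete action system: a two-slot ring buffer, state = (head, slot0_full, slot1_full).
C_INIT = (0, False, False)


def concrete_steps(c):
    head, s0, s1 = c
    size = int(s0) + int(s1)
    if size < 2:
        slots = [s0, s1]
        slots[(head + size) % 2] = True
        yield "put", (head, slots[0], slots[1])
    if size > 0:
        slots = [s0, s1]
        slots[head] = False
        yield "get", ((head + 1) % 2, slots[0], slots[1])


def concrete_steps_buggy(c):
    """Same buffer with an injected defect: 'get' clears a slot but never advances head."""
    for label, (head, s0, s1) in concrete_steps(c):
        yield label, (c[0] if label == "get" else head, s0, s1)


def retrieve(a, c):
    """Retrieve relation R: the abstract count equals the number of occupied slots."""
    return a == int(c[1]) + int(c[2])


def simulation_machine(concrete_steps):
    """Kripke structure whose states are (abstract, concrete, label, phase).

    phase 0: the concrete system picks a step, recording its label;
    phase 1: the abstract system must answer with a step of the same label.
    """
    init = (A_INIT, C_INIT, None, 0)
    succ = {}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if s in succ:
            continue
        a, c, label, phase = s
        if phase == 0:
            nexts = [(a, c2, lbl, 1) for lbl, c2 in concrete_steps(c)]
        else:
            nexts = [(a2, c, None, 0) for lbl, a2 in abstract_steps(a) if lbl == label]
        succ[s] = nexts
        queue.extend(nexts)
    return init, succ


# Explicit-state CTL operators over the structure (AX is vacuously true in a deadlock).
def EX(succ, S):
    return {s for s, ts in succ.items() if any(t in S for t in ts)}


def AX(succ, S):
    return {s for s, ts in succ.items() if all(t in S for t in ts)}


def AG(succ, S):
    X = set(succ)
    while True:
        Y = S & AX(succ, X)
        if Y == X:
            return X
        X = Y


def check_refinement(concrete_steps):
    """Checks AG((phase0 and R) -> AX EX (phase0 and R)) on the simulation machine.

    Returns None when the matching condition holds, otherwise the first reachable
    state (in search order) at which the obligation fails."""
    init, succ = simulation_machine(concrete_steps)
    linked = {s for s in succ if s[3] == 0 and retrieve(s[0], s[1])}
    obligation = (set(succ) - linked) | AX(succ, EX(succ, linked))
    if init in AG(succ, obligation):
        return None
    return next(s for s in succ if s not in obligation)


if __name__ == "__main__":
    print("correct buffer:", check_refinement(concrete_steps))
    print("buggy buffer  :", check_refinement(concrete_steps_buggy))
```

    The correct ring buffer passes. The defective one fails at abstract count 1 with concrete state (0, False, True): its head still points at the emptied slot, so both its next put and its next get leave the concrete state unchanged while the abstract system must move to 2 or 0, and no abstract answer re-establishes R.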

    Proving Temporal Properties of Z Specifications Using Abstraction

    This paper presents a systematic approach to proving temporal properties of arbitrary Z specifications. The approach involves (i) transforming the Z specification into an abstract temporal structure (or state transition system), (ii) applying a model checker to the temporal structure, (iii) determining from the model checking result whether the temporal structure is too abstract, and (iv) refining the temporal structure where necessary. The approach is based on existing work from the model checking literature, adapted to Z.
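    An added example of steps (ii) to (iv) on a constructed system (not a Z specification from the paper; the counter, the property and the predicates are assumptions): predicate abstraction of a saturating counter, an explicit-state check of the abstract structure, replay of the abstract counter-example on concrete states to decide whether it is spurious, and refinement by adding a predicate. The refinement predicates are supplied in advance here rather than derived from the spurious path.

```python
from collections import deque

# Constructed example (an assumption for this illustration, not a Z specification from the
# paper): a counter that advances by two and saturates at N. The property of interest is
# that a given bad value is never reached.
N = 1000
INIT = 0
STATES = range(N + 1)


def step(x):
    return x + 2 if x + 2 <= N else x


def abstract(x, preds):
    """Abstract state = vector of truth values of the predicates (predicate abstraction)."""
    return tuple(bool(p(x)) for p in preds)


def abstract_graph(preds):
    """Existential abstraction: a -> b whenever some concrete x in a steps into b."""
    edges = {}
    for x in STATES:
        edges.setdefault(abstract(x, preds), set()).add(abstract(step(x), preds))
    return edges


def abstract_counterexample(preds, bad):
    """Step (ii): shortest abstract path from abs(INIT) to an abstract state that
    contains a bad concrete state, or None if the abstract structure is safe."""
    edges = abstract_graph(preds)
    bad_abs = {abstract(x, preds) for x in STATES if bad(x)}
    start = abstract(INIT, preds)
    parent = {start: None}
    queue = deque([start])
    while queue:
        a = queue.popleft()
        if a in bad_abs:
            path = []
            while a is not None:
                path.append(a)
                a = parent[a]
            return path[::-1]
        for b in edges.get(a, ()):
            if b not in parent:
                parent[b] = a
                queue.append(b)
    return None


def concretize(path, preds, bad):
    """Step (iii): replay the abstract path on concrete states. Returns the bad concrete
    states it really reaches, or None when the path is spurious (abstraction too coarse)."""
    frontier = {INIT}
    for a in path[1:]:
        frontier = {y for y in map(step, frontier) if abstract(y, preds) == a}
        if not frontier:
            return None
    return {x for x in frontier if bad(x)} or None


def verify(bad, initial_preds, refinements):
    """Check, judge the counter-example, refine (step (iv)) with the next supplied predicate.

    Returns (verdict, number of predicates used, log of spurious rounds)."""
    preds = list(initial_preds)
    pending = list(refinements)
    rounds = []
    while True:
        path = abstract_counterexample(preds, bad)
        if path is None:
            return "safe", len(preds), rounds
        witness = concretize(path, preds, bad)
        if witness:
            return "unsafe", len(preds), rounds
        rounds.append(("spurious", len(path)))
        if not pending:
            return "unknown", len(preds), rounds
        preds.append(pending.pop(0))


if __name__ == "__main__":
    print(verify(lambda x: x == 999, [lambda x: x < 999, lambda x: x == 999], [lambda x: x % 2 == 0]))
    print(verify(lambda x: x == 4, [lambda x: x == 4], [lambda x: x == 2]))
```

    With the predicates x < 999 and x == 999 alone the abstract structure has an edge from the region below 999 into 999 (witnessed by x = 997), but the replay shows that 0 never steps into 999, so the path is spurious; adding x % 2 == 0 separates the reachable even values from the unreachable odd ones and the check closes as safe. For the bad value 4 the same loop first rejects a too-short abstract path and, after the predicate x == 2 is added, confirms a real three-state counter-example.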

    Next-preserving branching bisimulation


    A synchronous program algebra: a basis for reasoning about shared-memory and event-based concurrency

    This research started with an algebra for reasoning about rely/guarantee concurrency for a shared memory model. The approach taken led to a more abstract algebra of atomic steps, in which atomic steps synchronise (rather than interleave) when composed in parallel. The algebra of rely/guarantee concurrency then becomes an instantiation of the more abstract algebra. Many of the core properties needed for rely/guarantee reasoning can be shown to hold in the abstract algebra, where their proofs are simpler and hence allow a higher degree of automation. The algebra has been encoded in Isabelle/HOL to provide a basis for tool support for program verification. In rely/guarantee concurrency, programs are specified to guarantee certain behaviours until assumptions about the behaviour of their environment are violated. When assumptions are violated, program behaviour is unconstrained (aborting), and guarantees need no longer hold. To support these guarantees a second synchronous operator, weak conjunction, was introduced: both processes in a weak conjunction must agree to take each atomic step, unless one aborts, in which case the whole aborts. In developing the laws for parallel and weak conjunction we found that many properties were shared by the operators and that the proofs of many laws were essentially the same. This insight led to the idea of generalising synchronisation to an abstract operator with only the axioms that are shared by the parallel and weak conjunction operators, so that those two operators can be viewed as instantiations of the abstract synchronisation operator. The main difference between parallel and weak conjunction is how they combine individual atomic steps; that is left open in the axioms for the abstract operator.
    Comment: Extended version of a Formal Methods 2016 paper, "An algebra of synchronous atomic steps".

    Model-checking tool support for quantitative risk analysis and design for safety

    This paper is concerned with the quantitative analysis of the tolerance of control system software to sensor hardware failures. The aim is to help the system designer evaluate the effectiveness of risk reduction measures in the system design. The paper proposes an approach that uses stochastic model checking to evaluate how likely a given sensor failure mode is to lead to a hazardous system failure, taking control logic and sensor-update timing failures into account. In particular, we propose two complementary techniques: one for examining the short-term consequences of component failures and the other for examining the more subtle longer-term consequences (so-called hidden failures). The techniques overcome scaling issues and yield valuable insights into the relative merits of different design decisions. The PRISM model checker is used for stochastic analysis of Continuous Time Markov Chain (CTMC) system models. The approach is illustrated on a case study from manufacturing involving an industrial metal press. Although relatively simple, the press exhibits a wide range of behaviours, including hidden failures and subtle race conditions.
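    An added example (not the paper's PRISM model; the four-state chain and its rates are assumptions): a CTMC in which the guard sensor of a press fails silently, a hidden failure, after which either a hazardous press event or a periodic self-test occurs first. The code computes P=?[F hazard] by value iteration on the embedded jump chain and P=?[F<=t hazard] by uniformisation, the transient method PRISM also uses, so that designs with different self-test rates can be compared without a model checker installed.

```python
import math

# Constructed four-state abstraction of a press with one guard sensor (rates are assumptions
# chosen for the illustration, not figures from the paper). Times are in hours.
OK, FAILED, HAZARD, SHUTDOWN = range(4)


def press_ctmc(fail_rate, hazard_rate, detect_rate):
    """Generator matrix Q of the CTMC: off-diagonal entries are transition rates,
    the diagonal is minus the row's outflow. HAZARD and SHUTDOWN are absorbing."""
    q = [[0.0] * 4 for _ in range(4)]
    q[OK][FAILED] = fail_rate          # the sensor fails silently (a hidden failure)
    q[FAILED][HAZARD] = hazard_rate    # press cycles on the stuck sensor until one goes wrong
    q[FAILED][SHUTDOWN] = detect_rate  # a periodic self-test notices the failure first
    for s in range(4):
        q[s][s] = -sum(q[s][t] for t in range(4) if t != s)
    return q


def prob_eventually(q, start, targets, tol=1e-12, max_iter=100_000):
    """P=? [F target]: value iteration on the embedded jump chain."""
    n = len(q)
    x = [1.0 if s in targets else 0.0 for s in range(n)]
    for _ in range(max_iter):
        delta = 0.0
        for s in range(n):
            out = -q[s][s]
            if s in targets or out == 0.0:
                continue  # absorbing states keep their value
            new = sum(q[s][t] * x[t] for t in range(n) if t != s) / out
            delta = max(delta, abs(new - x[s]))
            x[s] = new
        if delta < tol:
            break
    return x[start]


def prob_within(q, start, targets, t, eps=1e-10):
    """P=? [F<=t target]: transient analysis by uniformisation.

    Targets are made absorbing, the CTMC is turned into the DTMC P = I + Q/lam, and the
    transient distribution is the Poisson(lam*t)-weighted sum of the DTMC's powers."""
    n = len(q)
    qa = [[0.0] * n if s in targets else list(q[s]) for s in range(n)]
    lam = max(-qa[s][s] for s in range(n))
    if lam == 0.0 or t == 0.0:
        return 1.0 if start in targets else 0.0
    P = [[(1.0 if s == u else 0.0) + qa[s][u] / lam for u in range(n)] for s in range(n)]
    pi = [1.0 if s == start else 0.0 for s in range(n)]
    lt = lam * t
    acc = weight_sum = 0.0
    for k in range(int(lt + 12 * math.sqrt(lt) + 30) + 1):
        w = math.exp(-lt + k * math.log(lt) - math.lgamma(k + 1))  # Poisson(k; lt), no underflow
        acc += w * sum(pi[s] for s in targets)
        weight_sum += w
        if weight_sum > 1.0 - eps and k > lt:
            break
        pi = [sum(pi[s] * P[s][u] for s in range(n)) for u in range(n)]
    return acc


def hazard_risk(detect_rate, horizon=1000.0, fail_rate=1e-3, hazard_rate=0.05):
    """Compare designs by their self-test rate: (P[F hazard], P[F<=horizon hazard])."""
    q = press_ctmc(fail_rate, hazard_rate, detect_rate)
    return prob_eventually(q, OK, {HAZARD}), prob_within(q, OK, {HAZARD}, horizon)


if __name__ == "__main__":
    for mu in (0.0, 1.0, 24.0):
        ev, within = hazard_risk(mu)
        print(f"self-test rate {mu:5.1f}/h: P[F hazard] = {ev:.4f}, P[F<=1000h hazard] = {within:.4f}")
```

    With the assumed rates (sensor failure 0.001/h, hazard 0.05/h once the sensor is stuck), no self-test makes a hazard certain in the long run and about 62% likely within 1000 h, whereas an hourly self-test brings the long-run probability down to 0.05/1.05, roughly 0.048, and the 1000 h figure to about 0.03. The long-run number is the "hidden failure" view of the paper; the time-bounded one is the short-term view.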

    Compositional Verification for Object-Z

    This paper presents a framework for compositional verification of Object-Z specifications. Its key feature is a proof rule based on the decomposition of hierarchical Object-Z models. For each component in the hierarchy, local properties are proven in a single proof step. However, we do not consider components in isolation: components are considered in the context of the referencing super-component, and proof steps involve assumptions about properties of the sub-components. The framework is defined for linear temporal logic (LTL).

    Impact of Low-Dose Dronabinol Therapy on Cognitive Function in Cancer Patients Receiving Palliative Care: A Case-Series Intervention Study

    BACKGROUND: Cannabis may offer therapeutic benefits to patients with advanced cancer who do not respond adequately to conventional palliative treatment. However, tolerability is a major concern, and impaired cognitive function is a potential adverse reaction to tetrahydrocannabinol-containing regimens. The aim of this study was to test cognitive function in patients prescribed dronabinol as an adjuvant palliative therapy.
    METHODS: Adult patients with advanced cancer and severe related pain refractory to conventional palliative treatment were included in this case-series study. Patients were examined at baseline, in conjunction with the initiation of dronabinol therapy, and at a two-week follow-up using three selected Wechsler Adult Intelligence Scale III neurocognitive tests: Processing Speed Index (PSI), Perceptual Organization Index (POI), and Working Memory Index (WMI). Patients were also assessed using a pain visual analog scale, the Major Depression Inventory, and the Brief Fatigue Inventory.
    RESULTS: Eight patients consented to take part in the study. Two patients discontinued dronabinol therapy, one due to a complaint of dizziness and the other due to critical progression of the cancer. The remaining six patients were successfully treated with a daily dosage of 12.5 mg dronabinol (p = 0.039). PSI (p = 0.020), POI (p = 0.034), and WMI (p = 0.039).
    CONCLUSIONS: Cognitive function improved in this group of patients with advanced cancer in conjunction with low-dose dronabinol therapy. The cause is likely multifactorial, including reported relief of cancer-associated symptoms. Further clinical investigation is required.