Z2SAL: a translation-based model checker for Z

Despite being widely known and accepted in industry, the Z formal specification language has not so far been well supported by automated verification tools, mostly because of the challenges in handling the abstraction of the language. In this paper we discuss a novel approach to building a model-checker for Z, which involves implementing a translation from Z into SAL, the input language for the Symbolic Analysis Laboratory, a toolset which includes a number of model-checkers and a simulator. The Z2SAL translation deals with a number of important issues, including: mapping unbounded, abstract specifications into bounded, finite models amenable to a BDD-based symbolic checker; converting a non-constructive and piecemeal style of functional specification into a deterministic, automaton-based style of specification; and supporting the rich set-based vocabulary of the Z mathematical toolkit. This paper discusses progress made towards implementing as complete and faithful a translation as possible, while highlighting certain assumptions, respecting certain limitations and making use of available optimisations. The translation is illustrated throughout with examples; and a complete working example is presented, together with performance data

Robust Biomarkers: Methodologically Tracking Causal Processes in Alzheimer’s Measurement

In biomedical measurement, biomarkers are used to achieve reliable prediction of, and useful causal information about patient outcomes while minimizing complexity of measurement, resources, and invasiveness. A biomarker is an assayable metric that discloses the status of a biological process of interest, be it normative, pathophysiological, or in response to intervention. The greatest utility from biomarkers comes from their ability to help clinicians (and researchers) make and evaluate clinical decisions. In this paper we discuss a specific methodological use of clinical biomarkers in pharmacological measurement: Some biomarkers, called ‘surrogate markers’, are used to substitute for a clinically meaningful endpoint corresponding to events and their penultimate risk factors. We confront the reliability of clinical biomarkers that are used to gather information about clinically meaningful endpoints. Our aim is to present a systematic methodology for assessing the reliability of multiple surrogate markers (and biomarkers in general). To do this we draw upon the robustness analysis literature in the philosophy of science and the empirical use of clinical biomarkers. After introducing robustness analysis we present two problems with biomarkers in relation to reliability. Next, we propose an intervention-based robustness methodology for organizing the reliability of biomarkers in general. We propose three relevant conditions for a robust methodology for biomarkers: (R1) Intervention-based demonstration of partial independence of modes: In biomarkers partial independence can be demonstrated through exogenous interventions that modify a process some number of “steps” removed from each of the markers. (R2) Comparison of diverging and converging results across biomarkers: By systematically comparing partially-independent biomarkers we can track under what conditions markers fail to converge in results, and under which conditions they successfully converge. (R3) Information within the context of theory: Through a systematic cross-comparison of the markers we can make causal conclusions as well as eliminate competing theories. We apply our robust methodology to currently developing Alzheimer’s research to show its usefulness for making causal conclusions

Mutator Suppression and Escape from Replication Error–Induced Extinction in Yeast

Cells rely on a network of conserved pathways to govern DNA replication fidelity. Loss of polymerase proofreading or mismatch repair elevates spontaneous mutation and facilitates cellular adaptation. However, double mutants are inviable, suggesting that extreme mutation rates exceed an error threshold. Here we combine alleles that affect DNA polymerase δ (Pol δ) proofreading and mismatch repair to define the maximal error rate in haploid yeast and to characterize genetic suppressors of mutator phenotypes. We show that populations tolerate mutation rates 1,000-fold above wild-type levels but collapse when the rate exceeds 10−3 inactivating mutations per gene per cell division. Variants that escape this error-induced extinction (eex) rapidly emerge from mutator clones. One-third of the escape mutants result from second-site changes in Pol δ that suppress the proofreading-deficient phenotype, while two-thirds are extragenic. The structural locations of the Pol δ changes suggest multiple antimutator mechanisms. Our studies reveal the transient nature of eukaryotic mutators and show that mutator phenotypes are readily suppressed by genetic adaptation. This has implications for the role of mutator phenotypes in cancer

Typechecking Z

This paper presents some of our requirements for a Z typechecker: that the typechecker accept all well-typeable formulations, however contrived; that it gather information about uses of declarations as needed to support interactive browsing and formal reasoning; that it fit the description given by draft standard Z; and that it be able to check some particular extensions to Z that are intended to allow explicit definitions of schema calculus operators. The paper presents a specification of such a Z typechecker, which we have implemented

Integrating Safety and Formal Analyses using UML and PFS.

Where software systems are safety critical, for example in aircraft engine control, it is necessary to carry out safety analysis on designs in support of certification. We argue that there is also significant value in formally validating such a design. Few “classical” formal notations and methods are geared towards embedded systems. We illustrate one such method known as Practical Formal Specification (PFS), showing how it can be integrated in a UML context with various forms of safety analysis. The PFS method was developed to extend classical approaches in the development of embedded software systems in a way that adds engineering value, and fits into existing well-established frameworks. We exemplify the approach to model the reverse thrust selection function of the thrust reversal system of a turbo-jet engine

A Z Patterns Catalogue II - definitions and laws, v0.1

Contents Preface xiii I Background 1 1 Introduction 3 2 ISO Standard Z 5 2.1 History and current status 5 2.1.1 Z: the early years 5 2.1.2 The need for a change 6 2.1.3 Standardisation 7 2.1.4 Aims of this chapter 7 2.2 Changed features of Standard Z 8 2.3 Improvements 8 2.3.1 Sections 8 2.3.2 Mutually-recursive Free Types 9 2.3.3 Operators 9 2.3.4 Conjectures 9 2.3.5 Binding Extensions and Tuple Selections 10 2.3.6 Schemas as Expressions 11 2.3.7 Empty Schemas 12 2.3.8 Loose Generics 13 2.3.9 Local Constant Declarations 13 2.3.10 Axiom-parts as Predicates 14 2.3.11 Soft Newlines 15 2.3.12 Lexis of Words 15 2.3.13 Toolkit 15 2.4 Incompatibilities 16 2.4.1 Singleton Sets 16 ii Contents 2.4.2 Decorated References to Schemas 17 2.4.3 Decorated References to Generic Schemas 18 2.4.4 let on Predicates 18 2.4.5 Renaming on Theta Expressions 18 2.4.6 Underlined Infix Relations 19 2.4.7 Operator Precedences 19 2.4.8 Theta Expressions 21 2.4.9 Lexis of Words 21 2.5 Subtle Changes 21 2.5.1 Qu

On the Formal Development of Safety-Critical Software

Abstract. We reflect on the formal development models applicable to embedded control systems in light of our experience with safety-critical applications from the aerospace domain. This leads us to propose two complementary enhancements to Parnas ' four-variable model, one elaborating the structure outside the control computer, and the other elaborating the structure inside the control computer. We then identify several challenges which illustrate why formal development in this domain is difficult, and report our own progress in meeting these challenges. Finally, we outline the residual issues, which form the agenda for our future work.