Automated Mapping of UML Activity Diagrams to Formal Specifications for Supporting Containment Checking

Business analysts and domain experts are often sketching the behaviors of a software system using high-level models that are technology- and platform-independent. The developers will refine and enrich these high-level models with technical details. As a consequence, the refined models can deviate from the original models over time, especially when the two kinds of models evolve independently. In this context, we focus on behavior models; that is, we aim to ensure that the refined, low-level behavior models conform to the corresponding high-level behavior models. Based on existing formal verification techniques, we propose containment checking as a means to assess whether the system's behaviors described by the low-level models satisfy what has been specified in the high-level counterparts. One of the major obstacles is how to lessen the burden of creating formal specifications of the behavior models as well as consistency constraints, which is a tedious and error-prone task when done manually. Our approach presented in this paper aims at alleviating the aforementioned challenges by considering the behavior models as verification inputs and devising automated mappings of behavior models onto formal properties and descriptions that can be directly used by model checkers. We discuss various challenges in our approach and show the applicability of our approach in illustrative scenarios.Comment: In Proceedings FESCA 2014, arXiv:1404.043

A framework for the analysis of failure behaviors in component-based model-driven development of dependable systems

Currently, the development of high-integrity embedded component-based software systems is not supported by well-integrated means allowing for quality evaluation and design support within a development process. Quality, especially dependability, is very important for such systems. The CHESS (Composition with Guarantees for High-integrity Embedded Software Components Assembly) project aims at providing a new systems development methodology to capture extra-functional concerns and extend Model Driven Engineering industrial practices and technology approaches to specifically address the architectural structure, the interactions and the behavior of system components while guaranteeing their correctness and the level of service at run time. The CHESS methodology is expected to be supported by a tool-set which consists of a set of plug-ins integrated within the Eclipse IDE. In the framework of the CHESS project, this thesis addresses the lack of well integrated means concerning quality evaluation and proposes an integrated framework to evaluate the dependability of high-integrity embedded systems. After a survey of various failure behavior analysis techniques, a specific technique, called Failure Propagation and Transformation Calculus (FPTC), is selected and a plug-in, called CHESS-FPTC, is developed within the CHESS tool-set. FPTC technique allows users to calculate the failure behavior of the system from the failure behavior of its building components. Therefore, to fully support FPTC, CHESS-FPTC plug-in allows users to model the failure behavior of the building components, perform the analysis automatically and get the analysis results back into their initial models. A case study about AAL2 Signaling Protocol is presented to illustrate and evaluate the CHESS-FPTC framework.CHESS Project - http://chess-project.ning.com

Supporting automated containment checking of software behavioural models

Während des Softwareentwicklungsprozesses ist es eine große Herausforderung, bereits in den frühen Phasen auf verschiedenen Abstraktionsebenen festzustellen, ob ein System von beabsichtigtem Verhalten abweicht und etwaige Abweichungen zu korrigieren. Werden Inkonsistenzen erst in späteren Phasen entdeckt, nachdem das System bereits implementiert oder getestet worden ist, führt dies zu enormem Aufwand für Korrektur, Überarbeitung und Verifikation. Es ist daher von großer Bedeutung, diese Inkonsistenzen bereits in einer frühen Phase des Softwareentwicklungsprozesses zu erkennen und zu beheben. Dies gilt vor allem, sobald verfeinerte Modelle von ihren abstrakten Gegenstücken abweichen. Diese Dissertation konzentriert sich auf eine spezielle Art von vertikaler Konsistenz, insbesondere Containment Checking. Dabei wird überprüft, ob das vom Low-Level-Modell beschriebene Verhalten auch das im High-Level Gegenstück beschriebene erfasst. Die Containment-Beziehung von Verhaltensmodellen wurde in bereits existierenden Forschungsarbeiten bisher nicht untersucht. Nach einer systematischen Überprüfung der vorhandenen Forschung zur Konsistenzprüfung von Software-Verhaltensmodellen konnten wir eine Reihe an Lücken und offenen Problemen ermitteln, die als Basis für diese Dissertation dienen. Der hauptsächliche Beitrag dieser Dissertation besteht aus neuen Konzepten und Techniken zum automatischen Containment Checking von Software-Verhaltensmodellen. Mittels Modelltransformationen und Modellprüfung (Model Checking) wird Containment Checking von Software-Verhaltensmodellen, insbesondere Activity Models, Sequence Models und Service Choreography unterstützt. Genauer gesagt wird eine automatische Transformation von Verhaltensmodellen in formale Spezifikationen und Konsistenzbeschränkungen durchgeführt. Diese werden beim Model Checking für das Erkennen von Abweichungen zwischen den Eingabemodellen und daraus folgende Gegenbeispiele benötigt. Das Feedback von Model Checkern ist jedoch für Benutzer mit eingeschränktem Wissen über die zugrundeliegenden formalen Methoden zur Analyse von beziehungsweise dem Verständnis für Konsistenzverstöße meist wenig hilfreich. Wir schlagen daher einen Ansatz vor, der die Analyse von Gegenbeispielen verwendet, um den Grund von Konsistenzverstößen zu finden und den jeweiligen Akteuren passende Lösungsvorschläge zu präsentieren. Endlosschleifen und parallel ausgeführte Programmteile stellen Techniken, die auf Model Checking basieren, vor große Herausforderungen. Wir haben daher zusätzlich einen Ansatz entwickelt, der basierend auf Graphen fehlende Knoten, fehlende transitive Verbindungen und fehlende Abläufe überprüft. Zunächst wurde Containment Checking allgemein nach benannten Designmodellen untersucht und die Anwendung in realistischen Use-Case-Szenarien geprüft, wobei letztere überwiegend aus Enterprise Informationssystemen entnommen wurden. Als einen zweiten Anwendungsbereich untersuchten wir die Anwendung von Containment Checking im Kontext von Architekturmustern. Diese legen verschiedene Arten von Designbedingungen für den Detailentwurf und für die Implementierung fest, die nicht verletzt werden dürfen. Wir untersuchten außerdem die Anwendung von Containment Checking für das Prüfen von Designbedingungen bei drei beliebten Architekturmustern: Model-View-Controller, Layers und Pipe and Filter, sowie deren Varianten. Die quantitative Evaluierung der realistischen Anwendungsszenarien zeigt, dass die vorgeschlagenen Ansätze in typischen Arbeitsumgebungen für Softwareentwickler ziemlich gut funktionieren und gut genug für übliche Größen von Softwaredesign-Modellen skalieren.A major challenge in software development processes is to detect and fix the deviations of system's intended behaviours at different abstraction levels in early phases. Inconsistencies that are detected at later phases, when the system is already implemented or tested, require huge amounts of time and effort for correction, revision, and verification. Therefore, it is crucial to detect and fix the inconsistencies at early phases of software development, and especially as soon as refined models deviate from their abstract counterparts. This dissertation focuses on a special type of vertical consistency, in particularly containment checking that verifies whether the behaviour described by the low-level model encompasses those specified in the high-level counterpart. Previous research has not investigated the containment relationship for behavioural models. We have performed a systematic review of software behavioural model consistency checking research, and identified a number of gaps and open problems that serve as a foundation for this dissertation. The major contributions of this dissertation are novel concepts and techniques for automatic containment checking of software behaviour models. Containment checking of software behaviour models, in particularly activity models, sequence models and service choreographies, is supported using model transformations and model checking. Specifically, the automated transformation of behaviour models into formal specifications and consistency constraints is performed; they are required by model checkers for detecting any discrepancies between the input models and yielding corresponding counterexamples. However, the feedback of model checkers is rather not helpful for users with limited background on the underlying formal methods to analyse and understand the causes of consistency violations. A counterexample analysis approach is therefore proposed for locating the cause(s) of containment violations and presenting appropriate suggestions to stakeholders for their resolution. Dealing with unconditional loops and parallel execution branches are challenging issues in model checking based techniques. Therefore, we introduced, in addition to the model checking based techniques, a lightweight graph-based approach that verifies missing nodes, missing transitive links, and missing cycles. We have investigated containment checking first generically for the named design models and studied the application in realistic use case scenarios, taken mainly from enterprise information systems. As a second application domain, we have studied applying containment checking in the context of architectural patterns: Architectural patterns impose various kinds of design constraints on the detailed designs and implementations that should not be violated. We studied the application of containment checking for checking those design constraints for three popular architectural patterns: Model-View-Controller, Layers, and Pipe and Filter, as well as their variants. The quantitative evaluation of the realistic use case scenarios shows that the proposed approaches perform reasonably well in typical working environments of software developers and scale well enough for typical sizes of software design models

ATTEST : Automating the review and update of assurance case arguments

The assurance case arguments are created to demonstrate acceptable system safety and/or security. In this regard, a series of propositions expressed by natural language statements (claims) are broken down into sub-claims representing a logical chain of reasoning until the corresponding evidence is obtained. The review and update of assurance arguments for aligning with the process and product counterparts used for their construction are essential tasks. These tasks are perceived as challenging but can be efficiently supported by using Natural Language Processing (NLP). To date, however, the published studies on assurance cases have not leveraged the NLP. Accordingly, this paper presents our NLP-based assurance framework called ATTEST. At first, the text preprocessing is carried out by using NLP tasks. The rules are created, in which both syntactic and semantic features are captured. The former is captured by using NLP tasks, while the latter is captured by the internal structure of models as well as the mappings across them. The created rules are triggered for argument comprehension, well-formedness, sufficiency checks, and identifying defeaters and counter-evidence selection. Besides the process, product, and assurance case models produced during the design and development phase, the operational data is gathered from the configured simulation environments and used for identifying problems as well as the measures for resolving them. Finally, the affected parts of assurance case models are highlighted and the underlying reasoning for their adaptation is presented. The applicability of the proposed framework is demonstrated by reviewing and updating assurance cases constructed for vehicular Accelerator Control System (ACS) with Electronic Throttle Control (ETC)

Systematic review on contract-based safety assurance and guidance for future research

The safety requirements are often described via specifications called contracts. To verify that the system fulfils certain safety requirements, for instance, in the assume-guarantee contract specification, the key safety indicators are organized, so that if certain assumptions hold then the respective behaviour is guaranteed. Safety contracts provide a means of exposing potential incompatibilities early in the development process, selecting components to reuse, certifying systems, and identifying uncertainty sources during the operational phase. There exist several studies on contract-based safety assurance, however, there is not any systematic study in this field. For this, a first Systematic Literature Review (SLR) is carried out to obtain an overview of the various contract-based safety assurance concepts, problems, proposed solutions, and their usefulness. In our study, the identification and selection of the primary studies were based on a well-planned search strategy. The search process identified a total of 2881 studies published between 1969 and 2021, out of which 66 studies were selected through a multi-stage process according to our predefined SLR protocol. This SLR aims to highlight the state-of-the-art of contract-based safety assurance and identify potential gaps for future research. Based on research topics in selected studies, we identified the following main categories: contract type, analysis techniques for system safety, compliance with standards, development stage, domain, level of automation, type of study and evaluation, and tool support. The findings of the systematic review not only highlight that the contracts are even more important for advanced safety-critical systems but also strategies to exploit their full potential should be considered in future studies. The suggestions revealed for future research include the usage of contracts for adapting new behaviour, defining system boundaries, interacting with other systems, managing risk during operation, dynamic/runtime safety assurance, and integration of safety with security.</p

Supporting Automated Verification of Reconfigurable Systems with Product Lines and Model Checking

The capability to dynamically reconfigure in response to change of mode or function, failures, or unanticipatedhazardous conditions is fundamental for many critical systems. The modelling and verification of suchsystems are frequently carried out with product lines and model checking, respectively. At first, the objectivesand related requirements of reconfigurable systems are mapped to a feature model, whereas the units relatedto operational modes are selected in individual configurations. After that, the proposed approach performsautomated transformation of particular models into formal constraints and descriptions for leveraging the analyticalpowers of model checking techniques; the formal verification of completeness, consistency and conflictis carried out with NuSMV model checker. Finally, in circumstances when the counterexample is produced, itsanalysis is performed for the identification of corresponding problems and their resolutions. The applicabilityof the proposed approach is demonstrated through case study of attitude and orbit control system

Compliance checking of software processes : A systematic literature review

The processes used to develop software need to comply with normative requirements (e.g., standards and regulations) to align with the market and the law. Manualcompliance checking is challenging because there are numerous requirements withchanging nature and different purposes. Despite the importance of automated techniques, there is not any systematic study in this field. This lack may hinder organizations from moving toward automated compliance checking practices. In this paper,we characterize the methods for automatic compliance checking of software processes, including used techniques, potential impacts, and challenges. For this, weundertake a systematic literature review (SLR) of studies reporting methods in thisfield. As a result, we identify solutions that use different techniques (e.g., anthologiesand metamodels) to represent processes and their artifacts (e.g., tasks and roles). Various languages, which have diverse capabilities for managing competing and changingnorms, and agile strategies, are also used to represent normative requirements. Mostsolutions require tool-support concretization and enhanced capabilities to handleprocesses and normative diversity. Our findings outline compelling areas for futureresearch. In particular, there is a need to select suitable languages for consolidating ageneric and normative-agnostic solution, increase automation levels, tool support,and boost the application in practice by improving usability aspects

Safe and secure platooning of Automated Guided Vehicles in Industry 4.0

Automated Guided Vehicles (AGVs) are widely used for materials transportation. Operating them in a platooned manner has the potential to improve safety, security and efficiency, control overall traffic flow and reduce resource usage. However, the published studies on platooning focus mainly on the design of technical solutions in the context of automotive domain. In this paper we focus on a largely unexplored theme of platooning in production sites transformed to the Industry 4.0, with the aim of providing safety and security assurances. We present an overall approach for a fault- and threat tolerant platooning  for materials transportation in production environments. Our functional use cases include the platoon control for collision avoidance, data acquisition and processing by considering range, and connectivity with fog and cloud levels. To perform the safety and security analyses, the Hazard and Operability (HAZOP) and Threat and Operability (THROP) techniques are used. Based on the results obtained from them, the safety and security requirements are derived for the identification and prevention/mitigation of potential platooning hazards, threats and vulnerabilities. The assurance cases are constructed to show the acceptable safety and security of materials transportation using AGV platooning. We leveraged a simulation-based digital twin for performing the verification and validation as well as finetuning of the platooning strategy. Simulation data is gathered from digital twin to monitor platoon operations, identify unexpected or incorrect behaviour, evaluate the potential implications, trigger control actions to resolve them, and continuously update assurance cases. The applicability of the AGV platooning is demonstrated in the context of a quarry site