
    TOOL-ASSISTED VALIDATION AND VERIFICATION TECHNIQUES FOR STATE-BASED FORMAL METHODS

    To tackle the growing complexity of developing modern software systems, which usually have an embedded and distributed nature and increasingly involve safety-critical aspects, formal methods (FMs) have been established as an effective approach to ensure the quality and correctness of the design, allowing errors to be discovered already at the early stages of system development. Among the many FMs available, some can be described as state-based, since they describe systems using the notions of state and transitions between states. State-based FMs are sometimes preferred because they produce specifications that are more intuitive, the notions of state and transition being close to the notions of program state and program execution that are familiar to any developer. Moreover, state-based FMs are usually executable and can be simulated, thus providing an abstraction of the execution of the system under development. The aim of the thesis is to provide tool-assisted techniques that help the adoption of state-based FMs. In particular we address four main goals: 1) identifying a process for the development of an integrated framework around a formal method. The adoption of a formal method is often prevented by the lack of tools to support the user in the different development activities, such as model editing, validation, verification, etc. Moreover, even when tools are available, they have usually been developed to target only one aspect of the system development process. So, having a well-engineered process that helps in the development of concrete notations and tools for an FM can make FMs of practical application. 2) promoting the integration of different FMs. Indeed, having only one formal notation for the different formal activities during the development of the system is preferable to having a different notation for each formal activity. Moreover, such a notation should be high-level: working with high-level notations is definitely easier than working with low-level ones, and the produced specifications are usually more readable. This goal can be seen as a sub-goal of the first: in a framework around a formal method, it should also be possible to integrate other formal methods that better address particular formal activities. 3) helping the user in writing correct specifications. The basic assumption of any formal technique is that the specification, representing the desired properties of the system or the model of the system, is correct. However, if the specification is not correct, all the verification activities based on it produce meaningless results. So, validation techniques should assure that the specification reflects the intended requirements; besides traditional simulation (user-guided or scenario-based), model review techniques, which check for common quality attributes that any specification should have, are also a viable solution. 4) reducing the distance between the formal specification and the actual implementation of the system. Several FMs work on a formal description of the system which is assumed to reflect the actual implementation; in practice, however, the formal specification and the actual implementation may not be conformant. One solution is to obtain the implementation from the formal specification through refinement steps, and to prove that the refinement steps are correct. A different viable solution is to link the implementation with its formal specification and check, during program execution, whether they are conformant.

    Rigorous development process of a safety-critical system: from ASM models to Java code

    The paper presents an approach for the rigorous development of safety-critical systems based on the Abstract State Machine formal method. The development process starts from a high-level formal view of the system and, through refinement, derives more detailed models up to the desired level of specification. Along the process, different validation and verification activities are available, such as simulation, model review, and model checking. Moreover, each refinement step can be proved correct using an SMT-based approach. As the last step of the refinement process, a Java implementation can be developed and linked to the formal specification. The correctness of the implementation w.r.t. its formal specification can be proved by means of model-based testing and runtime verification. The process is exemplified using a Landing Gear System as a case study.

    Integrating formal methods into medical software development: the ASM approach

    Medical devices are safety-critical systems, since their malfunctions can seriously compromise human safety. The correct operation of a medical device depends on the controlling software, whose development should adhere to certification standards. However, these standards provide general descriptions of common software engineering activities without any indication of particular methods and techniques to assure safety and reliability. This paper discusses how to integrate the use of a formal approach into the current normative framework for medical software development. The rigorous process is based on the Abstract State Machine (ASM) formal method, its refinement principle, and the model analysis approaches the method supports. The hemodialysis machine case study is used to show how the ASM-based design process covers most of the engineering activities required by the related standards, and provides rigorous approaches for medical software validation and verification.

    Equivalence checking of NuSMV specifications

    We present a technique for checking the equivalence of NuSMV specifications. The approach is founded on the notion of equivalence between Kripke structures. The need to tackle this problem arose while using mutation to assess the fault detection capability of static analysis. Indeed, mutation, which consists of introducing simple syntactic changes -- representing typical mistakes designers often make -- into specifications, may produce equivalent mutants, namely models that behave as the original one. Equivalent mutants should be detected, since they do not represent actual faults. In program mutation, detecting equivalent mutants is an undecidable problem and, when possible, is a time-consuming activity that is difficult to automate. In this work we focus on how to detect equivalence of NuSMV specifications. The novel technique we propose consists in building a single merged specification and proving, by model checking, a series of CTL properties.

    Decomposition-Based Approach for Model-Based Test Generation

    Model-based test generation by model checking is a well-known testing technique that, however, suffers from the state explosion problem of model checking and is therefore not always applicable. In this paper, we address this issue by decomposing a system model into suitable subsystem models that can be analysed separately. Our technique consists in decomposing the portion of a system model that is of interest for a given testing requirement into a tree of subsystems, by exploiting information on model variable dependency. The technique generates tests for the whole system model by merging tests built from those subsystems. We measure and report the effectiveness and efficiency of the proposed decomposition-based test generation approach, both in terms of coverage and time.

    The use of FDG-PET in the initial staging of 142 patients with follicular lymphoma: a retrospective study from the FOLL05 randomized trial of the Fondazione Italiana Linfomi

    BACKGROUND: The role of [(18)F] fluorodeoxyglucose (FDG)-positron emission tomography (PET) in follicular lymphoma (FL) staging is not yet determined. PATIENTS AND METHODS: The aim of the present study was to investigate the role of PET in the initial staging of FL patients enrolled in the FOLL05 phase-III trial that compared first-line regimens (R-CVP, R-CHOP and R-FM). To be included, patients had to have undergone conventional staging and have a baseline PET available. RESULTS: A total of 142 patients were analysed. PET identified a higher number of nodal areas in 32% (46 of 142) of patients and more extranodal (EN) sites than computed tomography (CT) scan. Also, the Follicular Lymphoma International Prognostic Index (FLIPI) score increased in 18% (26 of 142) and decreased in 6% (9 of 142) of patients. Overall, the impact of PET on modifying the stage was highest in patients with limited stage: 62% (15 of 24) of cases with limited disease were upstaged with PET. CONCLUSIONS: The inclusion of PET among staging procedures makes the evaluation of patients with FL more accurate and has the potential to modify therapy decisions and prognosis in a moderate proportion of patients. Further prospective clinical trials on FL should incorporate PET at different time points, and the therapeutic criteria to start therapy should be revisited in view of this new tool.

    Durvalumab as monotherapy and in combination therapy in patients with lymphoma or chronic lymphocytic leukemia: The FUSION NHL 001 trial.

    BACKGROUND: Studies suggest that immune checkpoint inhibitors may represent a promising strategy for boosting immune responses and improving the antitumor activity of standard therapies in patients with relapsed/refractory hematologic malignancies. AIMS: Phase 1/2 FUSION NHL 001 was designed to determine the safety and efficacy of durvalumab, an anti-programmed death ligand 1 (PD-L1) antibody, combined with standard-of-care therapies for lymphoma or chronic lymphocytic leukemia (CLL). METHODS AND RESULTS: The primary endpoints were to determine the recommended phase 2 dose of the drugs used in combination with durvalumab (durvalumab was administered at the previously recommended dose of 1500 mg every 4 weeks) and to assess safety and tolerability. Patients were enrolled into one of four arms: durvalumab monotherapy (Arm D) or durvalumab in combination with lenalidomide ± rituximab (Arm A), ibrutinib (Arm B), or rituximab ± bendamustine (Arm C). A total of 106 patients with relapsed/refractory lymphoma were enrolled. All but two patients experienced at least one treatment-emergent adverse event (TEAE); those not experiencing a TEAE were in Arm C (diffuse large B-cell lymphoma [DLBCL]) and Arm D (DLBCL during the durvalumab monotherapy treatment period). No new safety signals were identified, and TEAEs were consistent with the respective safety profiles for each study treatment. Across the study, patients with follicular lymphoma (FL; n = 23) had an overall response rate (ORR) of 59%; ORR among DLBCL patients (n = 37) was 18%. Exploratory biomarker analysis showed that response to durvalumab monotherapy or combination therapy was associated with higher interferon-γ signature scores in patients with FL (p = .02). CONCLUSION: Durvalumab as monotherapy or in combination is tolerable but requires close monitoring. The high rate of TEAEs during this study may reflect the difficulty of combining durvalumab with full doses of other agents. Durvalumab alone or in combination appeared to add limited benefit to therapy.