A. Dubey,X. Wu,H. Su,T. J. Koo

DOI: https://doi.org/10.1007/11562948_11

2005-01-01

Abstract:In this paper, we describe a computation platform called ReachLab, which enables automatic analysis of embedded software systems that interact with continuous environment. Algorithms are used to specify how the state space of the system model should be explored in order to perform analysis. In ReachLab, both system models and analysis algorithm models are specified in the same framework using Hybrid System Analysis and Design Language (HADL), which is a meta-model based language. The platform allows the models of algorithms to be constructed hierarchically and promotes their reuse in constructing more complex algorithms. Moreover, the platform is designed in such a way that the concerns of design and implementation of analysis algorithms are separated. On one hand, the models of analysis algorithms are abstract and therefore the design of algorithms can be made independent of implementation details. On the other hand, translators are provided to automatically generate implementations from the models for computing analysis results based on computation kernels. Multiple computation kernels, which are based on specific computation tools such as d/dt and the Level Set toolbox, are supported and can be chosen to enable hybrid state space exploration. An example is provided to illustrate the design and implementation process in ReachLab.

Luxi Chen,Linpeng Huang,Chen Li,Linzhu Wu,Weichao Luo

DOI: https://doi.org/10.1109/compsac.2014.35

2014-01-01

Abstract:Architectural design modeling has emerged as a discipline in a complex system development. To implement early safety analysis, techniques for architectural design have been extended to concern the safety property. Various safety standard profiles, quantitative and qualitative analysis methods are proposed for assessment. However, few of them focuses on the feedback of the safety properties or analysis results on the adjustment to improve original architecture. In this paper, we present an approach to combine safety analysis with architecture modeling. First, we extend the meta-model of our architecture description language - Breeze/ADL with safety elements for design. Second, safety specifications are generated from Breeze/ADL, and then to be converted into Open FTA for FTA (Fault Tree Analysis). Our Breeze/ADL also supports rule definitions to adjust the architecture, to cope with safety problems. Moreover, model checking will be applied to verify the correctness of the adjustment. Finally, the tool Breeze/SA demonstrates the feasibility of our approach.

Rongyao Cai,Xiao Xv,Zhengming Lu,Kexin Zhang,Yong Liu

DOI: https://doi.org/10.1109/isas61044.2024.10552597

2024-01-01

Abstract:Fault tree analysis is the most commonly used methodology in industrial safety analysis to predict the probability or frequency of system failure. Although fault tree analysis has been proposed for more than six decades, the assumptions used in most commercial fault tree analysis codes have not changed significantly, which limits the ability of the method to represent design, operation, and maintenance characteristics in the context of the increasing complexity and specialization of modern industrial systems. The basic setup of traditional fault trees is unable to include dependencies between events, time-varying failures, and repair rate realities to explain complex maintenance strategies. To address the above shortcomings, we propose a fusion tree model combining fault tree and attack tree, and simplify the causal structure of the fusion tree by modularization, and utilize the dynamic Markov model to represent the complex coupling relationship between components or nodes. Finally, we demonstrate the calculation process of fusion tree in pressure vessel systems with temporal control.

Yu Tan,Yongwang Zhao,Dianfu Ma,Xuejun Zhang

DOI: https://doi.org/10.1155/2022/2079880

2021-01-01

IOP Conference Series Earth and Environmental Science

Abstract:In safety-critical fields, architectural languages such as AADL (Architecture Analysis and Design Language) have been playing an important role, and the analysis of the languages and systems designed by them is a challenging research topic. At present, a formal method has become one of the main practices in software engineering for strict analysis, and it has been applied on the tools of formalization and analysis. The formal method can be used to find and resolve the problems early by describing the system with precise semantics and validating the system model. This article studies the comprehensive formal specification and verification of AADL with Behavior annex by the formal method. The presentation of this specification and semantics is the aim of this article, and the work is illustrated with an ARINC653 model case study in Isabelle/HOL.

Li Qiuyan,Tian Jie,Pei Qiuhong,Wu Ji

DOI: https://doi.org/10.1109/iccsn.2011.6014264

2011-01-01

Abstract:AADL supports standard accurate modeling of embedded systems and has been widely used in the embedded field. However, as a new modeling language, modeling and analysis tools of AADL are not mature enough. In the field of software engineering, the method and tool about UML model have been developed widely, so we consider designing a transformation method. This method define a complete meta-model for AADL error model and implement the automatic transformation from the AADL model to UML model. Our research makes the method and tool for UML model reused in the AADL model, expands the application scope of AADL model, and reduces the development cost of AADL modeling. Finally, the potential research directions are discussed.

Xiong Xu,Shuling Wang,Bohua Zhan,Xiangyu Jin,Naijun Zhan,Jean-Pierre Talpin

DOI: https://doi.org/10.1145/3631483.3631487

2023-10-30

ACM SIGAda Ada Letters

Abstract:The design of safety-critical cyber-physical systems (CPSs) involve several dimensions, including physics, hardware rchitecture and software functionality. It is desirable to design CPSs by taking these issues into account uniformly and yet, few existing design workflows support this aim. For instance, AADL is an architecturecentric modelling formalism for CPSs, which focuses on modelling architecture and prototyping real-time hardware platforms, but it delegates physical and software behavioral models to so-called annexes. By contrast, Simulink/Stateflow (S/S) focuses on modelling interacting physical and software behaviors, but does not render the non-functional characteristics of their hardware platforms. To address this issue, in [1], we proposed the combination of AADL and S/S, called AADL S/S, to comodel CPSs and presented a method to uniformly analyse and verify them. AADL S/S provides a unified graphical co-modelling environment for CPS design and supports simulation through C code generation. Also, [1] presented a formal semantics of AADL S/S by translation to Hybrid Communicating Sequential Processes (HCSP), yielding a deductive verification framework of the combined models using Hybrid Hoare Logic (HHL). Additionally, [1] proved the correctness of the translation of AADL S/S to HCSP.

Zhen Li,Zhengqi Jiang,Dongsheng Wang,Zhaobin Wang

DOI: https://doi.org/10.1109/access.2020.3022016

IF: 3.9

2020-01-01

IEEE Access

Abstract:With the increasing scale and complexity of system, it is very necessary to analyze the safety of complex system. Fault tree is an effective method to safety analysis. However, traditional fault tree relies on manual construction and analysis. When fault nodes and systems are complex, the efficiency and correctness of manual analysis can hardly be guaranteed. To the varied understanding of analysts, it is difficult to ensure the consistency of failure mode and system architecture due to the different understanding from safety analysts and system designers. The same node needs fault analysis again in different systems, which has poor reusability and low efficiency. AltaRica is a fault-oriented Safety Modeling Language. It takes the guard transformation system(GTS) as its core, describes nodes and faults with a style of reusable object-oriented language, and describes information of interaction between nodes and systems through interface connections between nodes and nested systems. Therefore, this paper proposed an automatic system modeling and fault analysis method and its detailed computer algorithm on single class node, multiple nodes and nodes with subsystems based on AltaRica. Finally we developed a software prototype and carry out the automatic modeling and fault analysis in a detailed example. The results showed that the proposed method, algorithm and software prototype can realize automatic graphical modeling of the system on AltaRica, the automatic fault analysis is correct and efficient, has reusability of modeling and fault analysis, and greatly improve the accuracy, objectivity and efficiency of fault modeling and analysis.

Ying Wang,Dianfu Ma,Yongwang Zhao,Lu Zou,Xianqi Zhao

DOI: https://doi.org/10.1109/COMPSAC.2011.36

2011-01-01

Abstract:Avionics software is safe-critical embedded software and its architecture is evolving from traditional federated architectures to Integrated Modular Avionics (IMA) to improve resource usability. ARINC653, as a standard widely employed in the avionics industry, supports partitioning concepts in accordance with the IMA philosophy. To insure the development of the avionics software constructed on ARINC653 operating system with high reliability and efficiency, we propose a model-driven design methodology based on Architecture Analysis &Design Language (AADL) for ARINC653 system. This paper focus on the modeling parts of this methodology which main feature is separating the abstract application function logic represented by AADL Platform-Independent Model (AADL PIM) from the concrete execution architecture represented by AADL Model for ARINC653 (AADL653). Additionally, we provide a refined transformation framework with formally transformation rules to transform AADL PIM to AADL653 automatically and the transformation result model AADL653 can then be used for analysis, verification and code generation.

Kai Hu,Teng Zhang,Zhibin Yang,Wei-Tek Tsai

DOI: https://doi.org/10.1016/j.sysarc.2015.02.003

2015-01-01

Abstract:hitecture Analysis and Design Language (AADL) is often used to model safety-critical real-time systems. Model transformation is widely used to extract a formal specification so that AADL models can be verified and analyzed by existing tools. Timed Abstract State Machine (TASM) is a formalism not only able to specify behavior and communication but also timing and resource aspects of the system. To verify functional and nonfunctional properties of AADL models, this paper presents a methodology for translating AADL to TASM. Our main contribution is to formally define the translation rules from an adequate subset of AADL (including thread component, port communication, behavior annex and mode change) into TASM. Based on these rules, a tool called AADL2TASM is implemented using Atlas Transformation Language (ATL). Finally, a case study from an actual data processing unit of a satellite is provided to validate the transformation and illustrate the practicality of the approach.

Eun-Young Kang,Li Huang,Dongrui Mu

DOI: https://doi.org/10.48550/arXiv.1803.06075

2018-03-16

Software Engineering

Abstract:Modeling and analysis of nonfunctional requirements is crucial in automotive systems. EAST-ADL is an architectural language dedicated to safety-critical automotive system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware timed (ET) behaviors modeled in SIMULINK/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK DESIGN VERIFIER (SDV), i.e., the ET constraints are translated into proof objective models that can be verified using SDV. Furthermore, probabilistic extension of EAST-ADL constraints is defined and the semantics of the extended constraints is translated into verifiable UPPAAL models with stochastic semantics for formal verification. A set of mapping rules are proposed to facilitate the guarantee of translation. Verification & Validation are performed on the extended timing and energy constraints using SDV and UPPAAL-SMC. Our approach is demonstrated on a cooperative automotive system case study.

Lu Chen,Jian Jiao,Jiping Fan,Fuchun Ren

DOI: https://doi.org/10.1109/rams.2016.7447978

2016-01-01

Abstract:Fault propagation identification is an indispensable task in complex system safety analysis. With the growing of system scale and complexity, it is hard for the traditional safety analysis techniques, which depend mainly on analysts' personal skills and experiences, to keep completeness and timeliness; moreover, some failure modes may be neglected and failure effects misjudged during the analysis. Formal science provides a new way to solve this problem, where formal verification method such as model checking can automatically validate whether the system design satisfies the given safety requirements, which can reduce an analysts' repetitive work and design cost, and improve the efficiency and quality of safety analysis. However, there is lack of a deliberate and reasonable way to build system models because of the diversity and flexibility of languages used for model checking, which results in that it is difficult to specify and model system quickly and accurately, and leads to some deviation in model checking. In this paper, a system modeling and safety property specifying approach using symbolic language SMV is proposed, including guidance on the mapping relationships between the formal language elements and system functions, architecture and failure modes; moreover, how to define system specifications and safety requirements using temporal logic formulas is discussed as well. Finally, a case study about airborne system safety analysis is provided, in which the counter-examples that do not meet system specifications can be identified automatically using model checker NuSMV to find out fault events and their propagation that can result in accidents.

Guoqiang Cai

DOI: https://doi.org/10.18293/vlss2015-052

2015-01-01

Proceedings

Abstract:Safety analysis ensuring the normal operation of an engineering system is important. The existing safety analysis methods are limited to relatively simple fact description and statistical induction level. Besides, many of them enjoy poor generality, and fail to achieve comprehensive safety evaluation given a system structure and collected information. This work describes a new safety analysis method, called a GO-Bayes algorithm. It combines structural modeling of the GO method and probabilistic reasoning of the Bayes method. It can be widely used in system analysis. The work takes a metro vehicle braking system as an example to verify its usefulness and accuracy. Visual implementation by Extendsim software shows its feasibility and advantages in comparison with the Fault Tree Analysis (FTA) method.

Eun-Young Kang,Dongrui Mu,Li Huang,Qianqing Lan

DOI: https://doi.org/10.48550/arXiv.1803.06103

2018-03-16

Software Engineering

Abstract:The software development for Cyber-Physical Systems (CPS), e.g., autonomous vehicles, requires both functional and non-functional quality assurance to guarantee that the CPS operates safely and effectively. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware real-time (ERT) behaviors modeled in EAST-ADL/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK and an integration of Simulink/Stateflow within a same tool-chain. Simulink/Stateflow models are transformed, based on extended ERT constraints in EAST-ADL, into verifiable UPPAAL models with stochastic semantics and integrate the translation with formal statistical analysis techniques: Probabilistic extension of EAST-ADL constraints is defined as a semantics denotation. A set of mapping rules is proposed to facilitate the guarantee of translation. Formal analysis on both functional- and non-functional properties is performed using SIMULINK DESIGN VERIFIER/UPPAAL-SMC. The analysis techniques are validated and demonstrated on the autonomous traffic sign recognition vehicle case study.

Ji Wu,Tao Yue,Shaukat Ali,Huihui Zhang

DOI: https://doi.org/10.1002/spe.2281

2014-01-01

Software Practice and Experience

Abstract:SummaryEnsuring that avionics software meets safety requirements at each development stage is very important to warrant the safe operation of an avionics system. Many safety requirements are imposed by various standards and industrial regulations that must be met by avionics software. One of such standards is DO‐178B/C, which provides guidelines (e.g., development process and objectives to satisfy in development activities) for meeting safety requirements. This paper presents a modeling methodology including a UML profile for specifying safety requirements on a component‐based architecture model and a set of design guidelines on avionics software. These safety requirements were identified from both standards (mainly DO‐178B/C) and current engineering practices in the domain of avionics systems. The methodology automatically enforces these safety requirements. We have applied the methodology on an industrial autopilot system, and several previously uncaught faults were revealed. Copyright © 2014 John Wiley & Sons, Ltd.

Guoxin Su,Mingsheng Ying,Chengqi Zhang

DOI: https://doi.org/10.1007/978-3-642-15114-9_4

2010-01-01

Abstract:A rigorous paradigm coordinating components is important in the design stage of large-scale software engineering. In this paper we propose a new Architecture Description Language, called ACDL, to represent the centralized-mode architectural connection in which all components are linked by a single connector. Following one usual approach to architectural description, in which component types and components are distinguished, and connectors integrate behaviors of components by specifying their coordination protocols, ACDL describes connectors in such a way that connectors are insensitive to the numbers of attached same-type components. Based on ACDL, we develop analytic techniques to facilitate the system checking of temporal properties of an architecture. In particular, our method shows to what extent one can add, delete and replace components without making the whole system lose desired temporal properties, and improves the system checking in several ways, for example enhancing the use of previous checking results to deal with new checking problems.

zhibin yang,kai hu,yongwang zhao,dianfu ma,jeanpaul bodeveix

DOI: https://doi.org/10.13328/j.cnki.jos.004776

2015-01-01

Abstract:This paper presents a formal verification method for AADL (architecture analysis and design language) models by TASM (timed abstract state machine) translation. The abstract syntax of the chosen subset of AADL and of TASM are given. The translation rules are defined clearly by the semantic functions expressed in a ML-like language. Furthermore, the translation is implemented in the model transformation tool AADL2TASM, which provides model checking and simulation for AADL models. Finally, a case study of space GNC (guidance, navigation and control) system is provided.

Wu Yuqian,Xiao Gang,Wang Miao

DOI: https://doi.org/10.1007/s42401-020-00073-8

2020-01-01

Aerospace Systems

Abstract:System state that represents a combined influence of internal and external system parameters on the overall failure effect plays a significant role in failure effect analysis. The traditional safety analysis methods can hardly evaluate the overall failure impact due to the dynamic failure behaviors in diverse system interaction situations. To overcome this problem, this paper proposes a state-based safety analysis method for dynamic evaluation of the failure effect combining the situation factor. First, a hierarchical modeling framework that includes functional logic, physical architecture, and the failure mode is constructed, and then the cross-linking relationships between items are characterized by the state machines. Particularly, the event transmission mechanism and the global attribute updating mechanism are designed to realize the state synchronization of various systems, thus enabling the global propagation of failure. The feasibility of the proposed method is verified by simulations. The Enterprise Architect platform is used to model the aircraft integrated surveillance system and analyze the effects of different failure modes in typical situations. The proposed method complements the failure effect evaluation accuracy considering the dynamic interaction situations, thus realizing the global perception of the safety state, enhancing the dynamics and integrity of the failure effect analysis process.

Ana-Elena Rugina,Peter H. Feiler,Karama Kanoun,Mohamed Kaaniche

DOI: https://doi.org/10.48550/arXiv.0809.4109

2008-09-24

Abstract:Performing dependability evaluation along with other analyses at architectural level allows both making architectural tradeoffs and predicting the effects of architectural decisions on the dependability of an application. This paper gives guidelines for building architectural dependability models for software systems using the AADL (Architecture Analysis and Design Language). It presents reusable modeling patterns for fault-tolerant applications and shows how the presented patterns can be used in the context of a subsystem of a real-life application.

Software Engineering

Feng Zhang,Yongwang Zhao,Dianfu Ma,Wensheng Niu

DOI: https://doi.org/10.1109/access.2017.2770323

IF: 3.9

2017-01-01

IEEE Access

Abstract:AADL along with its Behavior Annex is an architecture and behavior description language for safety-critical domains, e.g. avionics, aerospace, and defence. In order to formally analyze behavior properties of AADL models, it is necessary to transform the AADL language into formal languages supported by formal verification tools. Moreover, comprehensive formal verification of AADL models highly requires that the transformation supports larger subset of the AADL language, as well as verification tools are able to capture various behavior of AADL, such as concurrency and timing. As an extended communicating sequential process (CSP), stateful timed CSP with its model checker-PAT provide an strongly expressive language and verification tool for real-time systems, distributed systems, and concurrent systems. This paper introduces a model transformation approach from a comparatively complete subset of AADL to stateful timed CSP, in particular supporting major components of AADL Behavior Annex. We propose a comprehensive set of transformation rules for AADL to stateful timed CSP. Then, we perform formal verification in PAT to analyze concurrent behavior properties of AADL models, such as safety, liveness, and trace refinement with various fairness assumptions, in which we consider time capacities, deadlines, periods of AADL threads and durations of AADL processes. As a study case, we develop an AADL model of F-16 “Auto Pilot Controller”and transform the model into Stateful Timed CSP. We specify a set of critical properties of the model and perform formal verification in PAT.

Lian-chuan Ma,Dongmei Huang,Jian-cheng Mu,Yuan Cao

DOI: https://doi.org/10.2991/AIEA-16.2016.61

2016-11-12

Abstract:Commercial off-the-shelf (COTS) software and hardware components are widely used in the design of train control system. In order to satisfy the application requirements of the safety computer in train control system, it is necessary to analyze its safety properties. In this paper, a method of safety analysis for the safety computer is proposed. The safety properties of the safety computer in train control system are verified by establishing the system model of safety mechanism, and establishing a safety base in safety computer management units (SCMU), and measuring the safety of each part of the system step by step, and then establishing a safety chain. Finally, tests are carried out through a designed software fault injection tool to demonstrate the effectiveness of the proposed method.

Computer Science,Engineering