Feng Zhang,Yongwang Zhao,Dianfu Ma,Wensheng Niu

DOI: https://doi.org/10.1109/access.2017.2770323

IF: 3.9

2017-01-01

IEEE Access

Abstract:AADL along with its Behavior Annex is an architecture and behavior description language for safety-critical domains, e.g. avionics, aerospace, and defence. In order to formally analyze behavior properties of AADL models, it is necessary to transform the AADL language into formal languages supported by formal verification tools. Moreover, comprehensive formal verification of AADL models highly requires that the transformation supports larger subset of the AADL language, as well as verification tools are able to capture various behavior of AADL, such as concurrency and timing. As an extended communicating sequential process (CSP), stateful timed CSP with its model checker-PAT provide an strongly expressive language and verification tool for real-time systems, distributed systems, and concurrent systems. This paper introduces a model transformation approach from a comparatively complete subset of AADL to stateful timed CSP, in particular supporting major components of AADL Behavior Annex. We propose a comprehensive set of transformation rules for AADL to stateful timed CSP. Then, we perform formal verification in PAT to analyze concurrent behavior properties of AADL models, such as safety, liveness, and trace refinement with various fairness assumptions, in which we consider time capacities, deadlines, periods of AADL threads and durations of AADL processes. As a study case, we develop an AADL model of F-16 “Auto Pilot Controller”and transform the model into Stateful Timed CSP. We specify a set of critical properties of the model and perform formal verification in PAT.

Yu Tan,Yongwang Zhao,Dianfu Ma,Xuejun Zhang

DOI: https://doi.org/10.1155/2022/2079880

2021-01-01

IOP Conference Series Earth and Environmental Science

Abstract:In safety-critical fields, architectural languages such as AADL (Architecture Analysis and Design Language) have been playing an important role, and the analysis of the languages and systems designed by them is a challenging research topic. At present, a formal method has become one of the main practices in software engineering for strict analysis, and it has been applied on the tools of formalization and analysis. The formal method can be used to find and resolve the problems early by describing the system with precise semantics and validating the system model. This article studies the comprehensive formal specification and verification of AADL with Behavior annex by the formal method. The presentation of this specification and semantics is the aim of this article, and the work is illustrated with an ARINC653 model case study in Isabelle/HOL.

Dajiang Suo,Jinxia An,Jihong Zhu

DOI: https://doi.org/10.1109/apsec.2011.27

2011-01-01

Abstract:This paper seeks to model the Integrated Modular Avionics (IMA) using Architectural Analysis and Design Language (AADL). In particular, the mechanism to describe the dynamic reconfiguration of multimodal system is presented. By translating the AADL model into Time Petri Net (TPN), some real-time and logical properties (deadlock, reach ability, missed deadline) of reconfiguration could be checked. The analysis results could then be used to adjust the design of software at the early stage of system development and ensure that the reconfiguration of IMA meets the real-time constraints.

Xiaopu Huang,Qingqing Sun,Jiangwei Li,Tian Zhang

DOI: https://doi.org/10.1007/978-3-642-35795-4_62

2012-01-01

Abstract:State Machine Diagram (SMD) is one of the SysML behavior diagrams, but it is a kind of semi-formal model language. As a consequence, models can not be verified conveniently and efficiently, especially in real-time embedded system (RTES) field as there are no descriptions of time and probability in SMD. To address these problems, we extend SMD with time and probability elements extracted from MARTE and propose a transformation algorithm based on MDE. With the algorithm, we transform the extended SMD to timed automata (TA) and then analyze and verify the transformation result using existing tools. So at the very beginning of system design, errors and deficiencies can be found. At last, we construct an instance to illustrate the validity of our approach.

R. Wang,X. Song,M. Gu

DOI: https://doi.org/10.1049/iet-sen:20070009

2007-01-01

IET Software

Abstract:Validation is an important task in complex embedded system designs. A method of modelling and analysing embedded systems with programmable logic controllers is presented. Controllers and physical plants are modelled using timed automata. The system requirements are specified and formalised as computational tree logic properties. It is demonstrated that the designed model satisfies the required properties by resorting to a symbolic model checker, Uppaal, for real-time systems. A realistic example, the steeve controller of a theatre, illustrates the strategies. The safety and time constraint requirements are validated by Uppaal. The experimental results demonstrate the effectiveness of the approach presented here.

Eun-Young Kang,Dongrui Mu,Li Huang,Qianqing Lan

DOI: https://doi.org/10.48550/arXiv.1803.06103

2018-03-16

Software Engineering

Abstract:The software development for Cyber-Physical Systems (CPS), e.g., autonomous vehicles, requires both functional and non-functional quality assurance to guarantee that the CPS operates safely and effectively. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware real-time (ERT) behaviors modeled in EAST-ADL/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK and an integration of Simulink/Stateflow within a same tool-chain. Simulink/Stateflow models are transformed, based on extended ERT constraints in EAST-ADL, into verifiable UPPAAL models with stochastic semantics and integrate the translation with formal statistical analysis techniques: Probabilistic extension of EAST-ADL constraints is defined as a semantics denotation. A set of mapping rules is proposed to facilitate the guarantee of translation. Formal analysis on both functional- and non-functional properties is performed using SIMULINK DESIGN VERIFIER/UPPAAL-SMC. The analysis techniques are validated and demonstrated on the autonomous traffic sign recognition vehicle case study.

Yongwang Zhao,Dianfu Ma,Jing Li,Zhuqing Li

DOI: https://doi.org/10.1109/EASe.2011.13

2011-01-01

Abstract:Increasingly, software needs to dynamically adapt its structure and behavior at runtime in response to changing conditions in the supporting computing, network infrastructure, and in the surrounding physical environments. By high complexity, adaptive programs are generally difficult to specify, verify, and validate. Assurance of high dependability of these programs is a great challenge. Efficiently and precisely specifying requirements and flexible model checking for adaptation are the key issues for developing dependably adaptive software. This paper introduces a formal model for adaptive programs which have different behavioral modes. We consider that adaptive programs have two behavioral level, functional behavior and adaptation. State machine is used to describe functional behavior in different modes and mode automata is proposed for adaptations. Specifications of adaptive programs are classified into three categories, local, adaptation and global properties from their different scope of dynamic adaptation. To specify and verify specifications on our model, We propose the Mode-extended Linear Temporal Logic (mLTL) and its model checking approach. mLTL extends Linear Temporal Logic (LTL) by adding mode related element and enables describing properties on different modes. Our formal model and mLTL formulae are translated to SMV language and verified in NuSMV model checker.

Xiong Xu,Shuling Wang,Bohua Zhan,Xiangyu Jin,Naijun Zhan,Jean-Pierre Talpin

DOI: https://doi.org/10.1145/3631483.3631487

2023-10-30

ACM SIGAda Ada Letters

Abstract:The design of safety-critical cyber-physical systems (CPSs) involve several dimensions, including physics, hardware rchitecture and software functionality. It is desirable to design CPSs by taking these issues into account uniformly and yet, few existing design workflows support this aim. For instance, AADL is an architecturecentric modelling formalism for CPSs, which focuses on modelling architecture and prototyping real-time hardware platforms, but it delegates physical and software behavioral models to so-called annexes. By contrast, Simulink/Stateflow (S/S) focuses on modelling interacting physical and software behaviors, but does not render the non-functional characteristics of their hardware platforms. To address this issue, in [1], we proposed the combination of AADL and S/S, called AADL S/S, to comodel CPSs and presented a method to uniformly analyse and verify them. AADL S/S provides a unified graphical co-modelling environment for CPS design and supports simulation through C code generation. Also, [1] presented a formal semantics of AADL S/S by translation to Hybrid Communicating Sequential Processes (HCSP), yielding a deductive verification framework of the combined models using Hybrid Hoare Logic (HHL). Additionally, [1] proved the correctness of the translation of AADL S/S to HCSP.

Martin Kardos,Yuhong Zhao

DOI: https://doi.org/10.1007/1-4020-8149-9_3

2004-01-01

Abstract:System level design incorporating system modeling and formal specification in combination with formal verification can substantially contribute to the correctness and quality of the embedded systems and consequently help reduce the development costs. Ensuring the correctness of the designed system is, of course, a crucial design criterion especially when complex distributed (realtime) embedded systems are considered. Therefore, this paper aims at presenting a verification framework designated for formal verification and validation of UML-based design of embedded systems. It first introduces an approach of using the AsmL language for acquiring formal models of the UML semantics and consequently presents an on-the-fly model checking technique designed to run the formal verification directly over those semantic models.

Bo Chen,Xi Li,Xuehai Zhou

DOI: https://doi.org/10.1016/j.sysarc.2018.06.002

IF: 5.836

2018-01-01

Journal of Systems Architecture

Abstract:Modelling and Analysis of Real-time and Embedded systems (MARTE) as a domain-specific language is widely used for designing, analysing, and the building of cyber physical systems (CPS). It also provides CCSL as a purely declarative language for expressing logical and chronometric constraints on clocks. Although MARTE/CCSL is powerful expressively, it lacks formal semantics-based language support for describing and analysing. Semantic support, such as timed Input/Output automata not only provides modelling and analysis of timing behaviors, it also provides modelling of the Input/Output behaviors in a direct sense compared to timed automata. The Input/Output behavior can verify the casual relationship between components, one of the most important behaviors is the fairness between components. Thus, to improve the capacity of modeling and verification of the MARTE/CCSL behavior model, we present a method to use MARTE/CCSL as a high level specification language for modelling, then mapping MARTE/CCSL behavior model to timed Input/Output automata, then using an integrated tool (UPPAAL-TIGA) to verify the safety, liveness, and fairness thereof. Finally, we demonstrate the proposed transformation method using a Telerobot control system of real-time systems.

Hamida Bouaziz,Samir Chouali,Ahmed Hammad,Hassan Mountassir

DOI: https://doi.org/10.1504/IJCAET.2019.098134

2019-10-07

International Journal of Computer Aided Engineering and Technology

Abstract:In the component paradigm, the system is seen as an assembly of heterogeneous components, where the system reliability depends on these components compatibility. In our approach, we focus on verifying compatibility of components modelled with SysML diagrams. Thus, we model component interactions with sequence diagrams (SDs) and components with SysML blocks. The SDs constitutes a good start point for compatibility verification. However, this verification is still inapplicable directly on SDs, because they are expressed in informal language. Thus, to apply a verification method, it is necessary to translate the SDs into formal models, and then verify the wanted properties. In this paper, we propose a high-level model-driven approach which consists of an ATL grammar that automates the transformation of SDs into interface automata. Also, to allow an easy use of Ptolemy tool to verify properties on automata, we have proposed some Acceleo templates, which generate the Ptolemy entry specification.

Eun-Young Kang,Li Huang,Dongrui Mu

DOI: https://doi.org/10.48550/arXiv.1803.06075

2018-03-16

Software Engineering

Abstract:Modeling and analysis of nonfunctional requirements is crucial in automotive systems. EAST-ADL is an architectural language dedicated to safety-critical automotive system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware timed (ET) behaviors modeled in SIMULINK/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK DESIGN VERIFIER (SDV), i.e., the ET constraints are translated into proof objective models that can be verified using SDV. Furthermore, probabilistic extension of EAST-ADL constraints is defined and the semantics of the extended constraints is translated into verifiable UPPAAL models with stochastic semantics for formal verification. A set of mapping rules are proposed to facilitate the guarantee of translation. Verification & Validation are performed on the extended timing and energy constraints using SDV and UPPAAL-SMC. Our approach is demonstrated on a cooperative automotive system case study.

Yixiao Yang,Yu Jiang,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1145/2970276.2970293

2016-01-01

Abstract:Simulink Stateflow is widely used for the model-driven development of software. However, the increasing demand of rigorous verification for safety critical applications brings new challenge to the Simulink Stateflow because of the lack of formal semantics. In this paper, we present STU, a self-contained toolkit to bridge the Simulink Stateflow and a well-defined rigorous verification. The tool translates the Simulink Stateflow into the Uppaal timed automata for verification. Compared to existing work, more advanced and complex modeling features in Stateflow such as the event stack, conditional action and timer are supported. Then, with the strong verification power of Uppaal, we can not only find design defects that are missed by the Simulink Design Verifier, but also check more important temporal properties. The evaluation on artificial examples and real industrial applications demonstrates the effectiveness.

Jiexin Zhang,Yang Liu,Jing Sun,Jin Song Dong,Jun Sun

DOI: https://doi.org/10.1109/hase.2012.12

2012-01-01

Abstract:Software Architecture plays an essential role in the high level description of a system design. Despite its importance in the software engineering practice, the lack of formal description and verification support hinders the development of quality architectural models. In this paper, we present an automated approach to the modeling and verification of software architecture designs using the Process Analysis Toolkit (PAT). We present the formal syntax of the Wright# architecture description language together with its operational semantics in Labeled Transition System (LTS). A dedicated model checking module for Wright# is implemented in the PAT verification framework based on the proposed formalism. The module - ADL supports verification and simulation of software architecture models in PAT. We advance our work via defining an architecture style library that embodies commonly used architecture patterns to facilitate the modeling process. Finally, a case study of the Teleservices and Remote Medical Care System (TRMCS) modeling and verification is presented to evaluate the effectiveness and scalability of our approach.

Giorgio Delzanno

DOI: https://doi.org/10.48550/arXiv.cs/0601038

2006-01-10

Abstract:We present a technique for the automated verification of abstract models of multithreaded programs providing fresh name generation, name mobility, and unbounded control. As high level specification language we adopt here an extension of communication finite-state machines with local variables ranging over an infinite name domain, called TDL programs. Communication machines have been proved very effective for representing communication protocols as well as for representing abstractions of multithreaded software. The verification method that we propose is based on the encoding of TDL programs into a low level language based on multiset rewriting and constraints that can be viewed as an extension of Petri Nets. By means of this encoding, the symbolic verification procedure developed for the low level language in our previous work can now be applied to TDL programs. Furthermore, the encoding allows us to isolate a decidable class of verification problems for TDL programs that still provide fresh name generation, name mobility, and unbounded control. Our syntactic restrictions are in fact defined on the internal structure of threads: In order to obtain a complete and terminating method, threads are only allowed to have at most one local variable (ranging over an infinite domain of names).

Logic in Computer Science,Programming Languages

Ying Wang,Dianfu Ma,Hualei Shen,Yongwang Zhao

DOI: https://doi.org/10.12733/jcis5857

2013-01-01

Journal of Computational Information Systems

Abstract:Modern avionics architecture is evolving to Integrated Modular Avionics (IMA) architecture. ARINC653 is a major avionics industry which supports partitioning concept in IMA. Currently, Architecture Analysis & Design Language (AADL) is a high-level language suitable for modeling and analyzing avionics software. But the AADL semantic is abstract, so it needs to be extended with ARINC653-specific semantic to model avionics software based on ARINC653. This paper proposes an AADL-based ARINC653-compliant language (AADL653) defined with set theory and first-order logic to provide an accurate AADL modeling and validation basis for ARINC653-based avionics software. A multi-task flight application is as a case study to demonstrate the practicability of the language for modeling and validation. © 2013 by Binary Information Press.

Giorgio Delzanno

DOI: https://doi.org/10.48550/arXiv.cs/0601037

2006-01-10

Abstract:We present a technique for the automated verification of abstract models of multithreaded programs providing fresh name generation, name mobility, and unbounded control. As high level specification language we adopt here an extension of communication finite-state machines with local variables ranging over an infinite name domain, called TDL programs. Communication machines have been proved very effective for representing communication protocols as well as for representing abstractions of multithreaded software. The verification method that we propose is based on the encoding of TDL programs into a low level language based on multiset rewriting and constraints that can be viewed as an extension of Petri Nets. By means of this encoding, the symbolic verification procedure developed for the low level language in our previous work can now be applied to TDL programs. Furthermore, the encoding allows us to isolate a decidable class of verification problems for TDL programs that still provide fresh name generation, name mobility, and unbounded control. Our syntactic restrictions are in fact defined on the internal structure of threads: In order to obtain a complete and terminating method, threads are only allowed to have at most one local variable (ranging over an infinite domain of names).

Computation and Language,Programming Languages

S. Akshay,Paul Gastin,R. Govind,B. Srivathsan

2024-07-11

Abstract:The translation of Metric Interval Temporal Logic (MITL) to timed automata is a topic that has been extensively studied. A key challenge here is the conversion of future modalities into equivalent automata. Typical conversions equip the automata with a guess-and-check mechanism to ascertain the truth of future modalities. Guess-and-check can be naturally implemented via alternation. However, since timed automata tools do not handle alternation, existing methods perform an additional step of converting the alternating timed automata into timed automata. This de-alternation step proceeds by an intricate finite abstraction of the space of configurations of the alternating automaton. Recently, a model of generalized timed automata (GTA) has been proposed. The model comes with several powerful additional features, and yet, the best known zone-based reachability algorithms for timed automata have been extended to the GTA model, with the same complexity for all the zone operations. We provide a new concise translation from MITL to GTA. In particular, for the timed until modality, our translation offers an exponential improvement w.r.t. the state-of-the-art. Thanks to this conversion, MITL model checking reduces to checking liveness for GTAs. However, no liveness algorithm is known for GTAs. Due to the presence of future clocks, there is no finite time-abstract bisimulation (region equivalence) for GTAs, whereas liveness algorithms for timed automata crucially rely on the presence of the finite region equivalence. As our second contribution, we provide a new zone-based algorithm for checking Buchi non-emptiness in GTAs, which circumvents this fundamental challenge.

Formal Languages and Automata Theory

Razieh Behjati,Tao Yue,Shiva Nejati,Lionel C. Briand,Bran Selic

DOI: https://doi.org/10.1007/978-3-642-21470-7_17

2011-01-01

Abstract:Recent years have seen a proliferation of languages for describing embedded systems. Some of these languages have emerged from domain-specific frameworks, and some are adaptions or extensions of more general-purpose languages. In this paper, we focus on two widely-used standard languages: the Architecture Analysis and Design Language (AADL) and the Systems Modeling Language (SysML). AADL was born as an avionics-focused domain-specific language and later on has been revised to represent and support a more general category of embedded real-time systems. SysML is an extension of the Unified Modeling Language (UML) intended to support system engineering and modeling. We propose the ExSAM profile that extends SysML by adding AADL concepts to it with the goal of exploiting the key advantages of both languages in a seamless way. More precisely, by using ExSAM and any SysML modeling environment, we will be able to both model system engineering concepts and use AADL analysis tools where needed. We describe the ExSAM profile through several examples and compare it with existing alternatives. We have implemented ExSAM using IBM Rational Rhapsody and evaluated its completeness and usefulness through two case studies.

Junyan Qian,Baowen Xu

DOI: https://doi.org/10.1007/11562436_20

2005-01-01

Abstract: Timed Statecharts, which can efficiently specify explicit dense time, is an extension to the visual specification language Statecharts with real-time constructs. We give a definition of timed Statecharts that specifies explicit temporal behavior as timed automata does. It is very difficult to verify directly whether timed Statecharts satisfies the required properties. However, by compiling it into timed automata, timed Statecharts may be checked using Uppaal tool. In the paper, the state of timed Statecharts is represented by inductive term, and a step semantics of timed Statecharts is briefly described. The translation rules are shown by a compositional approach for formalizing the timed Statecharts semantics directly on sequences of micro steps. Timed automata corresponding to timed Statecharts was also discussed.